What is DNS, and how does it work? The Domain Name System explained simply

The DNS, which stands for Domain Name System, acts as the phone directory of the internet. Instead of phone numbers, computers communicate using numeric addresses called IP addresses that look like 192.168.1.1.
Without DNS, you’d be unable to reach web services (such as websites, chat forums, or even your email accounts). That’s because your web browser speaks a different language (IP address) from yours (plaintext), which DNS servers help you both translate.
Here’s how it all works—and why it matters for your privacy.
DNS definition in simple terms
As mentioned above, you don’t speak the same language as your web browser, which can’t figure out the regular text web address you enter into it. Instead, your web browser needs a numerical equivalent of that web address—the IP address.
So, the DNS steps in as a middleman, translating the web address you entered into an IP address for your browser. That way, your browser can now understand your request and serve the exact web pages you want to visit.
How does DNS work? Step-by-step
DNS is activated when you type in a web page address and click or tap the Search or Go button in your browser (or the Enter key on your keyboard). DNS servers are so efficient that they work in milliseconds.
Below, I’ve simplified what happens between the time you make a web request and when your browser delivers it.
From typing a URL to loading a page
Once you type a web address in your internet browser and hit Go/Send/Enter, your browser sends that address to the Domain Name System. The DNS engages four main servers (explained below) to search for the corresponding IP address of that website—a process called the DNS lookup.
Your browser needs that IP address, as this unique address dictates exactly where the content you’re looking for is hosted on the internet. The DNS sends this IP address back to your web browser. The web browser now knows exactly where to go, resulting in a successful web page load—or an error if that page can’t be returned for any reason.
But can’t you just enter the IP address in your browser itself and bypass the DNS? It is possible, but it’s usually not worth it. Here’s why:
- DNS is easier: It’s much simpler to remember website names like www.expressvpn.com than numeric IP addresses.
- IP addresses can change: Websites often update their IPs, and DNS handles this automatically. If you rely on memorized IPs, they may quickly become outdated.
- Technical limitations: Modern websites often use shared hosting and HTTPS. Entering an IP address directly may lead to TLS certificate mismatches or prevent the server from identifying the correct site, causing errors or security warnings.
The four main DNS servers involved
DNS queries from your browser are received, processed, and resolved by four main servers.
Recursive DNS resolver
The recursive DNS resolver, also known as the DNS recursor or recursive server, accepts a DNS lookup request from your browser and sends it in for processing.
It’s like the receptionist of the large data bank where all DNS records are kept. So, every request first has to pass through it before it gets to the other departments (servers) for processing.
In many cases, the recursive DNS resolver can do more than just accept the request. This happens in a situation called DNS caching, which I’ll explain better below.
Root name server
If the recursive DNS server doesn’t have the cached information, it passes on a request (query) to the root name server.
The root name server is like the records department, holding crucial information on where you need to go to get anything. It will return a list of TLD servers so your device can continue with the query by handing it over to a TLD server.
TLD (top-level domain) name server
The top-level domain refers to the final part of a website’s address, usually preceded by a dot. For example:
Website | Address | TLD |
ExpressVPN | www.expressvpn.com | .com |
US Government | www.usa.gov | .gov |
Harvard | www.harvard.edu | .edu |
A TLD name server holds the referral information for every domain name that shares a common extension, such as .com or .org. TLDs fall into two categories: organizational (generic) and geographical (country-code). Organizational examples include .com, .gov, and .edu; a .com TLD name server, for instance, knows which authoritative name servers serve every domain ending in .com. Geographical TLDs are tied to a particular country or region.
Authoritative name server
The authoritative name server is the final checkpoint. Unlike the rest, it’s tied to a specific domain name. That’s why it’s able to store all relevant information on that domain name, update the information when necessary, and effectively share that data (IP address) with the recursive server without mixing things up.
The recursive server gets the IP address from here and sends it to your web browser. Then, your web browser can resolve the web address you typed into the right location on the web.
DNS query types: Recursive, iterative, non-recursive
The recursive server is in charge of making queries on behalf of the client (your web browser) to the other three servers. These queries are categorized based on where the DNS information being searched is stored:
- Recursive queries: This is the sum total of interactions between the client (your browser) and the recursive server. Every DNS query passed through the recursive server will either end in an answer (the preferred web page is displayed) or an error (invalid certificates, name not found in DNS records, etc.).
- Iterative queries: Iterative DNS queries involve the interaction of the recursive server with the other main servers, resulting in a referral (from the root name and TLD servers) or an answer (from the authoritative server).
- Non-recursive queries: For this type of query, the recursive server knows where the answer is and doesn’t need to check with any of the middleman servers. This is the case when the DNS required is already cached.
DNS caching: How browsers and devices store DNS
DNS caching is a temporary storage process that retains a DNS query’s answer closer to the requesting client, usually on the recursive server. That way, the client doesn’t need to go through the whole series of servers on the next request for the same web property. This makes lookups faster and consumes fewer resources.
But there’s a catch: while caching improves speed and performance, it doesn’t serve you the latest version of a web page. For instance, if you re-access a subreddit while it’s still cached, you might not see new activity (comments, upvotes, etc.). In this case, you’d have to reload the page, purge the cache, or wait for the cached data to expire before getting new updates.
That said, where is cached DNS data stored?
Caching happens everywhere in the recursive chain: your browser caches DNS, and so do your device, your router, and the DNS server you are querying (as in the diagram above).
Browser DNS cache storage
Good internet browsers store cached data for websites you’ve recently visited. This makes them more resource-friendly, as they don’t have to make multiple queries to access that page a second time.
You don’t have to worry about outdated content, either. Cached data is only stored temporarily, as the browser will request new and updated pages after the cache limit expires.
Want to check your cache on popular browsers? Type the internal addresses below on your preferred browser:
Browser | DNS cache location |
Firefox | about:networking#dns |
Google Chrome | chrome://net-internals/#dns |
Opera | opera://net-internals/#dns |
Device-level cache storage
Most modern operating systems come with a built-in DNS client called the stub resolver.
By itself, the stub resolver doesn’t walk the chain of servers described above. Instead, it packages the request coming from your web client (such as the web browser) and forwards it to the DNS recursive server, which then makes all the needed requests on its behalf.
Here’s where it gets interesting.
Once the DNS lookup process is completed and the recursive server has the IP address for the queried site, it’s sent back to the web client through the DNS stub resolver. At this stage, the stub resolver can store a copy (cache) of the DNS lookup request answer.
So, when next you request the same data, the DNS stub resolver can serve the web client without sending another message to the DNS recursive server.
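As an added illustration (not code from the original article or from ExpressVPN), the following Python simulation models the lookup chain, the three query types, and the TTL-based caching described above. The server names, IP addresses, and TTLs are constructed for the example.

```python
import time

# Constructed, simplified zone data for this illustration (not real DNS records).
ROOT = {"com": "a.gtld-servers.example", "gov": "a.gov-servers.example"}  # root -> TLD servers
TLD = {  # each TLD server -> the authoritative server for a domain under it
    "com": {"expressvpn.com": "ns1.expressvpn.example"},
    "gov": {"usa.gov": "ns1.usa.example"},
}
AUTHORITATIVE = {  # authoritative server -> {name: (IPv4 address, TTL in seconds)}
    "ns1.expressvpn.example": {"www.expressvpn.com": ("203.0.113.10", 300)},
    "ns1.usa.example": {"www.usa.gov": ("198.51.100.7", 60)},
}


class NameNotFound(Exception):
    """No server in the chain has a record for the name: the NXDOMAIN case."""


class RecursiveResolver:
    def __init__(self, clock=time.monotonic):
        self.clock = clock      # injectable so TTL expiry can be demonstrated without waiting
        self.cache = {}         # name -> (address, expiry timestamp)
        self.trace = []         # servers contacted during the most recent lookup

    def resolve(self, name):
        """Recursive query, as seen by the client: always ends in an answer or an error."""
        self.trace = []
        cached = self.cache.get(name)
        if cached and cached[1] > self.clock():
            self.trace.append("cache")     # non-recursive query: answered locally
            return cached[0]
        address, ttl = self._iterate(name)
        self.cache[name] = (address, self.clock() + ttl)
        return address

    def _iterate(self, name):
        """Iterative queries: referral from root, referral from TLD, answer from authoritative."""
        labels = name.lower().rstrip(".").split(".")
        tld, domain = labels[-1], ".".join(labels[-2:])
        self.trace.append("root")
        tld_server = ROOT.get(tld)
        if tld_server is None:
            raise NameNotFound(name)
        self.trace.append(f"tld:{tld_server}")
        auth_server = TLD[tld].get(domain)
        if auth_server is None:
            raise NameNotFound(name)
        self.trace.append(f"auth:{auth_server}")
        record = AUTHORITATIVE[auth_server].get(".".join(labels))
        if record is None:
            raise NameNotFound(name)
        return record


def lookup(resolver, name):
    """Return the address, or the string 'NXDOMAIN' as a browser would report it."""
    try:
        return resolver.resolve(name)
    except NameNotFound:
        return "NXDOMAIN"


def demo():
    """Three lookups of the same name: full chain, cache hit, then full chain again after the TTL."""
    clock = {"now": 0.0}
    resolver = RecursiveResolver(clock=lambda: clock["now"])
    first = (lookup(resolver, "www.expressvpn.com"), list(resolver.trace))
    second = (lookup(resolver, "www.expressvpn.com"), list(resolver.trace))
    clock["now"] += 301                      # past the 300-second TTL
    third = (lookup(resolver, "www.expressvpn.com"), list(resolver.trace))
    return first, second, third


if __name__ == "__main__":
    for step in demo():
        print(step)
    print(lookup(RecursiveResolver(), "www.expressveepn.com"))
```

The misspelled name in the last line reproduces the NXDOMAIN case from the troubleshooting section: the chain is walked, but no authoritative server has a record.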
What is a DNS address?
A DNS address is the IP address of the recursive DNS server your device uses to perform DNS lookups in the way we described above.
Most users only have to care about their recursive server, which is usually managed and owned by their ISP or employer, but in general, the DNS servers involved in resolving a website name to an IP address can be owned, managed, and hosted by individuals, the government, or organizations. Some of the most common public recursive DNS servers are 8.8.8.8 and 1.1.1.1, owned by Google and Cloudflare, respectively.
DNS privacy and security: What you should know
Knowing what a DNS server is and how it works is interesting. However, it’s far more important to know how crucial it is for your internet privacy and security.
What DNS reveals to ISPs and network providers
Your DNS lookups are, by default, routed via your ISP or network admin. Once the DNS server finds the IP address you need, this, too, is sent back to your browser through your ISP’s servers. This process reveals specific metadata to your ISP:
- Which domain name you requested.
- The exact time you made the request.
- Your IP address, which can be used to identify your location or device.
This information is enough to infer that you intended to connect to that website, even though the content of your communication with the website remains hidden if you're using encryption (like HTTPS). Still, the DNS request itself can disclose your browsing habits to observers.
The good news is that when you connect with ExpressVPN, our servers handle all of your DNS requests, not your ISP.
In fact, because ExpressVPN secures your traffic, your ISP can’t even tell if you make a DNS request. We never log DNS requests, and when we look up a name on your behalf, all any other DNS server can see is our server address—they can never see you.
As everyone on the same server shares the same DNS server as you, all the requests come from a single source, mingling your requests in with everyone else’s. Even if someone were to be interested in DNS traffic, they wouldn’t be able to isolate any particular user.
How DNS leaks compromise online anonymity and security
Even though they are not particularly private, public DNS servers are generally secure. Still, cybercriminals can target DNS servers to compromise your privacy and security and disrupt the functioning of your devices:
- DNS spoofing (cache poisoning): This attack involves injecting malicious DNS data into a resolver’s cache, causing it to return an incorrect IP address. This can redirect users to a phishing website where you’re tricked into divulging sensitive data (like credit cards or login information) or downloading malware.
- DNS amplification attacks: This is a type of DDoS attack where threat actors send fake DNS queries to a server, setting the return address as the victim’s IP address. The DNS servers then send back large responses to the victim’s IP address. These responses can overwhelm the victim’s computers and servers, causing them to fail and crash.
- DNS hijacking: This is similar to DNS spoofing, as the threat actor redirects legitimate DNS queries to the wrong sites to trick the victim. The main difference is that this happens on active DNS queries rather than cached DNS data. Cybercriminals may need to break into your router or install malware on your device to successfully run this attack.
- Eavesdropping: Since DNS queries are usually transmitted as plaintext over UDP, anyone on the network path with the right technical knowledge can intercept and read them. Those queries reveal which sites you’re visiting, a privacy risk for users who would rather remain private online.
DNS over HTTPS (DoH) and DNSSEC: What they protect
Fortunately, measures exist to strengthen the security of your DNS lookups and continually guarantee their legitimacy. Of these, DNS over HTTPS and DNSSEC are notable examples.
DNS over HTTPS (DoH)
Protects against: DNS hijacking, eavesdropping, and spoofing attacks.
Basic DNS traffic travels between your device and the servers involved as unencrypted text. This makes the data travel faster, but it also exposes the DNS traffic to threat actors. Even if the target website uses HTTPS, the DNS queries for that website are still readable as plaintext.
This is where DNS over HTTPS (DoH) comes in to close that security gap. The DNS traffic is encrypted in transit, making it unreadable to anyone who intercepts it. Since it’s unreadable, threat actors can’t copy or forge the data, making it impossible to inject malicious code or redirects into the DNS traffic.
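To make the eavesdropping and DoH points concrete, here is an added Python example (not from the original article) that builds a standard DNS query in wire format, shows what a passive observer can read from it on plain UDP, and shows how DNS over HTTPS wraps the very same bytes into an HTTPS URL per RFC 8484. The resolver URL https://dns.example/dns-query is a placeholder, not a real service.

```python
import base64
import struct

QTYPE_A = 1      # IPv4 address record
QCLASS_IN = 1    # Internet class


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Standard DNS query in wire format (RFC 1035): 12-byte header, QNAME labels, QTYPE, QCLASS."""
    flags = 0x0100  # RD bit set: the stub asks the recursive resolver to do the full lookup
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # 1 question, no other sections
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def observer_view(packet):
    """Everything a passive observer on the path can read from an unencrypted (plain UDP) query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    labels, pos = [], 12
    while packet[pos] != 0:                       # walk the length-prefixed labels
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return {"txid": txid, "name": ".".join(labels), "qtype": qtype,
            "recursion_desired": bool(flags & 0x0100), "questions": qdcount}


def doh_get_url(name, resolver_url="https://dns.example/dns-query"):
    """RFC 8484 GET form: the identical wire-format query, base64url-encoded without padding,
    placed in the URL. It travels inside TLS, so an on-path observer sees only the resolver's
    address, not the name being looked up. The resolver URL is a placeholder."""
    packet = build_query(name, txid=0)  # RFC 8484 recommends ID 0 so HTTP caches can reuse responses
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


if __name__ == "__main__":
    query = build_query("www.expressvpn.com")
    print(query.hex())                 # the name is readable right in the bytes
    print(observer_view(query))
    print(doh_get_url("www.expressvpn.com"))
```

The parser handles a plain single-question query only; responses use label compression and need more code.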
DNSSEC
Protects against: DNS redirection, hijacking, spoofing, and man-in-the-middle attacks.
Domain Name System Security Extensions (DNSSEC) require every DNS record set to carry a digital signature that proves its legitimacy before the record is accepted on your computer. In other words, DNSSEC adds signing keys to the name servers (usually the authoritative name server), and the signatures they produce can be verified before the returned DNS record is accepted.
On confirming the legitimacy of a signature, your web browser can confidently send you to the website you intended to access. Otherwise, that connection is blocked, as your web client notes that the digital signature has either been altered or no longer exists.
There’ll always be a pair of keys associated with a DNS record: the public and private keys. The private key is never shared and remains exclusively with the DNS zone where the records are kept. The public key, generated at the same time as the private key it pairs with, can be requested by the DNS recursive server to validate the DNS records.
DNSSEC’s setup makes it an important mitigating factor against trust-based attacks like DNS hijacking and spoofing attacks. Thanks to the digital signatures, the recursive server doesn’t just accept any answer from the authoritative server but verifies it using the associated public key.
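The public/private key split described above, as an added Python illustration (not the article’s own code and not a real DNSSEC implementation): the zone signs a record set with its private key, and the validating resolver checks the signature with the published public key. The RSA primes are deliberately tiny and the A records are constructed.

```python
import hashlib

# Toy RSA key pair for illustration only: the primes are far too small for real use, and real
# DNSSEC algorithms (RSA/SHA-256 with PKCS#1 padding, ECDSA P-256, Ed25519) are not this naive.
P = 2147483647                      # 2^31 - 1, prime
Q = 2305843009213693951             # 2^61 - 1, prime
N = P * Q                           # public modulus: published in the zone's DNSKEY record
E = 65537                           # public exponent: published in DNSKEY
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: stays with the zone operator, never published


def canonical_rrset(owner, rtype, records):
    """DNSSEC signs a whole record set in canonical form, so signer and validator hash identical bytes."""
    lines = sorted(f"{owner.lower().rstrip('.')}. {rtype.upper()} {rdata}" for rdata in records)
    return "\n".join(lines).encode("ascii")


def rrset_digest(owner, rtype, records):
    """SHA-256 of the canonical RRset, reduced modulo N (part of what makes this a toy scheme)."""
    return int.from_bytes(hashlib.sha256(canonical_rrset(owner, rtype, records)).digest(), "big") % N


def sign_rrset(owner, rtype, records):
    """The zone operator produces the RRSIG value with the private exponent D."""
    return pow(rrset_digest(owner, rtype, records), D, N)


def validate_rrset(owner, rtype, records, rrsig):
    """A validating recursive resolver checks the RRSIG with the public key (N, E) from DNSKEY."""
    return pow(rrsig, E, N) == rrset_digest(owner, rtype, records)


def demo():
    """A genuine answer validates; a swapped-in address (the spoofing/hijacking case) does not."""
    records = ["203.0.113.10", "203.0.113.11"]               # constructed A records
    rrsig = sign_rrset("www.expressvpn.com", "A", records)
    genuine = validate_rrset("www.expressvpn.com", "A", records, rrsig)
    tampered = validate_rrset("www.expressvpn.com", "A", ["198.51.100.99"], rrsig)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())   # (True, False)
```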
Common DNS problems and fixes
DNS servers are designed to be practically fail-safe. You can go years without ever remembering that they’re there. That’s how well they work in the background without needing any user input.
That said, they’re not without a few common problems:
- DNS resolution failure: This occurs when the DNS server can’t resolve your request. To solve this, first check your network connectivity. If that’s not the issue, you’ll have to wait for the website admin or domain registrar to fix the problem on their end.
- DNS cache issues: Your DNS server may keep serving you an older version of a webpage while there’s already a new one. You can solve this by clearing the cache from the browser’s settings, restarting the browser, or rebooting your device.
- DNS NXDOMAIN error: The NXDOMAIN error informs you that the website you’re trying to visit is non-existent. For example, I misspelled “ExpressVPN” as “ExpressVeePN” to trigger this error. The recursive server tried to find the DNS records for such a domain but couldn’t, since it hasn’t been configured yet.
If DNS issues persist after reconnecting to the internet and rebooting your device, then restart your router. If that doesn’t work, it’s best to contact your ISP—it might be a configuration issue on its end.
What does “DNS server not responding” mean?
You’ll get a “DNS server not responding” error when the web page you’re trying to access is down, maybe for some maintenance or because of attacks, such as (distributed) denial of service (DDoS).
You can also get this error when:
- You’re not connected to the internet.
- Your recursive server isn’t working.
- The browser cache needs refreshing.
If you’ve not changed any of your browser or device’s network settings, and you’re connected to a working internet connection, then a simple reboot should get the job done.
How to change your DNS settings on any device
You can change your DNS settings on iOS and Android smartphones and computers (Mac and Windows) for multiple reasons:
- To add a backup in case the primary DNS server fails.
- To filter content and enforce parental controls on your network.
- To switch to an internal or self-owned DNS network.
- To improve internet privacy and security.
If you’re doing it for internet privacy and security, then I recommend not bothering with highly technical steps. Instead, connect to a VPN server from a provider with private DNS servers, such as ExpressVPN.
Change your DNS settings on Windows
- Connect to the network for which you want to change DNS settings. You can connect via Ethernet or Wi-Fi.
- Go to Windows’s Control Panel.
- Click Network and Internet.
- Click Network and Sharing Centre.
- Click Change adapter settings.
- Right-click the connection, then click Properties.
- You may be prompted for an admin password. Type it in.
- Select the Networking tab.
- Under This connection uses the following items, select either Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6).
- Click Properties.
- Click Use the following DNS server addresses.
- Enter your Preferred DNS server and Alternate DNS server.
- Click OK.
Remember to test if the connection works immediately. That way, you can fix the issue and stay connected to the internet.
Change your DNS settings on Mac
- Go to your Mac’s Settings.
- Click Network.
- Click the connection for which you want to change the DNS settings. This could be a Wi-Fi or Ethernet network.
- Click Details… on the connected network.
- Click DNS.
- Copy the existing DNS server address and keep it somewhere safe. This is crucial for troubleshooting.
- Click the + icon to replace the existing DNS settings.
- Add a new IPv4 or IPv6 address.
- Click OK.
You can test if your new setup works by quitting your browser, relaunching it, and opening a webpage. That way, you’re sure that the browser isn’t just serving you a cached page but a fresh one resolved by the new DNS server.
Change your DNS settings on iOS (iPhone and iPad)
- Connect to the Wi-Fi network for which you want to modify DNS settings and go to your iOS device’s Settings. Tap Wi-Fi.
- Tap the i icon next to the connected Wi-Fi name.
- Scroll and tap Configure DNS.
- Change the settings from Automatic to Manual.
- Tap Add Server and enter the IPv4 or IPv6 address you want.
Change your DNS settings on Android
These settings require an Android 9 device or later.
- Go to your Android device’s settings and tap Network and Internet.
- Tap Private DNS.
- Enter the DNS provider settings.
- Tap Save.
Should you use a public or private DNS?
Public DNS servers are often maintained by ISPs and corporations (like Google and Cloudflare). Conversely, private DNS is often maintained, owned, and used internally by corporations. Individuals running large computer networks can also set up a private DNS server to maintain internet data security and privacy.
| Public DNS | Private DNS |
Security | Good | Best |
Privacy | Medium | High |
Content filtering | Good | Best |
Reliability | High | High |
Most internet users rely on public DNS. However, as mentioned, this comes with various privacy risks. For extra privacy, you should choose a reliable no-logs VPN with an encrypted DNS service.
FAQs: Common questions about DNS
How do I fix a DNS server problem?
You can fix a DNS server problem by restarting your browser, router, smartphone, or PC. You can also flush the DNS cache on your devices or delete cached browser data. If you’ve recently changed your DNS server address, it’s best to restore the initial settings. If nothing else works, contact your ISP, as the DNS server issue might be coming from its end.
Should I turn DNS on or off?
Most devices don’t offer the option to turn your DNS server off, as it’s crucial to keeping you connected to the internet and internal computers or files. However, website admins can turn their DNS server off to stop access to their website. In this case, recursive servers stop getting a proper answer when they make queries for those websites, leading to a browser or client error.
What does DNS mean for Wi-Fi?
The DNS associated with your Wi-Fi network refers to the specific servers used on that network to resolve domain names into IP addresses. The default DNS on your Wi-Fi connection is often the ISP-supplied server, over which all of your client-side interactions with the internet are resolved.
You can improve your security over Wi-Fi by changing your Wi-Fi’s DNS to a more secure or preferred server. Alternatively, use a VPN with private, encrypted DNS servers to encrypt your internet connection and protect your DNS queries simultaneously.
Can changing DNS improve speed or privacy?
Changing your DNS can improve speed and privacy. This depends on how many queries the DNS server was handling—which can make it slow—and the kind of encryption technology it uses for data transfer.
Most DNS servers transfer data as plaintext over UDP, which makes all your queries readable to snoops, cybercriminals, and your network admin or ISP. Changing to a DNS server with DoH encryption prevents anyone else from seeing, copying, forging, or modifying the information in your DNS queries.
What is the difference between DNS and an IP address?
DNS, or Domain Name System, and IP addresses are both crucial for how the internet functions, but they serve distinct roles. Think of DNS as a phone book and the IP address as a phone number.
When you want to call someone, you usually look up their name in your contacts or a phone book to find their phone number.
Similarly, when you type a website’s name into your browser, DNS translates that human-friendly name into an IP address, which is a unique numerical label assigned to a device or server on the internet. Your computer then uses this IP address—the “phone number”—to connect to the correct website.
Without DNS, we would have to memorize and enter the numeric IP addresses of every site we want to visit, which would be much more difficult and impractical. In essence, DNS makes the internet user-friendly by allowing us to use easy-to-remember names, while IP addresses enable the actual communication between computers behind the scenes.
What is the difference between a recursive and authoritative DNS server?
A recursive DNS server receives DNS queries from client devices and is responsible for finding the requested DNS information by querying other DNS servers if necessary. It performs the full lookup process on behalf of the client, starting from the root servers and moving down the DNS hierarchy until it obtains the IP address or DNS record requested.
An authoritative DNS server is responsible for storing the DNS records for a specific domain and providing definitive answers about that domain’s IP addresses or other DNS data. It responds to queries with the official information it manages, without needing to query other servers.
In summary, recursive servers process queries by performing lookups across the DNS system, while authoritative servers hold and deliver the final, official DNS information for domains.
Do I still need a VPN if I change my DNS?
You still need a VPN after changing your DNS if you care about online privacy and security—changing your DNS servers only changes who can see your DNS queries.
Likewise, every other piece of information you transmit on the internet—including your IP address, websites you visit, connection timestamps, downloads, and more—may remain visible to cybercriminals, advertisers, your network admins, and ISPs.
Therefore, it’s best to use a VPN to encrypt your internet traffic, which is more important than changing your DNS. You can also opt for providers with private DNS servers, ensuring your DNS queries are handled by a reputable organization with a no-logs policy.
How do I check what DNS server I'm using?
You can check what DNS server you’re using by accessing your network settings on Android and iOS smartphones or computers. The DNS server you’re using remains a function of the network you’re connected to, as different network admins and ISPs may host or plug into different DNS servers.
Comments
What is the IP address of the ExpressVPN DNS server?
Hi Jerry. You cannot use ExpressVPN DNS by itself. Just open your ExpressVPN app, connect to a server and all your DNS queries will be automatically processed by our DNS servers.
What if somebody hacks the DNS servers?
Can it solve all of these problems for me? 'This site can't be reached xx.xxxxxx.com server dns was not found' if I'm accessing a site from a different country?
Hi, thanks for your work, but who assures me that "ExpressVPN" does not keep a trace of my operations? I'm confident about "ExpressVPN" but the doubt is admissible, isn't it?
You can read our privacy policy here: https://www.expressvpn.com/privacy-policy We do not collect activity logs or connection logs, a statement that has been checked by independent auditors: https://www.expressvpn.com/blog/pwc-audits-expressvpn-servers-to-confirm-essential-privacy-protections/