The Architecture of DNS

A deep dive into the system that translates human intent into machine connectivity.

The DNS Ecosystem

The Domain Name System (DNS) is a hierarchical, decentralized naming system for computers, services, and resources connected to the internet. While often compared to a "phone book," modern DNS is a globally distributed database that facilitates load balancing, geographic routing, and identity verification.

Recursive vs. Iterative Queries

In a recursive query, the resolver takes full responsibility for finding the answer and returns it to the client. In an iterative query, the server provides a referral to another server that might know the answer, requiring the requester to follow the chain themselves.

The Resolution Journey

1. The Stub Resolver

Your device (the "Stub Resolver") checks its local cache. If empty, it sends a recursive request to your configured DNS server (usually your ISP or a provider like Cloudflare).

2. The Root Servers

The recursive resolver queries one of the 13 root server clusters. The root server doesn't know the IP, but it knows who manages the Top-Level Domain (TLD) like .com or .org.

3. Authoritative Nameservers

After following the TLD referral, the resolver reaches the Authoritative Nameservers. These servers hold the final truth (the A, AAAA, or CNAME records) for the specific domain.

Privacy Protocols

DoH (Port 443)

DNS over HTTPS wraps queries in standard web traffic. This makes it nearly impossible for networks to block or monitor without disrupting the web itself.

DoT (Port 853)

DNS over TLS encrypts the raw DNS stream. It is the standard for "Private DNS" settings on mobile OSs like Android and iOS.

DoQ (Next-Gen)

DNS over QUIC runs DNS directly on QUIC, the transport beneath HTTP/3. Because QUIC eliminates head-of-line blocking, a single lost packet no longer stalls every other query in flight, giving the fastest encrypted resolution on unstable networks.

ODoH (Anonymous)

Oblivious DoH uses a proxy to hide the user's IP address from the DNS resolver, separating your identity from your query.

The Chain of Trust (DNSSEC)

While encryption protects privacy, DNSSEC ensures authenticity. It uses digital signatures to verify that the record you received is exactly what the domain owner published.

Key record types in the chain: DS, RRSIG, DNSKEY, NSEC3.

Warning: Incorrectly configured DNSSEC is one of the leading causes of complete domain outages.
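The chain of trust hinges on the DS record in the parent zone matching the child's DNSKEY exactly; a stale or mistyped DS is the classic misconfiguration behind the outages mentioned above. The following is an added example, not code from the article: it computes the RFC 4034 key tag and the SHA-256 DS digest (RFC 4509) for a DNSKEY and checks a DS against it. The key bytes and owner name are constructed for illustration.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical owner name: lowercase, each label length-prefixed, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm (1 byte), public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum of the RDATA (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()

def ds_matches(owner: str, rdata: bytes, ds_key_tag: int, ds_alg: int,
               ds_digest_type: int, ds_digest: bytes) -> bool:
    """True only if the DS published in the parent points at this exact DNSKEY."""
    if ds_digest_type != 2:
        return False  # only SHA-256 digests are handled in this example
    return (key_tag(rdata) == ds_key_tag
            and rdata[3] == ds_alg
            and ds_digest == ds_digest_sha256(owner, rdata))

# Constructed sample: a KSK (flags 257 = ZONE|SEP), algorithm 8, with a dummy 4-byte key.
SAMPLE_OWNER = "Example.COM."
SAMPLE_RDATA = dnskey_rdata(257, 8, bytes([0x00, 0x01, 0x02, 0x03]))
# The DS tuple a registrar would publish in the parent zone for this key.
SAMPLE_DS = (key_tag(SAMPLE_RDATA), 8, 2, ds_digest_sha256(SAMPLE_OWNER, SAMPLE_RDATA))

if __name__ == "__main__":
    print("key tag:", SAMPLE_DS[0], "digest:", SAMPLE_DS[3].hex())
    print("DS matches DNSKEY:", ds_matches(SAMPLE_OWNER, SAMPLE_RDATA, *SAMPLE_DS))
```

Running the same check against a rolled key with the old DS still in the parent returns False, which is exactly the state that causes validating resolvers to return SERVFAIL for the whole zone.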

Performance & TTL

Anycast Routing: Modern DNS providers (like Cloudflare or AWS) use Anycast to announce the same IP address from hundreds of data centers globally. Your query is automatically routed to the nearest physical server, minimizing latency.

Stale-While-Revalidate

A resolver technique in which a cached record, even one whose TTL has expired, is served immediately while a fresh copy is fetched in the background, so clients are not stalled by a slow or unreachable authoritative server.

Negative Caching

If a domain doesn't exist (NXDOMAIN), resolvers cache that failure to prevent repeated fruitless lookups.