What is the Domain Name System (DNS)?
DNS is the internet's address book. Computers find each other using numeric IP addresses, but humans remember names — so DNS is the globally distributed system that translates a name like quantlabusa.dev into the address a machine can actually connect to. Almost every click, email, and API call begins with a silent DNS lookup, which is why DNS problems tend to look like "the whole internet is down."
How a lookup actually works
When you type a name, your device asks a recursive resolver — usually run by your ISP or a service like Cloudflare's 1.1.1.1 — to find the answer. If it is not cached, the resolver walks the hierarchy: it asks a root server who handles ".dev," asks that top-level-domain server who handles "quantlabusa.dev," then asks that domain's authoritative name server for the actual record. The answer flows back and gets cached at each hop. This whole chain typically completes in tens of milliseconds, and the caching is what keeps the root servers from melting under the weight of the entire internet.
The records you will actually edit
A handful of record types cover most real work. A and AAAA records point a name at an IPv4 or IPv6 address. CNAME records make one name an alias for another — the standard way to point a custom domain at a hosting platform or CDN. MX records direct email to the right mail servers. TXT records hold arbitrary text and have become the home of email authentication (SPF, DKIM, DMARC) and domain-ownership proofs. NS records delegate a zone to its authoritative servers. Knowing these five gets you through almost every deployment.
TTLs and propagation
Every record carries a TTL — time to live — that tells resolvers how long they may cache it. This is the source of the famous "DNS propagation" delay: when you change a record, the old value lives on in caches around the world until its TTL expires. There is no magic propagation; it is just caches timing out. The practical move is to lower the TTL a day before a planned migration so the cutover is fast, then raise it again afterward for efficiency. Misunderstanding TTLs is behind a huge share of "I changed it but it is still pointing at the old server" confusion.
DNS as a security surface
Plain DNS was designed in a more trusting era and has no built-in way to verify that an answer is genuine, which opens the door to spoofing and cache poisoning. DNSSEC adds cryptographic signatures so resolvers can confirm a record really came from the authoritative source. Encrypted transports — DNS over HTTPS and DNS over TLS — stop eavesdroppers from seeing or tampering with your queries in transit. DNS is also a prime target for attackers: domain hijacking, dangling records that point at de-provisioned cloud resources, and DNS-based data exfiltration all show up in real incidents and during a thorough security review.
At QUANT LAB
DNS sits underneath everything we deploy. In our cloud infrastructure work we manage zones as code so records are reviewed and version controlled rather than hand-edited in a panic, and we use sensible TTLs around cloud migrations so cutovers are clean. During a penetration test we enumerate DNS aggressively — subdomain discovery routinely surfaces forgotten staging hosts and dangling records that point at resources an attacker can claim. Boring, well-managed DNS is a quiet sign of an organization that has its infrastructure in order.
Running DNS without drama
The operational rules are simple but easy to skip. Lock the domain at the registrar and enable two-factor authentication — losing control of the domain is losing control of everything. Manage records as code so changes are reviewable and reversible. Watch TTLs around migrations. Clean up records that point at resources you no longer own before someone else claims them. Enable DNSSEC where your registrar supports it. DNS rarely needs attention day to day, which is exactly why neglected DNS becomes a slow-burning liability that surfaces at the worst moment.
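As an added example (not QUANT LAB's own tooling), here is a small pre-migration audit of zone records kept as code, covering two of the rules above: it flags CNAMEs whose targets no longer resolve and TTLs that are still above the value wanted for a cutover. The simplified "name ttl type value" layout, the sample records, and the names parse_zone, system_resolves, audit and cutover_ttl are all assumptions made for this illustration.

```python
import socket

# Constructed sample records in a simplified "name ttl type value" layout
# (an assumption for this example, not a real zone or a full BIND parser).
SAMPLE_ZONE = """\
@        300    A      192.0.2.10
www      3600   CNAME  app.hosting-platform.example.
staging  86400  CNAME  old-bucket.cloud-provider.example.  ; decommissioned?
mail     3600   MX     10 mx.mailhost.example.
"""

def parse_zone(text):
    """Return a list of (name, ttl, rtype, value) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments and blanks
        if line:
            name, ttl, rtype, value = line.split(None, 3)
            records.append((name, int(ttl), rtype.upper(), value))
    return records

def system_resolves(hostname):
    """True if the system resolver returns any address for hostname."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def audit(records, resolves=system_resolves, cutover_ttl=None):
    """Return (name, issue, detail) findings.

    dangling-cname: CNAME target does not resolve. Treat it as a lead to
    confirm with the resource owner; a transient resolver failure looks the
    same, and a target that still resolves may still be unowned.
    ttl-above-cutover: TTL exceeds the value wanted before a migration.
    """
    findings = []
    for name, ttl, rtype, value in records:
        if rtype == "CNAME" and not resolves(value.rstrip(".")):
            findings.append((name, "dangling-cname", value))
        if cutover_ttl is not None and ttl > cutover_ttl:
            findings.append((name, "ttl-above-cutover", ttl))
    return findings

if __name__ == "__main__":
    # Stub resolver so the demo runs offline; drop it to use real DNS.
    stub = lambda host: host != "old-bucket.cloud-provider.example"
    for finding in audit(parse_zone(SAMPLE_ZONE), stub, cutover_ttl=300):
        print(finding)
```

Run in CI against the zone files, a check like this turns the cleanup rule into a reviewable failure instead of something remembered during an incident.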