DNS: one of the core services that anyone with a computer relies upon to access resources outside of that computer. Whether it’s a phone browsing TikTok, or a corporate server getting operating system updates, they all use DNS in the background to make those things happen.
But what is it? Do I need to know?
DNS: The internet’s address book
DNS, or to give it its full name, the Domain Name System, is, simply put, a service hosted in many places on the internet that translates a name (or a URL) into a number: the number allocated to the resource you want to access.
Uh.. what?
Consider this scenario: You’re using a web browser to look at eBay, looking for a pair of shoes, for example. As it’s eBay, it’s quite possible that you might have an app for it on your phone or tablet, but let’s assume you’re using a web browser like Edge, Firefox or Chrome.
How did we access that website? It’s possible that we could have typed www.ebay.com into the browser address bar, or there may be a favourite saved for www.ebay.com. Either way, the browser input was www.ebay.com. Not long after “enter” or “go” is pressed (or clicked), the eBay website appears. But how does the browser know where that website is?
Internet addressing
To explain that, we need to look at internet addressing. (We won’t, however, be looking at load balancing, or resource direction through http headers. That’s for another post. Maybe.)
For every internet facing resource (like eBay.com or aldi.com) there must be a physical point to which your browser can make a connection. (There will be other stuff going on in the background, but again, that’s not for this post.) That physical point will likely be a network interface (e.g. a firewall) located in a datacentre, on a big virtual platform. That physical point will have what’s known as an IP address.
That IP address is a number string made up of four sets of numbers separated by dots, like this: 23.48.165.141 – this is a known standard for addressing on the internet. There are caveats, such as each set of numbers must not exceed 255, but we’re not interested in that right now. The point is, a unique set of those numbers (23.48.165.141 or 18.245.143.41) is allocated to the network interface of a resource on the internet.
That’s it then, right? Not quite.
If you typed those numbers (the IP address) into a web browser’s address bar and hit enter (or go) then yes, you might arrive at the website it’s allocated to. (More than likely not, however, as that’s not the currently accepted format for a web URL and it will probably fail.)
The URL
What is a URL? A URL is a reference to a resource located on the internet (such as eBay.com) and – crucially – a mechanism for how to get there. The mechanism that we use almost all the time nowadays is http (or https).
In fact, it is so common nowadays that we don’t even have to type that bit into a web browser any longer; it does it automatically for us. So when we type “ebay.com”, what actually appears in the browser address bar (and in the properties of a saved favourite) is: https://ebay.com
I’m not going into depth with transport protocols in this post, other than to say: think of the http and https protocols as a delivery driver. When we type ebay.com into the browser, the delivery driver takes that packet of information from the browser and drives it to where the network interface mentioned earlier is physically located, and then comes back with a web page. Of course, that’s all done through Wi-Fi and wires.
And that (finally) brings us to DNS!
A DNS server
We have talked about IP addresses and we have talked about URLs. What we haven’t talked about (yet) is how the imaginary delivery driver of the above paragraph knows where the network interface of ebay.com is physically located.
And that is where the DNS server comes in. I mentioned that all of the internet facing resources have network interfaces with a unique number (the IP address) attached to them. They don’t have names, like ebay.com or aldi.com.
Why not?
The simple answer is because computers and network devices aren’t human and communicate using numerical identifiers. These are more efficient for routing data across the internet. Here’s why:
- Machine Readability – Computers process numbers much faster than text. IP addresses are structured numerical formats optimized for network routing.
- Uniqueness & Precision – Each device on a network has a unique IP address, ensuring precise identification. Names (like domain names) could be ambiguous, but IPs are exact.
- Routing Efficiency – Internet routers and networking hardware are designed to handle numbers efficiently. They use IP addresses to determine the best path for data packets.
- Scalability – The internet consists of billions of devices. A structured numerical system like IP addressing allows for scalable and hierarchical addressing.
Think of it as a postal code, but one that’s unique to each interface, rather than a group of them.
Enter DNS
While humans prefer names (like ebay.com), the DNS system translates domain names into IP addresses, allowing users to type easy-to-remember names while computers use the underlying numerical system to route the traffic to where it needs to go. Hence the use of specific servers (DNS servers) that store that information and will respond to anyone who asks.
But consider this: You could be anywhere in the world and want to visit ebay.com. If only one DNS server held that information about ebay.com, then it would be a pretty busy server and would probably take a while to respond to the millions of queries at any one time.
To alleviate that, there is a whole network (millions of them) of DNS servers dotted all around the globe that hold copies of that name-to-IP information. Not every server holds a complete set of name-to-IP information (it would be a pretty big server), but each does store information about where to find it. That way, the information is spread around several servers, so that if some are unavailable, others can reply on their behalf.
The other benefit of having multiple DNS servers is that if a record gets updated, that update will be propagated throughout the DNS network automatically.
Our imaginary data delivery driver now has a starting point (our browser) and an end point (ebay.com). But at the moment, it doesn’t know how to get there.
How *does* the traffic know where to go?
Sticking with the ebay.com example again, between my house and where the ebay.com server is, there could be hundreds, or even thousands, of miles. Consider the networks that are in between my house and ebay.com – there isn’t just one wire that runs between me and eBay. No, no! There are billions of wires, network routers and other internet-based and internet-facing devices that all share the same global interconnected information superhighway (as it used to be called).
So how does my imaginary delivery driver take my data packets from my computer to ebay.com?
Like this:
- The imaginary delivery driver uses my nearest DNS server to get the IP address of ebay.com. My nearest DNS server will be my ISP’s. My ISP’s DNS server will probably have the information already in its cache (or memory), as someone else might have already asked for it. If not, it’ll go and ask other DNS servers (called forwarding) where ebay.com is. If the next one doesn’t know, that one will ask another one. And so on and so forth, until it gets an answer.
- Now my imaginary delivery driver knows where it wants to go, but doesn’t know how to get there. Yet. But it does know how to get to my Internet Service Provider (ISP) router, as my ISP has automatically configured that for me as part of my broadband installation. With the eBay IP address clutched firmly in its imaginary hand, my imaginary delivery driver heads towards my home broadband router (usually the box that the ISP supplied when the broadband package was bought).
- From there, it’s stuck. So it asks the router where ebay.com is (but quotes the IP address number, rather than the name). The router replies with a “sort of” answer. Sort of, meaning that it knows where part of the IP address is supposed to go, as it has that listed in a routing table. Consider a routing table as a local map of the area where you live. It knows where the local amenities are, but is not aware of what’s over in the next city. It does, however, know how to get there. Our imaginary delivery driver now has some directions to help it along the way, so off it goes.
- Directed to the next router, our imaginary delivery driver asks the same question again – where is ebay.com (using the IP address). This router does the same as the last one and replies with the same “sort of” answer, and directs our imaginary delivery driver over to another router.
- That process repeats over and over again, ever getting closer to ebay.com. The routing tables in the routers have that directional information required to bring our imaginary delivery driver right up to the network interface of ebay.com. From where I live, there are six routers between me and ebay.com – each router my imaginary delivery driver speaks to is called a hop. So there are six hops.
- Once my imaginary delivery driver is at ebay.com, it delivers my data packets and picks up a load more to bring back to me. This time, however, my imaginary delivery driver remembers the route it’s taken, and so the return packets come back to me without the need to ask anyone (a router) for directions.
All this takes milliseconds, by the way.
In the browser, the ebay.com website appears and we go and search for some new shoes.
Have you forgotten about secure DNS?
I haven’t. But it’s reasonably important to do some background on DNS first. If you did TL;DR, then: DNS resolves names to IP addresses.
What is secure DNS?
Standard DNS queries are often unencrypted, meaning ISPs and attackers can monitor your browsing activity. Secure DNS services (e.g., DNS over HTTPS or DNS over TLS) encrypt your queries, preventing eavesdropping and enhancing privacy.
Secure DNS providers usually block access to malicious domains too, preventing phishing attacks, malware, and botnets. Some also offer real-time threat intelligence to protect against emerging threats, including the prevention of DNS Spoofing and Man-in-the-Middle Attacks.
Attackers can manipulate traditional (unencrypted) DNS to redirect users to fake websites (DNS hijacking). Secure DNS services validate responses using DNSSEC (Domain Name System Security Extensions), ensuring authenticity.
Some ISPs also block access to specific websites or inject ads into your browsing. Secure DNS can help bypass such restrictions and provide a more neutral internet experience.
And finally, you can get slightly better performance and reliability from public secure servers. Secure DNS providers (like Cloudflare 1.1.1.1, Google 8.8.8.8, or Quad9) often have faster resolution times and higher uptime than ISP-provided DNS servers.
Do I use it?
Not in the corporate environment I used to work in. I ran (and built) many DNS servers on the networks that I was responsible for, however the forwarders that we used were set to forward to specific NHS DNS servers, that were isolated on a specialist network. At the time they didn’t support secure DNS, so even if I wanted to use a secure connection, I couldn’t!
How about at home?
For years, I just used my ISP’s DNS servers (for the internet stuff) and never bothered with anything else. Then, halfway through writing a blog post about Raspberry Pi servers, the whole secure DNS thing clicked with me and I looked into it.
I looked into it, I researched it, I built proof of concept devices (on a Raspberry Pi) and now I’ve fully implemented it throughout my home network.
I think it’s made webpages load slightly faster (it could be my imagination). However, I now use secure DNS lookups for everything, all the time.
Should I use it? What if I’m not a computer-whizz?
You don’t have to be a computer-whizz to implement secure DNS at home. Popular browsers like Edge, Firefox and Chrome, on Windows and on Android phones/tablets, have easy-to-find areas in their settings where you can enable secure DNS and choose a public DNS provider (Google, Cloudflare etc.).
A quick internet search reveals that it’s also possible for Safari, iPhones and iPads, however it’s a bit more of a faff to do it (of course, it’s Apple rubbish! 😁).
Do remember that although your connection to that public secure DNS is encrypted, that DNS provider can still see (and possibly log) what you’re browsing for. But sometimes that’s better than your ISP seeing it!
Should you use it? Yes, you should, if you can. Odds-on you may never suffer from DNS spoofing or man-in-the-middle attacks, but better be safe than sorry.
A postscript:
I meant to incorporate the following bit in the main body of text – but of course forgot all about it! It’s about primary and secondary DNS settings and whether or not they should be used.
Primary and Secondary DNS settings
Most devices (Windows, Android etc.) can be configured with a primary and a secondary DNS address. Usually, this all happens in the background, especially in a home network environment, where these settings are set by the broadband provider.
In my home network, I am using my own internal DNS server to send DNS queries securely. Do I still need to configure a secondary DNS address, e.g. my router address, as a failover, in case the secure one fails?
No, is the answer to that one! An emphatic no, at that. I have one secure DNS server on my network, so I should only configure one DNS address for my internal clients and servers to use. Just the primary address.
The primary isn’t necessarily the only one used!
If you configure a primary and a secondary DNS address on your network clients, they will alternate between the two to perform their DNS lookups. Even though the implication is “use primary first and then secondary”, it doesn’t work like that in real life.
I know this to be a fact on Windows machines, and I suspect this is also the case with other operating systems too. I have just the one secure DNS server, so I want my clients to use that, rather than alternate between the secure and non-secure (if that was configured as the secondary).
Of course the other advantage of configuring just the one primary DNS address is that I’ll know if the secure DNS server has a problem. Had I configured a secure primary and a non-secure secondary, it might be a while before I noticed my logging wasn’t logging!
Have two secure servers then?
Well yes, I suppose so. But is it really worth it on a home network? No, I think not.