What is DNS?

DNS returning the website you want to visit.

The Domain Name System (DNS) acts as the phone directory of the Internet. Instead of phone numbers, computers communicate using numeric addresses called IP addresses that look like

Numbers are fine for computers, but humans are terrible at remembering them. Imagine having to know that to reach Google, you’d have to type in And that’s just one site—there are millions more on the internet! You’d need a great memory or a massive notebook and an awful lot of patience to remember them all. Do you remember all of your friends’ phone numbers?

DNS solves the memory issue as it provides a way for a computer to accept a human-readable name (such as www.expressvpn.com) and convert it into an IP address.

So far so good, but here’s the catch: To find out what IP address goes with which name, you must ask a DNS server. By default, you’re most likely using your Internet Service Provider’s (ISP) DNS servers, and therefore you’ll be asking their DNS server to find the IP address for you.

The problem is that to locate the IP address you want, you must tell your ISP who you want to talk to. So even though they might not see what you’re sending to and from that site, they know which sites you tried or wanted to visit, because you looked up that site’s IP address.

What is DNS caching?

DNS caching temporarily stores DNS records of the domain names you’ve recently visited on your device or a web browser. This removes the need for making new DNS queries and returns the website you want to visit more quickly.

  • Browser DNS caching: Browser DNS caching captures your recent DNS queries and saves them on a web browser, like Google Chrome or Firefox.
  • Operating system (OS) level DNS caching: Operating system DNS caching operating systems such as macOS, Windows, and Linux.

Jump to…
How does DNS work?
What is a DNS resolver?
What are the types of DNS queries?
Steps in a DNS lookup
What does DNS allow ISPs to see when you visit a website?
Protect your DNS traffic with ExpressVPN
FAQ: About DNS (Domain Name System)

How does DNS work?

Let’s take google.com, the most visited website in the world, to explain how DNS works.

When you want to visit google.com, your device needs to find the IP address associated with google.com. Your device makes a DNS query via a DNS client, usually a web browser, like Chrome.

The DNS query goes to a recursive DNS server (also known as a recursive resolver) which asks other DNS servers to resolve google.com with its IP address. The servers which hold such information are called authoritative name servers.

After an initial DNS query is made, the search goes to a root server. Root server holds information on top-level domains, which is the last segment of a domain name (the .com in google.com) as well as country domains. Root servers are located around the world, so the request will pick the closest one to you.)

After reaching the correct root server, the search goes to a top-level domain server (TLD nameserver). It stores information for the second-level domain, which is, in our example, google. The request then goes to a domain nameserver, which looks up the IP address and shows you google.com on your device. And this all happens in a matter of milliseconds!

The four DNS servers involved in showing you a website

When you enter a website into a web browser’s address bar, there are four DNS servers working together in the background to load up the website for you. They are recursive resolvers, root nameservers, TLD nameservers, and authoritative nameservers.

DNS recursor

A DNS recursor is the first stop in a DNS query, acting as a middleman between your device and a DNS nameserver. It will either respond with cached data, which is stored information about the websites you’ve already visited, or treat the query as a new request and allow other servers in line to handle it.

Root nameserver

The root server is responsible for converting human-readable hostnames to IP addresses. It has information on where the websites are located on the server and points in their direction. It will return a list of TLD servers so your device can continue with the query by handing it over to a TLD server.

Top Level Domain nameserver

A TLD nameserver has information for all the domain names that share a common domain extension, like .com or .org. TLDs are divided into two categories: organizational hierarchy and geographical hierarchy. Organizational examples include .com, .gov, and .edu. For example, a .com TLD nameserver contains information about all the websites ending in .com. Geographical TLDs are localized to certain geographical areas of operations.

Authoritative nameserver

The authoritative nameserver is the last step a DNS query reaches out to. It contains information specific to the domain name and provides a recursive resolver with the IP address.

An authoritative nameserver satisfies the DNS query from its own data without having to pass the query to other servers; it is the final source of truth.

What is a DNS resolver?

A DNS resolver, also known as a recursive resolver, acts as the middleman between a DNS client, which is usually your web browser, and DNS nameservers which has information on the IP address for the website you want to visit.

The DNS resolver receives the website you’ve typed in into a web browser’s address bar. It starts its job of tracking down its IP address, first by looking in its local cache to see if you’ve visited the website in the past. If it can find the website in the local cache, the query is resolved immediately.

If it can’t find the hostname, the DNS resolver sends the request to a root server, which has information on where websites are located on the server and points to their direction.
After that, it’ll receive more information from the TLD nameserver and authoritative nameserver. When the DNS resolver finally receives the IP address, it’ll show you the website you want to visit.

Differences between an authoritative DNS server and a recursive DNS resolver

The difference between an authoritative DNS server and a recursive DNS resolver is that they have different functions in a DNS query to return the website you want to visit.

Let’s use the phone book analogy, and think of IP addresses as phone numbers and domain names are people’s names. To make matters more interesting, let’s imagine you have a few phone books at hand. A recursive DNS resolver is responsible for finding the right phone book for you, while an authoritative DNS resolver holds the right phone book for the number you’re looking for.

What are the types of DNS queries?

A DNS query is a message sent by the client to the DNS server, which contains a list of “questions” that the DNS server will reply to with an answer. There are 3 common types of DNS queries.

Recursive query

When a DNS client (such as a web browser) makes a recursive query, the DNS resolver must hunt down the answer. It’ll start by querying the root server until it finds the authoritative nameserver with the answer.

Iterative query

When a DNS client makes an iterative query, the DNS resolver simply tells the DNS client what it knows instead of having to hunt down the answer itself. This means that it can either deliver a local cache record or refer the DNS client to the root server or an authoritative nameserver. Once referred, the DNS client will repeat the query to the DNS server it was referred to.

Non-recursive query

A non-recursive query takes place when the DNS resolver already knows the answer. This means it either returns a DNS record immediately because it’s stored in a local cache or it can reach the authoritative DNS nameserver that holds the correct IP address for the hostname. There’s no need for additional rounds of queries.

Steps in a DNS lookup

  1. You enter a website into your web browser’s address bar. This starts a DNS query, which is picked up by the DNS recursive resolver.
  2. The DNS resolver sends the query to a root nameserver.
  3. The root server responds to the DNS resolver with the address of a Top Level Domain (TL) nameserver. For example, if you want to visit expressvpn.com, the query will go to a TLD which has information about websites ending in .com.
  4. The DNS resolver makes a request to the .com TLD.
  5. The TLD server responds with the IP address of the website you want to visit.
  6. Lastly, the recursive resolver sends a query to the authoritative nameserver.
  7. The authoritative nameserver returns the IP address of the website you want to visit to the DNS resolver.
  8. The DNS resolver responds to the web browser with the IP address of the website.

Is DNS secure?

No, it’s not. Without a VPN, you’re using the DNS servers provided by your internet service provider—which are not secure. As they usually have no built-in security features, attackers can quite easily hijack them to redirect you to websites different from the ones you are intending to visit, usually to steal your personal information or infect your device with malware. This malicious attack is called DNS hijacking.

Thankfully, VPN providers run their own DNS servers to protect your internet traffic. When you’re connected to ExpressVPN, you’ll use its secure DNS servers, keeping your internet traffic protected.

What does DNS allow ISPs to see when you visit a website?

Think of DNS as calling directory inquiries (we assume that’s still a thing!?). The operator will ask you who you are looking for and they will then give you that person’s phone number. If you don’t provide them with the name, they obviously can’t look up that phone number.

But that’s not all; the phone company will also know the following metadata:

  • Who you want to call (because you told them)
  • What time you made the request
  • Likely your phone number and where you called from

Altogether, they can say: “A person with phone number xxx called at 7:05 pm on September 18, and asked for John Smith’s phone number”. That’s quite a lot of information about you.

What’s worse is that a third party can assume that if you make a call to directory inquiries for a John Smith’s number, you also want to speak to said John Smith—and it’s entirely possible that he might be a person of interest to someone who is spying on you.

But how do directory inquiries relate to an internet-based scenario? If you want to visit www.expressvpn.com, then the following will occur:

  • Type the URL into your browser
  • Your computer will send a request to your DNS server to ask for the IP address
  • The DNS server will find the IP address and return it to your computer

The DNS server can see that a computer at IP address looked up the IP address for www.expressvpn.com at 7:06 pm on September 18, 2017.

The only reason your computer would attempt to look up that name would be if you were trying to connect to it. So, much like the phone number analogy, it can be assumed that it’s a website you want to visit.

Protect your DNS traffic with ExpressVPN

The good news is that when you connect with ExpressVPN, our servers handle all of your DNS requests—not your ISP.

In fact, because ExpressVPN secures your traffic, your ISP can’t even tell if you make a DNS request. We never log DNS requests, and when we look up a name on your behalf, all any other DNS server can see is our server address—they can never see you.

As everyone on the same server shares the same DNS server as you, all the requests come from a single source, mingling your requests in with everyone else’s. Even if someone were to be interested in DNS traffic, they wouldn’t be able to isolate any particular user.

Let’s run through the directory enquire scenario again, but this time for a user secured with ExpressVPN:

  • Type www.expressvpn.com into your browser
  • The DNS lookup goes to an ExpressVPN DNS server
  • Your ISP cannot see it or even identify it as DNS traffic
  • Our DNS server makes the request on your behalf

What this then looks like to another DNS server is: An ExpressVPN server requested the address for www.expressvpn.com at 7:09 pm September 18, 2017. In short, it tells them nothing about who actually made the request, and thus your privacy is secured.

FAQ: About DNS (Domain Name System)

What is DNSSec?
What is DNS over HTTPS (DoH)?
How do I find my DNS server?
What are common DNS records?
Is 1.1 1.1 still the fastest DNS?
Should I use 8.8 8.8 DNS?
What is the difference between DNS and IP?
The devs are the backbone of ExpressVPN and occasionally contribute their otherworldly wisdom to the blog.