Newsletter
Latest articles
DNS in Practice: History, Functioning, and Its Role in Cybersecurity

DNS in Practice: History, Functioning, and Its Role in Cybersecurity

by Alex de Oliveira
June 5, 2025
16-minute read

The Invisible Maestro Behind the Connections

IT professionals often observe the "magic" that happens behind the scenes when a user types an address like lumiun.com into a browser and, in seconds, the page loads. Behind this apparent simplicity lies a robust and fundamental system for the internet as we know it: the DNS, or Domain Name System . For the IT community, understanding DNS is not just a technical curiosity, but a fundamental point for ensuring the security and efficiency of the networks under their responsibility.

In this article, we propose a detailed analysis of DNS. We will address its origin, understand its operation clearly and with analogies that facilitate understanding, explore its benefits and, very importantly, the associated risks, especially in the context of information security. The goal is that, by the end of the reading, the IT professional will have a solid understanding of how this system governs internet traffic and how it can be used to protect corporate networks.

 

Prefer to watch? We've prepared a complete video on the topic:

YouTube player

Once upon a time, before DNS: The Internet in its Early Days

Imagine a digital world where, to visit your favorite website, you needed to memorize a complex sequence of numbers, something like 172.217.160.142 instead of simply google.com . Sounds like a nightmare, doesn't it? Well, that was the reality in the early days of the internet, before the emergence of our hero, the DNS .

The Arpanet Challenge and the HOSTS.TXT File

In the 1970s, Arpanet, the precursor to the internet as we know it, was a relatively small community with a few hundred computers (called hosts ). To allow these machines to find each other, there was a central file called HOSTS.TXT . Think of it as a single, manual phone book for the entire network. This file contained the name and numerical address (the IP address) of each connected computer.

Maintaining this file was a complex task, centralized in the Network Information Center (NIC), located at the Stanford Research Institute (SRI). Network administrators would email updates (a new computer added, a change of address) and, periodically, the NIC would compile everything into a new version of HOSTS.TXT. Each host on the Arpanet then needed to download this updated list to know "who was who" on the network.

However, the success of Arpanet and the subsequent adoption of TCP/IP protocols caused the network to "explode" in size. What was a viable solution for hundreds of hosts became a gigantic bottleneck. The problems were many:

  • Unsustainable Traffic and Load: The size of HOSTS.TXT grew exponentially with the number of hosts. Worse still, the traffic generated by each machine downloading frequent updates overloaded the network and servers.
  • Name Collision: How to ensure that two different administrators did not choose the same name for their computers? The NIC attempted to manage unique numerical addresses, but it had no authority over names. A new host with a duplicate name could simply "break" access to an already existing host.
  • Consistency Compromised: Keeping the HOSTS.TXT file perfectly synchronized with the reality of a constantly changing network was a nearly impossible task. By the time the file was finally updated and distributed, some host might have already changed address, or a newly added host might have caused connection problems.

Ironically, Arpanet's own success made the HOSTS.TXT system obsolete. The internet needed something smarter, more distributed, and more scalable.

The Need for a New Solution

The pioneers of Arpanet knew they needed an alternative. The goal was to create a system that would solve the problems of HOSTS.TXT, allowing for decentralized name management. Each local administrator could manage the names of their own hosts and make this information available to the rest of the world, without depending on a central entity for every small change. This would not only alleviate traffic and processing bottlenecks but also make updates much faster. Furthermore, the new system should use a hierarchical naming structure, ensuring that each name was unique in the internet universe. The seed of DNS was planted!

The Birth of DNS: A Silent Revolution

The HOSTS.TXT crisis catalyzed innovation. The Arpanet community needed an elegant and robust solution, and it came from a visionary.

Paul Mockapetris and the Creation of the Domain Name System

The person responsible for designing the solution that would forever change how we navigate the internet was Paul Mockapetris , from the Information Sciences Institute (ISI) at the University of Southern California. In 1983, he published RFCs (Request for Comments) 882 and 883, which described the Domain Name System (DNS) . These documents were the precursors to the specifications that would become the standard, RFCs 1034 and 1035, released in November 1987, which are still the basis of the DNS we use today.

The brilliance of Mockapetris' proposal lay in a hierarchical and distributed system. Instead of a central archive, there would be a network of servers, each responsible for a part of the internet's "map." Names would be organized into domains and subdomains (such as lumiun.com , where .com is the top-level domain and lumiun is a subdomain), ensuring uniqueness and allowing administration to be delegated.

DNS History

Evolution and Standardization

The introduction of DNS was not an isolated event, but the beginning of a continuous evolution. One of the first and most important implementations of DNS server software was BIND (Berkeley Internet Name Domain) , developed by students at the University of California, Berkeley, in 1984. BIND quickly became the most widely used DNS implementation on the internet, a status it maintained for many years.

Over time, DNS continued to evolve to meet the growing demands of the internet. Mechanisms such as:

  • NOTIFY: Allows a primary DNS server to notify its secondary servers about updates, preventing them from having to make periodic queries to check for changes.
  • IXFR (Incremental Zone Transfer): Allows only changes within a specific DNS zone to be transferred, instead of the entire zone, thus optimizing updates.
  • DNSSEC (Domain Name System Security Extensions): Adds a layer of security to DNS, helping to prevent certain types of attacks, such as cache poisoning (we'll talk more about this later).

This capacity for adaptation and continuous improvement is one of the reasons why DNS remains so vital, even decades after its creation.

How Does DNS Work in Practice? Demystifying the Magic!

Now that we know the story, let's get to what interests many IT professionals: how does this "magic" of translating names into numbers actually happen? The good news is that, despite seeming complex, the fundamental concept is quite intuitive, especially with the right analogies.

The Analogy of the Telephone Directory (or Library Catalog) of the Internet

The most classic – and still very effective – analogy is to think of DNS as the internet's phone book . In the old days (some of us still remember!), to call someone, you looked up their name in the directory and found the corresponding phone number. DNS does something very similar: you type in a domain name (e.g., lumiun.com ), which is easy for us humans to remember and use, and DNS translates it into an IP address (e.g., 192.0.2.42 ), which is the "phone number" that computers and servers use to find each other on the network.

Another useful analogy is that of a gigantic library catalog . You want a specific book (the website), but you only know the title (the domain name). The DNS is the cataloging system, and the librarians guide you step by step through the correct section (top-level domain), the right shelf (domain), until you find the exact book (the server with the IP address).

telephone directory

The Key Players in DNS Resolution (The Journey of a Query)

For this translation to occur, a series of "characters" (specialized DNS servers) come into play. Let's get to know the main actors in this game:

  1. The User and the Browser: It all starts with you, the user, typing a domain name into your browser (or clicking on a link).
  2. Recursive DNS resolver (or DNS resolver): This is the first server your computer contacts. It's usually provided by your internet service provider (ISP) or it can be a public service like Google DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1). Think of it as the helpful librarian who receives your request and takes care of finding the information. An important feature of the resolver is local caching : if it has resolved that domain name recently, it may have the IP address saved and respond immediately, speeding up the process.
  3. Root Server (Authoritative Server): If the resolver doesn't have the information cached, it queries a Root Server. There are only 13 "root server addresses" in the world (operated by various organizations and replicated globally). They don't know the final IP address, but they know who is responsible for the top-level domains. It's like the large master index of a library , which points to the major sections. On the root-servers.org you can view a map showing where the root servers are located.
  4. Authoritative TLD (Top-Level Domain) Server: With the indication of the root server, the resolver queries the corresponding TLD server. The TLD is the final part of the domain, such as .com , .org , .net , or country codes like .br , .pt . This server knows who is responsible for the domains within that specific TLD (e.g., who is responsible for lumiun.com within .com ). It's like a specific shelf in our library.
  5. Authoritative Name Server: Finally, the resolver contacts the Authoritative Name Server for the domain in question. This is the server that holds the official and definitive information about that specific domain, including its IP address. It is the final dictionary on the shelf , containing the "definition" (the IP address) of the name you searched for.

Step-by-Step Guide to a DNS Query (Without Caching)

Let's visualize the complete journey of a DNS query, assuming the information is not in any cache:

  1. You type www.google.com into your browser. Your computer sends the query to the configured DNS resolver.
  2. The recursive DNS resolver asks an authoritative root server: "Hey, who knows about .com ?"
  3. The authoritative Root Server replies: “The TLD server for .com knows. Its address is 192.5.6.30 .”
  4. The recursive DNS resolver asks the .com : "Hello, who is responsible for google.com ?"
  5. The authoritative TLD server for .com responds: “The authoritative name server for google.com is 216.239.32.10 .”
  6. The DNS resolver asks the authoritative name server for google.com : "What is the IP address for www.google.com ?"
  7. The Authoritative Name Server responds: “The IP address is 172.217.29.196 .”
  8. The DNS resolver assigns this IP address to your computer.
  9. Your browser now knows the "phone number" of the website www.google.com and can finally connect to it to load the page!

Flowchart

DNS Caching: Speeding Up Browsing and Relieving Load! If every DNS query had to go through all these steps every time, browsing would be much slower! Fortunately, DNS caching comes into play. Your operating system, your browser, and the resolver servers themselves store DNS responses for a period of time (defined by the TTL – Time To Live – of the DNS record). So, if you or someone else on the same network has recently accessed www.google.com , the response may come directly from the cache, making everything much faster and reducing the load on global DNS servers. It's the system's intelligence working to optimize the experience!

DNS: Much More Than Names and Numbers – Essential Benefits

DNS is much more than a simple translator of names to IP addresses. It is one of the pillars that support the usability and robustness of the modern internet, offering a number of important benefits for end users, system administrators, and developers alike.

  • Ease of Internet Use: This is the most obvious and perhaps the most impactful benefit for everyday life. Thanks to DNS, we don't need to be memory geniuses to navigate the web. Domain names like lumiun.com/blog are intuitive, easy to remember and share, making the online experience accessible to everyone. Without it, the internet would be a tangled mess of indecipherable numbers.
  • Scalability and Decentralization: The distributed and hierarchical nature of DNS is what allows the internet to grow exponentially without collapsing. New domains and servers can be continuously added anywhere in the world, and the DNS system efficiently propagates this information. There is no single point of failure that would bring down the entire internet (although attacks on root servers can cause major disruptions, as we will see).
  • Flexibility and Simplified Management: For those who manage IT infrastructure, DNS offers immense flexibility. If you need to change the server hosting your website to a new IP address, for example, simply update the corresponding DNS record. Users will continue to access it using the same domain name, without even noticing the change behind the scenes. This simplifies migrations, maintenance, and infrastructure upgrades.
  • Possibility of Additional and Intelligent Services: DNS is not limited to mapping a name to a single IP address. It supports various record types that enable a range of advanced services, such as:
    • Load Balancing: A single domain name can be associated with multiple IP addresses on different servers. DNS can distribute requests among these servers, helping to avoid overloads and improving the performance and availability of web applications.
    • Geolocation and Content Delivery Networks (CDNs): It's possible to configure DNS to direct users to the geographically closest server. This is crucial for CDNs, which store copies of websites in multiple locations around the world to speed up page loading and reduce latency.
    • MX Records for Email: Mail Exchange (MX) records in DNS specify which servers are responsible for receiving emails for a given domain, and are fundamental to the functioning of email.
    • TXT Records for Verification and Security Policies: Text (TXT) records are used for various purposes, such as verifying domain ownership for third-party services (Google Search Console, for example) and implementing email security policies like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance), which help combat spam and phishing .

In short, DNS is a silent but powerful cog that makes the internet more user-friendly, resilient, and capable of supporting a myriad of complex services we use daily.

The Dark Side of DNS and the Network's First Line of Defense

Despite being a fundamental and ingenious component of the internet, DNS, by its very nature and ubiquity, has also become a vector and a strategic control point in the cyber threat landscape. Understanding the risks associated with DNS and, more importantly, how it can be used as a powerful first line of defense, is essential to protecting networks and the data that travels through them.

Why is DNS a critical point in security?

DNS is essentially the internet's routing system. Almost every connection to an external resource (a website, an update server, a cloud service) begins with a DNS query. If an attacker manages to compromise or manipulate DNS responses, they can redirect users wherever they want. However, this very reliance on DNS to initiate connections makes it an ideal choke point for security: if an attempt to connect to a known malicious destination can be blocked before the DNS query even resolves to a dangerous IP address , the threat can be neutralized at its earliest stage.

Threats that exploit DNS directly

There are threats that directly target the DNS infrastructure and protocol:

  • DNS Cache Poisoning / DNS Spoofing : An attacker inserts false information into a DNS server's cache, causing it to provide a malicious IP address instead of the legitimate one. Users attempting to access trusted websites are redirected to fake sites to steal credentials, banking data, or install malware.
  • Denial-of-Service (DoS/ DDoS ) attacks against DNS servers: These attacks render DNS servers unavailable, preventing the translation of domain names into IP addresses and making websites and services inaccessible.
  • DNS Hijacking: The criminal alters the DNS settings of the user, router, or even the domain registrar to redirect traffic to malicious destinations.
  • DNS Amplification: A type of DDoS attack where attackers use open DNS servers to send massive responses to a victim, overloading their network.
  • DNS Tunneling: The DNS protocol is used to encapsulate other types of traffic, creating secret channels for data exfiltration or communication with malware Command and Control (C&C) servers.

DNS Filtering: A Broad Layer of Protection Against Diverse Threats

It's important to understand that the importance of DNS for security goes far beyond protecting against attacks that directly the DNS protocol. DNS filtering emerges as a proactive and highly effective security tool for blocking a wide range of threats that, while not essentially "DNS attacks," rely on domain name resolution to achieve their goals. By controlling which domains can be resolved, companies can prevent users and systems from connecting to dangerous destinations on the internet. This includes:

  • Malware and Ransomware : Many types of malware and ransomware need to communicate with Command and Control (C&C) servers to receive instructions, send stolen data, or obtain encryption keys. DNS filtering can block access to these known C&C domains, effectively neutralizing or hindering the malicious software's actions.
  • Phishing and Fraudulent Websites: Phishing websites are designed to trick users and steal credentials or financial information. DNS filtering can prevent access to these known fraudulent websites, protecting users even if they click on a malicious link in an email or message.
  • Botnets: Infected devices (bots) on a network communicate with a C&C server to form a botnet, which can be used for DDoS attacks, spamming, etc. Blocking the domains of C&C servers via DNS can dismantle or isolate these zombie networks.
  • Newly Registered or Suspicious Domains (NRDs): Many attacks use recently registered domains because they have not yet been classified as malicious. Some DNS filtering solutions can identify and block or alert about access to these NRDs, which have a statistically higher probability of being dangerous.
  • Unwanted or Unproductive Content: In addition to security, DNS filtering also allows companies to implement internet usage policies, blocking access to categories of websites that may be inappropriate for the work environment, such as social networks, games , adult content , unauthorized file-sharing sites, etc., increasing productivity and reducing legal risks.

Threats

The Real Impact: Consequences of a Successful DNS Attack. Don't underestimate the power of a DNS attack. The consequences can range from the frustration of users who cannot access a service to significant financial losses due to fraud, theft of intellectual property, damage to brand reputation, and high costs to remedy the situation and restore trust. For businesses, a DNS-related security incident can be devastating.

Protecting the Internet Gateway: DNS Security in Focus

If DNS is the gateway to the internet, then protecting that gateway is essential. For businesses and IT professionals , ensuring DNS security is not a luxury, but an absolute necessity to maintain data integrity, business continuity, and user trust.

The Importance of DNS Security for Businesses and IT Professionals

Ignoring DNS security is like leaving your company's front door unlocked and expecting nothing to happen. The threats are real, and the impacts can be severe. A robust cybersecurity strategy must include specific measures to protect DNS infrastructure and queries.

Mechanisms and Best Practices for Protection

Fortunately, there are several tools and practices we can adopt to strengthen DNS security:

  • DNSSEC (Domain Name System Security Extensions): Think of DNSSEC as a seal of authenticity for DNS responses. It uses digital signatures to ensure that the DNS information received by your computer is genuine and has not been tampered with along the way. The adoption of DNSSEC by both domain owners and DNS resolvers helps mitigate cache poisoning attacks.
  • DNS Firewall and Content Filters: This is an extremely effective proactive layer of protection. One DNS FirewallOften integrated with web content filtering solutions, it works by inspecting DNS requests and blocking access to domains known to be malicious (hosting phishing, malware, botnet command and control servers, etc.) before the connection is even established. Beyond security, these tools can also be used to control access to categories of websites that may be unproductive or inappropriate for the work environment (social networks, games, adult content, etc.).
    • Solutions like Lumiun DNS offer robust layers of protection, acting as a proactive shield that filters threats before they even reach the company network, ensuring safer and more productive browsing for teams, including in remote work scenarios.
  • Monitoring DNS Query: Analyzing DNS traffic logs can reveal suspicious patterns, such as a large volume of queries to unknown or malicious domains, indicating a possible malware infection or an attempt to exfiltrate data via DNS tunneling. SIEM (Security Information and Event Management) tools can help correlate these events.
  • Use of Reliable and Secure DNS Resolvers: Opt for using DNS resolver servers from trusted providers that implement good security practices, such as DNSSEC validation and protection against DDoS attacks. Many internet providers offer this, but public services like Cloudflare (1.1.1.1), Google (8.8.8.8), or Quad9 (9.9.9.9) are also good alternatives, focusing on security and privacy.
  • Keep Software and Systems Updated: This includes the operating system of clients and servers, the firmware of routers and firewalls, and the software of the DNS servers themselves (such as BIND). Updates often fix known vulnerabilities that could be exploited in attacks.
  • Secure DNS Server Settings: If you manage your own DNS servers, ensure they are properly configured to prevent them from being used in amplification attacks (by disabling recursion for external clients, for example) and that they are protected against unauthorized access.

DNS threats

The Role of IT Professionals in Ensuring DNS Security. As an IT professional, you are on the front lines of cybersecurity defense. Educating users about risks, implementing appropriate protection tools, actively monitoring DNS traffic, and staying up-to-date on new threats and solutions are crucial responsibilities. A proactive stance towards DNS security can make all the difference between a secure network and a costly security incident.

Conclusion: DNS as a Pillar of the Modern Internet and Network Security

Our journey through the world of DNS has taken us from the early days of the internet, with the humble HOSTS.TXT file, to the complex and vital infrastructure we have today. We've seen how Paul Mockapetris revolutionized the way we connect, creating a hierarchical and distributed system that allowed the internet to scale to billions of users and devices.

We demystify the "magic" behind a DNS lookup, understanding the role of each server in translating friendly names into IP addresses. We explore the numerous benefits that DNS provides, from simple ease of browsing to enabling advanced services such as load balancing and CDNs.

However, we also faced the dark side: the various threats that exploit DNS, such as cache poisoning, hijacking, DDoS attacks, and tunneling, and the significant impact they can cause. But, more importantly, we saw that there are robust mechanisms and best practices to protect this essential gateway to the internet, with particular emphasis on solutions such as DNSSEC and DNS Firewalls, which act as proactive guardians of our browsing.

For you, the IT professional, DNS is not just another protocol. It's a fundamental pillar of the modern internet and a critical component of any network's security. A deep understanding of its workings, benefits, and risks is essential for building and maintaining more secure, resilient, and efficient digital environments. May this knowledge empower you to become an even better architect of the security and performance of the networks under your responsibility, ensuring that the "invisible conductor" continues to guide the internet harmoniously and securely.

References

  • RFC 1034: DOMAIN NAMES – CONCEPTS AND FACILITIES
  • RFC 1035: DOMAIN NAMES – IMPLEMENTATION AND SPECIFICATION
  • Articles and documentation from Cloudflare, Kaspersky, IBM, and Microsoft about DNS and DNS security.
  • Lumiun's blog content about DNS security and content filtering.
Try Lumiun DNS for free
Author
Alex de Oliveira
Hello, my name is Alex de Oliveira and I am the CTO and co-founder of Lumiun. At Lumiun, I lead the technical team responsible for creating and implementing information security solutions for companies of all sizes. If you need help implementing information security solutions for your company, you can count on me and the Lumiun team. We are always ready to help our clients achieve their goals securely and efficiently.
Related Posts