Field Guide · Networking
DNS turns names into addresses (and more). It is one of the highest-frequency root causes of "the network is broken" reports — and most of those are caching or resolver-selection problems, not DNS being "down." This guide is the deep-dive on how resolution actually works and how to troubleshoot it: the resolution path and its caches, why "propagation" is the wrong word, the record types, and a method built on one question — which resolver answered, and does it match the authoritative truth?
One principle runs through the whole guide: the authoritative server is the source of truth, and everything between it and the client is a cache of that truth. Almost every DNS fault is a stale cache, the wrong resolver, a hosts-file override, or a broken chain — not the authoritative data being wrong. Troubleshooting is mostly finding out which layer answered.
When an application resolves a name, the query passes through layers, each cached independently: the application or library cache, then the OS stub resolver (on Linux the lookup order — DNS, the hosts file — is set by nsswitch.conf, and /etc/hosts can short-circuit DNS entirely), then a recursive resolver. The recursive resolver is the workhorse: on a cache miss it walks the hierarchy on the client's behalf — root, then the TLD servers, then the zone's authoritative servers — and caches the answer for its TTL.
There is no propagation. An authoritative change takes effect immediately at the authoritative server. What you observe as delay is caches holding the old answer until their TTL expires. Three consequences follow, and they turn a vague "wait for DNS" into concrete actions:
| Record | Purpose |
|---|---|
| A / AAAA | Name to IPv4 address / IPv6 address. |
| CNAME | Alias: this name is really another name (the resolver follows the chain). Cannot coexist with other records at the same name. |
| NS | Delegates a zone to its authoritative name servers. |
| SOA | Start of Authority: the zone's primary server, serial, and timers — including the negative-cache TTL. |
| MX | Mail exchanger for a domain (with a priority). |
| PTR | Reverse lookup: IP to name (under in-addr.arpa for IPv4, ip6.arpa for IPv6). |
| TXT | Arbitrary text; carries SPF, DKIM, domain verification, and more. |
| SRV | Locates a service (host + port) — used by Active Directory, SIP, and others. |
| CAA | States which certificate authorities may issue certificates for the domain. |
A few behaviours that cause confusion: CNAME chains add lookups and must terminate at an A/AAAA; a name can have multiple A records, which clients pick from and cache — so this is crude round-robin, not real load balancing or failover; and MX and SRV carry priorities that clients are expected to honour.
Recursive vs authoritative are different jobs, and mixing up which one you are querying is a common troubleshooting error. A recursive resolver answers any query by chasing the hierarchy and caching; an authoritative server answers only for its own zones and does no chasing.
Forwarders: an internal resolver may forward unresolved queries to an upstream resolver instead of going to the root itself. Split-horizon (split DNS): the same name returns different answers depending on who asks — internal clients get internal addresses, external clients get public ones. Expect this inside organizations; "it resolves differently from home vs the office" is usually split DNS, not a fault. Public resolvers reachable at well-known anycast addresses sit topologically "everywhere," so two clients using the same resolver IP may hit different physical instances — which is why an intermittent failure can affect some users of "the same" resolver and not others.
The method is one comparison: identify which resolver answered, and check it against the authoritative answer. If they differ, the fault is in the resolver layer — a cache, the wrong server, or an override — not the zone data.
Read the response status, because each points at a different cause:
| Status | Meaning |
|---|---|
| NOERROR + answer | Resolved. |
| NXDOMAIN | The name does not exist — and this negative result is itself cacheable (§02). |
| NOERROR + no answer | The name exists but not for that record type (e.g. an AAAA query for an A-only name). |
| SERVFAIL | The resolver failed — broken upstream, DNSSEC validation failure, or unreachable authoritative server. A different cause from NXDOMAIN. |
| Timeout | The resolver itself is unreachable or not responding — wrong address, or udp/53 and tcp/53 filtered. |
A few faults and their signatures: the app resolves "wrong" while dig looks right (a different cache/resolver or a hosts entry — check nsswitch and the app's own config); a created record still "not found" (negative caching, or you're querying a cache not the authoritative server); works for small answers but fails for large ones or zone transfers (DNS uses UDP/53 normally but falls back to TCP/53 for large answers — a firewall permitting only UDP/53 breaks this); and SERVFAIL only for DNSSEC-signed zones (a validation failure — bad signatures, clock skew, or a broken chain of trust). The exact commands (dig, dig +trace, dig @server, resolvectl status, nslookup) are grouped on the Diagnostic Command Card.
Framed as specific threats and the residual risk each control leaves — never as a blanket "secure":
Rogue DHCP/DNS and resolver hijacking can point clients at attacker-controlled resolvers, a man-in-the-middle on every lookup. Mitigations live partly at Layer 2 (DHCP snooping) and partly in controlling and validating resolver configuration. Residual: none of this helps if a legitimate resolver is itself compromised.
DNSSEC lets a validating resolver cryptographically confirm that records came from the zone's owner and were not modified — mitigating spoofed and cache-poisoned answers. It provides authenticity and integrity, not confidentiality: queries and answers are still visible on the wire, and it only helps for signed zones reached through a validating resolver.
Encrypted transport — DoT, DoH, and DoQ — hides query contents from on-path observers. It does the opposite job from DNSSEC: it protects confidentiality, not the authenticity of the answer. DoH in particular blends into ordinary HTTPS, which complicates enterprise DNS visibility and filtering.
DNS as an exfiltration/C2 channel. Because DNS is almost always permitted outbound, attackers tunnel data through it. Monitoring query patterns — volume, name entropy, unusual record types — is a detection control, and it is a concrete reason egress control and DNS query logging matter. Filtering resolvers (Protective DNS / RPZ) can block resolution to known-malicious domains, which is the approach NIST's DNS security guidance (SP 800-81, currently revision 3 — verify the current revision) pairs with encrypted DNS so that encryption doesn't cost you all filtering visibility.
Name the threat each control addresses and what it leaves open: DNSSEC counters spoofing and poisoning but not surveillance; encrypted transport counters on-path interception but not a lying-but-authenticated resolver; egress monitoring counters tunneling but not a determined low-and-slow channel. "We enabled DNSSEC" and "we use DoH" are answers to different questions, and neither is a posture on its own.
App → OS stub (/etc/hosts, nsswitch) → recursive resolver (caches per TTL) → root → TLD → authoritative. Authoritative = truth; everything left of it is a cache.
A change is instant at the authoritative server; delay is caches holding the old answer until TTL expires. Lower the TTL before a change; query the authoritative server to confirm. NXDOMAIN is cached too (negative caching).
Compare what your resolver returns against dig @AUTH_NS HOST; if they differ, the fault is the resolver layer. Statuses: NOERROR+answer (ok) · NXDOMAIN (no such name) · NOERROR+no-answer (wrong record type) · SERVFAIL (upstream/DNSSEC) · timeout (resolver unreachable). DNS needs both UDP/53 and TCP/53.
DNSSEC = authenticity, not privacy. DoT/DoH/DoQ = privacy, not authenticity — complementary. DNS is a favourite exfil/C2 channel (monitor and log it). Nothing here is "secure" in the abstract.
The resolution path, caching/TTL behaviour, and record types are stable, standard DNS. The encrypted-transport specifics were verified this session: DoT is RFC 7858 (port 853), DoH is RFC 8484 (port 443), DoQ is RFC 9250; DNSSEC is consolidated in RFC 9364 (2023). NIST's DNS security guidance is SP 800-81 (currently revision 3) — confirm the current revision before citing it control-by-control. No control here is a posture by itself: each is tied to one threat (spoofing → DNSSEC, interception → encrypted transport, exfiltration → monitoring/PDNS) and leaves a named gap. Connects to Email Security (SPF/DKIM live in TXT records), and builds alongside Subnetting & CIDR and IP Routing; sits beneath "Networking — Follow the Packet"; commands are on the Diagnostic Command Card. Terms are in the Glossary; 00 · Start Here indexes the set.