System Design Space
Knowledge graphSettings

Updated: June 23, 2026 at 8:31 AM

Domain Name System (DNS)

medium

DNS hierarchy, zone delegation, caching, TTL, and the resolution path from client to authoritative server.

This chapter matters because in a real architecture DNS is not just a name directory. It is an early routing, caching, and delegation layer.

In practice, it helps you see the whole resolution chain: from local and recursive resolvers to TTL, stale records, and propagation delay that can keep the problem in caches rather than in the application.

In interviews and design discussions, it makes a hidden layer visible, one that almost every external call depends on and where resilience often breaks first.

Practical value of this chapter

Resolution path

Helps analyze the full lookup chain and understand when caching accelerates the system versus when it hides stale answers.

Availability risks

Makes TTL, stale records, and propagation delay explicit in resilience planning.

Global behavior

Shows how DNS decisions influence latency, geographic routing, and the path clients take to a service.

Interview scenarios

Improves case discussions where the hidden reliability bottleneck sits in name resolution rather than in application code.

RFC

RFC 1035 (DNS)

Foundational DNS specification: message format, record types, zone delegation, and resolver behavior.

Перейти на сайт

DNS is the control plane of the Internet. It maps names to addresses, routes queries through delegated zones, and through TTL decides when changes reach the caches. Any mistake in this control plane lands not in one service but everywhere at once.

The chain includes the local stub resolver, the recursive resolver, zone delegation, and often anycast for geographic distribution. As a result, DNS simultaneously shapes latency, the QPS pressure on authoritative servers, and how NXDOMAIN responses combined with negative caching behave. Investigating an incident without dedicated observability quickly goes the wrong way.

Core properties of DNS

Hierarchical delegation

Responsibility is spread across the tree: root servers know about TLDs, TLDs know about authoritative servers for a specific zone. No single party holds the full map, and that is a deliberate architectural choice.

Recursive resolution

A recursive resolver takes the delegation walk on itself: it collects referrals to the next step and hands back a single ready answer. The client never has to know how many hops that answer cost.

TTL and caching

Caching offloads authoritative servers and cuts latency — at the cost that changes never propagate instantly. In practice this means: any record switch is delayed by at least the TTL.

Multiple record types

A/AAAA, CNAME, NS, MX, TXT and other records describe not just an address but also delegation, mail routing, and domain ownership checks. Most domain incidents trace back to the wrong record type, not the wrong address.

Critical control plane

Almost every external call starts with a lookup, so a DNS outage looks like a massive failure of everything at once. It is a rare dependency with no quiet degradation mode.

How a DNS message header is structured

The header counters tell you how many questions, answers, and additional records the message carries. Those small fields shape cache behavior, response size, and whether the query can stay over UDP.

DNS Message Header

12 bytes + variable sections

ID

16 bits

Flags

16 bits

QDCOUNT

16 bits

ANCOUNT

16 bits

NSCOUNT

16 bits

ARCOUNT

16 bits

Question section (variable)

32 bits

Answer, authority, and additional sections (variable)

32 bits

The header is a fixed 12 bytes; everything after it is variable length. Those variable sections decide whether the answer still fits in a single UDP datagram, how it gets cached, and whether the query falls back to TCP.

DNS query lifecycle

Client query

The local stub resolver does not try to solve the problem itself — it hands the query off to a recursive resolver: ISP, corporate, or public.

Hierarchy traversal

If the answer is not in cache, the recursive resolver walks from root to TLD and then to the authoritative server for the zone. That walk shows up as latency on every first request to a domain.

Response and cache

The answer goes back to the client and lands in cache for the record TTL. From there, what wins is no longer network speed — it is cache size and hit rate.

Related chapter

OSI model

DNS lives at the application layer and benefits from layered troubleshooting.

Open chapter

DNS server hierarchy

The namespace is a tree: root, top-level domains, then the zone for a specific domain. Authoritative servers hold the truth about their zone, recursive resolvers keep a fresh snapshot in cache. No single party knows the whole system, and that is the only reason it scales at all.

DNS server hierarchy

Select a level to highlight its role in the lookup path

Recursive resolver

Accepts the client query, walks the hierarchy, and caches the answer

Root name servers

Points the resolver to the correct top-level domain

TLD name servers

Shows which server is authoritative for the target zone

Authoritative servers

Holds the final zone records and returns the answer

Root and TLD servers delegate responsibility further down the hierarchy.
Authoritative servers answer only for the specific zone they own.

How domain name resolution works

The recursive resolver starts from a known list of root servers and follows the referrals — root, TLD, authoritative server for the zone. A successful answer lands in cache for the record TTL, and from that moment what wins is not the network anymore but a lucky cache hit.

Domain name resolution

Run the lookup step by step or play the full chain from the client to the authoritative server

Current step

Click "Start" to run the domain name resolution flow.

Client
Recursive resolver
Root servers
TLD servers
Authoritative server

Cache

Both the client and the recursive resolver keep recent answers in cache so they do not have to walk the tree on every query.

The resolution path is only half the picture. The other half is cache dynamics: record TTL, hit ratio, and how the pressure on authoritative servers grows during traffic spikes and frequent changes.

DNS cache and latency dynamics under load

Step through how TTL, cache hit ratio, and authoritative pressure change resolution time.

StepInterval 1 (1 of 6)
Cache hit (%)Authoritative load (%)Lookup latency (ms)

Phase

Warm cache

Cache hit ratio

93.0%

Average lookup

12 ms

Authoritative load

0.8k QPS

NXDOMAIN

0.3%

TTL policy: Default TTL

What is happening: Most requests are served from recursive cache and authoritative servers stay lightly loaded.

Abbreviations

  • QPS (queries per second) — number of DNS queries served each second.
  • NXDOMAIN — the requested domain name does not exist.

Metric decoding

  • Share of requests served from recursive cache without full hierarchy traversal.
  • Average end-to-end DNS resolution time observed by the caller.

Related chapter

Load Balancing

DNS often acts as the first region or site selection layer before L4/L7 balancing.

Open chapter

How network and routing shape DNS behavior

Cache miss and extra traversal

A cache miss turns into several extra network hops to the authoritative zone. That latency does not hide behind the HTTP abstraction — the user sees it as a slow first request.

TTL trade-off

Low TTL speeds up change propagation, but authoritative QPS and the bill for the infrastructure grow in lockstep. The right value is always a negotiation between speed and load.

Anycast and geography

Globally distributed resolver and authoritative nodes remove the heaviest cross-continent traversals. On the long tail this moves p99 more visibly than tuning the application itself.

Packet loss and TCP fallback

Truncation or packet loss pushes part of the traffic to TCP, and a single UDP datagram exchange becomes a full handshake. Response time and cost rise together.

DDoS and anomalous traffic

Without strict rate controls, an NXDOMAIN storm or an amplification attack takes down DNS infrastructure faster than any user-facing alert fires.

Where DNS matters most

  • Service discovery for client and internal services
  • Regional steering, weighted balancing, and failover decisions
  • CDN routing and nearest edge selection
  • Domain ownership checks and email routing (MX, TXT, SPF, DKIM)
  • Resolver-level security and filtering policies

Why this matters for system design

  • Name resolution adds latency before the first network call — and lands directly in user-facing p95 and p99 metrics.
  • TTL policy is an explicit trade: change propagation speed in exchange for load on authoritative infrastructure.
  • DNS configuration mistakes masquerade as application incidents. Without dedicated observability, the investigation goes the wrong way.
  • Solid DNS design shrinks incident blast radius and keeps a multi-region system standing when one region falls over.

Common mistakes

Setting a very low TTL for fast switches without estimating what it does to authoritative load at peak hour.

Forgetting about negative caching and getting hit by retry storms for names that simply do not exist.

Debugging an application incident without separate visibility into cache hits and lookup time. The symptoms in the app and the cause in DNS look identical.

Keeping DNS with a single provider and no fallback plan: a hidden single point of failure that only surfaces during an incident.

Related chapters

  • OSI model - positions DNS as an application-layer protocol and improves layer-by-layer troubleshooting.
  • IPv4 and IPv6: evolution of IP addressing - shows how A/AAAA records and addressing behavior shape DNS publication and routing strategy.
  • UDP protocol - explains why DNS usually rides over UDP and why packet loss immediately affects lookup time.
  • TCP protocol - explains when DNS falls back to TCP, for example on truncation or zone transfer.
  • HTTP protocol - reminds you that every HTTP request first hits name resolution — DNS has to answer before the application even starts.
  • Load Balancing - shows how DNS often becomes the first region or site selection layer before L4/L7 balancing.
  • Case study: CDN infrastructure - shows the practical side of global steering through DNS and edge infrastructure.
  • Why distributed systems and consistency matter - connects DNS decisions to resilience, traffic distribution, and distributed-system blast radius.

Enable tracking in Settings