DNS (Domain Name System) is one of the most critical pieces of internet infrastructure. Without it, you'd need to remember IP addresses for every website. Understanding DNS helps you troubleshoot resolution failures, configure cloud services, and design resilient routing.
How DNS Resolution Works
When your browser needs to resolve app.example.com:
- Browser cache: Checks its own DNS cache first
- OS cache: Checks the system resolver cache
- Recursive resolver: Your ISP's or configured DNS server (e.g., 8.8.8.8) takes over
- Root nameservers: The resolver asks a root server "who handles .com?" → returns TLD nameserver IPs
- TLD nameserver: "Who handles example.com?" → returns authoritative nameserver IPs
- Authoritative nameserver: "What is app.example.com?" → returns the A record (IP address)
- The resolver caches the result according to the TTL and returns it to the client
DNS Record Types
| Record | Purpose | Example |
|---|---|---|
| A | IPv4 address | example.com → 93.184.216.34 |
| AAAA | IPv6 address | example.com → 2606:2800:220:1:248:1893:25c8:1946 |
| CNAME | Alias to another name | www.example.com → example.com |
| MX | Mail exchange | example.com → mail.example.com (priority 10) |
| TXT | Text data | SPF, DKIM, domain verification |
| NS | Nameserver for a zone | example.com → ns1.registrar.com |
| SOA | Start of authority (zone info) | Serial, refresh interval, etc. |
| PTR | Reverse lookup (IP → name) | 34.216.184.93.in-addr.arpa → example.com |
| SRV | Service location | Used by Kubernetes, SIP, XMPP |
| CAA | CA Authorisation (TLS certs) | Which CAs may issue certs for this domain |
| ALIAS / ANAME | Provider-specific pseudo-record that answers like A/AAAA at the zone apex (Route 53 "alias"; ANAME at some other providers) | example.com → ALB DNS name |
TTL (Time To Live)
TTL is the number of seconds a DNS record may be cached by resolvers and clients. A lower TTL means changes propagate faster but generates more queries against your authoritative servers. A TTL change is itself subject to the old TTL: lower it at least one old-TTL period before the planned change, so that copies cached with the long TTL have expired by the time you switch:
- 300 seconds (5 min): Before planned changes (failover, migration)
- 3600 seconds (1 hr): Standard for stable records
- 86400 seconds (24 hr): Rarely changing records (SPF, TXT verification)
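The query/response exchange from the resolution steps above and the per-record caching rule from this TTL section, as an added example that is not part of the original page: a minimal DNS wire-format encoder/decoder plus a TTL-aware cache. The transaction ID (0xBEEF), the web.example.com CNAME target and the reply bytes are constructed here for illustration; a real resolver would additionally check that the echoed question matches its query and that the reply came from the address and port it sent to.

```python
# Added example (not from the original page): a minimal DNS wire-format
# encoder/decoder and a TTL-aware cache. Messages are constructed in-process
# so it runs offline; names/addresses are the page's placeholders.
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}

def encode_name(name):
    """'app.example.com' -> b'\\x03app\\x07example\\x03com\\x00' (label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype="A", txid=0x1234):
    """12-byte header (RD=1, QDCOUNT=1) + QNAME + QTYPE + QCLASS=IN."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1))

def decode_name(msg, off):
    """Read a possibly compressed name at msg[off]; return (name, next_offset).
    Pointers (top two bits 11) are followed with a hop limit so a crafted
    message cannot loop the parser forever."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            end = off + 2 if end is None else end   # resume after 1st pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_response(msg, expected_txid):
    """Return (rcode, [(owner, rtype, ttl, value), ...]). A resolver must drop
    replies whose ID does not match its outstanding query (spoofed answers)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: possible spoofed reply")
    off = 12
    for _ in range(qd):                         # skip echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPES["A"]:
            value = ".".join(str(b) for b in msg[off:off + rdlen])
        elif rtype == QTYPES["CNAME"]:
            value, _ = decode_name(msg, off)    # rdata may use pointers too
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((owner, rtype, ttl, value))
    return flags & 0xF, answers

def build_response(query, answers):
    """Constructed reply: echo the question, append (owner_bytes, rtype, ttl, rdata)."""
    question = query[12:query.index(b"\x00", 12) + 5]
    body = b"".join(o + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                    for o, t, ttl, rd in answers)
    return struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0],
                       0x8180, 1, len(answers), 0, 0) + question + body

class TTLCache:
    # Every RR is cached for its own TTL, counted from when it was received.
    def __init__(self):
        self._store = {}

    def put(self, answers, now):
        for owner, rtype, ttl, value in answers:
            self._store[(owner, rtype)] = (now + ttl, value)

    def get(self, owner, rtype, now):
        entry = self._store.get((owner, rtype))
        return None if entry is None or now >= entry[0] else entry[1]

def demo(now=1_000_000):
    """app.example.com is a CNAME (TTL 300) to web.example.com, whose A has TTL 60."""
    query = build_query("app.example.com", "A", txid=0xBEEF)
    # 0xC00C = pointer to the question name (offset 12); 0xC010 = "example.com" within it.
    reply = build_response(query, [
        (b"\xc0\x0c", QTYPES["CNAME"], 300, b"\x03web\xc0\x10"),
        (b"\x03web\xc0\x10", QTYPES["A"], 60, bytes([93, 184, 216, 34])),
    ])
    rcode, answers = parse_response(reply, expected_txid=0xBEEF)
    cache = TTLCache()
    cache.put(answers, now)
    return rcode, answers, cache
```

Running `demo()` shows why the page's TTL advice is per record: the CNAME stays cached for 300 s, but the A record it points to expires after 60 s and must be fetched again, so the effective TTL of a name is the shortest TTL in its chain. The hop limit in `decode_name` and the transaction-ID check in `parse_response` are the two checks a parser of untrusted DNS replies cannot do without.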
CNAME Restrictions
A CNAME cannot be used at the zone apex (bare domain): a CNAME must be the only record at its name, and the apex always carries SOA and NS records (RFC 1034). You cannot have:
```
example.com.  CNAME  myalb-1234.us-east-1.elb.amazonaws.com.   # INVALID at the apex
```
Solutions:
- Use an ALIAS record in Route 53 (maps the zone apex to AWS resources such as an ALB or CloudFront distribution; resolvers receive an ordinary A/AAAA answer)
- Use a subdomain instead of the apex:
```
www.example.com.  CNAME  myalb-1234.us-east-1.elb.amazonaws.com.   # valid
```
Whichever you choose, delete the record when its target is decommissioned. A CNAME or alias that still points at a cloud hostname nobody owns can be claimed by whoever provisions that resource name next (subdomain takeover).
Route 53 Routing Policies
Amazon Route 53 offers several routing policies for intelligent traffic distribution:
| Policy | Behaviour | Use Case |
|---|---|---|
| Simple | One record set; if it holds several values, all are returned in random order (no health checks) | Single resource |
| Weighted | Distributes traffic by weight (0–255) | Canary deployments, A/B testing |
| Latency | Routes to lowest-latency region | Global multi-region apps |
| Failover | Primary → standby on health check failure | Active-passive DR |
| Geolocation | Routes based on user's country/continent | Localisation, GDPR data residency |
| Geoproximity | Routes based on distance, with bias | Advanced geographic control |
| Multivalue | Returns up to eight healthy records, each with its own health check | Simple load distribution |
| IP-based | Routes based on client IP CIDR | Route by ISP or corporate network |
DNS Troubleshooting
```bash
# Look up A record
dig app.example.com
nslookup app.example.com
# Look up specific record type
dig example.com MX
dig example.com TXT
dig example.com NS
dig example.com CAA
# Check which nameservers are authoritative (+short prints only the answer data)
dig example.com NS +short
# Trace the full resolution chain from the root servers down
dig app.example.com +trace
# Reverse lookup
dig -x 93.184.216.34
# Query a specific DNS server (bypasses the local cache; compare answers across resolvers)
dig @8.8.8.8 example.com
# Ask the authoritative server directly to see the current record before caches expire
dig @ns1.registrar.com example.com A
# Request DNSSEC signatures (RRSIG records) along with the answer
dig example.com A +dnssec
```
Next: HTTP and TLS — how web requests work, the security layer on top, and what certificates are doing.