Network Security
DNS (Domain Name System)
DNS is the Domain Name System, the hierarchical, distributed naming system that translates human-readable domain names into the IP addresses and other records computers use to locate services on a network.
In plain terms
DNS is the internet’s phone book. You type a name like example.com, and DNS finds the numeric address the network actually needs to reach it. Almost everything online starts with a DNS lookup, which is exactly why it matters for security.
The Domain Name System is the distributed directory that maps domain names to the records clients need to connect, most commonly the IP addresses behind a hostname. Without it, people would have to remember numeric addresses for every service, and those addresses could not change without breaking every reference to them. DNS adds a stable, human-friendly layer of names on top of an addressing scheme that is neither stable nor friendly.
DNS is hierarchical. At the top are the root servers, which delegate to top-level domain servers such as those for .com, .org, or country codes. Those in turn delegate to the authoritative servers for individual domains. A name like mail.example.com is read right to left as a path through this tree, and the answer for any zone is held by the servers that are authoritative for it.
Resolution usually involves several roles. A stub resolver on the client device asks a recursive resolver, often run by an ISP, an enterprise, or a public provider. The recursive resolver walks the hierarchy on the client’s behalf, querying root, TLD, and authoritative servers until it has an answer, then caches that answer for the duration of its time-to-live. Caching is what keeps DNS fast and keeps the root and TLD servers from being overwhelmed.
DNS carries more than addresses. Records include A and AAAA records for IPv4 and IPv6 addresses, MX records for mail routing, CNAME records for aliases, TXT records for arbitrary text used by many verification and policy systems, NS records for delegation, and others. Email authentication frameworks such as SPF, DKIM, and DMARC are published as DNS records, which means DNS is part of the trust fabric for messaging as well as for web traffic.
The security relevance of DNS is large because it sits in front of almost every connection and was originally designed without authentication or confidentiality. Classic DNS queries travel in plaintext over UDP, so they can be observed and tampered with on the path. An attacker who can answer faster than the legitimate server, poison a resolver’s cache, or alter records can redirect victims to malicious destinations while the displayed name looks correct.
Several attack patterns target DNS directly. Cache poisoning injects forged records into a resolver so that later lookups return attacker-chosen addresses. DNS hijacking changes the records at a registrar or authoritative server, or points a device at a rogue resolver. DNS tunneling encodes other protocols inside DNS queries and responses to smuggle data past controls that allow DNS but inspect little else. DDoS campaigns both target DNS infrastructure and abuse open resolvers for amplification.
Defenses layer naming integrity, transport protection, and monitoring. DNSSEC adds cryptographic signatures so validating resolvers can verify that records are authentic and were not altered, whether on the path or in a poisoned cache; it addresses integrity but not confidentiality. Encrypted transports such as DNS over HTTPS and DNS over TLS protect the query content from on-path observers. DNS filtering blocks resolution of known malicious or unwanted domains, turning the resolver into an enforcement point. Registrar locks, monitoring of record changes, and least-privilege access to DNS management reduce the risk of hijacking at the source.
DNS is also a rich source of security telemetry. Because nearly every connection begins with a lookup, resolver logs reveal which domains hosts are trying to reach. Newly registered domains, algorithmically generated domains, sudden spikes in failed lookups, and queries to known command-and-control infrastructure are all visible in DNS data. Many detection and threat-hunting programs treat DNS logs as one of their highest-value data sources for the breadth of coverage they provide.
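As an added example (not part of the original entry), the following script runs the detection logic sketched above over a handful of constructed resolver log lines: it flags long high-entropy labels typical of algorithmically generated domains, oversized labels typical of the tunneling described earlier, and a burst of failed lookups from a single host. The log format, field order, sample hosts and thresholds are all assumptions made for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (hypothetical format): timestamp client qname qtype rcode
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A NOERROR
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX NOERROR
2024-05-01T10:00:03Z 10.0.0.9 kq3zx8v1p0m7ty2bn4c.net A NXDOMAIN
2024-05-01T10:00:04Z 10.0.0.9 x9w2lr7ndv5qpb03ktz.com A NXDOMAIN
2024-05-01T10:00:05Z 10.0.0.9 ju81pdkc2mw6rvzf9l3.org A NXDOMAIN
2024-05-01T10:00:06Z 10.0.0.9 bq70svz4kxt3mdn1pyh.info A NXDOMAIN
2024-05-01T10:00:07Z 10.0.0.12 4a6f686e20446f6520313233343536373839.t.example.org TXT NOERROR
2024-05-01T10:00:08Z 10.0.0.12 5468697320697320612074657374206f66.t.example.org TXT NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s):
    """Bits per character: random-looking DGA labels score high, dictionary words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse(log):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for m in (LINE_RE.match(line.strip()) for line in log.splitlines()):
        if m:
            _ts, client, qname, qtype, rcode = m.groups()
            yield {"client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype, "rcode": rcode}

def analyze(log, nx_threshold=3, entropy_threshold=3.5, max_label=30):
    """Return (signal, client, detail) tuples for the three DNS telemetry signals."""
    findings = []
    nx_per_client = defaultdict(int)
    for rec in parse(log):
        first = rec["qname"].split(".")[0]  # leftmost label carries the attacker-chosen part
        if rec["rcode"] == "NXDOMAIN":
            nx_per_client[rec["client"]] += 1
        if len(first) > max_label:  # oversized label: data encoded into query names (tunneling)
            findings.append(("tunnel-like", rec["client"], rec["qname"]))
        elif len(first) >= 12 and shannon_entropy(first) >= entropy_threshold:
            findings.append(("dga-like", rec["client"], rec["qname"]))  # random-looking label
    for client, n in nx_per_client.items():
        if n >= nx_threshold:  # burst of failed lookups from one host
            findings.append(("nxdomain-spike", client, n))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG): print(*finding)
```

Real resolver logs (BIND query logs, Windows DNS analytic logs, Zeek dns.log) differ in layout, so only the regex and field mapping need adapting; the thresholds should be tuned against a baseline of the environment's normal traffic.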
For operators, DNS reliability is a first-order concern. A DNS outage can make otherwise healthy services unreachable, so resilient designs use multiple authoritative providers, sensible time-to-live values, and monitoring of both resolution success and record correctness. Misconfigured records, expired domains, and dangling records pointing at deprovisioned cloud resources are common operational failures, and the last of these can enable subdomain takeover.
In practice, DNS is best understood as critical shared infrastructure that is fast, cached, hierarchical, and historically trusting. Treating it as a control surface, protecting both its integrity and its confidentiality, and mining its logs for signal turns a foundational network service into a meaningful part of a security program rather than a blind spot.