Public vs. private DNS: What’s the difference?


Authors: Phill Powell, Staff Writer, IBM Think; Ian Smalley, Staff Editor, IBM Think


The major difference between the public domain name system (DNS) and private DNS is that each is intended for a different audience. Both resolve domain names, but public DNS can be used by anyone with an internet-connected device, whereas private DNS is a closed system with restricted access.

Both do the same job: translating names into addresses. A name server on the internet functions much like a telephone directory, translating human-readable domain names (for example, ibm.com) into the numerical IP addresses that machines can route to. This matching process is what lets web browsers find exactly the destinations that users ask for.


How does public DNS work?

Here are the steps that go into making public DNS operate:

  1. Name resolution begins when a user requests a domain name, typically by typing a website address into their preferred browser.
  2. The user’s device (also known as an endpoint) performs a local DNS check to see whether the device’s cache or local DNS servers already hold an IP address matching that domain.
  3. When the local check finds no match, the request is forwarded to a recursive DNS resolver. The resolver is usually supplied by an Internet Service Provider (ISP) or by a public DNS service such as those run by Google or Cloudflare.
  4. The resolver contacts a root name server, which directs the query to a top-level domain (TLD) server capable of handling it.
  5. The resolver then queries the TLD server, which in turn refers it to the authoritative name server for that particular domain.
  6. The authoritative name server holds the IP address record for the website and returns it to the recursive resolver.
  7. The resolver stores the answer in its DNS cache for later use while also sending the resolved IP address back to the device that issued the original request.
  8. The DNS resolution process is now complete. The browser can connect to the web server at this IP address and download the website’s content.
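The eight steps above, walked through in code. This is an added illustration, not IBM’s code: the root, TLD and authoritative data are constructed placeholder zones (documentation addresses and TTLs), and the resolver keeps a cache so that a repeat lookup is answered at step 2 until the record’s TTL, a number of seconds, runs out.

```python
# Added illustration of the public DNS resolution chain; this is not IBM's code
# and the zone data below is constructed for the example (placeholder names,
# documentation addresses and TTLs), not real DNS records.
import time

# Constructed referral data, keyed by the zone the query is being steered toward.
ROOT_REFERRALS = {"com.": "a.gtld-servers.example."}    # root server -> TLD server
TLD_REFERRALS = {"example.com.": "ns1.example.com."}    # TLD server -> authoritative server
# Constructed authoritative data: name -> (IPv4 address, TTL in seconds)
AUTHORITATIVE = {
    "ns1.example.com.": {
        "www.example.com.": ("192.0.2.10", 300),
    },
}


def _fqdn(name: str) -> str:
    """Normalise a name to lower-case fully qualified form ('www.example.com.')."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


class RecursiveResolver:
    """Walks root -> TLD -> authoritative, caching answers for their TTL."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable so TTL expiry can be simulated
        self.cache = {}               # name -> (address, expiry timestamp)
        self.trace = []               # servers consulted on the last lookup

    def resolve(self, name: str):
        """Return the IPv4 address for name, or None if no server knows it."""
        name = _fqdn(name)
        self.trace = []

        # Step 2: local cache check. A record is only reused while its TTL lasts.
        cached = self.cache.get(name)
        if cached is not None and cached[1] > self.clock():
            self.trace.append("cache")
            return cached[0]

        labels = name.rstrip(".").split(".")
        if len(labels) < 2:
            return None
        tld = labels[-1] + "."
        zone = ".".join(labels[-2:]) + "."

        # Step 4: the root server refers us to the server for the TLD.
        self.trace.append("root")
        tld_server = ROOT_REFERRALS.get(tld)
        if tld_server is None:
            return None

        # Step 5: the TLD server refers us to the zone's authoritative server.
        self.trace.append(tld_server)
        auth_server = TLD_REFERRALS.get(zone)
        if auth_server is None:
            return None

        # Step 6: the authoritative server returns the record itself.
        self.trace.append(auth_server)
        record = AUTHORITATIVE.get(auth_server, {}).get(name)
        if record is None:
            return None
        address, ttl = record

        # Step 7: cache the answer until its TTL runs out, then hand it back.
        self.cache[name] = (address, self.clock() + ttl)
        return address


if __name__ == "__main__":
    resolver = RecursiveResolver()
    print(resolver.resolve("www.example.com"), resolver.trace)   # full walk
    print(resolver.resolve("www.example.com"), resolver.trace)   # served from cache
```

The `trace` list shows which servers were consulted on each call, which is the quickest way to see why the first lookup costs three round trips and the second costs none.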

Now, that’s a fair amount of back-and-forth routing just to obtain a usable IP address. The remarkable thing is how quickly all of these DNS responses arrive.

How fast? It depends on performance-related factors like connectivity and transmission latency, but at its slowest the public DNS process can take a few seconds, and at its fastest only milliseconds.

Once the IP address has been negotiated and settled, the user’s device connects to it. Each DNS record it received carries a Time to Live (TTL) designation, a setting that controls how many times the same DNS records can be downloaded.

TTLs exist to keep content from persisting online for excessively long periods. A TTL functions like a counter that ticks down each time the content is accessed; when the counter reaches zero, that content becomes unavailable to the user.


How does private DNS work?

When an organization or individual opts for maximum privacy by operating their own DNS, the resolution process involves fewer steps and tends to run considerably faster than public DNS services. It achieves this largely through isolation.

The term “private DNS” has two specific meanings, depending on where and how it is implemented. It can refer to private DNS zones operated inside a cloud computing environment so that workloads there can resolve internal resources. Alternatively, it can mean a private DNS service configured on a user’s device to block specific content and encrypt queries.

The name lookup and resolution process for private DNS comes down to the following steps:

  1. The user enters a web address (for example, www.example.com) into their web browser.
  2. The device issues a DNS query, searching for the IP address that matches that website.
  3. This is the point where the paths of public DNS and private DNS diverge. The device uses an encrypted channel to reach the private DNS server (as opposed to public DNS, where an unencrypted query would typically be sent instead). Encrypted transport protocols like DNS over TLS (DoT) or DNS over HTTPS (DoH) provide the secure channel. Virtual private networks (VPNs) fulfill the same encryption function with the help of a VPN provider.
  4. The private DNS server receives the encrypted request, looks up the correct IP address and transmits it back to the original device over the same encrypted connection.
  5. With the correct IP address in hand, the device connects securely to that website’s server.
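What a DoH client actually puts on the wire at step 3, and how it reads the answer at step 4, as an added example that is not IBM’s code. It builds the DNS wire-format query for www.example.com, wraps it as the base64url `dns` parameter of an RFC 8484 GET, and parses a reply. The resolver URL and the reply bytes are constructed for the example; the only thing a real client would add is the HTTPS call itself, which is deliberately left out so the block runs offline.

```python
# Added example of the encrypted query path: building a DNS-over-HTTPS (RFC 8484)
# GET request and parsing the wire-format reply. This is not IBM's code; the
# resolver URL and the reply bytes are constructed for the example.
import base64
import ipaddress
import struct

TYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA"}


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a DNS wire-format query (RFC 1035) with the recursion-desired flag set.
    The transaction ID is fixed at 0, as RFC 8484 recommends for DoH, so identical
    queries yield identical URLs that HTTP caches can reuse."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")     # IDNs need A-label form first
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)     # class IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """Wrap the query as the base64url 'dns' parameter of a DoH GET, padding removed."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={token}"


def decode_doh_token(token: str) -> bytes:
    """Server-side reverse of doh_get_url: restore padding, decode to wire format."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def _read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, pointer)[0])
            return ".".join(l for l in labels if l), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_answers(msg: bytes):
    """Return [(name, type, ttl, data)] from the answer section of a reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):                              # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlength]
        if rtype == 1:
            data = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28:
            data = str(ipaddress.IPv6Address(rdata))
        elif rtype == 5:
            data = _read_name(msg, off)[0]
        else:
            data = rdata.hex()
        off += rdlength
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, data))
    return answers


def sample_response(query: bytes) -> bytes:
    """Constructed application/dns-message reply: echoes the question and answers
    with one A record (192.0.2.10, TTL 300) using a pointer to the question name."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://doh.example.invalid/dns-query", q))
    print(parse_answers(sample_response(q)))
```

The privacy gain comes entirely from the transport: the bytes inside the `dns` parameter are ordinary DNS, which is why a DoH resolver can answer them with the same software it uses for plain UDP queries.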

Direct areas of comparison

Six areas of direct comparison accurately convey the major differences (and subtle similarities) between public DNS and private DNS.

Objective

The general purpose of both public DNS and private DNS is strikingly similar. Both translate domain names.

A public DNS decodes public domain names into proper public IP addresses so users can access those sites on the internet.

Meanwhile, a private DNS translates internally used DNS names into internal IP addresses, thus allowing different entities within that group or organization to interact effectively.

Security

Security is an important factor in this comparison. After all, security is the primary reason why private DNS technology exists. Organizations requiring peak security usually opt for private DNS, which hides network details from the public internet.

Public DNS offers significantly fewer protective measures of its own but offsets that imbalance with features designed to guard against phishing and malware attempts.

Operators routinely use Domain Name System Security Extensions (DNSSEC) to strengthen DNS by adding digital signatures to records. Traditional security measures like firewalls can be used with both public DNS and private DNS.

Access

Who can access a particular DNS depends on what type of DNS we’re talking about. Public DNS is accessible by anyone with a device that has internet access.

In contrast, access to a private DNS is typically tightly controlled and rooted in on-premises access. It is limited to the users of an internal network, such as the workers at a company location or those connecting through a virtual private cloud.

For behind-the-scenes checks, network administrators use a query tool like nslookup (name server lookup) to look up IP addresses and troubleshoot from the command line.

Control

Who controls and operates the server that will be used? For private DNS, the answer is simple: the company or group operating that internal network maintains and controls its private DNS servers.

For public DNS, an internet service provider (ISP) or a third-party provider such as Cloudflare or Google operates the server. In either case, an outside entity has direct control over it.

Performance

Performance is not the cut-and-dried issue it once was. It used to be a foregone conclusion that private DNS was faster than public DNS: the information sought by internal queries had less distance to travel when it stayed on a private network, so latency was less of an issue.

However, lightning-quick speeds on public DNS are now often feasible, depending on the service provider, thanks to global networks that offer greater speed and more stable transmission. Whether public DNS or private DNS performs better usually depends on the network in question.

Customization

This is one area where private DNS offers considerably more options than public DNS. A private DNS lets a group or company create custom configurations based on the needs of that organization, such as custom domain naming schemes or content filtering.

By contrast, public DNS is limited in the customization it offers. Its operators configure it in a standard form for all public DNS users.

Updates to DNS routing protocols

Significant changes have occurred in DNS and will keep happening as the related technology advances and tries to keep pace with the ongoing global expansion of users.

Take, for example, the IPv4 routing protocol. IPv4 (Internet Protocol version 4) was developed during the 1970s and formally introduced in the early 1980s, predating the Internet Revolution. IPv4 addresses are 32-bit numerical labels that can be assigned to any device connecting to a computer network and are essential for communication and routing. They are written as strings of numbers separated by periods.

With 32 bits in each IPv4 address, approximately 4.3 billion addresses are possible. Even that massive number has turned out to be insufficient for the ever-increasing pool of devices that need to be connected to networks.

Enter IPv6 (Internet Protocol version 6), introduced in 1995 to mitigate this “overcrowding.” The first thing you notice when comparing the two protocols is the larger address size: IPv6 uses 128-bit addresses, exactly four times the length of their IPv4 counterparts.

This increase yields a pool of possible addresses so deep it is hard to envision: 340 undecillion, or 3.4 x 10 to the 38th power, a 39-digit number. It is difficult to imagine a pool with that much water ever being fully drained, but the unprecedented growth of computer usage across the globe is what prompted such an enormous response.

In addition to a far larger address space than IPv4, IPv6 includes Stateless Address Autoconfiguration (SLAAC). This feature lets devices configure their own IP addresses without relying on an external DHCP server, which also reduces network traffic.

IPv6 also uses a DNS record type that maps a domain name to an IPv6 address. That record is called “AAAA” (sometimes called a quad-A record) and is a step up from the “A” record, which holds an IPv4 address. The difference between the two is largely one of capacity: an AAAA record accommodates the hefty 128-bit identifier.

A records and AAAA records can also be supplemented with a CNAME (canonical name) record, a type of DNS record that acts as an alias for a domain or subdomain. One restriction should be noted: a hostname that has a CNAME record cannot also have A or AAAA records under that same name.

IPv6 isn’t the only key protocol that has been updated over time. Transport Layer Security (TLS) is a cryptographic protocol that safeguards web-based and other network communications. TLS is a 1999 upgrade of the earlier Secure Sockets Layer (SSL). Like SSL, TLS provides a means of authenticating the communicating parties, stopping unauthorized access, and checking data integrity.
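The A, AAAA and CNAME relationships described above, as an added example that is not IBM’s code. It checks a small constructed zone (documentation address ranges and placeholder names) for the two mistakes operators most often make, a CNAME sharing its name with other records and an A record holding a 128-bit address or vice versa, and then follows a CNAME alias to the A or AAAA data the way a resolver does, with a guard against alias loops.

```python
# Added example of the A, AAAA and CNAME record relationships described above;
# not IBM's code. The zone contents are constructed from documentation
# address ranges (192.0.2.0/24, 2001:db8::/32) and placeholder names.
import ipaddress

# Constructed zone: (owner name, record type, record data)
ZONE = [
    ("www.example.com.", "CNAME", "web.example.com."),
    ("web.example.com.", "A", "192.0.2.10"),
    ("web.example.com.", "AAAA", "2001:db8::10"),
    ("mail.example.com.", "A", "192.0.2.25"),
]


def address_bits(text: str) -> int:
    """Bit length of an A (IPv4, 32) or AAAA (IPv6, 128) record's address."""
    return ipaddress.ip_address(text).max_prefixlen


def zone_problems(records):
    """Report owner names that carry a CNAME alongside any other record type,
    which RFC 1034 forbids, plus A/AAAA data that is not an address of the right size."""
    by_name = {}
    problems = []
    for owner, rtype, data in records:
        by_name.setdefault(owner, set()).add(rtype)
        if rtype in ("A", "AAAA"):
            try:
                bits = address_bits(data)
            except ValueError:
                problems.append(f"{owner}: {rtype} data {data!r} is not an IP address")
                continue
            if (rtype == "A") != (bits == 32):
                problems.append(f"{owner}: {rtype} record holds a {bits}-bit address")
    for owner, types in by_name.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: CNAME cannot coexist with {sorted(types - {'CNAME'})}")
    return problems


def lookup(records, name: str, rtype: str, max_hops: int = 8):
    """Resolve name to rtype data, following CNAME aliases like a resolver does.
    Returns (data list, chain of names visited); data is empty if nothing matched."""
    chain = [name]
    for _ in range(max_hops):
        wanted = [d for o, t, d in records if o == name and t == rtype]
        if wanted:
            return wanted, chain
        aliases = [d for o, t, d in records if o == name and t == "CNAME"]
        if not aliases:
            return [], chain
        name = aliases[0]
        if name in chain:                      # alias loop guard
            return [], chain + [name]
        chain.append(name)
    return [], chain                           # too many hops


if __name__ == "__main__":
    print(zone_problems(ZONE))
    print(lookup(ZONE, "www.example.com.", "AAAA"))
```

Running `zone_problems` as a pre-deployment check on a private zone catches the CNAME conflict before a resolver has to deal with it; the `chain` returned by `lookup` is what you would compare against a dig or nslookup trace when an alias does not resolve as expected.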
