Home Topics DNS Server What is a DNS server?
Explore our DNS solution Subscribe for AI updates
Illustration with collage of pictograms of gear, robotic arm, mobile phone

Published: 30 January 2024
Contributors: Camilo Quiroz Vazquez, Michael Goodwin

What is a DNS server?

DNS servers translate the website domain names users search in web browsers into corresponding numerical IP addresses. This process is known as DNS resolution. 

The Domain Name System (DNS) allows users to access websites using domain names and URLs rather than complex numerical internet protocol (IP) addresses. DNS is made possible by four types of integrated DNS servers—recursive DNS servers, root name servers, top level domain name servers and authoritative name servers.

A user initiates a DNS query by entering a host name, such as www.example.com, into a search browser’s address bar. When this happens, a series of functions called DNS lookup begin to match the domain name with its designated IP address. An IP address is a numerical identification number used to identify every device and network that connects to the internet. IP addresses are either IPv4, such as, or IPv6 addresses like 2001:db8:3333:4444:5555:6666:7777:8888. 

While complex numbers like these help keep domains organized, users cannot be expected to keep track of these numbers or easily search the internet by using them. DNS allows domain names to be customized for functional purposes like branding and a simplified user experience. DNS servers are designed to make this process seamless for users while accommodating high traffic volume, changing domain names and IP addresses. The process of DNS resolution depends on variables such as load-balancing, server and user location and internet connection strength.

Improve performance with global server load balancing

See how DNS and Real User Monitoring (RUM) data provides greater functionality at a lower cost.

Related content

Register for the ebook on observability myths

Types of DNS servers

There are four types of DNS servers involved in the process of translating user searches into IP addresses. The servers work interdependently, each taking on a different function, which is intended to keep the process fast and secure. 

A DNS query passes through these four servers in the order they are listed: 

Recursive DNS server

Also known as a DNS recursor or recursive DNS resolver, this is the first stop for a recursive query—the process of one DNS server communicating with other DNS servers to locate and return an IP address. This server receives a DNS query and can connect a user to the desired site using cached data, or if site data is not cached, send a follow-up request to DNS name servers.

Once it receives the information back from the name server, the recursive resolver connects the user to the correct site. With each search, servers create DNS caches that save data. This accelerates the search and return process and gives users faster access to the correct web page. Most DNS recursors are provided by internet service providers (ISP). 

Root name server

When a recursive DNS server does not have cached data, it sends a DNS query to the DNS root name server. The root name server accepts the query and forwards it to a top level domain (TLD) name server. Which TLD server the query is forwarded to depends on the desired sites extension: .com, .org or .net, for example. There are 13 main DNS root servers operated by the Internet Corporation for Assigned Names and Numbers (ICANN).

Top level domain (TLD) name server

TLD name servers contain data related to domain names with the same extension. This means there are designated TLD servers for websites with the extensions .com, .org and .net. Once the query reaches the correct TLD name server, it is then directed to the authoritative name server. 

Authoritative name server

Generally the final step in the process of retrieving an IP address, authoritative DNS servers store information related to specific domain names in DNS resource records. These DNS records contain information about a specific domain and its corresponding IP address. When the correct IP address is found, it is sent back to the recursive resolver. If it is not located, the user will receive an error message. 

While each of their functions is complex, properly functioning DNS services should be imperceptible to users and the retrieval process should only take seconds. Having four types of servers helps the process of load-balancing, or distributing network traffic across multiple servers so that no one server is overworked.

How do DNS servers work?

DNS is often considered "the phonebook of the internet," holding a record of domain names and their associated IP addresses. DNS servers are the engines that drive IP address retrieval for DNS clients. DNS clients are built into routers and operating systems in smartphones or desktop devices and act as a conduit between local devices and servers. Most routers have primary and secondary DNS servers configured through their internet provider to protect against failures.

When a user searches for a domain, the DNS request initiates a DNS query that is directed to DNS servers. From here, two things can occur. The first is a query return from DNS caching. DNS caching is the temporary storage of DNS records from previous searches on DNS servers or other devices. A DNS cache allows a query to skip a long DNS lookup and provide a faster response by returning a DNS record that is already stored in a temporary DNS cache. Based on DNS settings, web servers cache this information for a specificed amount of time, known as time-to-live (TTL).

If there is no cached information, the DNS query passes through four types of servers (process noted in section above) to find and return the correct IP address.  

Public DNS vs. private DNS

DNS can be public or private. Public DNS servers are available to anyone using the internet and are generally set up by internet service providers. Public DNS services help manage authoritative name servers by supporting traffic steering and load balancing, which improve network performance.

Private DNS is set up behind a firewall and maintains records on internal websites. These are often connected through a virtual private network (VPN) that only stores internal IP addresses. A private DNS can only be accessed by authorized members of an organization, which limits exposure to external threats, but it must be managed by the organization or a private DNS provider.

DNS security

DNS servers can be subject to attacks that deny access to domains, overwhelm servers with traffic or take over DNS infrastructure. DNS providers such as IBM® NS1 Connect offer managed DNS services to protect against these types of attacks.

Common types of DNS attacks include:

Flood attack

Distributed denial of service (DDoS) attacks overwhelm authoritative name servers with a flood of traffic. Authoritative servers are unable to fulfill legitimate DNS queries because they are inundated with malicious traffic.

Random subdomain attack

This is a denial of service attack that's also referred to as a NXDomain attack. This attack sends authoritative name servers requests for nonexistence subdomains making them unable to respond to real queries.

DNS amplification attack (DNS flood)

A tool to amplify DDoS attacks, DNS floods can cause disruption by artificially inflating the workload DNS servers must execute to complete a query.

Cache poisoning

In this attack forged DNS data infiltrates the cache of a DNS resolver creating an incorrect IP address for a domain that brings users to an unexpected website. These websites can subject users to malware or phishing attempts.

DNS protocol attacks

An attack that targets DNS servers by causing them to process malformed packets. This makes them unable to process legitimate queries.

BGP hijacking attack

This attack reroutes users through the Boarder Gateway Protocol (BGP) from legitimate domains to ones that are often set up for malicious purposes.  

DNS tunneling

In this attack DNS infrastructure becomes a pathway to pass malware or stolen data past a firewall.

DNS hijacking (credential theft)

This is an attack that alters or destroys DNS zone data by gaining unauthorized access the management of DNS servers.  

Domain theft

In a domain theft, attackers take ownership of a domain name through unauthorized access to the registrar of a domain. 

Related solutions
IBM® NS1 Connect

IBM NS1 Connect provides fast, secure connections to users anywhere in the world with premium DNS and advanced, customizable traffic steering.  Always-on, API-first architecture enables your IT teams to more efficiently monitor networks, deploy changes and conduct routine maintenance.

Explore IBM® NS1 Connect 

IBM NS1 Connect Managed DNS

IBM NS1 Connect Managed DNS service delivers resilient, fast, authoritative DNS connections to prevent network outages and keep your business online, all the time.

Explore IBM NS1 Connect Managed DNS

DNS observability with IBM NS1 Connect

Quickly identify misconfigurations and security issues with customized, real-time reports based on DNS observability data. 

Explore DNS observability with IBM NS1 Connect
Resources What is the Domain Name System (DNS)? 

The DNS makes it possible for users to connect to websites using URLs rather than numerical internet protocol addresses.

What is networking?

Learn about how computer networks work, the architecture used to design networks and how to keep them secure.

What are cyberattacks?

Cyberattacks are attempts to steal, expose, alter, disable, or destroy another's assets through unauthorized access to computer systems.

Take the next step

IBM NS1 Connect provides fast, secure connections to users anywhere in the world with premium DNS and advanced, customizable traffic steering. NS1 Connect’s always-on, API-first architecture enables your IT teams to more efficiently monitor networks, deploy changes and conduct routine maintenance.

Explore NS1 Connect Book a live demo