DEV Community

Naval Kishor Upadhyay

Walking the DNS Tree: From Root Zone to Your Website

When you type example.com into your browser, your computer does not automatically know where that site is. Instead, it walks the DNS tree — a global system of servers. The walk starts at the Root Zone, goes through a TLD (Top-Level Domain) zone, and ends at the authoritative zone of the domain. There, the computer finds the real IP address.

This whole process usually takes only milliseconds, but a lot happens in that short time.


The Main Actors

  • Your browser and OS → check local memory (cache) and ask a DNS resolver.
  • DNS resolver (recursive) → does the step-by-step work for you. This can be your ISP’s resolver or a public one (like 1.1.1.1 or 8.8.8.8).
  • Root zone → knows where each TLD lives (.com, .org, .de, …).
  • TLD zone → knows which authoritative name servers are responsible for each domain.
  • Authoritative name servers → have the zone file, the final truth for the domain.

Walking the Tree (step by step)

Example: www.netflix.com

0) Preparing the name

  • The browser changes the name to lowercase.
  • International names (like münchen.de) are converted to Punycode (xn--mnchen-3ya.de).

1) Browser cache

  • The browser first checks its own DNS memory.
  • If it finds a valid IP that has not expired (TTL), it uses it.

2) OS cache and hosts file

  • If the browser does not have the answer, it asks the operating system.
  • The OS also checks its DNS memory.
  • It also checks the hosts file (manual entries in Windows/Linux/Mac).

3) Asking the recursive resolver

  • The OS sends the request to the recursive resolver.
  • Usually this is your ISP’s resolver. You can also use a public one like 1.1.1.1, 8.8.8.8, or 9.9.9.9.

4) Resolver cache

  • The resolver checks its cache.
    • If it has a saved answer, it returns it.
    • If it has a saved NXDOMAIN (domain does not exist), it also returns that.
  • If not, the resolver starts walking the DNS tree.

5) Root zone referral

  • Resolver asks a root server: “Where can I find .com domains?”
  • The root server does not know the final answer. It gives a referral:
    • A list of .com servers (NS records).
    • Glue records with their IPs, so the resolver can reach them.

6) TLD zone referral

  • Resolver asks a .com server: “Where is netflix.com?”
  • The .com server answers:
    • “Ask these authoritative servers: ns1.netflixdns.net, ns2.netflixdns.net.”
  • It may also give glue records for those NS names.

7) Authoritative zone (netflix.com)

  • Resolver asks: “What is the IP of www.netflix.com?”
  • Authoritative server looks in its zone and replies:
    • Often first a CNAME to a CDN hostname.
    • Then the resolver follows the CNAME and gets the final A/AAAA record.
  • Example: www.netflix.com → 52.23.45.67

8) Resolver caches and returns

  • Resolver saves the answer in its cache for the time set by TTL.
  • It also caches referrals (root → TLD → authoritative).
  • Then it sends the IP back to your OS and browser.

9) Browser connects

  • With the IP address, the browser connects to Netflix’s server.
  • The site loads.

👉 Even though this looks long, the whole process is finished in a few milliseconds.
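The walk in steps 0 and 4 to 8, as an added example that is not part of the original post: a small recursive resolver run against a constructed in-memory tree. All zone names, server names, addresses (documentation ranges) and the 30-second negative TTL are assumptions; only answers are cached, not referrals, and a referral to a server that does not answer is reported as a lame delegation.

```python
import time

# Constructed sample tree; every name and address (RFC 5737 ranges) is a placeholder.
ROOT = "198.51.100.1"
SERVERS = {
    ROOT: {"delegations": {"com": {"a.tld-servers.example": "198.51.100.2"}}, "records": {}},
    "198.51.100.2": {"records": {}, "delegations": {
        "example.com": {"ns1.example.com": "192.0.2.53"},          # NS name + glue IP
        "cdn-example.com": {"ns1.cdn-example.com": "192.0.2.54"},
        "lame.com": {"ns1.lame.com": "192.0.2.99"}}},              # nothing answers there
    "192.0.2.53": {"delegations": {}, "records": {
        "www.example.com": ("CNAME", "edge.cdn-example.com", 300)}},
    "192.0.2.54": {"delegations": {}, "records": {
        "edge.cdn-example.com": ("A", "203.0.113.10", 60)}},
}
NEGATIVE_TTL = 30  # assumed lifetime of a cached NXDOMAIN

class Resolver:
    def __init__(self, clock=time.monotonic):
        self.cache, self.clock, self.upstream_queries = {}, clock, 0

    def resolve(self, name, depth=0):
        if depth > 8:
            raise LookupError("CNAME chain too long")
        name = name.lower().rstrip(".").encode("idna").decode()    # step 0: lowercase, Punycode
        hit = self.cache.get(name)
        if hit and hit[0] > self.clock():                          # step 4: unexpired cache entry
            rtype, value = hit[1:]
        else:
            rtype, value, ttl = self._walk(name)
            self.cache[name] = (self.clock() + ttl, rtype, value)  # step 8: cache for TTL
        return self.resolve(value, depth + 1) if rtype == "CNAME" else value

    def _walk(self, name):                                         # steps 5-7: root, TLD, authoritative
        server, trace = ROOT, ["root"]
        while True:
            zone = SERVERS.get(server)
            if zone is None:
                raise LookupError(f"lame delegation: {server} silent after {' -> '.join(trace)}")
            self.upstream_queries += 1
            if name in zone["records"]:
                return zone["records"][name]                       # (type, value, ttl)
            cuts = [z for z in zone["delegations"] if name == z or name.endswith("." + z)]
            if not cuts:
                return ("NXDOMAIN", None, NEGATIVE_TTL)
            cut = max(cuts, key=len)                               # most specific delegation
            server = next(iter(zone["delegations"][cut].values())) # follow referral via glue
            trace.append(cut)
```

Resolving `www.example.com` here costs six upstream queries (three for the name, three more for the CNAME target); a repeat within the TTL costs none.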


When Walking the Tree Fails

Sometimes, one step in the DNS tree fails. Here are common cases:

Local / Resolver level

  • Wrong hosts file or stale cache → Only your computer is affected.
    • Fix: Clear cache or correct the hosts file.
  • ISP resolver down → Many users in your region cannot resolve domains.
    • Fix: ISP repairs it. Workaround: use 1.1.1.1 or 8.8.8.8.
  • Stale cache at resolver → Some users see old IPs.
    • Fix: Wait until TTL expires or ask the resolver operator to clear it.

Root & TLD level

  • Root server unreachable (very rare).
    • Fix: root operators; global redundancy helps.
  • TLD registry outage → Example: .com or .uk problem.
    • Fix: the TLD registry. Domain owners must wait.

Delegation problems

  • Parent zone and child zone mismatch (lame delegation) → The parent refers to name servers that do not answer.
    • Fix: domain owner and registrar.
  • Wrong or missing glue records → Resolver cannot reach authoritative servers.
    • Fix: domain owner via registrar; registry publishes glue.

Authoritative zone

  • Servers down → Domain unreachable.
    • Fix: domain owner or DNS host. Always use at least two servers.
  • Bad records → Wrong IP or MX.
    • Fix: domain owner edits zone.
  • Domain expired → NXDOMAIN for everyone.
    • Fix: renew at registrar.
  • DDoS attack on authoritative DNS → site unreachable.
    • Fix: DNS provider with Anycast, DDoS protection.


Who Fixes What

  • You (browser/OS) → clear caches, check local hosts file.
  • ISP or public resolver → make sure recursive resolver works and caches correctly.
  • Root operators → keep the root zone safe and reachable.
  • TLD registry (e.g., Verisign for .com) → manage delegations and glue.
  • Registrar → publishes NS and glue to the registry.
  • DNS hosting provider → keeps your zone online.
  • Domain owner → ensures records are correct, uses multiple NS, renews domain.

Wrap-up

Every time you load a page, your computer runs down the DNS tree:

Root → TLD → Authoritative → Answer → Connect

Most of the time, this is instant thanks to caching and redundancy. When it fails, knowing which step broke helps identify who should fix it — from you clearing a cache, to a DNS provider repairing authoritative servers, to a registry fixing a TLD.

👉 Next time you type a URL, remember: your browser just walked the Internet’s tree of knowledge, from the root to the leaves, in less than a blink.
