DNS Resolution Flow

Marcelo

Marcelo

3 min read
DNS Resolution Flow
Photo by Jordan Harrison / Unsplash

Have you ever wondered what happens before a request reaches a server? This post attempts to describe some of these processes and practical use cases linked to them.

USE CASE 1: Modern Website Visit (IPv4 + IPv6)

Real Example: You're browsing to netflix.com

  • What happens: Your browser tries both IPv4 (A) and IPv6 (AAAA) records simultaneously
  • IPv6 preference: If you have IPv6 connectivity, modern browsers prefer IPv6 for better performance
  • CAA check: Your browser (or certificate authority) verifies that only authorized CAs (like DigiCert) can issue certificates for Netflix
  • TLSA validation: Advanced security setups verify the actual certificate matches the cryptographic hash stored in DNS

Who does this: Every internet user, automatically, billions of times per day

USE CASE 2: Complete Email Security Stack

Real Example: Your company acmecorp.com is setting up professional email

  • What the admin does:
    • Sets up MX records pointing to mail.acmecorp.com
    • Configures SPF to specify which servers can send email for the domain
    • Sets up DKIM with a private key on the mail server and public key in DNS
    • Configures DMARC policy (reject, quarantine, or monitor suspicious emails)
    • Adds TLSA records for the mail server's SSL certificate

Who does this: IT administrators, email service providers (like Google Workspace, Microsoft 365)

USE CASE 3: Service Discovery (SIP/VoIP)

Real Example: Your company uses a VoIP phone system

  • What happens: When someone calls john@acmecorp.com, the phone system:
    • Looks up _sip._tcp.acmecorp.com SRV record
    • Finds the SIP server at voip.acmecorp.com:5060
    • Establishes the call connection

Who does this: VoIP administrators, telecommunications companies, unified communications platforms

USE CASE 4: Gaming/Minecraft Server Discovery

Real Example: A Minecraft server owner wants a clean domain

  • What they do: Instead of telling players to connect to mc.example.com:25565, they set up:
    • SRV record: _minecraft._tcp.play.example.commc.example.com:25565
    • Now players can just connect to play.example.com and Minecraft automatically finds the right server and port

Who does this: Game server administrators, gaming communities, hosting providers

USE CASE 5: Enterprise Services (Exchange/Office365)

Real Example: Setting up Outlook email clients in a company

  • What happens: When you enter your email in Outlook, it:
    • Queries _autodiscover._tcp.yourcompany.com SRV record
    • Finds the autodiscover server (like autodiscover.outlook.com)
    • Automatically configures server settings, ports, encryption
    • User doesn't have to manually enter server details

Who does this: IT departments, Microsoft Exchange administrators, Office365 migrations

USE CASE 6: SSH Security Verification

Real Example: A security-conscious sysadmin connecting to servers

  • What they do:
    • Set up SSHFP records with SSH key fingerprints in DNS
    • When connecting via SSH, the client can verify the server's identity against DNS
    • Prevents man-in-the-middle attacks even on first connection
    • Command: ssh -o VerifyHostKeyDNS=yes user@server.com

Who does this: Security engineers, DevOps teams, high-security environments

USE CASE 7: DNS Security (DNSSEC)

Real Example: A bank wants to prevent DNS hijacking of their website

  • What they do:
    • Sign all their DNS records with cryptographic signatures (RRSIG)
    • Publish public keys (DNSKEY) in DNS
    • When users visit the bank's site, DNSSEC-aware resolvers verify the signatures
    • If someone tries to hijack the DNS, the signature verification fails

Who does this: Financial institutions, government agencies, security-critical organizations

USE CASE 8: Zone Administration

Real Example: A DNS administrator managing company.com

  • What they actually do:
    • Check SOA serial number: See if DNS changes have propagated (dig company.com SOA)
    • Monitor refresh intervals: Ensure secondary DNS servers are syncing properly
    • Track zone transfers: Know when the last zone update occurred
    • Troubleshoot replication: When DNS changes aren't appearing on all servers

Daily tasks:

  • "Why isn't the new A record showing up on our backup DNS server?"
  • "When did we last update the DNS zone?"
  • "Are our secondary DNS servers getting updates?"

Who does this: DNS administrators, hosting providers, domain registrars, enterprise IT teams

USE CASE 9: Reverse DNS & Geographic Info

Real Example: Email server administration and network troubleshooting

  • Reverse DNS (PTR):
    • Email admin sets PTR record so 192.168.1.100 resolves to mail.company.com
    • Prevents emails from being marked as spam
    • Network admin uses nslookup 192.168.1.100 to identify mystery servers in logs
  • Geographic Info (LOC) - Rarely used, but when it is:
    • University network admin documents server locations for inventory
    • ISP marks network infrastructure locations for planning
    • Research networks studying internet topology

Who does this: Email administrators, network engineers, security analysts, ISP technicians

Each of these represents real work that thousands of people do every day to keep the internet running smoothly!

Read more