
DNS System — Detailed

flowchart TB
  subgraph Client
    OS[OS Stub resolver]
    BR[Browser cache]
  end

  subgraph Recursive[Recursive resolvers]
    ISP[ISP resolver]
    PUBL[Public 1.1.1.1 / 8.8.8.8]
    CACHE[Cache TTL]
    DNSSEC[DNSSEC validation]
    DOH[DoH / DoT - encrypted transport]
  end

  subgraph Auth[Authoritative tier]
    ROOT[Root . servers]
    TLDS[TLD servers]
    APEX[Apex servers - example.com]
    SUB[Sub-zone servers]
    ANYC[Anycast deployment]
  end

  subgraph Zones[Zones & records]
    A[A / AAAA records]
    CNAME
    MX
    TXT
    NS
    SOA
    SRV
    CAA
    TLSA
  end

  subgraph Ops
    PROV[Provisioning API]
    GIT[Zone file as code]
    SYNC[Secondary NS via AXFR/IXFR]
    GSLB[GSLB / latency-based routing]
    LOG[Query logs / analytics]
  end

  Client --> Recursive --> Auth
  Auth --> Zones
  Ops --- Auth

  classDef client fill:#dbeafe,stroke:#1e40af,stroke-width:1px,color:#0f172a;
  classDef edge fill:#cffafe,stroke:#0e7490,stroke-width:1px,color:#0f172a;
  classDef service fill:#fef3c7,stroke:#92400e,stroke-width:1px,color:#0f172a;
  classDef datastore fill:#fee2e2,stroke:#991b1b,stroke-width:1px,color:#0f172a;
  classDef cache fill:#fed7aa,stroke:#9a3412,stroke-width:1px,color:#0f172a;
  classDef queue fill:#ede9fe,stroke:#5b21b6,stroke-width:1px,color:#0f172a;
  classDef compute fill:#d1fae5,stroke:#065f46,stroke-width:1px,color:#0f172a;
  classDef storage fill:#e5e7eb,stroke:#374151,stroke-width:1px,color:#0f172a;
  classDef external fill:#fce7f3,stroke:#9d174d,stroke-width:1px,color:#0f172a;
  classDef obs fill:#f3e8ff,stroke:#6b21a8,stroke-width:1px,color:#0f172a;
  class ANYC,GSLB edge;
  class OS,ISP,PUBL,CACHE,DNSSEC,DOH,ROOT,TLDS,APEX,SUB,A,PROV,GIT,SYNC service;
  class BR cache;
  class LOG obs;

Resolution path

  1. The client's stub resolver sends the query to its configured recursive resolver.
  2. The recursive resolver checks its cache; on a miss it walks the authoritative tier: root → TLD → authoritative server for the zone.
  3. It caches the answer for its TTL.
  4. It returns the answer to the stub.
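The four steps above as runnable Python, an added example that is not part of this page: a toy iterative resolver over constructed in-memory zone data (the server names, records and TTLs are hypothetical) that walks root → TLD → apex by following referrals, caches each answer and delegation for its TTL, and serves a repeat query from cache.

```python
# Constructed authoritative data (hypothetical servers and zones, not real DNS):
# server -> {owner: (rtype, rdata, ttl)}; an "NS" rdata names the next server to ask.
AUTH = {
    "root":         {"com.": ("NS", "tld-com", 172800)},
    "tld-com":      {"example.com.": ("NS", "apex-example", 86400)},
    "apex-example": {"www.example.com.": ("A", "192.0.2.10", 300),
                     "mail.example.com.": ("A", "192.0.2.25", 300)},
}

def suffixes(name):
    """Owner names, most specific first: www.example.com., example.com., com."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

class Resolver:
    def __init__(self):
        self.cache = {}  # (owner, rtype) -> (rdata, expires_at)
        self.log = []    # every query sent upstream: (server, qname)

    def _cached(self, owner, rtype, now):
        hit = self.cache.get((owner, rtype))
        return hit[0] if hit and hit[1] > now else None

    def query(self, server, name):
        """Ask one authoritative server: it answers or refers via the closest enclosing owner."""
        self.log.append((server, name))
        for owner in suffixes(name):
            if owner in AUTH[server]:
                return (owner,) + AUTH[server][owner]
        raise LookupError(f"{server}: no data for {name}")  # NXDOMAIN-like

    def resolve(self, name, now):
        """Return (address, path); path lists servers contacted, or ['cache'] on a hit."""
        addr = self._cached(name, "A", now)
        if addr:
            return addr, ["cache"]
        server = "root"                     # start at the root unless a fresher,
        for owner in suffixes(name):        # more specific delegation is cached
            ns = self._cached(owner, "NS", now)
            if ns:
                server = ns
                break
        path = []
        while True:                         # referral walk: root -> TLD -> apex
            path.append(server)
            owner, rtype, rdata, ttl = self.query(server, name)
            self.cache[(owner, rtype)] = (rdata, now + ttl)  # cache for its TTL
            if rtype == "A":
                return rdata, path
            server = rdata                  # follow the delegation
```

Calling `resolve` twice for the same name within the TTL shows the second answer coming from cache, and a query for a sibling name after the TTL shows the walk resuming at the cached apex delegation rather than at the root.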

Anycast everything

  • All major recursive resolvers and authoritative NS run anycast (one address announced from many sites) for low latency and DDoS resilience.

DNSSEC

  • Chain of trust runs from the root trust anchor → TLD → zone.
  • Each zone signs its RRsets; the recursive resolver validates the signatures along that chain.

Glossary & fundamentals

Concepts referenced in this design. Each row links to its canonical page; the tag column shows whether it is a high-level (HLD) or low-level (LLD) concept.

| Tag | Concept | What it is | Page |
| --- | --- | --- | --- |
| HLD | Load balancer / GSLB | L4/L7 traffic distribution and failover | load-balancer |