How DNS Works: The Internet's Phone Book
Last updated: April 9, 2026
Learn how DNS translates domain names into IP addresses, why it's unencrypted by default, and how it became the internet's most common censorship tool.
When you type a web address into your browser—say, example.com—your device does not magically know where that website lives. Somewhere, a computer must translate the human-readable name "example.com" into a numerical address that routers can actually use to send data. That translation happens through DNS, the Domain Name System. Understanding DNS is essential to understanding both how the internet works and why it remains vulnerable to surveillance and censorship.
What DNS actually does
DNS is, at its core, a phone book. Just as a physical phone book lets you look up a person's name and find their phone number, DNS lets your device look up a domain name and find the numerical address—called an IP address—associated with it. An IP address is a unique identifier for a device on the internet; in the common IPv4 form it is written as four numbers separated by dots, like 93.184.216.34. Without DNS, you would have to memorize IP addresses the way you once had to memorize phone numbers before smartphones existed.
When you visit a website, your browser does not contact that site directly. Instead, it asks a DNS server, "What is the IP address for example.com?" The DNS server responds with a number. Your browser then uses that number to connect to the actual web server and retrieve the page you requested.
The journey a DNS query takes
A single DNS lookup is not a simple point-to-point request. Your device usually does not know the answer to a DNS question, so it starts a chain of questions that moves through four different types of DNS servers. Understanding this chain is important because it shows where surveillance and filtering can happen.
First, your device contacts a recursive resolver. This is typically operated by your internet service provider (ISP), though you can configure your device to use a different one. The recursive resolver acts as a helpful librarian: it does not know the answer off the top of its head, but it knows how to find it. It then asks the root nameserver, "Do you know where example.com is?" The root nameserver does not know either, but it responds with directions: "I do not have that information, but ask the TLD nameserver for .com domains."
TLD stands for top-level domain—it is the suffix on a domain name, like .com, .org, or .uk. The recursive resolver now asks the TLD nameserver, "Where is example.com?" The TLD nameserver again does not have the specific answer, but responds with: "I do not know, but the authoritative nameserver for example.com can tell you." Finally, the recursive resolver asks the authoritative nameserver—the server that actually holds the records for example.com—and receives the real answer: the IP address.
This multi-step process seems inefficient, but it is actually elegant. It distributes the burden of answering billions of DNS queries across many servers worldwide. The root nameservers are duplicated and distributed globally specifically because they handle an enormous volume of traffic. Without this distribution, the internet would grind to a halt.
Why DNS is visible to everyone
Here is the problem: by default, DNS queries are sent in plain text. When your device asks a recursive resolver, "What is the IP address for example.com," that question travels across the internet in the same way as a postcard travels through the mail—anyone handling it can read what is written on it.
Your ISP operates the recursive resolver that your device typically uses. This means your ISP can see a record of every domain you look up. They know you visited example.com, newssite.org, and health-advice.net today. They can build a profile of your interests, your health concerns, your political leanings, and your hobbies—all from DNS lookups alone, without needing to see the content you actually viewed.
This is true even if you use HTTPS, the encryption protocol that scrambles the content of web pages. HTTPS encrypts what you do on a website, but DNS happens before HTTPS kicks in. An observer can see which websites you visit; they just cannot see what you do on them.
Encryption came to DNS, but it comes with tradeoffs
In recent years, two methods for encrypting DNS have emerged: DNS over HTTPS (DoH) and DNS over TLS (DoT). Both wrap DNS queries in encryption, making them unreadable to your ISP or other network observers. If you use DoH, your DNS queries are encrypted and often sent to a company like Cloudflare or Google instead of your ISP.
This is genuinely better for privacy—your ISP no longer sees your domain lookups. But it comes with its own tradeoff: you are now trusting a different organization with the same information. Some argue this is a reasonable exchange; others worry about concentrating DNS authority in a few large technology companies. There is no perfect answer. Encryption is better than visibility, but it moves the trust problem rather than eliminating it.
DNS filtering: the cheapest form of censorship
This same visibility and central control is why DNS filtering has become the most common censorship method globally. A government or ISP can block access to a website by configuring the DNS server to give false answers: when a user asks, "What is the IP address for blocked-site.com," the server responds with a wrong address, or no address at all. The user's device cannot connect because it has been given a dead end.
DNS filtering is appealing to censors because it is cheap and requires no sophisticated technology. It does not require monitoring internet traffic, scanning content, or blocking at the network layer. It simply requires control of the DNS infrastructure—something that governments in many countries already have. This is why DNS filtering is used in countries ranging from authoritarian regimes to democracies. It is a blunt tool, but it is effective, invisible to most users, and easy to deploy at scale.
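The two points above, that a DNS query carries the domain name in readable form and that a filtered answer is a dead end rather than a real address, can both be seen by handling the raw DNS wire format. The following is an added example, not code from the original article: it builds a query for example.com the way a resolver would see it on the wire, constructs sample replies (a genuine answer, an all-zero answer, and an NXDOMAIN), and applies a small heuristic that flags replies that look like DNS-level blocking. The address 93.184.216.34 is the one the article uses; the transaction ID and TTL are constructed values.

```python
import ipaddress
import struct

def build_query(name, txid=0x1234):
    """Encode a DNS A query as it travels on the wire (RFC 1035): plain bytes, no encryption."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1; one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_response(query, rcode=0, ips=()):
    """Constructed reply: echo the question, then one A record per IP (name as pointer to offset 12)."""
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180 | rcode, 1, len(ips), 0, 0)
    rrs = [b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed for ip in ips]
    return header + query[12:] + b"".join(rrs)

def read_name(msg, off):
    """Decode a (possibly compressed) name at `off`; return (name, offset just past it)."""
    labels, end = [], None
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:  # compression pointer: jump, remembering where to resume
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)

def parse_message(msg):
    """Pull the question name and any A-record answers out of a raw DNS message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "qname": qname, "answers": answers}

def filtering_indicators(resp):
    """Heuristic signs that a reply is a DNS-level dead end rather than a real answer."""
    hits = ["NXDOMAIN"] if resp["rcode"] == 3 else []
    for ip in resp["answers"]:
        a = ipaddress.IPv4Address(ip)
        if a.is_unspecified or a.is_loopback or a.is_private:
            hits.append("non-routable answer " + ip)
    return hits
```

The query bytes contain the labels `example` and `com` verbatim, which is exactly what a network observer reads from the "postcard". The heuristic only catches unroutable dead ends; a filtered reply that points at a routable block page can only be spotted by comparing against an answer from a resolver you trust, which this offline example does not do.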
What comes next
Understanding DNS is the foundation for understanding both internet censorship and internet privacy. The next step is learning how VPNs route your traffic through encrypted tunnels to bypass DNS filtering, and how technologies like encrypted SNI (Server Name Indication) work to hide even the domain name from network observers. You might also explore how DNSSEC works to verify that DNS responses are authentic, or how decentralized DNS systems attempt to remove central points of control entirely.
For now, remember this: DNS is the internet's phone book, it is readable by default, and controlling it is a powerful form of censorship. That simple fact explains much about how the modern internet is shaped and who has power over what you can see.