This topic introduces the basic concepts of Alibaba Cloud DNS to help you understand the fundamentals and better use the product features.
DNS
DNS (Domain Name System) is one of the fundamental systems of the Internet and an important basic service for corporate intranets. It converts Internet domain names and corporate intranet domain names into IP addresses. This conversion is called "domain name resolution", which is why DNS is also known as the "domain name resolution system"; it acts as a signpost for network access. DNS is a distributed database that maps domain names to IP addresses, so that users can reach network resources and services conveniently without memorizing the machine-readable IP address strings. The DNS protocol runs over UDP on port 53 (TCP port 53 is also used, for example for responses too large for a single UDP datagram). Based on the network environment it serves, DNS can be categorized into public DNS and internal DNS. Based on its functional role in the resolution chain, DNS can be categorized into authoritative DNS and recursive DNS.
Domain hierarchy
Domain names use a hierarchical tree structure for naming. Each host or router connected to the Internet has a unique hierarchical name. Domain names consist of a sequence of labels separated by dots (periods). The domain name hierarchy is shown in the following figure:
Examples
.com is a top-level domain.
aliyun.com is a primary domain name, also called a second-level domain.
example.aliyun.com and www.aliyun.com are subdomains, also called third-level domains.
test.example.aliyun.com is a subdomain of a subdomain, also called a fourth-level domain.
DNS server hierarchy
The DNS resolution process involves 4 levels of DNS servers, as follows:
| Server type | Function |
| --- | --- |
| Root name server | Full name: Root Name Server, abbreviated as Root Server. When the local DNS server cannot find the resolution result locally, it first queries the root name server and obtains the IP address of the TLD name server. |
| TLD name server | Manages the primary domain names registered under it. For example, for "example.com", the .com TLD name server can return the address of the authoritative name server for the primary domain name "example.com". |
| Authoritative name server | Unique within a specific zone; it maintains the mapping between domain names and IP addresses in that zone. For example, with the public authoritative resolution of Alibaba Cloud DNS, you can add DNS records, and the server then returns the configured IP records to users. |
| Local DNS resolver | Full name: Local DNS Server, abbreviated as Local DNS. The local DNS server answers recursive requests from clients and keeps following referrals until it obtains the final resolution result. Examples include the DNS automatically assigned to the user's machine, the ISP-assigned DNS, and public DNS services such as Google DNS or 223.5.5.5. |
Each level of domain has its dedicated domain name server, with the root name server at the top level. Each layer of domain name servers stores the IP addresses of the lower-level domain name servers, enabling step-by-step queries.
DNS resolution process
The domain name resolution process when a website is accessed through the domain name example.com is as follows.
1. The user enters example.com in the Web browser, which sends a query request to the local DNS resolver. If the local DNS resolver has cached resolution data, it returns the IP address corresponding to example.com directly to the Web browser and the process jumps to step 9. If there is no cached data, the process continues with step 2.
2. The local DNS resolver queries the root name server.
3. The root name server returns the address of the .com TLD name server to the local DNS resolver.
4. The local DNS resolver sends a query request for example.com to the .com TLD name server.
5. The .com TLD name server returns the address of the authoritative name server that provides authoritative resolution for example.com to the local DNS resolver.
6. The local DNS resolver sends a query request to the authoritative name server.
7. The authoritative name server returns the IP address corresponding to example.com to the local DNS resolver.
8. The local DNS resolver returns the IP address to the Web browser.
9. The Web browser accesses the website server using the IP address.
10. The website server returns the webpage content.
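The steps above as a runnable simulation, added here as an example (not Alibaba Cloud code): three constructed in-memory servers stand in for the root, the .com TLD and the authoritative server, and resolve() plays the local DNS resolver, following referrals and consulting a cache as in step 1.

```python
# Added example (not Alibaba Cloud code): a simulated local resolver walking
# the referral chain root -> .com TLD -> authoritative server. All server
# names and addresses below are constructed for the demonstration.

# Each "server" maps a name to ("A", ip) if it is authoritative for that name,
# or to ("NS", next_server) if it can only say who to ask next.
ROOT = {"com.": ("NS", "com-tld.example")}
TLD_COM = {"example.com.": ("NS", "ns1.example.com")}
AUTH_EXAMPLE = {"example.com.": ("A", "192.0.2.10")}

SERVERS = {  # server name -> the data that server answers from
    "root": ROOT,
    "com-tld.example": TLD_COM,
    "ns1.example.com": AUTH_EXAMPLE,
}


def lookup(server, name):
    """One server's iterative answer: an exact match, else the closest referral."""
    if name in server:
        return server[name]
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        record = server.get(".".join(labels[i:]) + ".")
        if record and record[0] == "NS":
            return record
    return None


def resolve(name, cache=None, max_hops=8):
    """Play the local DNS resolver (steps 1 to 8): returns (ip, path), where path
    lists the servers consulted; a cached answer is returned as (ip, ["cache"])
    without contacting any server, as step 1 describes."""
    cache = {} if cache is None else cache
    name = name.rstrip(".").lower() + "."
    if name in cache:
        return cache[name], ["cache"]
    path, server_name = [], "root"
    for _ in range(max_hops):  # bounded so a bad referral chain cannot loop forever
        path.append(server_name)
        record = lookup(SERVERS[server_name], name)
        if record is None:
            raise LookupError(f"{server_name} has no data for {name}")
        rtype, rdata = record
        if rtype == "A":
            cache[name] = rdata  # later queries for this name are served from here
            return rdata, path
        server_name = rdata  # NS referral: the next server to ask
    raise LookupError(f"too many referrals while resolving {name}")
```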
Recursive resolution (Recursive Query)
The DNS server completes the entire query process for you. Each step is handled by this server, and it returns the final result directly to you. For example:
The client submits "Please find the IP of www.example.com" to the local DNS (recursive server).
If the recursive server does not know the answer, it queries the root DNS, the TLD DNS, and the authoritative DNS in turn, following each referral until it obtains the final answer.
The user only needs to wait for the recursive server to provide the final resolution result.
Characteristics
The user only needs to ask once and wait once.
The recursive server has a relatively high load because it needs to complete the entire query process.
This is the most common method between clients and local DNS.
Common applications
Regular users/PCs/browsers: Only use recursive queries and do not process iterative queries.
Local DNS servers (such as your broadband carrier, public 8.8.8.8, or company intranet DNS): Usually take on the role of recursive resolution and initiate iterative queries externally (to root, TLD, authoritative DNS).
Public DNS servers: Recursive for users, iterative for higher-level DNS.
Iterative resolution (Iterative Query)
The DNS server only helps you find "the next clue it knows." If it does not have the answer itself, it tells you where to ask next, and you must complete the entire query process yourself. For example:
The client asks the local DNS: "What is the IP of www.example.com?"
The local DNS does not know the answer and queries the root DNS. The root DNS does not answer with the IP directly but responds: "You should ask the TLD server." Here, the root DNS is performing iterative resolution.
The local DNS asks the TLD server, and the TLD server replies: "Go and ask this authoritative DNS." Here, the TLD server is performing iterative resolution.
This continues until the authoritative server is found and the final result is obtained.
Characteristics
The client needs to ask at each step.
The server load is relatively low, but the client burden is high (not typically used this way).
Common applications
Root DNS servers, TLD servers, authoritative DNS servers.
Self-built DNS servers for enterprises, schools, etc.
Public DNS servers: Recursive for users, iterative for higher-level DNS.
DNS cache
A DNS cache stores resolution data geographically close to the client that made the request. DNS data can be cached at any level in the query hierarchy. The purpose of caching is to reduce query latency and decrease the number of recursive queries.
TTL
Time to Live (TTL) is a value in a DNS record that tells a recursive resolver how long to cache the record. When the TTL expires, the resolver deletes the record from its cache. If a user requests the same domain name again, the resolver must perform a new query to obtain the record.
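A resolver-side cache that applies TTL as described above, added here as an example (not Alibaba Cloud code). The clock is injected so that demo() can show the same record being served from cache at 100 s and fetched again once its 300 s TTL has elapsed; the record value and TTL are constructed.

```python
# Added example (not Alibaba Cloud code): a resolver cache that honours TTL.
# A record is served from cache only until its TTL has elapsed; after that the
# resolver must query upstream again. The answer 192.0.2.10 is constructed.
import time


class TtlCache:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._entries = {}  # (name, rtype) -> (rdata, expires_at)

    def put(self, name, rtype, rdata, ttl):
        if ttl <= 0:  # TTL 0 means "do not cache this record"
            return
        self._entries[(name, rtype)] = (rdata, self._clock() + ttl)

    def get(self, name, rtype):
        entry = self._entries.get((name, rtype))
        if entry is None:
            return None
        rdata, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[(name, rtype)]  # expired: evict, caller must re-query
            return None
        return rdata

    def remaining_ttl(self, name, rtype):
        """TTL to advertise in a cached answer: original TTL minus time already elapsed."""
        entry = self._entries.get((name, rtype))
        return 0 if entry is None else max(0, int(entry[1] - self._clock()))


def demo():
    """Returns (answer at t=100, remaining TTL at t=100, answer at t=300, upstream queries)."""
    now = {"t": 0}                       # constructed clock, advanced by hand
    cache = TtlCache(lambda: now["t"])
    upstream = [0]                       # queries that had to go to the authoritative server
    def resolve(name):
        ip = cache.get(name, "A")
        if ip is None:
            upstream[0] += 1
            ip = "192.0.2.10"            # constructed answer with a 300 s TTL
            cache.put(name, "A", ip, 300)
        return ip
    resolve("example.com")               # t=0: cache miss, upstream query 1
    now["t"] = 100
    hit = resolve("example.com")         # still within TTL: served from cache
    remaining = cache.remaining_ttl("example.com", "A")
    now["t"] = 300
    after = resolve("example.com")       # TTL elapsed: upstream query 2
    return hit, remaining, after, upstream[0]
```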
IPv4/IPv6 dual stack
A dual IP stack, or dual stack, allows a system to use both the IPv4 and IPv6 protocol stacks simultaneously. The two protocol stacks run in parallel.
DNS query flood attack
A DNS query flood attack is a type of denial-of-service (DoS) attack where an attacker uses multiple compromised machines to send a massive volume of domain name queries to a target DNS server. If the number of queries per second exceeds the server's capacity, legitimate resolution requests may time out, which impacts service availability.
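Detection logic a resolver operator could run over query logs to recognize the flood described above, added here as an example (not Alibaba Cloud code). The log format, client addresses and thresholds are all assumed for the demonstration.

```python
# Added example (not Alibaba Cloud code): spotting a DNS query flood in server
# logs by counting queries per second. Both the log format ("<epoch> <client>
# <qname> <qtype>") and every address in it are constructed for the demo.
from collections import Counter


def make_sample_log():
    """Three seconds of traffic: one normal client at 2 qps, one source at 500 qps."""
    lines = []
    for t in range(1700000000, 1700000003):
        lines += [f"{t} 198.51.100.7 example.com A"] * 2
        lines += [f"{t} 203.0.113.9 host{i}.example.com A" for i in range(500)]
    return lines


def parse_line(line):
    ts, src, qname, qtype = line.split()
    return int(ts), src, qname, qtype


def detect_flood(lines, per_source_limit=100, server_capacity=400):
    """Return (sources over per_source_limit qps, seconds where total qps > capacity).

    The per-source check catches a single noisy client; the total-rate check is
    the one that still fires when the flood is spread over many compromised
    machines that each stay under the per-source limit.
    """
    per_source = Counter()  # (second, client) -> queries
    per_second = Counter()  # second -> queries from all clients
    for line in lines:
        ts, src, _, _ = parse_line(line)
        per_source[(ts, src)] += 1
        per_second[ts] += 1
    offenders = sorted({src for (_, src), n in per_source.items() if n > per_source_limit})
    saturated = sorted(ts for ts, n in per_second.items() if n > server_capacity)
    return offenders, saturated
```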
URL forwarding
URL forwarding, also known as URL redirection, is a technique in which server-side configuration redirects requests for one domain name to another website.
edns-client-subnet
edns-client-subnet is a DNS extension (RFC 7871) that allows a recursive DNS resolver to pass the client's subnet (a prefix of its IP address, not the full address) to an authoritative DNS server.
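How the client information is actually encoded, added here as an example (not Alibaba Cloud code): an encoder and a validating decoder for the ECS option defined in RFC 7871. All addresses are constructed.

```python
# Added example (not Alibaba Cloud code): encoding and decoding the EDNS Client
# Subnet option (RFC 7871, option code 8). It shows what actually reaches the
# authoritative server: the client address truncated to the source prefix
# length, with the remaining bits zeroed. Addresses below are constructed.
import ipaddress
import struct

ECS_OPTION_CODE = 8
FAMILY = {4: 1, 6: 2}  # IANA address family numbers: 1 = IPv4, 2 = IPv6
VERSION = {1: 4, 2: 6}


def encode_ecs(client_ip, source_prefix, scope_prefix=0):
    """Wire bytes of an ECS option carrying client_ip/source_prefix."""
    ip = ipaddress.ip_address(client_ip)
    # Zero the host bits so that no more than source_prefix bits leave the resolver.
    net = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr = net.network_address.packed[: (source_prefix + 7) // 8]
    body = struct.pack("!HBB", FAMILY[ip.version], source_prefix, scope_prefix) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_ecs(data):
    """Parse an ECS option into (ip_network, scope_prefix); ValueError if malformed."""
    if len(data) < 8:
        raise ValueError("ECS option too short")
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE or length != len(data) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[4:8])
    if family not in VERSION:
        raise ValueError(f"unknown address family {family}")
    full_len = 4 if VERSION[family] == 4 else 16
    addr = data[8:]
    if source_prefix > full_len * 8 or len(addr) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match source prefix length")
    # Pad back to a full address; strict=True rejects options with stray host bits set.
    net = ipaddress.ip_network((addr.ljust(full_len, b"\x00"), source_prefix), strict=True)
    return net, scope_prefix
```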
DNSSEC
Domain Name System Security Extensions (DNSSEC) is a DNS feature that uses digital signatures to ensure the authenticity and integrity of DNS responses. DNSSEC can effectively prevent attacks such as DNS spoofing and cache poisoning. This protects users from being redirected to malicious sites and increases trust in the Internet.
HTTPDNS mobile resolution concepts
Application terminal
Refers to the terminal devices and application services that access the network, including but not limited to mobile terminals, IoT devices, and mobile apps.
DNS over HTTPS (DoH)
Used to encrypt DNS request traffic. Alibaba Cloud Public DNS provides DNS resolution through TLS-encrypted HTTP connections as specified in RFC 8484.
DNS over TLS (DoT)
Used to encrypt DNS request traffic. Alibaba Cloud Public DNS provides DNS resolution through TLS-encrypted TCP connections as specified in RFC 7858.
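The wire-format query that both encrypted transports above carry, added here as an example (not Alibaba Cloud code): it is built once, then packaged as an RFC 8484 DoH GET request and as the length-prefixed frame DoT sends over TLS per RFC 7858. The resolver hostname is a placeholder.

```python
# Added example (not Alibaba Cloud code): the DNS wire-format query behind both
# encrypted transports, sent as an RFC 8484 DoH GET request or framed for DoT as
# RFC 7858 requires. The resolver hostname below is a placeholder.
import base64
import struct

DOH_URL = "https://doh.resolver.example/dns-query"  # placeholder endpoint
DOT_PORT = 853  # DNS over TLS listens on TCP port 853 (RFC 7858)


def encode_qname(name):
    """DNS wire form of a name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1):
    """Wire-format query: 12-byte header, one question (qtype 1 = A, class 1 = IN).

    The ID is 0 and only the RD flag (0x0100) is set, as RFC 8484 recommends so
    that identical queries produce identical, cacheable HTTP requests.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(name, qtype=1, base=DOH_URL):
    """RFC 8484 GET form: base64url-encoded message in the dns parameter, padding removed."""
    token = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{base}?dns={token}"


def doh_headers():
    """Both request and response carry the application/dns-message media type."""
    return {"Accept": "application/dns-message"}


def dot_frame(message):
    """DoT sends the same message over TLS, prefixed with a two-byte big-endian length."""
    return struct.pack("!H", len(message)) + message
```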