How DNS Works: From Resolution to Proxy and Hijacking Explained
This article explains what DNS is, walks through the step‑by‑step resolution process for a typical website, describes DNS caching, introduces DNS proxy functionality for simplified network management, and warns about DNS hijacking and how to mitigate it.
DNS (Domain Name System) is a distributed database that maps domain names to IP addresses, allowing users to access websites without remembering numeric addresses.
When a user requests a site such as www.163.com, the resolution process follows these steps:
Check the local DNS cache; if found, return the IP.
Check the hosts file for a static mapping.
Query the ISP’s local DNS server, which first checks its cache.
If not cached, the local server queries a root name server, which directs it to the .com top‑level server.
The .com server points to the authoritative server for the target domain.
The authoritative server returns the exact IP address, which is then cached locally and sent back to the client.
DNS caching speeds up lookups but can become stale when mappings change or servers fail; cached entries have a limited time‑to‑live.
A DNS proxy acts as an intermediary between DNS clients and upstream DNS servers, forwarding queries and responses. It simplifies network configuration and centralizes management, allowing administrators to change the upstream DNS address in one place instead of on every client.
DNS hijacking occurs when a malicious DNS server resolves a legitimate domain to an incorrect IP address, often redirecting users to advertising or phishing sites. Mitigation includes using trusted ISP DNS servers or public DNS services.
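One way to check a resolver for the hijacking described above is to compare its answers with those of resolvers you trust. The sketch below is an added example, not part of the original article; the function names, verdict labels and sample data are hypothetical, and the addresses are constructed from documentation ranges so it runs offline.

```python
import ipaddress

# Ranges a public name should not resolve to (RFC 1918 private space and loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(suspect, trusted):
    """Compare A records from the resolver under test with trusted resolvers.

    suspect: set of address strings (empty set = NXDOMAIN / no answer).
    trusted: dict of resolver label -> set of address strings.
    Returns (verdict, sorted list of addresses only the suspect returned).
    """
    if not trusted:
        raise ValueError("need at least one trusted resolver to compare against")
    reference = set().union(*trusted.values())
    if not suspect:
        # The resolver under test returned nothing: blocked or failing, not redirected.
        return ("no-answer" if reference else "ok", [])
    unexpected = sorted(suspect - reference)
    if not unexpected:
        return ("ok", [])
    if not reference:
        # Trusted resolvers say the name does not exist, yet an address came back:
        # the pattern of redirecting failed lookups to an advertising page.
        return ("nxdomain-rewritten", unexpected)
    if any(is_internal(a) for a in unexpected):
        return ("internal-address", unexpected)
    # CDN-hosted names legitimately differ per resolver, so this means
    # "verify further" (for example, check the TLS certificate), not proof.
    return ("mismatch", unexpected)

# Constructed sample answers: name -> (suspect answers, trusted answers).
SAMPLES = {
    "www.example.com": ({"192.0.2.10"},
                        {"trusted-a": {"192.0.2.10", "192.0.2.11"}, "trusted-b": {"192.0.2.10"}}),
    "no-such-name.example": ({"203.0.113.80"}, {"trusted-a": set(), "trusted-b": set()}),
    "login.example.com": ({"198.51.100.66"}, {"trusted-a": {"192.0.2.20"}}),
    "portal.example.com": ({"192.168.1.1"}, {"trusted-a": {"192.0.2.30"}}),
}

def run_samples():
    return {name: classify(s, t)[0] for name, (s, t) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24} {verdict}")
```

To run it against live data, fill the two arguments of `classify` with the A records returned by the resolver under test and by the trusted resolvers for the same name.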
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
