Master Linux DNS: Deep Dive into Mechanics and Best Practices

1. Core DNS Principles

DNS is more than a simple "phone book"; it uses a hierarchical namespace and various resource record types to map names to data.

Domain Name Space : A tree‑like hierarchy starting at the root (.) followed by top‑level domains (TLDs) such as .com, then second‑level domains like google.com.

Resource Records (RR) : Data units stored in DNS, e.g.

A – IPv4 address

AAAA – IPv6 address

CNAME – Alias

MX – Mail exchange

NS – Name server

TXT – Text information (SPF, verification, etc.)

Stub Resolver : A lightweight resolver on the client that forwards queries to a recursive resolver.

Recursive Resolver : Provided by ISPs or public services (e.g., 8.8.8.8, 1.1.1.1) and performs the full lookup on behalf of the client.

Authoritative Server : Holds the definitive records for a zone and answers queries for that zone directly.

2. Full DNS Resolution Flow

Using www.example.com as an example:

Browser calls the system API getaddrinfo.

Stub resolver checks the local cache.

If not cached, it checks /etc/hosts.

If still unresolved, it queries the recursive resolver defined in /etc/resolv.conf.

The recursive resolver iterates:

Ask a root server → obtain the .com TLD server address.

Ask the .com server → obtain the authoritative server for example.com.

Ask the authoritative server → receive the final A/AAAA record.

Result is cached locally, returned to the stub resolver, and finally to the application.

The browser now has the IP address and can establish a connection.

Cache and TTL are critical for speed: many queries are satisfied directly from the recursive resolver or local cache.

3. DNS Components in Modern Linux

/etc/hosts : Static mappings with the highest priority, useful for testing or temporary overrides.

/etc/nsswitch.conf : Defines the order of name‑service lookups. A typical line is:

hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname

files

→ check

/etc/hosts

dns

→ use the configured recursive resolver myhostname → resolve the local hostname

/etc/resolv.conf : Traditional resolver configuration file; on most modern systems it is a symlink to systemd‑resolved 's runtime file.

systemd‑resolved : Provides a local DNS stub listener at 127.0.0.53, built‑in cache, DNSSEC validation, optional DNS‑over‑TLS, and multi‑link DNS configuration. Managed via the resolvectl tool.

Enable and start: sudo systemctl enable --now systemd-resolved View status: resolvectl status NetworkManager : Retrieves DNS settings from DHCP or manual configuration, updates systemd‑resolved automatically, and offers GUI or nmtui configuration.

Application → glibc ( getaddrinfo) → nsswitch → ( /etc/hosts or systemd‑[email protected]) → recursive resolver.

4. Linux DNS Best Practices

Configure reliable resolvers : Avoid ISP‑provided “polluted” DNS. Recommended public resolvers:

Cloudflare: 1.1.1.1 / 1.0.0.1

Google: 8.8.8.8 / 8.8.4.4

Quad9: 9.9.9.9

OpenDNS: 208.67.222.222

Example configuration:

sudo resolvectl dns eth0 1.1.1.1 8.8.8.8
sudo resolvectl dnsovertls eth0 yes
resolvectl status

Make effective use of the local cache :

Ensure systemd‑resolved is running.

View cache statistics: resolvectl statistics Flush cache when needed: sudo resolvectl flush-caches Use /etc/hosts wisely :

Ideal for local development (e.g., myapp.test → 127.0.0.1).

Avoid large‑scale reliance on the hosts file.

Enable DNSSEC to protect against cache poisoning.

sudo resolvectl dns eth0 1.1.1.1 8.8.8.8
sudo resolvectl dnsovertls eth0 yes
resolvectl status

Enable encrypted transport (DoT / DoH) :

DoT (DNS‑over‑TLS) is natively supported by systemd‑resolved.

DoH (DNS‑over‑HTTPS) requires configuration in browsers or a proxy such as dnscrypt‑proxy.

Common diagnostic tools : dig – powerful query and trace tool.

dig example.com
 dig +trace example.com
 dig @8.8.8.8 example.com MX

nslookup

– traditional lookup utility.

nslookup example.com

host

– simple query tool.

host example.com
 host 8.8.8.8

resolvectl

– interacts directly with systemd‑resolved.

resolvectl query example.com
 resolvectl status

5. Summary

Understand the fundamentals: recursive resolution, authoritative servers, caching, and TTL.

Prefer configuring DNS via NetworkManager or resolvectl rather than editing /etc/resolv.conf manually.

Secure the setup by enabling DNSSEC and encrypted transports (DoT/DoH).

Boost performance by leveraging the built‑in cache of systemd‑resolved.

Develop troubleshooting skills with tools such as dig, host, and resolvectl.

Following these steps gives your Linux system a fast, stable, and secure DNS resolution environment.