Updated 2 hours ago
When you type a domain name into your browser, something peculiar happens. Your computer asks a server that doesn't know the answer. That server asks another server that also doesn't know. This continues until finally, some server somewhere says: "Yes, I know. Here's the IP address."
This is the design. DNS is a system of referrals, not answers.
The root doesn't know where google.com lives. It only knows who handles .com. And that's enough. That's how billions of domain lookups happen every day without the system collapsing under its own weight.
The Inverted Tree
DNS operates as an inverted tree. At the top sits the root, represented by a single dot. Below it branch the top-level domains—.com, .org, .uk. Below those, the domains you actually type: example.com, connected.app. And below those, subdomains like www or blog or api.
When you look up www.example.com, DNS reads it from right to left: root → .com → example.com → www. Each level delegates to the next. The trailing dot you never type—www.example.com.—represents the root where every lookup begins.
This structure solves a fundamental problem: no single entity needs to maintain a database of every domain on Earth. The root knows about TLDs. The .com TLD knows about domains ending in .com. And example.com knows about its own subdomains. Each level maintains only its piece.
Root Servers: Thirteen Addresses, Nearly Two Thousand Machines
At the top sit the root nameservers—thirteen logical servers identified by letters A through M. But "thirteen" is misleading. Each letter represents an IP address, and each IP address is served by many physical machines distributed worldwide through anycast. When you query a.root-servers.net, you're hitting whichever of the many "A" servers is closest to you.
As of 2024, nearly 2,000 root server instances operate across the globe1. They're run by twelve independent organizations: Verisign operates A and J, NASA operates E, the U.S. Army Research Lab operates H, and international organizations like RIPE NCC, Netnod, and Japan's WIDE Project operate others. This diversity is intentional—no single entity controls the foundation of DNS.
Root servers have exactly one job: tell you which TLD servers handle a given extension. Ask a root server about example.com and it responds: "I don't know, but here are the servers that handle .com." Ask about example.jp and you get the servers for .jp.
This limited scope keeps root servers fast. The entire root zone—every TLD delegation in existence—fits in a file under 2 megabytes2. That file lists over 1,500 top-level domains, and it's small enough that every root server instance can hold it entirely in memory.
TLD Servers: The Middle Layer
Top-level domain servers manage everything under their extension. The .com servers know about every .com domain. The .uk servers know about every .uk domain.
TLDs come in types:
- Generic TLDs (gTLDs):
.com,.org,.net, and newer ones like.app,.dev,.blog - Country code TLDs (ccTLDs):
.us,.uk,.de,.jp—each country manages its own - Sponsored TLDs:
.edu,.gov,.mil—restricted to specific organizations
Verisign operates .com and .net, which together account for over 169 million domain registrations3. When their TLD servers receive a query for example.com, they don't return the IP address. They return another referral: "Here are the nameservers responsible for example.com."
Another handoff. Another delegation.
Authoritative Nameservers: Where Answers Live
Authoritative nameservers are where the chain ends. These servers hold the actual DNS records—the A records mapping names to IP addresses, the MX records directing email, the CNAME records creating aliases.
When you register a domain, you designate which nameservers speak for it. Those might be run by your registrar, a hosting provider like Cloudflare or AWS Route 53, or your own infrastructure.
The authoritative nameserver is the source of truth. If ns1.example.com says www.example.com points to 192.0.2.1, that's the answer. No server above it can override this. They can only point queries in its direction.
Most domains have multiple authoritative nameservers—ns1 and ns2, often in different data centers. If one fails, queries route to the other. Redundancy at every level.
A Query From Start to Finish
You type www.example.com. Your browser asks your operating system. Your OS asks its configured resolver—usually your ISP's, or maybe Google's 8.8.8.8, or Cloudflare's 1.1.1.1.
The resolver checks its cache. Nothing there. Time to climb the tree.
Step 1: Ask the root. "Where can I find information about .com?" The root responds with a list of .com TLD servers.
Step 2: Ask the TLD. The resolver picks one and asks: "Where can I find information about example.com?" The TLD responds with the authoritative nameservers for example.com—plus their IP addresses.
That last part matters. It's called a glue record, and it solves a chicken-and-egg problem: you need DNS to look up ns1.example.com, but you need ns1.example.com to do DNS for example.com. The TLD embeds the IP address in the referral, breaking the loop.
Step 3: Ask the authoritative server. "What's the IP address for www.example.com?" Finally, an actual answer: 192.0.2.1.
The resolver caches this response based on its TTL, returns it to your browser, and your browser connects. The entire journey—root to TLD to authoritative—typically completes in tens of milliseconds. With caching, subsequent lookups resolve in single digits.
Why Delegation Works
Each level doesn't try to know everything. Each level knows only who to ask next.
The root delegates .com to Verisign. Verisign delegates example.com to whoever registered it. The domain owner can further delegate—blog.example.com might point to completely different nameservers than api.example.com.
No central database. Adding a new domain doesn't require updating the root. It only requires updating the TLD, and even that is just adding a pointer.
Isolated failures. If your authoritative nameservers go down, that's your problem. The root servers don't notice. The TLD servers don't care. Your outage doesn't cascade upward.
Distributed control. Different organizations control different pieces. The root zone is managed through international coordination, TLDs by their respective operators, individual domains by their owners. No single entity can unilaterally control DNS.
Unlimited growth. The tree can grow forever. New TLDs, new domains, new subdomains—each is just another branch, managed by whoever owns that branch.
This is how a system designed in the 1980s handles billions of queries per day. Not through brute force, but through elegant delegation. Everyone knows just enough to point to the next level down.
Frequently Asked Questions About the DNS Hierarchy
Sources
Sources
Was this page helpful?