Updated 2 hours ago
Every time you type a domain name, you're asking a question. Not just "what's the IP address?" but "who's allowed to answer?"
That second question is the interesting one. Anyone could claim to know where google.com lives. The DNS system exists to ensure you only get answers from servers with the authority to give them.
The Hierarchy of Authority
DNS is built on a chain of trust. At the top sit the root servers—13 addresses that know about every top-level domain (.com, .org, .app). Below them, TLD servers know about every domain registered under their suffix. At the bottom, authoritative servers know the actual IP addresses for specific domains.
When you request connected.app, your computer doesn't ask all of them. It asks a recursive resolver—a server (usually run by your ISP or a public provider like Cloudflare) that does the detective work on your behalf.
The resolver starts at the top. It asks a root server: "Where's connected.app?"
The root server doesn't know. It only knows who to ask next. "I don't handle .app domains, but here's who does."
The resolver asks the .app server: "Where's connected.app?"
The .app server doesn't know either. "I don't handle that specific domain, but here's the authoritative server for connected.app."
Finally, the resolver asks that authoritative server, which provides the definitive answer: the IP address where connected.app actually lives.
This takes milliseconds. The root servers don't know where google.com is—they only know who to ask next. That's not a limitation; it's the entire point. No single server needs to know everything. Each level only needs to know enough to point you in the right direction.
Three Servers, Three Jobs
Recursive resolvers work for you. They take your question, chase it through the hierarchy, cache the answer, and hand it back. When you use 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare), you're choosing which resolver does this work on your behalf.
Authoritative servers are the source of truth. If you own example.com, your authoritative server is the only one allowed to say where example.com points. These servers don't ask questions—they only answer them.
Forwarding servers are middlemen. Your home router probably acts as one, taking DNS requests from your devices and passing them to your ISP's resolver. They cache results to speed things up, but they don't do the hierarchical lookup themselves.
Who Runs This Infrastructure?
Your ISP runs recursive resolvers as part of basic service. When you connect through Comcast or Verizon, your router is automatically configured to use their DNS servers. Public providers like Cloudflare, Google, and Quad9 offer alternatives—often faster, sometimes more private.
Domain owners run authoritative servers (or pay providers like Cloudflare or AWS to run them). When Connected operates connected.app, we're responsible for the servers that answer queries about our domain.
The root servers are the interesting case. Thirteen addresses serve the entire Internet—but those 13 addresses actually represent nearly 2,000 physical servers distributed worldwide. When you query a root server, anycast routing sends your request to the geographically closest one. You never know which physical machine answered.
This infrastructure is operated by 12 independent organizations: Verisign (which runs two root servers), NASA, the U.S. military, universities, ISC, and others. They coordinate through ICANN, but each runs their servers independently. No single organization controls the root.
Designed to Survive Failure
DNS expects things to break. The protocol requires at least two authoritative nameservers for every domain. The root system uses nearly 2,000 servers behind 13 addresses. Recursive resolvers cache everything, so they can keep answering queries even if authoritative servers go offline temporarily.
Individual DNS servers fail constantly—maintenance, attacks, outages—but the Internet keeps working. There's no single point of failure because failure was assumed from the start.
This is why DNS feels invisible. Not because nothing goes wrong, but because the system routes around whatever does.
Frequently Asked Questions About DNS Servers
Sources
Was this page helpful?