Network Analysis

What is DNS?

The Internet's phone book: how DNS translates domain names into IP addresses.

1 Introduction

The Domain Name System (DNS) is the phone book of the Internet. When you type www.google.com into your browser, your computer does not know where that website lives. It needs to look up the actual address -- an IP address like 142.250.80.46. DNS performs this translation instantly, billions of times per day, across the entire Internet.

Imagine you want to call a friend but only know their name, not their phone number. You look them up in a phone book. DNS works the same way: it translates human-friendly names into machine-friendly numbers. Without DNS, you would need to memorize IP addresses for every website you visit.

Key DNS record types

A: Maps to an IPv4 address
AAAA: Maps to an IPv6 address
MX: Mail server for the domain
CNAME: Alias pointing to another domain

2 How It Works

Use the domain analyzer to inspect the DNS records of any domain and understand its infrastructure.

The DNS resolution process

When you type a domain name in your browser, a chain of lookups happens in milliseconds:

1. Local cache check: Your computer first checks whether it has recently looked up this domain. If so, it uses the cached result.

2. Recursive resolver: Your ISP's DNS server (or a public one like 8.8.8.8) takes over and queries the hierarchy on your behalf.

3. Root servers: 13 root server clusters worldwide direct the query to the correct Top-Level Domain (TLD) server (.com, .org, .net, ...).

4. Authoritative server: The domain's own DNS server provides the final answer -- the actual IP address associated with the domain.

3 Detailed Analysis

DNS record types explained

Record | Purpose                  | Example               | Security relevance
-------|--------------------------|-----------------------|---------------------------------------------------------------
A      | Maps domain to IPv4      | 93.184.216.34         | Reveals the hosting server's IP for reputation checks
AAAA   | Maps domain to IPv6      | 2606:2800:220:1::248  | Same as A record but for IPv6 infrastructure
MX     | Mail server              | mail.example.com      | Shows which server handles email; relevant for phishing analysis
CNAME  | Alias to another domain  | cdn.example.com       | Can reveal shared infrastructure or CDN usage
TXT    | Text data (SPF, DKIM)    | v=spf1 include:...    | Reveals email authentication policies (SPF, DMARC)
NS     | Name servers             | ns1.example.com       | Shows who controls DNS; attacker infrastructure often uses specific providers

DNS-based security mechanisms

DNSSEC

Digitally signs DNS responses to prevent attackers from forging DNS answers. Ensures you get authentic records from the domain owner.

DNS over HTTPS (DoH)

Encrypts DNS queries so your ISP or network eavesdroppers cannot see which domains you are looking up.

DNS over TLS (DoT)

Similar to DoH but uses a dedicated port (853). Provides encrypted DNS resolution at the transport layer.

DNS Sinkhole

Security teams redirect malicious domains to a controlled server, preventing malware from reaching its command-and-control infrastructure.

Try it on mlab.sh

Query the full DNS record set for any domain -- A, AAAA, MX, TXT, NS, CNAME, and more. See the same records you just learned about and check for security misconfigurations.


4 Red Flags

Here are DNS-related warning signs that may indicate malicious activity:

Very low TTL values

Attackers set very short TTL (Time To Live) values so they can quickly change where a domain points. Legitimate sites typically use TTLs of hours or days.

DNS pointing to a residential IP

A domain that resolves to a home broadband IP address is suspicious. Legitimate services use data centers, not someone's home router.

No MX or SPF records

A domain that sends you email but has no MX record and no SPF configuration is a weak indicator of legitimacy. Most legitimate organizations configure email authentication properly.

Frequent IP changes (fast flux)

A domain that resolves to many different IPs in rapid succession uses "fast flux" DNS -- a technique to hide malicious infrastructure behind a rotating set of compromised machines.

DNS tunneling patterns

Unusually long subdomain names or high volumes of TXT record queries can indicate DNS tunneling -- a technique for exfiltrating data through DNS queries.

CNAME chain to suspicious domain

A legitimate-looking domain that has a CNAME record pointing to a suspicious or recently-created domain may be a compromised site redirecting to attacker infrastructure.
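The warning signs above can be turned into a simple triage check over a domain's record set and the query names seen in resolver logs. The script below is an added example, not code from this page or from mlab.sh; the thresholds, the record tuple format, and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Thresholds are assumptions chosen for illustration, not values from the page.
LOW_TTL_SECONDS = 300       # TTLs under 5 minutes count as "very low"
FAST_FLUX_MIN_IPS = 5       # this many distinct A addresses for one name
LONG_LABEL_CHARS = 40       # one DNS label longer than this looks encoded
TXT_QUERY_SHARE = 0.5       # share of TXT queries beneath the domain that is suspicious


def dns_red_flags(records, queries=()):
    """Return the set of red-flag names triggered by one domain's data.

    records: iterable of (rtype, ttl, value) for the domain's own record set.
    queries: iterable of (qname, qtype) seen in resolver logs beneath the domain.
    """
    flags = set()
    by_type = defaultdict(list)
    for rtype, ttl, value in records:
        by_type[rtype.upper()].append((ttl, value))

    # Very low TTL on address records lets the operator re-point the name quickly.
    if any(ttl < LOW_TTL_SECONDS for ttl, _ in by_type["A"] + by_type["AAAA"]):
        flags.add("low_ttl")
    # Fast flux: one name answered by many distinct IPv4 addresses.
    if len({v for _, v in by_type["A"]}) >= FAST_FLUX_MIN_IPS:
        flags.add("fast_flux")
    # Email hygiene: a sending domain with no MX or no SPF policy in TXT.
    if not by_type["MX"]:
        flags.add("no_mx")
    if not any(v.lower().startswith("v=spf1") for _, v in by_type["TXT"]):
        flags.add("no_spf")
    # Tunneling: long encoded-looking labels, or a TXT-heavy query stream.
    queries = list(queries)
    if any(len(label) > LONG_LABEL_CHARS
           for qname, _ in queries for label in qname.rstrip(".").split(".")):
        flags.add("long_subdomain_label")
    if queries and sum(q == "TXT" for _, q in queries) / len(queries) >= TXT_QUERY_SHARE:
        flags.add("txt_query_volume")
    return flags


# Constructed sample data (documentation ranges and reserved names, not real hosts).
HEALTHY = [("A", 3600, "93.184.216.34"), ("MX", 3600, "mail.example.com."),
           ("TXT", 3600, "v=spf1 include:_spf.example.com -all")]
FLUXY = [("A", 60, f"198.51.100.{i}") for i in range(1, 7)]
TUNNEL_QUERIES = [("a" * 48 + ".t.example.net.", "TXT")] * 8 + [("www.example.net.", "A")] * 2

if __name__ == "__main__":
    print(sorted(dns_red_flags(HEALTHY)))                  # -> []
    print(sorted(dns_red_flags(FLUXY, TUNNEL_QUERIES)))
```

Each flag is a heuristic, not a verdict; a CDN or load balancer also uses short TTLs and many addresses, so the output is meant to prioritize what an analyst looks at next.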
