To open this page, your computer asked a question and a global system answered in under 30 milliseconds.
The servers were fine.
The websites were fine.
But nobody could find them.
Attack vector
100,000 hijacked devices. Baby monitors. Security cameras.
The Mirai botnet.
The thing they attacked is called
Everything you do online starts with it.
DNS is the translator between the two. Every connection starts with a question and an answer.
378.5 million domain names exist. Without DNS, you'd memorize addresses like this.
That's Google.
Follow a single DNS lookup across the internet — faster than you can blink.
Faster than a blink. Faster than your reflexes.
That was one query. This page triggered 47 more.
5.8 billion queries per second enter the system. Almost none of them reach the bottom.
resolved here
Already resolved in the last few minutes. Never leaves your machine.
resolved here
Your operating system remembers too. Shared across every app.
resolved here
Your ISP or Cloudflare already asked this question for someone else.
0.026% of all queries reach here
13 names. 1,959 instances worldwide. They handle what nothing else can.
Root servers handle 130 billion queries per day.
That's just 0.026% of the total.
Caching is what makes DNS possible.
DNS queries. Every single day.
500 trillion. More than Google searches per year.
5.8 billion every second.
In the time it took to read this, ~23 billion more.
| Root | Operator | Sites |
|---|---|---|
| A | Verisign | 59 |
| B | USC-ISI | 6 |
| C | Cogent | 13 |
| D | U. of Maryland | 231 |
| E | NASA | 328 |
| F | ISC | 354 |
| G | DISA | 6 |
| H | US Army | 12 |
| I | Netnod | 89 |
| J | Verisign | 150 |
| K | RIPE NCC | 149 |
| L | ICANN | 143 |
| M | WIDE Project | 28 |
The limit of 13 exists because all root addresses must fit in a single 512-byte UDP packet — a constraint from 1983.
DNS query volume, 2015–2025
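To see the 512-byte constraint concretely, here is an added example (not code from the page) that encodes the "priming response" a resolver receives when it asks the root for the 13 root-server names and their addresses, using RFC 1035 name compression, and measures the result against the classic UDP limit. The addresses are constructed placeholders from the documentation ranges, not the real root hints, and the TTL is a chosen value.

```python
import ipaddress
import struct

# Added example, not code from the page: encode a root priming response and
# check whether it fits in a 512-byte DNS-over-UDP payload.

ROOT_LETTERS = "abcdefghijklm"
# Constructed placeholder addresses (RFC 5737 / RFC 3849 documentation ranges);
# the real addresses come from the root hints file.
ROOT_IPV4 = {c: f"192.0.2.{i + 1}" for i, c in enumerate(ROOT_LETTERS)}
ROOT_IPV6 = {c: f"2001:db8::{i + 1}" for i, c in enumerate(ROOT_LETTERS)}

TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28
CLASS_IN = 1
UDP_LIMIT = 512        # RFC 1035 maximum DNS-over-UDP payload without EDNS0
ROOT_TTL = 518400      # six days; a chosen value for this example


class DnsMessageBuilder:
    """Wire-format encoder with RFC 1035 name compression."""

    def __init__(self):
        self.buf = bytearray()
        self.offsets = {}  # suffix such as "root-servers.net" -> first offset

    def write_name(self, name):
        labels = [l for l in name.strip(".").split(".") if l]
        while labels:
            suffix = ".".join(labels)
            if suffix in self.offsets:
                # Pointer: top two bits set, 14-bit offset of the earlier copy.
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if len(self.buf) <= 0x3FFF:
                self.offsets[suffix] = len(self.buf)
            label = labels.pop(0).encode("ascii")
            self.buf += bytes([len(label)]) + label
        self.buf += b"\x00"  # empty root label terminates the name

    def header(self, txid, flags, counts):
        self.buf += struct.pack("!HHHHHH", txid, flags, *counts)

    def question(self, name, qtype):
        self.write_name(name)
        self.buf += struct.pack("!HH", qtype, CLASS_IN)

    def rr(self, name, rtype, ttl, rdata_writer):
        self.write_name(name)
        self.buf += struct.pack("!HHI", rtype, CLASS_IN, ttl)
        len_pos = len(self.buf)
        self.buf += b"\x00\x00"                # RDLENGTH placeholder
        rdata_writer()
        struct.pack_into("!H", self.buf, len_pos, len(self.buf) - len_pos - 2)


def build_priming_response(ipv4, ipv6=None):
    """Return the bytes of a root priming answer: 13 NS records for "."
    plus A (and optionally AAAA) glue in the additional section."""
    names = [f"{c}.root-servers.net" for c in ROOT_LETTERS]
    glue = len(ipv4) + (len(ipv6) if ipv6 else 0)
    b = DnsMessageBuilder()
    b.header(0x1234, 0x8400, (1, len(names), 0, glue))  # QR + AA, one question
    b.question(".", TYPE_NS)
    for n in names:
        b.rr(".", TYPE_NS, ROOT_TTL, lambda n=n: b.write_name(n))
    for c, n in zip(ROOT_LETTERS, names):
        packed = ipaddress.IPv4Address(ipv4[c]).packed
        b.rr(n, TYPE_A, ROOT_TTL, lambda p=packed: b.buf.extend(p))
    if ipv6:
        for c, n in zip(ROOT_LETTERS, names):
            packed = ipaddress.IPv6Address(ipv6[c]).packed
            b.rr(n, TYPE_AAAA, ROOT_TTL, lambda p=packed: b.buf.extend(p))
    return bytes(b.buf)


def fits_classic_udp(message):
    return len(message) <= UDP_LIMIT


if __name__ == "__main__":
    v4_only = build_priming_response(ROOT_IPV4)
    dual = build_priming_response(ROOT_IPV4, ROOT_IPV6)
    print(len(v4_only), fits_classic_udp(v4_only))   # 436 True
    print(len(dual), fits_classic_udp(dual))         # 800 False
```

With IPv4 glue only, the 13 names and addresses compress to 436 bytes, inside the limit. Adding a AAAA record per server pushes the same answer to 800 bytes, which is why today's priming depends on EDNS0 (RFC 6891) advertising a larger buffer, or on TCP fallback; the number 13 is a leftover of the 512-byte era rather than a current engineering limit.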
```
# HOSTS.TXT — maintained by SRI-NIC
# Last updated: Thursday, November 3, 1983
HOST : 10.0.0.73 : SRI-NIC : DEC-2060 : TOPS20
HOST : 10.1.0.13 : UCLA-CCN : IBM-360/91 : OS/MVT
HOST : 10.0.0.51 : MIT-AI : PDP-10 : ITS
HOST : 10.3.0.52 : STANFORD : PDP-11/40 : MOS
HOST : 10.1.0.5 : BBN-TENEX : PDP-10 : TENEX
```
Elizabeth "Jake" Feinler ran the Network Information Center at Stanford from 1972. If you wanted to add a computer to the internet, you called her office — during business hours, Pacific time.
Her team maintained this file. They invented .com, .edu, .gov, .org, .net.
By the early 1980s, with hundreds of hosts, the model was breaking.
1983. Paul Mockapetris was asked to evaluate proposals to fix the problem. He invented something new instead.
'lo' — crashed after two characters. They were typing 'login'.
It starts here.
Her office at Stanford becomes the internet's directory.
One woman, one file, the whole internet.
Mockapetris invents DNS. Distributed, hierarchical, no single point of failure.
The elegant solution.
First .com domain. March 15. Six total that year.
6 domains. 6.
February 19. The big names arrive.
Registration opens commercially. The gold rush begins.
DNS governance formalized. Jon Postel dies 16 days later.
'The God of the Internet'
Every DNS server on Earth vulnerable. Largest coordinated vendor patch in history.
Free public resolver. Memorizable address. Changes who controls DNS resolution.
July 15. Cryptographic signatures added to the root zone.
Mirai botnet. 1.2 Tbps. Half the internet goes dark.
DNS's worst day.
Cloudflare's privacy-focused resolver. April 1 — not a joke.
Mozilla enables DNS-over-HTTPS by default. ISPs and governments push back.
Who controls resolution?
The researcher who saved the internet.
CVE-2023-50387. A single DNS packet can stall resolvers for 16 hours.
DNSSEC's own attack surface.
378.5M domains. 500T queries/day. 1,959 root instances. Still invisible.
Ran the internet's directory from Stanford. Created .com, .edu, .gov, .org. Internet Hall of Fame, 2012.
Designed DNS in 1983. It's still running. ACM Software System Award, 2020.
RFC Editor for 30 years. 'Be conservative in what you send, be liberal in what you accept.'
Found a bug in every DNS server on Earth. Coordinated the largest simultaneous vendor patch in history.
Maintained BIND — the DNS software behind most of the internet — since 1988. Operates F-Root.
Created djbdns as a secure alternative to BIND. Won a First Amendment case establishing code as protected speech.
You see the padlock. You feel safe. But before that encrypted connection was established,
your browser sent a DNS query
— in plain text — asking "What is the IP of mybank.com?"
Anyone on the network path could see it. Anyone could answer with a fake address. Your ISP, your Wi-Fi operator, transit providers, the resolver itself.
HTTPS encrypts the connection. DNS — the step before it — was built in 1983 without any protection at all.
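What "in plain text" means on the wire, as an added example (not code from the page): a minimal decoder for the question section of a DNS message. Anyone capturing port 53 traffic can run something like this and read the queried name directly; the same bytes carried inside DNS-over-TLS or DNS-over-HTTPS are invisible to that observer. The packet bytes below are constructed for the example.

```python
import struct

# Added example, not code from the page: decode the question section of a
# classic port-53 DNS message to show the queried name is readable on the wire.


def read_name(msg, pos):
    """Decode a wire-format name starting at pos; return (name, next_pos).
    Handles RFC 1035 compression pointers so it also works on answers."""
    labels = []
    jumped = False
    end = pos
    hops = 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:            # compression pointer
            if not jumped:
                end = pos + 2                # name field ends after first pointer
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            hops += 1
            if hops > 64:                    # defensive: refuse pointer loops
                raise ValueError("pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if not jumped:
        end = pos
    return ".".join(labels) or ".", end


def parse_question(msg):
    """Return transaction id, direction, and the (cleartext) QNAME/QTYPE."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, pos = read_name(msg, 12)           # question follows the 12-byte header
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qname": name, "qtype": qtype, "qclass": qclass}


# Constructed bytes: what a client sends when resolving mybank.com (type A).
QUERY = (b"\x12\x34"                         # transaction id
         b"\x01\x00"                         # flags: standard query, RD set
         b"\x00\x01\x00\x00\x00\x00\x00\x00" # 1 question, no other sections
         b"\x06mybank\x03com\x00"            # QNAME as length-prefixed labels
         b"\x00\x01\x00\x01")                # QTYPE=A, QCLASS=IN

# Constructed fragment with a compression pointer back to offset 0 ("com").
COMPRESSED = b"\x03com\x00" + b"\x06mybank\xc0\x00"

if __name__ == "__main__":
    print(parse_question(QUERY))             # qname 'mybank.com', qtype 1
    print(read_name(COMPRESSED, 5))          # ('mybank.com', 14)
```

The decoder is the same logic a passive monitoring tool or a resolver's query log uses; the security point is only that nothing in the protocol itself stops a third party on the path from applying it.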
Google, Facebook, Amazon — none sign their primary domains with DNSSEC.
| Year | Protocol | Transport | Protection |
|---|---|---|---|
| 1983 | DNS | Port 53 | None |
| 2016 | DNS-over-TLS | Port 853 | Encrypted |
| 2018 | DNS-over-HTTPS | Port 443 | Encrypted + hidden |
| 2022 | DNS-over-QUIC | Port 853 | Faster + encrypted |
| 2022 | Oblivious DoH | Proxied | Resolver-blind |
While you were reading this, DNS answered queries.
It will answer billions more before you go to sleep tonight. And you'll never notice.
That's the point.
"It's not DNS. There's no way it's DNS. It was DNS."