Skip to content

DNS Operations — Trivia & Interesting Facts

Surprising, historical, and little-known facts about DNS operations and infrastructure.

DNS was created because one file got too big

Before DNS, every host on the ARPANET was listed in a single file called HOSTS.TXT, maintained by the Stanford Research Institute's Network Information Center (SRI-NIC). By 1983, the file was being updated so frequently and downloaded so often that the system collapsed under its own weight. Paul Mockapetris invented DNS (RFC 882/883, November 1983) to replace it with a distributed, hierarchical system.

There are only 13 root server "letters" but over 1,500 actual instances

The 13 root server identities (A through M) are a logical constraint from the original DNS design — all 13 addresses had to fit in a single 512-byte UDP response. Today, those 13 identities are served by over 1,500 physical servers worldwide using anycast routing. The largest, L-root (operated by ICANN), has over 200 instances across the globe.

The "eight-minute TTL" incident demonstrated DNS's blast radius

In 2016, Dyn (a major DNS provider) was hit by a massive DDoS attack using the Mirai botnet. Because Dyn provided authoritative DNS for Twitter, GitHub, Netflix, Reddit, and many others, the attack rendered huge swaths of the Internet unreachable. The outage demonstrated that DNS is a single point of failure even for companies that otherwise have highly redundant infrastructure.

DNS over UDP has a 512-byte legacy that still haunts operations

The original DNS specification limited UDP responses to 512 bytes. EDNS0 (RFC 6891, 2013) extended this, but many firewalls, load balancers, and middleboxes still drop or truncate large DNS responses. This is particularly problematic for DNSSEC responses, which can easily exceed 1,400 bytes and trigger TCP fallback — which some broken firewalls also block.

Negative caching is one of DNS's most important yet least understood features

RFC 2308 (1998) defined how resolvers should cache NXDOMAIN (name does not exist) responses. Without negative caching, a mistyped domain would generate a fresh query to the authoritative servers every single time. The SOA record's minimum TTL field controls how long negative answers are cached — a detail that has tripped up countless DNS operators who changed it without understanding this dual purpose.

The "split-horizon" DNS pattern predates cloud computing by decades

Split-horizon DNS — returning different answers for the same query depending on the source — was originally used so internal hosts could resolve private IPs while external hosts got public IPs. The technique is now fundamental to hybrid cloud architectures, service meshes, and zero-trust networks, but it makes debugging DNS issues dramatically harder because the answer depends on who's asking.

DNS TTL values are a game of trust, and many resolvers cheat

TTL (Time To Live) tells resolvers how long to cache a record. But studies have shown that many resolvers ignore low TTLs — some ISP resolvers enforce minimum TTLs of 30 seconds or even 5 minutes regardless of what the authoritative server specifies. This means that "instant" DNS failover with a 30-second TTL may actually take much longer in practice.

A single CNAME at the zone apex can break your entire domain

The DNS specification (RFC 1034) prohibits CNAME records at the zone apex because a CNAME cannot coexist with other record types, and the apex always needs SOA and NS records. This means you can't point example.com at a CDN using a standard CNAME. Various workarounds exist — ALIAS records, ANAME, CNAME flattening — but they are all non-standard vendor extensions.

DNS is the Internet's most abused protocol for tunneling

Because DNS traffic is almost never blocked by firewalls, DNS tunneling has become a go-to technique for data exfiltration and C2 communication. Tools like iodine and dnscat2 encode arbitrary data in DNS queries and responses. A single DNS TXT record can carry 255 bytes of payload per label, making it possible to exfiltrate data at ~50 KB/s through a DNS tunnel without triggering most security tools.

Stub resolvers do almost nothing, and that's by design

The DNS client on your laptop (the "stub resolver") has no cache (in most implementations), cannot do recursion, and simply forwards every query to a configured recursive resolver. This extreme simplicity was a deliberate design choice — the intelligence lives in the recursive resolver, keeping endpoints simple. This is why misconfigured /etc/resolv.conf or broken upstream resolvers can make an otherwise healthy machine appear completely offline.