Networking · 5 min read

How DNS actually resolves a URL

When you type app.example.com into a browser, eight things happen before you see a single pixel. Here they are — without lying about the order.

The chain, animated

Your browser doesn't know an IP. It asks its operating system, which asks a resolver, which asks the world. Each hop in this chain either knows the answer or knows who to ask next.

browser "what's app.example.com?"

recursive resolver cache miss → ask root

root nameserver "ask .com TLD"

.com TLD nameserver "ask ns1.example.com"

authoritative ns CNAME → 135.148.35.4

The thing nobody tells you: the recursive resolver caches every answer it gets, including failures. That's why a CNAME change can take "up to TTL" to propagate — and why dig +trace bypasses the cache to give you the truth.

What a CNAME actually is

A CNAME record is an alias. It says "for the purposes of resolution, treat this name as if it were that name."

So if app.example.com CNAME proxy.miosa.ai, your browser does NOT get an IP back when it asks for app.example.com. It gets another question: "now resolve proxy.miosa.ai". The resolver chases the chain until it hits an A or AAAA record.

$ dig +short app.example.com
proxy.miosa.ai.        ← CNAME (alias)
135.148.35.4           ← A record (the truth)

The wildcard CNAME

One CNAME with a wildcard host (*) catches every subdomain at once. This is how white-label preview URLs work — you point *.your-domain.com at a single proxy and every <anything>.your-domain.com resolves there.

Type  Host  Value             TTL
CNAME  *     proxy.miosa.ai    600

Anything before the dot — b00ac81b, my-sandbox, staging — all hit the same proxy, which decides how to route based on the leftmost label.

Five rules that will save you hours

1TTL is a hint, not a contract. Treat propagation as "up to TTL × 2" in the worst case.

2You cannot put a CNAME at the apex (example.com with no subdomain) in standard DNS. Use ALIAS or ANAME at most providers, or an A record.

3If you're behind Cloudflare with the orange-cloud proxy on, Cloudflare answers the request, not your target. For passthrough, set the record to "DNS only" (gray cloud).

4A CNAME and any other record type can't coexist on the same name. app.example.com can be CNAME or have MX/TXT/etc., not both.

5Use dig +trace when something is wrong. It bypasses your local resolver's cache and shows you the actual chain.

The five-line debugging routine

$ dig +short app.example.com         # Does it resolve at all?
$ dig +trace app.example.com         # Where does the chain break?
$ dig +short app.example.com @1.1.1.1# Does a fresh resolver agree?
$ curl -v https://app.example.com    # Does TLS work for that host?
$ openssl s_client -connect ...      # What cert is being presented?

If line 1 gives the wrong IP, it's DNS. If line 1 is fine but line 4 fails, it's TLS or the upstream. The two are almost never both broken at the same time — start with DNS, then move on.