Traces a single DNS lookup from the stub resolver in your OS through the recursive resolver, root, TLD and authoritative servers, then explains caching, TTLs, negative answers, and the record types that make it work.
Traces how DoT (RFC 7858) and DoH (RFC 8484) encrypt the stub-to-resolver hop, what privacy they actually buy, why DoH inside the browser collided with enterprise filtering and parental controls, and where the deployment debate landed by 2026.
A reference on steering traffic through DNS answers: round-robin, weighted, latency and geo-based responses, health checks, EDNS Client Subnet, and the TTL and caching limits that make DNS an approximate load balancer.
How spoofed-source UDP queries turn open DNS resolvers into reflectors, why a 64-byte question returns a 3,000-byte answer, what happened to Spamhaus in 2013, and why BCP 38 and RRL still matter in 2026.
How malware generates thousands of pseudo-random rendezvous domains from a shared seed, traced from Kraken and Conficker through Torpig and GameOver Zeus, and how defenders sinkhole and classify them.
How fast flux rotates A and NS records over a bot proxy layer to hide C2 and phishing infrastructure, the flux-score and TTL signals that detect it, and what the 2025 CISA advisory adds.
Traces DNS from the ARPANET's single HOSTS.TXT file through Mockapetris's 1983 design (RFC 882/883, then 1034/1035), BIND, DNSSEC, the 2008 Kaminsky cache-poisoning crisis, and the move to encrypted DoT and DoH.