How DNS Works: ICANN, DNS Resolution, and the Authority Chain Explained

Understanding how DNS works often starts with terms like root servers, TLDs, and authoritative name servers. However, DNS is not about a single system resolving everything. It is a deliberately distributed architecture, designed to scale globally while avoiding central control.

At the top of this structure sits ICANN, not as a resolver, but as the coordinator of authority across the DNS ecosystem.


What Role Does ICANN Play in DNS?

ICANN does not resolve domain names.
It does not answer DNS queries.
It does not return IP addresses.

Instead, ICANN defines who is authoritative over which parts of the DNS namespace and manages the root zone through IANA.

In simple terms, ICANN draws the map of authority:

  • Who controls .com?
  • Who manages .tr, .eu, or other TLDs?
  • Which organizations are trusted to operate critical DNS infrastructure?

ICANN has no direct interaction with end users, and this separation is intentional.


Why DNS Is Hierarchical

If DNS were centralized, it would be:

  • Impossible to scale
  • Vulnerable to outages
  • Risky from a governance perspective

That is why DNS is built as a hierarchical delegation model:

 
Root (.)
→ Top-Level Domain (.com, .org, .tr)
→ Domain (example.com)
→ Subdomain (api.example.com)

Each level delegates responsibility to the next. No level resolves everything on its own.


Root Zone and Root Servers

The root zone does not store IP addresses.

Instead, root servers answer a simple question:

“Which name servers are responsible for this TLD?”

For example, when resolving example.com, the root server responds with:

“Here are the authoritative name servers for .com.”

The root never resolves domains directly.
It only points to the next authority.


What Is a Registry in DNS?

A registry manages a specific Top-Level Domain.

For example, the .com registry knows:

  • Which domains are registered
  • Which authoritative name servers they use
  • DNSSEC delegation records

However, registries do not return IP addresses.
Their role is to say:

“This domain’s authoritative DNS servers are here.”

Think of a registry as a directory, not a resolver.


The Role of Registrars

Registrars operate on the commercial layer of DNS.

They allow users to:

  • Register domains
  • Renew domain names
  • Update name server information

Registrars communicate these changes to registries, but they do not participate in DNS resolution.


Where DNS Resolution Actually Happens

DNS resolution is performed by the recursive resolver.

When a browser requests api.example.com, the resolver:

  1. Checks its cache

  2. Queries the root servers

  3. Queries the TLD name servers

  4. Queries the authoritative DNS server

  5. Caches the response and returns the IP address


Resolvers validate each step and do not blindly trust responses. This is where the real work happens.
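
The five steps above, as an added example that is not part of the original article: a Python simulation of a recursive resolver following referrals from the root to the authoritative server over a constructed in-memory zone map, with a bailiwick check on each referral as one illustration of not trusting responses blindly. The server names (`root`, `tld-com`, `ns-example`), the `Resolver` class and the helper functions are hypothetical, and no network traffic is involved.

```python
# Constructed model of the delegation chain; server names are hypothetical.
SERVERS = {
    "root":       {"delegations": {"com.": "tld-com"}, "records": {}},
    "tld-com":    {"delegations": {"example.com.": "ns-example"}, "records": {}},
    "ns-example": {"delegations": {},
                   "records": {"api.example.com.": "192.0.2.1"}},
}

def in_zone(name, zone):
    """True when name is at or below zone (the bailiwick test)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def query(server, qname):
    """One simulated server: returns an answer, a referral, or nxdomain."""
    data = SERVERS[server]
    if qname in data["records"]:
        return "answer", qname, data["records"][qname]
    for child, ns in data["delegations"].items():
        if in_zone(qname, child):
            return "referral", child, ns
    return "nxdomain", qname, None

class Resolver:
    def __init__(self):
        self.cache, self.trace = {}, []

    def resolve(self, qname):
        if qname in self.cache:                      # step 1: check the cache
            self.trace.append("cache")
            return self.cache[qname]
        server, zone = "root", "."                   # step 2: start at the root
        for _ in range(8):                           # bound the referral chain
            self.trace.append(server)
            kind, owner, data = query(server, qname)
            if kind == "answer":                     # step 4: authoritative data
                self.cache[qname] = data             # step 5: cache and return
                return data
            if kind == "nxdomain":
                return None
            # Referral: accept only a zone strictly below the current one
            # that still contains the queried name.
            if (owner == zone or not in_zone(owner, zone)
                    or not in_zone(qname, owner)):
                raise ValueError(f"rejected referral to {owner!r} from {server!r}")
            server, zone = data, owner               # step 3: follow the delegation
        raise RuntimeError("referral chain too long")
```

After a successful lookup, `Resolver.trace` lists the servers contacted in order, and a repeated lookup records only `cache`.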


Authoritative DNS: The Final Source of Truth

The authoritative DNS server holds the actual records, such as:

 
api.example.com → 192.0.2.1

Once the resolver receives this answer, the resolution process ends.
The authoritative server has the final say.


Registry vs Resolver: A Common Confusion

Although often mentioned together, their roles are very different:

  • Registry: “Where is this domain’s authoritative DNS?”
  • Resolver: “What is the IP address of this domain?”

One points the way.
The other finds the answer.


How DNSSEC Fits into the Authority Chain

DNSSEC adds cryptographic validation between the layers of DNS.

It ensures that:

  • Responses are authentic
  • Data has not been tampered with

The trust anchor starts at the root, coordinated by ICANN/IANA, but ICANN still never resolves queries itself.


Why DNS Is Designed This Way

DNS avoids:

  • Central points of failure
  • Single authorities controlling the system

Instead, it relies on delegation, verification, and distributed responsibility.

This design may appear complex, but it is exactly what allows the internet to scale globally and remain resilient.


Key Takeaways

  • ICANN defines authority, not resolution
  • DNS works through hierarchical delegation
  • Registries know where to ask, not what the answer is
  • Resolvers perform the actual lookup
  • Authoritative DNS servers hold the final records
  • DNS is a controlled, distributed system — by design

F.M Arslan