At a Glance
- DNS maps names → IPs via a cached hierarchy: resolver → root → TLD → authoritative.
- TTL is the freshness dial: short = fast failover but more queries; long = cheap but slow to change.
- DNS is also a traffic manager: weighted, latency-based, geo, and failover routing (Route 53), plus Anycast.
- CDNs copy content to hundreds of edge PoPs; cache hits never touch your origin.
- Push CDN = pre-load the edges; Pull CDN = edges fetch on first miss.
- CDNs also buy you DDoS absorption, WAF, bot management, and TLS termination at the edge.
DNS: The Internet's Phone Book
Computers route packets to IP addresses like 142.250.72.14, but humans remember names like google.com. The Domain Name System is the globally distributed, heavily cached directory that maps one to the other. It might be the most successful distributed system ever built: billions of lookups per hour, running since 1983, and you only notice it when it breaks.
The resolution journey, step by step
A cold lookup walks the hierarchy: root → TLD → authoritative. Caches make the warm path one hop.
Seen this domain recently? Use the cached IP and skip everything below. Most lookups end here.
Your ISP's resolver (or 8.8.8.8 / 1.1.1.1) takes over the hunt on your behalf — also checking its own giant cache.
13 logical root clusters know one thing: who runs each top-level domain. ".dev? Ask these servers."
The .dev registry replies with the authoritative nameservers for shop.dev.
The source of truth (Route 53, Cloudflare DNS, etc.) returns the actual record: A 93.184.216.34.
The resolver caches it for the record's TTL and hands it to your browser, which finally opens a TCP connection.
Record types you'll actually use
| Record | Maps | Example use |
|---|---|---|
| A | name → IPv4 address | api.shop.dev → 93.184.216.34 |
| AAAA | name → IPv6 address | api.shop.dev → 2606:2800::1 |
| CNAME | name → another name (alias) | www.shop.dev → shop.dev, CDN hostnames |
| MX | domain → mail servers (with priority) | Route email to Google Workspace |
| NS | domain → its authoritative nameservers | Delegate a subdomain to another provider |
| TXT | name → arbitrary text | Domain verification, SPF/DKIM anti-spoofing |
TTL: the freshness dial
Every record carries a TTL (time to live) — how long resolvers may cache it. A 24-hour TTL means almost no load on your nameservers, but a botched IP change takes a day to heal worldwide. A 60-second TTL gives you fast failover at the cost of constant queries. Common play: keep TTLs long normally, drop them to 60s a day before a planned migration.
Propagation delay (caches everywhere obey old TTLs), it's a juicy DDoS target (the 2016 Dyn attack took down Twitter, Spotify and GitHub simultaneously), and its slow cache convergence makes it a clumsy failover mechanism — load balancers handle instant failover much better.
DNS Record Types — The Full Cheat Sheet
The quick table above covers the daily drivers; here's the complete reference with the records you'll meet in real zone files (including the one everyone forgets — SOA):
| Record | What it maps | Example | Notes |
|---|---|---|---|
| A | hostname → IPv4 address | example.com → 93.184.216.34 | The workhorse — the final answer of most lookups |
| AAAA | hostname → IPv6 address | example.com → 2606:2800:220:1::1 | "Quad-A" — same as A, but for IPv6 |
| CNAME | alias → another hostname | www.example.com → example.com | Chains resolve until an A/AAAA is found; can't live at the zone apex |
| MX | domain → mail exchange server | example.com → mail.example.com (prio 10) | Priority number picks the preferred server; lower wins |
| NS | domain → its nameservers | example.com → ns1.dnsprovider.com | Declares which DNS server is authoritative for the zone |
| TXT | name → arbitrary text | "v=spf1 include:_spf.google.com ~all" | SPF/DKIM email auth, domain ownership verification (Google, Netlify) |
| SOA | zone → its admin metadata | ns1.example.com admin.example.com … | Start of Authority: TTL defaults, serial number, contact email for the zone admin |
DNS-Based Traffic Management
Because DNS answers the question "which IP should I talk to?", it's also a control point for steering traffic — before a single packet reaches your servers. AWS Route 53 exposes this as routing policies:
| Policy | How it routes | Use case |
|---|---|---|
| Simple | One IP, every time | No intelligence — small single-region apps |
| Weighted | Send 90% to v1, 10% to v2 | Canary deployments! Shift weights gradually |
| Latency-based | Resolve to the region with lowest latency for that user | Global apps with multiple regions |
| Failover | Primary + standby; switch on health-check failure | Disaster recovery |
| Geolocation | European users → EU region, US users → US-East | Data residency (GDPR), localized content |
| Geoproximity | Like geolocation, but with tunable bias weights | Gradually shifting traffic between nearby regions |
The same IP address is advertised from multiple PoPs, and BGP routes each packet to the nearest one. Cloudflare's 1.1.1.1 and Google's 8.8.8.8 are both Anycast IPs — you and someone in Tokyo hit "the same address" but land on completely different machines.
TTL and the Propagation Delay Trade-Off
The TTL — how long resolvers may cache the answer — is the single most consequential number in your zone file:
Short TTL (60–300s)
Changes propagate fast — great for failovers and migrations. Cost: every cache expires constantly, so resolvers re-query → more load on your authoritative servers.
Long TTL (86,400s = 1 day)
Fewer queries, faster resolution from cache, lighter nameserver load. Cost: changing IPs is painful — the old answer lives in caches worldwide for up to a day.
Lower the TTL to ~60s a day before a planned migration (so existing long-TTL caches drain out), then change the IP, then restore the long TTL once the migration is stable. Doing it in the other order means waiting out the old TTL while traffic splits unpredictably.
A latent bug triggered by one customer's config change took down roughly a third of the visible internet — Reddit, Amazon, gov.uk — for nearly an hour. Caching and DNS TTLs meant many users stayed stuck even after Fastly fixed the root cause within minutes. Lesson: your recovery time includes everyone else's caches, not just your fix.
CDN: Moving Bytes to the Edge
Physics is undefeated: a request from Sydney to a server in Virginia spends ~200 ms just traveling. A Content Delivery Network defeats distance by copying your content to hundreds of PoPs (points of presence) around the world. Each PoP is a cluster of edge servers; users are routed (via anycast or DNS) to the nearest one.
The flow: the user hits the closest edge. Cache hit → served in ~20 ms. Cache miss → the edge fetches from your origin server once, caches it, and every later visitor in that region gets the fast path.
Push vs Pull CDNs
Push CDN
You proactively upload content to the edges whenever it changes. Full control, zero first-visitor misses — but you own the upload pipeline and pay for storage. Best for sites with small, infrequently changing assets (downloads, video libraries, low-traffic sites where a miss matters).
Pull CDN
Edges fetch from origin lazily on the first miss, then cache per TTL. Minimal setup — point a CNAME and go. First visitor per region eats a slow request, and redundant pulls can happen around expiry. Best for heavy-traffic sites: the popular stuff stays naturally hot. This is the Cloudflare/CloudFront default model.
| Push CDN | Pull CDN | |
|---|---|---|
| Who fills the edge | You, ahead of time | The edge, on first miss |
| First request in region | Fast (already there) | Slow (origin fetch) |
| Maintenance | You manage uploads & invalidation | TTL handles refresh |
| Best for | Static, rarely-changing content | High traffic, frequently-changing content |
What a CDN buys you
- Latency: content served from ~50 km away instead of ~10,000 km.
- Origin offload: 90%+ of requests never touch your servers — your origin handles only misses and dynamic calls.
- DDoS absorption: the CDN's enormous edge capacity soaks up attack traffic before it reaches you.
- Availability: if the origin hiccups, many CDNs keep serving stale cached copies ("serve-stale-on-error").
Netflix went further than renting a CDN — it built Open Connect, placing its own caching appliances inside ISP datacenters so most streams never cross the public internet. Cloudflare, Akamai, Fastly and AWS CloudFront power much of everything else; Fastly's instant purge is why news sites that change content constantly love it.
In interviews, the CDN is your free first move: "static assets — images, JS, CSS, video — go behind a CDN" instantly removes most bandwidth from your design, and lets you spend your complexity budget on the interesting parts.
CDN Architecture Deep Dive
Under the hood, a CDN is a hierarchy of caches with a routing layer in front:
- PoP (Point of Presence): a datacenter full of edge servers. Cloudflare runs 300+ PoPs; Akamai has 4,000+ deployments.
- Edge → Regional → Origin hierarchy: a miss at the edge checks a regional cache before falling all the way back to your origin; hits serve from the nearest layer.
- Cache key: usually just the URL — but it can include query params, cookies, or headers. The
Varyheader controls which request headers split the cache.
Cache invalidation strategies
Simplest: content is stale until the TTL runs out. The workaround is "cache busting" — change the URL when the content changes (app.v2.js, hashed filenames). Old URL stays cached forever; new URL is instantly fresh.
Cloudflare and Fastly let you purge specific URLs (or everything) instantly via API. Standard move after a CMS publish: save article → purge its URL → next request pulls the fresh version.
Tag cached objects with content IDs at response time: an article page might carry tags article:42 and user:123. Then "purge everything tagged user:123" invalidates every page that included that user's data — one API call, surgical precision.
Netflix Open Connect — A CDN Built into ISPs
Netflix is ~15% of global downstream internet traffic, so it built its own CDN: Open Connect Appliances (OCAs) — caching servers installed inside ISPs like Comcast and AT&T, for free. The ISP gets free hardware and saves on transit costs; Netflix gets ultra-low-latency delivery.
- OCAs cache the top ~20% of the Netflix catalog that drives ~80% of traffic — the Pareto principle doing the heavy lifting again.
- During off-peak hours, Netflix proactively pushes predicted-popular content to OCAs — tomorrow's big premiere is already sitting inside your ISP tonight.
- Result: a single PoP can serve 200 Gbps, and 90%+ of Netflix traffic never leaves the ISP's network.
The lesson isn't "build your own CDN" — it's that at sufficient scale, the build-vs-rent math flips. Netflix's traffic volume made owning the delivery layer cheaper and faster than renting one. For everyone else, Cloudflare and CloudFront remain the right answer.
CDN Security Features
Modern CDNs are as much a security perimeter as a performance layer — everything below happens at the edge, before traffic ever reaches your origin:
DDoS protection
Volumetric attacks get absorbed across hundreds of PoPs' combined capacity. Cloudflare blocks 100+ billion threats per day at the edge.
WAF
The Web Application Firewall blocks SQL injection, XSS, and known-bad bots at the edge — malicious requests never reach your origin.
Bot management
Browser fingerprinting, JavaScript challenges, and CAPTCHAs separate humans from scrapers and credential-stuffers.
SSL termination at edge
The CDN handles the TLS handshake near the user; the origin can speak plain HTTP (or re-encrypted HTTPS) — saving origin CPU and a full round trip.
Origin shield
On a cache miss, requests funnel through one regional node instead of thousands of edges hitting your origin simultaneously — preventing the "thundering herd" on cold or just-purged content.
Quick Check
Your product launches in Brazil tomorrow and the marketing page must be instant for the very first visitor. Which CDN strategy fits best?
Interview Q&A
Modern CDNs (Cloudflare Workers, Lambda@Edge) run computation at edge nodes — you can cache personalized responses, A/B test at the edge, rewrite URLs, add security headers, even query edge databases (Cloudflare D1, KV). For truly dynamic content, CDNs still help by: (1) terminating TLS close to users (~100ms RTT saved), (2) keeping persistent keep-alive connections to origin (avoiding a TCP handshake per request), (3) absorbing DDoS before it hits origin.
Pull CDN: the edge fetches from origin on first miss, caches per TTL. Zero configuration, works for any traffic pattern, but the first user to request new content gets origin latency. Best for high-traffic sites where the cache-fill cost is amortized. Push CDN: you proactively upload content to CDN nodes. Full control, no origin hits — but you must manage what's on the CDN. Best for predictable content (software downloads, game patches) and low-traffic sites where pull would rarely hit cache anyway.
With Route 53 failover routing: set a health check on the primary endpoint. If the primary fails the health check, Route 53 automatically returns the secondary IP instead. With a low TTL (60s), most clients see the new IP within a minute. The TTL must be short enough for fast failover — but that means more queries: a classic trade-off. For critical services, combine latency + failover routing: normally go to the nearest healthy region, fail over to the next-nearest if that region dies.
Anti-Patterns to Avoid
High TTL before an IP change
You're stuck for up to 24 hours with the old IP cached worldwide. Always reduce the TTL well before migrations, and restore it after.
Personalized content on the CDN without cache variation
If the cache key doesn't include session info, the CDN can serve one user's private dashboard to another user. Use Cache-Control: private or Vary: Authorization/Cookie headers — carefully.
Caching error responses
A bug makes your origin return 500s, the CDN caches them — and your 5-minute outage becomes a 24-hour one. Set a very short TTL or no-store for error responses.
DNS & CDN Interview Questions
All key questions and answers from this topic that appear in system design interviews.
DNS Questions
DNS resolution converts a domain name (e.g., www.example.com) into an IP address through these steps:
1. User Query — The user types a domain into a browser.
2. Browser Cache Check — The browser checks its local cache for a stored IP.
3. OS Cache Check — If not in the browser cache, the OS DNS resolver is queried.
4. Local DNS Resolver — If the OS doesn't have it, the query goes to the ISP-provided resolver.
5. Root DNS Servers — If uncached, the resolver queries one of the 13 root DNS servers.
6. TLD Server Query — The root server directs to the TLD server (e.g., .com, .org).
7. Authoritative DNS Server — The TLD server provides the authoritative DNS server's address.
8. IP Address Retrieval — The authoritative server responds with the correct IP.
9. Response Caching — The resolver caches the result for future queries.
10. Website Access — The browser connects to the web server using the IP.
Recursive DNS Server: Acts as an intermediary between the user and other DNS servers. It performs the full DNS lookup process on behalf of the client. Typically provided by ISPs or third-party DNS providers (e.g., Google Public DNS 8.8.8.8, Cloudflare 1.1.1.1).
Authoritative DNS Server: Stores actual DNS records (A, CNAME, MX, etc.) for a domain. It provides the final, definitive answer in the DNS resolution process and is managed by domain owners or hosting providers.
In short: recursive servers fetch data, while authoritative servers store and provide the definitive DNS records.
DNS caching reduces lookup latency by storing previously retrieved DNS results. Benefits:
Reducing latency — Eliminates repeated queries for frequently accessed websites.
Lower DNS server load — Fewer queries reach upstream DNS servers.
Better user experience — Websites load faster when queries resolve locally.
Caching occurs at three levels: Browser Cache (stores responses for recently visited sites), OS Cache (maintains a local DNS cache for frequently accessed domains), and Recursive Resolver Cache (ISP resolvers cache responses to serve many users efficiently).
TTL (Time-To-Live) is a setting in DNS records that defines how long a record is valid before it must be refreshed.
Short TTL (e.g., 60 seconds) — Ensures frequent updates but increases query load on DNS servers.
Long TTL (e.g., 24 hours) — Reduces query frequency but delays propagation of changes (e.g., IP migrations).
TTL balances performance and accuracy. Always reduce TTL well before planned IP migrations, then restore it afterward.
DNS-based load balancing distributes traffic across multiple servers by returning different IP addresses for the same domain:
Round-Robin DNS — Each DNS query gets a different server IP in a rotating order.
Geolocation-based Routing — Directs users to the closest data center to minimize latency.
Failover DNS — If a server fails, the DNS resolver removes it from the list and redirects traffic to healthy servers.
Anycast DNS — Uses the same IP address across multiple locations, routing requests to the nearest server.
This approach improves reliability, availability, and performance in large-scale applications.
DNS Spoofing / Cache Poisoning — Attackers inject false DNS records, redirecting users to malicious websites. Mitigation: Use DNSSEC to verify DNS records.
DDoS Attacks on DNS Servers — Attackers overload DNS servers with traffic, making domains unreachable. Mitigation: Rate limiting, Anycast DNS, and load balancing.
Man-in-the-Middle Attacks — Intercept DNS queries to manipulate responses. Mitigation: Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT).
NXDOMAIN Attack — Floods DNS resolvers with queries for non-existent domains. Mitigation: Deploy response rate limiting (RRL) and DNS firewalls.
CDN Questions
A Content Delivery Network (CDN) is a distributed network of servers that deliver content to users efficiently. The primary goal is to reduce latency by caching content at multiple geographically distributed edge servers (PoPs — Points of Presence).
How it works: (1) A user requests content. (2) The request is routed to the nearest CDN edge server based on geographic location, network latency, and server load. (3) If cached (Cache Hit), content is served instantly. (4) If not cached (Cache Miss), the edge fetches from the origin server, stores it, then serves it.
Without a CDN, content is served directly from the origin server, leading to:
High latency due to geographic distance between user and server.
Overloaded origin servers, causing slower responses and downtime.
Bandwidth constraints leading to slow page loads and higher costs.
Security risks including DDoS attacks and malicious traffic.
CDNs solve these by distributing traffic across edge locations, caching frequently accessed content, and protecting against cyber threats.
Reduced Latency — Faster content delivery by serving from the closest PoP.
Lower Bandwidth Costs — Caching reduces requests to the origin, minimizing data transfer costs.
Increased Availability & Load Balancing — Distributes traffic across multiple servers, preventing overload.
Enhanced Security — Protects against DDoS attacks, traffic filtering, and SSL/TLS encryption at the edge.
Origin Server: The central server that hosts the original content. It is responsible for serving content when a cache miss occurs.
Edge Server (PoP): A geographically distributed server that caches content closer to users to reduce latency.
Analogy: The origin server is like a main warehouse, while edge servers are local distribution centers that store frequently accessed goods.
A PoP (Point of Presence) is a CDN data center that contains edge servers to store and serve cached content to users. The more PoPs a CDN has, the faster and more reliable the content delivery.
CDNs use various routing strategies to direct user requests to the optimal edge server:
Geo-Based Routing — Users are directed to the closest PoP.
Latency-Based Routing — Requests go to the PoP with the lowest network latency.
Load-Aware Routing — Traffic is balanced across multiple PoPs to prevent overload.
Cache Hit: The requested content is found in the CDN cache and served immediately — fast and cheap.
Cache Miss: The content is not in the cache, so it is fetched from the origin server, stored at the edge, and then served to the user. Slower on first request, but cached for subsequent users.
Manual Purge — Manually removes outdated content from CDN caches immediately.
Stale-While-Revalidate — Serves stale content while fetching fresh content in the background.
Versioning — Appends version numbers (e.g., image_v2.png) to URLs to force cache updates without purging.
Cache invalidation is critical to ensure users receive updated content without waiting for TTL to expire.
CDNs distribute traffic across multiple PoPs using round-robin balancing, latency-based routing, and geo-based routing. If a CDN PoP fails, the CDN automatically reroutes traffic to the next best PoP, ensuring uninterrupted service.
Gzip & Brotli Compression — Reduces file size for transmission.
Minification of CSS/JS — Removes unnecessary characters (whitespace, comments) to reduce file size.
Image Optimization — Converts images to modern formats like WebP and AVIF for better compression.
Rate Limiting — Blocks excessive requests from a single source.
Traffic Filtering — Identifies and drops malicious requests before they reach the origin.
Anycast Routing — Distributes attack traffic across multiple PoPs to absorb the impact, preventing any single location from being overwhelmed.
SSL/TLS offloading means the CDN handles encryption/decryption at the edge, reducing the computational burden on the origin server. Benefits include: reduced origin CPU load, faster response times, and centralized certificate management at the edge.
A multi-CDN strategy uses multiple CDN providers simultaneously for better redundancy, performance, and failover handling. If one CDN provider experiences an outage or poor performance in a region, traffic is automatically routed to an alternate CDN. This is used by large platforms like Netflix and Cloudflare to guarantee uptime.
Segmented Caching — Store different video chunks (segments) at different PoPs based on popularity.
Adaptive Bitrate Streaming — Adjusts video quality dynamically based on the user's available bandwidth.
Load Balancing — Distributes viewers across multiple edge servers to prevent overload.
Multi-CDN — Use multiple CDN providers for geographic coverage and failover.
Example: Netflix uses its Open Connect CDN with custom edge servers placed inside ISP networks to minimize last-mile latency.
Further Reading
Interactive: CDN Edge Cache Routing
Pick a user region and fetch a resource. The first request hits origin (cache MISS). Every repeat request is served from the nearest edge (cache HIT) at a fraction of the latency. Purge the cache to reset.