TOPIC 04

DNS & Content Delivery Networks

Two systems make the web feel instant: one translates names into addresses, the other moves the bytes themselves to the edge of the planet — close to your users.

Beginner 25 min read 8 concepts

At a Glance

DNS: The Internet's Phone Book

Computers route packets to IP addresses like 142.250.72.14, but humans remember names like google.com. The Domain Name System is the globally distributed, heavily cached directory that maps one to the other. It might be the most successful distributed system ever built: billions of lookups per hour, running since 1983, and you only notice it when it breaks.

The resolution journey, step by step

Browser "shop.dev?" 1 Recursive Resolver (ISP/8.8.8.8) checks cache first 2 "ask .dev" Root nameserver (.) 3 "ask shop.dev's NS" TLD nameserver (.dev) 4 "93.184.216.34!" Authoritative NS holds the real records 5 cached & returned 6 browser connects to IP

A cold lookup walks the hierarchy: root → TLD → authoritative. Caches make the warm path one hop.

1
Browser & OS cache

Seen this domain recently? Use the cached IP and skip everything below. Most lookups end here.

2
Recursive resolver

Your ISP's resolver (or 8.8.8.8 / 1.1.1.1) takes over the hunt on your behalf — also checking its own giant cache.

3
Root nameserver

13 logical root clusters know one thing: who runs each top-level domain. ".dev? Ask these servers."

4
TLD nameserver

The .dev registry replies with the authoritative nameservers for shop.dev.

5
Authoritative nameserver

The source of truth (Route 53, Cloudflare DNS, etc.) returns the actual record: A 93.184.216.34.

6
Answer flows back

The resolver caches it for the record's TTL and hands it to your browser, which finally opens a TCP connection.

Record types you'll actually use

RecordMapsExample use
Aname → IPv4 addressapi.shop.dev → 93.184.216.34
AAAAname → IPv6 addressapi.shop.dev → 2606:2800::1
CNAMEname → another name (alias)www.shop.dev → shop.dev, CDN hostnames
MXdomain → mail servers (with priority)Route email to Google Workspace
NSdomain → its authoritative nameserversDelegate a subdomain to another provider
TXTname → arbitrary textDomain verification, SPF/DKIM anti-spoofing

TTL: the freshness dial

Every record carries a TTL (time to live) — how long resolvers may cache it. A 24-hour TTL means almost no load on your nameservers, but a botched IP change takes a day to heal worldwide. A 60-second TTL gives you fast failover at the cost of constant queries. Common play: keep TTLs long normally, drop them to 60s a day before a planned migration.

DNS pain points

Propagation delay (caches everywhere obey old TTLs), it's a juicy DDoS target (the 2016 Dyn attack took down Twitter, Spotify and GitHub simultaneously), and its slow cache convergence makes it a clumsy failover mechanism — load balancers handle instant failover much better.

DNS Record Types — The Full Cheat Sheet

The quick table above covers the daily drivers; here's the complete reference with the records you'll meet in real zone files (including the one everyone forgets — SOA):

RecordWhat it mapsExampleNotes
Ahostname → IPv4 addressexample.com → 93.184.216.34The workhorse — the final answer of most lookups
AAAAhostname → IPv6 addressexample.com → 2606:2800:220:1::1"Quad-A" — same as A, but for IPv6
CNAMEalias → another hostnamewww.example.com → example.comChains resolve until an A/AAAA is found; can't live at the zone apex
MXdomain → mail exchange serverexample.com → mail.example.com (prio 10)Priority number picks the preferred server; lower wins
NSdomain → its nameserversexample.com → ns1.dnsprovider.comDeclares which DNS server is authoritative for the zone
TXTname → arbitrary text"v=spf1 include:_spf.google.com ~all"SPF/DKIM email auth, domain ownership verification (Google, Netlify)
SOAzone → its admin metadatans1.example.com admin.example.com …Start of Authority: TTL defaults, serial number, contact email for the zone admin

DNS-Based Traffic Management

Because DNS answers the question "which IP should I talk to?", it's also a control point for steering traffic — before a single packet reaches your servers. AWS Route 53 exposes this as routing policies:

PolicyHow it routesUse case
SimpleOne IP, every timeNo intelligence — small single-region apps
WeightedSend 90% to v1, 10% to v2Canary deployments! Shift weights gradually
Latency-basedResolve to the region with lowest latency for that userGlobal apps with multiple regions
FailoverPrimary + standby; switch on health-check failureDisaster recovery
GeolocationEuropean users → EU region, US users → US-EastData residency (GDPR), localized content
GeoproximityLike geolocation, but with tunable bias weightsGradually shifting traffic between nearby regions
Anycast: one IP, many places

The same IP address is advertised from multiple PoPs, and BGP routes each packet to the nearest one. Cloudflare's 1.1.1.1 and Google's 8.8.8.8 are both Anycast IPs — you and someone in Tokyo hit "the same address" but land on completely different machines.

TTL and the Propagation Delay Trade-Off

The TTL — how long resolvers may cache the answer — is the single most consequential number in your zone file:

Short TTL (60–300s)

Changes propagate fast — great for failovers and migrations. Cost: every cache expires constantly, so resolvers re-query → more load on your authoritative servers.

Long TTL (86,400s = 1 day)

Fewer queries, faster resolution from cache, lighter nameserver load. Cost: changing IPs is painful — the old answer lives in caches worldwide for up to a day.

The migration playbook

Lower the TTL to ~60s a day before a planned migration (so existing long-TTL caches drain out), then change the IP, then restore the long TTL once the migration is stable. Doing it in the other order means waiting out the old TTL while traffic splits unpredictably.

Real incident: Fastly, June 2021

A latent bug triggered by one customer's config change took down roughly a third of the visible internet — Reddit, Amazon, gov.uk — for nearly an hour. Caching and DNS TTLs meant many users stayed stuck even after Fastly fixed the root cause within minutes. Lesson: your recovery time includes everyone else's caches, not just your fix.

CDN: Moving Bytes to the Edge

Physics is undefeated: a request from Sydney to a server in Virginia spends ~200 ms just traveling. A Content Delivery Network defeats distance by copying your content to hundreds of PoPs (points of presence) around the world. Each PoP is a cluster of edge servers; users are routed (via anycast or DNS) to the nearest one.

The flow: the user hits the closest edge. Cache hit → served in ~20 ms. Cache miss → the edge fetches from your origin server once, caches it, and every later visitor in that region gets the fast path.

Push vs Pull CDNs

FW

Push CDN

You proactively upload content to the edges whenever it changes. Full control, zero first-visitor misses — but you own the upload pipeline and pay for storage. Best for sites with small, infrequently changing assets (downloads, video libraries, low-traffic sites where a miss matters).

FR

Pull CDN

Edges fetch from origin lazily on the first miss, then cache per TTL. Minimal setup — point a CNAME and go. First visitor per region eats a slow request, and redundant pulls can happen around expiry. Best for heavy-traffic sites: the popular stuff stays naturally hot. This is the Cloudflare/CloudFront default model.

Push CDNPull CDN
Who fills the edgeYou, ahead of timeThe edge, on first miss
First request in regionFast (already there)Slow (origin fetch)
MaintenanceYou manage uploads & invalidationTTL handles refresh
Best forStatic, rarely-changing contentHigh traffic, frequently-changing content

What a CDN buys you

Real-world receipts

Netflix went further than renting a CDN — it built Open Connect, placing its own caching appliances inside ISP datacenters so most streams never cross the public internet. Cloudflare, Akamai, Fastly and AWS CloudFront power much of everything else; Fastly's instant purge is why news sites that change content constantly love it.

Archie says

In interviews, the CDN is your free first move: "static assets — images, JS, CSS, video — go behind a CDN" instantly removes most bandwidth from your design, and lets you spend your complexity budget on the interesting parts.

CDN Architecture Deep Dive

Under the hood, a CDN is a hierarchy of caches with a routing layer in front:

Cache invalidation strategies

1
TTL expiry + cache busting

Simplest: content is stale until the TTL runs out. The workaround is "cache busting" — change the URL when the content changes (app.v2.js, hashed filenames). Old URL stays cached forever; new URL is instantly fresh.

2
Purge API

Cloudflare and Fastly let you purge specific URLs (or everything) instantly via API. Standard move after a CMS publish: save article → purge its URL → next request pulls the fresh version.

3
Surrogate keys (cache tags)

Tag cached objects with content IDs at response time: an article page might carry tags article:42 and user:123. Then "purge everything tagged user:123" invalidates every page that included that user's data — one API call, surgical precision.

Netflix Open Connect — A CDN Built into ISPs

Netflix is ~15% of global downstream internet traffic, so it built its own CDN: Open Connect Appliances (OCAs) — caching servers installed inside ISPs like Comcast and AT&T, for free. The ISP gets free hardware and saves on transit costs; Netflix gets ultra-low-latency delivery.

Archie says

The lesson isn't "build your own CDN" — it's that at sufficient scale, the build-vs-rent math flips. Netflix's traffic volume made owning the delivery layer cheaper and faster than renting one. For everyone else, Cloudflare and CloudFront remain the right answer.

CDN Security Features

Modern CDNs are as much a security perimeter as a performance layer — everything below happens at the edge, before traffic ever reaches your origin:

DDoS protection

Volumetric attacks get absorbed across hundreds of PoPs' combined capacity. Cloudflare blocks 100+ billion threats per day at the edge.

🧱

WAF

The Web Application Firewall blocks SQL injection, XSS, and known-bad bots at the edge — malicious requests never reach your origin.

Bot management

Browser fingerprinting, JavaScript challenges, and CAPTCHAs separate humans from scrapers and credential-stuffers.

SSL termination at edge

The CDN handles the TLS handshake near the user; the origin can speak plain HTTP (or re-encrypted HTTPS) — saving origin CPU and a full round trip.

Origin shield

On a cache miss, requests funnel through one regional node instead of thousands of edges hitting your origin simultaneously — preventing the "thundering herd" on cold or just-purged content.

Quick Check

Your product launches in Brazil tomorrow and the marketing page must be instant for the very first visitor. Which CDN strategy fits best?

Correct! Push (or pre-warming a pull CDN) guarantees the content is already sitting at the São Paulo edge before anyone asks for it. Pull CDNs make the first visitor per region pay the origin round trip.

Interview Q&A

Modern CDNs (Cloudflare Workers, Lambda@Edge) run computation at edge nodes — you can cache personalized responses, A/B test at the edge, rewrite URLs, add security headers, even query edge databases (Cloudflare D1, KV). For truly dynamic content, CDNs still help by: (1) terminating TLS close to users (~100ms RTT saved), (2) keeping persistent keep-alive connections to origin (avoiding a TCP handshake per request), (3) absorbing DDoS before it hits origin.

Pull CDN: the edge fetches from origin on first miss, caches per TTL. Zero configuration, works for any traffic pattern, but the first user to request new content gets origin latency. Best for high-traffic sites where the cache-fill cost is amortized. Push CDN: you proactively upload content to CDN nodes. Full control, no origin hits — but you must manage what's on the CDN. Best for predictable content (software downloads, game patches) and low-traffic sites where pull would rarely hit cache anyway.

With Route 53 failover routing: set a health check on the primary endpoint. If the primary fails the health check, Route 53 automatically returns the secondary IP instead. With a low TTL (60s), most clients see the new IP within a minute. The TTL must be short enough for fast failover — but that means more queries: a classic trade-off. For critical services, combine latency + failover routing: normally go to the nearest healthy region, fail over to the next-nearest if that region dies.

Anti-Patterns to Avoid

High TTL before an IP change

You're stuck for up to 24 hours with the old IP cached worldwide. Always reduce the TTL well before migrations, and restore it after.

Personalized content on the CDN without cache variation

If the cache key doesn't include session info, the CDN can serve one user's private dashboard to another user. Use Cache-Control: private or Vary: Authorization/Cookie headers — carefully.

Caching error responses

A bug makes your origin return 500s, the CDN caches them — and your 5-minute outage becomes a 24-hour one. Set a very short TTL or no-store for error responses.

Interview Prep

DNS & CDN Interview Questions

All key questions and answers from this topic that appear in system design interviews.

DNS Questions

DNS resolution converts a domain name (e.g., www.example.com) into an IP address through these steps:

1. User Query — The user types a domain into a browser.

2. Browser Cache Check — The browser checks its local cache for a stored IP.

3. OS Cache Check — If not in the browser cache, the OS DNS resolver is queried.

4. Local DNS Resolver — If the OS doesn't have it, the query goes to the ISP-provided resolver.

5. Root DNS Servers — If uncached, the resolver queries one of the 13 root DNS servers.

6. TLD Server Query — The root server directs to the TLD server (e.g., .com, .org).

7. Authoritative DNS Server — The TLD server provides the authoritative DNS server's address.

8. IP Address Retrieval — The authoritative server responds with the correct IP.

9. Response Caching — The resolver caches the result for future queries.

10. Website Access — The browser connects to the web server using the IP.

Recursive DNS Server: Acts as an intermediary between the user and other DNS servers. It performs the full DNS lookup process on behalf of the client. Typically provided by ISPs or third-party DNS providers (e.g., Google Public DNS 8.8.8.8, Cloudflare 1.1.1.1).

Authoritative DNS Server: Stores actual DNS records (A, CNAME, MX, etc.) for a domain. It provides the final, definitive answer in the DNS resolution process and is managed by domain owners or hosting providers.

In short: recursive servers fetch data, while authoritative servers store and provide the definitive DNS records.

DNS caching reduces lookup latency by storing previously retrieved DNS results. Benefits:

Reducing latency — Eliminates repeated queries for frequently accessed websites.

Lower DNS server load — Fewer queries reach upstream DNS servers.

Better user experience — Websites load faster when queries resolve locally.

Caching occurs at three levels: Browser Cache (stores responses for recently visited sites), OS Cache (maintains a local DNS cache for frequently accessed domains), and Recursive Resolver Cache (ISP resolvers cache responses to serve many users efficiently).

TTL (Time-To-Live) is a setting in DNS records that defines how long a record is valid before it must be refreshed.

Short TTL (e.g., 60 seconds) — Ensures frequent updates but increases query load on DNS servers.

Long TTL (e.g., 24 hours) — Reduces query frequency but delays propagation of changes (e.g., IP migrations).

TTL balances performance and accuracy. Always reduce TTL well before planned IP migrations, then restore it afterward.

DNS-based load balancing distributes traffic across multiple servers by returning different IP addresses for the same domain:

Round-Robin DNS — Each DNS query gets a different server IP in a rotating order.

Geolocation-based Routing — Directs users to the closest data center to minimize latency.

Failover DNS — If a server fails, the DNS resolver removes it from the list and redirects traffic to healthy servers.

Anycast DNS — Uses the same IP address across multiple locations, routing requests to the nearest server.

This approach improves reliability, availability, and performance in large-scale applications.

DNS Spoofing / Cache Poisoning — Attackers inject false DNS records, redirecting users to malicious websites. Mitigation: Use DNSSEC to verify DNS records.

DDoS Attacks on DNS Servers — Attackers overload DNS servers with traffic, making domains unreachable. Mitigation: Rate limiting, Anycast DNS, and load balancing.

Man-in-the-Middle Attacks — Intercept DNS queries to manipulate responses. Mitigation: Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT).

NXDOMAIN Attack — Floods DNS resolvers with queries for non-existent domains. Mitigation: Deploy response rate limiting (RRL) and DNS firewalls.

CDN Questions

A Content Delivery Network (CDN) is a distributed network of servers that deliver content to users efficiently. The primary goal is to reduce latency by caching content at multiple geographically distributed edge servers (PoPs — Points of Presence).

How it works: (1) A user requests content. (2) The request is routed to the nearest CDN edge server based on geographic location, network latency, and server load. (3) If cached (Cache Hit), content is served instantly. (4) If not cached (Cache Miss), the edge fetches from the origin server, stores it, then serves it.

Without a CDN, content is served directly from the origin server, leading to:

High latency due to geographic distance between user and server.

Overloaded origin servers, causing slower responses and downtime.

Bandwidth constraints leading to slow page loads and higher costs.

Security risks including DDoS attacks and malicious traffic.

CDNs solve these by distributing traffic across edge locations, caching frequently accessed content, and protecting against cyber threats.

Reduced Latency — Faster content delivery by serving from the closest PoP.

Lower Bandwidth Costs — Caching reduces requests to the origin, minimizing data transfer costs.

Increased Availability & Load Balancing — Distributes traffic across multiple servers, preventing overload.

Enhanced Security — Protects against DDoS attacks, traffic filtering, and SSL/TLS encryption at the edge.

Origin Server: The central server that hosts the original content. It is responsible for serving content when a cache miss occurs.

Edge Server (PoP): A geographically distributed server that caches content closer to users to reduce latency.

Analogy: The origin server is like a main warehouse, while edge servers are local distribution centers that store frequently accessed goods.

A PoP (Point of Presence) is a CDN data center that contains edge servers to store and serve cached content to users. The more PoPs a CDN has, the faster and more reliable the content delivery.

CDNs use various routing strategies to direct user requests to the optimal edge server:

Geo-Based Routing — Users are directed to the closest PoP.

Latency-Based Routing — Requests go to the PoP with the lowest network latency.

Load-Aware Routing — Traffic is balanced across multiple PoPs to prevent overload.

Cache Hit: The requested content is found in the CDN cache and served immediately — fast and cheap.

Cache Miss: The content is not in the cache, so it is fetched from the origin server, stored at the edge, and then served to the user. Slower on first request, but cached for subsequent users.

Manual Purge — Manually removes outdated content from CDN caches immediately.

Stale-While-Revalidate — Serves stale content while fetching fresh content in the background.

Versioning — Appends version numbers (e.g., image_v2.png) to URLs to force cache updates without purging.

Cache invalidation is critical to ensure users receive updated content without waiting for TTL to expire.

CDNs distribute traffic across multiple PoPs using round-robin balancing, latency-based routing, and geo-based routing. If a CDN PoP fails, the CDN automatically reroutes traffic to the next best PoP, ensuring uninterrupted service.

Gzip & Brotli Compression — Reduces file size for transmission.

Minification of CSS/JS — Removes unnecessary characters (whitespace, comments) to reduce file size.

Image Optimization — Converts images to modern formats like WebP and AVIF for better compression.

Rate Limiting — Blocks excessive requests from a single source.

Traffic Filtering — Identifies and drops malicious requests before they reach the origin.

Anycast Routing — Distributes attack traffic across multiple PoPs to absorb the impact, preventing any single location from being overwhelmed.

SSL/TLS offloading means the CDN handles encryption/decryption at the edge, reducing the computational burden on the origin server. Benefits include: reduced origin CPU load, faster response times, and centralized certificate management at the edge.

A multi-CDN strategy uses multiple CDN providers simultaneously for better redundancy, performance, and failover handling. If one CDN provider experiences an outage or poor performance in a region, traffic is automatically routed to an alternate CDN. This is used by large platforms like Netflix and Cloudflare to guarantee uptime.

Segmented Caching — Store different video chunks (segments) at different PoPs based on popularity.

Adaptive Bitrate Streaming — Adjusts video quality dynamically based on the user's available bandwidth.

Load Balancing — Distributes viewers across multiple edge servers to prevent overload.

Multi-CDN — Use multiple CDN providers for geographic coverage and failover.

Example: Netflix uses its Open Connect CDN with custom edge servers placed inside ISP networks to minimize last-mile latency.

Further Reading

Try It

Interactive: CDN Edge Cache Routing

Pick a user region and fetch a resource. The first request hits origin (cache MISS). Every repeat request is served from the nearest edge (cache HIT) at a fraction of the latency. Purge the cache to reset.