Field Guide · Vol. 2
Name → Address → Edge

DNS & CDN Demystified.

Two invisible systems do most of the heavy lifting before your browser even sees a server: one translates names into IPs, the other puts content physically closer to users. Together they decide whether a page feels instant or sluggish.

PT.1 · The Phonebook

DNS — turning postman.com into 18.65.0.42

Computers don't route packets by name. They route by IP. DNS — the Domain Name System — is a globally distributed database that humans never see, queried billions of times per second to bridge that gap.

The cascade: where the answer is looked up

Before ever leaving your machine, a DNS resolution checks a series of caches. Each hop adds latency. The art of DNS is making sure most lookups stop early.

  1. Browser cache: Chrome / Firefox keep their own short-lived DNS cache (~60s)
  2. OS cache: macOS, Windows and Linux all cache via the system resolver (respects TTL)
  3. Router: your home router or ISP gateway holds recent answers (minutes)
  4. Recursive resolver: your ISP, or Google 8.8.8.8 / Cloudflare 1.1.1.1 (hours)
  5. Authoritative: root → TLD → the domain's nameserver. The source of truth (canonical)

Fig. 1 — Most queries die at layer 1 or 2. Only cache misses travel deeper. A "cold" lookup that goes all the way to authoritative servers can cost 100–300ms.

A full recursive resolution, step by step

[Fig. 2 diagram: Your Browser → Recursive Resolver (8.8.8.8) → Root Nameserver → .com TLD → Authoritative NS → answer "18.65.0.42"]

The conversation:
  1. Browser asks resolver: "who is postman.com?"
  2. Resolver asks root → "I don't know, but .com does"
  3. Resolver asks .com TLD → "ns1.postman.com handles it"
  4. Resolver asks authoritative NS → "A record: 18.65.0.42, TTL 300"
  5. Resolver answers the browser and caches the result for next time

~4 round trips: 100–300ms cold, <1ms cached

Fig. 2 — The recursive resolver does all the legwork; your browser only ever talks to one server.

DNS record types you'll see in interviews

Type    Maps                                        Example
A       name → IPv4 address                         postman.com → 18.65.0.42
AAAA    name → IPv6 address                         postman.com → 2606:4700::6810:85e5
CNAME   name → another name (alias)                 www.postman.com → postman.com
MX      name → mail server                          postman.com → mail.google.com
TXT     name → arbitrary text (SPF, verification)   "v=spf1 include:_spf.google.com"
NS      name → authoritative nameserver             postman.com → ns1.aws.com

Fig. 3 — CNAME is how CDNs work their magic: you point www.yoursite.com at yoursite.cloudfront.net and the CDN handles the rest.

TTL: the dial between speed and freshness

Every DNS record carries a TTL (time-to-live) in seconds. It tells caches: "trust this answer for X seconds, then ask again."

  300s · Short TTL · 5 min: used when you need quick failover (database with replicas, blue/green deploys). Costs: more lookups, more load on authoritative servers.
  3600s · Medium TTL · 1 hour: the default for most websites. Balances cache benefit with reasonable propagation when you change records.
  86400s · Long TTL · 24h: for stable records that never change. Fastest lookups, slowest changes.

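
The cascade, the record types and the TTL dial above, worked as one added example that is not part of the field guide: a toy recursive resolver that walks root → TLD → authoritative over constructed in-memory zones, follows the www CNAME, caches answers by TTL and counts round trips. The server names, the zone data and the 86400s TTL cap are assumptions made for the example.

```python
import time

# Constructed zone data (not real DNS): each server maps a name to a
# (record type, value, ttl) tuple. "NS" entries are referrals to another server.
ROOT = {"com.": ("NS", "tld-com", 172800)}
TLD_COM = {"postman.com.": ("NS", "auth-postman", 172800)}
AUTH_POSTMAN = {
    "postman.com.": ("A", "18.65.0.42", 300),
    "www.postman.com.": ("CNAME", "postman.com.", 300),
}
SERVERS = {"root": ROOT, "tld-com": TLD_COM, "auth-postman": AUTH_POSTMAN}

def ask(server, name):
    """One round trip: the server answers with its longest matching suffix,
    which is either a referral (NS) or the final record."""
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in SERVERS[server]:
            return SERVERS[server][suffix]
    raise LookupError(f"{server} knows nothing about {name}")

class Resolver:
    """The 8.8.8.8 role: walks root -> TLD -> authoritative and caches by TTL."""
    MAX_TTL = 86400   # assumed cap; real resolvers clamp oversized TTLs too

    def __init__(self, clock=time.time):
        self.cache = {}        # name -> (rtype, value, expires_at)
        self.clock = clock
        self.round_trips = 0   # how many servers we had to ask in total

    def resolve(self, name, depth=0):
        if depth > 8:          # guard against CNAME loops
            raise RuntimeError("CNAME chain too long")
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[2] > now:               # cached and still fresh
            rtype, value, _ = hit
            return self.resolve(value, depth + 1) if rtype == "CNAME" else value
        server = "root"
        while True:                            # cold path: the cascade
            self.round_trips += 1
            rtype, value, ttl = ask(server, name)
            if rtype == "NS":
                server = value                 # "I don't know, but they do"
                continue
            self.cache[name] = (rtype, value, now + min(ttl, self.MAX_TTL))
            # (Referrals are not cached here; a real resolver caches those too.)
            return self.resolve(value, depth + 1) if rtype == "CNAME" else value
```

The first lookup of www.postman.com costs six round trips (three to reach the CNAME, three more for its target); repeating it within the 300s TTL costs none.
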
PT.2 · The Distribution Network

CDN — putting your content closer

A CDN (Content Delivery Network) is a fleet of servers — called Points of Presence or PoPs — scattered around the world. They cache copies of your origin's content and serve users from whichever PoP is geographically closest, turning a 200ms transcontinental request into a 10ms local one.

Without a CDN: every user reaches the origin

[Fig. 4 world map, no CDN: origin in us-east-1; Berlin user 180ms, Tokyo user 280ms, Sydney user 320ms, São Paulo user 140ms, NY user 25ms]

Fig. 4 — Without a CDN, distance directly translates to latency.

With a CDN: PoPs everywhere, origin barely touched

[Fig. 5 world map, with CDN: origin in us-east-1 plus a PoP on every continent; Berlin 12ms, Tokyo 8ms, Sydney 10ms, São Paulo 9ms]

Fig. 5 — Each user hits their nearest PoP. The PoP serves cached content or fetches from origin once and caches it.

Real latency numbers

  Origin only (Sydney → us-east-1, no CDN): 320ms
  CDN miss (PoP → origin → PoP → user): 230ms
  CDN hit (edge): 10ms

Fig. 6 — A 32× improvement on cache hits.

What a CDN does, beyond caching static files

  Static asset caching: images, CSS, JS, fonts, video, anything cacheable by URL
  TLS termination: the HTTPS handshake happens at the edge, not at your origin; closer = faster
  Compression & optimization: Brotli/gzip on the fly, image format conversion (WebP, AVIF), responsive resizing
  DDoS protection & WAF: absorb floods at the edge; filter SQL injection, XSS and bot traffic before the origin sees it
  Edge compute: Cloudflare Workers, Lambda@Edge; run JS at the PoP for A/B tests, auth, rewrites
  Routing & anycast: the same IP is advertised from every PoP; BGP steers each user to the nearest PoP in routing terms, automatically

Fig. 7 — Cloudflare, Fastly, AWS CloudFront, Akamai all offer these stacks.

Cache invalidation: the hard part

  TTL (time-based): each cached object has an expiry. Cache-Control: max-age=3600 = re-fetch in 1 hour.
  Purge (manual eviction): call the CDN API: "drop this URL from every PoP." Used on deploy.
  Hash (versioned URLs): best practice: app.a3f2b1.js. New build = new filename. Old cache irrelevant.
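
The three invalidation strategies above, plus the hit/miss accounting of Fig. 6, as an added example that is not from the field guide or any CDN vendor: a toy edge cache that honours Cache-Control max-age, refuses to store private/no-store responses (so one user's personalised page is never served to another), supports a purge call, and shows why a content-hashed filename needs no purge at all. The origin paths, bodies and hashes are constructed sample data.

```python
import re

# Constructed origin (not a real site): path -> (Cache-Control header, body).
ORIGIN = {
    "/index.html": ("public, max-age=60", "<script src=/app.a3f2b1.js>"),
    "/app.a3f2b1.js": ("public, max-age=31536000, immutable", "console.log('v1')"),
    "/account": ("private, no-store", "balance: 42"),   # personalised, per-user
}

def max_age(cache_control):
    """Seconds the edge may keep a response, or None if it must not be cached."""
    tokens = [t.strip().lower() for t in cache_control.split(",")]
    if "no-store" in tokens or "private" in tokens:
        return None            # never let one user's page be served to another
    m = re.search(r"max-age=(\d+)", cache_control)
    return int(m.group(1)) if m else None

class EdgeCache:
    """One PoP: serves hits locally, fetches misses from origin, counts both."""
    def __init__(self):
        self.store = {}          # path -> (expires_at, body)
        self.hits = self.misses = 0

    def get(self, path, now):
        entry = self.store.get(path)
        if entry and entry[0] > now:        # CDN hit: ~10ms, origin untouched
            self.hits += 1
            return entry[1]
        self.misses += 1                    # CDN miss: PoP -> origin -> PoP -> user
        cache_control, body = ORIGIN[path]
        ttl = max_age(cache_control)
        if ttl is not None:
            self.store[path] = (now + ttl, body)
        return body

    def purge(self, path):
        """Manual eviction ('drop this URL from every PoP'), as a deploy hook would."""
        self.store.pop(path, None)

    def hit_ratio(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0

def deploy(edge, new_hash, js_body, now):
    """Versioned-URL deploy: ship a new filename; only the short-TTL HTML needs a purge."""
    new_path = f"/app.{new_hash}.js"
    ORIGIN[new_path] = ("public, max-age=31536000, immutable", js_body)
    ORIGIN["/index.html"] = ("public, max-age=60", f"<script src={new_path}>")
    edge.purge("/index.html")   # the hashed asset is never purged; the old one just goes unused
    return edge.get("/index.html", now)
```
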

The one-paragraph summary for the interview

"DNS is the distributed database that translates names to IPs through a cascade of caches — browser, OS, recursive resolver, then authoritative nameservers if needed. A CDN is a network of edge servers (PoPs) that cache your content geographically close to users. They combine via a CNAME plus anycast or geo-DNS, so a user in Tokyo gets routed to a Tokyo PoP that serves cached HTML in 10ms instead of a 320ms transcontinental round trip to your origin."

Four follow-ups you should be ready for

  1. What's the difference between A and CNAME? A points name → IP directly. CNAME points name → another name, which then resolves.
  2. How do you invalidate a CDN cache? TTL expiry, manual purge API, or versioned filenames with content hashes.
  3. Why is TLS termination at the edge a perf win? A TLS handshake is 1-2 round trips. Done close to the user (10ms RTT) instead of all the way to the origin (200ms RTT), it saves 200-400ms.
  4. What's a cache hit ratio? % of requests served from edge without touching origin. Static assets: >95%. HTML: 60-80%. Personalized: ~0% unless using edge compute.

DNS & CDN field guide · Frontend Field Guides
