I always treated secondary DNS as a pretty inconsequential setting. You either leave it alone entirely or fill it once and then forget about it for the rest of time. You pick a primary server, pick a backup, and then move on.
But backup DNS is a lot more important than I thought. If it’s slow, broken, or mismatched, it can really ruin regular browsing, and the root cause of the problem might be really hard to track down.
Your backup DNS is doing more than just sitting there
It can still ruin your day
DNS servers are the middlemen between the websites you type in and the IP addresses your devices actually need. Your primary DNS server is usually the one your device tries first, as it should be. Then, the secondary DNS steps in when a backup is needed, meaning when the first one fails to respond. Because of that, it’s easy to assume that the backup option is kind of irrelevant.
I get it. DNS problems are generally less common than other network issues, such as various ISP problems or poorly optimized settings. But if your primary DNS fails, welp, that’s it, you’re kind of stuck. That’s what makes secondary DNS so important.
If that secondary DNS is slow, unreachable, or outdated, your device can still end up waiting on it, stuck in purgatory as it keeps retrying queries. That doesn’t mean your whole connection will be good for nothing, but it could make websites load slowly or fail to load at all.
A messy DNS setup is so hard to pin down, though. A bad cable is a bad cable, Wi-Fi dead zones are pretty easy to diagnose, but a DNS will often be the last thing you check. It shouldn’t be.
QuizDNS servers & how the internet finds its way
Trivia challenge
From 8.8.8.8 to how your browser finds cat videos — find out how much you really know about DNS.
DNS BasicsIP AddressesSecurityProvidersHistory
Correct! DNS stands for Domain Name System — the internet’s giant phone book that translates human-friendly domain names like ‘howtogeek.com’ into IP addresses computers can actually use. Without it, you’d need to memorize a string of numbers every time you wanted to visit a website.
Not quite — DNS stands for Domain Name System. It acts like the internet’s phone book, converting easy-to-remember domain names into the numerical IP addresses that computers use to route traffic. It’s one of the most fundamental building blocks of the modern web.
Before DNS was invented, how did computers resolve hostnames on the early internet (ARPANET)?
That’s right! Before DNS, every computer on ARPANET relied on a file called HOSTS.TXT maintained by the Stanford Research Institute. Admins had to manually download the updated file to get new hostname mappings — not exactly scalable once the network started growing rapidly.
The answer is HOSTS.TXT. Before DNS existed, a single text file maintained at the Stanford Research Institute mapped all hostnames to addresses, and every machine had to download it periodically. As the internet grew, this system became completely unmanageable, which is exactly what motivated the creation of DNS in 1983.
The famous DNS server at IP address 8.8.8.8 is operated by which company?
Correct! 8.8.8.8 (and its companion 8.8.4.4) is Google’s Public DNS service, launched in 2009. It was one of the first major free public DNS resolvers and became incredibly popular as a fast, reliable alternative to ISP-provided DNS servers.
The 8.8.8.8 address belongs to Google’s Public DNS, launched in 2009. Google made 8.8.8.8 easy to remember on purpose. Cloudflare runs 1.1.1.1, OpenDNS uses 208.67.222.222, and Microsoft’s Azure DNS exists but isn’t the same service — each provider pitches slightly different benefits like speed, privacy, or filtering.
Cloudflare’s DNS resolver at 1.1.1.1 launched in 2018 with a strong emphasis on what selling point?
Spot on! Cloudflare launched 1.1.1.1 on April 1, 2018 (yes, really) with privacy as its headline feature, promising never to log users’ IP addresses or sell browsing data. It was independently audited by KPMG to back up those claims, which set it apart from many competitors.
Cloudflare’s big pitch for 1.1.1.1 was privacy — specifically the promise to never log users’ IP addresses or sell their data. While 1.1.1.1 is also very fast (often ranking #1 in independent speed tests), privacy was the headline claim at launch, backed by a third-party audit from KPMG. Ad blocking is available via a separate 1.1.1.2 address, but it’s not on by default.
What is a DNS ‘resolver’ (also called a recursive resolver)?
Exactly right! A recursive resolver (like 8.8.8.8 or 1.1.1.1) is the middleman that takes your query and chases down the answer by contacting root servers, TLD servers, and authoritative nameservers — then delivers the final IP address back to you. It does all the heavy lifting so you don’t have to.
A recursive resolver is the server that does the legwork on your behalf — it contacts root nameservers, top-level domain servers, and authoritative nameservers in sequence until it finds the IP address you need. The authoritative nameserver is the one that actually holds the official records. Your resolver is essentially the internet’s investigator, tracking down answers one clue at a time.
What type of attack involves poisoning a DNS cache with false records to redirect users to malicious websites?
Correct! DNS spoofing, also known as cache poisoning, tricks a DNS resolver into storing a fraudulent IP address for a legitimate domain. When users then request that domain, they’re silently redirected to a malicious server — which is exactly why DNSSEC was developed to cryptographically sign DNS records.
The attack you’re thinking of is DNS spoofing or cache poisoning. An attacker injects fake DNS records into a resolver’s cache, causing anyone who queries that resolver to be directed to the wrong — often malicious — IP address. DNSSEC (DNS Security Extensions) was designed specifically to fight this by adding cryptographic signatures to DNS records.
Which DNS record type is responsible for mapping a domain name to an IPv4 address?
Right on! The ‘A’ record (short for Address record) is the most fundamental DNS record type, mapping a hostname directly to a 32-bit IPv4 address. Its cousin, the AAAA record, does the same job for 128-bit IPv6 addresses — you’ll sometimes see both configured for the same domain.
The correct answer is the A record (Address record), which maps a domain to an IPv4 address. An MX record handles mail routing, a CNAME is an alias pointing one domain name to another, and TXT records store arbitrary text — often used for things like SPF email verification or domain ownership confirmation. The A record is the bread-and-butter of DNS.
DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) both aim to solve the same core problem. What is it?
Absolutely correct! Traditional DNS queries travel as plain, unencrypted text — meaning your ISP, network admin, or anyone monitoring traffic can see every domain you look up. DoH wraps DNS in HTTPS (using port 443), while DoT uses a dedicated TLS connection (port 853), both making your browsing queries much harder to snoop on.
The core problem that DoH and DoT solve is that standard DNS queries are completely unencrypted and readable by anyone watching your network traffic — your ISP, a coffee shop Wi-Fi operator, or a government. DNS-over-HTTPS hides queries inside normal HTTPS traffic, while DNS-over-TLS uses a dedicated encrypted channel. Both approaches protect your privacy at the DNS layer, which is surprisingly often overlooked.
Your Score
/ 8
Thanks for playing!
Mismatched DNS makes troubleshooting a chore
Or rather, even more of a chore
The most annoying thing here is (and this problem is already pretty annoying to begin with) is that when something is wrong, you’re unlikely to think of DNS as the last thing.
You’ll blame the website, the ISP, your router, and any number of things before you check your DNS settings to find out whether those DNS servers are playing nicely together. This is especially true if the issue is intermittent and you don’t have to deal with it every single time you go online.
This problem levels up yet again when your primary DNS and secondary DNS don’t share the same problems. One might be doing great, while the other might be slower, filtered, tied to your ISP, or otherwise just disappointing. That doesn’t mean that mixing DNS providers is automatically wrong, but it does mean that you’ll be troubleshooting two “paths” toward the internet instead of just one.
9/10
- Brand
-
Unifi
- Range
-
1,750 square feet
Unifi’s Dream Router 7 is one of the best you can buy, with fully managed switching, a built-in firewall, four 2.5G Ethernet ports, and a 10G SFP+ port.
Your browser might be ignoring those DNS settings anyway
The lookup has layers
Guess what? As if this whole thing wasn’t enough of a nuisance already, your browser might be adding an extra layer of frustration.
Your router and your PC aren’t the only places where DNS can be configured. Modern browser can use secure DNS, also called DNS over HTTPS, which means that the likes of Chrome, Firefox, Edge, or whatever else you might use, might be sending DNS queries to a provider you picked inside the browser. That’s not so bad on its own, but it does mean that the DNS settings you chose elsewhere might not be the ones doing the work when you try to load a website.
This is where troubleshooting gets even worse. Your router might be handing out one DNS server, Windows might have another one saved, and your browser might be using a third option entirely. Then, there’s secondary DNS. Tracing the problem back to the source gets trickier with each added layer of potential failure.
The one router setting I change every time I set up a new network
One change to the network can stop malware before it can reach your PC
The fix is painfully simple
Which is exactly how we like them
Good news! The fix isn’t going to cost you a penny, it’ll just be a tiny bit of digging.
In most causes, you just need to find out what your primary and secondary DNS servers actually are, make sure both of them actually make sense, and try to unify them across various devices/browsers.
Start with the obvious. Access your router’s internet or LAN settings, then your PC’s network adapter settings, and lastly, your browser’s DNS settings.
On Windows, you can check this under Settings > Network & Internet > Advanced network settings, then open your adapter’s properties and look for DNS settings. In Chrome or Edge, search for Secure DNS; in Firefox, search settings for DNS over HTTPS.
Pick one plan and make every device follow it
The simplest fix is to pick one plan and make sure the backup server belongs to that plan, too. If you want Cloudflare, use 1.1.1.1 and 1.0.0.1. For Google, use 8.8.8.8 and 8.8.4.4, and so on.
The point isn’t that they must be identical, because they can’t be, but they should all be part of the same setup.
Stephan is the sports journalist for the Maple Grove Report.
