The DNS hierarchy is a tree. At the very top is an unnamed root (the silent trailing dot). Below it sit top-level domains such as .com, then registered second-level domains, then subdomains and individual hosts. Each tier delegates authority downward, and a lookup is resolved one level at a time — from the root, to the TLD, to the authoritative server, to an IP address.
The Domain Name System exists to solve one problem: people remember names like example.com, but machines route traffic using numeric IP addresses. DNS is the distributed directory that translates between the two. What makes it scale to billions of names is that no single server holds the whole directory. Instead, responsibility is split into a hierarchy, with each level handing off control of the level beneath it.
If you have read our overview of what a TLD is, you already know the top-level domain is one tier of this tree. This guide zooms out to show the whole structure and then follows a query through it.
What are the tiers of the DNS hierarchy?
Read a domain name right to left and you are reading it from the top of the tree downward. Each label is a level, and each level is managed by a different party.
| Tier | Example label | Role | Typically managed by |
|---|---|---|---|
| Root zone | . (silent dot) | The starting point; lists every TLD and its nameservers. | IANA, under ICANN |
| Top-level domain | .com | A broad family of names; points to its registered domains. | The TLD registry (e.g. for .com) |
| Second-level domain | example | The name you register; the registrable domain. | The registrant (you), via a registrar |
| Subdomain | blog | An optional division you create under your domain. | The registrant (you) |
| Host | a specific record | An individual machine or service the name resolves to. | The registrant (you) |
Notice the trailing dot in blog.example.com. — that final dot represents the root. You almost never type it, but it is always implied. It is the anchor that makes every name in DNS fully qualified and unambiguous.
The tree-shaped structure of the Domain Name System: an unnamed root at the top, then top-level domains, then second-level domains, then subdomains and hosts — each tier delegating authority to the tier below it.
How does a lookup travel from root to IP address?
When you ask for blog.example.com, your device usually hands the question to a recursive resolver (often run by your internet provider or a public DNS service). The resolver does the walking. Here is the journey, step by step:
- Ask a root server. The resolver asks one of the root servers, “Where do I find .com names?” The root does not know the final answer; it replies with a referral to the nameservers for the .com TLD.
- Ask the TLD nameserver. The resolver then asks the .com nameserver, “Where is example.com?” The TLD also does not hold the record; it refers the resolver to the authoritative nameservers for example.com.
- Ask the authoritative nameserver. Finally the resolver asks the authoritative server, “What is the address for blog.example.com?” This server is responsible for that zone, so it returns the definitive answer — usually an IP address.
- Return and cache. The resolver hands the IP back to your device and stores the answer for a while, so the next identical lookup can skip most of these steps.
Each step narrows the search by one level of the hierarchy. The root knows about TLDs, the TLD knows about its domains, and the domain’s own servers know about its hosts. No machine has to know everything, which is exactly why the system scales.
Recursive vs authoritative
A recursive resolver does the legwork — it queries the root, the TLD and the authoritative servers in turn and caches what it learns. An authoritative nameserver holds the real records for a particular zone and gives the final, definitive answer for the names it is responsible for. Most lookups involve both kinds working together.
What are the root servers?
The root sits at the apex of the whole tree, so the servers that answer for it are foundational. There are 13 logical root server identities, named with the letters A through M. They are operated by 12 organisations — a mix of universities, agencies and non-profits.
Thirteen named identities sounds fragile, but the reality is far more robust. Each identity is served from hundreds of physical instances spread across the world using anycast, a routing technique that lets many machines share a single address and answers your query from whichever instance is closest. So while there are only 13 names, there are vast numbers of actual servers behind them, which is what keeps the root fast and resilient.
The root is consulted less than you might think
Because resolvers cache aggressively, they rarely need to ask a root server for common TLDs — they already know where .com lives. The root is consulted mainly when a resolver has no cached referral for a top-level domain, which keeps load on those 13 identities manageable.
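An added example (not from the original article) of the four-step lookup and of the caching effect described above: a toy recursive resolver that walks a constructed in-memory delegation tree. The server names, addresses, the TTL value and the `Resolver` class are assumptions made for illustration; real referral caches also expire, which this sketch omits.

```python
# Constructed delegation tree: server names and addresses are made up.
SERVERS = {
    "root":       {"referrals": {"com.": "tld-com", "org.": "tld-org"}, "records": {}},
    "tld-com":    {"referrals": {"example.com.": "ns-example"}, "records": {}},
    "tld-org":    {"referrals": {}, "records": {}},
    "ns-example": {"referrals": {}, "records": {"example.com.": "192.0.2.1",
                                                "blog.example.com.": "192.0.2.10"}},
}

class Resolver:
    """Toy recursive resolver: follows referrals and caches what it learns."""

    def __init__(self):
        self.referrals = {}   # zone -> server learned from a referral (no expiry here)
        self.answers = {}     # name -> (address, expiry time)
        self.log = []         # every (server, name) query actually sent

    def _start_server(self, qname):
        # Begin at the deepest cached delegation covering qname, else the root.
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:]) + "."
            if zone in self.referrals:
                return self.referrals[zone]
        return "root"

    def resolve(self, qname, now=0, ttl=300):
        if not qname.endswith("."):
            qname += "."                      # make the implied root explicit
        cached = self.answers.get(qname)
        if cached and cached[1] > now:
            return cached[0]                  # step 4 paid off: no queries sent
        server = self._start_server(qname)
        for _ in range(8):                    # cap referrals so a loop cannot hang us
            self.log.append((server, qname))
            zone_data = SERVERS[server]
            if qname in zone_data["records"]: # authoritative answer
                self.answers[qname] = (zone_data["records"][qname], now + ttl)
                return zone_data["records"][qname]
            match = [z for z in zone_data["referrals"]
                     if qname == z or qname.endswith("." + z)]
            if not match:
                return None                   # nobody is delegated this name
            zone = max(match, key=len)        # most specific delegation wins
            server = self.referrals[zone] = zone_data["referrals"][zone]
        raise RuntimeError("referral limit exceeded")
```

The `log` attribute records which servers were actually asked, so a cold lookup shows root, TLD, then authoritative, while later lookups under example.com start at the cached delegation and never touch the root.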
Who maintains the root zone?
The whole hierarchy rests on a single, coordinated file: the root zone. It lists every top-level domain and the nameservers that serve it. That file is maintained by IANA, the function operated under ICANN. When ICANN approves a new TLD, IANA delegates it by adding the appropriate records to the root zone, after which every resolver in the world can find the new extension.
This is what keeps DNS globally consistent. Because every resolver ultimately trusts the same IANA-maintained root, example.com resolves the same way whether the query starts in São Paulo or Seoul. For the related view of how that namespace is split between TLD families, see our guides on gTLD vs ccTLD and second-level vs top-level domain.
★ Key takeaways
- The DNS hierarchy is a tree: root → TLD → second-level domain → subdomain → host.
- A lookup is resolved one tier at a time — root server, then TLD nameserver, then authoritative nameserver, then IP.
- There are 13 root server identities (A–M), run by 12 organisations and served via anycast from hundreds of instances.
- Recursive resolvers do the legwork; authoritative nameservers give the final answer. IANA maintains the root zone.
Frequently asked questions
What is the DNS hierarchy in simple terms?
The DNS hierarchy is a tree of names. At the top is an unnamed root, written as a trailing dot. Below the root sit top-level domains like .com, below those sit registered second-level domains like example, and below those sit subdomains and individual hosts. Each level points down to the next, so a lookup can be resolved step by step.
How does a DNS lookup travel through the hierarchy?
A recursive resolver first asks a root server, which directs it to the nameserver for the relevant TLD. The TLD nameserver directs it to the authoritative nameserver for the specific domain. The authoritative nameserver returns the final answer, usually the IP address, which the resolver hands back to your device.
How many root servers are there?
There are 13 logical root server identities, labelled with the letters A through M. They are operated by 12 organisations, and although there are only 13 named identities, each is served from hundreds of physical instances around the world using a technique called anycast, which improves speed and resilience.
What is the difference between a recursive and an authoritative nameserver?
A recursive resolver does the legwork on your behalf: it queries the root, the TLD and the authoritative servers in turn and caches the result. An authoritative nameserver holds the actual records for a specific zone and gives the definitive answer for the names it is responsible for.
Who manages the DNS root zone?
IANA, operating under ICANN, maintains the authoritative root zone — the master file that lists every top-level domain and the nameservers that serve it. Every other DNS server on the internet ultimately trusts that single coordinated root, which keeps domain names consistent worldwide.