What is "DNS Relay"?


As the word relay suggests, it is something forwarded onward. But is it really that simple?
DNS relay means a device (like a router, firewall, or server) forwards DNS queries to another DNS server instead of resolving them itself. It acts as a middleman for DNS requests.
When you type a domain (like cloudandcosmos.com) in your browser, DNS helps find the right server.

1. User Request: You enter cloudandcosmos.com.
2. Recursive Resolver: Your ISP or public DNS (e.g., Google DNS) checks its cache. If the name is not found there, it asks the Root Server.
3. Root DNS Server: Says: "Ask the .com TLD (Top Level Domain) server."
4. TLD DNS Server: Says: "Ask the authoritative server for cloudandcosmos.com."
5. Authoritative DNS Server: Responds: "Here's the IP for cloudandcosmos.com."
6. Browser Connects: Your browser uses the IP to load the website.

In short,

| Type of DNS | Role of DNS |
| --- | --- |
| Recursive Resolver | Finds data on your behalf |
| Root Server | Points to TLD servers |
| TLD Server | Points to authoritative servers |
| Authoritative Server | Holds actual domain records (final answer) |
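The chain in the table above, as an added example that is not part of the original post: a small Python walk from the root server to the TLD server to the authoritative server, over constructed in-memory stand-ins for the three tiers. The server names (`root`, `tld-com`, `auth-cloudandcosmos`), the domains other than cloudandcosmos.com and the 192.0.2.10 address are all made up for the example; the real address of cloudandcosmos.com is not looked up.

```python
# Added example: an in-memory walk of the root -> TLD -> authoritative chain.
# Every server below is a constructed stand-in. Each one maps a name either
# to a referral (the next server to ask) or to a final A record. Names are
# kept fully qualified with a trailing dot, as real DNS does.
SERVERS = {
    # The root knows only which server handles each top-level domain.
    "root": {
        "com.": ("referral", "tld-com"),
        "org.": ("referral", "tld-org"),
    },
    # A TLD server knows only which server is authoritative for each domain.
    "tld-com": {"cloudandcosmos.com.": ("referral", "auth-cloudandcosmos")},
    "tld-org": {},
    # The authoritative server holds the actual records (the final answer).
    "auth-cloudandcosmos": {
        "cloudandcosmos.com.": ("answer", "192.0.2.10"),      # constructed IP
        "www.cloudandcosmos.com.": ("answer", "192.0.2.10"),  # constructed IP
    },
}


def to_fqdn(name: str) -> str:
    """Normalise 'CloudAndCosmos.com' to 'cloudandcosmos.com.' (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parent_zones(fqdn: str):
    """Yield fqdn and each enclosing zone, most specific first:
    'www.cloudandcosmos.com.' -> itself, 'cloudandcosmos.com.', 'com.'"""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def ask(server: str, fqdn: str):
    """What one server says about fqdn: its exact record if it has one,
    otherwise a referral for the closest enclosing zone it delegates,
    otherwise None (this server knows nothing about the name)."""
    table = SERVERS[server]
    if fqdn in table:
        return table[fqdn]
    for zone in parent_zones(fqdn):
        entry = table.get(zone)
        if entry is not None and entry[0] == "referral":
            return entry
    return None


def resolve_iteratively(name: str, max_hops: int = 8):
    """Do what a recursive resolver does on a cache miss: start at the root
    and follow referrals until a server answers. Returns (ip_or_None, trace),
    where trace lists each server consulted together with its reply."""
    fqdn = to_fqdn(name)
    trace = []
    server = "root"
    for _ in range(max_hops):
        reply = ask(server, fqdn)
        trace.append((server, reply))
        if reply is None:
            return None, trace        # nobody on the path knows it: NXDOMAIN
        kind, target = reply
        if kind == "answer":
            return target, trace      # the authoritative server's final answer
        server = target               # referral: ask the next server down
    return None, trace                # guard against a referral loop


if __name__ == "__main__":
    for q in ("cloudandcosmos.com", "www.cloudandcosmos.com",
              "mail.cloudandcosmos.com", "example.org", "foo.test"):
        ip, trace = resolve_iteratively(q)
        print(q, "->", ip)
        for server, reply in trace:
            print("    ", server, "said", reply)
```

Running it prints the referral trace for each name: a hit on cloudandcosmos.com takes three hops, a missing record under a delegated domain fails at the authoritative server, and an unknown top-level domain fails at the root itself, which is the stage at which a real resolver would return NXDOMAIN.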
But here’s the twist — in many systems, you’re not asking the real source of DNS information (the authoritative server). Instead, your DNS query is relayed through a series of intermediaries.
This process is called DNS relay (also known as DNS forwarding).
DNS relay is when a device (like your router, VPN, firewall, or cloud VM) forwards your DNS request to another DNS server — usually a public one like Google DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1). Instead of resolving the domain name itself, the device passes your query along and just gives you the answer it gets back.
This adds convenience and caching, but also comes with hidden trade-offs: delayed updates, stale records, and even surveillance risks.
You might be surprised to learn that DNS relays are everywhere — often quietly operating behind the scenes without users realizing it.
Most home routers don't resolve DNS on their own. They relay queries to your ISP's DNS servers — or, in many modern cases, directly to Google (8.8.8.8) or Cloudflare (1.1.1.1). This means every device in your house is effectively going through the same DNS middleman.
In a private cloud, a relay addresses the limitations inherent in simply forwarding DNS queries to an external service. If there is no DNS service inside the network, we cannot determine which devices are making the queries. By using a DNS relay we enable a number of key enhancements:

- Policy by Subnet – policy can be assigned per subnet, so different LAN networks get different policies.
- Local Device IP in Logs – every query can be tagged with the LAN IP of the device that made it, for better tracking in the access logs.
- DNS Encryption – all internal DNS traffic is routed through a set of hosts, which lets us encrypt it with DoT or DoH before it leaves the network, for privacy and security.
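The three features above, together with the stale-record trade-off mentioned earlier, as an added example that is not part of the original post: a minimal relay in Python that applies a per-subnet policy, tags each access-log line with the device's LAN IP, caches answers for their TTL and otherwise forwards to an upstream resolver. The upstream resolver, the clock, the subnets, the domain names and the addresses are all constructed stand-ins (`UpstreamStub`, `FakeClock`, `DnsRelay` are names chosen for this example); the DoT/DoH encryption of the upstream leg is not modelled.

```python
import ipaddress
import time

# Added example: a minimal DNS relay. Upstream, clock and records are
# constructed stand-ins, not a real resolver.


def to_fqdn(name: str) -> str:
    """'CloudAndCosmos.com' -> 'cloudandcosmos.com.' (lower case, trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


class UpstreamStub:
    """Stands in for a public resolver such as 8.8.8.8 or 1.1.1.1.
    records maps fqdn -> (ip, ttl_seconds); a missing name is NXDOMAIN."""

    def __init__(self, records):
        self.records = dict(records)
        self.queries_seen = []      # everything the upstream learns about us

    def __call__(self, fqdn):
        self.queries_seen.append(fqdn)
        return self.records.get(fqdn)


class FakeClock:
    """Controllable time source so TTL expiry can be shown deterministically."""

    def __init__(self, start=0.0):
        self.t = float(start)

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DnsRelay:
    def __init__(self, upstream, policies, clock=time.time):
        self.upstream = upstream
        self.clock = clock
        # policies: {"192.168.10.0/24": ["blocked.example", ...]}, parsed once
        self.policies = [
            (ipaddress.ip_network(cidr), {to_fqdn(n) for n in names})
            for cidr, names in policies.items()
        ]
        self.cache = {}   # fqdn -> (ip, expires_at)
        self.log = []     # one access-log line per query, tagged with the LAN IP

    def _record(self, client_ip, fqdn, result, answer):
        self.log.append(f"t={self.clock():.0f} client={client_ip} qname={fqdn} "
                        f"result={result} answer={answer}")

    def query(self, client_ip, name):
        fqdn = to_fqdn(name)
        client = ipaddress.ip_address(client_ip)
        now = self.clock()

        # 1. Policy by subnet: the relay knows which LAN the device sits on.
        for network, blocked in self.policies:
            if client in network and fqdn in blocked:
                self._record(client_ip, fqdn, "BLOCKED", None)
                return None

        # 2. Cache: serve a still-valid answer without asking upstream,
        #    even if the authoritative record has changed in the meantime.
        hit = self.cache.get(fqdn)
        if hit is not None and hit[1] > now:
            self._record(client_ip, fqdn, "CACHE", hit[0])
            return hit[0]

        # 3. Forward: the upstream sees the relay, never the LAN IP.
        reply = self.upstream(fqdn)
        if reply is None:
            self._record(client_ip, fqdn, "NXDOMAIN", None)
            return None
        ip, ttl = reply
        self.cache[fqdn] = (ip, now + ttl)
        self._record(client_ip, fqdn, "FORWARDED", ip)
        return ip


if __name__ == "__main__":
    clock = FakeClock(1000)
    upstream = UpstreamStub({"cloudandcosmos.com.": ("192.0.2.10", 300),   # constructed
                             "updates.example.": ("198.51.100.7", 60)})    # constructed
    relay = DnsRelay(upstream, {"192.168.10.0/24": ["updates.example"]}, clock.now)
    relay.query("192.168.20.5", "cloudandcosmos.com")
    relay.query("192.168.10.5", "updates.example")      # blocked on this subnet
    relay.query("192.168.20.5", "updates.example")      # allowed on another subnet
    upstream.records["updates.example."] = ("198.51.100.99", 60)   # record changes
    relay.query("192.168.20.5", "updates.example")      # still the cached, stale IP
    clock.advance(61)
    relay.query("192.168.20.5", "updates.example")      # TTL expired: fresh answer
    print("\n".join(relay.log))
```

Two things the log shows that the prose only states: the upstream stub's `queries_seen` list never contains the blocked name, and none of its entries carry a client address, so the relay, not the public resolver, is the one that knows which LAN device asked; and after the upstream record changes, the relay keeps returning the cached address until the TTL runs out, which is exactly the delayed-update risk of relaying.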
Another aspect worth looking at is how AWS describes the same pattern:
"Amazon VPC DNS relays forward public DNS requests to an upstream resolver." — AWS Docs
Written by Sangam Ghimire
