DNS vs HTTP Routing
Verdict: DNS routing resolves domain names to IP addresses before a TCP connection is made — it is fast, transparent, and operates outside the application. HTTP routing inspects the request after the connection is established and routes by path, hostname, or header — it is flexible and application-aware. Production systems use both: DNS to direct traffic to the right infrastructure, HTTP routing to dispatch it to the right service.
For a broader DevOps context, see the DevOps Configuration & Deployment Basics guide.
- •Routing traffic to different data centres or cloud regions (GeoDNS, latency-based routing)
- •Implementing global load balancing across multiple origin servers
- •Pointing a domain to a CDN or DDoS protection layer
- •Failover: automatically redirecting traffic when a primary IP goes down
- •Separating services onto distinct domains (api.example.com, app.example.com)
- •Routing requests to different microservices based on URL path (
/api/*,/app/*) - •Handling multiple tenants or services on a single IP with virtual hosting
- •Implementing A/B testing, canary releases, or feature flag routing by header
- •Terminating TLS, adding authentication middleware, or rewriting URLs
- •Kubernetes Ingress rules, NGINX
locationblocks, and API gateway rules
DNS routing for network-level direction (global, pre-connection) — HTTP routing for application-level dispatch (path, host, header).
Side-by-Side Comparison
| Aspect | DNS Routing | HTTP Routing |
|---|---|---|
| OSI layer | Layer 3–4 (Network / Transport) — resolves before TCP | Layer 7 (Application) — inspects request after TCP is established |
| Routing decision basis | Domain name → IP address. Optionally weighted, geo-based, or health-checked. | URL path, Host header, request headers, query parameters, method |
| Where it happens | At DNS resolvers, authoritative nameservers, and CDN PoPs — outside the application | At load balancers, reverse proxies (NGINX, HAProxy), API gateways, and Kubernetes Ingress controllers — inside the infrastructure |
| Propagation / latency | Changes take effect after TTL expires — seconds to hours. Caching is a fundamental property. | ✓ Instant — rule changes apply immediately without TTL |
| Granularity | Domain or subdomain level. Cannot differentiate by URL path. | ✓ Path, host, header, method — full request context |
| Geographic distribution | ✓ GeoDNS routes users to nearest data centre before any connection | Geographic routing requires application-level logic or CDN integration after initial connection |
| Failover speed | Limited by TTL. Low-TTL records (60–300s) enable faster failover but increase DNS query load. | ✓ Sub-second failover with health-checked backends in the load balancer |
| TLS termination | DNS has no role in TLS. It only resolves where to connect. | ✓ HTTP routing layers (load balancer, NGINX, Ingress) typically handle TLS termination |
| Typical tools | Route 53, Cloudflare DNS, Azure Traffic Manager, Google Cloud DNS, NS1 | NGINX, HAProxy, AWS ALB, GCP Cloud Load Balancing, Kubernetes Ingress, API gateways (Kong, Traefik) |
What DNS Routing Is
DNS (Domain Name System) translates domain names into IP addresses. When a client wants to connect to api.example.com, it first queries a DNS resolver, which returns one or more IP addresses. Only then does the client open a TCP connection to that IP.
DNS routing means using the DNS resolution step to influence where traffic goes. Instead of a single static A record, you configure DNS to return different IP addresses based on the client's geographic location, health checks on the upstream servers, or weighted distribution. This happens entirely at the DNS layer — the application servers never see the routing decision.
Check live DNS records: DNS Record Validator — queries Cloudflare's DNS-over-HTTPS (1.1.1.1) and returns A, AAAA, CNAME, MX, TXT, and NS records for any domain.
What HTTP Routing Is
HTTP routing happens after the DNS lookup and TCP connection are complete. An HTTP router (a load balancer, reverse proxy, API gateway, or Kubernetes Ingress controller) receives the full HTTP request and uses its content — URL path, Host header, method, query parameters, or custom headers — to decide which backend to forward it to.
NGINX — path-based HTTP routing example
server {
listen 443 ssl;
server_name example.com;
# Route API requests to the API service
location /api/ {
proxy_pass http://api-service:3000/;
}
# Route all other requests to the frontend
location / {
proxy_pass http://frontend-service:8080/;
}
}HTTP routing enables use cases that are impossible at the DNS layer: routing different URL paths to different microservices on the same domain, applying per-path authentication, rate limiting specific endpoints, or performing A/B testing by reading a cookie or header value.
Kubernetes Ingress — host and path routing example
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: app-ingress
spec:
rules:
- host: api.example.com
http:
paths:
- path: /v1
pathType: Prefix
backend:
service:
name: api-v1
port:
number: 80
- path: /v2
pathType: Prefix
backend:
service:
name: api-v2
port:
number: 80How DNS and HTTP Routing Work Together
In most production architectures, DNS and HTTP routing are both in use simultaneously and serve complementary purposes. A typical request flow looks like this:
Typical request flow
Client
│
├─ 1. DNS lookup: api.example.com
│ GeoDNS returns nearest load balancer IP
│ (e.g., EU load balancer: 198.51.100.10)
│
├─ 2. TCP + TLS connection to 198.51.100.10
│ Load balancer terminates TLS
│
├─ 3. HTTP request: GET /v2/users HTTP/1.1
│ Host: api.example.com
│
└─ 4. Load balancer HTTP routing:
/v2/* → api-v2 service (port 8080)
/v1/* → api-v1 service (port 8081)
/* → default backendResolves the domain to an IP. GeoDNS picks the nearest region. The client has no choice about which IP it gets — it uses what DNS returns.
The load balancer or edge terminates TLS. The certificate must cover the domain name from Step 1. TLS is independent of both DNS and HTTP routing.
The load balancer reads the HTTP request and forwards it to the correct backend based on path, host, or headers. This routing is invisible to the DNS layer.
Common Mistakes
✗ Expecting DNS failover to be instantaneous
DNS records have a TTL (time-to-live). Even if you update a record to point to a new IP, resolvers and clients cache the old value until the TTL expires. Reducing TTL to 60 seconds before a planned failover helps, but cached values from before the reduction may persist longer. For sub-second failover, use load balancer health checks — not DNS changes.
✗ Trying to route by URL path in DNS
DNS can only return IP addresses (or CNAMEs) — it has no visibility into URL paths. Routing /api to one server and /app to another cannot be done at the DNS level. This requires an HTTP reverse proxy, API gateway, or load balancer rule. A common mistake is creating separate subdomains (api.example.com, app.example.com) pointing to the same IP as a workaround when a single load balancer could handle both via HTTP host routing.
✗ Not lowering TTL before a DNS migration
If you plan to move a service to a new IP, reduce the DNS TTL to 300 (5 minutes) at least 24–48 hours before the change. This allows cached resolvers to expire the old record quickly after you update it. Migrating with a TTL of 86400 means some clients may resolve to the old IP for up to 24 hours after the update.
✗ Confusing HTTP host header routing with DNS
HTTP virtual hosting uses the Host header to serve different content from the same IP. When a load balancer routes api.example.com and app.example.com to different backends, this is HTTP routing — both domains can have DNS A records pointing to the same load balancer IP. Many engineers assume that distinct domains require distinct IPs, but one IP can serve hundreds of virtual hosts via HTTP host header inspection.
✗ Forgetting that GeoDNS returns results based on the resolver's location
GeoDNS determines geographic location from the IP of the DNS resolver making the query — not the end user's IP. When a user uses a public DNS resolver (8.8.8.8 or 1.1.1.1), the resolver's geographic location is used. Most modern DNS systems support EDNS Client Subnet (ECS) to include the client's subnet in the query, improving accuracy, but not all resolvers or authoritative nameservers support it.
✗ Using CNAME records on the apex domain
DNS prohibits CNAME records at the zone apex (example.com). You can use CNAME for www.example.com pointing to a CDN, but example.com itself must use an A record (or AAAA). Some DNS providers offer ALIAS or ANAME records as a workaround — these behave like CNAME but resolve to an A record at query time, making them valid at the apex.
Try the Tools
All tools run entirely in your browser. No data is uploaded. Browse all DevOps tools →
Frequently Asked Questions
Related Reading
DevOps Configuration & Deployment Basics
Full guide covering YAML, DNS, SSL/TLS certificates, cron, HTTP headers, and validation workflows.
Cron Jobs and Scheduling Basics
Cron expression syntax, special strings, common patterns, and scheduling in Linux, GitHub Actions, and Kubernetes.
HTTP vs HTTPS
Why HTTPS is now the baseline for all web traffic, what TLS protects, and migration mistakes.
YAML vs JSON
Format trade-offs for Kubernetes manifests, CI/CD pipelines, and application configuration files.
DevOps & Infrastructure Tools
Browse all browser-based DevOps tools: DNS, SSL, YAML, cron, HTTP, and more.