Why DNS Fails for AI Agents
DNS maps names to IP addresses. Agents need capability discovery, trust verification, and protocol negotiation — none of which DNS provides.
DNS: A 1983 Masterpiece
The Domain Name System is one of computing's great achievements. Designed by Paul Mockapetris in 1983, DNS provides a globally distributed, hierarchical namespace that maps human-readable domain names to machine-readable IP addresses. It's fast, resilient, and handles billions of queries daily.
But DNS was designed for a specific purpose: locating servers that host documents. When you type example.com, DNS returns an IP address. Your browser connects, requests a page, and the transaction ends. This model has served the web brilliantly for four decades.
The problem? AI agents aren't documents. They don't sit at fixed endpoints waiting for requests. They're dynamic, autonomous entities that discover peers, negotiate protocols, verify trust, and delegate tasks — all in real time.
Five Ways DNS Falls Short
1. Propagation Latency
DNS updates propagate through a hierarchy of caches and resolvers. Research shows end-user visibility can stretch to 24–48 hours in worst cases, with typical propagation taking minutes to hours. When an agent spawns a helper agent that needs to be discoverable immediately, minutes are an eternity.
As Professor Raskar noted during an AWS DNS outage: "DNS glitch at AWS today for websites. Imagine if we had the same for the Internet of AI Agents."
2. No Capability Metadata
A DNS record tells you where something is — an IP address, maybe a port. It tells you nothing about what it can do. When your travel-booking agent needs to find a flight-search specialist that supports A2A protocol, speaks English and Japanese, and has a verified performance SLA, DNS has no mechanism to express or query any of this.
3. Trust Is Domain-Level Only
TLS certificates prove domain ownership — that example.com is controlled by Example Inc. But agent trust requires far more: behavioral history, capability attestations, compliance certifications, and cryptographic proof of code integrity. As the NANDA Beyond DNS paper argues, trust must be agent-level, not domain-level.
4. Privacy Exposure
Every DNS query reveals what you're looking for to network observers. When a pharmaceutical company's research agent queries for a genomics specialist, that search pattern itself leaks strategic intent. NANDA's dual-path resolution architecture addresses this with anonymous lookup paths through neutral third-party hosts.
5. Static Addressing in a Dynamic World
Agents migrate between runtimes, auto-scale across regions, and update capabilities continuously. DNS was designed for relatively static mappings — a domain name pointing to one or a few IP addresses. Agents need dynamic, adaptive routing that reflects their real-time state.
The Scale Problem
These limitations compound at scale. Consider the numbers: DNS currently handles roughly 400 million domain registrations globally. The Internet of AI Agents envisions billions to trillions of agents — each registering, updating capabilities, rotating endpoints, and revoking trust in real time.
The NANDA Index addresses this with an ultra-lean record format — AgentAddr records of ≤120 bytes — that separates static identity from dynamic metadata. This architectural decision reduces write overhead by approximately 10,000× compared to DNS while enabling sub-second global resolution.
What Replaces DNS for Agents?
The answer isn't to deprecate DNS — it continues to work well for its intended purpose. The answer is to build a complementary discovery layer purpose-built for agents, just as broadband infrastructure was built alongside (not instead of) the telephone network.
The NANDA protocol provides this layer through three interlocking systems:
- The NANDA Index — a decentralized "Quilt" of registries providing global agent discovery without a single point of control
- AgentFacts — rich, cryptographically signed metadata encoded as W3C Verifiable Credentials
- The Adaptive Resolver — a dynamic resolution layer handling real-time endpoint discovery, federation, caching, and failover
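The three systems chained into a single lookup, as an added example that is not NANDA's own code: the index returns a lean record, the resolver fetches the AgentFacts it points to, verifies the proof, and only then matches capabilities and returns the endpoint. The field names, the `facts://` reference and the sample data are hypothetical, and HMAC-SHA256 from the standard library stands in for the Verifiable Credential signature.

```python
import hashlib
import hmac
import json
import time

MAX_ADDR_BYTES = 120                   # AgentAddr size bound stated on the page
ISSUER_KEY = b"constructed-demo-key"   # assumption: stands in for the issuer's key

def canonical(obj):
    """Deterministic JSON bytes, so size checks and proofs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_facts(facts):
    """HMAC-SHA256 stand-in for the Verifiable Credential proof."""
    return hmac.new(ISSUER_KEY, canonical(facts), hashlib.sha256).hexdigest()

# Constructed sample data; every field name here is hypothetical.
FACTS = {"agent": "flights.example", "capabilities": ["flight-search"],
         "protocols": ["A2A"], "languages": ["en", "ja"],
         "endpoint": "https://agents.example/flights", "expires": 4102444800}
FACTS_STORE = {"facts://flights.example": {"facts": FACTS, "proof": sign_facts(FACTS)}}
INDEX = {"flights.example": {"id": "flights.example",
                             "facts": "facts://flights.example", "ttl": 60}}

def resolve(name, capability, protocol, now=None):
    """AgentName -> index record -> AgentFacts -> endpoint, failing closed."""
    now = time.time() if now is None else now
    addr = INDEX.get(name)
    if addr is None:
        raise LookupError("no index record for " + name)
    if len(canonical(addr)) > MAX_ADDR_BYTES:
        raise ValueError("index record exceeds the lean-record bound")
    doc = FACTS_STORE.get(addr["facts"])
    if doc is None:
        raise LookupError("AgentFacts document not found")
    facts = doc["facts"]
    # Verify the proof before trusting any field, the endpoint included.
    if not hmac.compare_digest(sign_facts(facts), doc["proof"]):
        raise PermissionError("AgentFacts proof does not verify")
    if facts["agent"] != name:
        raise PermissionError("AgentFacts issued for a different agent")
    if facts["expires"] <= now:
        raise PermissionError("AgentFacts expired")
    if capability not in facts["capabilities"] or protocol not in facts["protocols"]:
        raise LookupError("agent does not advertise the requested capability")
    return facts["endpoint"]

if __name__ == "__main__":
    print(resolve("flights.example", "flight-search", "A2A"))
```

Because the endpoint is read only after the proof verifies, a rewritten endpoint in the metadata store causes a resolution failure instead of a silent redirect.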
AgentName → NANDA Index → AgentAddr → AgentFacts → Agent Endpoint — analogous to DNS resolution but with built-in trust verification, capability matching, and privacy-preserving lookups at every step.
Further Reading
The architectural case for moving beyond DNS is laid out in detail across several NANDA research papers:
- Beyond DNS: Unlocking the Internet of AI Agents via the NANDA Index and Verified AgentFacts — the foundational NANDA paper
- Upgrade or Switch — the architectural comparison of upgrade vs. switch paths
- NANDA Adaptive Resolver — dynamic microservice architecture for agent resolution