This article explains the differences between the two main types of DNS servers: authoritative and recursive, their functions, and when each one is used.
Basic Concepts
The Domain Name System (DNS) translates human-readable domain names (like example.com) to IP addresses (like 192.0.2.1). This process involves different types of servers with specific roles.
Authoritative DNS Server
An authoritative DNS server is the official source of information for a specific DNS zone. It contains the actual DNS records for the domains it manages and responds authoritatively to queries about those domains.
Characteristics
- Stores the original DNS records for a zone (A, AAAA, MX, CNAME, TXT, etc.).
- Is the source of truth for the domains it manages.
- Does not recurse on behalf of clients: it answers only from its own zone data. For a name it is not authoritative for, it returns a referral to a delegated child zone or refuses the query; it never goes looking for the answer elsewhere.
- Responds with the "aa" (authoritative answer) flag in its responses.
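To make the "aa" flag concrete, here is an added example (not code from the original article) that builds a minimal DNS response in wire format and decodes its header. The same answer for www.example.com is produced twice: once as an authoritative server would send it (AA set) and once as a recursive resolver would (AA clear, RA set). The name, address, TTL and transaction ID are constructed sample values.

```python
import struct

# Header flag bits (RFC 1035, section 4.1.1)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Read a name at offset, following compression pointers; returns (name, next offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, target
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", end


def build_a_response(qname: str, ip: str, txid: int, authoritative: bool, ttl: int) -> bytes:
    """Build the response an authoritative server or a recursive resolver would send
    for 'qname A?'. Only the header flags differ between the two."""
    flags = QR
    if authoritative:
        flags |= AA              # answer comes from the server's own zone data
    else:
        flags |= RD | RA         # RD echoed from the client; RA: this server offers recursion
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_first_answer(msg: bytes) -> dict:
    """Skip the question section and decode the first resource record."""
    hdr = parse_header(msg)
    offset = 12
    for _ in range(hdr["qdcount"]):
        _, offset = decode_name(msg, offset)
        offset += 4                                  # QTYPE + QCLASS
    name, offset = decode_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    rdata = msg[offset + 10:offset + 10 + rdlen]
    ip = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else None
    return {"name": name, "type": rtype, "ttl": ttl, "ip": ip}


if __name__ == "__main__":
    # Constructed sample: the same answer as sent by each kind of server.
    for label, auth in (("authoritative", True), ("recursive", False)):
        msg = build_a_response("www.example.com", "192.0.2.1", 0x1234, auth, 3600)
        print(label, parse_header(msg), parse_first_answer(msg))
```

When you capture real traffic, the "aa" bit is the quick way to tell whether an answer came from the zone's own data or from a resolver's cache; a cached copy of an authoritative answer is relayed with AA cleared, and its TTL counts down from the time it was cached.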
Example Flow
When someone queries www.example.com:
- The authoritative server for example.com receives the query.
- It looks up the record in its local zone data.
- It responds directly with the configured IP.
Use Cases
- Hosting providers managing DNS for their customers.
- Companies managing their own domains.
- Domain registrars.
Common Software
- BIND (named)
- PowerDNS Authoritative
- NSD
- Knot DNS
Recursive DNS Server
A recursive DNS server (also called a resolver) acts as an intermediary between the client and authoritative servers. It doesn't store original records but instead searches for answers by querying other servers and caches the results.
Characteristics
- Receives queries from clients and searches for answers on their behalf.
- Queries multiple authoritative servers following the DNS hierarchy.
- Stores responses in cache to improve performance.
- Respects the TTL (Time To Live) of records to determine how long to keep the cache.
Example Flow
When a client queries www.example.com:
- The client sends the query to the recursive server.
- The recursive server queries a root server: "Who handles .com?"
- The root server responds with a referral to the .com servers.
- The recursive server queries a .com server: "Who handles example.com?"
- The .com server responds with the authoritative servers for example.com.
- The recursive server queries the authoritative server for example.com: "What is the IP for www.example.com?"
- The authoritative server responds with the IP.
- The recursive server returns the response to the client and stores it in cache.
In practice the resolver checks its cache first and usually already holds the root and .com referrals from earlier lookups, so most queries need only the last step or no upstream query at all.
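The walk above and the TTL-based caching from the characteristics list, as an added example that is not code from the original article. Three simulated authoritative servers (root, .com and example.com, each knowing only its own zone) stand in for the Internet, and a small resolver follows their referrals from the root hints and caches the final answer until its TTL expires. All names, addresses and TTLs are constructed sample data.

```python
from typing import Optional

# Constructed stand-in for the Internet: authoritative servers keyed by IP address,
# each knowing only its own zone. Addresses are from documentation ranges, not real servers.
SERVERS = {
    "198.51.100.1": {                                   # a root server
        "zone": ".",
        "a": {},
        "delegations": {"com.": [("a.gtld.example.", "203.0.113.10")]},
    },
    "203.0.113.10": {                                   # a .com server
        "zone": "com.",
        "a": {},
        "delegations": {"example.com.": [("ns1.example.com.", "192.0.2.53")]},
    },
    "192.0.2.53": {                                     # authoritative for example.com
        "zone": "example.com.",
        "a": {"www.example.com.": ("192.0.2.1", 300)},  # (address, TTL in seconds)
        "delegations": {},
    },
}
ROOT_HINTS = ["198.51.100.1"]   # every resolver ships with the root server addresses


def authoritative_query(server_ip: str, qname: str) -> dict:
    """An authoritative server never recurses: it answers from its own zone data (aa=1),
    hands back a referral (NS + glue) for a zone it delegates, or reports NXDOMAIN."""
    srv = SERVERS[server_ip]
    if qname in srv["a"]:
        return {"aa": True, "answer": srv["a"][qname]}
    for zone, nameservers in srv["delegations"].items():
        if qname == zone or qname.endswith("." + zone):
            return {"aa": False, "referral": nameservers}
    return {"aa": True, "rcode": "NXDOMAIN"}


class RecursiveResolver:
    """Walks the hierarchy from the root hints and caches answers until their TTL expires."""

    def __init__(self):
        self.cache = {}          # qname -> (ip, absolute expiry time)
        self.queries_sent = []   # (server_ip, qname) log, to show what left the resolver

    def resolve(self, qname: str, now: float) -> Optional[str]:
        if not qname.endswith("."):
            qname += "."
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            return cached[0]                   # cache hit: nothing is sent upstream
        self.cache.pop(qname, None)            # expired entries are refetched, never served stale
        candidates = list(ROOT_HINTS)
        for _ in range(8):                     # bound the referral chain
            server_ip = candidates[0]
            self.queries_sent.append((server_ip, qname))
            resp = authoritative_query(server_ip, qname)
            if "answer" in resp:
                ip, ttl = resp["answer"]
                self.cache[qname] = (ip, now + ttl)
                return ip
            if "referral" in resp:
                candidates = [ip for _, ip in resp["referral"]]   # follow the glue addresses
                continue
            return None                        # NXDOMAIN or no usable data
        return None                            # referral loop, give up


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.example.com", now=0), r.queries_sent)         # root, .com, example.com
    print(r.resolve("www.example.com", now=100), len(r.queries_sent))  # cache hit, still 3
    print(r.resolve("www.example.com", now=301), len(r.queries_sent))  # TTL expired, now 6
```

Real resolvers also cache the referrals themselves (the NS records and glue), so a later lookup of another .com name starts at the .com servers rather than the root, and they try the other listed name servers when the first one fails. The expiry check here is the behaviour that matters for security: a record must not be served past its TTL, and nothing outside the answer section for the name asked about is written into the cache.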
Use Cases
- Internet Service Providers (ISP) for their customers.
- Internal corporate networks.
- Public services like Google DNS or Cloudflare DNS.
Common Software
- BIND (named) in recursive mode
- Unbound
- PowerDNS Recursor
- Knot Resolver
Comparison
| Characteristic | Authoritative | Recursive |
|---|---|---|
| Main function | Store and serve DNS records | Search and resolve queries |
| Data source | Local database | Queries to other servers |
| Cache | Not applicable | Yes, according to TTL |
| Queries other servers | No | Yes |
| Authoritative response | Yes (aa flag) | No |
| Typical client | Recursive resolvers | End users and applications (stub resolvers) |
Can a Server Be Both?
Yes, technically a server can act as authoritative for some zones and as recursive for other queries. However, this configuration is not recommended in production for security and performance reasons:
- Security: an authoritative server for a public zone must answer queries from anyone, so if the same server also recurses it becomes an open resolver. Open resolvers are abused for DDoS reflection and amplification attacks and are exposed to cache-poisoning attempts from the whole Internet.
- Performance: the roles have different load patterns and optimizations (a large cache and many outbound queries on one side, serving static zone data at high rate on the other).
- Best practices: separating roles allows more restrictive, role-specific configurations, for example recursion limited to internal clients on the resolver and recursion disabled entirely on the authoritative server.
Configuration Examples
Authoritative Server
In this scenario, you configure a server that is the official source for example.com. It answers only queries for that zone and has recursion disabled, so it will not look up other names on a client's behalf.
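What that looks like in BIND, as an added example rather than configuration from the original article: a named.conf with recursion switched off and a single zone, followed by the zone file that is the source of truth. File paths, the secondary's address (192.0.2.2) and the record values are assumptions for the example.

```conf
// /etc/bind/named.conf (authoritative-only server)
options {
    directory "/var/cache/bind";
    recursion no;                     // never resolve names on a client's behalf
    allow-query { any; };             // the zone is public, anyone may ask about it
    allow-transfer { 192.0.2.2; };    // only the secondary may pull the zone (AXFR)
    minimal-responses yes;
};

zone "example.com" IN {
    type master;                      // "primary" in newer BIND releases
    file "/etc/bind/zones/db.example.com";
    notify yes;                       // tell the secondary when the serial changes
};

; /etc/bind/zones/db.example.com (the zone data itself)
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2024010101 ; serial
            7200       ; refresh
            900        ; retry
            1209600    ; expire
            300 )      ; negative-cache TTL
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.
ns1     IN A    192.0.2.53
ns2     IN A    192.0.2.2
www     IN A    192.0.2.1
```

With recursion disabled, a query for a name outside example.com is rejected instead of being looked up, and the allow-transfer list keeps the full zone from being dumped by anyone who asks for an AXFR.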
Recursive Server
In this scenario, you configure a server that resolves any domain for your internal clients. It is not authoritative for any public domain; it only looks up answers and caches them.
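The matching BIND configuration for the resolver, again as an added example and not configuration from the original article. The internal address ranges, the listening address and the cache size are assumptions.

```conf
// /etc/bind/named.conf (recursive resolver for internal clients)
acl internal { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    directory "/var/cache/bind";
    listen-on { 10.0.0.53; };         // only on the internal interface
    recursion yes;
    allow-recursion { internal; };    // not an open resolver: recursion for our clients only
    allow-query { internal; };
    dnssec-validation auto;           // validate signed answers before caching them
    max-cache-size 256M;
};
// No zone statements: this server owns no data and answers everything from its cache
// or by walking the hierarchy from the built-in root hints.
```

The allow-recursion and allow-query restrictions are what keep this from becoming the open resolver described above; verify them from outside the network with a query that should be refused.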
Public DNS Services (Recursive)
These are publicly available recursive servers:
| Provider | IPv4 | IPv6 |
|---|---|---|
| Google | 8.8.8.8, 8.8.4.4 | 2001:4860:4860::8888, 2001:4860:4860::8844 |
| Cloudflare | 1.1.1.1, 1.0.0.1 | 2606:4700:4700::1111, 2606:4700:4700::1001 |
| Quad9 | 9.9.9.9, 149.112.112.112 | 2620:fe::fe, 2620:fe::9 |
| OpenDNS | 208.67.222.222, 208.67.220.220 | 2620:119:35::35, 2620:119:53::53 |
Summary
- Authoritative: "I own this information and I give it to you directly."
- Recursive: "I don't have the information, but I'll search for it and bring it back to you."
Both types are essential for the functioning of the Internet. Authoritative servers store the original information, while recursive servers facilitate access to that information for end users.