Authoritative Vs Recursive DNS: What You Need To Know

Listen to this article instead

There are two types of DNS servers: authoritative and recursive

Authoritative DNS servers are the authority on DNS records and store DNS record information while recursive DNS servers interact directly with the end user. The recursive DNS server reads a user’s DNS request and either uses cached data to respond or attempts to discover the answer and then respond. The recursive DNS server is able to discover the answer by seeing what is stored on the authoritative DNS servers.

More detail on authoritative vs. recursive DNS

When you attempt to access a domain, your computer sends what is known as a DNS request or query. Every time you access a website, you’re making a DNS request. But you’re not always using authoritative DNS servers when you access a site. While you always rely on recursive servers, sometimes authoritative servers are not part of the process as stated above.

Recursive DNS is often called the “middleman” of DNS, but I think it could be more aptly referred to as the “workhorse” of DNS. It’s involved in every single DNS query, connecting the dots between end users and either authoritative name servers or cached information.

Let’s break it down even further. Please note that the following is a simplified version and this process can actually involve more steps. However, if you’re unfamiliar with types of DNS, this is a good breakdown of the usual process.

Authoritative DNS

As stated above, authoritative DNS servers are just that: the authority on DNS records for a domain.

The IP addresses (and other DNS data) of websites are stored on authoritative name servers. But in order for them to provide the correct IP, the DNS query needs to start at the root zone and travel downward so the recursive server knows exactly where to find the IP address. Domains are organized in a hierarchy by the top level domain, or TLD. By this we mean, there's information at the top, pointing to more below, which ultimately ends with the domain itself. 

Let’s extend the metaphor of DNS as “the phonebook of the internet.” If we are looking for the number (in this case IP address) for the domain of DNSFilter, you would first flip to the "com" section of the address book (the root and TLD servers), then look for "" (stored on the authoritative servers) where you would finally find the number you were after.

Recursive DNS

So while authoritative DNS servers “hold” the information, recursive DNS servers are discovering information about domains for you. This can be a lengthy process. 

It’s important to remember that there are billions of registered domains. In Q1 of 2021 alone, 363.5 million top-level domain names were registered. That means there is a lot happening behind the scenes (and all occurring very quickly!) directing recursive DNS to the correct authoritative name server.

The recursive resolver is the part of the system that's doing all the work here: flipping through each part of the address book until it finds the information you're really after.

When it's done this, it saves a copy of the data locally for a period of time. This is called caching. The amount of time data is cached for is determined by the TTL, or "time to live". This means that if the recursive resolver is asking for an address you’ve already visited within the TTL, it doesn't have to repeat the whole process again—it just sends back the information it has.

When you implement DNS protection and content filtering like DNSFilter, this is done through the DNS resolver.

In some cases, DNS queries aren't directly prompted by something the user is doing. This occurs when a user doesn’t directly request a domain, but rather a domain that was requested needs other domains in order to function properly. In these instances, it’s a machine-generated DNS query. I wrote a blog about TikTok network usage that gives examples of how this works. But even in these cases, DNSFilter will block malicious domains.

So even if you never actively navigate to a malicious site, sites you access may attempt to send malicious requests. With a DNS security solution like DNSFilter, you’re protected by even these background queries.

Start putting a barrier between your DNS requests and DNS resolution to better protect your organization. Get a free trial of DNSFilter today.

  • There are no suggestions because the search field is empty.
Latest posts
Traversing the World of AI with Judy Security Traversing the World of AI with Judy Security

Raffaele Mautone, CEO of Judy Security, recently joined us for an interview session around the increasing presence of AI in cybersecurity. This insightful Q&A session sheds light on how AI is integrated into Judy Security's operations. Raffaele also touches on the broader implications of AI for the future, making a compelling case for its strategic use in both day-to-day operations and long-term security strategies.

Exploring the Security of Free Public Wi-Fi with eero Exploring the Security of Free Public Wi-Fi with eero

There is no doubt that Wi-Fi has become an essential part of our daily lives, enabling us to stay connected whether we're at home, at work, or on the go. However, the convenience of wireless networks comes with significant security risks that can compromise personal and sensitive information. 

Revving Up the Fun: DNSFilter's IndyCar Experience Recap —Laguna Seca Edition Revving Up the Fun: DNSFilter's IndyCar Experience Recap —Laguna Seca Edition

Another exciting race weekend with Juncos Hollinger Racing and Romain Grosjean has come to a close! We co-hosted the IndyCar race at Laguna Seca road course with our pals at Pax8, our logos alongside each other on Grosjean’s No. 77 car. Clearly this teamwork paid off, with Romain finishing the race in his team-best position!

Explore More Content

Ready to brush up on something new? We've got even more for you to discover.