Authoritative Vs. Recursive DNS: Understanding the Types of DNS Servers
by Serena Raymond on May 21, 2025 1:45:00 PM
When considering the types of DNS servers, it’s important to understand where authoritative DNS servers and recursive DNS servers fit into the broader DNS ecosystem. In fact, the entire DNS lookup chain depends on both types, though they serve distinctly different roles. By gaining deeper insight into how these two server types interact, who maintains them, and why their differences matter, you’ll have a more complete picture of the Domain Name System as a whole. The differences between recursive and authoritative DNS affect your organization, and this article explains why.
Where Recursive and Authoritative Fit Into the DNS Infrastructure
The DNS resolution process is a journey that starts with a user request and ends with finding the correct IP address of a requested domain. On one side of the spectrum, you have recursive DNS servers—often operated by your ISP, public or private DNS providers, or security and filtering services. These recursive servers are the first point of contact for your DNS queries.
Recursive DNS is often called the “middleman” of DNS, but it could be more aptly referred to as the “workhorse” of DNS. It’s involved in every single DNS query, connecting the dots between end users and either authoritative name servers or cached information.
At the other end are authoritative DNS servers. These are controlled by domain owners, domain registrars, web hosting providers, and DNS hosting services. They store the official DNS records—think of them as the “source of truth” for a given domain. While a user does not directly interact with them, the recursive server consults these authoritative servers to ultimately deliver an accurate IP address.
Every time you access a website, you’re making a DNS request. But you’re not always using authoritative DNS servers when you access a site. You always rely on recursive servers, but authoritative servers are sometimes not part of the process: as noted above, the recursive server can answer from cached information instead.
Who Uses Which and Why?
- Recursive DNS servers: End users, small businesses, large corporations, and anyone connecting to the Internet rely on recursive DNS. These servers handle all DNS queries from the user’s perspective—fetching, caching, and filtering queries as necessary. They are often operated by your ISP or a public DNS provider and may integrate DNS security solutions like DNSFilter to protect against malicious domains.
- Authoritative DNS servers: Domain owners, DNS hosting providers, and enterprises managing their own DNS infrastructure rely on authoritative DNS servers. By maintaining these authoritative records, they ensure that the world knows exactly where to find their domains. Changes to a website’s IP address, subdomains, or mail server configurations are reflected here.
Authoritative DNS
As stated above, authoritative DNS servers are just that: the authority on DNS records for a domain.
The IP addresses (and other DNS data) of websites are stored on authoritative name servers. But in order for them to provide the correct IP, the DNS query needs to start at the root zone and travel downward so the recursive server knows exactly where to find the IP address. Domains are organized in a hierarchy by the top level domain, or TLD. By this we mean, there's information at the top, pointing to more below, which ultimately ends with the domain itself.
Let’s extend the metaphor of DNS as “the phonebook of the Internet.” If you are looking for the number (in this case, the IP address) for the domain of DNSFilter, you would first flip to the "com" section of the address book (the root and TLD servers), then look for "dnsfilter.com" (stored on the authoritative servers), where you would finally find the number you were after.
Recursive DNS
So while authoritative DNS servers “hold” the information, recursive DNS servers are discovering information about domains for you. This can be a lengthy process.
The recursive resolver is the part of the system that's doing all the work here: flipping through each part of the address book until it finds the information you're really after.
Once it has done this, it saves a copy of the data locally for a period of time. This is called caching. The amount of time data is cached for is determined by the TTL, or "time to live". This means that if the recursive resolver is asked for an address you’ve already visited within the TTL, it doesn't have to repeat the whole process again; it just sends back the information it has.
When you implement DNS protection and content filtering like DNSFilter, this is done through the DNS resolver.
In some cases, DNS queries aren't directly prompted by something the user is doing. This occurs when a user doesn’t directly request a domain, but rather a domain that was requested needs other domains in order to function properly. In these instances, it’s a machine-generated DNS query. This article on TikTok network usage gives examples of how this works. But even in these cases, DNSFilter will block malicious domains.
So even if you never actively navigate to a malicious site, sites you access may attempt to send malicious requests. With a DNS security solution like DNSFilter, you’re protected even from these background queries.
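The lookup, caching, and filtering behaviour described in this section, as an added example (not DNSFilter's code): a toy resolver over constructed in-memory zone data walks root, TLD, and authoritative servers in turn, caches the answer for its TTL, and refuses blocklisted domains before doing any lookup. The class name, server labels, and records are assumptions made for illustration.

```python
import time

# Constructed delegation data (reserved example names, documentation IPs).
# A server either refers the resolver one level down or answers (ip, ttl).
ROOT = {"com.": ("referral", "tld-com"), "net.": ("referral", "tld-net")}
SERVERS = {
    "tld-com": {"example.com.": ("referral", "ns-com")},
    "tld-net": {"example.net.": ("referral", "ns-net")},
    "ns-com": {"www.example.com.": ("answer", "192.0.2.10", 300)},
    "ns-net": {"cdn.example.net.": ("answer", "198.51.100.66", 60)},
}


class RecursiveResolver:
    def __init__(self, blocklist=(), clock=time.monotonic):
        # Domains refused by policy, normalised to lowercase with a trailing dot.
        self.blocklist = {d.lower().rstrip(".") + "." for d in blocklist}
        self.clock = clock               # injectable so TTL expiry is testable
        self.cache = {}                  # name -> (ip, expires_at)
        self.upstream_queries = 0        # servers contacted so far

    def resolve(self, name):
        name = name.lower().rstrip(".") + "."
        labels = name[:-1].split(".")
        # Longest suffix first: www.example.com., example.com., com.
        suffixes = [".".join(labels[i:]) + "." for i in range(len(labels))]
        # Filtering sits in the resolver, so it covers user-typed and
        # machine-generated queries alike, before any lookup work is done.
        if self.blocklist.intersection(suffixes):
            return ("blocked", None)
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return ("cache", hit[0])     # within TTL: no upstream traffic
        zone = ROOT                      # start at the root and walk down
        while True:
            self.upstream_queries += 1
            record = next((zone[s] for s in suffixes if s in zone), None)
            # An answer only counts for the exact name that was asked for.
            if record is None or (record[0] == "answer" and name not in zone):
                return ("nxdomain", None)
            if record[0] == "answer":
                _, ip, ttl = record
                self.cache[name] = (ip, self.clock() + ttl)
                return ("authoritative", ip)
            zone = SERVERS[record[1]]    # follow the referral
```

The `upstream_queries` counter makes the cache visible: it rises by three on a cold lookup and stays flat for repeat or blocked queries.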
Key Differences Between the DNS Servers
The following table breaks down the main differences between authoritative and recursive DNS servers. Use it as a quick reference to understand how these two types of DNS servers contrast in terms of function, maintenance, and role within the DNS lookup process.
| Aspect | Recursive DNS Server | Authoritative DNS Server |
| --- | --- | --- |
| Primary Function | Retrieves, caches, and resolves DNS queries for end users | Stores and provides the official DNS records for a domain |
| Maintained By | ISPs, public and private DNS providers, security & filtering services | Domain owners, hosting providers, DNS hosting companies |
| Role in DNS Process | First point of contact for a DNS query; retrieves answers | Final "source of truth" that holds the authoritative data |
| Security and Filtering | Can apply DNS filtering, block malicious domains, and integrate DNS security tools | Must ensure data integrity (often via DNSSEC) but cannot directly filter user queries |
How Understanding Different Types of DNS Helps You
Knowing the difference between authoritative vs recursive DNS helps you optimize your DNS strategy. For example, if you manage a company network, you can select a recursive DNS provider that offers robust DNS filtering to improve performance and security. On the other hand, if you own a domain, ensuring that your authoritative DNS servers are well-maintained, secure, and distributed across multiple geographic locations improves both reliability and load times.
Real-World Use Cases
- A small business relies on their ISP’s recursive DNS service for resolution of queries. By switching to a security-focused recursive DNS provider, they gain protection against malicious domains and improved performance.
- A large enterprise controlling multiple domains uses authoritative DNS services. They carefully manage TTL (time to live) values and DNSSEC to ensure customers always reach legitimate resources securely, no matter where they’re located.
Start Protecting Your Organization Via DNS Today
While both DNS servers are integral to how the Internet works, implementing a protective layer over your DNS queries can prevent attacks and downtime. Using a DNS filtering solution integrated at the recursive layer offers immediate protection against threats—even those lurking in the background of your network traffic.
Ready to level up your DNS security and performance? Get a free trial of DNSFilter or schedule a demo.
This article was originally published on June 16, 2021. It was updated on May 21, 2025.