Authoritative Vs Recursive DNS: What You Need To Know

There are two types of DNS servers: authoritative and recursive.

Authoritative DNS servers are the authority on DNS records and store the record data, while recursive DNS servers interact directly with the end user. A recursive DNS server reads a user's DNS request and either answers from its cache or discovers the answer and then responds. It discovers the answer by querying what is stored on the authoritative DNS servers.

More detail on authoritative vs. recursive DNS

When you attempt to access a domain, your computer sends what is known as a DNS request or query. Every time you access a website, you're making a DNS request. But you're not always using authoritative DNS servers when you access a site. You always rely on a recursive server, but, as noted above, when that server already has the answer cached the authoritative servers are not part of the process at all.

Recursive DNS is often called the “middleman” of DNS, but I think it could be more aptly referred to as the “workhorse” of DNS. It’s involved in every single DNS query, connecting the dots between end users and either authoritative name servers or cached information.

Let's break it down even further. Please note that the following is a simplified version and the real process can involve more steps. However, if you're unfamiliar with the types of DNS servers, this is a good breakdown of the usual process.

Authoritative DNS

As stated above, authoritative DNS servers are just that: the authority on DNS records for a domain.

The IP addresses (and other DNS data) of websites are stored on authoritative name servers. But in order for them to provide the correct IP, the DNS query needs to start at the root zone and travel downward so the recursive server knows exactly where to find the IP address. Domains are organized in a hierarchy: the root zone at the top points to the top-level domain (TLD) zone, which in turn points to the name servers for the domain itself.

Let's extend the metaphor of DNS as "the phonebook of the internet." If you are looking for the number (in this case the IP address) for the domain of DNSFilter, you would first flip to the "com" section of the address book (the root and TLD servers), then look for "" (stored on the authoritative servers), where you would finally find the number you were after.

Recursive DNS

So while authoritative DNS servers "hold" the information, recursive DNS servers discover information about domains for you. This can be a lengthy process.

It’s important to remember that there are billions of registered domains. In Q1 of 2021 alone, 363.5 million top-level domain names were registered. That means there is a lot happening behind the scenes (and all occurring very quickly!) directing recursive DNS to the correct authoritative name server.

The recursive resolver is the part of the system that's doing all the work here: flipping through each part of the address book until it finds the information you're really after.

Once it has the answer, it saves a copy of the data locally for a period of time. This is called caching. The amount of time data is cached for is determined by the TTL, or "time to live". This means that if the recursive resolver is asked for an address you've already visited within the TTL, it doesn't have to repeat the whole process: it just sends back the information it already has.

When you implement DNS protection and content filtering like DNSFilter, the policy is enforced at the recursive DNS resolver.
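To make the walk concrete, here is a small simulation of what the preceding sections describe: a recursive resolver that starts at the root, follows referrals to the TLD and then to the authoritative server, caches the answer for its TTL, and applies a blocklist before it does any lookup. This is an added example, not DNSFilter's code or any real resolver; the server names, the zone data and the blocked domain are all constructed, and `203.0.113.0/24` is the documentation address range. No network is involved, and the clock is injectable so the TTL behaviour can be exercised.

```python
import time
from typing import Dict, List, Optional, Set, Tuple

# Constructed toy hierarchy: one server per level of the tree. A server either holds
# the final record for the queried name or refers the resolver one level down.
SERVERS: Dict[str, dict] = {
    "root":    {"zone": ".",            "delegations": {"com.": "tld-com"},         "records": {}},
    "tld-com": {"zone": "com.",         "delegations": {"example.com.": "auth-ex"}, "records": {}},
    "auth-ex": {"zone": "example.com.", "delegations": {},
                # name -> (IPv4 address, TTL in seconds); constructed sample data
                "records": {"www.example.com.": ("203.0.113.10", 300)}},
}


def ask_authoritative(server_id: str, qname: str) -> Tuple[str, Optional[str], Optional[int]]:
    """The authoritative side. Returns ("answer", ip, ttl) when this server holds the
    record, ("referral", next_server, None) when a child zone is delegated, or
    ("nxdomain", None, None) when the name does not exist in this zone."""
    server = SERVERS[server_id]
    if qname in server["records"]:
        ip, ttl = server["records"][qname]
        return "answer", ip, ttl
    for child_zone, child_server in server["delegations"].items():
        if qname == child_zone or qname.endswith("." + child_zone):
            return "referral", child_server, None
    return "nxdomain", None, None


class RecursiveResolver:
    """The recursive side: walks root -> TLD -> authoritative, caches answers for
    their TTL, and refuses blocklisted names before any lookup happens (this is the
    point at which a protective resolver applies its filtering policy)."""

    def __init__(self, blocklist: Optional[Set[str]] = None, max_hops: int = 8):
        self.cache: Dict[str, Tuple[str, float]] = {}  # qname -> (ip, expiry timestamp)
        self.blocklist = blocklist or set()
        self.max_hops = max_hops  # guard against delegation loops in bad zone data

    def is_blocked(self, qname: str) -> bool:
        # A blocked domain also covers its subdomains.
        return any(qname == b or qname.endswith("." + b) for b in self.blocklist)

    def resolve(self, qname: str, now: Optional[float] = None) -> Tuple[str, Optional[str], List[str]]:
        """Returns (status, ip, servers_contacted). status is one of "blocked", "cache",
        "resolved", "nxdomain" or "servfail". `now` defaults to the wall clock."""
        now = time.time() if now is None else now
        if self.is_blocked(qname):
            return "blocked", None, []
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            return "cache", cached[0], []          # still within TTL: no servers asked
        contacted: List[str] = []
        server = "root"                             # every fresh walk starts at the root
        while len(contacted) < self.max_hops:
            contacted.append(server)
            kind, payload, ttl = ask_authoritative(server, qname)
            if kind == "answer":
                self.cache[qname] = (payload, now + ttl)
                return "resolved", payload, contacted
            if kind == "nxdomain":
                return "nxdomain", None, contacted
            server = payload                        # follow the referral downward
        return "servfail", None, contacted


if __name__ == "__main__":
    r = RecursiveResolver(blocklist={"bad.example.com."})
    print(r.resolve("www.example.com.", now=0))    # walks root, TLD, authoritative
    print(r.resolve("www.example.com.", now=299))  # inside the 300 s TTL: cache hit
    print(r.resolve("www.example.com.", now=300))  # TTL elapsed: full walk again
    print(r.resolve("bad.example.com.", now=0))    # refused before any server is asked
```

The third call shows why TTL matters to a defender: a cached answer is served without consulting anyone, so a record changed at the authoritative server (or a domain newly added to a blocklist upstream) is not seen until the cached copy expires. The blocklist check runs before the cache lookup so a name cannot be answered from cache after it has been blocked.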

In some cases, DNS queries aren't directly prompted by something the user is doing. This occurs when a user doesn't directly request a domain, but a domain that was requested needs other domains in order to function properly. In these instances, it's a machine-generated DNS query. I wrote a blog about TikTok network usage that gives examples of how this works. But even in these cases, DNSFilter will block malicious domains.

So even if you never actively navigate to a malicious site, sites you access may attempt to send malicious requests. With a DNS security solution like DNSFilter, you're protected even against these background queries.

Start putting a barrier between your DNS requests and DNS resolution to better protect your organization. Get a free trial of DNSFilter today.
