Authoritative Vs Recursive DNS: What You Need To Know

Listen to this article instead
4:30


There are two types of DNS servers: authoritative and recursive

Authoritative DNS servers are the authority on DNS records and store DNS record information while recursive DNS servers interact directly with the end user. The recursive DNS server reads a user’s DNS request and either uses cached data to respond or attempts to discover the answer and then respond. The recursive DNS server is able to discover the answer by seeing what is stored on the authoritative DNS servers.

More detail on authoritative vs. recursive DNS

When you attempt to access a domain, your computer sends what is known as a DNS request or query. Every time you access a website, you’re making a DNS request. But you’re not always using authoritative DNS servers when you access a site. While you always rely on recursive servers, sometimes authoritative servers are not part of the process as stated above.

Recursive DNS is often called the “middleman” of DNS, but I think it could be more aptly referred to as the “workhorse” of DNS. It’s involved in every single DNS query, connecting the dots between end users and either authoritative name servers or cached information.

Let’s break it down even further. Please note that the following is a simplified version and this process can actually involve more steps. However, if you’re unfamiliar with types of DNS, this is a good breakdown of the usual process.

Authoritative DNS

As stated above, authoritative DNS servers are just that: the authority on DNS records for a domain.

The IP addresses (and other DNS data) of websites are stored on authoritative name servers. But in order for them to provide the correct IP, the DNS query needs to start at the root zone and travel downward so the recursive server knows exactly where to find the IP address. Domains are organized in a hierarchy by the top level domain, or TLD. By this we mean, there's information at the top, pointing to more below, which ultimately ends with the domain itself. 

Let’s extend the metaphor of DNS as “the phonebook of the internet.” If we are looking for the number (in this case IP address) for the domain of DNSFilter, you would first flip to the "com" section of the address book (the root and TLD servers), then look for "dnsfilter.com" (stored on the authoritative servers) where you would finally find the number you were after.

Recursive DNS

So while authoritative DNS servers “hold” the information, recursive DNS servers are discovering information about domains for you. This can be a lengthy process. 

It’s important to remember that there are billions of registered domains. In Q1 of 2021 alone, 363.5 million top-level domain names were registered. That means there is a lot happening behind the scenes (and all occurring very quickly!) directing recursive DNS to the correct authoritative name server.

The recursive resolver is the part of the system that's doing all the work here: flipping through each part of the address book until it finds the information you're really after.

When it's done this, it saves a copy of the data locally for a period of time. This is called caching. The amount of time data is cached for is determined by the TTL, or "time to live". This means that if the recursive resolver is asking for an address you’ve already visited within the TTL, it doesn't have to repeat the whole process again—it just sends back the information it has.

When you implement DNS protection and content filtering like DNSFilter, this is done through the DNS resolver.

In some cases, DNS queries aren't directly prompted by something the user is doing. This occurs when a user doesn’t directly request a domain, but rather a domain that was requested needs other domains in order to function properly. In these instances, it’s a machine-generated DNS query. I wrote a blog about TikTok network usage that gives examples of how this works. But even in these cases, DNSFilter will block malicious domains.

So even if you never actively navigate to a malicious site, sites you access may attempt to send malicious requests. With a DNS security solution like DNSFilter, you’re protected by even these background queries.

Start putting a barrier between your DNS requests and DNS resolution to better protect your organization. Get a free trial of DNSFilter today.

Search
  • There are no suggestions because the search field is empty.
Latest posts
Maximizing Efficiency and Security: The Art of Safe Automation Maximizing Efficiency and Security: The Art of Safe Automation

Automation is no longer optional for companies looking to scale and operate their cyber defenses. It enables organizations to do more with less, eliminating rote and mundane tasks to free up valuable human resources for more strategic initiatives. However, if not used carefully, automation can amplify existing problems, making something bad even worse. So, how can we use automation effectively and safely?

Revving Up the Fun: DNSFilter's IndyCar Experience Recap — Nashville Edition Revving Up the Fun: DNSFilter's IndyCar Experience Recap — Nashville Edition

Our final race weekend at the Music City Grand Prix was an adrenaline-pumping experience that perfectly blended speed, technology, and unforgettable moments. It was a weekend full of thrills, camaraderie, and lightning-fast Wi-Fi in Nashville. Here’s a rundown of the highlights:

Ensuring Safety from Digital Threats in Educational Environments Ensuring Safety from Digital Threats in Educational Environments

As education relies more heavily on technology, the importance of ensuring the safety and media literacy of students continues to grow. Educational environments must navigate a complex landscape of online content, balancing the need for open access to information with the necessity of protecting students from harmful, inappropriate, or inaccurate material. Digital safety encompasses protecting students from online threats such as cyberbullying, m...

Explore More Content

Ready to brush up on something new? We've got even more for you to discover.