Authoritative vs Recursive DNS

Every DNS lookup involves two distinct jobs. One server has to go and find the answer, and another server has to actually know the answer. These jobs are handled by recursive servers and authoritative servers respectively, and almost no server does both at once.

Keeping the distinction straight makes the rest of DNS much easier to reason about: when a change is slow to appear it is usually a recursive cache issue, and when an answer is simply wrong it is usually an authoritative record issue.

A recursive resolver is the server your device talks to directly. Its job is to take your question and chase down the answer by querying other servers, following referrals from the root down to the authoritative nameservers until it has a definitive result.

• It does the legwork of resolution so your device does not have to.
• It caches every answer for the length of the record's TTL, so repeat lookups are fast.
• It owns no records of its own and is never the authority for any domain.
• Common examples are your ISP's resolver and public resolvers like 1.1.1.1 and 8.8.8.8.

For a deeper look at this side of the system, see our guide to the DNS resolver.

An authoritative nameserver holds the real records for a domain. When you log into your DNS provider and edit an A record or add an MX record, you are changing the data on your authoritative servers. They give definitive answers about the domains they are responsible for and nothing else.

• It stores the actual zone data for a domain and is the origin of every answer.
• It responds authoritatively, meaning its answer is treated as the truth rather than a cached guess.
• It does not go looking for answers about other domains; it only serves the zones it is responsible for.

For more on the servers that play this role, see what is a nameserver.

A single request shows both roles working together:

1. Your device sends the domain to its recursive resolver.
2. If the resolver has a fresh cached answer, it replies at once and the authoritative servers are never touched.
3. Otherwise the resolver asks a root server, then the TLD servers, each pointing it closer to the right place.
4. Finally the resolver asks the domain's authoritative nameservers, which return the definitive record.
5. The resolver caches that answer for its TTL and hands it back to your device.

So the recursive resolver is the messenger that gathers the answer, and the authoritative server is the office that issues it.

• Who it serves — recursive serves end users and applications; authoritative serves resolvers asking about its domains.
• What it stores — recursive stores temporary cached copies; authoritative stores the original zone records.
• Where edits land — you edit records on authoritative servers; recursive servers simply pick up the change once their cache expires.
• What goes wrong — slow updates point to recursive caching; wrong answers point to authoritative records.

Because the authoritative records are the ones that truly define your domain, they are the ones worth watching closely. ZoneWatcher monitors your authoritative records and nameservers continuously and alerts you the moment any of them change.