DNS Deep Dive (7 min read)

Authoritative vs Recursive DNS Servers

Understand the two types of DNS servers: authoritative servers that hold records and recursive resolvers that look them up.

Two Fundamentally Different Roles

DNS infrastructure relies on two distinct server types that work together to answer every DNS query:

  • Authoritative DNS servers store the actual DNS records for a domain and provide definitive answers.
  • Recursive DNS resolvers look up records on behalf of clients by querying the DNS hierarchy.

Understanding this distinction is essential for DNS troubleshooting, performance optimization, and security configuration.

Authoritative DNS Servers

An authoritative server is the source of truth for a domain's DNS records. When asked about a domain it hosts, it responds with the definitive answer (not from cache):

Query: "What is the IP for example.com?"
Authoritative server for example.com:
  -> "93.184.216.34" (authoritative answer, AA flag set)

Key characteristics:

  • Hosts zone files containing A, AAAA, MX, TXT, CNAME, and other records.
  • Responds only for domains it is configured to serve.
  • Returns errors (NXDOMAIN or REFUSED) for domains it does not host.
  • Does not perform recursive lookups for other domains.

Popular authoritative DNS providers:

  • Cloudflare DNS -- Free, fast, with DDoS protection.
  • AWS Route 53 -- Integrated with AWS services.
  • Google Cloud DNS -- Anycast-based with global coverage.
  • Self-hosted -- BIND, PowerDNS, NSD, Knot DNS.

Recursive DNS Resolvers

A recursive resolver does the legwork of DNS resolution. When a client asks for a domain, the resolver queries the DNS hierarchy (root -> TLD -> authoritative) and returns the final answer:

Client -> Recursive resolver: "Where is example.com?"
Resolver -> Root server: "Who handles .com?"
  -> .com TLD: "Who handles example.com?"
    -> example.com authoritative: "93.184.216.34"
Resolver -> Client: "93.184.216.34" (cached for TTL)

Key characteristics:

  • Acts on behalf of end-user clients.
  • Caches responses to speed up subsequent queries.
  • Follows referrals through the DNS hierarchy.
  • Validates DNSSEC signatures when configured.

Popular recursive resolvers:

  • 1.1.1.1 (Cloudflare) -- Fastest, privacy-focused.
  • 8.8.8.8 (Google) -- Reliable, widely used.
  • 9.9.9.9 (Quad9) -- Security-focused, blocks malicious domains.
  • Your ISP -- Automatically configured via DHCP.

How to Tell Them Apart

# Check if a server is authoritative for a domain
dig example.com @ns1.example.com
# Look for "flags: ... aa" (Authoritative Answer)

# Check if a server is a recursive resolver
dig example.com @8.8.8.8
# Look for "flags: ... rd ra" (Recursion Desired, Recursion Available)
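The flags dig prints come straight from the 16-bit flags word of the DNS header (RFC 1035 section 4.1.1). The following added example, not from the original article, decodes that header from raw bytes and classifies the answering server the same way the dig checks above do: aa set means an authoritative answer, ra set means the server offers recursion, and REFUSED with neither means an authoritative-only server was asked about a zone it does not host. The three sample headers are constructed inline rather than captured from real servers.

```python
import struct

# Bit masks for the DNS header flags word (RFC 1035 section 4.1.1)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_MASK = 0x000F
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into flags and section counts."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & RCODE_MASK
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": RCODES.get(rcode, str(rcode)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def dig_flags(header: dict) -> str:
    """Render the flags in the order dig prints them, e.g. 'qr aa rd'."""
    return " ".join(name for name in ("qr", "aa", "tc", "rd", "ra") if header[name])


def classify(header: dict) -> str:
    """Map header flags to the role the responding server played."""
    if not header["qr"]:
        return "query (not a response)"
    if header["aa"]:
        return "authoritative answer"
    if header["ra"]:
        return "recursive resolver answer"
    if header["rcode"] == "REFUSED":
        return "refused: not authoritative for this name and recursion not available"
    return "non-authoritative answer, recursion not available"


def build_header(txid: int, *, response: bool, aa: bool = False, rd: bool = True,
                 ra: bool = False, rcode: int = 0, ancount: int = 0) -> bytes:
    """Construct a header for testing (one question, no authority/additional records)."""
    flags = (QR if response else 0) | (AA if aa else 0) | (RD if rd else 0) \
        | (RA if ra else 0) | (rcode & RCODE_MASK)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


# Constructed sample headers, not captured traffic
AUTH_REPLY = build_header(0x1234, response=True, aa=True, rd=True, ancount=1)   # from ns1.example.com
RESOLVER_REPLY = build_header(0x1235, response=True, rd=True, ra=True, ancount=1)  # from 8.8.8.8
REFUSED_REPLY = build_header(0x1236, response=True, rd=True, rcode=5)              # foreign zone, no recursion

if __name__ == "__main__":
    for pkt in (AUTH_REPLY, RESOLVER_REPLY, REFUSED_REPLY):
        h = parse_header(pkt)
        print(f"flags: {dig_flags(h)}; status: {h['rcode']} -> {classify(h)}")
```

Feed `parse_header` the first 12 bytes of any UDP DNS response (for example from a socket or a pcap) and it reproduces the `flags:` and `status:` fields you would otherwise read out of dig's output.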

Running Both

Some organizations run both types:

  • Authoritative for their own domains (company.com).
  • Recursive resolver for internal users to resolve external domains.

It is a security best practice to keep these roles on separate servers. Combining them on one server increases the attack surface: a recursive resolver reachable from the Internet can be abused for reflection and amplification and is exposed to cache poisoning, and a compromise or outage of that shared host also takes down the authoritative service for the organization's own zones.
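As an added illustration of the separation, not taken from the article: two BIND 9 `named.conf` fragments, one for an authoritative-only server and one for an internal recursive resolver. The zone name company.com is the article's; the file paths, ACL name and private address ranges are constructed, and `type primary` assumes BIND 9.16 or later (older releases spell it `type master`).

```conf
// Server 1: authoritative only, reachable from the Internet.
options {
    directory "/var/named";
    recursion no;                 // never resolve on behalf of clients
    allow-query { any; };         // anyone may ask about our zones
    allow-transfer { none; };     // zone transfers only to explicitly listed secondaries
};

zone "company.com" IN {
    type primary;                 // "master" on BIND < 9.16
    file "company.com.zone";
};

// Server 2: recursive resolver for internal users only, hosts no zones.
acl internal { 10.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };   // refuse recursion for outside sources
    allow-query { internal; };       // do not answer the Internet at all
    dnssec-validation auto;          // validate signatures on what we fetch
};
```

With this split, `dig company.com @server1` returns `aa` and `dig example.com @server1` returns REFUSED, while only hosts in the internal ACL ever see `ra` from server 2.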

Performance Implications

  • Authoritative speed depends on server location and anycast deployment. Use a provider with global PoPs for low latency worldwide.
  • Resolver speed depends on cache hit rate and proximity to the client. Public resolvers like 1.1.1.1 use anycast to minimize latency.
