What is the difference between Authoritative Nameserver and Recursive Resolver?

I am new to networking and all this DNS thing.

I have the following questions

  • What is an Authoritative Nameserver ?
  • What is a Recursive Resolver ?

Please help/ guide me out on this.

I have read Authoritative Nameserver, but I was not able to clearly understand it. Can one please explain me in some simple terms.


Solution 1:

An authoritative Nameserver is a nameserver (DNS Server) that holds the actual DNS records (A, CNAME, PTR, etc) for a particular domain/ address. A recursive resolver would be a DNS server that queries an authoritative nameserver to resolve a domain/ address.

So, for example, If I have a a DNS server in my network that holds an A record for foobar.com, my DNS server would be authoritative for the foobar.com domain.

If clients needed to access foobar.com, they could query my DNS server and they would get an authoritative response.

However, if a client needed to access contoso.com, and they queried my DNS server, it would not have records to resolve that domain. In order for my DNS server to resolve contoso.com, it would need to use recursive lookups (via Forwarders or Root Hints). My DNS server would be set to send queries for domains for which it is not authoritative, to another DNS server. That DNS server would do the same, until the query reached a DNS server that was authoritative for contoso.com. That DNS server would return the proper records, which would be passed all the way back down to the client.

This is an oversimplification, as there are other things in play here, like caching records.

Solution 2:

I have the following questions

  • What is an Authoritative Nameserver ?
  • What is a Recursive Resolver ?

Please note that "resolver" and "nameserver" are not exactly synonymous, and that you ask about a nameserver in the first case and a resolver in the second.

An authoritative nameserver is one that satisfies queries from its own data without needing to reference another source. Unless it is also a recursive nameserver (a practice which is generally deprecated) it will answer only with authoritative data from its own store (which can come from a zone master file, from a copy of that data transferred from a master server, from a database, from dynamic DNS, be built in, etc.) or with a referral (e.g. "I don't know that answer, but you can talk to server so-and-so, who answers questions for this subdomain..), or with an NXDOMAIN or similar error.

A recursive nameserver is one that satisfies queries by asking other nameservers for the answer, traversing the tree from the root level of the DNS tree if necessary. If it does not know the answer it will attempt to find it for the querying client.

A resolver is (collectively) the set of functionality that a DNS-aware system uses to query DNS.

  • Most client systems have a stub resolver, which knows only in a very basic fashion how to query a DNS server and how to receive an answer, but which does not contain logic for following a delegation chain from the root.
  • A recursing resolver is a full-service resolver which can traverse the tree to find an answer to a query.
  • Recursive nameservers must contain the functionality of a recursing resolver in order to function, but other programs may contain recursing resolvers without performing the functions of a nameserver. An excellent example is the utility / DNS-troubleshooting program "dig" (distributed by ISC as a part of BIND) which contains a full recursing resolver.

DNS concepts which are sometimes confused with the distinction between authoritative and recursive:

There are several DNS concepts which people sometimes confuse with the split between authoritative and recursive data.

Delegation

This one confuses quite a few people, particularly because the name of the SOA (start of authority) resource record type contains the word "authority" which sounds as though it should be related to "authoritative." However, you can serve authoritative data for a zone which is not delegated to you, and many people do. Examples include DNS-based content blocking and servers which provide authoritative answers for RFC 1918 zones [i.e. nobody has delegated you authority to answer PTR record queries for 168.192.in-addr.arpa (192.168.0.0/16) and similar zones but it's not a bad idea for your server to answer such queries authoritatively rather than leak queries for those zones to the internet, where nobody is delegated to answer them. ISC BIND and other nameservers provide built-in zone data for these private address space zones to prevent the in-addr.arpa servers from being bombarded with queries that cannot be referred.]

It is not required that you be delegated authority for a zone in order for answers to be considered authoritative.

Master and Slave

Slave servers, even though they get their zone data from another source, are still authoritative servers, as they are satisfying queries with data from their own storage (of whatever type) rather than satisfying it by relaying the queries recursively to other nameservers.

Slave servers are authoritative servers (for the zones they serve.)