Types of DNS Servers Explained: Recursive, Authoritative, Root
DNS is a hierarchical distributed system. Behind every successful dig lookup is a chain of servers — root, TLD, authoritative, and recursive. This article shows how they interact, who owns what, and why understanding the model is critical to debugging domain issues.
The DNS hierarchy
Domains form a tree with an empty root (.) at the top:
. (root)
|
com / org / ru (TLD)
|
example.com (SLD / 2nd level)
|
www.example.com (subdomain)
Root servers
13 logical root servers (a.root-servers.net through m.root-servers.net), backed by hundreds of physical anycast instances worldwide. They only know the addresses of TLD servers (.com, .org, .ru, etc.) and handle the first step of recursion.
- Operators — 12 organisations (ICANN / VeriSign / NASA and others) coordinated by IANA.
- Traffic — about 1 trillion queries per day.
- Technology — BGP anycast: a single IP served by thousands of servers across all regions.
TLD servers
Handle a specific Top-Level Domain: .com, .org, .ru, .io. They store NS records for every second-level domain inside their TLD.
- gTLD (.com, .org) — generic.
- ccTLD (.ru, .de) — country-specific.
- new gTLD (.io, .app, .dev) — recent additions.
Authoritative DNS
The source of truth for a zone. When you register a domain and set ns1.cloudflare.com and ns2.cloudflare.com — those are your authoritative servers.
- Primary (Master) — holds the master zone. All edits happen here.
- Secondary (Slave) — replicates the zone from the primary via AXFR/IXFR. Provides redundancy.
- Hidden primary — the primary is not exposed to the public; only secondaries answer queries.
Recursive DNS resolvers
The service your client talks to. It doesn't store zone data — it walks root, TLD, authoritative, assembles the answer, and caches it.
Public recursive examples:
- Cloudflare — 1.1.1.1 / 1.0.0.1
- Google — 8.8.8.8 / 8.8.4.4
- Quad9 — 9.9.9.9 (blocks malicious domains)
- OpenDNS — 208.67.222.222
- Yandex — 77.88.8.8
Caching DNS
A subtype of recursive resolver. Its main job is to cache answers and minimise queries to authoritative servers. In practice every recursive server is also a caching server.
Local device caching:
- Windows — DNS Client service.
- macOS — mDNSResponder.
- Linux — systemd-resolved, nscd, dnsmasq.
Forwarder / Stub resolver
Stub resolver — a simple library in the OS that forwards queries to whatever resolver is configured in resolv.conf. Does not recurse.
Forwarder — a DNS server that passes queries to another recursive resolver instead of walking the tree itself. Common in corporate networks for centralising DNS traffic.
Full resolution path
- Browser asks the OS for www.example.com.
- OS checks its cache. On a miss, it sends the query to the configured recursive resolver (ISP or 1.1.1.1).
- Recursive checks its cache. On a miss, it queries a root server.
- Root replies "ask the .com TLD" and returns the TLD server IPs.
- Recursive asks the .com TLD: "where is example.com?" The TLD returns NS records (ns1.cloudflare.com).
- Recursive asks the authoritative: "give me A for www.example.com".
- Authoritative returns the record.
- Recursive caches and returns the answer to the client.
See the full chain with:
dig +trace www.example.com
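To make the walk above concrete, here is an added example (not code from the original article) of a toy recursive resolver that follows NS referrals from a root hint through the TLD to the authoritative server and then caches the answer by TTL. All three "servers", their placeholder IPs and the zone data are constructed for this example; nothing is sent over the network.

```python
import time

# Constructed hierarchy for this example: three fake servers with placeholder IPs
# (documentation ranges), one per layer. Each maps a zone name to either a
# referral (child zone + NS glue addresses) or a final A answer with its TTL.
ROOT_IP, TLD_IP, AUTH_IP = "198.51.100.250", "192.0.2.1", "192.0.2.10"
SERVERS = {
    ROOT_IP: {"com": {"referral": ("com", {"a.gtld-servers.example": TLD_IP})}},
    TLD_IP:  {"example.com": {"referral": ("example.com", {"ns1.example.net": AUTH_IP})}},
    AUTH_IP: {"www.example.com": {"answer": ("198.51.100.7", 300)}},
}

def ask(server_ip, qname):
    """Simulate one query: a server answers for any name at or below a zone it holds."""
    for zone, data in SERVERS[server_ip].items():
        if qname == zone or qname.endswith("." + zone):
            return data
    return {}   # the server knows nothing about this name (NXDOMAIN-like)

class Resolver:
    """Minimal recursive resolver: walks root -> TLD -> authoritative, caches by TTL."""
    def __init__(self, clock=time.time):
        self.cache = {}      # qname -> (ip, expiry timestamp)
        self.clock = clock   # injectable clock so TTL expiry can be exercised
        self.queries = []    # (server_ip, qname) log, shows which layer was hit

    def resolve(self, qname):
        hit = self.cache.get(qname)
        if hit and hit[1] > self.clock():
            return hit[0], "cache"          # answer served without any upstream query
        server = ROOT_IP
        for _ in range(8):                  # bound the referral chain
            self.queries.append((server, qname))
            resp = ask(server, qname)
            if "answer" in resp:
                ip, ttl = resp["answer"]
                self.cache[qname] = (ip, self.clock() + ttl)
                return ip, server           # server is the authoritative that answered
            if "referral" in resp:
                _zone, glue = resp["referral"]
                server = next(iter(glue.values()))   # follow the first glue address
                continue
            return None, server             # dead end: no answer and no referral
        return None, server

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com"), r.queries)
    print(r.resolve("www.example.com"))     # second lookup is served from cache
```

The query log is the offline counterpart of what dig +trace prints: one hop per layer on a cold cache, none on a warm one, and the full walk again once the TTL has passed.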
In practice
Compare recursive vs authoritative:
# Recursive (cached)
dig A example.com @8.8.8.8
# Direct to authoritative (bypass cache)
dig NS example.com +short
dig A example.com @ns1.example.com
Or use Enterno.io DNS Lookup — it shows the resolution path and answer source.
DNS and security
- DNSSEC — authoritative answers are signed, validated by the recursive.
- DoH / DoT — encrypted transport between client and recursive.
- Rate limiting — caps queries per second on authoritative servers to resist DDoS.
- Anycast — geographically distributed root and TLD.
FAQ
- Why exactly 13 root servers?
- Due to the legacy 512-byte UDP limit (RFC 1035) — 13 name servers were the maximum that fit in a single NS response.
- Does a recursive resolver store my zone?
- No, it only caches answers fetched from the authoritative. When you edit a record, the cache expires at TTL.
- Primary vs secondary?
- Primary is the edit source. Secondary mirrors the zone via transfer — for redundancy.
- Should I have primary and secondary at the same provider or different?
- Different providers give better resilience — immune to single-provider DDoS.
Conclusion
Knowing the roles root, TLD, authoritative, recursive lets you localise any DNS failure quickly. Use DNS Lookup and Propagation Checker to inspect each layer, and enable NS monitoring for continuous uptime tracking.