When people say “the DNS server,” they are usually collapsing two very different roles into one idea. In reality, DNS is split between recursive resolvers and authoritative name servers, each with a distinct job and a strict boundary of responsibility.
Understanding that split explains why DNS behaves the way it does under load, during outages, and when things go wrong.
Two roles, one system
DNS works because different servers agree to answer different questions.
At a high level:
- Recursive resolvers find answers.
- Authoritative name servers publish answers.
They cooperate, but they do not overlap.
This separation is not optional. It is foundational to how DNS scales.
What a recursive resolver does
A recursive resolver is the component that does the work on behalf of a client.
When a laptop, phone, or application needs an IP address for a name, it sends a query to a recursive resolver and effectively says:
“Please find the answer for me.”
The resolver then:
- Checks its cache.
- If no cached answer exists, walks the DNS hierarchy.
- Returns the final answer to the client.
- Caches the result for future queries, respecting TTLs.
Clients almost never contact authoritative servers directly. They rely on a recursive resolver to do that work.
Example: a laptop asks its resolver for www.example.com. The resolver has no cached entry, so it queries a root server, then a .com server, then the authoritative servers for example.com. The final A record is returned to the laptop and cached.
Recursive resolvers are optimized for:
- Caching
- Performance
- Handling large volumes of client queries
- Hiding DNS complexity from end devices
What an authoritative name server does
An authoritative name server does not search. It does not recurse. It does not cache answers for others.
Its job is simpler and stricter:
- Store DNS records for zones it is responsible for
- Answer queries only for those zones
- Respond with authority or not at all
If an authoritative server does not host the zone being queried, it returns a referral or no answer. It does not attempt to help further.
This constraint is deliberate. Authority must be unambiguous.
Authoritative servers are optimized for:
- Correctness
- Availability
- Consistent answers for the zones they serve
Why these roles are separated
It is tempting to imagine a single server that both finds answers and publishes them. DNS deliberately avoids this design.
Separating recursion from authority:
- Prevents circular dependencies
- Allows caching to exist without corrupting authority
- Limits blast radius when something misbehaves
- Enables independent scaling of resolution and publishing
Operationally, this separation is one of the reasons DNS can survive partial outages and still function.
What recursive resolvers are not allowed to do
A recursive resolver must not invent answers. It can only return:
- Cached data it previously learned
- Data retrieved from authoritative sources
It cannot:
- Modify authoritative data
- Override TTLs (except in limited local policy contexts)
- Pretend to be authoritative for zones it does not control
When resolvers violate these constraints, debugging becomes extremely difficult. Many DNS pathologies trace back to resolvers behaving outside their role.
What authoritative servers are not allowed to do
An authoritative server must not:
- Perform recursion for clients
- Guess answers outside its zones
- Cache answers for unrelated domains
If an authoritative server attempts recursion, it blurs the trust boundary DNS depends on. For this reason, most authoritative platforms disable recursion entirely.
How this looks in a real lookup
The client never sees the root, TLD, or authoritative servers directly. It sees only the resolver.
This indirection is intentional.
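Each server's role in a lookup like this is visible in the header flags of its response: AA marks an authoritative answer, RA marks a server that offers recursion, and a referral carries only name server records in the authority section. The Python below is an added example, not part of the original article. It decodes the 12-byte header and audits a response from a server that is supposed to be authoritative-only. The function names and sample messages are constructed for illustration, and the samples are header-only.

```python
import struct

# Header flag bits from RFC 1035 section 4.1.1.
QR, AA, RA = 0x8000, 0x0400, 0x0080

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header that starts every message."""
    if len(msg) < 12:
        raise ValueError("DNS message is shorter than its 12-byte header")
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    return {"response": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "answers": an, "authority": ns}

def classify(msg: bytes) -> str:
    """Name the role the responding server played for this message."""
    h = parse_header(msg)
    if not h["response"]:
        return "query"
    if h["rcode"] == 5:                # RCODE 5 = REFUSED
        return "refused"               # server declines a name outside its zones
    if h["aa"]:
        return "authoritative"         # the zone's own server is speaking
    if h["rcode"] == 0 and h["answers"] == 0 and h["authority"] > 0:
        return "referral"              # "not mine, ask these name servers"
    if h["ra"] and h["answers"] > 0:
        return "recursive"             # resolver relaying cached or fetched data
    return "other"

def audit_authoritative(msg: bytes) -> list:
    """Findings for a response from a server that should be authoritative-only."""
    h = parse_header(msg)
    findings = []
    if h["ra"]:
        findings.append("RA set: server offers recursion")
    if classify(msg) == "recursive":
        findings.append("non-authoritative answer: server resolved an outside name")
    return findings

def sample(flags: int, answers: int = 0, authority: int = 0) -> bytes:
    """Constructed header-only message (id 0x1234, one question) for the demo."""
    return struct.pack("!6H", 0x1234, flags, 1, answers, authority, 0)

# Constructed samples, not captured traffic.
ROOT_REFERRAL = sample(0x8000, authority=13)   # QR only, NS records in authority
ZONE_ANSWER = sample(0x8400, answers=1)        # QR | AA
RESOLVER_ANSWER = sample(0x8180, answers=1)    # QR | RD | RA
MISCONFIGURED = sample(0x8480, answers=1)      # QR | AA | RA
OUT_OF_ZONE = sample(0x8005)                   # QR, RCODE 5 (REFUSED)
```

An empty list from `audit_authoritative` means the response stayed inside the authoritative role; any finding means the server is also acting as a resolver.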
Why this distinction matters operationally
Many DNS problems become easier to reason about once you ask a simple question:
Is this failure happening at the recursive layer or the authoritative layer?
Examples:
- Slow browsing often points to resolver issues or cache misses
- Incorrect records usually indicate authoritative data problems
- Intermittent behavior may be caused by inconsistent caching across resolvers
Security implications follow the same boundary. Attackers often target resolvers for amplification and authority infrastructure for domain abuse, but the mechanics differ because the roles differ.
Summary
Recursive resolvers and authoritative name servers serve different purposes:
- Resolvers find and cache answers for clients
- Authoritative servers publish answers for zones they control
They cooperate through clear, enforced boundaries. DNS works at internet scale because those boundaries exist and are respected.
Once you understand who is allowed to answer which questions, many DNS behaviors stop being mysterious and start feeling inevitable.