
I'm trying to understand DNS a bit better, but I still don't get A and NS records completely.

As far as I understood, the A record tells which IP address belongs to a (sub)domain; so far it was still clear to me. But as I understood, the NS record tells which nameserver belongs to a (sub)domain, and that nameserver should tell which IP address belongs to a (sub)domain. But that was already specified in the A record in the same DNS file. So can someone explain to me what the NS records and nameservers exactly do, because I probably understood something wrong.

edit: If I understand you correctly, an NS record tells you where to find the DNS server with the A record for a certain domain, and the A record tells you which IP address belongs to a domain. But what is the use of putting an A and an NS record in the same DNS file? If there is already an A record for a certain domain, then why do you need to point to another DNS server, which would probably give you the same information?

Tiddo
  • Forgive the hubris on an old question, but I'm a DNS admin and I do not consider any of the upvoted answers to adequately explain the problem. I can relate to this question because I had the same confusion myself in my early days. I've contributed an answer of my own. – Andrew B May 30 '16 at 19:15

7 Answers


Some examples out of the fictitious foo.com zone file

 ....... SOA record & lots more stuff .......
 foo.com.      IN        NS        ns1.bar.com.

 foo.com.      IN        A         192.168.100.1
 ....... More A/CNAME/AAAA/etc. records .......

A Record = "The host called foo.com lives at address 192.168.100.1"
NS Record = "If you want to know about hosts in the foo.com zone, ask the name server ns1.bar.com"

daveslab
voretaq7
  • I love foobar references. :D – JohnThePro Jan 20 '11 at 23:18
  • Same as above, that's what I understood, but what's the use of the NS record in files where you already have an A record for that host – Tiddo Jan 20 '11 at 23:18
  • @Tiddo a big reason is that slave servers are usually notified of zone changes because they're listed as NS records. Also if you query the authoritative server for `ns1.foo.com`'s address in the process of looking up something else and the record doesn't exist there you'll get `NXDOMAIN` and Bad Things will happen (but it will work for people who queried the `com` parent server, since presumably there would be glue A records there) – voretaq7 Jan 20 '11 at 23:26
  • @JohnThePro - my other option was example.com, and I hate example.com references :-) – voretaq7 Jan 20 '11 at 23:29
  • @voretaq7 so basically the NS records are used as a backup mechanism and to notify those nameservers when the ip-address of the domain changes? – Tiddo Jan 20 '11 at 23:30
  • @tiddo and as a signpost as described above & in lots of the other answers. There may be other things that look at NS records that I'm forgetting about, but those are the two big ones that jump to mind. – voretaq7 Jan 20 '11 at 23:42

This is an old question, but I think the other answers aren't really touching on the source of the confusion. NS records at the apex follow a different set of rules than NS records beneath the apex.

From those rules, we can derive two different behaviors for what happens when an A record exists on a DNS server with the same name:

  • If the NS record does not define a referral, other data can exist alongside it in the same zone. Since the server considers itself authoritative for both the NS record and the A record, there is no conflict. This is why other data commonly lives alongside the NS records at the apex of a zone.
  • If the NS record does define a referral, then the A record is effectively "masked" by a zone cut. This A record is not authoritative, and must not show up in the answer section of an authoritative response. It can potentially be used as glue data which shows up in the additional section of the referral, but that's it.

Confusing? Yeah, it is. Drop a note in the comments if you have trouble following this and I'll see what I can do.

Andrew B
  • What do you mean by APEX? – Ryan-Neal Mes Jun 01 '18 at 22:01
  • @Ryan-Neal The `NS` records at the top of the zone file. – Andrew B Jun 03 '18 at 04:46
  • @Andrew B - The source of confusion is still there - I read your answer again and again and understood most of the concepts, but for me things get hazy when you say "A record exists on a DNS server with the same name" - same name as what? Same name as the delegated NS record? I know you are referring to glue records - 2 example records, i.e. NS records for each case (for referral and no referral), can really help. Can you enhance your answer please? – Abhishek Palakkal Kaliyath Jun 02 '20 at 18:55
  • It would have been a good explanation if there was a sample zone file provided, detailing where the delegation happens and where the zone cut is happening etc. I am still in an endless loop of figuring out the need for NS records at the authoritative server :-( – Abhishek Palakkal Kaliyath Jun 02 '20 at 19:09
  • @AbhishekPalakkalKaliyath Re: "still in an endless loop of figuring out the need for NS records", does [this answer](https://serverfault.com/a/764957/152073) help more? If not, I'll create a chat room and we can discuss it further. – Andrew B Jun 02 '20 at 22:39
  • @Andrew B, Thank you. I should have been clear in my comments. The need for glue records is clear, i.e. when a domain's name server resides within the domain. The endless loop part is in fact not about this discussion - it is on the need for NS records at both parent and child zones. I read your other post - https://serverfault.com/q/588244/577132 which explains 'Subordinate identification' & 'Authoritative definition'. On the 'Authoritative definition' part, do you mean to say NS records that live on the child side of the referral are the most trustworthy and recursive resolvers rely on trustworthiness – Abhishek Palakkal Kaliyath Jun 03 '20 at 03:27
  • @AbhishekPalakkalKaliyath Essentially, yes. The job of a recursive nameserver is to find an *authoritative answer*. An authoritative answer is a reply from a nameserver that has the AA (authoritative answer) flag set to 1. To reduce comment spam, [I will continue in this chat](https://chat.stackexchange.com/rooms/108894/authoritative-vs-non-authoritative-ns-records). – Andrew B Jun 04 '20 at 19:52

An A record maps a name to an IP address. E.g.

binary.example.com.         IN  A       192.168.1.42

states that binary.example.com. resolves to 192.168.1.42

An NS record maps a name to another nameserver, i.e. another DNS server that serves that domain. I.e. "I've no idea of the IP address of this name, but if you go ask that nameserver over there, it might know"

binary.example.com.            IN      NS      otherbox.example.com.
otherbox.example.com.          IN       A      192.168.1.2

If you ask a DNS server that has the above 2 records for binary.example.com. (or www.binary.example.com. or foo.bar.binary.example.com.), it'll tell you that you'll have to go ask 192.168.1.2 to translate those names (well, or the DNS server could do that for you, or it could have the resolved names cached and return them to you.)

nos
  • Often you'll see DNS records which specify NS and A records for the same domains. But if an NS record tells where to find the A record, then what is the use of the NS record in that same file, if the A record is already there? – Tiddo Jan 20 '11 at 23:25
  • this was my favorite explanation among all ! – Benjamin Dec 26 '18 at 10:14
  • yes, I agree with @Benjamin - this goes to show that the so-called highest or most (and sometimes most recent) upvoted answer is not necessarily the best for a concise answer. – nate Dec 27 '20 at 16:34

It is important to have both NS and A records in a zone if you need to delegate a sub-zone to a different DNS server.

E.g. we have the DNS server ns1.bar.com authoritative for the zone bar.com, and we need to delegate foo.bar.com to ns1.foo.bar.com. So we need to create the zone foo.bar.com and put these records there:

foo.bar.com.     IN NS ns1.foo.bar.com.
ns1.foo.bar.com. IN A  10.10.10.10

If we don't have the A record, delegation won't work. Such record pairs are called glue records.

Glue records are the only way for the DNS system to find the exact IP of the authoritative DNS server for a non-root zone. If you check any domain for an NS record using dig, or look at a traffic dump with Wireshark, you'll see that there's an 'additional' section in the answer.

;; ANSWER SECTION:
foo.bar.com.             10800   IN      NS      ns1.foo.bar.com.

;; ADDITIONAL SECTION:
ns1.foo.bar.com.         7972    IN      A       10.10.10.10

When doing a recursive request, e.g. for www.foo.bar.com, your DNS client will ask for the DNS server authoritative for the foo.bar.com zone and get the answer ns1.foo.bar.com.

To go further it needs to send an A request for ns1.foo.bar.com, which is served by... ns1.foo.bar.com. To break out of the loop, the delegating DNS server should add this additional section, with the A record.

The server ns1.foo.bar.com should have the same records in its zone, so it can be authoritative for the foo.bar.com zone.

DukeLion
  • Was having a hard time getting my head around the chicken and egg problem until I saw your glue record explanation! – Jon Skarpeteig Jun 21 '16 at 06:25
  • Thanks, I think the key point is, the returned answer of an NS record has also the corresponding A record. – BAKE ZQ Sep 09 '20 at 11:36
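As an added illustration (not code from any of the answers), the toy model below puts Andrew B's two rules and DukeLion's glue example side by side: an NS record at the apex sits next to the apex A record and is answered authoritatively, while an NS record below the apex creates a zone cut, so names under it get a referral (NS in AUTHORITY, glue A in ADDITIONAL, AA flag clear) and the A record at the cut is masked. The zone data, names and addresses are constructed for the example; `delegations_missing_glue` flags the "ask ns1.foo.bar.com for the address of ns1.foo.bar.com" loop DukeLion describes.

```python
# Constructed toy zone for bar.com.: (owner name, type, rdata). Not a real zone file.
ORIGIN = "bar.com."
ZONE = [
    ("bar.com.", "NS", "ns1.bar.com."),          # apex NS: no referral, coexists with the A
    ("bar.com.", "A", "192.0.2.1"),
    ("ns1.bar.com.", "A", "192.0.2.53"),
    ("foo.bar.com.", "NS", "ns1.foo.bar.com."),  # NS below the apex: a zone cut (referral)
    ("foo.bar.com.", "A", "192.0.2.99"),         # masked by the zone cut, never in ANSWER
    ("ns1.foo.bar.com.", "A", "10.10.10.10"),    # glue for the delegated name server
]

def rrs(zone, name, rtype):
    """All records in `zone` with this owner name and type."""
    return [rr for rr in zone if rr[0] == name and rr[1] == rtype]

def in_zone(name):
    return name == ORIGIN or name.endswith("." + ORIGIN)

def zone_cut(zone, name):
    """Closest delegation point at or above `name`; the apex is never a cut."""
    labels = name.split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand != ORIGIN and in_zone(cand) and rrs(zone, cand, "NS"):
            return cand
    return None

def answer(zone, qname, qtype):
    """AA flag plus the three sections an authoritative server would send for this query."""
    resp = {"aa": False, "answer": [], "authority": [], "additional": []}
    if not in_zone(qname):
        return resp                       # not our zone; a real server would refuse
    cut = zone_cut(zone, qname)
    if cut is None:                       # authoritative data: apex NS and A side by side
        resp["aa"] = True
        resp["answer"] = rrs(zone, qname, qtype)
        return resp
    resp["authority"] = rrs(zone, cut, "NS")          # referral, AA stays 0
    for _, _, nsname in resp["authority"]:
        if in_zone(nsname):                           # in-zone NS names carry glue
            resp["additional"] += rrs(zone, nsname, "A")
    return resp

def delegations_missing_glue(zone):
    """NS names under their own cut that have no A record here, so a resolver would
    have to ask the delegated server for its own address."""
    return [ns for name, t, ns in zone
            if t == "NS" and name != ORIGIN and ns.endswith("." + name)
            and not rrs(zone, ns, "A")]
```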

The NS records specify the servers which are providing DNS services for that domain name.

The A records point host names (such as www, ftp, mail) to one or more IP addresses.

mrdenny

NS records exist SOLELY for the purpose of defining WHICH NAMESERVERS are responsible for a particular domain.

An A record exists to "ADDRESS" a particular machine, or service.

Examples for you:

In your DNS Control Panel, you'll see some NS records, these are your NAMESERVERS, or primary machine responsible for telling the internet where stuff on your domain resides.

NS1.CP.COM NS2.CP.COM

Also inside of your DNS Panel, you'll have a domain that you own (i.e. mikesfunhouse.com) that you need to have some services, like a website, on.

So what you'll do is have a Primary A record, pointing "mikesfunhouse.com" to "76.19.87.956" (obviously fake IP).

Then you'll make another record, a www record, which will redirect the subdomain "www." portion to your primary site.

In short, you use A records to convert a namespace to an IP address.

JohnThePro

The nameserver record tells the Internet which DNS server holds the A records, so to look up an A record for a subdomain it's roughly the following process:

Look up the nameservers for the domain -> Query the nameserver for the subdomain's A record

James L
  • But if the A records are already in that same file, why should you specify the NS records? – Tiddo Jan 20 '11 at 23:16
  • It's all about what you're looking for. The NS record is like the starting point. If a server had NEVER EVER visited your domain before, it would first find the NS server responsible for your domain. After it identified that server, it would query it for the A record of the domain in question. – JohnThePro Jan 20 '11 at 23:43