Warning: much oversimplification ahead:
Authoritative Server
An authoritative server is a server that only answers DNS questions about the zone(s) it controls or owns: a selfish, myopic server, but a highly efficient one too.
In that sense, an authoritative server does not provide a decent or meaningful answer to any general question about zones it does not control or own.
Collectively, only authoritative servers hold the DNS answers for their own zones, and they answer with an authoritative stance. And rightfully so, for they are the ones who own those zones.
That is all they know and do. You just need to go and find these authoritative servers … somehow.
Recursive Server
A recursive server is a server that, as a rule, collects all the needed answers for any DNS-related question from just about anyone or anything.
Some recursive servers are devious and answer selectively based on geography, privacy policy, or the classic ISP trick of catching all your mistyped domain requests with a nice “sales pitch”.
For each part of a domain name (the labels separated by periods), a recursive server will work very hard to seek out the correct authoritative nameserver for that part of the domain name. Each such part of a domain name is also called a zone.
A recursive server is also a server that does additional lookups toward other authoritative servers in order to get an answer for a question about a hostname, a domain name, or any other DNS record type it may have been asked for. Most commonly, that answer is “see that next authoritative server for a more specific answer”.
A recursive server does its lookups as follows:
- ask a root server for the authoritative server of the top-level domain (TLD) part,
- receive the IP address of the authoritative server for the TLD zone from the root server,
- ask the TLD authoritative server about the 2nd-level part of the domain name,
- receive the IP address of the authoritative server for the 2nd-level zone from the TLD server,
- ask the 2nd-level authoritative server about the 3rd-level part of the domain name,
- receive the IP address of the authoritative server for the 3rd-level zone from the 2nd-level authoritative server,
- ask the 3rd-level authoritative server about the 4th-level part of the domain name,
- receive, this time, not a nameserver but a DNS record (commonly an ‘A’ record) whose answer contains an IP address.
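The walk down the delegation chain above, as an added example that is not code from the original post: a handful of constructed authoritative servers, each knowing only its own zone, and a `resolve()` function that starts at a root hint and follows each referral to the glue address it carries. All zone names, server names and IP addresses (taken from the RFC 5737 documentation ranges) are constructed placeholders, and the `REFUSED` response for out-of-zone questions models the "not my zone, no meaningful answer" behaviour described for authoritative servers.

```python
"""Toy model of iterative DNS resolution: a recursive server walking the
delegation chain from the root down to the authoritative server.

Added example, not from the original post. All names and addresses are
constructed placeholders (RFC 5737 documentation ranges).
"""

ROOT_HINT_IP = "192.0.2.0"  # the one address a recursive server is preconfigured with

# Which zone each constructed authoritative server owns.
SERVER_ZONE = {
    "192.0.2.0": ".",
    "192.0.2.1": "com.",
    "192.0.2.2": "example.com.",
    "192.0.2.3": "sub.example.com.",
}

# Constructed zone contents: delegations (child zone -> (NS name, glue IP))
# and terminal A records. Each server knows only its own zone.
ZONES = {
    ".": {"delegations": {"com.": ("a.gtld.example.", "192.0.2.1")}, "records": {}},
    "com.": {"delegations": {"example.com.": ("ns1.example.com.", "192.0.2.2")}, "records": {}},
    "example.com.": {
        "delegations": {"sub.example.com.": ("ns1.sub.example.com.", "192.0.2.3")},
        "records": {"www.example.com.": "198.51.100.10"},
    },
    "sub.example.com.": {"delegations": {}, "records": {"host.sub.example.com.": "203.0.113.5"}},
}


def in_zone(name: str, zone: str) -> bool:
    """True if name is at or below zone (both fully qualified, trailing dot)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def ask(server_ip: str, qname: str):
    """Simulate one query to an authoritative server.

    Returns (rcode, payload): ("ANSWER", ip), ("REFERRAL", (ns_name, glue_ip)),
    ("NXDOMAIN", None), or ("REFUSED", None) for names outside the server's zone.
    """
    zone = SERVER_ZONE[server_ip]
    data = ZONES[zone]
    if not in_zone(qname, zone):
        return "REFUSED", None  # not my zone: no meaningful answer
    if qname in data["records"]:
        return "ANSWER", data["records"][qname]
    # The longest matching delegation (most specific child zone) wins.
    for child in sorted(data["delegations"], key=len, reverse=True):
        if in_zone(qname, child):
            return "REFERRAL", data["delegations"][child]
    return "NXDOMAIN", None


def resolve(qname: str, max_hops: int = 10):
    """Walk the delegation chain from the root hint downward, like a recursive server.

    Returns (ip_or_None, trail) where trail lists (server_ip, zone, rcode) per hop.
    """
    qname = qname.lower()
    if not qname.endswith("."):
        qname += "."
    server_ip, trail = ROOT_HINT_IP, []
    for _ in range(max_hops):
        rcode, payload = ask(server_ip, qname)
        trail.append((server_ip, SERVER_ZONE[server_ip], rcode))
        if rcode == "ANSWER":
            return payload, trail
        if rcode == "REFERRAL":
            _ns_name, glue_ip = payload  # follow the glue address to the next server
            server_ip = glue_ip
            continue
        return None, trail  # NXDOMAIN or REFUSED: give up
    return None, trail  # delegation loop or chain too deep: give up


if __name__ == "__main__":
    for name in ("host.sub.example.com", "www.example.com", "nope.example.com"):
        ip, trail = resolve(name)
        print(name, "->", ip)
        for hop, (srv, zone, rcode) in enumerate(trail, 1):
            print(f"  {hop}. asked {srv} (authoritative for {zone!r}): {rcode}")
```

Running the script prints the hop-by-hop trail: `host.sub.example.com` takes four queries (root, TLD, 2nd-level, 3rd-level), `www.example.com` three, and a name that does not exist ends with an `NXDOMAIN` from the server that owns the closest enclosing zone. A real recursive server also caches every delegation and answer it sees, which is why the second lookup under the same zone is so much faster than the first.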
They will work very hard to provide you with a complete and concise answer, or give up trying.
If the recursive server happens to have zones it owns or controls, it will answer with those too (and quickest of all); they are the nice guys, but badly abused.
They are a favorite target of DDoS actors world-wide. Keep those recursive servers of yours within your trusted but firewalled network.
Recursive What?
A resolver is a loose term. Most UNIX users would associate a resolver with that mini-DNS-lookup built into every networkable operating system (such as libnss.so and /etc/resolv.conf).
A resolver does the work of relaying each DNS-related request from the application (or end-user) to the recursive server and waiting for its final, complete answer before relaying it back to the application.
For each request the resolver receives, it starts by relaying the request to the first working nameserver listed in the /etc/resolv.conf file. Resolvers are your most indispensable component for interacting with the Internet in general.
“Recursive resolver” sounds like it is entirely within the same host, which is done by both running a DNS recursive server (such as dnsmasq or named configured as recursive-only) and having the OS resolver point to localhost:53.
Network engineers, who try to usher all their corporate DNS traffic toward their firewalled bastion nameserver, will frown upon those recursive resolvers unless they are properly configured to do forwarding-only toward the protected recursive nameserver(s).
In those corporate networks, PCs with recursive resolvers (that start at the root servers) or with forwarding-only to a non-corporate recursive nameserver just needlessly spray nasty packet noise within the corporate network and may trip up intrusion detection systems.
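A small defender-side check for the resolv.conf concern above, added here as an example and not code from the original post: it parses the `nameserver`, `search`/`domain` and `options` lines of a resolv.conf (the subset the OS resolver acts on) and flags any nameserver that does not lie inside the networks where the corporate recursive nameservers live. The sample file contents, the `10.0.0.0/8` "corporate" range and the `192.0.2.53` outside address are constructed placeholders.

```python
"""Parse a resolv.conf and audit its nameserver entries against an allow-list.

Added example, not from the original post. The file contents and network
ranges below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ResolvConf:
    nameservers: list = field(default_factory=list)
    search: list = field(default_factory=list)
    options: dict = field(default_factory=dict)


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse the resolv.conf(5) keywords that matter here: nameserver, search/domain, options."""
    conf = ResolvConf()
    for raw in text.splitlines():
        # Both '#' and ';' start a comment; blank lines are ignored.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "nameserver" and args:
            # The resolver tries these in listed order (glibc honours at most the first three).
            conf.nameservers.append(args[0])
        elif keyword in ("search", "domain"):
            conf.search = args  # a later search/domain line overrides an earlier one
        elif keyword == "options":
            for opt in args:
                key, _, value = opt.partition(":")
                conf.options[key] = value or True  # flag options (e.g. rotate) carry no value
    return conf


def audit_nameservers(conf: ResolvConf, allowed_networks):
    """Return nameserver entries outside the allowed networks (a hypothetical site policy)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    outside = []
    for ns in conf.nameservers:
        try:
            addr = ipaddress.ip_address(ns.split("%", 1)[0])  # drop an IPv6 scope id such as %eth0
        except ValueError:
            outside.append(ns)  # unparsable entry: flag it rather than silently skip it
            continue
        if not any(addr in net for net in nets):
            outside.append(ns)
    return outside


# Constructed sample, as a DHCP client might have written it.
SAMPLE_RESOLV_CONF = """\
# Generated by a hypothetical DHCP client (constructed sample)
search corp.example.com example.com
nameserver 10.0.0.53      ; corporate recursive nameserver (placeholder)
nameserver 10.0.0.54
nameserver 192.0.2.53     # placeholder for a resolver outside the corporate network
options timeout:2 attempts:3 rotate
"""

CORPORATE_NETWORKS = ("10.0.0.0/8",)  # placeholder: where the bastion recursive nameservers live

if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("nameservers:", conf.nameservers)
    print("flagged:", audit_nameservers(conf, CORPORATE_NETWORKS))
```

A host whose resolv.conf points at `127.0.0.1` is flagged by this check as well, which is deliberate: the file alone cannot tell whether the local dnsmasq or named instance forwards to the corporate nameservers or recurses from the root, so that host deserves a look at its forwarding configuration rather than an automatic pass.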