The 3 types of DNS servers and how they work



Not all DNS servers are created equal, and understanding how the three different types of DNS servers work together to resolve domain names can be useful for any information security or IT professional.

DNS is a basic Internet technology that translates user-friendly domain names into machine-usable IP addresses, for example www.example.com to 192.0.2.1. DNS works like a distributed database, in which different types of DNS servers are responsible for different parts of the DNS namespace.

The three types of DNS servers are:

  1. DNS stub resolver
  2. Recursive DNS resolver
  3. Authoritative DNS server

Figure 1 below illustrates the three different types of DNS server.

A stub resolver is a software component normally present in endpoint hosts; it generates DNS queries when application programs running on desktops or mobile devices need to resolve domain names. Queries issued by stub resolvers are typically sent to a recursive DNS resolver, which makes as many further queries as necessary to obtain the answer to the original query and then returns that answer to the stub resolver.

Figure 1. The three different types of DNS servers interact to provide correct and current mappings of domain names to IP addresses.

The recursive resolver can reside in a home router, be hosted by an Internet service provider, or be provided by a third party, such as Google's public recursive DNS resolver at 8.8.8.8 or Cloudflare's DNS service at 1.1.1.1.

Since DNS works as a distributed database, different servers are responsible – authoritative in DNS language – for different parts of the DNS namespace.

Figure 2 illustrates a hypothetical DNS resolution scenario in which an application uses all three types of DNS servers to resolve the domain name www.example.com to an IPv4 address, that is, to look up its DNS address (A) resource record.

Figure 2. DNS servers cooperate to accurately resolve an IP address from a domain name.

In step 1, the host's stub resolver sends a DNS query to the recursive resolver. In step 2, the recursive resolver sends the query to one of the authoritative name servers for the root zone. The root server does not have the answer to the query, but it can provide a referral to the authoritative name servers for the .com zone. The recursive resolver therefore sends the query to an authoritative name server for the .com zone.

This process continues until the query finally reaches an authoritative name server for the example.com zone, which can answer the original question: what are the IP addresses of www.example.com? Finally, in step 8, that answer is returned to the stub resolver.
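The following is an added example, not code from the original article, that carries the exchange above (the stub query of step 1, the referral chain of steps 2 to 7 and the final reply of step 8) through in working code. It encodes real RFC 1035 wire-format messages, but the root, .com and example.com servers are simulated in-process so that it runs offline: the server addresses (RFC 5737 documentation ranges) and the name server `a.gtld-servers.test.` are constructed, and only 192.0.2.1 for www.example.com comes from the article. It goes slightly beyond the figure by decoding compressed names and by applying two checks a real recursive resolver must make before trusting a response: the transaction ID must match the outstanding query, and a referral and its glue are only accepted for a zone that actually contains the queried name (the "bailiwick" rule).

```python
import random
import socket
import struct

# Constructed servers for the walk-through (RFC 5737 documentation addresses; none are real).
ROOT_SERVER = "192.0.2.10"
ZONES = {
    ROOT_SERVER:     {"referral": ("com.", "a.gtld-servers.test.", "198.51.100.30")},
    "198.51.100.30": {"referral": ("example.com.", "ns1.example.com.", "203.0.113.53")},
    "203.0.113.53":  {"answer": ("www.example.com.", "192.0.2.1")},   # the article's example answer
}

def encode_name(name):
    """'www.example.com.' -> length-prefixed labels terminated by a zero byte (RFC 1035 3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset just past the field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(qname, rd):
    """A/IN query. A stub sets RD=1; a resolver walking the tree asks authoritative servers with RD=0."""
    header = struct.pack("!HHHHHH", random.randrange(0x10000), 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(query, answers=(), authority=(), additional=(), flags=0x8400):
    """Echo the query's ID and question, then append RRs given as (owner, type, rdata). 0x8400 = QR|AA."""
    def rr(owner, rtype, rdata):
        return encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), len(authority), len(additional))
    return header + query[12:] + b"".join(rr(*r) for sec in (answers, authority, additional) for r in sec)

def parse_response(msg):
    """Return (qid, answers, authority, additional); each RR is (owner, type, rdata as text)."""
    qid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, sections = 12, []
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4             # skip QNAME, QTYPE, QCLASS
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10                                  # only NS (2) and A (1) rdata occur in this example
            rdata = decode_name(msg, off)[0] if rtype == 2 else socket.inet_ntoa(msg[off:off + rdlen])
            off += rdlen
            rrs.append((owner, rtype, rdata))
        sections.append(rrs)
    return (qid, *sections)

def authoritative_server(ip, query):
    """Simulated authoritative server: answers from its own zone, otherwise returns a referral plus glue."""
    zone = ZONES[ip]
    if "answer" in zone:
        owner, addr = zone["answer"]
        return build_response(query, answers=[(owner, 1, socket.inet_aton(addr))])
    child, ns_name, glue_ip = zone["referral"]
    return build_response(query, authority=[(child, 2, encode_name(ns_name))],
                          additional=[(ns_name, 1, socket.inet_aton(glue_ip))])

def recursive_resolve(qname, root=ROOT_SERVER):
    """Steps 2-7: follow referrals from a root server down to the server authoritative for qname."""
    server, path = root, []
    for _ in range(8):                                     # bound the referral chain
        query = build_query(qname, rd=False)
        qid, answers, authority, additional = parse_response(authoritative_server(server, query))
        if qid != struct.unpack("!H", query[:2])[0]:       # not a reply to our question: drop it
            raise RuntimeError("unexpected transaction ID from %s" % server)
        path.append(server)
        if ips := [rd for owner, rtype, rd in answers if rtype == 1 and owner == qname]:
            return ips, path
        # Bailiwick check: only a referral for a zone containing qname, and glue for the servers it names, may steer us.
        ns_names = [rd for o, rtype, rd in authority if rtype == 2 and (qname == o or qname.endswith("." + o))]
        glue = {owner: rd for owner, rtype, rd in additional if rtype == 1 and owner in ns_names}
        if not glue:
            raise RuntimeError("no usable referral from %s; would need to resolve %s first" % (server, ns_names))
        server = next(iter(glue.values()))
    raise RuntimeError("referral chain too long")

def stub_lookup(qname):
    """Steps 1 and 8: the stub sends RD=1; the recursive resolver replies with QR|RD|RA (0x8180) and the answer."""
    query = build_query(qname, rd=True)
    ips, path = recursive_resolve(qname)
    reply = build_response(query, answers=[(qname, 1, socket.inet_aton(ip)) for ip in ips], flags=0x8180)
    return [rd for _o, rtype, rd in parse_response(reply)[1] if rtype == 1], path
```

Calling `stub_lookup("www.example.com.")` returns `["192.0.2.1"]` together with the path of servers consulted, root first. A real recursive resolver would additionally cache every record it learns along the way, so that the next query for anything under example.com can skip the root and .com hops entirely; the ID and bailiwick checks are what keep a forged or out-of-zone response from poisoning that cache.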

One thing to note is that, unless an encrypted transport such as DNS over TLS or DNS over HTTPS is in use, all of these DNS messages are transmitted in the clear, so anyone on the path, including malicious actors, can monitor which names users look up. Anyone administering DNS servers should be aware of DNS privacy issues and of the ways in which these threats can be mitigated.

