
What does it mean "Authoritative DNS server"?



Please, help me to clarify.

Thanks for your help
James R. Ferguson
Acclaimed Contributor

Re: What does it mean "Authoritative DNS server"?


An authoritative DNS server is one that has a complete copy of a domain's information. That is, a copy that is not simply cached from another server.

There are a number of good articles on the web, including:


Alexander Chuzhoy
Honored Contributor

Re: What does it mean "Authoritative DNS server"?

Whenever there's an Authoritative answer from the DNS query (by using nslookup, dig or other DNS querying tools) - it means that the zone actually resides on the queried DNS server.

And, as opposed to it, non-authoritative answer means that other DNS servers were contacted for the information.
Honored Contributor

Re: What does it mean "Authoritative DNS server"?

A DNS server can have two roles: an "authoritative" role and a "resolver" role.

A "resolver" DNS server gets DNS requests from ordinary hosts and tries to find "authoritative" DNS servers that know the answers for those requests. If the correct authoritative server is found, the resolver server will relay the answer to the host that made the query. Usually, the resolver server will also store the information in its cache, in case it's needed again in the near future.

If a DNS answer is marked "non-authoritative", it means it came from a DNS cache; in theory, there might already be newer information available at the original source.

If a DNS server is "authoritative" for some DNS zone (= a domain or a set of domains), this means it is configured to always have a complete and up-to-date dataset about that particular zone.

If an authoritative DNS server says some hostname does not exist in a domain it's authoritative for, that means it really does not exist, by definition: if something is trying to tell you otherwise, that thing is either misconfigured or malicious.

If a non-authoritative DNS server answers that it cannot find some host, it means it could not reach any of the authoritative servers for that particular domain and did not have that information in its cache.

A DNS server can simultaneously be authoritative for some zones, and act as a resolver for any other zones. However, in enterprise usage, the recommended practice is to disable the "resolver" role from authoritative DNS servers, to make some DNS attacks impossible.

When you configure nameservers to /etc/resolv.conf, you'll need the "resolver" nameservers; when you're registering a new host or sub-domain to the DNS system, you'll need the "authoritative" nameservers.

If you want your domain to be accessible in the Internet, the "authoritative" DNS server(s) for your domain must be public. However, your own "resolver" nameserver(s) can always be private.
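
How the distinction discussed in this thread appears on the wire, as an added example that is not part of any post: tools such as dig and nslookup read the AA (Authoritative Answer) and RA (Recursion Available) bits from the 12-byte DNS header defined in RFC 1035. The function names and the sample headers below are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),  # 1 = this is a response
        "aa": bool(flags & 0x0400),  # Authoritative Answer
        "rd": bool(flags & 0x0100),  # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),  # server offers recursion (resolver role)
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": an,
    }

def describe(msg: bytes) -> str:
    """Summarise a response the way a DNS audit would read it."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not a response"
    source = "authoritative" if h["aa"] else "non-authoritative"
    notes = []
    if h["aa"] and h["rcode"] == "NXDOMAIN":
        notes.append("name does not exist in the zone")
    if h["aa"] and h["ra"]:
        # Both roles on one server: the setup the thread advises against.
        notes.append("server also offers recursion")
    return f"{source} {h['rcode']}" + (": " + "; ".join(notes) if notes else "")

def make_header(flags: int, ancount: int = 0) -> bytes:
    """Build a constructed header: id 0x1234, one question, no other records."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed samples (header only; a real message carries records after it).
AUTH_ANSWER = make_header(0x8400, 1)         # QR | AA
CACHED_ANSWER = make_header(0x8180, 1)       # QR | RD | RA
AUTH_NXDOMAIN = make_header(0x8403)          # QR | AA, RCODE 3
AUTH_AND_RECURSIVE = make_header(0x8580, 1)  # QR | AA | RD | RA

if __name__ == "__main__":
    for m in (AUTH_ANSWER, CACHED_ANSWER, AUTH_NXDOMAIN, AUTH_AND_RECURSIVE):
        print(describe(m))
```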