The Domain Name System (DNS) is one of the most essential parts of the Internet’s infrastructure. By using DNS, you can connect to a website like Cisco Umbrella without having to know the website’s IP address. (After all, who wants to remember every website’s IP address?)
This post is focused on the relationship between authoritative and recursive DNS nameservers. If you want to read more about general DNS mechanics, one of our engineers, Phillip Thomas, did an excellent job explaining that in an earlier blog post called “Speed, Security, and Safety Through DNS.”
What is a Recursive DNS Server?
You might have been able to guess what a recursive DNS server does by its name: it recurses, which means that it refers back to itself. Recursive DNS nameservers are responsible for providing the proper IP address of the intended domain name to the requesting host. Recursive nameservers are like a phone operator looking up a phone number in multiple phone books on behalf of the requesting party (the user’s computer, acting on behalf of an application). Some phone books list just last names; other phone books exist per last name and list first names.
For example, when you make a request to a website from your browser, the host (computer) makes a request to a recursive DNS server to find the IP address associated with the website; this assumes your operating system and Web browser do not already have a response cached. From there, the recursive server checks whether it has a cached DNS record from the authoritative nameserver that still has a valid time-to-live (TTL). If the recursive server does not have the DNS record cached, it begins the recursive process of going through the authoritative DNS hierarchy, which I will explain further down in this post.
What are Authoritative DNS Nameservers?
Simply put, authoritative DNS nameservers are responsible for providing answers to recursive DNS nameservers with the IP “mapping” of the intended website. The authoritative nameservers’ responses to the recursive nameservers contain important information for each domain, such as corresponding IP addresses and other necessary DNS records. Essentially, authoritative nameservers are like the Yellow Pages publishing multiple phone books, one per region. Yet they don’t actually create the phone book listings; that’s the responsibility of domain name registrars.
Putting it Together
To better illustrate how the two kinds of nameservers interact with each other, let’s imagine that you are at your computer and you want to search for pictures of cats, so you type www.google.com into your Web browser to go to Google. However, your computer doesn’t know where the server for “www.google.com” is located, so it sends a query to a recursive DNS nameserver (Cisco Umbrella) to locate the IP address of the website for you. The recursive DNS nameserver is now assigned the task of finding the IP address of the website you are searching for. If the recursive DNS nameserver does not already have the DNS record cached in its system, it will then query the authoritative DNS hierarchy to get the answer.
Each part of a domain like www.google.com has a specific DNS nameserver (or group of redundant nameservers) that is authoritative.
At the top of the tree are the root domain nameservers. Every domain has an implied/hidden “.” at the end that designates the DNS root nameservers at the top of the hierarchy. Root domain nameservers know the IP addresses of the authoritative nameservers that handle DNS queries for the Top Level Domains (TLDs) like “.com”, “.edu” or “.gov”. The recursive nameserver first asks the root domain nameservers for the IP address of the TLD server, in this case, “.com” (for google.com).
Afterwards, it asks the authoritative server for “.com”, where it can find the “google.com” domain’s authoritative server. Then the “google.com” authoritative server is asked where to find “www.google.com”. Once the IP address is known for the website, the recursive DNS server responds to your computer with the appropriate IP address. The end result is that you are now happy because you can search pictures of cats all day long. Below is an illustration of the process:
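The referral walk and TTL cache described above can also be followed in code. This Python sketch is an added example, not part of the original post: the server names (root, tld-com, ns-google), the 300-second TTL and the address 192.0.2.10 are constructed for illustration, and the in-memory SERVERS table stands in for real authoritative nameservers.

```python
import time

# Constructed hierarchy: each authoritative "server" either refers the
# resolver one level down or returns the final A record with a TTL.
# 192.0.2.10 is a documentation address, not real DNS data.
SERVERS = {
    "root":      {"com.": ("REFERRAL", "tld-com")},
    "tld-com":   {"google.com.": ("REFERRAL", "ns-google")},
    "ns-google": {"www.google.com.": ("A", "192.0.2.10", 300)},
}

class RecursiveResolver:
    def __init__(self, servers, clock=time.monotonic):
        self.servers, self.clock = servers, clock
        self.cache = {}     # qname -> (ip, expiry time)
        self.upstream = []  # every authoritative server that was queried

    def _ask(self, server, qname):
        """One query to one authoritative server; most specific suffix wins."""
        self.upstream.append(server)
        labels = qname.split(".")
        for i in range(len(labels) - 1):
            suffix = ".".join(labels[i:])
            if suffix in self.servers[server]:
                return self.servers[server][suffix]
        return ("NXDOMAIN",)

    def resolve(self, name):
        qname = name if name.endswith(".") else name + "."  # implied root dot
        hit = self.cache.get(qname)
        if hit and hit[1] > self.clock():   # cached and TTL still valid
            return hit[0], "cache"
        server = "root"
        for _ in range(10):                 # bound the referral chain
            reply = self._ask(server, qname)
            if reply[0] == "REFERRAL":
                server = reply[1]           # follow the referral downward
            elif reply[0] == "A":
                _, ip, ttl = reply
                self.cache[qname] = (ip, self.clock() + ttl)
                return ip, "authoritative"
            else:
                return None, "nxdomain"
        return None, "servfail"

if __name__ == "__main__":
    r = RecursiveResolver(SERVERS)
    print(r.resolve("www.google.com"), r.upstream)  # cold cache: full walk
    print(r.resolve("www.google.com"), r.upstream)  # warm cache: no new queries
```

The upstream list shows three authoritative queries on a cold cache and no new ones on the repeat lookup until the TTL expires.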
Why does this matter?
This post was written to generally point out the differences between the two types of nameservers. However, authoritative DNS outages happen frequently and can be a big problem. But since you are using Cisco Umbrella, you have nothing to worry about in such a case.