What is Authoritative DNS?
An authoritative DNS server holds the definitive resource records for a specific domain and responds to queries with the final answer for that zone, not a cached copy.
An authoritative DNS server is the system designated as the trusted source for DNS resource records within a particular zone (e.g., example.com). It stores the zone file, which contains the original mapping data such as A, AAAA, MX, CNAME, NS, and SOA records. When queried directly, the server responds with the definitive answer, signalled by the AA (Authoritative Answer) flag in the response header, rather than a cached result from a previous query.
When a recursive resolver with an empty cache needs the IP address for a hostname such as www.example.com, it first asks a root server, which refers it to the .com TLD servers, which in turn refer it to the authoritative servers for example.com. The authoritative server replies with the exact record from its zone data or, if the queried name does not exist in the zone, with an NXDOMAIN response (RCODE 3, normally accompanied by the zone's SOA record in the authority section so that resolvers can cache the negative answer). Authoritative-only servers do not perform recursion; they answer for the zones they are responsible for and typically refuse queries for anything else.
In the DNS hierarchy, authoritative servers sit at the end of the resolution path: a resolver reaches them only after following the delegations from the root and TLD servers. Zone records are entered by the domain's administrators through their DNS hosting provider or a self-run server; the registrar's role is to pass the NS delegation to the registry, which publishes it in the parent zone. Primary (master) authoritative servers hold the writable zone file, while secondary (slave) servers replicate it via zone transfer; this model is defined in RFC 1034 and clarified in RFC 2181. Anycast addressing (RFC 3258, RFC 4786) is commonly used to distribute authoritative servers globally for resilience and lower latency.
Key facts
- Directly answers queries with the AA (Authoritative Answer) flag set.
- Each DNS zone should have at least two authoritative servers, ideally on separate networks, for redundancy (RFC 2182); most registries require at least two NS records at delegation.
- Zone data is usually entered manually or via dynamic DNS updates (RFC 2136).
- Primary authoritative servers allow zone edits; secondary servers replicate via AXFR/IXFR. Zone transfers should be restricted to the known secondaries (source ACLs and TSIG-signed transfers), since an AXFR open to anyone hands out the full contents of the zone.
- An authoritative-only server does not cache; every answer comes from its own zone data. A server configured as both authoritative and recursive does cache, which is one reason the two roles are usually run on separate systems.
How it works in practice
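Added example, not code from the page or from any particular DNS implementation: a short Python script that builds a DNS query with RD cleared (the way you query an authoritative server directly), then parses the header and first answer of three constructed responses to the query for www.example.com: one from an authoritative server (AA set, RA clear), one from a recursive resolver (AA clear, RA set, TTL already counting down) and an authoritative NXDOMAIN carrying the zone's SOA in the authority section. The names, TTLs, SOA serial and the 192.0.2.1 address are made up for the demonstration; the message layout follows RFC 1035 and nothing touches the network.

```python
# Added example, not code from the page: build a DNS query, then classify
# constructed responses by the header flags an authoritative server sets.
# Names, TTLs and the 192.0.2.1 address below are made up; nothing touches the network.
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype=1, txid=0x1234, rd=False):
    """RD is off by default: asked directly, an authoritative server should
    answer only from its zone data, so there is nothing to recurse for."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte header (RFC 1035 section 4.1.1)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # 1 = response
        "aa": bool(flags & 0x0400),  # Authoritative Answer
        "rd": bool(flags & 0x0100),  # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),  # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def first_answer(msg):
    """Return (owner, type, ttl, rdata) of the first answer RR, or None."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    if h["ancount"] == 0:
        return None
    owner, off = read_name(msg, off)
    rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rdata = msg[off + 10:off + 10 + rdlen]
    if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
        rdata = ".".join(str(b) for b in rdata)
    return owner, rtype, ttl, rdata

def classify(msg):
    """Describe the response the way a practitioner reads dig's flags line."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    src = "authoritative" if h["aa"] else "non-authoritative (cached/forwarded)"
    return f"{RCODES.get(h['rcode'], h['rcode'])} from {src} server"

# --- constructed sample responses to the query for www.example.com / A ---
def _rr(owner, rtype, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def _response(flags, answer=b"", authority=b""):
    head = struct.pack("!HHHHHH", 0x1234, flags, 1, bool(answer), bool(authority), 0)
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    return head + question + answer + authority

_PTR = b"\xC0\x0C"          # pointer back to the question name at offset 12
_A = bytes([192, 0, 2, 1])  # TEST-NET-1 address, for illustration only
_SOA = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
        + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 300))

AUTH_ANSWER = _response(0x8400, answer=_rr(_PTR, 1, 3600, _A))    # flags: QR AA
CACHED_ANSWER = _response(0x8180, answer=_rr(_PTR, 1, 2517, _A))  # flags: QR RD RA, TTL counting down
AUTH_NXDOMAIN = _response(0x8403, authority=_rr(encode_name("example.com"), 6, 300, _SOA))

if __name__ == "__main__":
    for label, m in [("authoritative", AUTH_ANSWER), ("resolver", CACHED_ANSWER),
                     ("nxdomain", AUTH_NXDOMAIN)]:
        print(f"{label:14s} {classify(m)}  first answer: {first_answer(m)}")
```

Running the script prints the classification and first answer of each constructed message. The same check against a real server is the flags line of `dig +norecurse @<nameserver> www.example.com`: an authoritative server shows `aa` and no `ra`, while a recursive resolver shows `rd` and `ra` but no `aa`, and its answer's TTL shrinks on repeated queries because it is serving from cache.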
More in DNS
A Record
A DNS resource record that maps a hostname to a 32-bit IPv4 address. It is the most fundamental record type for translating domain names to numeric addresses on the Internet.
AAAA Record
A DNS resource record that maps a hostname to a 128-bit IPv6 address, analogous to the A record for IPv4.
CAA Record
A CAA (Certification Authority Authorization) DNS record lets domain owners specify which certificate authorities are permitted to issue SSL/TLS certificates for their domain.
CNAME Record
A DNS record that maps an alias hostname to the true or canonical hostname, allowing multiple names to resolve to the same IP address without duplicating A or AAAA records.
DNS
The Domain Name System (DNS) is a hierarchical, distributed naming system that translates human-readable domain names (like example.com) into IP addresses and other resource records used by internet protocols.
DNS Anycast
DNS Anycast uses one IP address served from multiple geographically distributed nameservers; queries are routed to the nearest or healthiest node, improving resilience and reducing latency.
DNS Caching
DNS caching stores resolved domain name query results for the specified TTL duration to avoid repeated queries to upstream authoritative servers.
DNS Hijacking
DNS hijacking is an attack or misconfiguration that returns forged DNS responses, causing users to connect to attacker-controlled hosts instead of the intended server.
DNSSEC
DNSSEC (DNS Security Extensions) adds cryptographic digital signatures to DNS records, enabling validating resolvers to verify that responses have not been tampered with or spoofed.
DoH
DNS over HTTPS (DoH) encrypts DNS queries and responses inside HTTPS traffic, preventing on-path observers from seeing or tampering with DNS lookups.