What is Recursive DNS?
Also known as: Resolver
A recursive DNS resolver is a server that accepts queries from clients and performs the full iterative lookup process, starting at the DNS root zone and following referrals until it reaches an authoritative answer or fails.
A recursive DNS resolver, also called a recursive resolver or simply a recursor, is the type of DNS server most end-user devices are configured to use. It acts as an intermediary. When a client sends a query (for example, "what is the A record for www.example.com?"), the recursive resolver does not itself host the answer for that domain. Instead, it walks the DNS hierarchy on behalf of the client. It first contacts one of the 13 root server clusters (a root hints file lists their addresses). The root server responds with a referral to the servers responsible for the .com top-level domain. The resolver then queries a .com TLD server, which refers it to the authoritative name servers for example.com. Finally, the resolver queries one of the example.com authoritative servers, which returns the IP address. This process is defined in RFC 1034 and RFC 1035.
The recursive resolver caches each answer it receives according to the Time-to-Live (TTL) value returned by the authoritative server. Subsequent queries for the same record within the TTL period are answered from cache, which speeds up resolution and reduces load on upstream servers. The resolver must also handle negative responses (NXDOMAIN) and cache those too, not only positive answers. Modern recursive resolvers implement additional features such as DNSSEC validation (RFC 4033), query minimization (RFC 9156) to improve privacy, and rate-limiting to mitigate amplification attacks.
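The referral walk from the previous paragraph and the TTL-based caching of both positive and NXDOMAIN answers described here, as an added worked example. This is not code from the page or from any of the resolver implementations it names: the root, .com and example.com servers are in-memory dicts standing in for the network, the server names (a.root-servers.example., a.gtld-servers.example., ns1.example.com.), the 192.0.2.1 address and the TTLs are constructed, and glue records are elided because the toy looks servers up by name directly.

```python
"""Toy recursive resolver, added here as a worked example (not code from
the page or any named implementation). It walks a constructed in-memory
DNS hierarchy (root -> .com TLD -> example.com) following referrals, and
caches both positive answers and NXDOMAIN responses by TTL."""
import time


class AuthServer:
    """Stand-in for one authoritative server: its zone data is a dict."""

    def __init__(self, answers=None, delegations=None, neg_ttl=60):
        self.answers = answers or {}          # (qname, qtype) -> (rdata, ttl)
        self.delegations = delegations or {}  # child zone -> [ns names]
        self.neg_ttl = neg_ttl                # negative-cache TTL (SOA MINIMUM in real zones)

    def respond(self, qname, qtype):
        """Return (status, payload, ttl): an answer, a referral, or NXDOMAIN."""
        if (qname, qtype) in self.answers:
            rdata, ttl = self.answers[(qname, qtype)]
            return "ANSWER", rdata, ttl
        # Referral: the longest delegated child zone containing qname wins.
        for child in sorted(self.delegations, key=len, reverse=True):
            if qname == child or qname.endswith("." + child):
                return "REFERRAL", self.delegations[child], None
        return "NXDOMAIN", None, self.neg_ttl


class RecursiveResolver:
    def __init__(self, root_hints, servers, clock=time.monotonic):
        self.root_hints = root_hints  # root server names (the "hints file")
        self.servers = servers        # name -> AuthServer; stands in for the network
        self.clock = clock            # injectable so TTL expiry can be tested
        self.cache = {}               # (qname, qtype) -> (status, payload, expires_at)
        self.upstream_queries = 0     # how many queries went "over the wire"

    def resolve(self, qname, qtype="A"):
        """Return (status, payload, from_cache)."""
        key, now = (qname, qtype), self.clock()
        cached = self.cache.get(key)
        if cached and cached[2] > now:
            return cached[0], cached[1], True
        self.cache.pop(key, None)  # expired or absent: do the full walk
        candidates = list(self.root_hints)
        for _ in range(16):  # hop limit guards against referral loops
            server = self.servers.get(candidates[0])
            if server is None:  # no glue / unreachable server in this toy
                break
            self.upstream_queries += 1
            status, payload, ttl = server.respond(qname, qtype)
            if status == "REFERRAL":
                candidates = payload  # follow the delegation downward
                continue
            # Positive and negative answers are both cached until now + TTL.
            self.cache[key] = (status, payload, now + ttl)
            return status, payload, False
        return "SERVFAIL", None, False


def build_demo_resolver(clock=time.monotonic):
    """Constructed hierarchy; the names and the 192.0.2.1 address are examples."""
    servers = {
        "a.root-servers.example.": AuthServer(
            delegations={"com.": ["a.gtld-servers.example."]}),
        "a.gtld-servers.example.": AuthServer(
            delegations={"example.com.": ["ns1.example.com."]}),
        "ns1.example.com.": AuthServer(
            answers={("www.example.com.", "A"): ("192.0.2.1", 300)},
            neg_ttl=60),
    }
    return RecursiveResolver(["a.root-servers.example."], servers, clock)


if __name__ == "__main__":
    r = build_demo_resolver()
    for name in ("www.example.com.", "www.example.com.", "nope.example.com."):
        print(name, r.resolve(name), "upstream queries so far:", r.upstream_queries)
```

The first lookup of www.example.com. costs three upstream queries (root, TLD, zone); the repeat is served from cache with no upstream traffic, which is the load reduction the paragraph describes. A name that does not exist in the zone costs another full walk but is then cached as NXDOMAIN for the zone's negative TTL, so repeated queries for missing names do not hammer the authoritative servers either.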
The recursive resolver sits between the stub resolver in the user's operating system (which issues a simple one-shot query) and the authoritative DNS servers that hold the actual zone data. Common implementations include BIND (named), Unbound, PowerDNS Recursor, and the Google Public DNS or Cloudflare 1.1.1.1 public services. In enterprise or home networks, the recursive resolver may be a dedicated appliance or a function running on a router or DHCP server. The distinction between recursive and authoritative servers is critical for security and operational reasons: a recursive resolver should not be configured as authoritative for a zone, and vice versa, to avoid cache poisoning or data leakage.
Key facts
- A recursive resolver performs the full lookup chain from root servers to authoritative name servers.
- It caches results based on TTL values to improve performance and reduce network traffic.
- The resolver is a target for DNS amplification attacks if left open to the Internet without rate limiting.
- DNSSEC validation is typically performed at the recursive resolver level to verify responses.
- Stub resolvers in operating systems rely entirely on a recursive resolver to complete DNS lookups.
More in DNS
- A Record: A DNS resource record that maps a hostname to a 32-bit IPv4 address. It is the most fundamental record type for translating domain names to numeric addresses on the Internet.
- AAAA Record: A DNS resource record that maps a hostname to a 128-bit IPv6 address, analogous to the A record for IPv4.
- Authoritative DNS: An authoritative DNS server holds the definitive resource records for a specific domain and responds to queries with the final answer for that zone, not a cached copy.
- CAA Record: A CAA (Certification Authority Authorization) DNS record lets domain owners specify which certificate authorities are permitted to issue SSL/TLS certificates for their domain.
- CNAME Record: A DNS record that maps an alias hostname to the true or canonical hostname, allowing multiple names to resolve to the same IP address without duplicating A or AAAA records.
- DNS: The Domain Name System (DNS) is a hierarchical, distributed naming system that translates human-readable domain names (like example.com) into IP addresses and other resource records used by internet protocols.
- DNS Anycast: DNS Anycast uses one IP address served from multiple geographically distributed nameservers; queries are routed to the nearest or healthiest node, improving resilience and reducing latency.
- DNS Caching: DNS caching stores resolved domain name query results for the specified TTL duration to avoid repeated queries to upstream authoritative servers.
- DNS Hijacking: DNS hijacking is an attack or misconfiguration that returns forged DNS responses, causing users to connect to attacker-controlled hosts instead of the intended server.
- DNSSEC: DNSSEC (DNS Security Extensions) adds cryptographic digital signatures to DNS records, enabling resolvers to verify that responses have not been tampered with or spoofed.