What’s the Difference Between Recursive DNS and Authoritative DNS - 2022
Understanding the Difference Between Recursive DNS and Authoritative DNS?
So, you’ve decided to make the move to a third-party DNS service and are trying to decide which option is best for you. As you contemplate which option best fits your needs, you’ll likely notice the terms recursive DNS and authoritative DNS tossed around. It is important to understand the difference between these two components of the domain name system and the role that each plays in browsing the web. Spoiler alert – for the average internet user, one of these types of services likely won’t apply.
Authoritative DNS – If you’ve ever built a website you may have been asked, as the site’s administrator, to assign DNS records for the site. This DNS record assignment — which these days, is often autogenerated by the host is the master record for a domain. DNS records are stored on authoritative DNS servers and act as the permanent — unless edited reference point for your site. Anytime you visit a domain for the first time or if the cache — think unique breadcrumbs or CliffsNotes from a previous visit has expired or been removed, your recursive DNS server will need to locate and contact the authoritative DNS server when you conduct a DNS query (e.g., visit a domain in your browser).
Recursive DNS – If your browser already knows where a domain is located — thanks to caching then your browser can immediately connect without sending the query to an upstream DNS recursive resolver . However, your browser will always need to locate and query the recursive DNS server when it has no existing cache from the site to reference as a shortcut. So, how does cache improve the browsing process? Let’s explore.
When visiting a site for the first time, browsers or other applications need to send the given hostname to a recursive DNS server, which then tries to find the authoritative server for that particular name. The recursive server traverses the name, seeing if it already knows about parts of it in it’s cache, and if there is no information, the recursive server fetches information about authoritative servers for part of the name until it is able to talk to the authoritative server that contains the desired answer. Then the recursive resolver hands back the single answer to the computer that asked the question, where it is often put into a cache_ that holds details about the website locally for a certain amount of time, often referred to as TTL or time to live. If we think of authoritative DNS servers as the authoritative record holder for a domain’s information, we can look at recursive DNS resolvers as the workhorse of the system. Recursive DNS resolvers are responsible for not only utilizing stored cache to expedite DNS queries but also sorting through massive directories for a site’s information when your browser has no previous data to reference — ideally, while prioritizing performance and safety.
The speed at which this task is completed is exceptionally impressive considering that there were over 350 million registered domain names by March 2022, according to Verisign. Given this information, it should become easier to recognize the resource intensive task placed upon recursive DNS resolvers when locating a domain’s information before the end user loses patience. Interestingly, because of the cache at the recursive resolver being used by many people, it often is the case that a more heavily used DNS resolver is faster, since it remembers a larger set of frequently asked names and doesn’t need to reach out all across the internet to get new answers each time there is a question.
Ultimately, the predominant — but not only purpose of recursive DNS resolvers is to reduce the load placed on authoritative DNS servers, resulting in a faster experience for end users browsing the web.
Hang on…You’ve Lost me. Could You Please Use Recursive and Authoritative DNS Resolvers in a Sentence?
While we’re not spelling bee champions, we can certainly look at these two types of DNS resolvers in a different light. Try this example:
Let’s say you’re curious to see the property tax records for your home. If you’ve never accessed this information before, you will probably find yourself at the county tax office (or wherever your city stores tax records) sorting through tons of alphabetically organized records.
You can think of the tax office at the authoritative DNS server in this situation, as they house and maintain the master copy of not only your tax records but everyone else’s records as well. This means flipping through tens of thousands of other people’s records to find yours can be a slow process. To add to the situation, imagine that everyone else in your town also wants to view their tax records at the same time as you. Chaos will likely ensue and wait times — i.e., load speeds will skyrocket.
Once you’ve located your tax records, you make a photocopy and store the copy in a desk drawer at home. Fast forward a few weeks, and let’s say you want to review the tax records again. Instead of relying on the slow process of querying the authoritative source for a second time (i.e., the county tax office), you can simply shuffle through your desk drawer because you’ve stored a copy of the records there from your last visit to the authoritative source. In this sense, you’re now acting as a recursive resolver by utilizing a copy of the desired information and reducing the load on the authoritative server (i.e., not adding to the line of people requesting information at the tax office).
Of course, this is a macro-view of authoritative and recursive DNS resolvers, but hopefully this example provides a better understanding of their foundational purposes. For more in-depth information surrounding the function and purpose of DNS servers, check out our archive of informational articles.
How to Choose the Best Recursive DNS Service?
Most ISPs offer customers a recursive DNS resolver as part of their service — it’s a basic component of almost every network provider’s offering. However, as the internet becomes more deeply ingrained in the fabric of society, these ISP provided solutions may not be the best option for those who are concerned with optimizing performance, security, and privacy.
Remember, ISPs generally have no vested interest or financial gain in providing users with a robust and secure DNS resolver. This alone should paint a picture of the questionable quality of most ISP-provided DNS resolvers. Fortunately, for users who are leery of ISP-provided DNS services there are other options available.
Quad9, which was ranked as one of the top three best DNS servers of 2022 by TechRadar, is a non-profit organization that’s been providing free public DNS services since 2017. Quad9’s free recursive anycast DNS platform provides end users with robust security protections, high-performance, and privacy. Collaborating with over 20 threat intelligence providers around the globe, Quad9 blocks known malicious domains, preventing your computers and smart devices from connecting to malware-ridden or phishing sites.
Additionally, there’s no registration, credit card info, software installation, or personal information required to use Quad9’s service. Setup is a quick process, taking only a few seconds. Quad9 has even created a short video guide to walk users through the process of configuring their DNS server on both Mac and Windows systems, as well as other devices.
The Takeaway
We’ve entered an era where the security and privacy of our cyber presence is just as important as our real-life assets. Although ISPs, regulators, politicians, the media, and others often give lip service to protecting ourselves online, this unfortunately isn’t enough to make an impact without action from each individual.
That’s why non-profits like Quad9 are essential for those who want to take self-preservation into their own hands. If you are considering making the switch to a DNS resolver aimed at best protecting you, then you’re a step ahead of most. Just as antivirus software and malware scanners may have initially felt bloated and complicated, the time spent familiarizing yourself with them often paid dividends, even if only by peace of mind.
Utilizing public recursive DNS resolvers is poised to follow a similar trend, quickly evolving from a best practice into a must-have. In the meantime, if you choose Quad9 and find yourself confused or uncertain if you’re implementing things correctly, their support team is always happy to provide on-boarding assistance.
Until next time stay safe, and keep private.
References: