Skip to content

How does DNS resolution work — recursive vs authoritative?

Short answer

A stub resolver asks a recursive resolver for a name. If it isn't cached, the recursive resolver walks the hierarchy: it queries a root server (which points to the TLD), the TLD server (which points to the domain's authoritative servers), and finally the authoritative server, which holds the actual record. The answer is cached along the way per its TTL. DNS uses port 53 — UDP for most queries, TCP for large ones.

DNS turns human-friendly names into IP addresses, and it does so through a distributed, hierarchical lookup that no single server could answer alone. Understanding the recursive-versus-authoritative split is the heart of the question.

The resolution walk

  1. Your device's stub resolver asks its configured recursive resolver (often your ISP's or a public one like 1.1.1.1) for www.example.com.
  2. If the recursive resolver doesn't have the answer cached, it starts at the top. It queries a root server, which doesn't know the IP but replies "ask the .com TLD servers."
  3. It queries a .com TLD server, which replies "ask example.com's authoritative name servers."
  4. It queries the authoritative server for example.com, which actually holds the zone and returns the A/AAAA record.
  5. The recursive resolver caches the answer for its TTL and returns it to your device.

Recursive vs authoritative

A recursive resolver does the legwork on the client's behalf, chasing referrals and caching results. An authoritative server is the source of truth for a particular zone — it answers definitively for the domains it's responsible for and never goes asking elsewhere.

Ports and transport

DNS runs on port 53, using UDP for typical small queries (fast, no handshake) and falling back to TCP when a response is too large for a single datagram or for zone transfers.

Security

Because classic DNS is unauthenticated, it's vulnerable to cache poisoning — injecting forged answers. DNSSEC signs records so resolvers can verify authenticity; DoH/DoT encrypt the query in transit.

Interviewers want the root→TLD→authoritative chain, the recursive/authoritative distinction, port 53, and ideally a word on caching or poisoning.

Likely follow-ups

  • What is the difference between a recursive resolver and an authoritative server?
  • How does DNS cache poisoning work and how does DNSSEC mitigate it?
  • When does DNS fall back from UDP to TCP?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.