Loading learning content...
When you type www.google.com into your browser, your computer doesn't directly contact root servers, TLD servers, or Google's authoritative servers. Instead, it sends a single query to a local DNS server—a recursive resolver that does all the hierarchical traversal work on your behalf.
Local DNS servers are the workhorses of DNS. While authoritative servers merely hold data, resolvers actively navigate the DNS hierarchy, cache results, and optimize performance. They're the layer that makes DNS feel instantaneous, even though resolution might require querying servers on three continents. Understanding resolvers means understanding how DNS actually works for end users.
By the end of this page, you will understand: (1) The role and operation of recursive resolvers, (2) How recursion traverses the DNS hierarchy, (3) Caching mechanisms and TTL behavior, (4) Stub resolvers vs. full resolvers, (5) ISP resolvers vs. public DNS services, (6) Resolver security features (DNSSEC validation, DoH, DoT), and (7) How to configure and troubleshoot resolver behavior.
A recursive resolver (also called a recursive DNS server, caching resolver, or simply "local DNS server") is a DNS server that accepts queries from clients and performs the full resolution process on their behalf.
The 'recursive' in recursive resolver:
The term 'recursive' refers to how the resolver handles queries:
The client doesn't need to know about root servers or the DNS hierarchy—it just asks and receives. The resolver recursively resolves by following referrals until it obtains the final answer.
Key differences from authoritative servers:
| Characteristic | Recursive Resolver | Authoritative Server |
|---|---|---|
| Data source | Cache (from querying authoritatives) | Zone files (configured locally) |
| Queries other servers | Yes - traverses hierarchy | No - serves own data only |
| AA flag in responses | Typically No | Yes (for its zones) |
| RD flag handling | Accepts and processes requests with RD=1 | Ignores RD flag; doesn't recurse |
| Primary clients | End-user devices, applications | Other DNS servers, resolvers |
| Caching | Essential function | Not applicable (serves own data) |
| DNSSEC role | Validates signatures | Signs zone data |
The RD (Recursion Desired) flag in DNS queries indicates whether the client wants the server to perform recursion. Recursive resolvers honor this flag; authoritative servers ignore it. When your application queries your local resolver, RD is set to 1. When your resolver queries authoritative servers, RD is still set but ignored—authoritatives only provide referrals or direct answers.
DNS resolution involves two types of resolvers that work together:
Stub Resolver (Client-Side)
Every operating system includes a stub resolver—a minimal DNS client library that:
/etc/resolv.conf on Linux, DHCP-provided settings on Windows)The stub resolver doesn't traverse the DNS hierarchy—it simply forwards to a configured resolver and waits for answers. It's "stub" because it only handles the first hop.
12345678910111213
# DNS servers (up to 3)nameserver 8.8.8.8nameserver 8.8.4.4nameserver 1.1.1.1 # Default domain for unqualified namesdomain example.com # Search domains for name completionsearch example.com corp.example.com # Optionsoptions timeout:2 attempts:3 rotateFull Recursive Resolver (Network-Side)
Full resolvers perform the actual resolution work:
The resolution flow:
[Application] → [Stub Resolver (OS)] → [Full Resolver (Network)] → [DNS Hierarchy]
| | | |
makes forwards recursively authoritative
request to resolver resolves answers
| Aspect | Stub Resolver | Full Recursive Resolver |
|---|---|---|
| Location | On every client device (OS) | Network infrastructure (ISP, enterprise, cloud) |
| Performs recursion | No - forwards to full resolver | Yes - traverses DNS hierarchy |
| Cache size | Small - OS-level, limited | Large - millions of cached records |
| Configuration | Simple - just nameserver addresses | Complex - tuning, security, policies |
| Examples | Windows DNS Client, glibc resolver | BIND (recursive mode), Unbound, Knot Resolver |
| Scale | Per-device | Serves hundreds to millions of clients |
Before querying any resolver, stub resolvers typically check: (1) The hosts file (/etc/hosts or C:\Windows\System32\drivers\etc\hosts), (2) The OS DNS cache, and sometimes (3) Browser-level caches. These shortcuts bypass DNS entirely for known hosts—useful for local development but also a historical attack vector.
Caching is the recursive resolver's superpower. Without caching, every DNS query would require traversing the hierarchy—three to six round-trips for each resolution. With caching, most queries resolve in one hop or less.
What gets cached:
Resolvers cache much more than just final answers:
| Cached Data | Example | Benefit | Typical TTL |
|---|---|---|---|
| Final answers (A, AAAA) | www.google.com → 142.250.185.68 | Immediate response for repeat queries | 300 - 3600 sec |
| NS records for zones | google.com NS → ns1.google.com | Skip TLD query for google.com domains | 86400 - 172800 sec |
| Glue records (NS addresses) | ns1.google.com → 216.239.32.10 | Know authoritative server IPs | 86400 - 172800 sec |
| TLD referrals | .com NS → a.gtld-servers.net | Skip root query for .com domains | 172800 sec |
| Negative responses (NXDOMAIN) | notreal.google.com → NXDOMAIN | Don't re-query non-existent names | SOA minimum (300-3600 sec) |
| NODATA responses | google.com has no AAAA | Don't re-query for absent record types | SOA minimum (300-3600 sec) |
How TTL works:
Every cached record has a TTL (Time-To-Live) countdown:
www.example.com 300 IN A 93.184.216.34TTL behavior across the chain:
1234567891011121314151617181920212223
# Query 1: Resolver fetches from authoritative$ dig @8.8.8.8 www.example.com A;; ANSWER SECTION:www.example.com. 300 IN A 93.184.216.34; ^^^-- Original TTL from authoritative # Query 2: 60 seconds later$ dig @8.8.8.8 www.example.com A;; ANSWER SECTION:www.example.com. 240 IN A 93.184.216.34; ^^^-- TTL has decremented # Query 3: 200 seconds later (260 total)$ dig @8.8.8.8 www.example.com A;; ANSWER SECTION:www.example.com. 40 IN A 93.184.216.34; ^^-- Only 40 seconds until expiration # Query 4: 50 seconds later (cache expired, re-resolved)$ dig @8.8.8.8 www.example.com A;; ANSWER SECTION:www.example.com. 300 IN A 93.184.216.34; ^^^-- Fresh TTL from new authoritative queryCache efficiency metrics:
Well-configured resolvers achieve high cache hit rates:
| Metric | Typical Value | Meaning |
|---|---|---|
| Cache hit rate | 85-95% | Percentage of queries answered from cache |
| Cache size | 10,000 - 1,000,000+ entries | Depends on resolver scale |
| Average resolution time (cache hit) | <1 ms | Served from memory |
| Average resolution time (cache miss) | 20-100 ms | Must query hierarchy |
Cache warming:
Some resolvers implement cache warming or prefetching:
Resolver caches are attractive targets for attackers. If an attacker can inject false records into a cache (cache poisoning), all clients of that resolver receive malicious data. Defenses include DNSSEC validation, source port randomization, query ID randomization, and secure transport (DoT/DoH).
Users have choices about which recursive resolver handles their DNS. The two main options represent different tradeoffs:
ISP-Provided Resolvers
By default, most Internet connections use the ISP's resolvers (assigned via DHCP):
Advantages:
Disadvantages:
| Provider | IPv4 Addresses | IPv6 Addresses | Notable Features |
|---|---|---|---|
| Google Public DNS | 8.8.8.8, 8.8.4.4 | 2001:4860:4860::8888, ::8844 | DNSSEC validation, DoH/DoT, global Anycast |
| Cloudflare | 1.1.1.1, 1.0.0.1 | 2606:4700:4700::1111, ::1001 | Privacy focus, fastest DNS, WARP integration |
| Quad9 | 9.9.9.9, 149.112.112.112 | 2620:fe::fe, 2620:fe::9 | Malware blocking, non-profit, privacy focused |
| OpenDNS (Cisco) | 208.67.222.222, 208.67.220.220 | 2620:119:35::35, ::123 | Content filtering, phishing protection, enterprise |
| AdGuard DNS | 94.140.14.14, 94.140.15.15 | 2a10:50c0::ad1:ff, ::ad2:ff | Ad blocking, privacy focus |
Public DNS advantages:
CDN and geo-routing considerations:
Content Delivery Networks (CDNs) use the resolver's IP address to determine where to direct users. When you use a public DNS:
Both Google DNS and Cloudflare support ECS for supported CDNs, minimizing geo-routing impact.
EDNS Client Subnet improves CDN routing but reveals your approximate location to authoritative servers. Privacy-focused resolvers (like Cloudflare in strict mode) can disable ECS, sacrificing some CDN optimization for privacy. For most users, the default ECS behavior provides good performance with minimal privacy impact.
Modern recursive resolvers implement multiple security mechanisms to protect users from attacks and ensure query/response integrity.
DNSSEC Validation
DNSSEC-validating resolvers verify cryptographic signatures on DNS responses:
DNSSEC prevents cache poisoning and man-in-the-middle attacks on DNS.
123456789101112131415
# Query with DNSSEC validation (+dnssec)$ dig @8.8.8.8 +dnssec google.com A ;; HEADER:;; flags: qr rd ra ad; ...;; ^^ AD flag: Authenticated Data (DNSSEC validated) ;; ANSWER SECTION:google.com. 225 IN A 142.250.185.206google.com. 225 IN RRSIG A 8 2 300 ... ;; Signature verified through chain:;; Root DNSKEY → signs .com DS;; .com DNSKEY → signs google.com DS ;; google.com DNSKEY → signs A recordDNS over HTTPS (DoH) and DNS over TLS (DoT)
Traditional DNS uses unencrypted UDP/TCP on port 53—visible to anyone intercepting network traffic. DoH and DoT provide encryption:
| Protocol | Port | Transport | Encryption | Visibility |
|---|---|---|---|---|
| Traditional DNS | 53 | UDP/TCP | None | Queries visible on network |
| DNS over TLS (DoT) | 853 | TLS | TLS 1.2/1.3 | Encrypted; port identifies DNS traffic |
| DNS over HTTPS (DoH) | 443 | HTTPS | TLS 1.2/1.3 | Encrypted; blends with other HTTPS |
| DNS over QUIC (DoQ) | 853 or 8853 | QUIC | QUIC-based TLS | Encrypted; reduced latency |
DoH vs. DoT tradeoffs:
| Aspect | DoT | DoH |
|---|---|---|
| Visibility | Dedicated port (853) - filterable | Port 443 - blends with HTTPS traffic |
| Censorship resistance | Can be blocked by port | Difficult to block without breaking web |
| Enterprise control | Easier to monitor/filter | Harder for enterprises to inspect |
| Performance | Slightly lower overhead | HTTP/2 adds overhead but enables multiplexing |
| Browser integration | Requires system/app configuration | Native in Firefox, Chrome, Edge, Brave |
Additional resolver security:
Modern browsers default to DoH for supported providers, encrypting DNS from your browser to the resolver. However, this bypasses network-level DNS policies and enterprise controls. Organizations often disable browser DoH to maintain visibility and security policy enforcement.
Many organizations deploy their own recursive resolvers rather than relying on ISP or public DNS. This provides control, security, and integration with internal DNS.
Common deployment scenarios:
1. Enterprise Internal Resolver
| Software | Developer | Key Features | Common Use |
|---|---|---|---|
| BIND 9 (resolved) | ISC | Full-featured, authoritative + recursive, widely documented | ISPs, enterprises, general purpose |
| Unbound | NLnet Labs | Security-focused, DNSSEC validation, fast | Security-conscious deployments |
| Knot Resolver | CZ.NIC | Modular, Lua scripting, modern design | Research, flexible deployments |
| PowerDNS Recursor | PowerDNS.com | High performance, RPZ support, Lua hooks | Large-scale ISP deployments |
| dnsmasq | thekelleys.org.uk | Lightweight, DHCP+DNS combo | Home routers, small networks |
| Windows DNS Server | Microsoft | AD integration, GUI management | Windows enterprise environments |
Split-horizon DNS:
Enterprises often implement split-horizon (split-brain) DNS:
app.example.com → 10.0.1.50)app.example.com → 203.0.113.50)This enables internal users to access services via private network while external users use public addresses.
Forwarding vs. recursion:
Resolvers can operate in different modes:
| Mode | Behavior | Use Case |
|---|---|---|
| Full recursion | Resolver queries hierarchy directly (root → TLD → authoritative) | Primary recursive resolver; no upstream dependency |
| Forwarding | Resolver forwards all queries to upstream resolver(s) | Internal resolver forwarding to corporate/ISP resolver |
| Conditional forwarding | Forward specific zones to specific servers; recurse for others | Forward corp.example.com to internal; recurse external |
| Stub zones | Forward zone to authoritative servers (not recursive) | Internal zones that shouldn't use recursion |
Home users often deploy Pi-hole, AdGuard Home, or similar DNS-based ad blockers. These act as local resolvers that filter queries to known advertising and tracking domains. They demonstrate resolver-level content filtering in a consumer context—the same principle enterprises use for security policies.
Understanding resolver behavior is essential for troubleshooting DNS issues. Here are key diagnostic techniques and common problems.
Essential DNS diagnostic tools:
123456789101112131415161718192021222324252627282930
# 1. Basic query to specific resolver$ dig @8.8.8.8 www.example.com A # 2. Trace resolution path (shows each step)$ dig +trace www.example.com; Shows: root referral → TLD referral → authoritative answer # 3. Query with DNSSEC information$ dig +dnssec example.com # 4. Short output (just the answer)$ dig +short www.google.com # 5. Check specific resolver$ nslookup www.example.com 8.8.8.8 # 6. Query for NS records$ dig example.com NS # 7. Reverse DNS lookup$ dig -x 8.8.8.8 # 8. Check what resolver your system uses$ cat /etc/resolv.conf # Linux$ ipconfig /all # Windows (shows DNS servers) # 9. Flush local DNS cache$ sudo systemd-resolve --flush-caches # Linux (systemd)$ sudo dscacheutil -flushcache # macOS$ ipconfig /flushdns # WindowsCommon resolver issues and solutions:
| Symptom | Likely Cause | Diagnosis | Solution |
|---|---|---|---|
| SERVFAIL for all queries | Resolver misconfiguration or unreachable | dig @resolver test.com from resolver host | Check resolver configuration, upstream connectivity |
| SERVFAIL for one domain | DNSSEC validation failure | dig +cd (disable validation) to test | Domain owner must fix DNSSEC; or temporarily disable validation |
| Slow resolution | High latency to upstream, poor cache hit rate | dig timing, check cache stats | Use closer resolver, tune cache settings |
| Wrong/old answers | Stale cache, caching proxy interference | Query authoritative directly | Flush cache; verify no transparent DNS proxy |
| NXDOMAIN for valid domain | Split-horizon issue, domain not delegated | dig +trace, verify NS records | Check delegation at registrar; verify internal zone |
| Intermittent failures | Overloaded resolver, network issues | Query multiple resolvers, check logs | Add resolver capacity; check network path |
| Resolution works; application fails | Application DNS caching, incorrect hosts file | Check /etc/hosts, application cache | Clear application cache; check hosts file |
The +trace diagnostic:
The dig +trace command is invaluable for debugging. It performs iterative resolution from root, showing each referral:
123456789101112131415161718
$ dig +trace www.github.com ; Start at root. 518400 IN NS a.root-servers.net.;; Received from 198.41.0.4 (A root) ; Root refers to .com TLDcom. 172800 IN NS a.gtld-servers.net.;; Received from 192.5.6.30 (.com TLD) ; .com refers to github.com authoritativegithub.com. 172800 IN NS ns-421.awsdns-52.com.;; Received from 205.251.193.165 (AWS DNS) ; github.com authoritative provides answerwww.github.com. 3600 IN CNAME github.com.github.com. 60 IN A 140.82.114.3;; Received from 205.251.193.165 (AWS DNS)SERVFAIL is DNS's generic error response—it indicates 'something went wrong' but doesn't specify what. Common causes include DNSSEC validation failure, authoritative server unreachability, and upstream resolver issues. Use 'dig +cd' (checking disabled) to bypass DNSSEC validation and isolate whether the issue is validation-related.
Local DNS servers—recursive resolvers—are the user-facing layer of DNS. They accept simple queries from clients and perform the complex work of traversing the DNS hierarchy, caching results, and ensuring fast, secure resolution.
What's next:
We've now covered all four tiers of DNS servers: root servers (apex), TLD servers (organization), authoritative servers (source of truth), and local resolvers (user-facing). The final page explores Delegation—the mechanism that ties these tiers together, enabling the distributed authority that makes DNS scalable and manageable.
You now understand local DNS servers (recursive resolvers) in depth—their role in resolution, the stub/full resolver distinction, caching mechanics, ISP vs. public DNS choices, security features, enterprise deployment, and troubleshooting techniques. This knowledge enables you to configure, optimize, and debug DNS resolution at the client and network level.