
For some domains nslookup gives me a Non-authoritative answer section. What does this mean?

Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional =

    QUESTIONS:
        www.example.com.SME, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  (root)
        ttl = 1787 (29 mins 47 secs)
        primary name server = a.root-servers.net
        responsible mail addr = nstld.verisign-grs.com

------------
Non-authoritative answer:
------------

------------
Name:    example.com
Address:  93.184.216.34
Aliases:  www.example.com
mahen3d
    www.xxx.com is not really an example domain name haha ;)... RFC suggests you use example.com. see http://www.iana.org/domains/reserved – Lzh Sep 15 '15 at 17:44
  • You can always run the nslookup command with an additional parameter of the authoritative nameserver, like nslookup maps.google.com NS1.GOOGLE.COM, which will always return the answer from the Google authoritative server – yarin Sep 15 '20 at 06:56

5 Answers


Basically, it's what the name says it is. An authoritative answer comes from a nameserver that is considered authoritative for the domain which it's returning a record for (one of the nameservers in the list for the domain you did a lookup on), and a non-authoritative answer comes from anywhere else (a nameserver not in the list for the domain you did a lookup on).

It's basically a distinction between a nameserver that's an official nameserver for the domain you're querying, and a nameserver that isn't. Nameservers that aren't authoritative are getting their answers second (or third or fourth...) hand - just relaying the information along from somewhere else.

So, for example, if I did an nslookup of maps.google.com right now, I would get a response from one of my configured nameservers (either from my ISP, or my domain). It would come back as non-authoritative because neither my ISP's nameservers, nor my own, are in the list of nameservers for google.com. They aren't Google's nameservers, so they're not the authoritative source that creates the NS records.

The list of authoritative nameservers for Google is below (from whois.internic.net).

    Domain Name: GOOGLE.COM
    Registrar: MARKMONITOR INC.
    Whois Server: whois.markmonitor.com
    Name Server: NS1.GOOGLE.COM
    Name Server: NS2.GOOGLE.COM
    Name Server: NS3.GOOGLE.COM
    Name Server: NS4.GOOGLE.COM
    Updated Date: 20-jul-2011
    Creation Date: 15-sep-1997
    Expiration Date: 14-sep-2020

If I changed my configured DNS server to one of the ones in that list, and then did an nslookup against maps.google.com, I'd get an authoritative answer back. Those servers are the authority, (or source) for what are valid names in Google's domains, and what aren't. All other nameservers, non-authoritative nameservers, get their NS records from the authoritative servers somewhere down the line.

HopelessN00b
  • So in short, if I understood correctly, if I buy a domain from GoDaddy but I change the NS records to resolve from Digital Ocean, then the response will Non-authoritative answer. Conversely, if I keep my NS records from GoDaddy, they will be Authoritative answers. – Dimitar Veljanovski May 31 '23 at 09:48

Non-authoritative answer simply means the answer is not fetched from the authoritative DNS server for the queried domain name.

First you have to understand how the DNS system works. The DNS system can be divided into three tiers. They are:

  • root DNS servers
  • top-level domain DNS servers
  • authoritative DNS servers

There's another class of DNS Server usually called local DNS server whose IP address is specified on your operating system.

When your browser connects to a website say example.com, the browser first queries your local DNS server to get the IP address of example.com.

  • If the local DNS server doesn't have the A record of example.com, it will query one of the root DNS servers.

  • The root DNS server will say: I don't have the A record but I know the top-level domain DNS server which is responsible for .com domains.

  • Then your local DNS server queries the top-level domain DNS server which is responsible for .com domains. The TLD DNS server will respond: I don't know either, but I know which DNS server is authoritative for example.com.

  • So your local DNS server queries the authoritative DNS server. Because the actual DNS record is stored on that authoritative DNS server, it will give your local DNS server an answer.

Then this query result is cached on your local DNS server, but it can be outdated. When the TTL has expired, your local DNS server will update the query result from the authoritative DNS server. Whenever you query a DNS record on your local DNS server, it returns a non-authoritative (unofficial) answer. If you want an authoritative answer, you must explicitly specify the authoritative DNS server when you use nslookup or other utilities. I think a local DNS server should be called a caching DNS server.

When someone registers a domain name, he/she can specify which DNS server is the authoritative DNS server. This information is called an NS record. The NS record will tell a top-level domain DNS server which nameserver holds the domain's A record, MX record, etc.

LinuxBabe
    This explained much more than all of the other answers combined. Explaining the topology of how DNS works is extremely useful in providing context for this issue. – Levi Roberts Mar 01 '17 at 10:05
  • So essentially if result(of nslookup) comes from a cached response on some server, then that server is said to be non-authoritative server since at that instant of time, it didn't go to actual authoritative server(coz at this instant, IP address might've changed but cached response will wait until TTL expires)? – theprogrammer Jan 03 '22 at 23:08
    Also where is this "local DNS server" located? is it on my machine or at ISP or somewhere in between? – theprogrammer Jan 03 '22 at 23:09
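A runnable simulation of the walk LinuxBabe describes (root, then TLD, then the authoritative server, with a caching "local" resolver in front), as an added example that is not part of the thread. Every server name, zone and address in it is constructed for illustration (192.0.2.0/24 is a documentation range; the TTL 1787 mirrors the one in the question), and it simplifies real resolvers by caching only final answers, not the NS and glue records learned along the way. The point it makes concrete is the caveat a practitioner needs: the caching resolver never sets AA on what it hands back, so a stub client sees "non-authoritative" even for a record fetched a moment ago, and the cached copy is served unchanged until the TTL runs out; to verify a record change, or to rule out a stale or poisoned cache during an investigation, query the zone's own NS host directly.

```python
"""Simulate the root -> TLD -> authoritative walk and the caching 'local'
resolver in front of it.

Added example, not code from the thread. Every server name, address and
zone below is constructed for illustration (192.0.2.0/24 is reserved for
documentation); the TTL 1787 mirrors the one in the question.
"""
import time

ROOT, TLD, AUTH = "a.root-servers.net", "a.gtld-servers.net", "ns1.example.com"

# Simulated nameservers. `zones` is what the server is authoritative for,
# `delegations` what it refers you onward for, `records` what it can answer.
# Glue addresses are kept for realism but not used by the simulation.
SERVERS = {
    ROOT: {"zones": {"."}, "delegations": {"com": (TLD, "192.0.2.1")}},
    TLD:  {"zones": {"com"}, "delegations": {"example.com": (AUTH, "192.0.2.53")}},
    AUTH: {"zones": {"example.com"},
           "records": {("www.example.com", "A"): (1787, "93.184.216.34")}},
}


def _in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def ask(server: str, name: str, rtype: str) -> dict:
    """One query to one simulated server, answering the way a real one does:
    a referral if it only knows the delegation, an AA answer (or AA NXDOMAIN)
    if it owns the zone, REFUSED otherwise."""
    s = SERVERS[server]
    for zone, (ns, _glue) in s.get("delegations", {}).items():
        if _in_zone(name, zone):
            return {"aa": False, "rcode": "NOERROR", "referral": ns}
    if any(_in_zone(name, z) for z in s["zones"]):
        rr = s.get("records", {}).get((name, rtype))
        if rr is None:
            return {"aa": True, "rcode": "NXDOMAIN"}
        return {"aa": True, "rcode": "NOERROR", "answer": rr}
    return {"aa": False, "rcode": "REFUSED"}


class CachingResolver:
    """The 'local DNS server': walks referrals from the root, caches what it
    learns until the TTL runs out, and never sets AA on what it hands back."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so TTL expiry is testable
        self.cache = {}                    # (name, rtype) -> (expires_at, rdata)
        self.upstream_queries = 0

    def resolve(self, name: str, rtype: str = "A") -> dict:
        key, now = (name, rtype), self.clock()
        if key in self.cache and self.cache[key][0] > now:
            expires, rdata = self.cache[key]
            return {"aa": False, "source": "cache",
                    "ttl": int(expires - now), "rdata": rdata}
        server = ROOT
        for _ in range(8):                 # bound the referral chain
            self.upstream_queries += 1
            resp = ask(server, name, rtype)
            if "referral" in resp:
                server = resp["referral"]
                continue
            if resp["rcode"] != "NOERROR":
                return {"aa": False, "source": server, "rcode": resp["rcode"]}
            ttl, rdata = resp["answer"]
            self.cache[key] = (now + ttl, rdata)
            return {"aa": False, "source": server, "ttl": ttl, "rdata": rdata}
        raise RuntimeError("referral chain too long")


if __name__ == "__main__":
    r = CachingResolver()
    print(r.resolve("www.example.com"))       # walked root -> com -> ns1
    print(r.resolve("www.example.com"))       # served from cache, still aa=False
    print(ask(AUTH, "www.example.com", "A"))  # direct query: aa=True
```

Run it and compare the three lines: the first two answers come from the resolver with aa=False (one fresh, one cached), the third comes straight from the simulated ns1.example.com with aa=True.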

The answer you've received is essentially a cached or forwarded response from your local DNS server. Basically, a non-authoritative name server is one that does not contain the records for the zone being queried; your local DNS is likely not going to have Google's name records, for example.

You can get the name servers that are authoritative for a given domain by running host -t ns example.com to retrieve the NS record for example.com.

In the case of Google, we see:

$ host -t ns google.com
google.com name server ns4.google.com.
google.com name server ns1.google.com.
google.com name server ns2.google.com.
google.com name server ns3.google.com.

If you subsequently run your nslookup command against one of those servers, you will get the authoritative answer:

$ nslookup www.google.com ns1.google.com
Server:         ns1.google.com
Address:        216.239.32.10#53

www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 173.194.43.49
Name:   www.l.google.com
Address: 173.194.43.50
Name:   www.l.google.com
Address: 173.194.43.48
Name:   www.l.google.com
Address: 173.194.43.52
Name:   www.l.google.com
Address: 173.194.43.51

If you're using nslookup, to get the NS record type, you can run something like this in interactive mode:

$ nslookup
> set querytype=ns
> google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
google.com      nameserver = ns3.google.com.
google.com      nameserver = ns4.google.com.
google.com      nameserver = ns1.google.com.
google.com      nameserver = ns2.google.com.

Authoritative answers can be found from:
ns1.google.com  internet address = 216.239.32.10

So, setting querytype=ns does what the above host command did.

cjc
    just curious... what does `#` mean in `Address: 127.0.0.1#53`? – cwhsu Mar 02 '18 at 06:30
  • Guess it because of the listening port right? Like what's stated here https://nlp.stanford.edu/IR-book/html/htmledition/dns-resolution-1.html – cwhsu Mar 02 '18 at 07:27
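What nslookup is actually checking when it prints "Non-authoritative answer:" (in the question's debug output, and in the cjc and HopelessN00b answers above) is a single header bit: AA, Authoritative Answer, in the second 16-bit word of the DNS header (RFC 1035 section 4.1.1). The server that owns the zone sets it; a recursive resolver answering from its cache does not. The parser below is an added example, not code from the thread or from nslookup; it decodes the header flags, the question and any A records of a response, and mimics nslookup's banner from the AA bit alone. The two responses it builds are constructed inline with illustrative addresses and TTLs. The same decoder applied to a captured UDP payload tells you, during an incident, whether an answer came from the zone's own servers or from an intermediary's cache.

```python
"""Decode a DNS response and report what nslookup's banner is based on:
the AA (Authoritative Answer) bit in the message header.

Added example, not code from the thread or from nslookup. The sample
responses are constructed inline; addresses and TTLs are illustrative.
"""
import struct

QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def _read_name(msg: bytes, off: int):
    """Decode a domain name at `off`, following RFC 1035 compression pointers.

    Returns (dotted_name, offset just past the name in the original stream).
    """
    labels, end = [], None
    for _ in range(128):                       # bound pointer chasing
        length = msg[off]
        if length & 0xC0 == 0xC0:              # 11xxxxxx: pointer to earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name compression loop")
    return ".".join(labels), end if end is not None else off


def parse_response(msg: bytes) -> dict:
    """Return header flags, questions and answers from a DNS response."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {
        "id": ident,
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA),                # the bit nslookup reports on
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "questions": [],
        "answers": [],
    }
    off = 12
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        info["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:          # A record: render dotted quad
            rdata = ".".join(str(b) for b in rdata)
        info["answers"].append((name, rtype, ttl, rdata))
    return info


def nslookup_label(info: dict) -> str:
    """Mimic nslookup: the banner depends only on the AA bit."""
    return "Authoritative answer" if info["aa"] else "Non-authoritative answer"


def build_response(name: str, addr: str, ttl: int, aa: bool, ident: int = 3) -> bytes:
    """Build a minimal one-question, one-A-record response (constructed data)."""
    flags = QR | RD | RA | (AA if aa else 0)
    header = struct.pack("!6H", ident, flags, 1, 1, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # type A, class IN
    rdata = bytes(int(octet) for octet in addr.split("."))
    # Answer owner name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


if __name__ == "__main__":
    for aa in (False, True):
        info = parse_response(build_response("www.example.com", "93.184.216.34", 1787, aa))
        print(nslookup_label(info), info["rcode"], info["answers"])
```

The cached-style response (aa=False) prints the familiar "Non-authoritative answer", the one built as the zone's own server would send it (aa=True) prints "Authoritative answer"; nothing else about the two messages differs.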

From "Wireshark Lab: DNS v6.01": "However, nslookup also indicates that the answer is 'non-authoritative,' meaning that this answer came from the cache of some server rather than from an authoritative MIT DNS server."

TheLogicGuy

Non-authoritative name servers do not contain the original source files of a domain's zone. They have a cache for the domains that is constructed from all the DNS lookups done previously. A response to a DNS query from a server which doesn't have the original file is known as a non-authoritative answer.

If you are looking for an even clearer explanation regarding how the servers connect/network with each other, refer to: https://www.cloudflare.com/en-in/learning/dns/what-is-dns/.

Above link shares detailed insights on exactly how DNS System works.