DNS - NSLOOKUP what is the meaning of the non-authoritative answer?

Solution 1:

Basically, it's what the name says it is. An authoritative answer comes from a nameserver that is considered authoritative for the domain which it's returning a record for (one of the nameservers in the list for the domain you did a lookup on), and a non-authoritative answer comes from anywhere else (a nameserver not in the list for the domain you did a lookup on).

It's basically a distinction between a nameserver that's an official nameserver for the domain you're querying, and a nameserver that isn't. Nameservers that aren't authoritative are getting their answers second (or third or fourth...) hand - just relaying the information along from somewhere else.

So, for example, If I did an nslookup of maps.google.com right now, I would get a response from one of my configured nameservers. (Either from my ISP, or my domain.) It would come back as non-authoritative because neither my ISP's nameservers, nor my own are in the list of nameservers for google.com. They aren't Google's nameservers, so they're not the authoritative source that creates the NS records.

The list of authoritative nameservers for Google is below (from whois.internic.net).

Domain Name: GOOGLE.COM


Whois Server: whois.markmonitor.com

Name Server: NS1.GOOGLE.COM

Name Server: NS2.GOOGLE.COM

Name Server: NS3.GOOGLE.COM

Name Server: NS4.GOOGLE.COM

Updated Date: 20-jul-2011

Creation Date: 15-sep-1997

Expiration Date: 14-sep-2020

If I changed my configured DNS server to one of the ones in that list, and then did an nslookup against maps.google.com, I'd get an authoritative answer back. Those servers are the authority, (or source) for what are valid names in Google's domains, and what aren't. All other nameservers, non-authoritative nameservers, get their NS records from the authoritative servers somewhere down the line.

Solution 2:

The answer you've received is essentially a cached or forwarded response from your local DNS server. Basically, a non-authoritative name server is one that does not contain the records for the zone being queried; your local DNS is likely not going to have Google's name records, for example.

You can get the name servers that are authoritative for a given domain by running host -t ns example.com to retrieve the NS record for example.com.

In the case of Google, we see:

$ host -t ns google.com
google.com name server ns4.google.com.
google.com name server ns1.google.com.
google.com name server ns2.google.com.
google.com name server ns3.google.com.

If you subsequently run your nslookup command against one of those servers, you will get the authoritative answer:

$ nslookup www.google.com ns1.google.com
Server:         ns1.google.com

www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Name:   www.l.google.com
Name:   www.l.google.com
Name:   www.l.google.com
Name:   www.l.google.com

If you're using nslookup, to get the NS record type, you can run something like this in interactive mode:

$ nslookup
> set querytype=ns
> google.com

Non-authoritative answer:
google.com      nameserver = ns3.google.com.
google.com      nameserver = ns4.google.com.
google.com      nameserver = ns1.google.com.
google.com      nameserver = ns2.google.com.

Authoritative answers can be found from:
ns1.google.com  internet address =

So, setting querytype=ns does what the above host command did.

Solution 3:

Non-authoritative answer simply means the answer is not fetched from the authoritative DNS server for the queried domain name.

First you have to understand how DNS system works. DNS system can be divided into three tiers. They are:

  • root DNS servers
  • top-level domain DNS servers
  • authoritative DNS servers

There's another class of DNS Server usually called local DNS server whose IP address is specified on your operating system.

When your browser connects to a website say example.com, the browser first queries your local DNS server to get the IP address of example.com.

  • If the local DNS server doesn't have the A record of example.com, it will query one of the root DNS servers.

  • The root DNS server will say: I don't have the A record but I know the top-level domain DNS server which is responsible for .com domains.

  • Then your local DNS server query the top-level domain DNS server which is responsible for .com domains. The TLD DNS server will respond: I don't know either but I know which DNS server is authoritative for example.com.

  • So your local DNS server queries the authoritative DNS server. Because the actual DNS record is stored on that authoritative DNS server, so it will give your local DNS server an answer.

Then this query result is cached on your local DNS server but it can be outdated. When the TTL time has expired, your local DNS server will update the query result from the authoritative DNS server. Whenever you query a DNS record on your local DNS server, it returns a non-authoritative (unofficial) answer. If you want an authoritative answer, you must explicitly specify the authoritative DNS server when you use nslookup or other utilities. I think a local DNS server should be called caching DNS server.

When someone registers a domain name, he/she can specify which DNS server is the authoritative DNS server. This information is called an NS record. The NS record will tell a top-level domain DNS server which nameserver holds the domain's A record, MX record, etc.

Solution 4:

From Wireshark Lab: DNS v6.01: However, nslookup also indicates that the answer is “non-authoritative,” meaning that this answer came from the cache of some server rather than from an authoritative MIT DNS server