
Recursive Resolver

The workhorse of everyday DNS. A recursive resolver accepts queries from clients and does whatever it takes to find a definitive answer — querying root servers, TLD servers, and authoritative nameservers on your behalf.

Overview

The "Full-Service" Resolver

When your browser needs to resolve thedns.guru into an IP address, the request goes first to a recursive resolver — typically the one configured by your DHCP server or manually set in your network settings.

Unlike stub resolvers (the minimal resolver built into your operating system), a recursive resolver will follow the DNS delegation tree from root to TLD to authoritative nameserver until it has a definitive answer. It then caches the result for the record's TTL and returns it to the client.

The word "recursive" refers to the Recursion Desired (RD) flag in the query header, which asks the resolver to perform the full lookup on the client's behalf rather than returning a referral.

~1ms: cached response
20–100ms: cold resolution
3–4: upstream queries

Key Distinction: Recursive resolvers perform the entire lookup chain. Authoritative nameservers only answer for their own zones. A recursive resolver never has zone authority — it only relays and caches answers.
Resolution Algorithm

How a Recursive Resolver Works

Step-by-step resolution when no cache entry exists

1. Client sends a query

Your OS stub resolver sends a UDP (or TCP) DNS query to the configured recursive resolver, typically on port 53. The query sets the RD (Recursion Desired) bit to 1.

    dig thedns.guru @1.1.1.1

2. Resolver checks its cache

The resolver first looks up the QNAME in its local cache. If a valid (non-expired) entry exists — positive or negative — it returns it immediately without any upstream queries.

3. Priming / root hints query

On a cache miss, the resolver consults its root hints file to find the addresses of root nameservers. If the resolver's cache of root NS records has expired, it performs a "priming query" to refresh them.

4. Iterative queries down the hierarchy

The resolver queries a root nameserver for the QNAME. The root returns a referral to the TLD nameservers. The resolver then queries the TLD, which refers it to the authoritative nameservers. Finally, the authoritative NS returns the answer.

5. DNSSEC validation (if enabled)

Validating resolvers verify the chain of trust from the IANA root KSK through the zone's DNSKEY and RRSIG records. If validation fails, SERVFAIL is returned to the client.

6. Cache the response, return to client

The resolver stores each response in its cache keyed by (QNAME, QTYPE, QCLASS) for the record's TTL. The answer is returned to the client. Subsequent queries for the same name are served from cache.
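The referral walk in steps 3, 4 and 6, as an added example that is not thedns.guru's own code: a toy resolver follows a constructed delegation tree from root hints through the TLD to the authoritative server and caches the result keyed by (QNAME, QTYPE, QCLASS). Every server name, address and record below is constructed sample data, not real DNS.

```python
# Constructed root hints and three constructed nameservers (root, TLD, authoritative).
# Each server either REFERS a query further down or ANSWERS for names it is authoritative for.
ROOT_HINTS = {"a.root-servers.example": "198.51.100.1"}   # constructed, not the real root hints

SERVERS = {
    # root: knows only which servers are responsible for .guru
    "198.51.100.1": {"referral": {"guru.": "192.0.2.53"}},
    # TLD server for .guru: refers thedns.guru. to its authoritative nameserver
    "192.0.2.53": {"referral": {"thedns.guru.": "203.0.113.10"}},
    # authoritative for thedns.guru.: holds the actual records (rdata, ttl)
    "203.0.113.10": {"answer": {("thedns.guru.", "A", "IN"): ("203.0.113.80", 300)}},
}


def _delegation_points(qname):
    """Yield the zone cuts a server might know, most specific first: 'www.thedns.guru.' ... 'guru.' '.'"""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def resolve(qname, qtype="A", qclass="IN", cache=None, max_hops=8):
    """Iteratively resolve qname. Returns (rcode, rdata, ttl); rdata and ttl are None unless NOERROR."""
    cache = cache if cache is not None else {}
    key = (qname, qtype, qclass)                 # step 6: cache key is the (QNAME, QTYPE, QCLASS) tuple
    if key in cache:                             # step 2: a cached entry short-circuits everything
        return cache[key]
    server = next(iter(ROOT_HINTS.values()))     # step 3: start at a root server from the hints
    for _ in range(max_hops):                    # step 4: follow referrals down the hierarchy
        node = SERVERS[server]
        if "answer" in node:                     # reached an authoritative server
            if key in node["answer"]:
                rdata, ttl = node["answer"][key]
                cache[key] = ("NOERROR", rdata, ttl)
            else:
                cache[key] = ("NXDOMAIN", None, None)   # authoritative says the name does not exist
            return cache[key]
        # pick the most specific delegation this server knows about for the QNAME
        nxt = next((node["referral"][z] for z in _delegation_points(qname) if z in node["referral"]), None)
        if nxt is None:
            return ("SERVFAIL", None, None)      # no usable referral: treated as a resolution failure
        server = nxt
    return ("SERVFAIL", None, None)              # guard against referral loops
```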

Caching

Cache Behavior & TTL

Caching is what makes DNS fast at scale

Positive Cache

Successful DNS responses are cached for the record's TTL. During this window any identical query is answered from cache without contacting upstream servers.

Negative Cache (RFC 2308)

NXDOMAIN (name does not exist) responses are also cached, up to the SOA minimum TTL or the value in the AUTHORITY section — whichever is smaller.

Serve-Stale (RFC 8767)

Some resolvers can serve expired cache entries for a configurable window while re-validating in the background, reducing latency during upstream outages.

TTL Floor / Ceiling

Resolvers may enforce a minimum TTL (e.g., 30 seconds) to prevent cache thrashing, and a maximum TTL to limit stale data. These are configurable in resolver software.
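The four cache behaviours above (positive TTL, RFC 2308 negative caching, a serve-stale window, and a TTL floor/ceiling) combined in one small cache, written here as an added example rather than code from thedns.guru or any resolver. The clock is passed in explicitly so the behaviour is deterministic; all timings and records are constructed.

```python
class ResolverCache:
    """Toy resolver cache keyed by (QNAME, QTYPE, QCLASS), with the TTL policies described above."""

    def __init__(self, ttl_floor=30, ttl_ceiling=86400, stale_window=0):
        self.ttl_floor = ttl_floor            # minimum TTL, prevents cache thrashing on tiny TTLs
        self.ttl_ceiling = ttl_ceiling        # maximum TTL, bounds how long data can go stale
        self.stale_window = stale_window      # RFC 8767 style: seconds past expiry we may still answer
        self._entries = {}                    # key -> (rcode, rdata, expires_at)

    def _clamp(self, ttl):
        # apply the floor and ceiling before computing the expiry time
        return max(self.ttl_floor, min(ttl, self.ttl_ceiling))

    def store_positive(self, key, rdata, ttl, now):
        """Positive cache: keep a successful answer for the record's (clamped) TTL."""
        self._entries[key] = ("NOERROR", rdata, now + self._clamp(ttl))

    def store_negative(self, key, soa_minimum, soa_ttl, now):
        """Negative cache (RFC 2308): NXDOMAIN lives for min(SOA MINIMUM, TTL of the SOA in AUTHORITY)."""
        self._entries[key] = ("NXDOMAIN", None, now + self._clamp(min(soa_minimum, soa_ttl)))

    def lookup(self, key, now):
        """Return (rcode, rdata, 'fresh'|'stale'), or None on a miss (including fully expired entries)."""
        entry = self._entries.get(key)
        if entry is None:
            return None
        rcode, rdata, expires_at = entry
        if now < expires_at:
            return (rcode, rdata, "fresh")
        if now < expires_at + self.stale_window:
            return (rcode, rdata, "stale")      # serve-stale: caller should refresh upstream in the background
        del self._entries[key]                  # past the stale window: evict and force a cold resolution
        return None
```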

Cache Poisoning Risk: Attackers have historically tried to inject forged answers into resolver caches (Kaminsky attack, 2008). Modern resolvers mitigate this with source port randomization, 0x20 encoding, and DNSSEC validation. Always use a resolver that supports DNSSEC.
Public Resolvers

Choosing a Recursive Resolver

Popular third-party options beyond your ISP's default

🟠 Cloudflare
1.1.1.1 / 1.0.0.1

Privacy-first resolver that does not log querier IPs. Consistently fastest globally. Also offers 1.1.1.2 (malware blocking) and 1.1.1.3 (malware + adult content).

🔵 Google Public DNS
8.8.8.8 / 8.8.4.4

Largest DNS service by query volume. Strong anycast network with global coverage. Logs limited metadata for 48 hours and anonymized data for longer-term analysis.

🟣 Quad9
9.9.9.9 / 149.112.112.112

Security-focused resolver that blocks malicious domains using 25+ threat intel feeds. Non-profit operated. Strong privacy policy with no IP logging.

OpenDNS (Cisco)
208.67.222.222 / 208.67.220.220

Offers both a free tier and enterprise FamilyShield (adult content filtering). One of the earliest public DNS services. Supports DNSSEC validation.

🟢 NextDNS
Custom per account

Fully configurable cloud-based resolver with per-device logs, blocklists, parental controls, and analytics. Free tier available; paid plans for higher query volume.

🔘 ISP Resolver
Assigned via DHCP

Default for most home users. Performance varies widely by provider. Typically located geographically close to you. May inject ads on NXDOMAIN or log queries.

Transport Protocols

DNS-over-? — Encrypted Resolver Protocols

Classic DNS sends queries in plaintext. These protocols add encryption.

Protocol | Port | Standard | Notes
DNS (classic) | 53 | RFC 1035 | UDP preferred; falls back to TCP when the response is truncated (over 512 bytes, or over the larger buffer advertised with EDNS(0)).
DNS-over-TLS (DoT) | 853 | RFC 7858 | Wraps DNS in TLS. Dedicated port, so it is easy for network admins to block.
DNS-over-HTTPS (DoH) | 443 | RFC 8484 | Sends DNS queries as HTTPS POST/GET. Blends with web traffic; hard to block.
DNS-over-QUIC (DoQ) | 853 | RFC 9250 | Uses QUIC transport (0-RTT resume). Lowest-latency encrypted option.
DNSCrypt | 443 / 5443 | (not an IETF standard) | Older protocol by OpenDNS. Widely deployed despite lacking a standard.

Recommendation: Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to prevent your ISP or on-path observers from seeing which domains you resolve. Most modern operating systems, browsers, and home routers support at least one of these protocols natively.
Diagnostics

Testing Your Recursive Resolver

Useful commands for querying and debugging resolver behavior

Query a specific resolver

    # Send query to Cloudflare resolver
    dig thedns.guru A @1.1.1.1

    # Check DNSSEC validation
    dig thedns.guru +dnssec @8.8.8.8

    # Query over DoT with kdig
    kdig thedns.guru @tls://1.1.1.1

Inspect resolver cache

    # Windows — view local DNS cache
    ipconfig /displaydns

    # Windows — flush local cache
    ipconfig /flushdns

    # Linux (systemd-resolved)
    resolvectl statistics
    resolvectl flush-caches

Trace the full resolution

    # Trace delegation from root down
    dig thedns.guru +trace

    # Show authority section
    dig thedns.guru +noall +authority

Test DoH endpoint

    # Query Cloudflare via DoH (curl), JSON API
    curl -s "https://1.1.1.1/dns-query?name=thedns.guru&type=A" \
      -H "accept: application/dns-json" \
      | jq .