For some domains nslookup gives me a "Non-authoritative answer" section. What does this mean?
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional =
QUESTIONS:
www.example.com.SME, type = AAAA, class = IN
AUTHORITY RECORDS:
-> (root)
ttl = 1787 (29 mins 47 secs)
primary name server = a.root-servers.net
responsible mail addr = nstld.verisign-grs.com
------------
Non-authoritative answer:
------------
------------
Name: example.com
Address: 93.184.216.34
Aliases: www.example.com
Basically, it's what the name says it is. An authoritative answer comes from a nameserver that is considered authoritative for the domain which it's returning a record for (one of the nameservers in the list for the domain you did a lookup on), and a non-authoritative answer comes from anywhere else (a nameserver not in the list for the domain you did a lookup on).
It's basically a distinction between a nameserver that's an official nameserver for the domain you're querying, and a nameserver that isn't. Nameservers that aren't authoritative are getting their answers second (or third or fourth...) hand - just relaying the information along from somewhere else.
So, for example, if I did an nslookup of maps.google.com right now, I would get a response from one of my configured nameservers (either from my ISP, or my domain). It would come back as non-authoritative because neither my ISP's nameservers nor my own are in the list of nameservers for google.com. They aren't Google's nameservers, so they're not the authoritative source that creates the NS records. The list of authoritative nameservers for Google is below (from whois.internic.net).
If I changed my configured DNS server to one of the ones in that list, and then did an nslookup against maps.google.com, I'd get an authoritative answer back. Those servers are the authority (or source) for what are valid names in Google's domains, and what aren't. All other nameservers, non-authoritative nameservers, get their NS records from the authoritative servers somewhere down the line.
Non-authoritative answer simply means the answer is not fetched from the authoritative DNS server for the queried domain name.
First you have to understand how the DNS system works. The DNS system can be divided into three tiers. They are:
There's another class of DNS server, usually called the local DNS server, whose IP address is specified on your operating system.
When your browser connects to a website say example.com, the browser first queries your local DNS server to get the IP address of example.com.
If the local DNS server doesn't have the A record of example.com, it will query one of the root DNS servers.
The root DNS server will say: I don't have the A record but I know the top-level domain DNS server which is responsible for .com domains.
Then your local DNS server queries the top-level domain DNS server which is responsible for .com domains. The TLD DNS server will respond: I don't know either, but I know which DNS server is authoritative for example.com.
Then this query result is cached on your local DNS server, but it can be outdated. When the TTL has expired, your local DNS server will update the query result from the authoritative DNS server. Whenever you query a DNS record on your local DNS server, it returns a non-authoritative (unofficial) answer. If you want an authoritative answer, you must explicitly specify the authoritative DNS server when you use nslookup or other utilities. I think a local DNS server should be called a caching DNS server.
When someone registers a domain name, he/she can specify which DNS server is the authoritative DNS server. This information is called an NS record. The NS record will tell a top-level domain DNS server which nameserver holds the domain's A record, MX record, etc.
The answer you've received is essentially a cached or forwarded response from your local DNS server. Basically, a non-authoritative name server is one that does not contain the records for the zone being queried; your local DNS is likely not going to have Google's name records, for example.
You can get the name servers that are authoritative for a given domain by running host -t ns example.com to retrieve the NS record for example.com. In the case of Google, we see:
If you subsequently run your nslookup command against one of those servers, you will get the authoritative answer:
If you're using nslookup, to get the NS record type, you can run something like this in interactive mode:
So, setting querytype=ns does what the above host command did.
From Wireshark Lab: DNS v6.01:
However, nslookup also indicates that the answer is “non-authoritative,” meaning that this answer came from the cache of some server rather than from an authoritative MIT DNS server
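What separates the "authoritative" from the "non-authoritative" label in the answers above is a single header bit on the wire, the AA (Authoritative Answer) flag, which nslookup checks on every response. The following Python is an added example, not code from any of the answers: it constructs two sample A-record responses for www.example.com (the same name and address as in the question), one with AA set and one without, and parses them the way a client would.

```python
import socket
import struct

AA_FLAG = 0x0400  # "Authoritative Answer" bit in the DNS header flags

def encode_name(name):  # dotted name -> wire-format labels
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(data, off):  # wire-format name -> (dotted name, offset after it)
    labels, end = [], None
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), end if end is not None else off

def build_response(qname, ip, authoritative, ttl=1787, txid=3):
    """Constructed sample A-record response; the AA bit is set only when authoritative=True."""
    flags = 0x8180 | (AA_FLAG if authoritative else 0)  # QR + RD + RA (+ AA)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)  # qd=1, an=1, ns=0, ar=0
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer

def parse_response(data):
    """Return the AA label, rcode and A answers: the fields nslookup bases its output on."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):  # skip the question section (name + type + class)
        _, off = decode_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1:
            answers.append((name, ttl, socket.inet_ntoa(data[off:off + rdlen])))
        off += rdlen
    label = "Authoritative" if flags & AA_FLAG else "Non-authoritative"
    return {"label": label, "rcode": flags & 0xF, "answers": answers}
```

Calling parse_response(build_response("www.example.com", "93.184.216.34", False)) yields the "Non-authoritative" label a caching resolver produces, while the same call with True yields "Authoritative"; the parser also works on a raw UDP reply read from a socket.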
Non-authoritative name servers do not contain the original source files of a domain's zone. They have a cache file for the domains that is constructed from all the DNS lookups done previously. If a DNS server that doesn't have the original file responds to a DNS query, that is known as a non-authoritative answer.
If you are looking for an even clearer explanation of how servers connect and network with each other, refer to: https://www.cloudflare.com/en-in/learning/dns/what-is-dns/.
The above link shares detailed insights on exactly how the DNS system works.