DNS Recursive Resolution
DNS recursive resolution is the process by which a recursive resolver queries the DNS hierarchy on behalf of a client, walking from root servers down to an authoritative name server to obtain a definitive answer.
While How DNS Works gives a broad overview of the DNS lookup chain including caching, this diagram focuses specifically on the recursive resolver's behavior — the detailed query-response exchanges it performs when no cached answer is available.
A recursive resolver (also called a full-service resolver) takes on the burden of iteratively querying the DNS hierarchy so the client doesn't have to. When a stub resolver on your machine sends a query, it simply expects a final answer; the recursive resolver handles all intermediate steps.
The resolver starts by querying one of the 13 root server clusters. Root servers don't hold IP-to-hostname mappings — they only know which TLD name servers are authoritative for each top-level domain. The response is a referral: "I don't know, but ask these servers."
The resolver follows the referral to the appropriate TLD name server (e.g., .com TLD servers). Again it receives a referral — this time pointing to the domain's own authoritative name server. Only the authoritative server holds the actual resource records (A, AAAA, MX, CNAME, etc.) for the domain.
Each intermediate step typically involves a UDP query on port 53, with TCP fallback for responses larger than 512 bytes (or always with EDNS0). DNSSEC adds cryptographic signatures at each delegation step, allowing resolvers to verify that responses haven't been tampered with.
The final authoritative answer is returned up the chain and cached at the resolver with the record's TTL. This recursive pattern is why changing a DNS record doesn't propagate instantly — each resolver must wait for its cached copy to expire before re-querying the authoritative server. For privacy-focused variants of this process, see DNS over HTTPS Flow and DNS over TLS Flow.
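The walk and the TTL cache described above, as an added example that is not part of the original page: a small offline simulation of a resolver following referrals from root to TLD to authoritative server. The server names, the 192.0.2.x addresses, the `max_referrals` limit and the `now` clock parameter are all assumptions made for illustration; no real DNS traffic is sent.

```python
import copy

# Constructed sample data: three in-memory "servers" standing in for the root,
# the .com TLD and a domain's authoritative server (names/addresses are made up).
SERVERS = {
    "root":            {"referrals": {"com.": "tld-com"}},
    "tld-com":         {"referrals": {"example.com.": "ns1.example.com"}},
    "ns1.example.com": {"records": {("www.example.com.", "A"): ("192.0.2.10", 300)}},
}

class Resolver:
    def __init__(self, servers, max_referrals=8):
        self.servers = copy.deepcopy(servers)
        self.max_referrals = max_referrals
        self.cache = {}   # (name, rtype) -> (value, expiry time)
        self.trace = []   # every server queried, in order

    def query(self, server, name, rtype):
        """One exchange: ('answer', value, ttl), ('referral', server) or ('nodata',)."""
        self.trace.append(server)
        data = self.servers[server]
        record = data.get("records", {}).get((name, rtype))
        if record:
            return ("answer", *record)
        zones = [z for z in data.get("referrals", {}) if name == z or name.endswith("." + z)]
        if zones:  # follow the most specific delegation
            return ("referral", data["referrals"][max(zones, key=len)])
        return ("nodata",)

    def resolve(self, name, rtype, now):
        hit = self.cache.get((name, rtype))
        if hit and now < hit[1]:
            return hit[0]  # cached and within TTL: nothing is sent upstream
        server = "root"
        for _ in range(self.max_referrals):  # bound the walk against referral loops
            kind, *rest = self.query(server, name, rtype)
            if kind == "answer":
                value, ttl = rest
                self.cache[(name, rtype)] = (value, now + ttl)
                return value
            if kind == "nodata":
                return None
            server = rest[0]
        raise RuntimeError("referral limit exceeded")

if __name__ == "__main__":
    r = Resolver(SERVERS)
    print(r.resolve("www.example.com.", "A", now=0), r.trace)
```

Changing the record on the simulated authoritative server and resolving again before `now` reaches the cached expiry returns the old address without any upstream query, which is the propagation delay the paragraph above describes.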