DNS Server Types
DNS server classification by function. Authoritative, recursive, forwarding, master/slave, stub, and stealth roles.
DNS servers are categorized by function. A single BIND instance can serve multiple roles, but production best practice is role separation: an authoritative server exposed to the Internet should not also recurse for clients, because the two roles have different trust boundaries and a different attack surface.
Authoritative Server
```
options {
    recursion no;
};

zone "inside.domusdigitalis.dev" IN {
    type master;
    file "inside.domusdigitalis.dev.zone";
};
```
- Returns the `aa` (Authoritative Answer) flag in responses for the zones it serves
- Does not resolve names outside its own zones; with recursion disabled, BIND answers such queries with REFUSED
- Should have recursion disabled to prevent abuse: an authoritative server that also recurses is an open resolver for everyone who can reach it unless `allow-recursion` restricts it
- Can be master (primary) or slave (secondary)
```
dig @10.50.1.90 inside.domusdigitalis.dev SOA | grep "flags" | grep -o "aa"
```
Prints `aa` when the server is authoritative for the zone; no output means the answer was not authoritative.
Recursive Resolver (Caching Resolver)
```
options {
    recursion yes;
    allow-recursion { 10.50.0.0/16; 127.0.0.0/8; };
};
```
- Sets the `ra` (Recursion Available) flag in responses
- Caches answers to speed up repeated queries
- Must be restricted to trusted networks: an open resolver is a DDoS amplification and reflection source. `allow-recursion` limits who may recurse, and when `allow-query-cache` is not set explicitly BIND derives it from `allow-recursion`, so cached answers are restricted to the same clients
- What most clients point at in `/etc/resolv.conf`
```
dig @10.50.1.90 google.com A | grep "flags" | grep -o "ra"
```
Prints `ra` when the server offers recursion to the host running the query; run it from outside the trusted networks to confirm that it does not.
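The two `grep -o` checks above can be combined into one classifier. The following is an added shell example (not part of this page and not code from BIND) that parses the header of a `dig` response, reads the `aa` and `ra` flags and the status, and reports which role the server is playing for the client that ran the query: `authoritative-only`, `recursive`, `mixed` (authoritative and recursing, roles not separated) or `refused`. `probe_server` runs real `dig` queries against a server; the `SAMPLE_*` variables are constructed dig headers, not captured from a real server, so the logic can be exercised offline. The server address, zone and out-of-zone name are the placeholders used on this page.

```shell
#!/bin/sh
# Classify a DNS server's role from dig output. Added example, not from the page or from BIND.
# Constructed sample dig headers (not real captures): an authoritative-only server and a
# recursive resolver, each queried for an in-zone name and for an out-of-zone name.

SAMPLE_AUTH_IN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41001
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AUTH_OUT=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 41002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_REC_IN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41003
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_REC_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41004
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_MIXED_IN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41005
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Print the flag list from the ";; flags:" line, e.g. "qr aa rd".
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# Print the RCODE from the ";; ->>HEADER<<-" line, e.g. NOERROR or REFUSED.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# Succeed if flag $2 (aa, ra, ...) is present in the dig output $1.
has_flag() {
    case " $(dig_flags "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_role IN_ZONE_OUTPUT OUT_OF_ZONE_OUTPUT
# Prints one of: authoritative-only, recursive, mixed, refused, unclassified.
classify_role() {
    aa=no; ra=no
    has_flag "$1" aa && aa=yes
    has_flag "$1" ra && ra=yes
    out_status=$(dig_status "$2")
    if [ "$aa" = yes ] && [ "$ra" = yes ]; then
        echo mixed              # authoritative and recursing for us: roles not separated
    elif [ "$aa" = yes ] && [ "$out_status" = REFUSED ]; then
        echo authoritative-only
    elif [ "$ra" = yes ] && [ "$out_status" = NOERROR ]; then
        echo recursive          # an open resolver if we queried from an untrusted network
    elif [ "$aa" = no ] && [ "$out_status" = REFUSED ]; then
        echo refused            # neither authoritative for the name nor recursing for us
    else
        echo unclassified
    fi
}

# probe_server SERVER IN_ZONE_NAME OUT_OF_ZONE_NAME: live check with dig (needs network).
probe_server() {
    in_out=$(dig @"$1" "$2" SOA +tries=1 +time=3 || true)
    out_out=$(dig @"$1" "$3" A +tries=1 +time=3 || true)
    printf '%s: %s\n' "$1" "$(classify_role "$in_out" "$out_out")"
}

# Offline demonstration on the constructed samples.
printf 'authoritative sample: %s\n' "$(classify_role "$SAMPLE_AUTH_IN" "$SAMPLE_AUTH_OUT")"
printf 'recursive sample:     %s\n' "$(classify_role "$SAMPLE_REC_IN" "$SAMPLE_REC_OUT")"
printf 'mixed sample:         %s\n' "$(classify_role "$SAMPLE_MIXED_IN" "$SAMPLE_REC_OUT")"
# Live use, e.g.: probe_server 10.50.1.90 inside.domusdigitalis.dev google.com
```

Run `probe_server` twice, once from inside the trusted network and once from outside it: an authoritative-only server should come back `authoritative-only` from both, and a correctly restricted resolver should come back `recursive` inside and `refused` outside. `mixed` from the outside is the case role separation is meant to prevent.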
Forwarding Resolver
```
options {
    forwarders { 10.50.1.50; 8.8.8.8; };
    forward first;
};
```
- Does not contact root/TLD servers directly; recursive queries are sent to the listed forwarders
- `forward first`: try the forwarders, fall back to iterative resolution if they fail to answer
- `forward only`: use the forwarders or return SERVFAIL, no fallback
- Reduces outbound DNS traffic and centralizes caching upstream
- Forwarding only applies to queries the server would recurse for, so it still needs `recursion yes` and an `allow-recursion` list restricted to trusted networks
Master (Primary) Server
```
zone "inside.domusdigitalis.dev" IN {
    type master;
    file "inside.domusdigitalis.dev.zone";
    allow-transfer { 10.50.1.3; };
    also-notify { 10.50.1.3; };
};
```
- Zone edits happen here; this is the single source of truth
- Sends NOTIFY to the servers in the zone's NS RRset when the zone changes
- Slaves pull updates via AXFR/IXFR zone transfers; `allow-transfer` should list only the slaves, otherwise anyone who can reach the server can dump the whole zone
- `also-notify` adds NOTIFY targets that are not in the NS RRset (for example stealth slaves), so they resync immediately instead of waiting for the SOA refresh timer
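`allow-transfer` is only as good as its verification. The following added shell example (not from this page and not code from BIND) asks a server for a full zone transfer with `dig AXFR` and decides from the output whether the zone was handed over; run `check_transfer` from a host that is not in `allow-transfer` and expect `denied`. The two `SAMPLE_*` variables are constructed dig outputs, not real captures, used to exercise the parser offline; the addresses and zone name are the placeholders used on this page.

```shell
#!/bin/sh
# Zone transfer exposure check. Added example, not code from the page or from BIND.

# Constructed outputs (not real captures). dig prints "; Transfer failed." when the
# server refuses AXFR, and an ";; XFR size:" summary line when the transfer succeeds.
SAMPLE_AXFR_DENIED='; <<>> DiG 9.18.24 <<>> @10.50.1.2 inside.domusdigitalis.dev AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_AXFR_ALLOWED='; <<>> DiG 9.18.24 <<>> @10.50.1.2 inside.domusdigitalis.dev AXFR
; (1 server found)
;; global options: +cmd
inside.domusdigitalis.dev. 3600 IN SOA ns1.inside.domusdigitalis.dev. hostmaster.inside.domusdigitalis.dev. 2024060101 3600 900 604800 300
inside.domusdigitalis.dev. 3600 IN NS ns1.inside.domusdigitalis.dev.
inside.domusdigitalis.dev. 3600 IN NS ns2.inside.domusdigitalis.dev.
ns1.inside.domusdigitalis.dev. 3600 IN A 10.50.1.2
ns2.inside.domusdigitalis.dev. 3600 IN A 10.50.1.3
inside.domusdigitalis.dev. 3600 IN SOA ns1.inside.domusdigitalis.dev. hostmaster.inside.domusdigitalis.dev. 2024060101 3600 900 604800 300
;; Query time: 3 msec
;; SERVER: 10.50.1.2#53(10.50.1.2) (TCP)
;; WHEN: Sat Jun 01 12:00:00 UTC 2024
;; XFR size: 6 records (messages 1, bytes 263)'

# axfr_verdict DIG_OUTPUT: prints "denied", "allowed", or "error" (timeout, no server, ...).
axfr_verdict() {
    if printf '%s\n' "$1" | grep -q '^; Transfer failed\.'; then
        echo denied
    elif printf '%s\n' "$1" | grep -q '^;; XFR size:'; then
        echo allowed
    else
        echo error
    fi
}

# axfr_record_count DIG_OUTPUT: number of RRs transferred, 0 when nothing was handed over.
axfr_record_count() {
    printf '%s\n' "$1" | sed -n 's/^;; XFR size: \([0-9]*\) records.*/\1/p' | grep . || echo 0
}

# check_transfer SERVER ZONE: live check (needs network). Returns 1 when the zone is
# exposed, so the function can gate a CI job or a nightly audit. dig's exit status is
# not used because it varies between failure modes; the verdict comes from the output.
check_transfer() {
    out=$(dig @"$1" "$2" AXFR +tries=1 +time=5 2>&1 || true)
    v=$(axfr_verdict "$out")
    printf '%s %s: %s' "$1" "$2" "$v"
    if [ "$v" = allowed ]; then
        printf ' (%s records leaked)\n' "$(axfr_record_count "$out")"
        return 1
    fi
    printf '\n'
}

# Offline demonstration on the constructed samples.
printf 'denied sample:  %s\n' "$(axfr_verdict "$SAMPLE_AXFR_DENIED")"
printf 'allowed sample: %s (%s records)\n' "$(axfr_verdict "$SAMPLE_AXFR_ALLOWED")" "$(axfr_record_count "$SAMPLE_AXFR_ALLOWED")"
# Live use from a host outside allow-transfer, e.g.: check_transfer 10.50.1.2 inside.domusdigitalis.dev
```

Run the same check from the slave itself (10.50.1.3 in the configuration above) to confirm that the one permitted transfer still works; `allowed` from the slave and `denied` from everywhere else is the expected pair of results.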
Slave (Secondary) Server
```
zone "inside.domusdigitalis.dev" IN {
    type slave;
    masters { 10.50.1.2; };
    file "slaves/inside.domusdigitalis.dev.zone";
};
```
- Periodically checks the master's SOA serial (on the zone's refresh timer), and immediately when it receives a NOTIFY
- Pulls a new copy via AXFR/IXFR if the serial has incremented
- Provides redundancy: keeps answering queries if the master is down, until the SOA expire timer runs out
- Zone file is written by named, so the directory must be writable by the named user
- BIND 9.16 and later also accept `type secondary;` and `primaries { ... };` as synonyms for `slave` and `masters`
```
sudo rndc retransfer inside.domusdigitalis.dev
```
Forces an immediate transfer from the master regardless of the serial, which is the quickest way to confirm that `allow-transfer` on the master admits this slave.
Stub Server
```
zone "lab.example.com" IN {
    type stub;
    masters { 10.50.2.10; };
};
```
- Maintains only the SOA and NS records (and the glue addresses for the NS names), not the full zone
- Lighter than a slave: no AXFR, less storage
- Use when you need delegation awareness without hosting the zone
- Updates its NS records automatically when the master's NS set changes
Stealth Server
A stealth (hidden) server is a server for a zone that is not listed in the zone's NS records. Most often it is the master: it is the actual source of zone data, but clients never query it directly, only the slaves do.
- Not listed in NS records, so resolvers following the delegation never find it
- Slaves replicate from it and serve the public
- Keeps direct query traffic and attacks off the master, but only if access is also enforced: restrict `allow-query` and `allow-transfer` to the slaves and firewall the host, because absence from the NS RRset is not an access control
- A stealth slave, conversely, receives no NOTIFY unless the master lists it in `also-notify`
- Common in enterprise DNS architectures
Role Comparison
| Role | Recursion | Zone Data | Typical Use |
|---|---|---|---|
| Authoritative-only | No | Master or slave | Public DNS, zone hosting |
| Recursive/caching | Yes | None (cache only) | Client resolver |
| Forwarding | Via upstream | None | Internal resolver with upstream delegation |
| Master | Optional | Writable original | Zone editing, AXFR source |
| Slave | Optional | Read-only replica | Redundancy, geographic distribution |
| Stub | Optional | SOA and NS only | Delegation awareness without hosting the zone |
| Stealth (hidden master) | Optional | Writable original, not in NS RRset | Source for public slaves |
See Also
- Authoritative — authoritative server deep dive
- Recursive — recursive resolver deep dive
- Forwarders — forwarding resolver deep dive