Recursive resolution — how you reach an answer

Recursive from the user's side, iterative going outward

In Chapter 2 we saw how delegation splits responsibility between parent and child zones. In this chapter we follow the flow of queries — how that hierarchy is actually walked to reach the final answer.

Browsers and apps do not typically query root servers directly. What the user sees is the recursive resolver, and they ask it: "please return the final answer."

Meanwhile, when the recursive resolver goes out, it typically walks root → TLD → authoritative servers iteratively (step by step, one referral at a time). Once you separate these two layers, the words recursive (asking one party for the whole answer) and iterative (asking each level in turn) fall into place more easily.

A diagram of recursive resolution stepping through root, TLD, and authoritative servers — Even though the user's request is "please resolve this in one go," behind the scenes the resolver walks step by step, receiving referrals along the way.

Practice 3-1 — Walk the full-miss path by hand

First, confirm the basic path for a cache miss.

Chapter 3 / Practice 1

Q11. When the recursive resolver's cache is empty, which is closest to the typical flow for resolving `www.example.com A`?

A Authoritative server → root → .com → recursive resolver B root → .com → authoritative server C Browser → HTTP server → authoritative server D root → authoritative server → .com

Show hint

The root first tells you where to go for the TLD; the TLD tells you the authoritative servers beyond it.

Chapter 3 / Practice 2

Q12. Suppose the recursive resolver already has valid cached entries for the NS of `.com` and the NS of `example.com`, but not for `www.example.com A` itself. How many additional outbound queries are needed to obtain this final A record?

queries

Show hint

You already know where to go, so you only need to ask the place that holds the authoritative data.

Follow it with the simulator

The simulator below walks through an example of looking up www.example.com A. Toggling cache hits shows that outbound queries drop drastically in one stroke. In the practice questions, we count that difference as numbers.

Simulator behavior in plain text: On a full miss with empty caches, the recursive resolver first asks a root server and receives a referral to the .com NS. Next it asks the .com TLD server and gets a referral to the example.com NS. Finally it asks the example.com authoritative server and receives the final RRset for www.example.com A. That is 3 outbound queries in total. By contrast, when the recursive resolver already holds a valid cached copy of that RRset, it can answer with 0 outbound queries. When only some of the intermediate caches (root / TLD / parent NS) are present, the number drops by exactly that much.

Practice 3-2 — How many queries disappear with the cache

When many users share the same resolver, the gap between the first lookup and subsequent ones becomes enormous.

Chapter 3 / Practice 3

Q13. When the recursive resolver still has a valid cached entry, what happens with outbound queries to root / TLD / authoritative servers for the same name and type?

A 3 queries always happen B It can be 0 queries C The longer the TTL, the more queries are guaranteed D They are converted into HTTP

Show hint

Recall the cache-hit case from the simulator.

Chapter 3 / Practice 6

Q16. 20 users share the same recursive resolver. Only the first lookup is a full miss, and the remaining 19 lookups for the same `www.example.com A` happen inside the TTL. What is the total number of outbound queries to root / TLD / authoritative servers?

queries

Show hint

Only the first lookup walks root → TLD → authoritative server; after that the cache takes over.

Distinguish referral from authoritative answer

root and TLD servers usually do not return the final A / AAAA. Instead they return a referral: "for that, please go to this NS group." An authoritative server, by contrast, returns the authoritative data of the zone it is responsible for as an authoritative answer.

Response kind	Meaning	How it looks
referral	I do not hold the final answer, but I know where to go next	NS or glue appears in AUTHORITY / ADDITIONAL
authoritative answer	Returns the authoritative data of the zone it is responsible for	The final RRset appears in ANSWER
cached answer	Reuses previously obtained data while its TTL lasts	Looks like the final answer from the user's side, but is not necessarily straight from the authoritative server

You also need to distinguish NXDOMAIN (the name does not exist) from a NODATA-equivalent state (the name exists but only certain types are missing).

Practice 3-3 — Tell referral, NXDOMAIN, and NODATA apart

In troubleshooting, just separating "does the name not exist, or does the type not exist" already moves you forward.

Chapter 3 / Practice 4

Q14. Which is the most appropriate description of what root and TLD servers tend to return?

A An authoritative answer containing the final A / AAAA B A referral pointing to the NS group you should query next C Always NXDOMAIN D An HTTP 301 redirect

Show hint

It is the response "I do not hold the final answer, but I know where to go next."

Chapter 3 / Practice 5

Q15. Suppose the name `mail.example.com` itself exists and has only MX, with no A record. What is the closest description of the result of looking up `mail.example.com A`?

A The name itself does not exist, so you get NXDOMAIN B The name exists but there is no A, so it is NOERROR and no A is returned C It is always rewritten into a CNAME D It always becomes a DNSSEC error

Show hint

"The name does not exist" is different from "data of that type does not exist."

Recursive resolution — how you reach an answer

Recursive from the user's side, iterative going outward

Practice 3-1 — Walk the full-miss path by hand

Q11. When the recursive resolver's cache is empty, which is closest to the typical flow for resolving www.example.com A?

Q12. Suppose the recursive resolver already has valid cached entries for the NS of .com and the NS of example.com, but not for www.example.com A itself. How many additional outbound queries are needed to obtain this final A record?

Follow it with the simulator

Practice 3-2 — How many queries disappear with the cache

Q13. When the recursive resolver still has a valid cached entry, what happens with outbound queries to root / TLD / authoritative servers for the same name and type?

Q16. 20 users share the same recursive resolver. Only the first lookup is a full miss, and the remaining 19 lookups for the same www.example.com A happen inside the TTL. What is the total number of outbound queries to root / TLD / authoritative servers?

Distinguish referral from authoritative answer

Practice 3-3 — Tell referral, NXDOMAIN, and NODATA apart

Q14. Which is the most appropriate description of what root and TLD servers tend to return?

Q15. Suppose the name mail.example.com itself exists and has only MX, with no A record. What is the closest description of the result of looking up mail.example.com A?

Key takeaways from this chapter

Q11. When the recursive resolver's cache is empty, which is closest to the typical flow for resolving `www.example.com A`?

Q12. Suppose the recursive resolver already has valid cached entries for the NS of `.com` and the NS of `example.com`, but not for `www.example.com A` itself. How many additional outbound queries are needed to obtain this final A record?

Q16. 20 users share the same recursive resolver. Only the first lookup is a full miss, and the remaining 19 lookups for the same `www.example.com A` happen inside the TTL. What is the total number of outbound queries to root / TLD / authoritative servers?

Q15. Suppose the name `mail.example.com` itself exists and has only MX, with no A record. What is the closest description of the result of looking up `mail.example.com A`?