What Are Nameservers? A Practical Guide

Nameservers are the backbone of DNS. This guide explains what nameservers do, how they work, why your registrar asks you to set them, and how to check and change them.

Every domain on the internet has nameservers assigned to it. They are the starting point for every DNS lookup, the servers that tell the rest of the internet where to find your website, email, and every other service associated with your domain. If your nameservers are misconfigured or unreachable, your domain disappears from the internet entirely.

Despite their importance, most domain owners only think about nameservers twice: once when they register a domain and once when something breaks. This guide explains what nameservers are, how they fit into the DNS resolution process, and how to manage them correctly. For the broader picture of how DNS works, see DNS Resolution: How It Works.

What Nameservers Actually Do

A nameserver is a server that stores DNS records for one or more domains and responds to queries about those records. When someone types your domain into a browser, their DNS resolver eventually reaches your authoritative nameservers to get the IP address (or other record) needed to connect.

Think of it this way: your domain registrar is where you bought the domain name. Your nameservers are where you store the instructions for what that domain does. These can be the same company (many registrars provide DNS hosting) or different companies (you might register at Namecheap but use Cloudflare for DNS).

The nameserver assignment for a domain is stored at the registry level (the organization that manages the top-level domain, like Verisign for .com). When you set nameservers at your registrar, the registrar updates this record at the registry. From that point on, anyone looking up your domain is directed to those nameservers for the answer.

Types of Nameservers

Authoritative Nameservers

Authoritative nameservers hold the definitive DNS records for a domain. When a recursive resolver asks "what is the IP address of example.com?", the authoritative nameserver for example.com provides the answer.

Every domain has at least two authoritative nameservers for redundancy. If one goes down, the other continues answering queries. Most DNS providers assign two to four nameservers to each domain.

Examples of authoritative nameserver assignments:

example.com    NS    ns1.cloudflare.com
example.com    NS    ns2.cloudflare.com
example.com    NS    ns-1234.awsdns-56.org
example.com    NS    ns-789.awsdns-01.co.uk

Recursive Resolvers (Not Nameservers, but Often Confused)

Recursive resolvers are the servers that your device contacts to look up DNS records. They are sometimes called "DNS servers" or even "nameservers" in casual conversation, but they serve a different role. A recursive resolver does not hold authoritative records. Instead, it queries authoritative nameservers on your behalf, caches the results, and returns the answer to your device.

Common recursive resolvers include Google Public DNS (8.8.8.8), Cloudflare DNS (1.1.1.1), and your ISP's DNS servers. When your operating system's network settings ask for a "DNS server" address, it is asking for a recursive resolver, not an authoritative nameserver.

For more on public resolvers, see Public DNS Providers.

Root Nameservers

Root nameservers are the top of the DNS hierarchy. There are 13 root nameserver addresses (labeled a.root-servers.net through m.root-servers.net), each operated by a different organization and served by hundreds of physical servers worldwide through anycast.

When a recursive resolver has no cached answer for a query, it starts at the root nameservers. The root nameservers do not know the IP address of every domain. They know which nameservers are responsible for each top-level domain (.com, .org, .uk, etc.) and refer the resolver to those TLD nameservers. The TLD nameservers then refer the resolver to the domain's authoritative nameservers.

TLD Nameservers

TLD (top-level domain) nameservers are responsible for a specific domain extension. The .com TLD nameservers know the authoritative nameservers for every .com domain. The .org TLD nameservers know the authoritative nameservers for every .org domain.

You never interact with TLD nameservers directly. They are managed by the registry operators (Verisign for .com and .net, Public Interest Registry for .org, etc.).

How a DNS Query Uses Nameservers

When someone visits your website, the DNS resolution process follows a chain of nameserver queries. Here is the sequence for www.example.com, assuming no cached records:

  1. The user's device asks its configured recursive resolver for the IP address of www.example.com.
  2. The recursive resolver asks a root nameserver: "Who handles .com domains?"
  3. The root nameserver responds with the .com TLD nameservers.
  4. The recursive resolver asks a .com TLD nameserver: "Who handles example.com?"
  5. The TLD nameserver responds with the authoritative nameservers for example.com (e.g., ns1.dnsprovider.com).
  6. The recursive resolver asks the authoritative nameserver: "What is the A record for www.example.com?"
  7. The authoritative nameserver responds with the IP address.
  8. The recursive resolver returns the IP address to the user's device and caches the result.

This entire process typically takes 20-100ms. Cached results skip most of these steps.

Checking Your Current Nameservers

You can look up the nameservers assigned to any domain using command-line tools or online services.

Using dig

dig NS example.com +short

This returns the authoritative nameservers for the domain.

Using nslookup

nslookup -type=NS example.com

Using whois

whois example.com | grep -i "name server"

The whois output shows the nameservers registered at the registry level, which is the authoritative assignment.

For a comprehensive guide to checking DNS records, see How to Check DNS Records.

Changing Nameservers

You change nameservers at your domain registrar, not at your DNS provider. The process is straightforward but carries risk if done incorrectly.

When to Change Nameservers

Common reasons to change nameservers include:

  • Switching DNS providers. Moving from your registrar's default DNS to a dedicated provider like Cloudflare, Route 53, or Dnsimple.
  • Setting up a CDN. Services like Cloudflare require you to point your nameservers to their infrastructure to proxy your traffic.
  • Moving to managed hosting. Some hosting providers require their nameservers for certain features to work.

The Process

  1. Set up your DNS records at the new DNS provider first. Create all A, AAAA, CNAME, MX, TXT, and other records before changing nameservers. If you change nameservers before the records exist at the new provider, your domain will be unreachable during the transition.
  2. Note the new nameserver hostnames provided by your DNS provider (e.g., ns1.newprovider.com, ns2.newprovider.com).
  3. Log into your domain registrar.
  4. Find the nameserver settings for your domain.
  5. Replace the current nameservers with the new ones.
  6. Save the changes.

For a step-by-step walkthrough, see How to Change Nameservers.

Set up DNS records before changing nameservers

The most common mistake when switching DNS providers is changing nameservers before creating records at the new provider. This causes downtime because the new nameservers have no records to serve. Always set up your complete DNS zone at the new provider first.
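
A pre-cutover check for step 1 of the process, added here as an example and not part of the original guide: it asks the old and the new provider's nameservers directly for each record set and reports anything missing or different at the new provider. The function names are illustrative and the hostnames in the usage comment are placeholders.

```sh
# answer NAME TYPE SERVER: the record set one nameserver returns, asked
# directly (+norecurse) and sorted so record order is not a difference.
answer() {
  dig +norecurse +short "@$3" "$1" "$2" </dev/null | sort
}

# compare_providers OLD_NS NEW_NS: reads "name type" lines on stdin, prints
# one line per record set that would change at cutover, returns 1 if any do.
# Leave NS and SOA off the list: they legitimately differ between providers.
compare_providers() {
  old_ns=$1; new_ns=$2; bad=0
  while read -r name type; do
    [ -n "$name" ] && [ -n "$type" ] || continue
    old=$(answer "$name" "$type" "$old_ns")
    new=$(answer "$name" "$type" "$new_ns")
    if [ -n "$old" ] && [ -z "$new" ]; then
      echo "MISSING $name $type"; bad=1      # record set absent at new provider
    elif [ "$old" != "$new" ]; then
      echo "DIFFERS $name $type"; bad=1      # present, but the data changed
    fi
  done
  return $bad
}

# Usage (placeholder hostnames):
#   compare_providers ns1.oldprovider.example ns1.newprovider.example <<'EOF'
#   example.com A
#   www.example.com CNAME
#   example.com MX
#   example.com TXT
#   EOF
```

A non-zero exit status means the new zone is not yet safe to delegate to.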

Propagation Time

After changing nameservers, the update propagates through the DNS system. The registry (e.g., Verisign for .com) updates its records relatively quickly, usually within minutes. But DNS caches around the world may hold the old nameserver assignment for up to 48 hours, depending on TTL values.

During propagation, some users may be directed to the old nameservers and others to the new ones. This is normal. To minimize the impact, lower the TTL on your records at the old provider before changing nameservers, and keep both the old and new DNS providers active until propagation completes.

For more on this topic, see DNS Propagation Explained.

Nameserver Redundancy

Every domain should have at least two nameservers, and they should be on different networks. If both nameservers share the same data center or network, a single outage takes both offline and makes your entire domain unreachable.

Most DNS providers automatically assign nameservers on different networks and in different geographic locations. For critical domains, consider using nameservers from two entirely different DNS providers (a multi-provider strategy). This protects against provider-level outages. See Multi-DNS Provider Strategy.

The NS records themselves should have high TTL values (typically 86400 seconds, or 24 hours) because nameserver changes are infrequent and caching them widely reduces load on the TLD nameservers.

Nameserver Security

Nameservers are a high-value target for attackers. If someone compromises your nameserver records, they can redirect your domain's traffic anywhere.

Registry Lock

For critical domains, enable registry lock (also called domain lock) at your registrar. This prevents nameserver changes without additional verification, such as a phone call to the registrar's support team.

DNSSEC

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that the records came from the authoritative nameserver and were not tampered with in transit. When DNSSEC is enabled, even if an attacker intercepts DNS queries, they cannot forge responses that pass validation.

For more on DNSSEC, see What Is DNSSEC?.

Monitoring

Monitor your nameserver assignments for unauthorized changes. A nameserver hijack is one of the most damaging attacks on a domain because it gives the attacker complete control over where the domain's traffic goes. DNS monitoring tools alert you when nameserver records change, giving you time to respond before users are affected.

Common Nameserver Problems

Domain not resolving. If your domain suddenly stops working, the first thing to check is the nameserver assignment. Run dig NS yourdomain.com and verify the nameservers are correct and responding.

Mismatched nameservers. If the nameservers registered at the registrar do not match the nameservers actually hosting your DNS zone, queries may reach servers that have no records for your domain.

Lame delegation. This occurs when the nameserver records at the registry point to servers that do not have a zone configured for your domain. The nameserver receives the query but cannot answer it. This results in DNS errors and makes your domain unreachable.

Expired domain. When a domain expires, the registrar may change the nameservers to their own parking servers. Your original DNS records still exist at your DNS provider, but they are no longer being queried.
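
The mismatched-nameserver and lame-delegation cases above, and the monitoring advice before them, can be checked with dig by comparing what the parent zone delegates with what each delegated server actually answers. This is an added example, not part of the original guide; the function names are illustrative and the parent zone's nameserver is supplied by the caller.

```sh
# Parsers read dig text on stdin so they can be tested offline;
# check_delegation (live) needs dig and network access.

# extract_ns: NS targets from dig answer/authority lines, lowercased, sorted.
extract_ns() {
  awk '$4 == "NS" { print tolower($5) }' | sed 's/\.$//' | sort -u
}

# is_authoritative: succeeds only if the dig header shows NOERROR and the aa
# flag. Anchored on ";; flags:" because the EDNS line also contains "flags:".
is_authoritative() {
  awk '/^;; ->>HEADER<<-/ { ok = ($0 ~ /status: NOERROR/) }
       /^;; flags:/       { aa = ($0 ~ /^;; flags:[^;]* aa[ ;]/) }
       END                { exit !(ok && aa) }'
}

# delegation_diff PARENT_LIST CHILD_LIST: names present on one side only.
delegation_diff() {
  { printf '%s\n' "$1" | sed 's/^/P /'; printf '%s\n' "$2" | sed 's/^/C /'; } |
    awk 'NF == 2 && $1 == "P" { p[$2] = 1 }
         NF == 2 && $1 == "C" { c[$2] = 1 }
         END { for (n in p) if (!(n in c)) print "parent-only " n
               for (n in c) if (!(n in p)) print "child-only " n }' | sort
}

# check_delegation DOMAIN PARENT_SERVER: PARENT_SERVER is any nameserver of the
# parent zone (for a .com domain, one listed by `dig +short NS com.`).
check_delegation() {
  domain=$1; parent_srv=$2; rc=0
  parent=$(dig +norecurse +noall +authority +answer NS "$domain" "@$parent_srv" | extract_ns)
  [ -n "$parent" ] || { echo "no delegation for $domain at $parent_srv"; return 2; }
  for ns in $parent; do
    if dig +norecurse +noall +comments SOA "$domain" "@$ns" | is_authoritative; then
      child=$(dig +norecurse +noall +answer NS "$domain" "@$ns" | extract_ns)
      drift=$(delegation_diff "$parent" "$child")
      [ -z "$drift" ] || { echo "MISMATCH seen at $ns:"; echo "$drift"; rc=1; }
    else
      echo "LAME: $ns gave no authoritative answer for $domain"; rc=1
    fi
  done
  return $rc
}
```

Run on a schedule, a non-zero exit from `check_delegation` is the signal to alert on: 1 means a lame server or a parent/child mismatch, 2 means the parent returned no delegation at all.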

