
What is an NS Record in DNS?

Published on April 10, 2024

Quick Definition: NS records point users to the authoritative name servers that host all the other DNS records for your domain.

DNS is the lifeblood of the internet; without converting human-readable names to IP addresses, navigating to our favorite website would be much more cumbersome and common failover techniques less reliable. It acts like a giant phone book, where you look up a name to find the associated number/IP address to contact that server.

For all the DNS records we create, one record is the glue that holds them all together: the name server (NS) record. Without NS records, all other records are useless. So, what do NS records do? Why are they so crucial? How do we set them up? 

Today, we'll answer these questions as we examine the record type that puts the NS into DNS!

What are NS Records?

NS records point clients to the server that holds all your other DNS records. This server is also known as the authoritative server, as it is the primary source for resolving records for your domain. 

To better understand NS records, think about the phone book analogy again. If you want to look up someone's number, you at least need to know what city's phone book to look in.

Once you know that, it's just a matter of finding their name and their phone number. For DNS, the phone book is the name server, and the NS records tell you which phone book to check.

You can see now that DNS lookups are almost impossible without NS records. The internet depends on these resolution heroes. So, what do NS records actually look like?

Components of NS Records

NS records have three main components: the domain name, the TTL (or time to live, how long a client should cache a record), and the value (the host name of an authoritative name server, which an A record in turn resolves to an IP address).

If we do an NS lookup against cbtnuggets.com using a handy tool like DNSChecker, here's what is returned (as of this article's publication date):

0 Name : cbtnuggets.com | value: ns-1154.awsdns-16.org. | ttl: 60
1 Name : cbtnuggets.com | value: ns-118.awsdns-14.com. | ttl: 60
2 Name : cbtnuggets.com | value: ns-1991.awsdns-56.co.uk. | ttl: 60
3 Name : cbtnuggets.com | value: ns-764.awsdns-31.net. | ttl: 60

There are multiple records, which is handy for load balancing and failover. The TTLs are 60 seconds. You can also easily see who's hosting the authoritative name servers for our domain: AWS, using their Route 53 DNS service. 

Load Balancing and NS Records 

Speaking of load balancing, NS records conveniently have this feature baked in. Typically a DNS host will provide multiple values to set for your NS records (four is common, like the AWS example, but per the RFC standard, two is mandatory). 

Clients treat these records differently; some will try the first record, and some will randomly pick one. To avoid overloading the first server, the values might be sent to you randomly. Either way, the load is distributed across all the given name servers. 

For failover, the behavior is as you might expect: the client tries one server, and if it does not get a response in the expected amount of time, it goes down the list and tries servers until it receives a reply.

Who's Got the Record?

The astute admin might notice a problem brewing. An authoritative server is required for looking up a domain's DNS records. An NS record is a DNS record that points you to a nameserver. So, without knowing where the authoritative server for a domain is, how do you find the NS record? In other words, you don't know which city's phone book to check for someone's number, but the correct phone book tells you their city.

The answer is (thankfully) simple: nameservers don't hold NS records, TLD servers do. Let's go through resolving an NS record step by step:

  1. You type cbtnuggets.com. Your computer asks your local DNS server (the one you got from DHCP) for the record, but it doesn't have it cached. 

  2. It reaches out to the root servers, which maintain a list of authoritative servers for all top-level domains (TLDs are the .coms, .orgs, etc.). The root server points your DNS server over to the .com TLD servers. 

  3. The .com TLD servers respond with the NS record for cbtnuggets.com.

  4. Your DNS server reaches out to Route 53 and asks for the A record for cbtnuggets.com.

  5. Finally, your DNS server returns the resolved record to you.

Authoritative and Non-Authoritative Name Servers

In this example, the server the NS record ultimately points you to is the authoritative server. It holds the original and complete zone file, which contains all the DNS records for the domain. The file is directly updated when you edit DNS records on Route 53 or whatever service hosts your DNS.

After the whole lookup process finishes, your DNS server caches the A record for cbtnuggets.com; it stores it for the duration of the TTL to answer other queries without completing the whole process. That DNS server becomes a non-authoritative server. It can resolve the record, but only temporarily, and it does not store the original record, just a copy.
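The lookup steps, the failover behavior, and the cached (non-authoritative) answer described above can be modeled in a few lines. This is an added example, not code from the original article; the server names, the 192.0.2.10 address, and the Resolver class are constructed for illustration, and the model is simplified (it caches only the final answer).

```python
import time

# Constructed toy data, not real DNS: each server maps an owner name to
# (record type, values, TTL). None simulates a server that never answers.
SERVERS = {
    "root": {"com.": ("NS", ["tld-com"], 172800)},
    "tld-com": {"cbtnuggets.com.": ("NS", ["ns-a.dnshost.example.", "ns-b.dnshost.example."], 60)},
    "ns-a.dnshost.example.": None,
    "ns-b.dnshost.example.": {"cbtnuggets.com.": ("A", ["192.0.2.10"], 60)},
}

class Resolver:
    """Simplified recursive resolver: follows NS referrals, fails over, caches answers."""

    def __init__(self, servers, clock=time.monotonic):
        self.servers, self.clock = servers, clock
        self.cache, self.trace = {}, []

    def _ask(self, server, name):
        zone = self.servers.get(server)
        if zone is None:
            raise TimeoutError(server)
        # Most specific owner name that equals the query or is a parent of it.
        matches = [o for o in zone if name == o or name.endswith("." + o)]
        if not matches:
            raise LookupError(f"{server} has nothing for {name}")
        return zone[max(matches, key=len)]

    def resolve(self, name):
        cached = self.cache.get(name)
        if cached and cached[1] > self.clock():
            return cached[0], "cache (non-authoritative)"
        candidates = ["root"]
        while candidates:
            server = candidates.pop(0)
            try:
                rtype, values, ttl = self._ask(server, name)
            except TimeoutError:
                self.trace.append(f"{server} timeout")  # failover: try the next NS
                continue
            self.trace.append(f"{server} {rtype}")
            if rtype == "A":
                self.cache[name] = (values, self.clock() + ttl)
                return values, "authoritative"
            candidates = list(values)  # referral: ask the servers the NS records name
        raise LookupError(f"no name server answered for {name}")
```

The trace attribute records which server answered at each step, so you can see the referral chain and the skipped name server after a call to resolve().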

NS Records in Action

When you register a domain, many registrars will automatically host your DNS for you and set your NS record to point to themselves. But if you want to host your DNS elsewhere, you must modify the NS record. You, however, have zero access to update anything on the TLD servers. 

So, how do you edit your NS records? Who has the power to update the TLD servers?!

Domain registrars do. Your registrar should have a way to set your NS records somewhere in their web interface, which they then pass along to the TLD servers on your behalf.

Registrars have authority for your domain to do this; they are the ones who "bought" it on your behalf, after all. However, registering a domain is a completely different process from setting DNS records; NS records exist in this other realm, removed from your other records.

Every registrar's web interface and specific process will be slightly different. If it isn't obvious after logging into your account, a quick search of their help docs or contacting support should get you to the right spot.

The only other thing you need is the actual NS values, which will come from your DNS host. Again, their site or help docs should get you the correct values.

Handling Common Challenges in NS Record Configuration

Setting NS records is simple but not always bulletproof. Here are some issues to be aware of.

  • Propagation Delays: With NS records, you update your registrar, and they update the TLD servers. How quickly do registrars send these updates? It varies and most won't give you a specific answer; since the process is a little opaque, don't be surprised about longer delays.

  • Account Security: Protect your registrar login credentials and always use MFA! This account is the key to your domain kingdom; with a compromised account a hacker can change the NS records and completely take over your domain without touching the authoritative server.

  • Configuration Errors: Mistyping or copying and pasting bad values is always possible, and propagating a bad record can cause major downtime. Triple-check your work and set low TTLs well before making changes to minimize outages.
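A check that supports the Account Security and Configuration Errors points above, added here and not part of the original article: it parses NS lookup output in the line format shown earlier and compares it against the name servers your DNS host gave you. The expected list reuses the four values printed in this article; the observed sample and the function names are constructed for illustration.

```python
import re

LINE = re.compile(r"Name\s*:\s*(\S+)\s*\|\s*value:\s*(\S+)\s*\|\s*ttl:\s*(\d+)", re.I)

def norm(host):
    """DNS names are case-insensitive; a trailing dot only marks the name as absolute."""
    return host.strip().rstrip(".").lower()

def parse_ns_lines(text):
    """Parse 'Name : d | value: ns | ttl: n' lines into (domain, nameserver, ttl) tuples."""
    return [(norm(m[1]), norm(m[2]), int(m[3])) for m in LINE.finditer(text)]

def audit_delegation(domain, observed, expected):
    """Return a sorted list of findings; an empty list means the delegation matches."""
    seen = {ns for d, ns, _ in observed if d == norm(domain)}
    want = {norm(ns) for ns in expected}
    findings = [f"UNEXPECTED {ns}" for ns in seen - want]  # typo or hostile change
    findings += [f"MISSING {ns}" for ns in want - seen]    # incomplete update
    if len(seen) < 2:
        findings.append(f"TOO_FEW {len(seen)} name server(s), at least two are required")
    return sorted(findings)

# Values your DNS host told you to set (the four shown in this article).
EXPECTED = [
    "ns-1154.awsdns-16.org.",
    "ns-118.awsdns-14.com.",
    "ns-1991.awsdns-56.co.uk.",
    "ns-764.awsdns-31.net.",
]

# Constructed lookup output: the last value differs from what the DNS host issued.
OBSERVED_SAMPLE = """
0 Name : cbtnuggets.com | value: NS-1154.awsdns-16.org | ttl: 60
1 Name : cbtnuggets.com | value: ns-118.awsdns-14.com. | ttl: 60
2 Name : cbtnuggets.com | value: ns-1991.awsdns-56.co.uk. | ttl: 60
3 Name : cbtnuggets.com | value: ns1.unexpected-host.example. | ttl: 60
"""

if __name__ == "__main__":
    for finding in audit_delegation("cbtnuggets.com", parse_ns_lines(OBSERVED_SAMPLE), EXPECTED):
        print(finding)
```

Run on a schedule against fresh lookup output, a non-empty result is an early signal that the delegation no longer matches what you configured at the registrar.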

Conclusion

NS records are integral to your DNS infrastructure and the first step in getting users and customers to your sites. Effective management of NS records starts with understanding how they work and their uniqueness amongst other record types. Hopefully, we've shed some light on this topic to help level up your dazzling DNS dexterity and discernment!

Want to learn more about DNS? Take our course on DNS Implementation with Garth Schulte.

