What is a Nameserver?

A nameserver is a server that holds DNS records and answers queries about them. When a resolver needs to know where example.com lives, it ultimately asks that domain's nameservers, and they return the matching records, such as the A record with the website's IP address.

Every domain is associated with a set of nameservers, usually two or more for redundancy. These are listed as the domain's delegation and are typically operated by a DNS provider or registrar. Whoever runs the nameservers a domain points to decides what answers visitors receive, so they are the effective control point for the domain.

The word nameserver covers two very different roles, and the distinction matters:

• Authoritative nameservers hold the real records for a domain. They are the source of truth and give definitive answers about the domains they are responsible for. When you edit your DNS, you are editing the records on your authoritative nameservers.
• Recursive nameservers (also called resolvers) do not own any records. They do the legwork of finding an answer on a user's behalf, querying authoritative servers and caching the results. Public examples include 1.1.1.1 and 8.8.8.8.

In short, recursive servers ask the questions and authoritative servers give the answers. We cover this split in depth in authoritative vs recursive DNS.

A domain reaches its nameservers through two cooperating pieces: delegation at the registrar and NS records in the zone.

1. Registrar delegation — at your domain registrar, you list the nameserver hostnames for your domain. This information is published to the parent zone (for example, the .com servers) and is what tells the rest of the internet which servers are authoritative.
2. NS records in the zone — the zone itself also contains NS records that name its authoritative servers. These should match the delegation at the registrar.

When the delegation at the parent and the NS records in the zone agree, resolution works smoothly. When they disagree, you can get inconsistent or failed lookups, a condition sometimes called a lame delegation.

Domains almost always list more than one nameserver, and there is a traditional structure behind them:

• Primary nameserver — holds the master copy of the zone, where edits are made. Its hostname often appears in the zone's SOA record.
• Secondary nameservers — hold read-only copies synchronized from the primary, usually through a zone transfer. They answer queries identically and provide redundancy.

Running several nameservers, ideally on diverse networks, means that if one becomes unreachable the others continue answering. This redundancy is why losing a single nameserver rarely takes a well-configured domain offline.

You can see a domain's current nameservers in a WHOIS record or by querying its NS records directly with a tool like dig example.com NS or nslookup -type=ns example.com. The result lists the authoritative hostnames the domain is delegated to.

Changing nameservers moves DNS authority to a different provider, and the order of operations matters: build a complete copy of your records on the new provider first, then update the delegation at your registrar. If you switch before the new servers are ready, lookups will fail until the records are in place.

Because a nameserver change is one of the most disruptive edits you can make, it is also a favorite target for attackers trying to hijack a domain. ZoneWatcher monitors your nameserver delegation and alerts you the instant it changes, so an unexpected switch never goes unnoticed.