NS DNS Record: Nameservers and Delegation

Master Nameserver records, the cornerstone of DNS delegation.

NS (Nameserver) records are fundamental in DNS architecture. They indicate which DNS servers are authoritative for a given zone, creating the delegation chain that allows the global DNS system to function. Without correctly configured NS records, your domain would simply be unfindable on the Internet.

Unlike A or MX records that point to final destinations, NS records point to other DNS servers. When a resolver looks up your domain, it follows the NS chain from root servers to your authoritative nameservers. This hierarchical delegation is what makes DNS scalable and decentralized.

Understanding NS records is essential for any registrar migration, DNS hosting change, or secondary DNS setup. An NS error can make your entire domain inaccessible for hours or even days - the time it takes for caches to expire.

What is an NS Record?

An NS record defines the nameservers responsible for a DNS zone:

  • Zone delegation: NS records say "for this zone, go ask these servers". This is how .com delegates to your registrar, which delegates to your DNS host.
  • Authoritative servers: Servers listed in NS records are considered authoritative for the zone. Their responses are treated as definitive because they come from the zone's own data, not from a cache.
  • Mandatory redundancy: DNS standards require at least two NS per zone, ideally on different networks, to ensure availability even if one server goes down.
  • Glue records: When an NS points to a name in its own zone (ns1.example.com for example.com), an A "glue record" is needed to avoid a circular reference.

Why NS Records Are Critical

NS records have a major impact on the availability and resilience of your infrastructure:

  • Single point of failure: If all your NS are hosted in the same place and that service goes down, all your services (web, email, API) become unreachable. Geographic diversity is crucial.
  • Propagation time: NS often have very long TTLs (24-48h). An NS change can therefore take several days to fully propagate, so plan your migrations accordingly.
  • Registrar validation: Your domain's NS must be registered in two places: in your DNS zone AND with the registrar. Any inconsistency causes subtle problems.
  • DNS attacks: NS are a prime target for attacks. An attacker who controls your NS controls all traffic to your domain. DNSSEC and monitoring are essential.

Configure Your NS Records

Follow these steps to properly configure your NS:

  1. Choose your DNS servers: Use your DNS host's servers (Cloudflare, AWS Route 53, etc.) or deploy your own BIND/PowerDNS servers. Aim for at least 2-3 geographically distributed servers.
  2. Configure the zone: Add NS records in your DNS zone. Each NS must point to an FQDN (the full name, written with a trailing dot; most interfaces also accept it without one).
  3. Update the registrar: In your registrar's panel, declare the same NS. This declaration is transmitted to the TLD (.com, .net, etc.) and enables delegation.
  4. Verify propagation: Use dig +trace or online tools to verify the delegation chain works. Monitor for 48h to ensure old caches expire.

NS Record Examples

Here are NS configuration examples in different contexts:

; Zone file for example.com
; Main NS (hosted with a DNS provider)
example.com.    IN    NS    ns1.dnsprovider.com.
example.com.    IN    NS    ns2.dnsprovider.com.
example.com.    IN    NS    ns3.dnsprovider.net.

; Delegating a subzone to other servers
dev.example.com.    IN    NS    ns1.dev-hosting.com.
dev.example.com.    IN    NS    ns2.dev-hosting.com.

; NS in its own zone (requires glue records)
example.com.    IN    NS    ns1.example.com.
example.com.    IN    NS    ns2.example.com.
ns1.example.com.    IN    A    203.0.113.10
ns2.example.com.    IN    A    203.0.113.11

; Verification with dig
$ dig NS example.com +short
ns1.dnsprovider.com.
ns2.dnsprovider.com.
ns3.dnsprovider.net.

$ dig +trace example.com | grep -A2 "example.com"

Note that each NS ends with a dot (absolute FQDN) and servers belong to different networks for resilience. The dig +trace command lets you follow the entire delegation chain.

NS Best Practices

Optimize your NS configuration for reliability and performance:

  • Server diversity: Use at least 2-3 NS servers on different networks and ASNs. If one provider goes down, the others continue responding.
  • Appropriate TTL: NS typically have 24-48h TTLs for stability. Temporarily reduce them before a migration, then restore them afterward.
  • Zone/registrar consistency: NS declared at the registrar and in your zone must match exactly. Any inconsistency can cause resolution problems.
  • Active monitoring: Monitor each NS's availability individually. A dead NS in the list degrades performance even if others respond.

NS Configuration Checklist

  • Minimum 2 NS servers configured
  • NS on different networks/providers
  • NS identical at registrar and in zone
  • Glue records configured if NS in its own zone
  • TTL set according to stability/migration needs
  • Availability monitoring for each NS
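
The NS count, registrar/zone consistency and glue items of this checklist can be checked mechanically from saved dig output. The following Python is an added example, not part of the original page or of any MoniTao tooling; the function names, the `<tld-server>` placeholder and the sample dig output are constructed for illustration.

```python
# Added example: audit a delegation from saved dig output (all sample data is constructed).
def parse_records(dig_text):
    """Return (name, type, rdata) tuples from dig's record lines."""
    records = []
    for line in dig_text.splitlines():
        fields = line.split()
        # Record lines look like: name TTL class type rdata; ';' lines are comments.
        if len(fields) >= 5 and not line.startswith(";") and fields[2] == "IN":
            records.append((fields[0].lower(), fields[3], fields[4].lower()))
    return records

def audit_delegation(zone, parent_text, child_text):
    """Compare the parent's delegation with the zone's own NS set."""
    zone = zone.lower().rstrip(".") + "."
    parent = parse_records(parent_text)
    child = parse_records(child_text)
    parent_ns = {r for n, t, r in parent if t == "NS" and n == zone}
    child_ns = {r for n, t, r in child if t == "NS" and n == zone}
    glue = {n for n, t, r in parent if t in ("A", "AAAA")}
    findings = []
    if len(parent_ns) < 2:
        findings.append("fewer than 2 NS at the parent")
    for ns in sorted(parent_ns - child_ns):
        findings.append(f"{ns} delegated by parent but missing from zone")
    for ns in sorted(child_ns - parent_ns):
        findings.append(f"{ns} in zone but not declared at registrar")
    for ns in sorted(parent_ns):
        # An NS named inside the zone it serves needs glue at the parent.
        if ns.endswith("." + zone) and ns not in glue:
            findings.append(f"{ns} is in-zone but has no glue record")
    return findings

# Constructed output of: dig @<tld-server> example.com NS +norecurse
PARENT = """
;; AUTHORITY SECTION:
example.com.      172800 IN NS ns1.example.com.
example.com.      172800 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com.  172800 IN A  203.0.113.10
"""
# Constructed output of: dig @ns1.example.com example.com NS +norecurse
CHILD = """
;; ANSWER SECTION:
example.com.      86400 IN NS ns1.example.com.
example.com.      86400 IN NS ns3.dnsprovider.net.
"""

if __name__ == "__main__":
    for finding in audit_delegation("example.com", PARENT, CHILD):
        print(finding)
```

An empty result means the parent-side delegation and the zone's own NS set agree and every in-zone NS has glue; network diversity and per-server availability still need separate checks.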

FAQ - NS Records

How many NS should I have?

The technical minimum is 2, but 3-4 is recommended for better resilience. Beyond 6-8, benefits diminish and management gets complex.

Can I use NS from different providers?

Yes, and it's even recommended to avoid a single point of failure. However, you'll need to synchronize your zones between providers, which can be complex.

Why don't my NS update instantly?

NS have long TTLs (often 24-48h) and TLD servers have their own cache. An NS change can take up to 72h to fully propagate.

What is a glue record?

It's an A record associated with the NS when the NS is in its own zone. Without it, resolution would be blocked: to find ns1.example.com, you'd need to ask example.com's NS, which is... ns1.example.com.

How do I test if my NS work?

Use dig NS yourdomain.com to see declared NS, then dig @ns1.yourdomain.com yourdomain.com to test each NS individually. dig +trace shows the complete chain.

Can MoniTao monitor my NS?

Yes, MoniTao monitors your DNS records including NS. You're alerted if an NS becomes unreachable or if your NS change unexpectedly.

Master Your Nameservers

NS records are the foundation of your DNS presence. A robust configuration with diverse servers, appropriate TTLs, and active monitoring ensures your domain remains accessible no matter what.

Take time to properly configure your NS and actively monitor them. MoniTao alerts you to nameserver problems before your users are impacted.
