DNS and Nameservers Explained
Part 12 of 12 in the Domain Mastery series — Previous: Premium and Reserved Domains
Your domain name is just a label until you connect it to actual servers. DNS (Domain Name System) and nameservers are what make your domain point to your website, email, and other services. This article explains how it all works.
What DNS Does
DNS translates human-readable domain names into the IP addresses that computers use to find each other:
You type: www.example.com
DNS returns: 192.0.2.1
Your browser connects to: 192.0.2.1
Without DNS, you'd need to remember IP addresses for every website you visit.
What Are Nameservers?
Nameservers are the servers that hold your domain's DNS records. When someone visits your domain, the DNS system asks your nameservers where to find your website, email server, and other services.
Every active domain needs at least 2 nameservers. Having two ensures your domain keeps working even if one server has issues.
| Requirement | Details |
|---|---|
| Minimum nameservers | 2 |
| Maximum nameservers | 13 (typical) |
| Format | Must be a valid hostname (e.g., ns1.example.com) |
| Addresses | IPv4 and/or IPv6 |
Types of Nameservers
Your Own Nameservers (In-Bailiwick)
If your nameservers are under your own domain — for example, ns1.example.com serving example.com — they're called in-bailiwick or subordinate nameservers.
This creates a chicken-and-egg problem: to find example.com, you need to ask ns1.example.com, but to find ns1.example.com, you need to look up example.com.
The solution is glue records (explained below).
External Nameservers (Out-of-Bailiwick)
If your nameservers are under a different domain — for example, ns1.hostingprovider.net serving example.com — they're called out-of-bailiwick or external nameservers.
No glue records are needed because the nameserver can be found through normal DNS resolution.
Most domain owners use external nameservers provided by their hosting company, DNS service, or registrar.
Glue Records
Glue records solve the circular dependency problem for in-bailiwick nameservers. They store the nameserver's IP address directly in the parent zone (the registry).
When glue is needed:
| Setup | Glue Required? |
|---|---|
| ns1.example.com serves example.com | Yes |
| ns1.hostingprovider.net serves example.com | No |
| ns1.example.net serves example.com | No (.net is a different zone) |
If you use in-bailiwick nameservers, you must provide the IP addresses when setting them up. Your registrar's dashboard will prompt you for these addresses.
Important: If your nameserver's IP address changes, you must update the glue record. Mismatched glue records cause intermittent resolution failures.
Active vs. Inactive Domains
A domain's DNS activity depends on its nameserver configuration:
| State | Nameservers | DNS Status |
|---|---|---|
| Active | 2+ valid nameservers | Resolves in DNS, included in zone file |
| Inactive | Fewer than 2 (or none) | Does not resolve |
If you register a domain without setting nameservers, it will be in inactive status. Add at least two nameservers to make it active.
DNS Propagation
When you change your nameservers or DNS records, the change doesn't take effect instantly worldwide. This delay is called DNS propagation.
Why Propagation Takes Time
DNS uses caching to reduce load and speed up responses. When a DNS server looks up your domain, it stores the answer for a period defined by the TTL (Time To Live). Until that cached answer expires, the server won't check for updates.
| Record Type | Typical TTL | Propagation Time |
|---|---|---|
| TLD nameserver delegation | 48 hours | Up to 48 hours |
| Domain nameservers | 1-24 hours | Up to 24 hours |
| A/AAAA records (IP addresses) | 5 minutes to 1 hour | Minutes to hours |
Tips for Faster Propagation
- Lower TTL before planned changes — If you know you'll be changing nameservers, reduce the TTL in advance so caches expire sooner
- Wait for the old TTL — After making a change, wait at least as long as the previous TTL value
- Test from multiple locations — Your ISP might show the change before (or after) other locations
- Allow extra time for critical changes — Important changes (like migrating servers) should be planned with propagation in mind
DNSSEC: DNS Security
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that the DNS data hasn't been tampered with.
What DNSSEC protects against:
- DNS cache poisoning (attacker injects false records)
- Man-in-the-middle attacks on DNS responses
- Unauthorized modification of DNS data
What DNSSEC does not do:
- Encrypt your DNS queries (that's DNS-over-HTTPS or DNS-over-TLS)
- Protect your website content
- Replace HTTPS/SSL
Do You Need DNSSEC?
DNSSEC is recommended for security-conscious domain owners, especially for:
- Financial or healthcare organizations
- Government domains
- E-commerce sites
- Any domain where trust is critical
Setting up DNSSEC requires:
- Your DNS provider signs your zone with cryptographic keys
- A DS record is submitted to the registry through your registrar
- Resolvers can then verify the authenticity of your DNS records
Warning: Incorrect DNSSEC configuration can make your domain unreachable. If enabling DNSSEC, follow your DNS provider's instructions carefully.
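A common way the misconfiguration in the warning above arises is a DS record at the registry that no longer matches any key the zone publishes, for example after the DNS provider changes its key. The following added example (not code from this article or from any DNS provider) derives the DS fields from a DNSKEY using the key tag algorithm from RFC 4034 Appendix B and the SHA-256 digest from RFC 4509, then checks a registry DS against the zone's keys. The function names and both keys are constructed for illustration.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """(key tag, algorithm, digest type 2, SHA-256 digest) for one DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_is_served(owner, ds, zone_dnskeys):
    """True if the DS held at the registry matches a DNSKEY the zone publishes."""
    tag, alg, dtype, digest = ds
    want = (tag, alg, dtype, digest.replace(" ", "").upper())
    return dtype == 2 and any(make_ds(owner, k) == want for k in zone_dnskeys)

# Constructed keys (not real key material): 64-byte blobs shaped like
# algorithm 13 (ECDSA P-256) public keys; flags 257 marks a key-signing key.
OLD_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
REGISTRY_DS = make_ds("Example.COM.", OLD_KSK)

if __name__ == "__main__":
    print("DS to submit:", REGISTRY_DS)
    print("before key change:", ds_is_served("example.com", REGISTRY_DS, [OLD_KSK]))
    print("after key change, DS not updated:",
          ds_is_served("example.com", REGISTRY_DS, [NEW_KSK]))
```

When the zone publishes both the old and the new key during a changeover, the existing DS still matches, which is why the new DS is submitted before the old key is withdrawn.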
Common DNS Issues
Domain Not Resolving
| Check | Possible Cause | Solution |
|---|---|---|
| No nameservers | Domain is inactive | Add at least 2 nameservers |
| Hold status | clientHold or serverHold | Check status codes |
| Wrong nameserver IPs | Glue record mismatch | Update host records at registrar |
| Recent change | Propagation in progress | Wait for TTL to expire |
Intermittent Resolution
| Check | Possible Cause | Solution |
|---|---|---|
| One NS down | Nameserver offline | Verify all nameservers are responding |
| Glue mismatch | IP changed but glue not updated | Update glue records |
| Lame delegation | Nameserver listed but not serving your zone | Configure server or update NS records |
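The checks from the Glue Records section and the two tables above can be run together over a delegation. This is an added example, not code from this article or from any registrar tool: the function names, finding labels and sample data are constructed, and in practice `observed` would be filled in by querying each listed nameserver directly.

```python
def norm(name):
    """Lowercase and drop the trailing root dot so names compare equal."""
    return name.rstrip(".").lower()

def in_bailiwick(ns, zone):
    """True when ns is the zone apex or below it, matched on a label boundary."""
    ns, zone = norm(ns), norm(zone)
    return ns == zone or ns.endswith("." + zone)

def audit_delegation(zone, parent_ns, glue, observed):
    """Return (finding, name) tuples for one delegation.

    parent_ns: NS hostnames listed at the registry
    glue:      {ns: set of IPs} held at the registry
    observed:  {ns: {"authoritative": bool, "addresses": set}}; a missing
               entry means the server did not answer
    """
    findings = []
    names = sorted({norm(n) for n in parent_ns})
    if len(names) < 2:
        findings.append(("inactive", norm(zone)))
    for ns in names:
        view = observed.get(ns)
        if in_bailiwick(ns, zone):
            held = glue.get(ns, set())
            if not held:
                findings.append(("missing-glue", ns))
            elif view and view["addresses"] and held != view["addresses"]:
                findings.append(("glue-mismatch", ns))
        if view is None:
            findings.append(("no-response", ns))
        elif not view["authoritative"]:
            findings.append(("lame-delegation", ns))
    return findings

# Constructed sample: ns1 moved to a new IP but the registry glue was not
# updated, and ns2 is listed at the registry but does not serve the zone.
SAMPLE_NS = ["ns1.example.com.", "NS2.hostingprovider.net"]
SAMPLE_GLUE = {"ns1.example.com": {"192.0.2.53"}}
SAMPLE_OBSERVED = {
    "ns1.example.com": {"authoritative": True, "addresses": {"198.51.100.53"}},
    "ns2.hostingprovider.net": {"authoritative": False, "addresses": set()},
}

if __name__ == "__main__":
    for finding in audit_delegation("example.com", SAMPLE_NS, SAMPLE_GLUE, SAMPLE_OBSERVED):
        print(finding)
```

The label-boundary match matters: `ns1.notexample.com` ends with the string `example.com` but is not under that zone, so it needs no glue there.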
Slow DNS
| Check | Possible Cause | Solution |
|---|---|---|
| Distant nameservers | High latency to NS | Use a DNS provider with global presence |
| Low TTL | Frequent lookups required | Increase TTL if records change rarely |
| Overloaded NS | Server can't handle queries | Use a managed DNS service |
Setting Up Nameservers
When you register a domain or need to change nameservers:
- Get your nameserver addresses from your hosting provider or DNS service (e.g., ns1.provider.com, ns2.provider.com)
- Log into your registrar dashboard and find the nameserver settings
- Enter at least 2 nameservers
- If using your own domain's nameservers, provide the IP addresses for glue records
- Save and wait for propagation (typically 24-48 hours for nameserver changes)
Key Takeaway
Nameservers are the bridge between your domain name and your actual services. Every active domain needs at least two, and most domain owners use the nameservers provided by their hosting company or DNS service. When making changes, allow time for propagation, and keep your glue records updated if you use in-bailiwick nameservers.
This concludes the Domain Mastery series.