When you see a Non-authoritative answer in nslookup output, it means the response came from a DNS resolver's cache rather than directly from the authoritative nameserver for that domain. This occurs because most DNS queries are served by recursive resolvers (like your ISP's DNS or public DNS services like Google's 8.8.8.8) that cache previous lookups to improve performance.
The DNS lookup process follows this hierarchy:
1. Local cache (your computer/router)
2. Recursive resolver (ISP/Public DNS)
3. Root servers
4. TLD servers (.com, .net, etc.)
5. Authoritative nameservers
When a recursive resolver has a cached answer, it will return it as "non-authoritative" to indicate this isn't fresh from the source.
Compare these two outputs:
# Non-authoritative (from cache)
nslookup example.com
Non-authoritative answer:
Name: example.com
Address: 93.184.216.34
# Authoritative (direct from nameserver)
nslookup example.com ns1.example.com
Name: example.com
Addresses: 93.184.216.34
You need authoritative answers when:
- Debugging DNS changes (TTL considerations)
- Setting up new domains
- Troubleshooting propagation issues
To bypass cached results:
# Windows
nslookup -norecurs example.com ns1.example.com
# Linux/macOS
dig +norecurse example.com @ns1.example.com
Understanding this distinction helps with:
- TTL (Time To Live) configuration
- DNS change propagation timing
- Troubleshooting stale records
Here's how to verify if a DNS change has propagated:
#!/bin/bash
DOMAIN="example.com"
AUTH_NS="ns1.example.com"
# Check authoritative
echo "Authoritative answer:"
dig +short @$AUTH_NS $DOMAIN
# Check public DNS (likely cached)
echo "\nPublic DNS (may be cached):"
dig +short $DOMAIN
When you see a Non-authoritative answer in NSLOOKUP output, it means the response came from your local DNS resolver's cache rather than directly from the authoritative nameservers for that domain. This is a normal part of DNS resolution and doesn't indicate any problem with your query.
The DNS system uses a hierarchical caching mechanism:
1. Your computer checks local cache
2. Queries configured DNS resolver (usually your ISP or public DNS like 8.8.8.8)
3. The resolver checks its cache
4. If not cached, resolver queries root servers → TLD servers → authoritative servers
Key differences:
- Authoritative: Comes directly from the domain's nameservers (shows "aa" flag in dig output)
- Non-authoritative: Comes from a resolver's cache (common in NSLOOKUP)
Here's how to force an authoritative lookup:
nslookup
> set norecurse
> server a.root-servers.net
> example.com
Compare with normal lookup:
nslookup example.com
You mainly need authoritative answers when:
- Debugging DNS propagation issues
- Verifying recent DNS changes
- Checking for DNS poisoning/cache poisoning
For more detailed DNS information:
# Using dig for authoritative check
dig +norecurse example.com @a.root-servers.net
# Using whois to find authoritative servers
whois example.com | grep "Name Server"
Breaking down your example:
Non-authoritative answer:
Name: example.com
Address: 93.184.216.34
This shows the cached IP address for example.com from your resolver.
The Time-To-Live (TTL) value determines how long resolvers cache records. You can view this with:
dig example.com
;; ANSWER SECTION:
example.com. 3599 IN A 93.184.216.34
The 3599 value is the TTL in seconds.
- Non-authoritative doesn't mean incorrect - just potentially stale
- All normal DNS lookups start non-authoritative
- Browser DNS prefetching adds another caching layer
Python example using dnspython:
import dns.resolver
def get_authoritative_answer(domain):
# Find authoritative nameservers
ns = dns.resolver.resolve(domain, 'NS')
# Query directly
answers = dns.resolver.resolve(domain, 'A',
nameserver=ns.rrset[0].to_text())
return answers
print(get_authoritative_answer('example.com'))