Nameserver: The complete guide to setup, management, and troubleshooting

Nameservers are essential for any functioning website or email domain. Without proper nameserver configuration, emails wouldn't reach their destinations, and visitors would encounter loading errors when trying to access websites.

At their core, nameservers serve as interpreters that translate human-readable domain names into the numerical IP addresses that computers use to locate websites. In this guide, we'll go over how this process works and how to configure nameservers for optimal performance.

Introduction to nameservers

Nameservers are a class of servers that play a key role in converting alphabetical domain names like www.expressvpn.com into numerical IP addresses, which devices actually use to locate and communicate with each other.

A real-world analogy can be found in GPS coordinates. These alphanumeric strings refer to actual physical locations, but people generally refer to places using street addresses. When a person inputs an address into a navigation tool, most services immediately convert the address into GPS coordinates in order to provide directions, a process known as geocoding. Nameservers fill a similar role when it comes to accessing websites and email services.

Nameservers are a part of the Domain Name System (DNS), a distributed global database containing information about domains and their associated IP addresses. Within that system, nameservers store and maintain this information (DNS records) for a specific domain. A domain is simply a website’s address, such as www.example.com. It shouldn’t be confused with a website, which is a collection of web pages at a domain.

Types of nameservers

There are multiple kinds of nameservers, which are normally categorized by role and position within the DNS hierarchy.

Root nameserver

Root nameservers sit at the very top of the DNS hierarchy. They don’t store specific domain information but instead direct queries to the appropriate top-level domain (TLD) nameservers, such as .com, .org, or .net.

TLD nameserver

Top-level domain (TLD) nameservers manage information for domains that share the same extension. For example, a .com TLD nameserver knows where to find the authoritative nameservers for all .com domains. When a query reaches a TLD nameserver, it points the request toward the authoritative nameserver for the specific domain being looked up.

Authoritative nameserver

Authoritative nameservers store the actual DNS records for a domain, such as its IP address (A record), mail server (MX record), and other settings. When a DNS query reaches an authoritative nameserver, it provides the final answer, completing the domain lookup process.

Primary vs. secondary servers

Primary and secondary servers are specific roles for authoritative nameservers. Primary nameservers can be edited, while secondaries are read-only copies. In most settings, a domain will use one primary nameserver with multiple secondaries, with each additional nameserver contributing to increased DNS resilience.

Secondary servers receive information from primary nameservers in a process known as zone transfer. This allows secondary servers to act as a backup for the associated primary nameserver. They can provide extra support during high traffic situations to prevent primaries from being overloaded by requests.

DNS resolver vs. nameservers

While not one of the nameservers, the DNS resolver plays an essential role in how domain names are translated into IP addresses.

The resolver, also known as a recursive resolver, acts as the intermediary between the user and the DNS system. When you enter a domain name in your browser, the resolver receives the query and takes on the task of finding the correct IP address. It contacts a sequence of nameservers, starting with the root, then the TLD, and finally the authoritative nameserver, unless the answer is already cached.

Nameservers, on the other hand, make up the core of the DNS infrastructure. They hold and provide the actual information needed to complete the lookup process.

In essence, the resolver performs the lookup, while the nameservers supply the information that resolves the query.

How DNS and nameservers interact

Let’s assume you wanted to visit www.example.com and typed it into your browser address bar. Here’s what happens after you tap the Enter key:

1. Browser establishes contact: Your browser sends a DNS request to a DNS resolver.
2. Resolver queries the root nameserver: The resolver asks the root nameserver where to find the top-level domain (TLD) nameserver (e.g., .com or .org) and receives an answer.
3. Resolver queries the TLD nameserver: After being asked, the TLD nameserver informs the resolver which authoritative nameserver holds the records for the sought-after domain.
4. Resolver queries the authoritative nameserver: The resolver asks the authoritative nameserver for the domain’s IP address, then receives a response.
5. Resolver responds to the browser: The resolver passes the IP address on to the browser.
6. Content retrieval: Once the browser connects to the IP address, the web server sends the requested page for the browser to display.

If your browser fails to reach any of the nameservers configured to support a website, you may get an error message. This can also happen if a nameserver is slow to respond or doesn’t find an IP address for the requested website.

Checking your nameservers

If you manage a domain or are simply curious, you may sometimes want to check the status of a nameserver. There are a few ways of doing this.

WHOIS lookup tools

WHOIS is a general command for querying domain registration information. They won’t provide technical details about your nameservers, but they can pull up ownership records. There are many options out there capable of running the command, including one offered by Google.

1. Find an online WHOIS lookup tool, like whois.com.
   
2. Type in the domain name you want to check and run the search.
3. Look for the nameserver section to find the relevant information.
   

Hosting provider dashboard

If you own or administrate a domain, you can also use your provider’s console to check the status of your nameservers. This will likely provide additional insights that aren’t available through public tools.

The exact steps for doing so vary across hosting providers. Log into your account to look for your dashboard, or check the service’s documentation for precise instructions.

Command-line methods

You can also look up domain nameservers via the terminal on Windows, macOS, or Linux devices.

Command-line method for Windows

1. Open the Windows command prompt. You can find it by searching for CMD in the system tray.
2. Enter the following command: nslookup -type=ns [yourdomain].tld (for example, nslookup -type=ns example.com).
   
3. Press Enter to run the code. You’ll be presented with information about the website’s nameservers.
   

Command-line methods for macOS/Linux

1. Launch the Terminal on your macOS or Linux device.
2. Enter the following command: dig +short ns [yourdomain].tld (for example, dig +short ns example.com).
   
3. Press the Enter or return key to run the code. You’ll get the nameservers associated with the requested domain.
   

Online DNS tools

Whereas WHOIS tools show ownership information, online DNS lookup tools (such as www.nslookup.io) can provide information about a domain’s nameservers and mail servers. Just exercise caution, as fake DNS sites exist to hijack domains, steal information, and otherwise scam users.

Finding the nameserver IP address

Some of the methods from above, such as the Windows terminal lookup, automatically provide you with the IPv4 and IPv6 addresses associated with nameservers. Online tools (such as www.nslookup.io and www.dnschecker.org) sometimes show these as well but may only display IPv4 addresses.

Setting up nameservers

If you have recently purchased a domain name, you were likely automatically assigned nameservers from the domain registrar. You can choose to keep using the assigned nameservers or switch to new ones.

Choosing the right nameservers

Your choice of nameservers will impact your website’s speed, reliability, and security. Different providers offer distinct advantages. For example, Amazon's Route 53 focuses on high uptime and scalability, while Cloudflare emphasizes performance optimization and global server distribution.

Once you’ve chosen a nameserver provider, connect your domain to the service. The exact instructions will differ, so use your new provider’s resources or get someone with admin experience to help.

Configuring with a domain registrar

If your domain registrar isn’t the same as your nameserver provider, you’ll have to update your records to reflect the nameserver change. Otherwise, the affected domain won’t be able to locate the nameserver responsible for handling client requests, rendering the site inaccessible.

Once again, the exact process of configuring the new nameservers with your domain registrar depends on the service you’re using. Check your domain registrar’s help guides, reach out to its customer support, or get technical help to complete the setup.

Registering custom or private nameservers

Rather than outsourcing to a third-party provider like Amazon or Cloudflare, some domain admins set up their own nameservers. These are called private nameservers.

Private nameservers can offer improved privacy and flexibility. They can also help with branding, especially if you resell domain registration services. Some admins do this so that anyone who checks will see that the site’s DNS infrastructure is tied to the brand. This demonstrates greater vertical integration and may reinforce trust.

The downside is that private nameservers can require significant technical expertise to set up and keep running. Someone will need to manage their uptime and perform ongoing monitoring and maintenance. This is usually more expensive than outsourcing the task.

Nameserver propagation explained

Nameserver propagation, which is a subset of DNS propagation, refers to the time it takes for updates related to a domain’s ownership, hosting provider, or IP address to be recognized across the entire internet. Until propagation completes, some users may still see outdated content or be directed to the old server, even after you’ve updated your domain’s settings.

How long do changes take?

Nameserver changes can sometimes be deployed quite quickly, but DNS providers often recommend waiting 24–72 hours. The exact time may be affected by factors such as:

• Domain name registrar’s efficiency: Nameserver changes must be updated at the top-level domain, which is maintained by the domain registry. Timing depends on how quickly a registrar updates the authoritative records with new information.
• Time to live (TTL) values: The TTL determines how long server information is cached before it’s automatically purged. Higher TTL values mean DNS servers will cache nameserver information longer before updating to your new configuration.
• Internet service provider (ISP): Some ISPs may ignore the TTL by caching nameserver information for longer than specified. This conserves the ISP’s resources by reducing repeated queries, but it delays the transition to new nameservers until cached data expires.

How to monitor propagation progress

You can look up your domain’s nameservers using online DNS checkers to see whether changes have spread across the internet. It’s a good idea to check using multiple sources, as different services may update their records at varying intervals.

Enhancing security and performance

Unsecured nameservers can be hijacked by an attacker to redirect a website’s users to a phishing site or reroute sensitive emails.

Beyond security, performance is the other important factor when it comes to nameserver configuration. Without the right setup, admins risk managing domains that are vulnerable to threats and slow to load.

For security and performance reasons, it’s important to employ DNSSEC, DDoS protection, and other measures.

DNSSEC protection

DNS Security Extensions (DNSSEC) uses cryptographic methods to authenticate DNS requests and responses. Deploying DNSSEC on nameservers makes it possible for DNSSEC-validating recursive servers (typically run by ISPs or other network operators) to validate nameserver responses on behalf of their clients.

In other words, end users can tell whether they’re getting a legitimate or tampered response from your nameservers. If the response isn't genuine, access is blocked and a warning message is usually displayed.

DDoS protection

Cybercriminals can exploit internet infrastructure to flood a target IP address with responses, preventing it from handling legitimate requests. This is known as a distributed denial of service (DDoS) attack and can effectively take down websites for extended periods. When targeted at nameservers, DDoS attacks can prevent visitors’ browsers from locating the website.

To defend against DDoS attacks, admins often turn to third-party services. Providers like Cloudflare leverage a global infrastructure network to handle the excessive loads caused by a flood of malicious requests. This points to a challenge associated with hosting your own nameservers: services like Cloudflare work by effectively sharing infrastructure across a huge number of domains. If you’re relying entirely on your own resources, you’ll need lots of bandwidth to mitigate DDoS and other volume-based attacks. This can be expensive and difficult to scale.

Some admins also rely on rate limiting to protect domains from DNS amplification attacks. It’s common to limit both the number of requests that nameservers can send to each other and the responses that can be sent to external IP addresses in a given time period. This prevents attackers from manipulating nameservers into overloading a domain or IP address. The principles behind rate limiting can also defend against other kinds of attacks that rely on flooding.

Performance tips for DNS setup

Optimal domain performance demands that nameservers respond quickly under any traffic conditions. This can be achieved using a number of strategies:

• Overprovisioning nameservers: Configuring nameservers with more bandwidth than they need to handle both legitimate and malicious requests is vital. Cost concerns mean this can only go so far, but it is an important consideration.
• Implement security measures: Securing your systems with protective DNS measures like DNSSEC means that your nameservers will have more resources to meet the needs of legitimate users. This is ultimately more efficient than spending all server resources on fending off an attack.
• Set up for wide geographical coverage: Combining nameservers with global mirrors that are closer to audiences brings performance gains for end users. Whenever a client requests a domain, the site’s nameservers identify and respond with the IP address of the closest server, resulting in faster load times.
• Employ other measures: Outside of proper nameserver configuration, other measures like reverse proxy servers may enhance your domain's performance while adding an extra layer of security against malicious requests.

Troubleshooting nameserver issues

As an integral part of the broader DNS, nameservers can contribute to certain connectivity issues. You should check out our dedicated DNS guide for more detailed troubleshooting. In this section, we’re looking at nameserver-specific issues and how to resolve them.

Website not loading? Common causes

• Internet connection issues: Test the domain using a different internet connection to determine whether the issue is ISP-related before investigating other causes.
• Non-existent or misspelled domain: Confirm that you’ve spelled the domain name correctly and check whether it’s live using publicly available tools. If you see an NXDOMAIN error, this indicates that a website doesn’t exist at the domain you’re trying to access.
• Misconfigured local DNS settings: Make sure that client devices (such as your computer or router) have the right DNS settings. Incorrect local DNS settings can prevent your browser from contacting nameservers properly, resulting in connection failures.
• Cache issues: Use your operating system’s command-line tool to flush the system-level DNS resolver cache, forcing it to retrieve fresh information. As a secondary measure, you may also want to clear your browser’s cache to remove any lingering DNS records that it may have stored.

Diagnosing propagation delays

If you’ve waited for more than 72 hours and your new nameservers aren’t active yet, it’s best to contact your domain registrar. You may also consider consulting with a DNS specialist if the issue persists, especially if you have an independent setup and can’t rely on assistance from a provider.

Fixing registrar or DNS misconfigurations

Nameservers may work incorrectly if they aren’t properly configured by the registrar or custom nameserver provider. For example, enabling DNSSEC at your domain registrar while using Akamai’s nameservers may cause domain name resolution failures.

On the other hand, Cloudflare supports DNSSEC, but you must disable it at your domain registrar when switching your nameservers over to Cloudflare. Once the nameserver change has been fully propagated, you can re-enable DNSSEC.