How to find authoritative nameservers with dig

A DNS lookup is only as trustworthy as the server that answered it. When a domain is delegated to several authority servers, dig can list the NS set and confirm which servers answer with authority for the zone.

A plain NS query usually starts with the resolver configured on the workstation. That answer is a starting list, but recursive resolvers can cache old nameserver data during registrar changes, DNS-provider moves, and zone repairs.

A direct query to a listed nameserver keeps the check on the server being tested. With recursion disabled, the aa flag in the response header shows an authoritative answer; a missing aa flag, a REFUSED status, or a mismatched SOA or NS answer means that nameserver hostname needs parent-side delegation or provider review.

Steps to find authoritative nameservers with dig:

  1. Query the zone for its NS records.
    $ dig +noall +answer iana.org NS
    iana.org.		4502	IN	NS	a.iana-servers.net.
    iana.org.		4502	IN	NS	b.iana-servers.net.
    iana.org.		4502	IN	NS	c.iana-servers.net.
    iana.org.		4502	IN	NS	ns.icann.org.

    Use the delegated zone name, such as iana.org, rather than a host inside the zone. The TTL can be lower than the authoritative TTL when the local resolver is answering from cache.

  2. Query one listed nameserver for the zone SOA record with recursion disabled.
    $ dig @a.iana-servers.net iana.org SOA +norecurse +noall +comments +answer
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8492
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; ANSWER SECTION:
    iana.org.		3600	IN	SOA	sns.dns.icann.org. noc.dns.icann.org. 2026062320 7200 3600 1209600 3600

    The aa flag means the server answered authoritatively for the zone. +norecurse prevents a recursive lookup from hiding whether the selected server has authority.

  3. Query another listed nameserver with the same SOA check.
    $ dig @b.iana-servers.net iana.org SOA +norecurse +noall +comments +answer
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50623
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; ANSWER SECTION:
    iana.org.		3600	IN	SOA	sns.dns.icann.org. noc.dns.icann.org. 2026062320 7200 3600 1209600 3600

    The same SOA owner, primary nameserver, and serial on another authority server show that both servers are serving the same zone version.

  4. Ask an authoritative server for the zone NS set.
    $ dig @a.iana-servers.net iana.org NS +norecurse +noall +comments +answer
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55782
    ;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; ANSWER SECTION:
    iana.org.		86400	IN	NS	a.iana-servers.net.
    iana.org.		86400	IN	NS	b.iana-servers.net.
    iana.org.		86400	IN	NS	c.iana-servers.net.
    iana.org.		86400	IN	NS	ns.icann.org.

    The authoritative NS answer should match the intended provider or registrar delegation. If the resolver list and authoritative list disagree after the relevant cache period, trace the delegation path from the parent zone before changing host records.
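
Steps 1 to 3 above as one script, added here as an example and not part of the original page: it reads the header status, the aa flag, and the SOA serial from each server's dig output and prints a verdict per nameserver. The function names and verdict strings are assumptions made for this example; SAMPLE_AUTH is trimmed from the step 2 output, and the other two samples are constructed.

```shell
#!/bin/sh
# Added example: classify nameservers from dig +norecurse +comments output.
# SAMPLE_AUTH is trimmed from step 2 above; the other two samples are constructed.
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8492
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
iana.org. 3600 IN SOA sns.dns.icann.org. noc.dns.icann.org. 2026062320 7200 3600 1209600 3600'
SAMPLE_LAME=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2222
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Print the header status (NOERROR, REFUSED, ...) from dig output on stdin.
status_of() { sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1; }

# Succeed only when the header flags line carries the aa flag.
has_aa() { grep -Eq '^;; flags:[^;]* aa[ ;]'; }

# Print the serial (7th field) of the first SOA answer line.
soa_serial() { awk '$3 == "IN" && $4 == "SOA" { print $7; exit }'; }

# classify REF: read one server's dig output on stdin and print a verdict.
# REF is the serial seen on an earlier server, or empty for the first one.
classify() {
  local out status serial
  out=$(cat)
  status=$(printf '%s\n' "$out" | status_of)
  [ "$status" = "NOERROR" ] || { echo "STATUS:${status:-NONE}"; return; }
  printf '%s\n' "$out" | has_aa || { echo "NOT_AUTHORITATIVE"; return; }
  serial=$(printf '%s\n' "$out" | soa_serial)
  [ -n "$serial" ] || { echo "NO_SOA"; return; }
  if [ -n "$1" ] && [ "$serial" != "$1" ]; then
    echo "SERIAL_MISMATCH:$serial"
  else
    echo "OK:$serial"
  fi
}

# check_zone ZONE: live run of the steps (needs dig and network access).
check_zone() {
  local zone ns ref verdict
  zone=$1; ref=""
  for ns in $(dig +short "$zone" NS); do
    verdict=$(dig "@$ns" "$zone" SOA +norecurse +noall +comments +answer | classify "$ref")
    echo "$ns $verdict"
    case $verdict in OK:*) ref=${verdict#OK:} ;; esac
  done
}

# Only query the network when a zone name is passed on the command line.
if [ "$#" -gt 0 ]; then check_zone "$1"; fi
```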