A DNS lookup is only as trustworthy as the server that answered it. When a domain is delegated to several authority servers, dig can list the NS set and confirm which servers answer with authority for the zone.
A plain NS query usually starts with the resolver configured on the workstation. That answer is a starting list, but recursive resolvers can cache old nameserver data during registrar changes, DNS-provider moves, and zone repairs.
A direct query to a listed nameserver keeps the check on the server being tested. With recursion disabled, the aa flag in the response header shows an authoritative answer; missing aa, REFUSED, or a mismatched SOA or NS answer means the hostname needs parent-side delegation or provider review.
Related: How to trace DNS delegation with dig
Related: How to query a specific DNS server with dig
Tool: Nameserver Health Check
Steps to find authoritative nameservers with dig:
- Query the zone for its NS records.
$ dig +noall +answer iana.org NS iana.org. 4502 IN NS a.iana-servers.net. iana.org. 4502 IN NS b.iana-servers.net. iana.org. 4502 IN NS c.iana-servers.net. iana.org. 4502 IN NS ns.icann.org.
Use the delegated zone name, such as iana.org, rather than a host inside the zone. The TTL can be lower than the authoritative TTL when the local resolver is answering from cache.
- Query one listed nameserver for the zone SOA record with recursion disabled.
$ dig @a.iana-servers.net iana.org SOA +norecurse +noall +comments +answer ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8492 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; ANSWER SECTION: iana.org. 3600 IN SOA sns.dns.icann.org. noc.dns.icann.org. 2026062320 7200 3600 1209600 3600
The aa flag means the server answered authoritatively for the zone. +norecurse prevents a recursive lookup from hiding whether the selected server has authority.
- Query another listed nameserver with the same SOA check.
$ dig @b.iana-servers.net iana.org SOA +norecurse +noall +comments +answer ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50623 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; ANSWER SECTION: iana.org. 3600 IN SOA sns.dns.icann.org. noc.dns.icann.org. 2026062320 7200 3600 1209600 3600
The same SOA owner, primary nameserver, and serial on another authority server show that both servers are serving the same zone version.
Related: How to check SOA serial numbers with dig - Ask an authoritative server for the zone NS set.
$ dig @a.iana-servers.net iana.org NS +norecurse +noall +comments +answer ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55782 ;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; ANSWER SECTION: iana.org. 86400 IN NS a.iana-servers.net. iana.org. 86400 IN NS b.iana-servers.net. iana.org. 86400 IN NS c.iana-servers.net. iana.org. 86400 IN NS ns.icann.org.
The authoritative NS answer should match the intended provider or registrar delegation. If the resolver list and authoritative list disagree after the relevant cache period, trace the delegation path from the parent zone before changing host records.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
