
When your browser needs to find example.com, your computer sends a single DNS query and waits for an answer. One question, one response. But behind that simplicity, your DNS resolver is making multiple queries of a completely different type—following referrals from servers that refuse to do the work themselves.

These two query types, recursive and iterative, work together in every DNS lookup. Understanding them reveals how DNS stays simple for billions of devices while distributing the work across a global hierarchy.

Recursive Queries: "Find This for Me"

A recursive query is a delegation of responsibility: "Get me the answer. I don't care how."

When your computer queries a DNS resolver for example.com, it's making a recursive query. One question in, one answer out. Your computer doesn't want referrals. It doesn't want to be told "try asking someone else." It wants the IP address, or confirmation that the domain doesn't exist.

Your Computer → Resolver: "What's the IP for example.com?"
Resolver → [does whatever it takes]
Resolver → Your Computer: "93.184.216.34"

The resolver accepts full responsibility. It might query five different servers to find the answer, but your computer never sees that. This is how your phone, laptop, and smart thermostat all work—they make recursive queries and trust their resolver to handle everything else.

Iterative Queries: "Ask Them Instead"

An iterative query gets a different response: the best answer the server currently has, which might be a referral to someone who knows more.

When a resolver receives your recursive query and doesn't have the answer cached, it starts making iterative queries to authoritative DNS servers:

Resolver → Root Server: "What's the IP for example.com?"
Root Server → Resolver: "Don't know. Ask the .com server at 192.5.6.30"

Resolver → .com Server: "What's the IP for example.com?"
.com Server → Resolver: "Don't know. Ask example.com's nameserver at 199.43.133.53"

Resolver → example.com Nameserver: "What's the IP for example.com?"
example.com Nameserver → Resolver: "93.184.216.34"

Each server answers only what it knows. Root servers know who handles .com. The .com servers know who's authoritative for example.com. The authoritative nameserver knows the actual IP.

The resolver follows each referral until it reaches the server with the definitive answer.

Why This Division Exists

Recursive queries are convenient. Iterative queries are survivable.

If root servers agreed to "find this for me," they'd be making outbound queries on behalf of every resolver on Earth. They'd collapse in seconds. Instead, root servers handle tens of thousands of queries per second by doing almost nothing: "Not my zone. Ask them."

Clients use recursive queries because:

  • One question, one answer—no complexity for the device
  • Phones and laptops aren't built to follow referrals across the DNS hierarchy
  • Caching happens at the resolver, benefiting everyone who uses it
  • Billions of simple devices stay simple

Resolvers use iterative queries because:

  • Authoritative servers only answer questions about their own zone
  • No server trusts another to make queries on its behalf
  • The workload distributes naturally across the hierarchy
  • Root servers stay sane by refusing to do work for anyone

This isn't a limitation. It's how DNS survives serving the entire Internet.

The Complete Path

When you visit www.connected.app for the first time:

  1. Your computer → Resolver: Recursive query ("Find www.connected.app for me")
  2. Resolver → Root server: Iterative query → "Ask the .app server"
  3. Resolver → .app server: Iterative query → "Ask connected.app's nameserver"
  4. Resolver → connected.app nameserver: Iterative query → "76.76.21.21"
  5. Resolver → Your computer: "76.76.21.21"

Your computer made one query. The resolver made three. Your computer trusted the resolver to handle the complexity. The resolver trusted no one—it verified each step itself.
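The same split as a small simulation, added here as an example and not taken from the original page: a client's single recursive query turns into three iterative queries, and a repeat lookup is served from the resolver's cache. The server table, the `root-server` and `lame-ns` labels, and the no-progress check on referrals are constructed for illustration; the addresses are the ones from the example.com walk earlier.

```python
# Constructed in-memory stand-in for the DNS hierarchy; nothing is sent on the network.
ROOT = "root-server"   # constructed label, not a real address
SERVERS = {
    ROOT: {"com": ("referral", "192.5.6.30"),
           "org": ("referral", "lame-ns")},
    "192.5.6.30": {"example.com": ("referral", "199.43.133.53")},
    "199.43.133.53": {"example.com": ("answer", "93.184.216.34")},
    # Constructed misbehaving server: refers "org" back to itself.
    "lame-ns": {"org": ("referral", "lame-ns")},
}

def iterative_query(server, name):
    """One iterative query: the server's best answer, which may be a referral."""
    zones = SERVERS[server]
    for zone in sorted(zones, key=len, reverse=True):   # most specific zone first
        if name == zone or name.endswith("." + zone):
            kind, value = zones[zone]
            return kind, zone, value
    return "nxdomain", None, None

class Resolver:
    MAX_HOPS = 8   # upper bound on referrals followed per lookup

    def __init__(self):
        self.cache = {}            # name -> IP (no TTL handling in this sketch)
        self.upstream_queries = 0  # iterative queries sent so far

    def resolve(self, name):
        """Serve one recursive query: return an IP, or None if the name does not exist."""
        if name in self.cache:
            return self.cache[name]
        server, depth = ROOT, 0
        for _ in range(self.MAX_HOPS):
            self.upstream_queries += 1
            kind, zone, value = iterative_query(server, name)
            if kind == "answer":
                self.cache[name] = value
                return value
            if kind == "nxdomain":
                return None
            labels = zone.count(".") + 1
            if labels <= depth:   # referral must delegate a deeper zone than the last one
                raise LookupError(f"{server} referred {name} without making progress")
            server, depth = value, labels
        raise LookupError(f"gave up on {name} after {self.MAX_HOPS} referrals")
```

The `upstream_queries` counter is what the client never sees: it rises by three on the first lookup of example.com and not at all on the second.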

Practical Implications

This distinction matters when things break:

  • No response to recursive queries: Your resolver is down or unreachable
  • Resolver can't complete iterative queries: Firewall blocking outbound DNS, or upstream servers unreachable
  • DNS poisoning attacks: Often target the iterative path between resolvers and authoritative servers
  • Slow lookups: Each hop in the iterative path adds latency; good resolvers minimize this with aggressive caching

Public resolvers like Cloudflare (1.1.1.1) and Google (8.8.8.8) are popular because they're highly available recursive resolvers with excellent iterative query performance. They accept your delegation of trust and handle it well.
