NS Records: Understanding DNS Delegation and Nameservers (2026)

What Are NS Records?

An NS (Name Server) record is a DNS record that identifies which DNS servers are authoritative for a particular domain or zone. When a DNS resolver needs to look up records for your domain, NS records tell it which servers to ask.

Every domain must have at least two NS records for redundancy. Most registrars and DNS providers supply between two and four nameservers. Here is a typical NS configuration:

example.com.  IN  NS  ns1.dnsprovider.com.
example.com.  IN  NS  ns2.dnsprovider.com.
example.com.  IN  NS  ns3.dnsprovider.com.

These records tell the DNS system that ns1.dnsprovider.com, ns2.dnsprovider.com, and ns3.dnsprovider.com are the authoritative nameservers for example.com. Any DNS query for records within example.com should be directed to these servers.

How DNS Delegation Works

DNS is a hierarchical system. At the top are the root nameservers, which delegate to TLD (Top-Level Domain) nameservers (.com, .org, .net), which in turn delegate to your domain's nameservers. This chain of delegation is what makes DNS scalable.

When a resolver wants to look up mail.example.com, the process works as follows:

1. Root servers. The resolver queries a root nameserver, which responds with the NS records for the .com TLD.
2. TLD servers. The resolver queries a .com TLD nameserver, which responds with the NS records for example.com (these are the NS records you set at your registrar).
3. Authoritative servers. The resolver queries your domain's authoritative nameserver, which returns the actual record (the A record for mail.example.com).
4. Caching. The resolver caches the response according to the TTL value and returns it to the requesting application.

NS records exist at two levels: the parent zone (maintained at your registrar, also called the delegation records) and the child zone (maintained in your DNS zone file). Both should list the same nameservers. When they disagree, it creates what is called a "lame delegation," which can cause intermittent DNS resolution failures.

Authoritative vs Recursive Nameservers

Understanding the difference between these two types of nameservers is fundamental to DNS troubleshooting:

• Authoritative nameservers are the servers listed in your NS records. They hold the actual DNS zone data for your domain and provide definitive answers to queries. Examples include Cloudflare's nameservers (ns1.cloudflare.com), AWS Route 53 nameservers, and self-hosted BIND/PowerDNS servers.
• Recursive nameservers (resolvers) are the servers that perform the full lookup process on behalf of clients. They query root servers, TLD servers, and authoritative servers, then cache and return results. Examples include Google Public DNS (8.8.8.8), Cloudflare DNS (1.1.1.1), and your ISP's DNS resolver.

When you use our NS Lookup tool, you are querying for the authoritative nameservers of a domain. These are the servers that NS records point to.

Changing Nameservers

Changing nameservers is one of the most significant DNS operations you can perform. It redirects all DNS queries for your domain to different servers. There are two common scenarios:

Registrar Nameservers vs Custom Nameservers

Most domain registrars (Namecheap, GoDaddy, Google Domains) offer built-in DNS hosting with their own nameservers. These are often called "default" or "basic" nameservers. They work fine for simple configurations but may lack advanced features.

Custom nameservers point to a third-party DNS provider like Cloudflare, AWS Route 53, or Vercel. When you set custom nameservers at your registrar, the registrar updates the delegation records at the TLD level to point to your chosen provider.

Migrating DNS Providers Safely

Changing nameservers without preparation can cause downtime. Follow these steps to migrate safely:

1. Audit existing records. Use our DNS Lookup tool to document every DNS record in your current zone (A, AAAA, MX, TXT, CNAME, SRV, etc.).
2. Replicate in new provider. Create all records in your new DNS provider before changing nameservers. Verify each record is correct.
3. Lower TTLs. At least 48 hours before the switch, reduce the TTL on your NS records and all other records to 300 seconds. This ensures caches expire quickly after the change.
4. Update nameservers at registrar. Change the NS delegation at your domain registrar to point to the new provider.
5. Monitor propagation. Check that the new nameservers are responding correctly using our NS Lookup tool. Full propagation can take up to 48 hours, though most resolvers will pick up the change within a few hours.
6. Keep old records. Do not delete records from the old DNS provider until propagation is complete (at least 48-72 hours).

TTL Considerations for NS Records

The TTL (Time to Live) on NS records controls how long resolvers cache the delegation information. Key considerations:

• Default TTL is usually high. Most DNS providers set NS record TTLs between 3600 (1 hour) and 86400 (24 hours). This is appropriate for stable configurations because NS records rarely change.
• Lower before changes. If you plan to change nameservers, lower the TTL to 300 seconds at least 48 hours in advance (you need to wait for the old high TTL to expire from caches).
• TLD override. The parent zone (TLD) also has a TTL on the delegation records, and you cannot control this. The .com zone typically uses a 48-hour TTL on delegation records.
• SOA minimum TTL. The SOA record contains a minimum TTL field that affects negative caching (how long "record not found" responses are cached).

Subdomain Delegation with NS Records

NS records are not just for top-level domains. You can delegate a subdomain to different nameservers by creating NS records for the subdomain within your zone:

; Main domain uses Cloudflare
example.com.       IN  NS  ns1.cloudflare.com.
example.com.       IN  NS  ns2.cloudflare.com.

; Subdomain delegated to separate DNS
dev.example.com.   IN  NS  ns1.dev-dns.com.
dev.example.com.   IN  NS  ns2.dev-dns.com.

This is useful for organizations where different teams manage different subdomains, or when a subdomain needs to be hosted on a different infrastructure. Subdomain delegation is common for CDN configurations, development environments, and enterprise DNS architectures.

Troubleshooting NS Record Issues

• Lame delegation. When the NS records at the parent zone (registrar) and the child zone (your DNS provider) disagree, or when an NS record points to a server that does not host your zone. This causes intermittent resolution failures.
• Missing glue records. If your nameserver hostname is within the domain it serves (e.g., ns1.example.com is a nameserver for example.com), you need glue records (A records) at the parent zone. Without them, resolvers cannot find the nameserver's IP because they cannot query the zone it hosts.
• Single nameserver. Having only one NS record means a single point of failure. If that server goes down, your entire domain becomes unresolvable. Always maintain at least two NS records on geographically diverse servers.
• Propagation delays. After changing nameservers, some resolvers may still use cached old NS records. Use our DNS Lookup tool to verify resolution from different vantage points.

NS Records and DNSSEC

DNSSEC adds cryptographic signatures to DNS records to prevent tampering. For NS records specifically, DNSSEC protects the delegation chain by ensuring that the NS records returned by the parent zone are authentic. The parent zone includes a DS (Delegation Signer) record that chains trust from the parent to the child zone.

When changing nameservers on a DNSSEC-signed domain, you must also update the DS records at the registrar to match the new DNS provider's DNSKEY records. Failing to do so will break DNSSEC validation and make your domain unresolvable for DNSSEC-validating resolvers.

How to Check Your NS Records

Use our free tools to verify your nameserver configuration:

• NS Lookup — Query the authoritative nameservers for any domain and verify delegation.
• DNS Lookup — Check any DNS record type and verify records are resolving correctly.
• SOA Lookup — Check the Start of Authority record including serial number, TTL values, and zone transfer settings.