What are Stealth NS Records?

Stealth NS records are sent when the authoritative zone file has been delegated to a different nameserver.

For example, at the registrar level, I delegate to use the following nameservers for my domain, ‘massivedns.com’:

ns1.massivedns.com
ns2.massivedns.com

However, when a user queries the nameservers, they inform the user that the zone has been delegated elsewhere under the following nameservers:

ns1.fastdot.com
ns2.fastdot.com

The user then queries the delegated nameservers for the appropriate records and the lookup is completed.

Stealth NS records can also indicate a misconfiguration or discrepancy.

For example, Stealth NS records can be sent if only 2/3 of your ‘hypothetical’ nameservers are configured at the registry while all 3/3 nameservers are assigned as authoritative within your zone file. The remaining 1/3 of your nameservers will then be sent as a Stealth NS record.

Stealth NS records are achieved by using the NS resource record in your zone file.

What are Nameservers?

Nameservers are responsible for translating human-readable domain names (such as massivedns.com) into an IP address.

Nameservers are similar to address books: a person looks up the address (domain name), and the address book (nameserver) provides the location (IP address).

Each domain name must have a nameserver assigned in order for resolution to occur.

What are Glue Records / Child Nameservers / Private Nameservers?

Glue records are the binding (or glue) of IP addresses to your nameservers, e.g.

ns1.domain.com = 8.8.8.8
ns2.domain.com = 8.8.4.4

Glue records are held at the parent (GTLD / ccTLD / sGTLD) nameservers.

Example Scenario: Domain Nameservers Without Glue Records

Here’s an example scenario of a domain that does not have Glue records configured for its nameservers:

  1. [Guest] Hi, domain.com, what are your nameservers?
  2. [Host] Hi, Guest, my nameservers are ns1.domain.com and ns2.domain.com
  3. [Guest] Fantastic, I’ll head over there now. Could you provide me with the IP addresses so I can reach them?
  4. [Host] Sorry, I don’t know the IP addresses of the nameservers.
  5. [Guest] Okay, I’ll try ns1.domain.com and ns2.domain.com again.

Immediately, you will notice that the guest is now stuck in a loop as the IP addresses of the nameservers were not provided upon lookup.

Example Scenario: Domain Nameservers With Glue Records

Here’s an example scenario of a domain that has Glue records configured for its nameservers:

  1. [Guest] Hi, domain.com, what are your nameservers?
  2. [Host] Hi, Guest, my nameservers are ns1.domain.com and ns2.domain.com
  3. [Guest] Fantastic, I’ll head over there now. Could you provide me with the IP addresses so I can reach them?
  4. [Host] Sure, the IP addresses are 8.8.8.8 and 8.8.4.4.
  5. [Guest] Great, I’ve reached your nameserver IPs and can query domain.com for its records.

Now, we can see that the guest can successfully reach the nameservers because the exact locations (IP addresses) have been provided. The guest can now poll the nameserver for its appropriate records.
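
Both conditions described above, Stealth NS records (nameservers listed in the zone file but not at the registry) and nameservers without glue, can be audited by comparing the parent's delegation with the NS set the zone itself serves. The following is an added example, not part of the original article; the function names, the example.test zone and all record data are constructed for illustration.

```python
def norm(name):
    """Lowercase a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def parse_records(text):
    """Parse 'name ttl class type rdata' lines into (name, type, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if line:
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((norm(name), rtype.upper(), norm(rdata)))
    return records

def audit_delegation(zone, parent_text, child_text):
    """Compare the parent's delegation with the NS set served by the zone."""
    zone = norm(zone)
    parent, child = parse_records(parent_text), parse_records(child_text)
    parent_ns = {r for n, t, r in parent if t == "NS" and n == zone}
    child_ns = {r for n, t, r in child if t == "NS" and n == zone}
    glue = {n for n, t, _ in parent if t in ("A", "AAAA")}
    # Only nameservers named inside the zone itself depend on glue.
    needs_glue = {ns for ns in parent_ns if ns.endswith("." + zone)}
    return {
        "stealth": sorted(child_ns - parent_ns),      # in zone, not at registry
        "parent_only": sorted(parent_ns - child_ns),  # at registry, not in zone
        "missing_glue": sorted(needs_glue - glue),
    }

# Constructed sample data (example.test and 192.0.2.0/24 are reserved for docs).
PARENT_REFERRAL = """
example.test.      172800 IN NS ns1.example.test.
example.test.      172800 IN NS ns2.example.test.
ns1.example.test.  172800 IN A  192.0.2.1   ; glue for ns1 only
"""
CHILD_APEX = """
example.test.  3600 IN NS ns1.example.test.
example.test.  3600 IN NS NS2.Example.Test.
example.test.  3600 IN NS ns3.example.test.
"""

if __name__ == "__main__":
    for finding, names in audit_delegation(
            "example.test", PARENT_REFERRAL, CHILD_APEX).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

In practice the first input would be the authority and additional sections of a referral from a parent (TLD) nameserver, and the second the NS answer from one of the zone's own nameservers.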

Example DNS Lookup