A DNS server has two main functions: it can act as a resolver / cache, and it can act as an authoritative server.
An authoritative DNS server is one that manages, or has authority over, the DNS data of its own domain. This server will answer any query for any name under its authority. For example, the DNS server for xathrya.id is responsible only for translating names under xathrya.id, such as mail.xathrya.id, labs.xathrya.id, etc. It will not, and cannot, answer for domains outside its authority.
A single physical DNS server can have authority over two or more domains. For example, the domain celestial-links.net is under the same authority as the server that manages xathrya.id.
The other function a DNS server can have is cache / resolver. The DNS server relays a query to another DNS server that has authority over the requested domain name. When that server returns the answer, this DNS server caches the answer and relays it to the client.
An authoritative DNS server tends to answer non-recursively (since it already has the answer), whereas a cache server performs a recursive operation when a query arrives. Recursion occurs when the DNS server tries to resolve a domain name (see the How DNS Works article) by walking from the root DNS servers down to the authoritative DNS server.
When designing a DNS server, one should separate the authoritative function and the cache function onto different servers. Many people run both functions on a single server. This design is not bad, but it should be avoided.
There are at least two reasons for splitting the task of a DNS server between two different servers, an authoritative DNS server and a cache DNS server. They concern security and performance.
First reason: performance. A DNS should be scalable and perform well. It is about identities on the Internet, and DNS is a vital component: when a DNS server goes down, some nodes / machines become unreachable. Therefore a DNS server should perform well and be able to handle as many resolving clients as possible. With separation, each DNS server can focus on one function, acting either as an authoritative DNS server only or as a cache DNS server only, so throughput will be as high as possible.
Second reason: security. When a hacker successfully takes control of a DNS server, they gain only one of the DNS functions, not both. There is no guarantee that none of our DNS servers will be taken down, but at least a hacker cannot take both at once.
Another consideration when designing a DNS server is its position on the network.
The authoritative DNS server should be located in the DMZ network (the perimeter, or the area of the network that is publicly known and accessible from the public network). An authoritative DNS server answers queries, so it should be able to answer requests directly. If an authoritative DNS server sits behind a proxy or NAT, response time increases.
On the other side, the cache DNS server should be located on the local network and not be exposed to the public network. Each network should have a cache DNS server, which performs queries on behalf of the clients inside that network.
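As an added example (not part of the original article), the split described above written as two BIND 9 named.conf fragments, one per host. The zone file paths, the DMZ address 192.0.2.53 and the internal ranges are assumptions chosen from documentation and private address space; the zones are the article's xathrya.id and celestial-links.net.

```conf
# /etc/named.conf on the AUTHORITATIVE host, placed in the DMZ (example config)
# Assumed: DMZ interface 192.0.2.53, zone files under /var/named/zones/.
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };
    recursion no;                 # authoritative only: never resolve on behalf of clients
    allow-query { any; };         # must answer the public directly, so no proxy/NAT in front
    allow-transfer { none; };     # open up only to named secondaries, if any
    minimal-responses yes;
    version "none";
};

zone "xathrya.id" IN {
    type master;
    file "zones/db.xathrya.id";
};

# One physical server can be authoritative for more than one domain.
zone "celestial-links.net" IN {
    type master;
    file "zones/db.celestial-links.net";
};

# ---------------------------------------------------------------------------

# /etc/named.conf on the CACHE / RESOLVER host, on the internal network (example config)
# Assumed: internal interface 10.0.0.53, clients in 10.0.0.0/8 and 192.168.0.0/16.
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { 10.0.0.53; 127.0.0.1; };    # internal interfaces only, never a public one
    recursion yes;                          # walks root -> TLD -> authoritative for clients
    allow-query { internal; };              # serves only the local network
    allow-recursion { internal; };          # not an open resolver for the outside world
    allow-query-cache { internal; };
    dnssec-validation auto;
};
```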