Upstream resolution
When 1.1.1.1 cannot answer a query from cache, it contacts authoritative nameservers on your behalf. This page describes how 1.1.1.1 selects which nameserver to query, what happens when a nameserver is unreachable, and how the final response is determined.
1.1.1.1 minimizes privacy leakage by only sending the minimal query name to authoritative DNS servers. For example, if a client looks up foo.bar.example.com, the only part of the query 1.1.1.1 discloses to .com is that it needs to know who is responsible for example.com. The zone internals stay hidden.
1.1.1.1 upstreams to locally hosted root zone files ↗ instead of querying remote root servers for every lookup. This reduces latency, lowers privacy leakage, and decreases load on the DNS root server system.
When more than one authoritative nameserver is available for a zone (for example, multiple NS records at the root, TLD, or delegation level), 1.1.1.1 chooses between them based on measured performance. The resolver tracks per-upstream metrics — including round-trip time (RTT) and response quality — and queries the nameserver that has historically been fastest and most reliable from the data center serving the request.
If that nameserver does not answer in time or returns a transient error, 1.1.1.1 retries against another authoritative nameserver for the same zone. Refer to Retry behavior for details.
A small share of queries is also sent to other candidates so that latency measurements stay current and a previously slow server can be re-evaluated. For more background on the platform that powers this behavior, refer to the BigPineapple architecture blog post ↗.
If a chosen upstream nameserver does not respond in time or returns a transient error, 1.1.1.1 retries the query against another authoritative nameserver for the same zone. The temporarily unresponsive server is downranked so that subsequent queries prefer healthier alternatives. It is periodically re-probed to detect recovery.
Concurrent identical upstream queries are deduplicated so that a single in-flight request serves multiple waiting clients. The exact retry parameters and ranking logic are tuned over time and may change.
For a given query, 1.1.1.1 returns only one final answer to the client. When authoritative nameservers disagree, which response is selected depends on whether the upstream responses are authoritative answers or transient failures:
NOERROR(with answer orNODATA) versusNXDOMAIN: Both are valid authoritative answers. 1.1.1.1 returns the first valid response it receives and does not query the remaining authoritative nameservers to compare answers. Authoritative nameservers for the same zone are expected to be consistent — if one returnsNXDOMAINand another returnsNOERRORfor the same name, that indicates a misconfiguration on the authoritative side, and which answer reaches the client depends on which nameserver was queried.- Timeout versus a valid response: A timeout is not an answer. 1.1.1.1 retries against another authoritative nameserver and returns the first valid response (
NOERROR,NXDOMAIN, or other) it receives. SERVFAIL,REFUSED, or other transient failure versus a valid response: Transient failures are treated as upstream errors rather than authoritative answers. 1.1.1.1 retries against another authoritative nameserver and returns the first valid response it receives. Only if no authoritative nameserver returns a valid response does 1.1.1.1 return a failure to the client — typicallySERVFAIL, orREFUSEDif that is what the authoritative nameservers consistently returned.