An NS (Nameserver) record specifies which servers are authoritative for a domain. When a resolver looks up example.com, it follows the delegation chain from the root zone down to the NS records published at the registry, then queries those servers for every other record on the domain. NS records sit alongside other DNS entries but are special: they define where the rest of the zone lives.
Why it matters
If NS records are wrong, your domain is unreachable. Email, websites, APIs, and certificate renewal all stop because no resolver can find the right server to ask. NS misconfiguration also causes inconsistent behaviour across regions, where some users see a working site and others see SERVFAIL. Because NS records control the entire zone, they are also a high-value target for hijacking.
How to check
- List the parent-side delegation with
dig +trace example.com NSand confirm it matches the records inside the zone. - Keep at least two NS records pointing to nameservers on different networks for redundancy.
- Make sure each NS value is a valid hostname with a working DNS A record, not an IP address.
- Allow up to 48 hours after a change for caches to expire — review the TTL on both the parent and child sides.
- Pair NS hardening with DNSSEC to detect tampering with delegation responses.
- Audit registrar lock settings to prevent unauthorised NS changes.