Tanya Valdez is a Technical Writer at Constellix. She makes the information-transfer material digestible through her own transfer of information to our customers and readers. Connect with her on LinkedIn.
Domain name service (DNS) providers are not immune to downtime. It’s unfortunate, but the harsh reality is that many experience outages more than their customers realize (or more than they want to come to terms with). When is enough actually enough? The truth of the matter is that you don’t have to be at the mercy of your DNS provider’s infrastructure reliability. In fact, you can add the much-needed redundancy to your domain quite easily by setting up Secondary DNS.
This resource will help explain the main function of a primary and a secondary DNS server, what the differences are, the most used configurations, and why the service has become a necessity for domains in this internet day and age.
Primary DNS is the main authoritative DNS server (or nameserver) that serves as the initial stop for a query as the user-entered domain name is translated into an IP address that the system can understand—after all, we don’t speak the same language, so we need a translator to help us with every website visit. When we type the name of a website into a browser, the DNS server takes the entry, converts it into the domain’s corresponding IP address, and then connects us. This is similar to how operators worked back in the day when we had to call for a phone number that we didn’t know: we would tell them the name of the person or business, and they would locate the appropriate number and transfer us. When another DNS server is added to a domain, one of them becomes the primary. The primary DNS server houses the domain’s original DNS zone files.
A DNS Zone file hosts all of the records for the domains that are stored on the DNS server and are managed by the organization’s administrator. Essentially, it is a managerial space within the DNS environment that defines procedures for proper DNS operations in relation to the domain(s).
Each zone file includes a Start of Authority (SOA) record, which holds the administrative information about the zone, such as its name, serial number, and the e-mail address of the zone file’s administrator. The DNS zone file also includes the Time to Live (TTL), which specifies how long resolvers may keep the records in their cache before asking the authoritative server again. All records that have been configured in the DNS management portal are stored on the server. They further define the domain and dictate the actions the server needs to take according to the rules set in each record.
Tip: See our DNS Record Types Cheat Sheet for a downloadable resource of the most common DNS record types and their purpose.
Secondary DNS service affords you an extra set of authoritative nameservers to answer queries for your domain. The information that is stored on both nameservers is identical. Secondary DNS allows your domain zone file to be backed up automatically and stored as a copy on a secondary server. If one provider is unreachable, the other will systematically step in to answer the queries. Since the resolvers learn the servers’ speed patterns, they can also prefer the faster resource as the initial point-of-contact for incoming queries.
Having Secondary DNS is much like setting a destination on a map application on your mobile phone and letting it guide you. If there are two ways to get to the same location, it will take you through the path of “least resistance"—the one that will not only get you there but take the faster route. Secondary DNS is a mission-critical configuration that provides extra redundancy for your domain since you are able to establish a supporting set of automatically updated zone files. This is essential in bypassing DNS service outages, misconfigurations, natural disasters, and targeted attacks such as distributed denial-of-service (DDoS) attempts.
Did you know? Organizations with a large global presence benefit from using location-based routing techniques like Global Traffic Direction or regional load balancing. Since some secondary DNS providers either don't offer this service or lack the integration needed to support it, it’s important to also research services and products that are available to you when looking for a Secondary DNS provider.
You may still be a little confused about what the difference between a primary and secondary DNS server is since they both store the same information and are active and ready to answer online requests for a domain. There is one main difference and that is how the resources are stored on the server. The primary contains the original zone files and the secondary secures a copy. That means record configurations are updated a little differently.
There are two Secondary DNS strategies that are used most often to define how the nameservers will handle updates:
Constellix offers a primary/primary configuration that allows two DNS providers to be established as primaries. Both providers must maintain the same record configurations. Integrated tools, such as Terraform and octoDNS, push updates to both providers’ nameservers through API calls.
This Secondary DNS configuration publishes only one set of nameservers to answer queries—the secondary set. When the domain is queried, the primary’s nameservers are not shown; only those of the secondaries are visible, which is why the primary is called hidden.
This is often used as a safeguard against attacks on the primary DNS, such as distributed denial-of-service (DDoS) attacks. It’s also beneficial for disguising the use of a different DNS provider as the primary DNS provider from public DNS lookups.
For this type of grouping, only the secondary nameservers would need to be listed at your registrar. This way the real primary provider is truly hidden. To maintain updates, they will need to be configured so that when the primary provider’s records are updated, they are discreetly sent to your secondary nameservers, maintaining privacy for the first.
Our sister company DNS Made Easy offers another Secondary DNS strategy with traditional primary/secondary configurations, which allow the primary nameserver to update the secondary automatically via AXFR/IXFR zone transfers.
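As an added example (not Constellix or DNS Made Easy code), here is the check a practitioner runs after setting up a primary/secondary pair: collect the SOA record each nameserver answers for the zone and confirm the serials agree, using the same RFC 1982 serial arithmetic a secondary applies when deciding whether an AXFR/IXFR transfer is needed. The nameserver names and SOA values below are constructed; in practice you would fill the dictionary from `dig +short SOA <zone> @<nameserver>` against each server.

```python
"""Verify that a primary and its secondaries serve the same zone version (added example)."""
from dataclasses import dataclass

SERIAL_SPACE = 2 ** 32  # SOA serials are 32-bit and wrap around (RFC 1982)

@dataclass(frozen=True)
class Soa:
    mname: str    # nameserver the zone names as its primary
    rname: str    # zone administrator mailbox, with '@' written as '.'
    serial: int   # zone version; a secondary transfers only when it moves forward
    refresh: int  # seconds between a secondary's checks of the primary's serial
    retry: int    # seconds to wait after a failed refresh
    expire: int   # seconds a secondary keeps answering if the primary stays unreachable
    minimum: int  # negative-caching TTL

def parse_soa(rdata: str) -> Soa:
    """Parse SOA rdata as dig prints it: mname rname serial refresh retry expire minimum."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {rdata!r}")
    mname, rname, *nums = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    if not 0 <= serial < SERIAL_SPACE:
        raise ValueError(f"serial {serial} is outside the 32-bit space")
    return Soa(mname, rname, serial, refresh, retry, expire, minimum)

def serial_is_newer(candidate: int, reference: int) -> bool:
    """RFC 1982: newer if candidate is 1..2**31-1 steps ahead on the ring; a primary whose serial went backwards is therefore never pulled."""
    distance = (candidate - reference) % SERIAL_SPACE
    return 0 < distance < SERIAL_SPACE // 2

def out_of_sync(answers: dict[str, str]) -> dict[str, str]:
    """Map each lagging nameserver to a reason, given {nameserver: SOA rdata it answered}."""
    soas = {ns: parse_soa(rdata) for ns, rdata in answers.items()}
    newest_ns = None
    for ns, soa in soas.items():
        if newest_ns is None or serial_is_newer(soa.serial, soas[newest_ns].serial):
            newest_ns = ns
    if newest_ns is None:
        return {}
    newest = soas[newest_ns].serial
    return {ns: f"serial {soa.serial} is behind {newest} served by {newest_ns}"
            for ns, soa in soas.items() if soa.serial != newest}

# Constructed sample: a hidden primary and two published secondaries, one of them stale.
SAMPLE_ANSWERS = {
    "ns-primary.example.net.": "ns-primary.example.net. hostmaster.example.com. 2024060102 3600 900 1209600 300",
    "ns1.secondary.example.": "ns-primary.example.net. hostmaster.example.com. 2024060102 3600 900 1209600 300",
    "ns2.secondary.example.": "ns-primary.example.net. hostmaster.example.com. 2024060101 3600 900 1209600 300",
}
```

Running `out_of_sync(SAMPLE_ANSWERS)` flags only `ns2.secondary.example.`; a primary that is itself reported as behind its secondaries means its serial was lowered, which is the classic reason transfers silently stop.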
With these basic configurations, two sets of nameservers hold record information that end users can obtain. Having this extra set adds redundancy to your domain. Not only will queries be routed to the healthiest resource, but Secondary DNS can also assist in load balancing: the service can be configured to route the majority of your site’s traffic to a specific DNS provider, whether to control the cost of a pricier provider or to favor the more reliable one and protect your brand’s reputation. With security threats increasing, Secondary DNS should be part of your DNS strategy, and it is a necessity to ensure your domain remains online when your DNS provider has an outage.
See our 5 Top Secondary DNS Myths Debunked blog post for answers to some common misconceptions.
For a more in-depth look at Secondary DNS and other related working parts mentioned in this piece, here are some additional resources: