When it comes to DNS, there's nothing we love more - except DNS management. And maybe Secondary DNS. Or Failover. Even anomaly detection. Oh who are we kidding, if it's even remotely close to the topic of DNS, we got you covered!
A DNS management strategy where multiple providers are authoritative for answering queries for a domain. If you were to query a domain with Secondary DNS enabled, you would have (roughly) a 50/50 chance of having your query answered by either provider.
Since you have two sets of nameservers answering queries, if one set were to be unavailable then the remaining provider would answer all queries. Once the other provider is back online, both providers would return to sharing relatively equal amounts of query traffic.
The problem is, people commonly call this “backup DNS”, similar to Failover... but this is actually wrong because in a Failover configuration you only have one active system at a given time. The secondary or “backup” system would only take over if the primary is down.
In the past, we’ve had clients send in support tickets saying that we must be down because their secondary provider was answering queries. Wrong.
In a Secondary DNS configuration, two or more systems are always authoritative for answering queries.
Resolving nameservers send traffic to the authoritative nameservers using round robin. That way traffic is (somewhat) equally distributed across both nameserver sets. We'll talk more about the (somewhat) part in a bit.
Secondary DNS is unique because it is the only strategy that can ensure 100% uptime during a single DNS provider outage. You may remember the Mirai botnet that took down a large DNS provider last year. The attack reportedly took down "half the Internet", aka: domains that were single homed to that provider.
We talked to a few clients that were using Constellix as either their primary or secondary to the provider that was affected.
None of them experienced downtime during the outage.
We also talked to some of our clients that were hesitant to try Secondary DNS because they thought it was outside of their budget. That's a valid concern, but there are also some other things to consider.
It is more costly because you will have to pay for two DNS management services.
But it isn’t…
Because you’re still paying for the same amount of queries. It only gets expensive when you throw advanced location routing features into the mix.
But…
Paying for two services is still considerably less expensive than losing money from an outage. And don’t forget the aftershock of losing brand trust, referrals, and the seemingly forever association of your brand with “outage” or “down”.
Scare tactics ahead!
But seriously, we need to talk about this. Think of all the services your business depends on to thrive. From your payment processor to hosting services.
During the outage last year, we had the lowest sales day in 6 years because our credit card processor was affected.
If any of your third-party services were to fail, how much would it cost you?
This is why secondary DNS is important. It is just one of many parts of your business where you should have redundancies in place. Or get comfortable with that number that made you cringe a second ago.
We recommend starting with DNS. Vet providers (more on this later), figure out which secondary DNS configuration is best for your business, test, migrate, then take a few minutes to encourage the services you depend on to do the same.
Secondary DNS isn’t just for keeping your site online. It can also improve load times!
Remember our DNS tree?
Resolving nameservers will start to prefer the faster provider in a Secondary DNS configuration. That means queries will more often be sent to the better-performing provider, which over time actually improves resolution times.
Resolvers look at the RTT (Round Trip Time) or SRTT (Shortest Round Trip Time) of an authoritative nameserver when it answers a query for a domain. The lower the RTT, the more often the resolver will send that provider traffic.
Let’s look at evernote.com again. We already know they use Dyn and DNS Made Easy for their DNS.
We used SolveDNS to test the response times of both providers’ nameservers. The screenshot only shows one set of nameservers; there were five more sets in the results. But overall, we saw significantly lower resolution times from DNS Made Easy. If resolving nameservers saw the same RTTs, they would send more queries to DNS Made Easy nameservers.
This is why it is extremely important to evaluate your secondary provider for performance. Even though it’s a “secondary” provider, it is still responsible for answering a significant amount of your query traffic and will impact average resolution times. Long story short, if you choose a poor provider, you could hurt your performance.
This guide is an expanded version of a webinar we hosted last year which includes demonstrations of the Secondary DNS configurations we're about to show you. You can download the slide deck here.
The secondary provider receives all the zone updates from the primary. Query traffic is split evenly across both providers’ nameservers.
When the primary provider makes a change:
Hidden primary is also referred to as a Primary / Primary configuration because only one set of name servers actually answers queries, the secondary nameservers. However, those nameservers are not shown when you query that domain. Rather, the world will see the nameservers of the hidden primary.
The secondary nameservers are completely dependent on updates. No local files can be created.
The primary nameservers send updates to the secondary nameservers. Essentially, the hidden primary’s only purpose is to send updates to the secondary provider.
This configuration is typically used to complement on-premises DNS infrastructure. It’s very costly and time-consuming to expand on-prem infrastructure, so most businesses are switching to hybrid configurations.
When they want to scale, they use a cloud-based DNS provider as a secondary set of nameservers. That way they can continue to run their DNS in-house, but propagate to the cloud when they need to. Hybrid configurations also share the benefits of an Anycast network: global scalability, cost effectiveness, and can be turned up in an instant.
Only works with RFC compliant services.
A primary/primary setup means you have two providers equally authoritative for your domain. This is the most popular and widely used configuration, especially among enterprise and large-scale domains.
Updates have to be created through each provider via control panel or API. You just have to make sure both providers have the services you need.
This is the only technique that can be used with services that aren’t RFC compliant. Overall, it is the best technique for faster and more accurate query routing. Primary/primary also works great with CDNs, because it allows for region-specific routing.
Can be more costly, because you have to pay for two providers. You’ll also have to dedicate resources to keeping both providers in sync, which can be labor intensive depending on how often updates are needed.
Alright, so we just talked about the primary/primary setup and saw that the only real downside is the labor required for updates. Well, we just engineered a new kind of secondary DNS in Constellix that integrates with four major cloud DNS providers. Whenever you update a record, Constellix will automatically make API calls to update the secondary DNS service.
It only takes a minute to set up. Just enter your API key! We currently offer integrations with the following vendors:
Secondary needs your primary’s configurations.
Manually, either through APIs or both control panels
Add the appropriate NS records to your domain.
Primary / Primary and Primary / Secondary:
Your primary DNS provider will automatically send a NOTIFY to the secondary provider, prompting them to request an AXFR/IXFR.
Or if you have a primary / primary, you will need to update each provider manually.
Or if you have Constellix and are using one of the four integrated cloud providers, you will enter your API key and updates will happen instantly.
Say you already have a primary and you chose DNS Made Easy as your secondary provider. You will need to go to the secondary DNS settings and add the domain and nameservers of your primary provider. DNSME will then automatically request an IXFR/AXFR to import your existing records.
Make sure you check the serial number (in the SOA record) to make sure everything is current.
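As an added example (not from the Constellix post), one way to automate the serial check above: feed it the `dig +short SOA` answer from each nameserver of both providers and it flags any nameserver still serving an older serial, using RFC 1982 serial arithmetic so wrapped serials compare correctly. The nameserver names and serials are constructed sample data.

```python
# Constructed sample output of `dig +short SOA example.com @<nameserver>` for each
# nameserver in both provider sets (hypothetical names and serials). In practice
# you would populate this dict by running that dig command per nameserver.
SAMPLE_SOA_ANSWERS = {
    "ns1.primary-provider.example.":   "ns1.primary-provider.example. hostmaster.example.com. 2024060102 3600 900 1209600 300",
    "ns2.primary-provider.example.":   "ns1.primary-provider.example. hostmaster.example.com. 2024060102 3600 900 1209600 300",
    "ns1.secondary-provider.example.": "ns1.primary-provider.example. hostmaster.example.com. 2024060102 3600 900 1209600 300",
    "ns2.secondary-provider.example.": "ns1.primary-provider.example. hostmaster.example.com. 2024060101 3600 900 1209600 300",
}

SERIAL_MASK = 0xFFFFFFFF          # SOA serials are unsigned 32-bit
HALF = 1 << 31                    # RFC 1982 comparison window


def parse_serial(soa_rdata):
    """Extract the SERIAL field (3rd token) from SOA rdata as printed by dig +short."""
    fields = soa_rdata.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected SOA rdata: {soa_rdata!r}")
    return int(fields[2]) & SERIAL_MASK


def serial_gt(a, b):
    """RFC 1982: True if serial a is newer than b, allowing for 32-bit wrap-around."""
    return a != b and ((a < b and b - a > HALF) or (a > b and a - b < HALF))


def newest_serial(serials):
    """Pick the newest serial among the values seen across all nameservers."""
    best = None
    for s in serials:
        if best is None or serial_gt(s, best):
            best = s
    return best


def check_sync(answers):
    """Return (newest_serial, {nameserver: stale_serial}) for nameservers lagging behind."""
    serials = {ns: parse_serial(rdata) for ns, rdata in answers.items()}
    newest = newest_serial(serials.values())
    lagging = {ns: s for ns, s in serials.items() if s != newest}
    return newest, lagging


if __name__ == "__main__":
    newest, lagging = check_sync(SAMPLE_SOA_ANSWERS)
    print(f"newest serial: {newest}")
    for ns, stale in lagging.items():
        print(f"LAGGING {ns} still serves serial {stale}")
```

A nameserver that keeps lagging after the NOTIFY/IXFR cycle should have completed is the first thing to chase with the secondary provider.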
Secondary DNS in Constellix is a little different. You need to add the API keys for your other primary provider (since we only offer primary/primary).
We recommend that you treat your search for a secondary provider as you would for a primary. Look for the same features, performance, and reliability because your secondary provider is just as responsible for your DNS hosting as your primary.
Propagation should also be a priority because you want to make sure updates are fast. Resolution time is also a factor because, as we mentioned earlier, the lower the RTT, the shorter the load times. You also want to look for a long history of uptime, because if your secondary goes down it could impact performance, since your traffic will be limited to only one nameserver set.
We recommend that you run your own tests. There are a bunch of free monitoring services like Sonar Lite, Turbobytes, SolveDNS, and DNSPerf to help you evaluate providers.