At least once or twice each year the DevOps and IT world is abuzz about the most recent DNS outage that “crippled half the Internet”. In the aftermath, it seems there is no end to the sensational headlines or BrandName-pocalypse puns.
And then, roughly a year ago, everything changed. All the Captain Hindsights jumped in claiming a service called Secondary DNS could have prevented all of these outages. Brands that were using more than one DNS provider could completely avoid downtime or performance degradation.
In a nutshell, Secondary DNS allows a brand to use name servers from multiple providers to host their DNS information. That means that at any given time both providers’ name servers will be authoritative for answering incoming queries. If one provider is unable to answer queries, the other provider will answer all queries automatically.
If you run a dig in your command line tool for a domain with multiple DNS providers you will see something like this:
$ dig ns example.com +short
Secondary DNS has been around for years, so why is it just now that people are talking about it?
After talking with some of our clients and doing a bit of our own research, we found that there were 3 main reasons why brands weren’t using Secondary DNS.
To set up a Secondary DNS configuration, you need to have purchased DNS hosting/management services from two providers. Depending on your requirements and the providers you choose, this can cost you anywhere from $60 a year to a few thousand a month.
One thing to consider: if you use advanced features from one provider, you need your secondary provider to have those features, too. Otherwise, some of your query traffic will be answered normally as opposed to the optimized answers from your provider with advanced services. If this is important to you, then cost could be a major player when deciding whether to add a second DNS provider.
That brings us to our next reason why some brands have yet to use a secondary DNS provider. Organizations with a large global presence tend to use location-based routing techniques like Global Traffic Direction or regional load balancing. Some secondary DNS providers either don’t offer this service or lack the integration needed to support it.
When looking for a Secondary DNS provider, it’s important that you make sure both providers offer the functionality you need. Otherwise, you could experience performance degradation for a portion of your queries.
First, ask yourself whether or not it was hard to set up your DNS configurations with your current provider. If it was, maybe you should choose another provider… Setting up secondary DNS is very similar to how you set up your domain with a new DNS provider. You need to add your domains to that provider’s name servers, tell your registrar to point your IP address(es) to that provider, and then set up NS records for those IPs to resolve to your domain. The only difference is, you will need to set up a way to transfer information from one provider to another using an IXFR/AXFR transfer (more on this in a bit).
In the end, whether or not Secondary DNS is difficult to implement depends entirely on which provider you use.
We recommend looking first at your primary provider. Make sure they offer Secondary DNS integrations with other providers. For example, you can use Route 53 as a secondary provider, but you cannot use Route 53 as your primary and have another provider as your secondary. These integrations make the whole process seamless and will only take up a fraction of the time.
While this may not be a misconception, it’s a little-known fact about Secondary DNS that can actually improve the performance of your domain (depending on the providers you choose). Recursive name servers (usually your ISP’s) use something called RTT (Round Trip Time) to measure how fast each name server answers queries. Over time, the recursive servers will develop an affinity for the name servers that answer queries the fastest and will send more traffic to the faster name servers, which will reduce your overall resolution times.
Another thing we’ve found after talking to clients is that most thought there was only one way to set up Secondary DNS. There are actually three different kinds of configurations:
This is your traditional setup with one provider regularly updating a secondary provider with the zone information (configuration changes).
In this configuration, the Primary DNS provider will update the Secondary using an AXFR or IXFR transfer. Usually, the primary will send a NOTIFY to the secondary when any changes have been made. Otherwise, updates are detected by a scheduled serial number check configured in your SOA record.
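To make the serial-number check concrete, here is an added example (not Constellix’s code) that models what a secondary does with the SOA values it holds: when a NOTIFY or the REFRESH timer triggers a check, it compares the primary’s serial with its own using RFC 1982 serial arithmetic (so a serial that wrapped around is still seen as newer), decides whether an incremental IXFR is possible or a full AXFR is required, and stops serving the zone once EXPIRE has elapsed without contact. The name servers, serials and timer values are constructed sample data, and the change-journal bookkeeping is an assumption about how the primary tracks deltas.

```python
"""Modelling a secondary's refresh logic from the SOA record.

Added example (not Constellix's code): given the SOA the secondary last
loaded and the serial the primary currently reports, decide whether a
check is due, whether a transfer is needed, and whether an incremental
IXFR (RFC 1995) can be used or a full AXFR is required. Serial comparison
follows RFC 1982, so a serial that wrapped past 2**32 - 1 still counts as
newer. Every name and number below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

SERIAL_MOD = 1 << 32   # serials are unsigned 32-bit integers
SERIAL_HALF = 1 << 31


@dataclass(frozen=True)
class SOA:
    mname: str     # primary master name server
    rname: str     # responsible mailbox, with '@' written as '.'
    serial: int
    refresh: int   # seconds between scheduled serial checks
    retry: int     # seconds before re-trying after a failed check
    expire: int    # seconds without contact before the zone is dropped
    minimum: int   # negative-caching TTL


def parse_soa(rdata: str) -> SOA:
    """Parse SOA RDATA in the form 'dig soa example.com +short' prints it."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}")
    mname, rname, *nums = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    if not 0 <= serial < SERIAL_MOD:
        raise ValueError("serial must be an unsigned 32-bit integer")
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: a > b when 0 < (a - b) mod 2**32 < 2**31."""
    return 0 < (a - b) % SERIAL_MOD < SERIAL_HALF


def check_due(soa: SOA, since_attempt: int, *, notified: bool = False,
              last_failed: bool = False) -> bool:
    """A NOTIFY from the primary forces an immediate serial check; otherwise
    the secondary polls every REFRESH seconds, or every RETRY seconds after
    a failed attempt."""
    if notified:
        return True
    return since_attempt >= (soa.retry if last_failed else soa.refresh)


def zone_usable(soa: SOA, since_success: int) -> bool:
    """After EXPIRE seconds without a successful check the secondary must
    stop answering for the zone rather than keep serving stale data."""
    return since_success < soa.expire


def plan_transfer(local: SOA, primary_serial: int,
                  journal_oldest: Optional[int]) -> str:
    """'none' if the secondary is current; 'IXFR' if the primary's change
    journal (assumed bookkeeping) still reaches back to the secondary's
    serial; otherwise a full 'AXFR'."""
    if not serial_gt(primary_serial, local.serial):
        return "none"
    if journal_oldest is not None and not serial_gt(journal_oldest, local.serial):
        return "IXFR"
    return "AXFR"


if __name__ == "__main__":
    # Constructed sample: the secondary holds serial ...01, the primary is at ...03.
    local = parse_soa("ns1.example.com. hostmaster.example.com. "
                      "2024010101 3600 900 1209600 300")
    print("check due after 1h:", check_due(local, 3600))
    print("transfer plan:", plan_transfer(local, 2024010103, 2024010100))
```

The wraparound case matters in practice: a secondary that compares serials with plain integer comparison will silently stop pulling updates the day the primary’s serial wraps, and the zone will quietly go stale until EXPIRE drops it.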
This setup is often called a hybrid configuration or hidden master. It is almost exclusively used by organizations that have existing in-house infrastructure for their DNS management. In recent years, cloud-based DNS hosting has proven to outperform in-house hosting solutions across the board. Many organizations have started using hybrid configurations as a way to complement their existing infrastructure to increase scalability and resiliency.
If you need advanced configurations, like global load balancing, this is your best bet. You will need to have two providers as your primaries, both of which must have the functionality you need. Rather than having the providers update each other when a change has been made, you will need to update each provider manually. It is very important that you keep both providers in sync. Otherwise, some queries will be answered differently.
If you use Constellix as one of your primary providers in a primary / primary configuration, we offer integrations with four major providers:
If you use one of these providers as your second primary provider, we will make automated API calls to that provider to update your configurations every time you change a record.
Once you’ve decided which method is right for you, it’s very simple to set up.
1. First, you will need to update your Secondary provider with your Primary provider’s configurations.
2. Add the appropriate NS records to your domains at your secondary provider.
3. Notify your registrar that you added an additional provider.
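Both the primary / primary warning above (keep the two providers in sync or queries get different answers) and steps 2 and 3 of this procedure (the NS records in the zone must match what the registrar delegates to) can be checked mechanically. The following is an added example, not Constellix’s code: it parses each provider’s copy of the zone in zone-file style, as dig or a zone export prints it, and reports every RRset on which the providers disagree plus any mismatch between the registrar’s NS set and the apex NS RRset at either provider. The provider names, name servers and records are constructed sample data, with provider B deliberately left out of date.

```python
"""Checking that two authoritative providers and the registrar agree.

Added example, not Constellix's code. In a primary / primary setup the
records are kept in sync by hand, and in any setup the NS set the
registrar publishes must match the NS RRset inside the zone at both
providers. This script parses zone data in zone-file style (owner, TTL,
class, type, rdata), as dig or a zone export prints it, and reports every
RRset where the two providers disagree plus any delegation mismatch. The
providers, name servers and records are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Tuple

RRKey = Tuple[str, str]              # (owner name, record type)
Zone = Dict[RRKey, FrozenSet[str]]   # rdata values of each RRset (TTL ignored)

# Constructed sample input: what the registrar delegates to, and each
# provider's copy of the zone. Provider B is out of date on two points.
REGISTRAR_NS = ["ns1.a-dns.example", "ns2.a-dns.example",
                "ns1.b-dns.example", "ns2.b-dns.example"]
PROVIDER_A = """
example.com.     3600 IN SOA ns1.a-dns.example. hostmaster.example.com. 2024010105 3600 900 1209600 300
example.com.     3600 IN NS  ns1.a-dns.example.
example.com.     3600 IN NS  ns2.a-dns.example.
example.com.     3600 IN NS  ns1.b-dns.example.
example.com.     3600 IN NS  ns2.b-dns.example.
example.com.      300 IN A   192.0.2.10
www.example.com.  300 IN A   192.0.2.10
api.example.com.  300 IN A   192.0.2.20   ; moved to a new host last week
"""
PROVIDER_B = """
example.com.     3600 IN SOA ns1.b-dns.example. hostmaster.example.com. 2024010102 3600 900 1209600 300
example.com.     3600 IN NS  ns1.a-dns.example.
example.com.     3600 IN NS  ns1.b-dns.example.
example.com.     3600 IN NS  ns2.b-dns.example.
example.com.      300 IN A   192.0.2.10
www.example.com.  300 IN A   192.0.2.10
api.example.com.  300 IN A   192.0.2.21   ; never updated at provider B
"""


def norm_name(name: str) -> str:
    """Names are case-insensitive; compare them lower-cased and fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_zone(text: str) -> Zone:
    """Group 'owner TTL class type rdata' lines into RRsets keyed by (owner, type)."""
    rrsets: Dict[RRKey, set] = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rtype = rtype.upper()
        rdata = " ".join(rdata.split())
        if rtype in ("NS", "CNAME"):
            rdata = norm_name(rdata)              # target is a name, normalise it too
        rrsets[(norm_name(owner), rtype)].add(rdata)
    return {key: frozenset(vals) for key, vals in rrsets.items()}


def diff_zones(a: Zone, b: Zone) -> List[str]:
    """One line per RRset whose data differs between the two providers.
    SOA is skipped: each provider publishes its own SOA with its own serial."""
    problems = []
    for owner, rtype in sorted(set(a) | set(b)):
        if rtype == "SOA":
            continue
        left = a.get((owner, rtype), frozenset())
        right = b.get((owner, rtype), frozenset())
        if left != right:
            problems.append(f"{owner} {rtype}: A={sorted(left)} B={sorted(right)}")
    return problems


def check_delegation(apex: str, registrar_ns: Iterable[str], zone: Zone, label: str) -> List[str]:
    """The NS set at the registrar must equal the apex NS RRset in the zone."""
    expected = frozenset(norm_name(n) for n in registrar_ns)
    found = zone.get((norm_name(apex), "NS"), frozenset())
    out = [f"{label}: registrar delegates to {ns} but the zone's NS RRset omits it"
           for ns in sorted(expected - found)]
    out += [f"{label}: zone lists NS {ns} that the registrar does not delegate to"
            for ns in sorted(found - expected)]
    return out


def run_checks(apex: str, registrar_ns, zone_a_text: str, zone_b_text: str) -> List[str]:
    """Run every check and return the combined findings (empty means in sync)."""
    za, zb = parse_zone(zone_a_text), parse_zone(zone_b_text)
    return (check_delegation(apex, registrar_ns, za, "provider A")
            + check_delegation(apex, registrar_ns, zb, "provider B")
            + diff_zones(za, zb))


if __name__ == "__main__":
    for finding in run_checks("example.com", REGISTRAR_NS, PROVIDER_A, PROVIDER_B):
        print(finding)
```

Run against live data, the three inputs would come from `dig @<provider-a-ns> example.com AXFR` (where the provider allows it), the same against provider B, and `dig ns example.com +short` for the delegation; comparing the zones rather than individual lookups is what catches a record that was changed at one primary and forgotten at the other.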
When you are choosing a secondary DNS provider, it’s very important that you follow the same best practices as you would when choosing a primary provider. Your secondary provider will be authoritative for answering a sizeable amount of your incoming queries, so you will want to have a lot of trust in your provider. Also, if you want to enjoy the performance-enhancing benefits we discussed earlier (thanks to RTT and recursive name servers), you will want to be sure your secondary provider delivers top-of-the-charts performance.
We recommend looking at: