Secondary DNS
Blog April 21, 2017

Secondary DNS: Everything You’ve Ever Wanted to Know and More

At least once or twice each year the DevOps and IT world is abuzz about the most recent DNS outage that “crippled half the Internet”. In the aftermath, it seems there is no end to the sensational headlines or BrandName-pocalypse puns.

And then, roughly a year ago, everything changed. All the Captain Hindsights jumped in claiming a service called Secondary DNS could have prevented all of these outages. Brands that were using more than one DNS provider could completely avoid downtime or performance degradation.

What is Secondary DNS (in 30 seconds)

In a nutshell, Secondary DNS allows a brand to use name servers from multiple providers to host their DNS information. That means that at any given time both providers’ name servers will be authoritative for answering incoming queries. If one provider is unable to answer queries, the other provider will answer all queries automatically.

If you run a dig in your command line tool for a domain with multiple DNS providers you will see something like this:

$ dig ns example.com +short
ns1.primary.com
ns2.primary.com
ns3.primary.com
ns1.secondary.com
ns2.secondary.com
ns3.secondary.com

Secondary DNS has been around for years, so why is it just now that people are talking about it?

Top 3 Misconceptions

After talking with some of our clients and doing a bit of our own research, we found that there were 3 main reasons why brands weren’t using Secondary DNS.

#1 Affordability

To set up a Secondary DNS configuration, you need to have purchased DNS hosting/management services from two providers. Depending on your requirements and the providers you choose, this can cost you anywhere from $60 a year to a few thousand a month.

One thing to consider: if you use advanced features from one provider, you need your secondary provider to have those features, too. Otherwise, some of your query traffic will be answered with plain answers rather than the optimized answers from the provider with advanced services. If this is important to you, then cost could be a major factor when deciding whether to add a second DNS provider.

#2 Advanced Functionality

That brings us to our next reason why some brands have yet to use a secondary DNS provider. Organizations with a large global presence tend to use location-based routing techniques like Global Traffic Direction or regional load balancing. Some secondary DNS providers either don’t offer this service or lack the integration needed to support it.

When looking for a Secondary DNS provider, it’s important that you make sure both providers offer the functionality you need. Otherwise, you could experience performance degradation for a portion of your queries.

#3 Difficulty Implementing

First, ask yourself whether or not it was hard to set up your DNS configuration with your current provider. If it was, maybe you should choose another provider… Setting up Secondary DNS is very similar to how you set up your domain with a new DNS provider. You need to add your domains to that provider’s name servers, tell your registrar to point your IP address(es) to that provider, and then set up NS records for those IPs to resolve to your domain. The only difference is that you will need to set up a way to transfer information from one provider to the other using an IXFR/AXFR zone transfer (more on this in a bit).

[Figure: IXFR/AXFR zone transfer]

In the end, whether or not Secondary DNS is difficult to implement depends entirely on which provider you use.

We recommend looking first at your primary provider. Make sure they offer Secondary DNS integrations with other providers. For example, you can use Route 53 as a secondary provider, but you cannot use Route 53 as your primary and have another provider as your secondary. These integrations make the whole process seamless and take only a fraction of the time.

Did You Know?

While this may not be a misconception, it’s a little-known fact about Secondary DNS that it can actually improve the performance of your domain (depending on the providers you choose). Recursive name servers (usually run by your ISP) use something called RTT (Round Trip Time) to measure how quickly each name server answers queries. Over time, the recursive servers develop an affinity for the name servers that answer fastest and send more traffic to those servers, which reduces your overall resolution times.

Secondary DNS Configurations

Another thing we’ve found after talking to clients is that most thought there was only one way to set up Secondary DNS. There are actually three different kinds of configurations:

Primary / Secondary

This is your traditional setup with one provider regularly updating a secondary provider with the zone information (configuration changes).

[Figure: Primary / Secondary DNS configuration]

In this configuration, the Primary DNS provider will update the Secondary using an AXFR or IXFR transfer. Usually, the primary will send a NOTIFY to the secondary when any changes have been made. Otherwise, updates are detected by a scheduled serial number check configured in your SOA record.
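To make that refresh cycle concrete, here is an added example (not Constellix code) that models a secondary’s decisions from its SOA refresh, retry and expire timers, using RFC 1982 serial comparison and a NOTIFY that forces an immediate check; the class, timer values and serials are constructed for the walkthrough.

```python
from dataclasses import dataclass

def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is 32-bit serial a newer than b? Wraps at 2**32."""
    d = (a - b) % (1 << 32)
    return 0 < d < (1 << 31)

@dataclass
class Secondary:
    """Constructed stand-in for a secondary provider's view of one zone."""
    serial: int
    refresh: int          # SOA timers, in seconds
    retry: int
    expire: int
    last_ok: int = 0      # time of the last successful contact with the primary
    next_check: int = 0   # when the next SOA serial check is due
    expired: bool = False

    def notify(self, now: int) -> None:
        """A NOTIFY from the primary pulls the next SOA check forward to now."""
        self.next_check = now

    def poll(self, now: int, primary_serial: int, reachable: bool) -> str:
        """Decide what the secondary does at time `now` and return the action."""
        if now < self.next_check:
            return "skip"
        if not reachable:
            if now - self.last_ok >= self.expire:
                self.expired = True          # stop serving the stale copy
                return "expired"
            self.next_check = now + self.retry
            return "retry"                   # keep answering from the last good copy
        self.last_ok, self.next_check = now, now + self.refresh
        if serial_newer(primary_serial, self.serial):
            self.serial = primary_serial     # primary changed: pull it (AXFR/IXFR)
            return "transfer"
        return "in-sync"

def timeline() -> list:
    """Constructed timeline: a zone edit announced by NOTIFY, then a primary outage."""
    s = Secondary(serial=2017042101, refresh=3600, retry=900, expire=7200)
    events = [s.poll(0, 2017042101, True)]       # serial unchanged
    s.notify(10)                                 # admin edits zone, serial bumped
    events.append(s.poll(10, 2017042102, True))  # NOTIFY made the check immediate
    events.append(s.poll(20, 2017042102, True))  # next check not due for `refresh`
    for t in (3610, 4510, 7300):                 # primary provider goes dark
        events.append(s.poll(t, 2017042102, False))
    return events  # ['in-sync', 'transfer', 'skip', 'retry', 'retry', 'expired']
```

During the retry phase the secondary keeps answering from its last good copy, which is what lets the second provider ride out a primary outage; only once the expire timer elapses without contact does it stop.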

Benefits:

  • Easy to set up and maintain
  • Double the name servers authoritative for your domain
  • Immediate zone transfer (IXFR / AXFR transfer from one set of name servers to another)

Disadvantages:

  • Does not support advanced location-based configurations
  • Does not work with CDNs
  • Only works with RFC-compliant configurations

Hidden Primary

This setup is often called a hybrid configuration or hidden master. It is almost exclusively used by organizations that have existing in-house infrastructure for their DNS management. In recent years, cloud-based DNS hosting has proven to outperform in-house hosting solutions across the board. Many organizations have started using hybrid configurations as a way to complement their existing infrastructure and increase scalability and resiliency.

[Figure: Hidden Primary (hidden master) configuration]

Benefits

  • No need to redevelop existing DevOps tools (a common plight when migrating to a cloud-based DNS provider)
  • Extra layer of security to your existing architecture

Disadvantages

  • Only works with RFC-compliant configurations

Primary / Primary

If you need advanced configurations, like global load balancing, this is your best bet. You will need to have two providers as your primaries, both of which must have the functionality you need. Rather than having the providers update each other when a change has been made, you will need to update each provider manually. It is very important that you keep both providers in sync. Otherwise, some queries will be answered differently.

[Figure: Primary / Primary configuration]

Benefits:

  • Can use advanced features like traffic direction, GeoIP services, weighted round robin, and ANAME records.
  • Works with non-RFC-compliant configurations
  • CDN-friendly!

Disadvantages:

  • Can be more costly, since you will be paying for the same services at two different providers.
  • Updates are more laborious

However…

If you use Constellix as one of your primary providers in a primary / primary configuration, we offer integrations with four major providers:

  • AWS Route 53
  • Microsoft Azure
  • Google Cloud DNS
  • DNS Made Easy

If you use one of these providers as your second primary provider, we will make automated API calls to that provider to update your configurations every time you change a record.

Getting Started

Once you’ve decided which method is right for you, it’s very simple to set up.
1. First, you will need to update your Secondary provider with your Primary provider’s configurations.

  • Primary / Secondary and Hidden Primary: Use a NOTIFY and AXFR/IXFR zone transfer.
  • Primary / Primary: Updates occur at each provider through their control panel or API.

2. Add the appropriate NS records to your domains at your secondary provider.

  • Hidden Primary: Only show the NS records of the provider you want to be shown publicly.
  • Primary / Primary and Primary / Secondary: Need to add NS records for both providers.

3. Notify your registrar that you added an additional provider.

  • Hidden Primary: Only show the name servers of the provider you want to be shown publicly.
  • Primary / Primary and Primary / Secondary: Need to add lists of name servers for both providers.
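An added check for the Primary / Primary requirement above that both providers stay in sync, and for steps 2 and 3 here (the NS set published in each provider’s zone must match what the registrar was given); this is example code written for this article, not any provider’s integration, and the zone data, provider labels and `REGISTRAR_NS` list are constructed.

```python
"""Consistency checks for a Primary / Primary setup: both providers must publish the
same records, and the registrar's NS list must match the NS RRset in each zone."""

def normalize(records):
    """Group (owner, type, ttl, rdata) tuples into RRsets keyed by (owner, type)."""
    rrsets = {}
    for name, rtype, ttl, rdata in records:
        key = (name.lower().rstrip(".") + ".", rtype.upper())   # owner names are case-insensitive
        rdata = rdata.strip().lower() if key[1] in {"NS", "CNAME"} else rdata.strip()
        rrsets.setdefault(key, {"ttl": ttl, "rdata": set()})["rdata"].add(rdata)
    return rrsets

def diff_zones(a, b):
    """List (owner, type, reason) where the providers disagree; SOA is skipped
    because each primary keeps its own serial."""
    ra, rb = normalize(a), normalize(b)
    out = []
    for key in sorted(set(ra) | set(rb)):
        if key[1] == "SOA":
            continue
        if key not in ra or key not in rb:
            out.append((*key, "missing at provider " + ("A" if key not in ra else "B")))
        elif ra[key]["rdata"] != rb[key]["rdata"]:
            out.append((*key, "rdata differs"))
    return out

def delegation_ok(apex, registrar_ns, *zones):
    """True if the registrar's NS list equals the apex NS RRset at every provider."""
    want = {n.lower().rstrip(".") + "." for n in registrar_ns}
    return all(normalize(z).get((apex, "NS"), {}).get("rdata") == want for z in zones)

A = [  # provider A's zone (constructed sample data)
    ("example.com.", "SOA", 3600, "ns1.primary.com. hostmaster.example.com. 2017042101 3600 900 604800 300"),
    ("example.com.", "NS", 86400, "ns1.primary.com."),
    ("example.com.", "NS", 86400, "ns1.secondary.com."),
    ("www.example.com.", "A", 300, "192.0.2.10"),
    ("www.example.com.", "A", 300, "192.0.2.11"),
]
B = [  # provider B's zone (constructed): one record drifted, one stale record left behind
    ("example.com", "SOA", 3600, "ns1.secondary.com. hostmaster.example.com. 55 3600 900 604800 300"),
    ("EXAMPLE.COM.", "NS", 86400, "ns1.secondary.com."),
    ("example.com.", "NS", 86400, "ns1.primary.com."),
    ("www.example.com.", "A", 300, "192.0.2.11"),
    ("www.example.com.", "A", 300, "192.0.2.12"),
    ("old.example.com.", "A", 300, "198.51.100.5"),
]
REGISTRAR_NS = ["ns1.primary.com", "ns1.secondary.com"]  # name servers given to the registrar

def report():
    return diff_zones(A, B), delegation_ok("example.com.", REGISTRAR_NS, A, B)
```

Run this from a scheduled job against exports from both providers and any non-empty drift list is the signal that some queries are already being answered differently.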

Best Practices

When you are choosing a secondary DNS provider, it’s very important that you follow the same best practices as you would when choosing a primary provider. Your secondary provider will be authoritative for answering a sizeable share of your incoming queries, so you will want to have a lot of trust in that provider. Also, if you want to enjoy the performance-enhancing benefits we discussed earlier (thanks to RTT and recursive name servers), you will want to be sure your secondary provider delivers top-of-the-charts performance.

We recommend looking at:

  • Uptime history
  • Performance (consistently low resolution times)
  • Scale (how large is their network? Do they have points of presence at locations critical for your business?)
  • Support
  • Pricing