Blog November 3, 2017

Ultimate Guide to Secondary DNS

The Basics

What is Secondary DNS?

A DNS management strategy in which two (or more) providers are each authoritative for the same zone, with all of their nameservers listed in the domain's delegation. If you query a domain that uses Secondary DNS, either provider has (roughly) a 50/50 chance of answering. As we'll see later, resolvers skew that split toward whichever provider answers faster.

(Figure: dig output showing Secondary DNS)

Since you have two sets of nameservers answering queries, if one set were to become unavailable, the remaining provider would answer all queries. Once the other provider is back online, both providers return to sharing relatively equal amounts of query traffic. One caveat: resolvers that happen to try the dead provider first pay a retry timeout before moving on, so "unaffected" means your domain keeps resolving, not that every single lookup is as fast as usual.

Backup DNS

The problem is, people commonly call this "backup DNS", as if it were Failover. That's wrong: in a Failover configuration you only have one active system at a given time, and the secondary or "backup" system takes over only if the primary is down.

In the past, we’ve had clients send in support tickets saying that we must be down because their secondary provider was answering queries. Wrong.


In a Secondary DNS configuration, two or more systems are always authoritative for answering queries.

Resolving nameservers spread their queries across all of the nameservers in the delegation rather than always asking the same one. That way traffic is (somewhat) equally distributed across both nameserver sets. We'll talk more about the (somewhat) part in a bit.

Benefits

Secondary DNS is unique because it is the only strategy that keeps your domain resolving through the outage of a single DNS provider. You may remember the Mirai botnet attack that took down a large DNS provider last year. The attack reportedly took down "half the Internet", which in practice meant the domains that were single-homed to that provider.

We talked to a few clients that were using Constellix as either their primary or secondary to the provider that was affected.

None of them experienced downtime during the outage.

Disadvantages

We also talked to some of our clients that were hesitant to try Secondary DNS because they thought it was outside of their budget. That’s a valid concern, but there are also some other things to consider. 

It is more costly because you will have to pay for two DNS management services.

But it isn’t…

Because you're still paying for the same number of queries, just split across two providers. It only gets expensive when you throw advanced location routing features into the mix.

But…

Paying for two services is still considerably less expensive than losing money from an outage. And don’t forget the aftershock of losing brand trust, referrals, and the seemingly forever association of your brand with “outage” or “down”.

Why should you care?

Scare tactics ahead!


But seriously, we need to talk about this. Think of all the services your business depends on to thrive, from your payment processor to your hosting services.

During the outage last year, we had the lowest sales day in 6 years because our credit card processor was affected.

If any of your third-party services were to fail, how much would it cost you?


What You Can Do About It

This is why secondary DNS is important. It is just one of many parts of your business where you should have redundancies in place. Or get comfortable with that number that made you cringe a second ago.

We recommend starting with DNS. Vet providers (more on this later), figure out which secondary DNS configuration is best for your business, test, migrate, then take a few minutes to encourage the services you depend on to do the same.

What You Probably Didn’t Know

Performance Benefits

Secondary DNS isn’t just for keeping your site online. It can also improve load times!

Remember our DNS tree?


Resolving nameservers will start to prefer the faster provider in a Secondary DNS configuration. That means queries will more often be served by the better-performing provider, which over time actually lowers average resolution times.

Resolvers measure the RTT (round-trip time) of each answer they get from an authoritative nameserver and keep a smoothed running average per nameserver, the SRTT (smoothed round-trip time). The lower a nameserver's SRTT, the more often the resolver will send that nameserver traffic.

Let’s look at evernote.com again. We already know they use Dyn and DNS Made Easy for their DNS.

We used SolveDNS to test the response times of both providers' nameservers. The screenshot only shows one set of nameservers; there were five more sets in the results. But overall, we saw significantly lower response times from DNS Made Easy. If resolving nameservers saw the same RTTs, they would send more queries to the DNS Made Easy nameservers.

This is why it is extremely important to evaluate your secondary provider for performance. Even though it’s a “secondary” provider, it is still responsible for answering a significant amount of your query traffic and will impact average resolution times. Long story short, if you choose a poor provider, you could hurt your performance.
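To see why the split is only (somewhat) even, and why resolvers drift toward the faster provider, here is an added toy model of a resolver's nameserver selection. It is illustrative code written for this guide, not part of the original post and not any resolver's actual implementation: the two provider hostnames and their latencies are constructed, and the SRTT update (an exponentially weighted average, with the SRTT of servers that were not asked aged down a little each query so they get re-tried now and then) is a simplification of what BIND and similar resolvers do.

```python
import random

# Constructed latencies (ms) for two hypothetical providers; not real measurements.
LATENCY_MS = {
    "ns1.provider-a.example": 20.0,   # the faster provider
    "ns1.provider-b.example": 60.0,   # the slower provider
}
TIMEOUT_MS = 2000.0   # what a resolver charges a nameserver that never answers


def smooth(srtt, rtt, weight=0.3):
    """Exponentially weighted moving average of round-trip time (a smoothed RTT)."""
    return srtt * (1.0 - weight) + rtt * weight


class Resolver:
    """Toy model of a recursive resolver choosing between authoritative servers by SRTT."""

    def __init__(self, nameservers, decay=0.98):
        # Unknown servers start at 0 so each one is tried at least once.
        self.srtt = {ns: 0.0 for ns in nameservers}
        self.counts = {ns: 0 for ns in nameservers}
        self.decay = decay

    def pick(self):
        """Ask the server with the lowest smoothed RTT."""
        return min(self.srtt, key=self.srtt.get)

    def query(self, measure_rtt):
        ns = self.pick()
        self.counts[ns] += 1
        self.srtt[ns] = smooth(self.srtt[ns], measure_rtt(ns))
        # Servers that were not asked get their SRTT aged down a little, so a
        # server that was slow (or down) earlier is re-tried now and then.
        for other in self.srtt:
            if other != ns:
                self.srtt[other] *= self.decay
        return ns


def simulate(queries=1000, down=None, seed=1):
    """Return each provider's share of `queries`; `down` names a provider that times out."""
    rng = random.Random(seed)
    resolver = Resolver(LATENCY_MS)

    def measure_rtt(ns):
        if ns == down:
            return TIMEOUT_MS
        return LATENCY_MS[ns] + rng.uniform(-5.0, 5.0)   # a little constructed jitter

    for _ in range(queries):
        resolver.query(measure_rtt)
    return {ns: n / queries for ns, n in resolver.counts.items()}


if __name__ == "__main__":
    print("both up:", simulate())
    print("provider-b down:", simulate(down="ns1.provider-b.example"))
```

Run it and the faster provider ends up with the large majority of queries while the slower one still gets an occasional probe, which is the (somewhat) from earlier. Mark a provider as down and it is charged a timeout and is almost never asked again until its aged SRTT drops back. A real resolver also retries the timed-out query at another server, so the client still gets an answer; the model only tracks which server is asked first.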

Top 3 Secondary DNS Strategies

This guide is an expanded version of a webinar we hosted last year which includes demonstrations of the Secondary DNS configurations we're about to show you. You can download the slide deck here.

Primary / Secondary

The secondary provider receives all the zone updates from the primary. Query traffic is split evenly across both providers’ nameservers.

(Diagram: primary / secondary configuration)

Updates

When the primary provider makes a change:

  1. The primary sends a NOTIFY to the secondary provider's nameservers.
  2. The secondary queries the primary for the zone's SOA record and compares serial numbers. The SOA record holds the zone's housekeeping data: the primary nameserver, the admin contact, the serial, and the refresh, retry and expire timers.
  3. If the primary's serial is newer, the secondary requests a zone transfer: an IXFR (incremental) first, falling back to an AXFR (full) if the primary can't serve the incremental.
  4. Now both providers have the same record information. Huzzah!

If a NOTIFY never arrives, the secondary still polls the primary's SOA on its own every refresh interval, so changes propagate either way, just more slowly.
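Here is the secondary's side of that update cycle as an added worked example (not code from the original post or from any provider): the SOA record parsed from presentation format, RFC 1982 serial comparison so a serial that wraps past 32 bits or gets reset is still handled correctly, and the refresh/retry/expire timers that decide when a secondary checks again and when it stops answering for the zone altogether. The SOA values and hostnames are constructed.

```python
from dataclasses import dataclass

MODULUS = 1 << 32          # SOA serials are unsigned 32-bit integers


def serial_newer(candidate, current):
    """RFC 1982 serial-number arithmetic: True if `candidate` is newer than `current`.

    A plain `>` breaks when a serial wraps past 2**32 - 1 (or is moved backwards
    by hand); the half-range rule handles both cases.
    """
    candidate %= MODULUS
    current %= MODULUS
    if candidate == current:
        return False
    return (candidate - current) % MODULUS < MODULUS // 2


@dataclass
class SOA:
    mname: str      # primary nameserver for the zone
    rname: str      # admin mailbox, with '@' written as '.'
    serial: int
    refresh: int    # seconds between the secondary's own SOA checks
    retry: int      # seconds to wait after a failed check
    expire: int     # seconds without a successful check before the copy is discarded
    minimum: int    # negative-caching TTL


def parse_soa(rdata):
    """Parse SOA rdata in presentation format, as `dig +short SOA zone` prints it."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"SOA needs 7 fields, got {len(fields)}: {rdata!r}")
    return SOA(fields[0], fields[1], *(int(f) for f in fields[2:]))


class Secondary:
    """State a secondary keeps for one zone: its copy, and when to check the primary again."""

    def __init__(self, soa, now):
        self.soa = soa
        self.last_ok = now                   # last time the primary confirmed our copy
        self.next_check = now + soa.refresh
        self.expired = False

    def poll(self, now, primary_soa_rdata, primary_supports_ixfr=True, notified=False):
        """One check. `primary_soa_rdata` is the primary's SOA answer, or None if it didn't answer.

        Returns "wait", "retry", "expired", "current", "IXFR" or "AXFR".
        """
        if self.expired:
            return "expired"
        # A NOTIFY (RFC 1996) short-circuits the refresh timer; otherwise wait for it.
        if not notified and now < self.next_check:
            return "wait"
        if primary_soa_rdata is None:
            if now - self.last_ok >= self.soa.expire:
                self.expired = True          # stop answering for the zone
                return "expired"
            self.next_check = now + self.soa.retry
            return "retry"
        primary = parse_soa(primary_soa_rdata)
        self.last_ok = now
        self.next_check = now + primary.refresh
        if not serial_newer(primary.serial, self.soa.serial):
            return "current"                 # same serial: nothing to transfer
        # Newer serial: pull the changes. IXFR is preferred; a primary that cannot
        # serve the incremental falls back to a full AXFR.
        self.soa = primary                   # the transferred zone carries the new SOA
        return "IXFR" if primary_supports_ixfr else "AXFR"


# Constructed SOA answers for a hypothetical zone; not from any real provider.
PRIMARY_SOA = "ns1.primary.example. hostmaster.primary.example. 2017110301 3600 900 1209600 300"
NEWER_SOA = "ns1.primary.example. hostmaster.primary.example. 2017110302 3600 900 1209600 300"


if __name__ == "__main__":
    sec = Secondary(parse_soa(PRIMARY_SOA), now=0)
    print(sec.poll(now=0, primary_soa_rdata=NEWER_SOA, notified=True))   # IXFR
    print(sec.poll(now=3600, primary_soa_rdata=NEWER_SOA))               # current
    down = Secondary(parse_soa(PRIMARY_SOA), now=0)
    print(down.poll(now=3600, primary_soa_rdata=None))                   # retry
    print(down.poll(now=1209600, primary_soa_rdata=None))                # expired
```

The expire timer is the part people forget when sizing a secondary: with the constructed values above (refresh 1 hour, retry 15 minutes, expire 14 days) the secondary keeps answering from its last good copy for two weeks of primary downtime, then drops the zone. Set expire shorter than the longest primary outage you can imagine and the "redundant" provider goes dark exactly when you need it.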

(Diagram: IXFR / AXFR DNS transfer)

Benefits

  1. Easy to set up and maintain
  2. Doubles the number of authoritative nameservers (redundancy!)
  3. Near-immediate transfer of zone information: a NOTIFY triggers the transfer within seconds, and the SOA refresh timer catches anything a NOTIFY misses

Disadvantages

  1. Does not support advanced location-based configurations like GeoDNS or regional traffic direction.
  2. That also means primary/secondary doesn't work with CDNs (Content Delivery Networks), because most require region-specific configurations.
  3. Only RFC-compliant configurations are allowed, since only standard record data survives a zone transfer. That means no:
    1. Weighted round robin
    2. Blackholing IPs
    3. Matching IPs based on ASN
    4. Region-specific routing
    5. Automatic routing to the closest PoP (point of presence)
    6. Basically, anything that didn't exist 30 years ago…

Hidden Primary

Hidden primary (also called hidden master, or a master / slave configuration) means only one set of nameservers actually answers public queries: the secondary's. The primary is deliberately left out of the domain's NS records, so when you query the domain the world only ever sees the secondary provider's nameservers, and the primary itself is never exposed to resolvers.

(Diagram: hidden primary configuration)

Updates

The secondary, or slave, nameservers are completely dependent on updates from the primary. No records can be created or edited on the secondary itself; its copy of the zone exists only as transferred from the primary.

The primary nameservers send updates to the secondary nameservers. Essentially, the hidden primary's only purpose is to send NOTIFYs and serve zone transfers to the secondary provider.

Benefits

This configuration is typically used to complement on-premises DNS infrastructure. It’s very costly and time-consuming to expand on-prem infrastructure, so most businesses are switching to hybrid configurations.

When they want to scale, they use a cloud-based DNS provider as a secondary set of nameservers. That way they can continue to run their DNS in-house, but propagate to the cloud when they need to. Hybrid configurations also share the benefits of an Anycast network: global scalability, cost effectiveness, and can be turned up in an instant.

Disadvantages

Only works with RFC-compliant services. The zone has to be transferable over AXFR/IXFR, so the same proprietary routing features that are off the table for primary / secondary are off the table here too.

Primary / Primary

A primary/primary setup means you have two providers equally authoritative for your domain. This is the most popular and widely used configuration, especially among enterprise and large-scale domains.

(Diagram: primary / primary configuration)

Updates

Updates have to be made at each provider separately, via its control panel or API. You also have to make sure both providers offer the services you need.

Benefits

This is the only technique that can be used with services that aren't RFC compliant. Overall, it's the best technique for faster and more accurate query routing. Primary/primary also works great with CDNs, because it allows for region-specific routing.

Disadvantages

Can be more costly, because you have to pay for two providers. You'll also have to dedicate resources to keeping both providers in sync, which can be labor intensive depending on how often updates are needed. If the two drift apart, resolvers get different answers depending on which provider they happen to ask.

New Kind of Secondary DNS

The Constellix Advantage

Alright, so we just talked about the primary/primary setup and saw that the only real downside is the labor required for updates. Well, we just engineered a new kind of secondary DNS in Constellix that integrates with four major cloud DNS providers. Whenever you update a record, Constellix automatically makes API calls to update the secondary DNS service.

It only takes a minute to set up. Just enter your API key! We currently offer integrations with the following vendors:

  • DNS Made Easy
  • AWS Route 53
  • Google Cloud
  • Microsoft Azure

Basic Secondary DNS Setup

#1 Transfer

Primary / Secondary and Hidden Primary:

The secondary needs your primary's configuration:

  • Zone info and records
  • Delivered by AXFR/IXFR zone transfers from the primary

Primary / Primary:

Manually, either through both providers' APIs or both control panels.

#2 Add NS Records

Add the appropriate NS records to your domain.

Primary / Primary and Primary / Secondary:

  • Both providers' nameservers go in the NS records.

Hidden primary:

  • Only the secondary (public) provider's nameservers go in the NS records. The hidden primary is left out, which is what keeps it hidden.

#3 Notify Registrar(s)

Primary / Primary and Primary / Secondary:

  • Through your registrar, you will need to add the lists of nameservers for both providers.

Hidden Primary:

  • Only add the nameservers of the secondary (public) provider. Listing the hidden primary at the registrar would expose it.

#4 Updates

Your primary DNS provider will automatically send a NOTIFY to the secondary provider, prompting them to request an AXFR/IXFR. For that to work, the primary has to know the secondary's transfer servers: list them as NOTIFY targets and allow zone transfers from those addresses only (signing the transfers with TSIG where both sides support it), so nobody else can pull a full copy of your zone.

Or if you have a primary / primary, you will need to update each provider manually.

Or if you have Constellix and are using one of the four integrated cloud providers, you will enter your API key and updates will happen instantly.

In Our Control Panels

Say you already have a primary and you chose DNS Made Easy or Constellix as your secondary provider. You will need to go to the secondary DNS settings and add the domain and the nameservers (transfer addresses) of your primary provider. DNSME/Constellix will then automatically request an IXFR/AXFR to import your existing records, which only succeeds if your primary permits transfers to them.

Make sure the serial number in the SOA record is the same on both providers; a secondary showing an older serial than the primary hasn't imported the latest change yet.
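An added consistency check covering steps #1 to #4 above (illustrative code written for this guide, not Constellix's or DNS Made Easy's): it cross-checks the parent delegation against each server's apex NS set, compares SOA serials across every nameserver to catch a stale secondary, and verifies that a hidden primary is not exposed anywhere. The inputs stand in for dig answers and are constructed, with hypothetical hostnames; in practice you would fill the dictionaries from real queries against each delegated nameserver.

```python
# Constructed stand-ins for what you would collect with
#   dig NS example.com @<server>   and   dig SOA example.com @<server>
# against each delegated nameserver. The hostnames are hypothetical.
DELEGATION = [
    "ns1.provider-a.example", "ns2.provider-a.example",   # primary provider
    "ns1.provider-b.example", "ns2.provider-b.example",   # secondary provider
]

# Healthy setup: every server lists the full NS set and serves the same serial.
IN_SYNC = {server: {"ns": DELEGATION, "serial": 2017110302} for server in DELEGATION}

# One secondary server has not picked up the latest change.
STALE = dict(IN_SYNC)
STALE["ns2.provider-b.example"] = {"ns": DELEGATION, "serial": 2017110301}

# A hidden-primary setup where someone added the hidden host to the apex NS set.
LEAKED = dict(IN_SYNC)
LEAKED["ns1.provider-b.example"] = {"ns": DELEGATION + ["hidden.corp.example"],
                                    "serial": 2017110302}


def audit(delegation, answers, hidden_primary=None):
    """Cross-check a secondary DNS setup. Returns a list of problems; empty means consistent."""
    delegation = set(delegation)
    problems = []

    # 1. Every nameserver the parent delegates to must have answered.
    for ns in sorted(delegation - set(answers)):
        problems.append(f"{ns}: delegated by the parent but returned no answer")

    # 2. The NS set at the zone apex should match the parent's delegation;
    #    if they differ, resolvers may end up using nameservers you never intended.
    for server, answer in sorted(answers.items()):
        apex = set(answer["ns"])
        if apex != delegation:
            problems.append(f"{server}: apex NS set differs from delegation "
                            f"(extra: {sorted(apex - delegation)}, "
                            f"missing: {sorted(delegation - apex)})")

    # 3. All servers must serve the same SOA serial; a lower one is a stale copy.
    #    (Plain max is fine here; only a serial about to wrap 2**32 needs RFC 1982 arithmetic.)
    if answers:
        newest = max(answer["serial"] for answer in answers.values())
        for server, answer in sorted(answers.items()):
            if answer["serial"] != newest:
                problems.append(f"{server}: serial {answer['serial']} is behind {newest} "
                                "(transfer not received yet?)")

    # 4. A hidden primary must stay hidden: not delegated, not in the apex NS set.
    if hidden_primary:
        if hidden_primary in delegation:
            problems.append(f"{hidden_primary}: hidden primary is in the parent delegation")
        for server, answer in sorted(answers.items()):
            if hidden_primary in answer["ns"]:
                problems.append(f"{server}: apex NS set exposes hidden primary {hidden_primary}")
    return problems


if __name__ == "__main__":
    for name, answers in (("in sync", IN_SYNC), ("stale", STALE), ("leaked", LEAKED)):
        print(name, audit(DELEGATION, answers, hidden_primary="hidden.corp.example") or "ok")
```

Run this right after cutover and again after every change for the first few days: the serial check is the one that catches a NOTIFY or transfer ACL that was never set up, and the delegation check catches the common mistake of updating the registrar but not the NS records inside the zone (or the other way round).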

Choosing a Secondary DNS Provider

We recommend that you treat your search for a secondary provider as you would for a primary. Look for the same features, performance, and reliability because your secondary provider is just as responsible for your DNS hosting as your primary.

Propagation speed should also be a priority, because you want to make sure updates reach both providers fast. Resolution time is also a factor because, as we mentioned earlier, the lower the RTT the shorter the load times. You also want to look for a long history of uptime, because if your secondary goes down it could hurt performance, since your traffic will be limited to only one nameserver set.

We recommend that you run your own tests. There are a bunch of free monitoring services like Sonar Lite, Turbobytes, SolveDNS, and DNSPerf to help you evaluate providers.