The Ultimate Guide to Secondary DNS
In this article, we explore the world of secondary DNS, and look at how this server strategy can help increase performance.
- What Is Secondary DNS?
- Performance Benefits
- Top 3 Secondary DNS Strategies
- How to Set Up Secondary DNS
- How to Choose a Secondary Provider
What Is Secondary DNS?
Secondary DNS is a DNS management strategy in which multiple providers are authoritative for a domain and available to answer queries for it. If you were to query a domain with secondary DNS enabled, you would have (roughly) a 50/50 chance of having your query answered by either provider.
Since two sets of nameservers answer queries, if one set becomes unavailable the remaining provider answers all queries. Once the other provider is back online, both providers return to sharing roughly equal amounts of query traffic.
The problem is that people commonly call this "backup DNS," as if it were failover. That is wrong: in a failover configuration only one system is active at a given time, and the secondary or "backup" system only takes over when the primary is down.
In the past, we've had clients send in support tickets saying that we must be down because their secondary provider was answering queries. Wrong.
In a secondary DNS configuration, two or more systems are always available to answer queries.
Resolving nameservers spread their queries across the authoritative nameservers in a (somewhat) round-robin fashion, so traffic is (somewhat) equally distributed across both nameserver sets. We'll talk more about the "somewhat" part in a bit.
Secondary DNS is unique because it is the only strategy that can keep a zone resolvable through the outage of a single DNS provider (provided the other provider stays up and reachable). You may remember the 2016 Mirai botnet attack that took down a large DNS provider. The attack reportedly took down "half the internet," i.e. the domains that were single-homed to that provider.
We talked to a few clients that were using Constellix as either their primary or secondary alongside the provider that was affected.
None of them experienced downtime during the outage.
We also talked to some of our clients that were hesitant to try secondary DNS because they thought it was outside of their budget. That's a valid concern, but there are also some other things to consider.
"It is more costly because you will have to pay for two DNS management services."
But it isn't...
You are still paying for the same total number of queries; they are just split between two providers. It only gets expensive when you add advanced location routing features into the mix, since those have to be bought and configured at both providers.
Paying for two services is still considerably less expensive than losing money from an outage. And don't forget the aftershock of losing brand trust, referrals, and the association of your brand with "outage" or "down."
Why Should You Care?
Scare tactics ahead!
But seriously, we need to talk about this. Think of all the services your business depends on to thrive, from your payment processor to your hosting services.
During the outage last year, we had the lowest sales day in six years because our credit card processor was affected.
If any of your third-party services were to fail, how much would it cost you?
What You Can Do About It
This is why secondary DNS is important. It is just one of many parts of your business where you should have redundancies in place. Or get comfortable with that number that made you cringe a second ago.
We recommend starting with DNS. Vet providers (more on this later), figure out which secondary DNS configuration is best for your business, test, migrate, then take a few minutes to encourage the services you depend on to do the same.
What You Probably Didn't Know
Secondary DNS isn't just for keeping your site online. It can also improve load times!
Remember the DNS tree?
Resolving nameservers keep a running estimate of how quickly each authoritative nameserver answers and start to prefer the faster ones. In a secondary DNS configuration that means more queries are served by the better-performing provider, which over time actually improves resolution times.
Resolvers measure the RTT (round-trip time) of each answer from an authoritative nameserver and keep a smoothed average of it, the SRTT (smoothed round-trip time). Nameservers with a lower SRTT are chosen more often, while servers that have not been tried for a while are given another chance so the estimate does not go stale.
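The following is an added, runnable model of that selection behaviour; it is not code from the original article or from any resolver. A resolver keeps an SRTT per nameserver, updated as an exponentially weighted moving average of the measured RTTs, picks the lowest, and slowly decays the SRTT of servers it has not used so they get retried. The smoothing weight, the decay factor, the two provider names and their constructed latencies are all assumptions chosen for illustration; real resolvers use their own constants and add randomisation.

```python
"""Model of how a resolver's smoothed-RTT bookkeeping shifts queries toward the faster provider.

Added illustration with constructed latencies; the constants below are assumptions,
not the exact values used by BIND, Unbound or any other resolver.
"""

ALPHA = 0.3   # weight given to the newest RTT measurement (assumption)
DECAY = 0.98  # idle servers' SRTT shrinks each round so they are re-tried (assumption)


def pick_server(srtt: dict) -> str:
    """Choose the server with the lowest smoothed RTT (ties go to the first inserted)."""
    return min(srtt, key=srtt.get)


def observe(srtt: dict, server: str, measured_ms: float) -> None:
    """Fold a new measurement into the chosen server's SRTT and age all the others."""
    for name in srtt:
        if name == server:
            srtt[name] = (1 - ALPHA) * srtt[name] + ALPHA * measured_ms
        else:
            srtt[name] *= DECAY


def simulate(latency_ms: dict, queries: int) -> dict:
    """Send `queries` queries against servers with fixed latencies.

    Returns the share of queries each server answered, the mean RTT the resolver
    experienced, and the mean it would have seen with a strict round robin.
    """
    srtt = {name: 0.0 for name in latency_ms}   # untried servers look attractive at first
    counts = {name: 0 for name in latency_ms}
    total_ms = 0.0
    for _ in range(queries):
        chosen = pick_server(srtt)
        rtt = latency_ms[chosen]
        counts[chosen] += 1
        total_ms += rtt
        observe(srtt, chosen, rtt)
    return {
        "share": {name: n / queries for name, n in counts.items()},
        "mean_rtt_ms": total_ms / queries,
        "round_robin_mean_ms": sum(latency_ms.values()) / len(latency_ms),
    }


if __name__ == "__main__":
    # Constructed example: the "secondary" provider answers three times faster than the primary.
    result = simulate({"provider_a": 60.0, "provider_b": 20.0}, queries=1000)
    print(result)
```

With these constants the faster provider ends up answering well over 85% of the queries while the slower one is still probed every so often, and the mean RTT the resolver sees is close to the faster provider's latency rather than the round-robin average. Swap the two latencies and the share flips, which is the point of the section: a slow secondary drags your resolution times down just as a fast one pulls them up.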
Let's look at evernote.com again. We already know they use Dyn and DNS Made Easy for their DNS.
We used SolveDNS to test the response times of both providers' nameservers. The screenshot (not reproduced here) only showed one set of nameservers; there were five more sets in the results. Overall, we saw significantly lower response times from DNS Made Easy. If resolving nameservers saw the same RTTs, they would send more queries to the DNS Made Easy nameservers.
This is why it is extremely important to evaluate your secondary provider for performance. Even though it's a "secondary" provider, it is still responsible for answering a significant share of your query traffic and will affect average resolution times. Long story short, if you choose a poor provider, you could hurt your performance.
Top 3 Secondary DNS Strategies
1. Primary/Secondary
The secondary provider receives all zone updates from the primary. Query traffic is split evenly across both providers' nameservers.
When the primary provider makes a change:
- The primary sends a NOTIFY to the secondary provider.
- The secondary queries the primary's SOA record. The SOA record holds the information about the zone, including its serial number, which the primary increments on every change.
- If the serial number has changed, the secondary requests a zone transfer: an IXFR (incremental) first, falling back to an AXFR (full) if the primary cannot supply the increments.
- Now both providers have the same record information. Huzzah!
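The following is an added, self-contained walk-through of that sequence; it is not code from the article or from any DNS provider, and the zone data, serial numbers and addresses (RFC 5737 documentation ranges) are constructed. It shows the two details a practitioner most often gets wrong: serial numbers must be compared with RFC 1982 serial arithmetic so a wrapped 32-bit serial still counts as newer, and an IXFR is only possible while the primary still holds the deltas since the secondary's serial, otherwise the secondary has to fall back to a full AXFR. It also treats the NOTIFY as what it is, a hint, and ignores NOTIFYs that do not come from the configured primary.

```python
"""Primary/secondary sync: NOTIFY, SOA serial check, IXFR with AXFR fallback.

Added illustration with constructed zone data; not any provider's implementation.
"""
from dataclasses import dataclass, field

MASK = 0xFFFFFFFF   # SOA serials are unsigned 32-bit
HALF = 1 << 31


def serial_newer(candidate: int, current: int) -> bool:
    """RFC 1982 comparison: True if `candidate` is later than `current`.

    A plain `>` breaks when the serial wraps (e.g. 0xFFFFFFFF -> 0x00000002).
    """
    candidate &= MASK
    current &= MASK
    if candidate == current:
        return False
    if candidate > current:
        return candidate - current < HALF
    return current - candidate > HALF


@dataclass
class Delta:
    old_serial: int
    new_serial: int
    removed: tuple   # record names deleted in this change
    added: dict      # name -> rdata added or replaced


@dataclass
class Primary:
    serial: int
    records: dict
    history_depth: int = 2                       # how many IXFR deltas are kept (assumption)
    history: list = field(default_factory=list)

    def update(self, removed=(), added=None):
        """Apply a change, bump the SOA serial and remember the delta for IXFR."""
        old = self.serial
        for name in removed:
            self.records.pop(name, None)
        self.records.update(added or {})
        self.serial = (self.serial + 1) & MASK
        self.history.append(Delta(old, self.serial, tuple(removed), dict(added or {})))
        del self.history[:-self.history_depth]   # forget deltas older than the depth

    def ixfr(self, since: int):
        """Deltas from `since` up to the current serial, or None if they are gone."""
        for i, delta in enumerate(self.history):
            if delta.old_serial == since:
                return self.history[i:]
        return None


@dataclass
class Secondary:
    primary_addr: str               # the only address we accept NOTIFY from
    serial: int = 0
    records: dict = field(default_factory=dict)

    def on_notify(self, source_addr: str, primary: Primary) -> str:
        if source_addr != self.primary_addr:     # NOTIFY is just a hint; ignore strangers
            return "ignored"
        remote = primary.serial                  # stands in for the SOA query
        if not serial_newer(remote, self.serial):
            return "up-to-date"
        deltas = primary.ixfr(self.serial)
        if deltas is None:                       # first sync or history gap: full transfer
            self.records = dict(primary.records)
            self.serial = remote
            return "axfr"
        for delta in deltas:
            for name in delta.removed:
                self.records.pop(name, None)
            self.records.update(delta.added)
        self.serial = remote
        return "ixfr"


def demo():
    """Run the sequence described above; returns what each NOTIFY triggered and sync state."""
    primary = Primary(serial=2017061301,
                      records={"www": "192.0.2.10", "mail": "192.0.2.25"})
    secondary = Secondary(primary_addr="203.0.113.10")
    outcomes = [
        secondary.on_notify("198.51.100.7", primary),   # NOTIFY from a stranger: ignored
        secondary.on_notify("203.0.113.10", primary),   # first sync, no history: AXFR
    ]
    primary.update(removed=("mail",), added={"api": "192.0.2.30"})
    outcomes.append(secondary.on_notify("203.0.113.10", primary))   # one delta: IXFR
    for i in range(3):                                   # three changes, only two kept
        primary.update(added={f"host{i}": f"192.0.2.{40 + i}"})
    outcomes.append(secondary.on_notify("203.0.113.10", primary))   # gap in history: AXFR
    outcomes.append(secondary.on_notify("203.0.113.10", primary))   # nothing new
    in_sync = secondary.records == primary.records and secondary.serial == primary.serial
    return outcomes, in_sync


if __name__ == "__main__":
    print(demo())
```

The practical checks this encodes: compare serials with `serial_newer`, not `>`; expect an AXFR rather than an IXFR whenever the secondary has missed more changes than the primary keeps history for; and never let a NOTIFY from an arbitrary source trigger a transfer from an arbitrary source.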
Pros:
- Easy to set up and maintain.
- Doubles the number of authoritative nameservers (redundancy!).
- Immediate transfer of zone information.
Cons:
- Does not support advanced location-based configurations like GeoDNS or regional traffic direction.
- That also means primary/secondary doesn't work well with CDNs (content delivery networks), because most require region-specific configurations.
- Only RFC-compliant configurations are allowed, since only standard record data survives a zone transfer. That means no:
  - Weighted round robin.
  - Blackholing IPs.
  - Matching IPs based on ASN.
  - Region-specific routing.
  - Automatic routing to the closest PoP (point of presence).
  - Basically, anything that didn't exist 30 years ago...
2. Hidden Primary
Hidden primary is also referred to as a master/slave configuration (today more often primary/secondary). Only one set of nameservers actually answers public queries: the secondary nameservers. The primary's nameservers are never published in the zone's NS records or at the registrar, so the world only ever sees the secondary provider's nameservers and the primary stays hidden.
The secondary (or slave) nameservers are completely dependent on updates from the primary. No local changes are made on them.
The primary nameservers send updates to the secondary nameservers. Essentially, the hidden primary's only purpose is to send updates to the secondary provider.
This configuration is typically used to complement on-premises DNS infrastructure. It's very costly and time-consuming to expand on-prem infrastructure, so most businesses are switching to hybrid configurations.
When they want to scale, they use a cloud-based DNS provider as the secondary set of nameservers. That way they can continue to run their DNS in-house but propagate to the cloud when they need to. Hybrid configurations also share the benefits of an anycast network: global scalability, cost effectiveness, and capacity that can be turned up in an instant.
Cons:
- Only works with RFC-compliant services.
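The following is an added example, not from the article and not any provider's configuration, of what the hidden-primary wiring looks like in BIND 9 for the on-prem-plus-cloud case described above. The on-prem primary answers nobody but the secondary, sends NOTIFY only to the secondary, and allows zone transfers only to a holder of the TSIG key; the secondary pulls from it and accepts NOTIFY only from it. The zone name, file paths, key name and the addresses (RFC 5737 documentation ranges) are placeholders; the secret is whatever `tsig-keygen` generates for you.

```text
# --- On the hidden primary (on-prem BIND 9.16 or later) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PASTE-THE-SECRET-FROM-tsig-keygen-HERE";   # placeholder
};

options {
    recursion no;
    allow-query { localhost; 192.0.2.53; };   # not a public server: only the secondary may ask
    allow-transfer { none; };                 # opened per zone below, never globally
};

zone "example.com" {
    type primary;
    file "/etc/bind/zones/example.com.db";
    notify explicit;                           # NOTIFY only the list below, not every NS in the zone
    also-notify { 192.0.2.53 key "xfer-key"; };
    allow-transfer { key "xfer-key"; };        # AXFR/IXFR require the TSIG key
};

# --- On the secondary (the only nameservers published in NS records and at the registrar) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PASTE-THE-SAME-SECRET-HERE";        # placeholder, identical to the primary's
};

zone "example.com" {
    type secondary;
    primaries { 203.0.113.10 key "xfer-key"; };   # sign SOA/IXFR/AXFR requests to the primary
    file "/var/cache/bind/example.com.db";
    allow-notify { 203.0.113.10; };               # ignore NOTIFY from anyone else
};
```

Two checks worth running once this is in place: from a host that is not the secondary, `dig @203.0.113.10 example.com AXFR` should come back REFUSED, and `dig +short @203.0.113.10 example.com SOA` and `dig +short @192.0.2.53 example.com SOA` should show the same serial once a change has propagated. If the public secondary's serial lags, the NOTIFY or the transfer is being blocked.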
3. Primary/Primary
A primary/primary setup means you have two providers that are each fully and independently authoritative for your domain. This is the most popular and widely used configuration, especially among enterprise and large-scale domains.
Updates have to be made at each provider separately, via a control panel or API. You just have to make sure both providers have the services you need.
Pros:
- This is the only technique that can be used with services that aren't RFC-compliant. Overall, this is the best technique for faster and more accurate query routing. Primary/primary also works great with CDNs, because it allows for region-specific routing.
Cons:
- This can be more costly because you have to pay for two providers. You'll also have to dedicate resources to keep both providers in sync, which can be labor intensive depending on how often updates are needed, and any drift between the two means some users get different answers.
Basic Secondary DNS Setup
#1 Transfer Your Zone Data
Primary/secondary and hidden primary:
- The secondary needs your primary's configuration: zone info and records.
- This is done with IXFR/AXFR zone transfers.
Primary/primary:
- Enter the records manually at both providers, through their APIs or both control panels.
#2 Add NS Records
Add the appropriate NS records to your domain.
Primary/primary and primary/secondary:
- Both providers' nameservers go in the NS records.
Hidden primary:
- Only the secondary provider's nameservers go in the NS records; the hidden primary is not published.
#3 Notify Registrar(s)
Primary/primary and primary/secondary:
- Through your registrar, add the lists of nameservers for both providers.
Hidden primary:
- Only add the nameservers of the secondary provider; the hidden primary stays out of the delegation.
#4 Make Updates
Primary/secondary and hidden primary: your primary DNS provider will automatically send a NOTIFY to the secondary provider, prompting it to request an IXFR/AXFR.
Primary/primary: you will need to update each provider manually.
If you have Constellix and are using one of the four integrated cloud providers, you enter your API key and updates happen instantly.
In Our Control Panels
Say you already have a primary and you chose DNS Made Easy or Constellix as your secondary provider. You will need to go to the secondary DNS settings and add the domain and the nameservers of your primary provider. DNSME/Constellix will then automatically request an IXFR/AXFR to import your existing records.
- How to set up secondary DNS in DNS Made Easy
Make sure you check the serial number (in the SOA record) at both providers to confirm everything is current; if the serials differ, the secondary has not picked up the latest transfer yet.
Choosing a Secondary DNS Provider
We recommend that you treat your search for a secondary provider as you would for a primary. Look for the same features, performance, and reliability, because your secondary provider is just as responsible for your DNS hosting as your primary.
Propagation should also be a priority, because you want to make sure updates are fast. Resolution time is also a factor because, as we mentioned earlier, the lower the RTT, the shorter the load times. You also want to look for a long history of uptime, because if your secondary goes down it could impact performance, since your traffic will be limited to only one nameserver set.
Published at DZone with permission of Blair McKee. See the original article here.