What is Redundant DNS and Why is it Important?
Outages are typically caused by DDoS attacks, configuration or software errors, or equipment failures. Every business that has experienced a DNS failure is well aware of the impact on revenue and reputation.
DNS redundancy is a strategy and a best practice for addressing this risk. It involves deploying a second DNS network that does not share the same infrastructure (servers, networks and data centers) as the first. The most common way to set up redundant DNS is via secondary DNS, where one DNS provider is set up as the primary DNS name server and the other as the secondary. There are, however, alternatives that could be better.
How can you achieve DNS redundancy for 100% availability? This page will help you understand:
Basics of Primary and Secondary DNS
DNS redundancy using two DNS providers
NS1 Dedicated DNS + NS1 Managed DNS - two DDOS-protected DNS networks, one provider
What is Dedicated DNS?
Dedicated DNS is managed service that provides NS1 customers a unique solution to DNS redundancy. Dedicated DNS is a single tenant, anycasted DNS service that is not shared with other NS1 customers. With Dedicated and Managed DNS, you get two independent DNS networks managed under a single pane of glass.
Primary & Secondary DNS Basics
There can be confusion when it comes to understanding primary and secondary DNS. A Primary DNS server stores the zone files (DNS records) and is where changes to the zone files are made. A secondary DNS server stores a copy of the zone files and the source of that copy is the primary DNS. There are DNS protocols (NOTIFY, AXFR, IXFR) that automate the propagation of changes made on the primary to the secondary. Things to be aware of:
A primary DNS can be used solely for providing zone files to the secondary and not answer DNS queries. This is called a hidden master.
When primary and secondary DNS servers are both answering queries, there is no preference as to which receive the queries. The primary DNS may in fact receive fewer queries.
Secondary DNS is one way, but not the only way of achieving DNS redundancy.
Secondary DNS only provides redundancy when it is deployed on separate infrastructure from the primary.
You cannot have a secondary DNS in "standby mode" to be activated only if the primary goes down as a way of achieving redundant DNS.
Three DNS Topologies for Redundancy
There are three common topologies for implementing redundant DNS with two providers:
Primary / Secondary
In a primary/ secondary configuration, Provider 1 is the primary and all updates to the zone files are first made on that system. Provider 2 is set up as secondary to Provider 1, and receives automatic updates whenever a zone change is made on the primary. The nameservers of both systems are registered as authoritative for the zones, and both answer queries.
Hidden Master, Two Secondary DNS Providers
In the Hidden Master using two secondary DNS providers configuration, the primary DNS server is deployed behind the corporate firewall, and is the source of the DNS records. There are two DNS providers, each defined as secondary DNS servers to the hidden master primary.
Primary / Primary
Two DNS providers can also be set up as primary, which is called primary/ primary. No zone information passes from one to the other. Updates to the zone files must be made independently on each system. This can be done manually or automated via API's or DNS management tools.
Considerations With Dual Provider DNS Redundancy
Using two different DNS companies to achieve redundancy has drawbacks because doing so requires you to reduce capabilities down to a "lowest common denominator," so you are likely to lose valuable traffic routing and security capabilities.
While many DNS service providers support DNSSEC, the security protocol that protects you and your users from DNS hijacking and phishing, there are limitations when you deploy it using two different DNS providers. Some providers cannot support DNSSEC and also function as a secondary DNS to another provider, or be primary in a dual provider set-up. So if security is important to you and / or if you are required to comply with DNSSEC, dual provider configurations aren't for you.
Over the years, DNS has become more sophisticated and many DNS providers offer advanced features that help you route users to the resource that provides the best experience; such as geo-routing, active failover, GSLB and performance-based routing.
These features are implemented using meta data that is associated with the DNS records. This metadata is not part of standard DNS and is different from platform to platform. As a result:
Each DNS provider uses proprietary DNS configuration data used for routing decisions. This meta data is incompatible across providers, and cannot be transferred by the DNS zone transfer mechanism, AXFR. If for example you want both systems to use geo-routing, you won’t able to synchronize records using a zone transfer.
The options for dealing with this constraint are:
Use a Primary/Primary setup and maintain both systems independently. This entails twice the management overhead.
Revert to standard DNS without using the meta data that make traffic routing work - losing traffic management capabilities.
Write scripts or use API's to translate these special DNS records to a format acceptable by the other network. This essentially automates a primary/primary configuration but can be complex to set up and maintain.
Using NS1 with Secondary DNS
NS1 supports a secondary DNS setup, with NS1 running alongside another, separate DNS provider (while this can limit your ability to leverage advanced traffic management features).
NS1 is experienced in working with customers to ensure there are no record synchronization issues, and can help you establish dual provider redundancy. We support toolkits like OctoDNS and Terraform that can make it easier to manage multiple DNS providers.
How NS1's Dedicated DNS Works
Dedicated DNS is an independent anycasted DNS network, deployed for your organization and not shared with other NS1 customers. NS1 designs, deploys and manages the Dedicated DNS network to meet the traffic needs of your organization.
The Dedicated DNS network is physically separate from the NS1 Managed DNS network. Dedicated DNS is deployed on different servers, with separate network connectivity and in different data centers.
The DNS nameservers comprising your Dedicated DNS network are added to your Managed DNS portal page. Activation is simple. You delegate your zones and records to those additional servers and notify your registrar of those additional delegations. Your Dedicated DNS network will start answering queries along with your Managed DNS and the two together provides a fully redundant DNS system.
Next-Generation DNS on Both Networks
You can leverage NS1’s next-generation DNS features across both networks:
Anycasted network for reliability and high performance
Instant global DNS propagation
Routing based on precise geo-IP
Routing based on network and server parameters such as bandwidth, latency, availability, capacity and load
Routing based on Real User Monitoring
Implement DNSSEC on both networks and protect your brand and your users from DNS hijacking and phishing attacks
Both the NS1 Managed DNS and Dedicated DNS (the second, separate network) are managed via the same administration portal. When you update a DNS record, it is immediately updated on both networks.
There is no primary-secondary relationship—all DNS servers are defined as primary. Updates are transferred in real time via NS1’s management systems.
Both systems are “live” and answer queries. In the event of outage on one system, DNS queries are answered by the other with little or no user impact.
Compare: NS1 Dedicated DNS vs. Dual Provider
NS1 Dedicated DNS
Step 1: NS1 deploys your Dedicated DNS network
Step 2: NS1 enables the network in your Managed DNS portal account
Step 3: You enable Dedicated DNS servers on your existing zones with one click
Step 4: You update your registrar with the additional Dedicated DNS nameservers
Step 1: You sign up with an additional DNS provider
Step 2: You design and implement a process for transferring and synchronizing records based on your traffic management requirements
Step 3: You test to make sure the process is error free
Step 4: You update your registrar
Step 5: You monitor and manage both systems