
Redundant DNS

DNS is a mission-critical service for every enterprise. When DNS fails, or is taken down in an attack, the websites, applications and online services that depend on it effectively disappear from the internet, taking revenue and brand reputation down with them. Redundancy at the DNS layer is now a requirement to practically eliminate the risk of application failure due to DNS outages or attacks.

How can you achieve DNS redundancy for 100% availability? This page will help you understand:

  • Basics of Primary and Secondary DNS
  • DNS redundancy using two DNS providers
  • NS1 Dedicated DNS + NS1 Managed DNS - two DDoS-protected DNS networks, one provider

What is Redundant DNS and Why is it Important?

Outages are typically caused by DDoS attacks, configuration or software errors, or equipment failures. Every business that has experienced a DNS failure is well aware of the impact on revenue and reputation.

DNS redundancy is a strategy and a best practice for addressing this risk. It involves deploying a second DNS network that does not share the same infrastructure (servers, networks and data centers) as the first. The most common way to set up redundant DNS is via secondary DNS, where one DNS provider is set up as the primary DNS name server and the other as the secondary. There are, however, alternatives that could be better.

What is Dedicated DNS?

Dedicated DNS is a managed service that provides NS1 customers a unique solution to DNS redundancy. Dedicated DNS is a single-tenant, anycasted DNS service that is not shared with other NS1 customers. With Dedicated and Managed DNS, you get two independent DNS networks managed under a single pane of glass.

Primary & Secondary DNS Basics

There can be confusion when it comes to understanding primary and secondary DNS. A Primary DNS server stores the zone files (DNS records) and is where changes to the zone files are made. A secondary DNS server stores a copy of the zone files and the source of that copy is the primary DNS. There are DNS protocols (NOTIFY, AXFR, IXFR) that automate the propagation of changes made on the primary to the secondary.

Things to be aware of:

  • A primary DNS can be used solely for providing zone files to the secondary and not answer DNS queries. This is called a hidden primary.
  • When primary and secondary DNS servers are both answering queries, there is no preference as to which receives the queries. The primary DNS may in fact receive fewer queries.
  • Secondary DNS is one way, but not the only way, of achieving DNS redundancy.
  • Secondary DNS only provides redundancy when it is deployed on separate infrastructure from the primary.
  • You cannot have a secondary DNS in "standby mode" to be activated only if the primary goes down as a way of achieving redundant DNS.

Three DNS Topologies for Redundancy

There are three common topologies for implementing redundant DNS with two providers:

Primary / Secondary

In a primary/secondary configuration, Provider 1 is the primary and all updates to the zone files are first made on that system. Provider 2 is set up as secondary to Provider 1, and receives automatic updates whenever a zone change is made on the primary. The nameservers of both systems are registered as authoritative for the zones, and both answer queries.

Hidden Primary, Two Secondary DNS Providers

In the hidden primary with two secondary DNS providers configuration, the primary DNS server is deployed behind the corporate firewall and is the source of the DNS records. There are two DNS providers, each defined as a secondary DNS server to the hidden primary.

Primary / Primary

Two DNS providers can also both be set up as primary, which is called primary/primary. No zone information passes from one to the other. Updates to the zone files must be made independently on each system. This can be done manually or automated via APIs or DNS management tools.
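As an added check for any of the three topologies above (example code, not NS1's own), the script below takes a constructed snapshot of what each delegated nameserver answered and flags the failure modes this page warns about: a server that is delegated but not live, servers that share one network and so are not independent infrastructure, and SOA serials that have drifted because zone synchronization broke. The nameserver names and ASNs are constructed placeholders (ASNs from the RFC 5398 documentation range); serial wraparound is ignored.

```python
"""Audit a two-provider DNS delegation for real redundancy (added example, not NS1 code).

The input is a constructed snapshot of what each delegated nameserver answered;
in practice you would gather it with SOA queries to each server plus an
IP-to-ASN lookup.  The origin AS stands in for "separate infrastructure" and the
SOA serial for "zone synchronization is working".
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NameserverObs:
    name: str
    asn: Optional[int]     # origin AS of the server's address; None = unknown
    serial: Optional[int]  # SOA serial it served; None = no answer (not live)


def audit_delegation(observations: List[NameserverObs]) -> List[str]:
    """Return findings; an empty list means the delegation looks truly redundant."""
    findings = []

    # Every delegated server must answer. A "standby" secondary that is in the
    # delegation but silent adds resolver timeouts, not redundancy.
    for o in observations:
        if o.serial is None:
            findings.append(f"{o.name}: delegated but not answering SOA queries")
    live = [o for o in observations if o.serial is not None]
    if len(live) < 2:
        findings.append("fewer than two live authoritative servers")
        return findings

    # Separate infrastructure: if every live server sits in one AS, a single
    # provider outage or DDoS takes them all down together.
    unknown = [o.name for o in live if o.asn is None]
    if unknown:
        findings.append(f"cannot confirm independence: ASN unknown for {', '.join(unknown)}")
    elif len({o.asn for o in live}) < 2:
        findings.append("all live servers share one network (ASN); not independent")

    # Serials must agree across providers. A lagging serial means the
    # NOTIFY/AXFR/IXFR chain (or a primary/primary sync process) is broken.
    newest = max(o.serial for o in live)
    stale = [o.name for o in live if o.serial != newest]
    if stale:
        findings.append(f"zone out of sync: {', '.join(stale)} behind serial {newest}")
    return findings
```

Run it on a snapshot taken a few minutes after a zone change; a stale serial at one provider is the earliest sign that the secondary relationship or sync tooling has silently failed.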

Considerations With Dual Provider DNS Redundancy

Using two different DNS companies to achieve redundancy has drawbacks because doing so requires you to reduce capabilities down to a "lowest common denominator," so you are likely to lose valuable traffic routing and security capabilities.

While many DNS service providers support DNSSEC, the security protocol that protects you and your users from DNS hijacking and phishing, there are limitations when you deploy it using two different DNS providers. Some providers cannot support DNSSEC while also functioning as a secondary DNS to another provider, or as the primary in a dual-provider set-up. So if security is important to you and/or you are required to comply with DNSSEC, dual-provider configurations aren't for you.

Over the years, DNS has become more sophisticated, and many DNS providers offer advanced features that help you route users to the resource that provides the best experience, such as geo-routing, active failover, GSLB and performance-based routing.

These features are implemented using metadata that is associated with the DNS records. This metadata is not part of standard DNS and differs from platform to platform. As a result:

Each DNS provider relies on proprietary DNS configuration data for its routing decisions.

This metadata is incompatible across providers and cannot be transferred by the DNS zone transfer mechanism, AXFR. If, for example, you want both systems to use geo-routing, you won't be able to synchronize records using a zone transfer.

The options for dealing with this constraint are:

1. Use a Primary/Primary setup and maintain both systems independently.

This entails twice the management overhead.

2. Revert to standard DNS without using the metadata that makes traffic routing work.

This results in losing traffic management capabilities.

3. Write scripts or use APIs to translate these special DNS records into a format acceptable to the other network.

This essentially automates a primary/primary configuration but can be complex to set up and maintain.

Setting NS1 as a Secondary

If you have multiple DNS providers, you have the option to configure NS1 to be your secondary provider—acting as a "child" to your primary DNS server.

Using NS1 as the Primary DNS Provider

Customers with multiple DNS providers can use NS1 as the primary provider—configuring other DNS servers as secondaries that update regularly with zone data from NS1.


A Unique DNS Redundancy Solution

NS1 Dedicated DNS

NS1 has developed Dedicated DNS, a new way to achieve DNS redundancy, without any of the complexities and limitations of dual provider set-ups. It lets you run two physically separate DNS networks, but which are fully synchronized and are managed from one pane of glass.

Using NS1 with Secondary DNS

NS1 supports a secondary DNS setup, with NS1 running alongside another, separate DNS provider, although this can limit your ability to leverage advanced traffic management features.

NS1 is experienced in working with customers to ensure there are no record synchronization issues, and can help you establish dual provider redundancy. We support toolkits like OctoDNS and Terraform that can make it easier to manage multiple DNS providers.

How NS1's Dedicated DNS Works

Dedicated DNS is an independent anycasted DNS network, deployed for your organization and not shared with other NS1 customers. NS1 designs, deploys and manages the Dedicated DNS network to meet the traffic needs of your organization.

The Dedicated DNS network is physically separate from the NS1 Managed DNS network. Dedicated DNS is deployed on different servers, with separate network connectivity and in different data centers.

The DNS nameservers comprising your Dedicated DNS network are added to your Managed DNS portal page. Activation is simple. You delegate your zones and records to those additional servers and notify your registrar of those additional delegations. Your Dedicated DNS network will start answering queries along with your Managed DNS, and the two together provide a fully redundant DNS system.

Next-Generation DNS on Both Networks

You can leverage NS1’s next-generation DNS features across both networks:

  • Anycasted network for reliability and high performance
  • Instant global DNS propagation
  • Routing based on precise geo-IP
  • Routing based on network and server parameters such as bandwidth, latency, availability, capacity and load
  • Routing based on Real User Monitoring
  • DNSSEC on both networks, protecting your brand and your users from DNS hijacking and phishing attacks

Transparent Synchronization

Both the NS1 Managed DNS and Dedicated DNS (the second, separate network) are managed via the same administration portal. When you update a DNS record, it is immediately updated on both networks.

There is no primary-secondary relationship—all DNS servers are defined as primary. Updates are transferred in real time via NS1’s management systems.

Both systems are "live" and answer queries. In the event of an outage on one system, DNS queries are answered by the other with little or no user impact.

Single Provider

Step 1: NS1 deploys your Dedicated DNS network

Step 2: NS1 enables the network in your Managed DNS portal account

Step 3: You enable Dedicated DNS servers on your existing zones with one click

Step 4: You update your registrar with the additional Dedicated DNS nameservers

Dual Provider

Step 1: You sign up with an additional DNS provider

Step 2: You design and implement a process for transferring and synchronizing records based on your traffic management requirements

Step 3: You test to make sure the process is error free

Step 4: You update your registrar

Step 5: You monitor and manage both systems