What is Primary DNS?
A primary DNS server is the first point of contact for a browser, application or device that needs to translate a human-readable hostname into an IP address. The primary DNS server contains a DNS record that has the correct IP address for the hostname. If the primary DNS server is unavailable, the device contacts a secondary DNS server, containing a recent copy of the same DNS records.
How Does a Primary DNS Server Work?
When a computer or device needs to connect to another device on the Internet, it typically uses a human-readable domain name, like “www.example.com”. The browser or application needs to translate the domain name into a numeric Internet Protocol (IP) address like “22.214.171.124”. This translation is done by the Domain Name System (DNS).
The device first contacts the primary DNS server that hosts the controlling zone file. This file contains the authoritative DNS information for the domain or subdomain. “Authoritative” means it is the trusted source for information like the IP address of the domain, administrator contact information, and settings like Time to Live (how long this IP address should be saved in a local cache).
The primary DNS server resolves the query by returning the IP address for the requested hostname. However, if the primary server is slow to respond or is unavailable, the device is referred to one or more secondary DNS servers.
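To make the exchange above concrete, here is an added example (written for this page; it is not NS1's code nor that of any real resolver or name server). It builds a DNS query for a placeholder hostname in wire format, constructs the reply an authoritative (primary) server would send, and parses it, showing the AA ("authoritative answer") flag and the TTL that the text describes. The hostname www.example.com, the address 192.0.2.10, the transaction ID and the 3600-second TTL are all made up for the example; no network traffic is sent.

```python
import struct

# Constructed placeholders for the example; not real infrastructure.
QNAME = "www.example.com"
ANSWER_ADDRESS = "192.0.2.10"
ANSWER_TTL = 3600


def encode_name(name: str) -> bytes:
    """DNS wire format for a name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A standard A query (QTYPE=1, QCLASS=IN) with the 'recursion desired' bit set."""
    flags = 0x0100  # QR=0 (this is a query), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # 1 question, 0 answers
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg: bytes, off: int):
    """Decode a name at `off`, following compression pointers; return (name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Read the header flags and any A answers; report whether the reply is authoritative."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                    # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:      # A record: four address bytes
            answers.append({"name": name, "ttl": ttl,
                            "address": ".".join(str(b) for b in rdata)})
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),   # QR bit
        "authoritative": bool(flags & 0x0400), # AA bit: set only by a server for its own zone
        "rcode": flags & 0x000F,
        "answers": answers,
    }


def build_authoritative_response(query: bytes, address: str, ttl: int) -> bytes:
    """Constructed reply in the form a primary server sends: QR=1, AA=1, RD=1, RA=1."""
    txid = struct.unpack("!H", query[:2])[0]   # reply carries the query's transaction ID
    flags = 0x8000 | 0x0400 | 0x0100 | 0x0080
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = query[12:]
    rdata = bytes(int(octet) for octet in address.split("."))
    # 0xC00C is a compression pointer back to the name in the question at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def lookup_example() -> dict:
    """Run the round trip offline: build the query, construct the reply, parse it."""
    query = build_query(QNAME)
    reply = build_authoritative_response(query, ANSWER_ADDRESS, ANSWER_TTL)
    parsed = parse_response(reply)
    # A resolver only accepts a reply whose transaction ID matches its own query.
    if parsed["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch; reply discarded")
    return parsed


if __name__ == "__main__":
    print(lookup_example())
```

The TTL in the parsed answer is the value the text calls "Time to Live": a cache may reuse the address for that many seconds before asking again. The AA flag is what distinguishes an answer from the zone's own primary or secondary server from one relayed out of a resolver's cache.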
What is Secondary DNS?
Changes to DNS records—for example, changing the IP for a domain name—can only be done on a primary server, which can then update secondary DNS servers. DNS servers can be primary for one DNS zone and secondary for another DNS zone.
A secondary server holds a secondary DNS zone—a read-only copy of the zone file, which contains the DNS records. It receives updated copies from the primary in an operation called a zone transfer. A secondary server can also request a fresh copy from the primary when it needs to update its local DNS records.
Secondary DNS servers are not mandatory—the DNS system can work even if only a primary server is available. But it is standard, and often required by domain registrars, to have at least one secondary server.
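The zone-transfer relationship described above is driven by the timers and serial number in the zone's SOA record. The following added example (written for this page, not NS1's code or any name server's) parses a constructed BIND-style zone file, compares serial numbers the way RFC 1982 serial arithmetic requires (so a counter that wraps past 2^32 still works), and decides what a secondary should do at a refresh check: transfer, wait, or stop serving the zone once the expire timer runs out. The zone name acme.example, the server names, the serial and the timer values are all made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed BIND-style zone text for a placeholder zone; names, serial
# and timers are made up for this example.
PRIMARY_ZONE = """\
$ORIGIN acme.example.
$TTL 3600
@   IN SOA ns1.acme.example. hostmaster.acme.example. (
        2024031502 ; serial: bumped on every change at the primary
        7200       ; refresh: how often a secondary re-checks the serial
        900        ; retry: wait after a failed refresh attempt
        1209600    ; expire: drop the copy after this long without contact
        300 )      ; negative-cache TTL
@   IN NS  ns1.acme.example.
@   IN NS  ns2.acme.example.
www IN A   192.0.2.10
"""


@dataclass
class SOA:
    mname: str      # name of the primary server for the zone
    rname: str      # responsible-person mailbox
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


SERIAL_SPACE = 2 ** 32  # serial numbers are unsigned 32-bit and wrap around


def parse_soa(zone_text: str) -> SOA:
    """Extract the SOA fields: strip ';' comments, then join the parenthesised block."""
    no_comments = re.sub(r";[^\n]*", "", zone_text)
    flat = " ".join(no_comments.split())
    m = re.search(r"IN SOA (\S+) (\S+) \( (\d+) (\d+) (\d+) (\d+) (\d+) \)", flat)
    if not m:
        raise ValueError("no SOA record found")
    mname, rname, *numbers = m.groups()
    return SOA(mname, rname, *(int(n) for n in numbers))


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982: `candidate` is newer if it is ahead of `current` by less than 2^31."""
    if candidate == current:
        return False
    return (candidate - current) % SERIAL_SPACE < SERIAL_SPACE // 2


def plan_refresh(local: Optional[SOA], primary: Optional[SOA],
                 seconds_since_last_success: int) -> Tuple[str, Optional[int]]:
    """What a secondary does at a refresh check; returns (action, seconds until next check).

    local:   SOA of the secondary's current copy, or None if it holds none yet
    primary: SOA the primary answered with, or None if the primary did not respond
    """
    if primary is None:                        # primary unreachable or slow
        if local is None:
            return ("retry", None)             # nothing to serve, no timers known yet
        if seconds_since_last_success >= local.expire:
            return ("expire", local.retry)     # stop answering rather than serve stale data
        return ("retry", local.retry)          # keep serving the old copy, try again soon
    if local is None or serial_is_newer(primary.serial, local.serial):
        return ("transfer", primary.refresh)   # request a zone transfer and install it
    return ("up_to_date", primary.refresh)


if __name__ == "__main__":
    soa = parse_soa(PRIMARY_ZONE)
    stale = SOA(soa.mname, soa.rname, soa.serial - 1, soa.refresh,
                soa.retry, soa.expire, soa.minimum)
    print(plan_refresh(stale, soa, 0))         # ('transfer', 7200)
    print(plan_refresh(stale, None, 1209600))  # ('expire', 900)
```

Two points the walk-through makes explicit: a secondary keeps answering from its old copy while the primary is down, which is the redundancy benefit described below, and it does so only until the expire timer elapses, so a primary that stays unreachable for weeks eventually takes its secondaries offline with it.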
Benefits of having a secondary DNS server for a domain:
- Provides redundancy in case the primary DNS server goes down. If there is no secondary server, when the primary fails, the website will become unavailable at its human-readable domain name (although it will still be accessible by its IP).
- Distributes the load between primary and secondary servers. Some resolvers use the Smoothed Round Trip Time (SRTT) algorithm to prefer the lowest-latency name server from the available pool (the primary and one or more secondaries).
- Part of a secure DNS strategy—DNS servers are exposed to security threats, first and foremost Distributed Denial of Service (DDoS) attacks. Setting up an external DNS provider with DDoS protection as a secondary DNS server is a common way to deflect DDoS attacks.
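The SRTT-based server selection mentioned in the second benefit can be shown in a few lines. This is an added example written for this page, not code from NS1 or from any particular resolver: it keeps an exponentially weighted moving average of measured round-trip times per name server, treats a timeout as a very slow answer, and queries the server with the lowest estimate. The server names and the millisecond samples are constructed; the weighting factor, timeout penalty and the decay applied to unused servers are illustrative choices, not the exact parameters of any real resolver.

```python
# Constructed RTT samples in milliseconds for three name servers of one zone
# (placeholder names, made-up measurements). None marks a query that timed out.
RTT_SAMPLES = {
    "ns1.acme.example.": [28, 30, 27, 250, 29],     # fast, with one slow outlier
    "ns2.acme.example.": [45, 44, 46, 45, 44],      # slower but steady
    "ns3.acme.example.": [12, None, None, 14, 13],  # fastest when it answers, but loses queries
}

ALPHA = 0.3               # weight of the newest sample; smaller values smooth harder
TIMEOUT_PENALTY_MS = 500  # a lost query is scored as a very slow answer
AGE_FACTOR = 0.98         # shrink estimates of servers that were not tried this round


def update_srtt(srtt, sample_ms):
    """Exponentially weighted moving average; the first sample seeds the estimate."""
    if srtt is None:
        return float(sample_ms)
    return (1 - ALPHA) * srtt + ALPHA * sample_ms


def compute_srtt(samples):
    """Fold a list of samples (None = timeout) into one SRTT estimate."""
    srtt = None
    for s in samples:
        srtt = update_srtt(srtt, TIMEOUT_PENALTY_MS if s is None else s)
    return srtt


def rank_servers(rtt_table):
    """Name servers ordered from lowest to highest SRTT."""
    srtts = {name: compute_srtt(samples) for name, samples in rtt_table.items()}
    return sorted(srtts, key=srtts.get)


def pick_server(rtt_table):
    """The server a resolver would send the next query to."""
    return rank_servers(rtt_table)[0]


def age_estimates(srtts, chosen, factor=AGE_FACTOR):
    """Lower the SRTT of servers that were not queried this round, so a server that
    was slow once is eventually tried again instead of being ignored forever."""
    return {name: (value if name == chosen else value * factor)
            for name, value in srtts.items()}


if __name__ == "__main__":
    for name in rank_servers(RTT_SAMPLES):
        print(f"{name:20s} SRTT={compute_srtt(RTT_SAMPLES[name]):.1f} ms")
```

With these samples the steady server ns2 wins even though ns1 and ns3 answered faster on their good days: one 250 ms outlier and two timeouts are enough to push their averages above 45 ms. The aging step is what lets traffic drift back to ns1 once its estimate has decayed below ns2's, which is the load-spreading behaviour the text refers to.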
DNS Zone, Primary DNS and Secondary DNS Configuration
In the preceding discussion we referred to DNS zones. A DNS zone is a distinct part of the domain name space, delegated to a specific legal entity which is responsible for managing it.
For example, a root domain such as “acme.com” is a DNS zone, which can be delegated to a company, Acme Corporation Inc. Acme Corporation then assumes responsibility for setting up a primary DNS server, called an Authoritative Name Server, which holds correct DNS records for that domain.
DNS zones exist at higher and lower levels of the DNS hierarchy. For example, the Top Level Domain “.com” is also a DNS zone, which has an Authoritative Name Server providing DNS records for all the domains in the “.com” namespace. A subdomain, such as “support.acme.com” is also a DNS zone, which can be managed by Acme Corporation, or delegated to another entity.
Primary and Secondary DNS Management in Modern DNS Infrastructure
The classic primary/secondary DNS architecture is no longer used by modern, managed DNS providers.
Today, most DNS providers offer customers several name server IPs to use. Behind each of these IPs are pools of DNS servers, with requests routed via anycast (a routing technique in which the same IP address is announced from many locations, so each query is delivered to the nearest pool). This provides improved redundancy and high availability compared to the primary/secondary model.
However, even in advanced DNS deployments, secondary DNS can help you:
- Migrate to new DNS infrastructure while dependencies on old DNS servers remain—organizations may have tools, code, or legacy systems that point to an old DNS server hosted inside the organization. There may be scripts that automatically create DNS records (for example, provisioning a new subdomain for each customer). To migrate to a modern, managed DNS provider without breaking those dependencies, you can define the DNS provider as a secondary DNS server. This keeps all existing processes in sync, and if the in-house DNS servers fail or respond slowly, the high-performance managed DNS server responds instead.
- Avoid single points of failure—high traffic sites and mission-critical web applications cannot tolerate outages. Even if using a managed DNS provider, administrators might prefer to use two providers, to avoid any single point of failure. A simple way to do so is to configure one provider as primary DNS server and the other as secondary. This way, all management and creation of DNS records is done with one provider, and in case of failure or slow response, the secondary takes over.
- Set up redundant DNS with one managed service—NS1’s intelligent managed DNS can set up a dedicated DNS deployment for your organization, which runs on a separate network and servers from its regular managed DNS service. This gives you redundancy between two separate DNS servers, but can work with only one provider. The dedicated deployment is not shared with any other organizations, so it isn’t exposed to attacks targeting other customers on the NS1 DNS service.
To learn more about how you can leverage primary and secondary DNS to power state-of-the-art, high performance and highly available DNS deployments, see NS1’s Secondary DNS solution.