A secondary domain name system (DNS) server functions as a backup for a primary DNS server. It automatically copies and maintains the DNS records held by the primary server. The secondary DNS also offers an operational backstop for a company website should the primary server exceed its capacity or otherwise lose functionality.
Quick query: Would you rather fly on an airplane that was equipped with one engine or two? Most passengers would probably instinctively pick the aircraft with multiple engines.
And that’s the point of having a secondary DNS. What might happen to an enterprise if a primary server becomes unavailable or otherwise compromised? Can that company (or any) afford to let business grind to a halt during that period of downtime? What negative message would that send to the users of the service? From an economic standpoint, losing the use of an organization’s primary server might prove as catastrophic as engine failure in aviation.
And that’s not even considering the other great advantage offered by adopting a secondary DNS: the way it supports load balancing for the primary DNS server.
Before proceeding further, we first need to answer a more basic question: What is a DNS? A domain name system acts as a translator between the numeric IP addresses that computers use and the more understandable domain names that people use.
Let’s say that you’re interested in a topic discussing a product offered by International Business Machines (IBM), but you’re not sure of its title. You type “IBM” into your web browser, and it gets you to the company’s main page. Because of the DNS, it’s not necessary for you to type in IBM’s full IP address. Based on the name you entered, the DNS works out where you want to go.
Sometimes a DNS is described as the internet’s “phonebook” because that is roughly the function it performs, although it might be better equated to an old-school telephone operator. In decades long past, the local phone operator served as a type of human DNS, taking your requested number and connecting you to the right exchange. The DNS now automates that entire translation process.
A domain name system depends on an established hierarchy that’s governed by root servers. Beneath them in the hierarchy are top-level domains (TLDs), such as those addresses ending with “.com” and “.org.” The rest of the hierarchy is made up of individual domain name servers.
A DNS is considered a distributed database, with each node representing a “name server,” the part of the system that provides the translations for a particular domain. Every domain in the system has one or more “authoritative name servers,” so called because they publish the information about that domain, including the primary name servers of any subordinate domains it contains.
A DNS operates simply:
Now, if there’s a problem with the primary DNS server, such as it becoming unavailable or overloaded, the secondary DNS server kicks into action, answering the needed queries and performing the necessary IP address translations. Because the secondary takes over immediately through this failover process, users can access the website without noticing any dip in functionality.
Similarly, a secondary DNS takes over the mail-related duties of the primary DNS server, including email routing and the handling of mail exchange (MX) records, so the ebb and flow of email traffic is not stopped. In this way the site suffers no downtime from outages, which is the measure of true resiliency: keeping things running despite adverse conditions.
Should the secondary DNS server be called into service, it relies on information fed to it by the primary DNS server through a process known as a zone transfer. The zone file copies shared with the secondary DNS server through a zone transfer are read-only and can’t be altered in any way.
Zone transfers depend heavily on application programming interfaces (APIs), which enable primary DNS servers to transfer DNS zone data automatically to secondary servers so that both hold the same information. APIs give the primary server a way to contact the secondary server, so the two stay in lockstep with identical DNS records and a record of completed zone transfers.
The zone-transfer process is predicated on the creation of name server (NS) records. NS records establish which servers are designated as authoritative for the domain, and therefore where queries for it are directed. Provided the secondary DNS server’s IP address is contained in the NS records, the website retains functionality even if its primary server is down for any reason.
Zone transfers are initiated by the issuance of a Start of Authority (SOA) record, which supplies secondary DNS servers with the data they need to synchronize zone data. The SOA record works as a type of version control: a change in its serial number triggers an update.
This is how new versions of the zone are registered. By keeping the secondary DNS service updated with new data whenever the SOA record changes, a domain can stay in operation should the primary server fail, so a downed server does not impact uptime.
Authoritative Zone Transfer (AXFR) is another protocol that lets DNS servers exchange zone files. AXFR synchronizes the data across all connected servers so that they all operate with the most current information available.
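The serial-number version control described above, as an added Python example (not IBM's code): a secondary compares the primary's SOA serial with its own using RFC 1982 wraparound arithmetic and applies the SOA refresh, retry and expire timers to decide what to do; the serial values and timers are constructed.

```python
"""Secondary refresh logic driven by the SOA record (added example).

A secondary compares the primary's SOA serial with its own using RFC 1982
wraparound arithmetic, then applies the SOA refresh/retry/expire timers to
decide whether to keep serving, poll again, or treat its copy as expired.
"""
from dataclasses import dataclass

HALF = 1 << 31  # half the 32-bit serial space


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than b under RFC 1982 serial arithmetic."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    if a == b:
        return False
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


@dataclass
class Soa:
    serial: int
    refresh: int  # seconds between polls of the primary after success
    retry: int    # seconds to wait before re-polling after a failure
    expire: int   # seconds after the last good refresh before the copy is stale


def needs_transfer(local: Soa, primary_serial: int) -> bool:
    """A zone transfer is warranted only when the primary's serial is newer.
    A serial that was accidentally lowered looks older, so the secondary
    keeps serving its outdated copy: a classic synchronization failure."""
    return serial_gt(primary_serial, local.serial)


def secondary_state(local: Soa, since_good: int, since_attempt: int, failed: bool) -> str:
    """Decide the secondary's action from seconds since its last good refresh/attempt."""
    if since_good >= local.expire:
        return "expired"  # must stop answering authoritatively for the zone
    wait = local.retry if failed else local.refresh
    return "poll" if since_attempt >= wait else "serve"


if __name__ == "__main__":
    # Constructed values: a date-style serial and typical timers.
    local = Soa(serial=2024010101, refresh=7200, retry=900, expire=1209600)
    print(needs_transfer(local, 2024010102))  # True: primary has a newer version
    print(needs_transfer(local, 2024010100))  # False: a lowered serial is ignored
    print(serial_gt(0, 0xFFFFFFFF))           # True: wraparound handled
    print(secondary_state(local, 1300000, 800, True))  # expired
```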
The use of secondary DNS servers offers numerous advantages, including the following.
The primary benefit of implementing a secondary DNS server involves the same type of rationale that prompts us to buy insurance policies and lay in emergency supplies before hazardous weather strikes. By adding a secondary DNS server, we are acknowledging an unfortunate but unavoidable fact: Machines and systems sometimes fail.
A secondary DNS server addresses this fact by providing a stopgap that offers the needed redundancy when a primary DNS server fails for any reason. Having a backup in place gives organizations the peace of mind of knowing that the company’s DNS services will remain accessible to users.
Another useful benefit of a DNS system is load distribution. By supplying multiple IP addresses for a single domain name, a DNS server can spread its incoming traffic across different servers according to various algorithms.
For example, if the DNS server is configured with a round-robin algorithm, it cycles through its entire list of IP addresses and spreads the load evenly among multiple devices.
A DNS system can also be used to enhance overall security. By installing a firewall in that system, incoming traffic can either be allowed as is, filtered as needed, or disallowed entirely. Further, firewalls can be established that will only allow authorized DNS requests to reach secondary DNS servers.
Another way a DNS can support security efforts is through the development of a “hidden primary,” which is a primary DNS server that’s kept out of view from the public internet. Its IP address is not recorded among the resource records for that system. Secondary name servers handle query responses instead of the primary server. The idea is to keep the primary server better protected against cyberattacks by concealing its presence as much as possible.
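An added Python check (not IBM's or any vendor's code) for the two record-level conditions discussed above: the secondaries must appear in the NS records, and a hidden primary's host name and address must appear nowhere in the published zone. The zone text, host names and addresses are constructed.

```python
"""Hidden-primary hygiene check (added example, not IBM's or any vendor's code).
Confirms that every public secondary is in the NS set and that the hidden
primary's host name and address are published nowhere in the zone. Zone text
is a constructed, simplified BIND-style format: "owner TTL IN TYPE rdata".
"""
from typing import List, NamedTuple

class RR(NamedTuple):
    owner: str
    rtype: str
    rdata: str

def parse_zone(text: str) -> List[RR]:
    """Parse one record per line; ';' starts a comment. Names are lower-cased."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append(RR(owner.lower(), rtype.upper(), rdata.strip().lower()))
    return records

def audit_hidden_primary(records: List[RR], secondaries: List[str],
                         primary_host: str, primary_ip: str) -> List[str]:
    """Return findings; an empty list means the zone keeps the primary hidden."""
    findings = []
    ns_set = {r.rdata for r in records if r.rtype == "NS"}
    for sec in secondaries:
        if sec.lower() not in ns_set:
            findings.append(f"secondary {sec} is missing from the NS set")
    if primary_host.lower() in ns_set:
        findings.append(f"hidden primary {primary_host} is listed as an NS")
    for r in records:
        # The SOA MNAME field and any A/AAAA record can also give the primary away.
        if r.rtype == "SOA" and r.rdata.split()[0] == primary_host.lower():
            findings.append("SOA MNAME names the hidden primary")
        if r.rtype in ("A", "AAAA") and r.rdata == primary_ip.lower():
            findings.append(f"{r.owner} {r.rtype} exposes the primary address {primary_ip}")
    return findings

# Constructed zone: the operator left the hidden primary's A record in place.
ZONE = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 300
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.
ns1.example.test. 3600 IN A 192.0.2.10
ns2.example.test. 3600 IN A 192.0.2.20
hidden.example.test. 3600 IN A 192.0.2.1   ; should not be here
"""
SECONDARIES = ["ns1.example.test.", "ns2.example.test."]
```

Running `audit_hidden_primary(parse_zone(ZONE), SECONDARIES, "hidden.example.test.", "192.0.2.1")` reports the leaked A record; the same check against a real zone dump is a quick way to confirm a hidden primary is actually hidden.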
Security can be further strengthened by using Domain Name System Security Extensions (DNSSEC), which help screen and validate DNS requests. These extensions help confirm that domain-name lookups are genuine. They also help prevent cyberattacks such as DNS spoofing, in which a site is flooded with so many counterfeit DNS requests that the system becomes overwhelmed and nonfunctional.
A secondary DNS can even help with performance, because it can resolve domain-name queries faster, which translates to faster delivery of information. Implementing a secondary DNS can therefore reduce latency problems.
Although the benefits of using a secondary DNS far outweigh any of its disadvantages, there are a few minor problems that a secondary DNS can introduce.
Updates to the secondary server might be delayed slightly. Further, even though secondary servers are designed to begin operation when needed, there could be a slight hiccup in their performance as they start working.
Systems must be synchronized to help ensure optimal operation. The secondary server always requires the latest DNS records, and this can become problematic, depending on the frequency of changes.
Using a secondary DNS can add complexity and might require dedicated staff to manage the DNS servers. However, managing multiple DNS servers successfully is key to maintaining the overall health of the domain.
Although there are numerous providers of secondary DNS services, here are a few of the most pre-eminent: