What is primary DNS?
Explore our DNS solutions Subscribe for AI updates
Photo of a server room

Published: 1 March 2024
Contributors: Chrystal R. China, Michael Goodwin

What is primary DNS?

A primary DNS server is the authoritative name server of a domain name system (DNS). It is the first point of contact in query resolution and serves as the definitive source for information about a domain, storing original copies of all the domain's DNS records.

If a primary DNS server is unavailable, the browser, application, or device that initiated the query contacts a secondary DNS server, which contains a copy of the same DNS records.

In a DNS infrastructure, domain names drive traffic to IP addresses that hold the correct resources to address user requests. When users enter a domain name, the primary DNS server is the first stop on the path to query resolution. However, human-friendly hostnames and computer-friendly IP addresses need an intermediary to communicate. That’s where primary DNS servers enter the process.

Primary servers translate domain names into corresponding IP addresses, which then send the queried information back to the user. As such, primary DNS serves a vital function in routing internet traffic.

Guide to AI and IT Automation

The Enterprise Guide to AI and IT Automation offers an in-depth look at AI-powered IT automation, including why and how to use it, the issues blocking your efforts and how to get started.

Related content

Subscribe to the IBM newsletter

The role of primary DNS

Broadly speaking, DNS is akin to a phonebook for the internet. It converts domain names (such as www.example.com) into IP addresses (such as that computers use to identify each other on the network. Without DNS, users would need to remember complex numerical IP addresses to access websites, which is impractical even before considering the volume of unique searches and data requests users make in a single day.

DNS frameworks have a tree-like structure with the root domain at the top, followed by top-level domains (TLDs), such as .com, .org, .net, .uk, and so on. Below the TLDs are second-level domains that typically comprise the recognizable part of a domain name (such as “ibm.com”) and any available secondary zones. Each TLD has its own set of name servers, but the primary name server comes into play at the second level.

When a domain is registered, its name server (NS) records are created and stored on a primary DNS server, typically provided by a hosting company or a DNS service provider. The primary DNS server holds various types of NS records, including A records, MX records and CNAME records (among other types), that route the appropriate data and information back to the user.

It's worth noting that server administrators can designate DNS servers as either primary or secondary. In fact, servers can have a primary designation in one zone and a secondary designation in another. However, each DNS zone can only have a single primary server. 

Domain modifications also occur in the primary DNS. When an administrator wants to adjust DNS records, they must do so within the primary DNS servers; the changes then propagate to down the hierarchy to the remaining servers.  

What is a secondary DNS?

DNS servers are categorized as “primary” and “secondary” based on their roles in the DNS hierarchy. Whereas the primary DNS server holds the original read/write version of the zone file, secondary DNS servers hold read-only replicas of the zone file for the purposes of load balancing and redundancy management.

Secondary DNS services are nonessential; DNS systems can function when only a primary server is available. But it is standard, and often required by domain registrars, to maintain at least one secondary server to facilitate round-robin DNS (which distributes traffic evenly across each server) and prevent denial-of-service.

Benefits of secondary DNS servers

The conventional primary/secondary DNS architecture is becoming obsolete among modern, managed DNS providers. Today, most providers offer name server IPs to use, and behind each of those IPs is a pool of DNS servers that route requests by using anycast (a one-to-many transport protocol). This approach tends to provide better redundancy and higher availability than the classic model.

However, even in advanced DNS deployments, secondary DNS can help businesses:

  • Migrate to a new DNS infrastructure, with dependencies on old DNS servers. Secondary DNS allows teams to access tools, code, and legacy systems that point to an old DNS server hosted in their organization. During architecture migration, secondary servers let administrators define the secondary DNS provider without breaking dependencies. This keeps all existing processes in sync but enables the new DNS server to respond if in-house servers slow down or fail.
  • Avoid single points of failure. High-traffic sites and mission-critical web apps can’t tolerate outages. Using secondary name servers helps administrators avoid any single point of failure if primary DNS servers encounter latency issues.
  • Set up redundant DNS with one managed service. An intelligent managed DNS can enable a dedicated DNS deployment, which runs on a separate network and servers from its regular managed DNS service. This helps facilitate redundancy between two separate DNS servers while allowing organizations to work with just one provider. Furthermore, the dedicated deployment isn’t shared with other organizations, so it’s insulated from attacks targeting other customers on the service.
Primary DNS servers vs. secondary DNS servers

Both primary and secondary servers maintain the efficiency and functionality of DNS systems, but there are key differences that dictate how they behave and interact in the computing environment.


In addition to storing the primary zone file, the primary DNS server responds to update requests from the domain administrator and processes dynamic updates. Secondary zone servers are backup servers that handle requests during primary server downtime or when the primary server is overloaded.

Zone file management and synchronization

The primary zone file in the primary DNS contains all the A records (address records for IPv4); AAAA records (address records for IPv6); MX records (which direct to mail servers); CNAME records (which map aliases to their true, or “canonical,” domain names); SOA records (which contain all the administrative information for a domain); and TXT records (which indicate the sender policy framework record for email authentication) for a given domain. The administrator directly manages this file, and any updates or changes to DNS records are made here first.

Secondary DNS servers are exact copies of the zone file, transferred from the primary server. They cannot accommodate direct revision or edits to the zone file. Instead, they periodically check with the primary server for updates in a process called zone transfer.


Configuring a primary DNS involves setting up the zone file, resource records and access controls, and might include arranging authoritative (AXFR) and incremental (IXFR) zone transfers to designated secondary servers. Secondary DNS configurations, however, require administrators to set up communication protocols between the primary and secondary servers for zone data transfers, and to specify the frequency of check-ins with the primary server for updates.

Redundancy and failover

Though the primary DNS server is essential, it also represents a single point of failure. If it crashes, and administrators have not designated secondary servers to take over the workload, the entire DNS resolution process suffers. Secondary servers cannot exist without a primary DNS server, but if there is a server outage, they can keep the DNS operational until the primary server is restored.

How does primary DNS work?

To better understand primary DNS, it’s important to understand how user queries flow through a system to resolution.

Query initiation

A user enters a domain name into a browser or app and the request is sent to a recursive DNS resolver. Typically, the user's device has predefined DNS settings, provided by the internet service provider (ISP), that determine which recursive resolver is deployed.

Recursive resolver

The recursive resolver checks its cache (that is, the temporary storage within a web browser or operating system) for the domain's corresponding IP address. If the DNS lookup data is not cached, the resolver initiates the process of retrieving it from the authoritative DNS servers, starting at the root server. The recursive resolver queries different DNS servers until it finds the final IP address.

Root name server

The recursive resolver queries a root name server, which responds with a referral to the appropriate TLD server for the domain in question (the server responsible for all ".com" domains, for instance).

TLD name server

The resolver queries the TLD name server, which responds with the address of the domain's primary DNS server.

Primary DNS server

The resolver queries the primary server, which looks up the DNS zone file and responds with the correct record for the provided URL.

Query resolution

The recursive resolver caches the DNS record—for a time that is specified by the record's time-to-live (TTL)—and returns the IP address to the user's device. The browser or app can then initiate a connection to the host server at that IP address to access the requested website or service.

Primary DNS best practices

Primary DNS is central to query routing, so maintaining and optimizing primary DNS servers can accelerate the entire DNS system. Businesses can get the most out of their DNS by incorporating the following best practices.

Choose a reputable primary provider

Select a DNS provider with high uptime, comprehensive redundancy protocols and accessible customer support. IBM NS1, for instance, can help ensure that DNS queries are answered quickly and reliably.

Consider both free and premium DNS

Primary DNS providers range in their offerings, from public DNS services to premium, managed DNS servers. Determining the best DNS server for your business depends on organizational needs1, budgets, and complexity. While, for instance, using public DNS provides clients open, free DNS access, a migration to premium DNS can offer more fine-grained control.

Stay informed about DNS threats

Make sure that teams are informed about the latest DNS vulnerabilities and threats (such as malware, distributed DDoS attacks and cache spoofing), and use firewalls, domain name system security extensions (DNSSEC) and other security measures to secure DNS servers2 and mitigate risk.

Keep DNS records up to date

Update DNS records to reflect changes to IP addresses, infrastructure, and services as quickly and as often as possible. Doing so enables consistent, accurate domain resolution. 

Related solutions
IBM NS1 Connect Managed DNS

IBM® NS1 Connect Managed DNS service delivers resilient, fast, authoritative DNS connections to prevent network outages and keep your business online, all the time.

Explore IBM NS1 Connect Managed DNS

IBM DNS network resilience and uptime

Improve application resilience and uptime with a global network and advanced DNS traffic steering capabilities.

Explore IBM DNS network resilience and uptime

IBM Cloud DNS services

IBM Cloud® DNS services offer public and private authoritative DNS services with fast response time, unparalleled redundancy and advanced security—managed through the IBM Cloud web interface or by API.

Explore IBM Cloud DNS services
Resources What is the Domain Name System (DNS)?

The DNS makes it possible for users to connect to websites using URLs rather than numerical Internet protocol addresses.

What is a DNS server?

DNS servers translate the website domain names users search in web browsers into corresponding numerical IP addresses. This process is known as DNS resolution.

What are DNS records?

A Domain Name System (DNS) record is a set of instructions used to connect domain names with internet protocol (IP) addresses within DNS servers.

What is DNS propagation?

DNS propagation refers to the amount of time that it takes for DNS servers to propagate changes to a DNS record across the internet.

What is a CNAME record?

A CNAME record, or canonical name record, serves as an alias within the Domain Name System (DNS), redirecting one domain name to another.

What is networking?

Learn about how computer networks operate, the architecture used to design networks, and how to keep networks secure.

Take the next step

IBM NS1 Connect provides fast, secure connections to users anywhere in the world with premium DNS and advanced, customizable traffic steering. NS1 Connect’s always-on, API-first architecture enables your IT teams to more efficiently monitor networks, deploy changes and conduct routine maintenance.

Explore NS1 Connect Book a live demo

1 "Should large enterprises self-host their authoritative DNS?," IBM.com, 1 February 2024

2 "Why DNS protection should be the first step in hybrid cloud security," (link resides outside ibm.com) TechRadar, 1 February 2024