Secondary DNS: Zone Redundancy and High Availability

Secondary DNS servers provide redundancy and geographic distribution for your DNS zones.

Secondary DNS servers (also called slave servers) maintain copies of your DNS zones synchronized from the primary (master) server. This redundancy is fundamental to DNS reliability: if your primary nameserver becomes unavailable, secondaries continue serving your domain without interruption.

Beyond simple redundancy, secondary DNS enables geographic distribution (servers closer to users), DDoS resilience (attack one provider, others survive), and load distribution (queries spread across multiple nameservers). Many organizations use multiple DNS providers as secondaries for ultimate resilience.

Zone transfers (AXFR for full, IXFR for incremental) keep secondaries synchronized with the primary. Understanding these protocols, their security implications, and monitoring requirements is essential for robust DNS infrastructure.

How Secondary DNS Works

Understanding the primary-secondary relationship:

  • Primary (Master): The authoritative source of zone data. All changes are made here. The primary notifies secondaries when the zone changes and allows them to pull the zone data.
  • Secondary (Slave): Read-only copies of the zone. Secondaries request transfers from primary and serve the same authoritative data.
  • AXFR (Full transfer): Transfers the entire zone from primary to secondary. Used for initial sync and when incremental transfer fails.
  • IXFR (Incremental transfer): Transfers only the changes since the last sync. More efficient, but requires the primary to keep a journal of changes.

Why Secondary DNS Matters

Secondary DNS is critical for reliability:

  • High availability: If primary fails, secondaries continue serving. No single point of failure in your DNS infrastructure.
  • DDoS resilience: Using multiple DNS providers as secondaries means an attack on one provider doesn't take down your domain entirely.
  • Geographic performance: Place secondaries in different regions. Users query the nearest nameserver for lower latency.
  • Query load distribution: DNS queries naturally distribute across all authoritative nameservers. More secondaries = better load distribution.

Configure Secondary DNS

Setting up secondary DNS servers:

  1. Allow zone transfers on primary: Configure your primary to allow AXFR/IXFR only from your secondaries' IPs. Never allow transfers from any IP; that hands your entire zone to anyone who asks for it.
  2. Configure secondary server: Set up the secondary to slave the zone from your primary's IP address. Initial AXFR will pull the full zone.
  3. Add NS records: Add NS records for secondary nameservers in your zone file. Update registrar with all nameserver addresses.
  4. Enable NOTIFY: Configure primary to send NOTIFY messages when zone changes. Secondaries immediately request transfer instead of waiting for refresh.

Secondary DNS Configuration Examples

BIND and zone transfer commands:

# Primary (BIND named.conf) - Allow transfers to secondaries and notify them of changes
zone "example.com" {
    type master;                   # newer BIND also accepts "type primary"
    file "/var/named/example.com.zone";
    allow-transfer { 198.51.100.10; 198.51.100.20; };
    also-notify { 198.51.100.10; 198.51.100.20; };
};

# Secondary (BIND named.conf) - Slave from primary
zone "example.com" {
    type slave;                    # newer BIND also accepts "type secondary"
    file "/var/named/slave/example.com.zone";
    masters { 203.0.113.53; };     # newer BIND also accepts "primaries"
};

# Zone file NS records (on primary)
example.com.    IN NS   ns1.example.com.
example.com.    IN NS   ns2.example.com.
example.com.    IN NS   ns3.example.com.
ns1.example.com. IN A   203.0.113.53    ; Primary
ns2.example.com. IN A   198.51.100.10   ; Secondary 1
ns3.example.com. IN A   198.51.100.20   ; Secondary 2

# Test zone transfer manually (should succeed only from an allowed secondary address)
$ dig AXFR example.com @ns1.example.com

# Check SOA serial across all nameservers (field 3 of "+short SOA" output is the serial)
$ for ns in ns1 ns2 ns3; do
    echo -n "$ns: "
    dig +short SOA example.com @$ns.example.com | awk '{print $3}'
  done

# TSIG key for secure transfers (generate with tsig-keygen; older BIND releases used
# dnssec-keygen). The same key statement goes into named.conf on primary and secondary.
key "transfer-key" {
    algorithm hmac-sha256;
    secret "base64-encoded-secret==";
};

# Primary: require the key in the zone's allow-transfer (can be combined with the IP list)
allow-transfer { key transfer-key; };

# Secondary: sign every request sent to the primary with the key
server 203.0.113.53 { keys { transfer-key; }; };

Secure zone transfers with TSIG (Transaction Signature) to prevent unauthorized servers from obtaining your zone data. Always restrict allow-transfer to known secondary IPs.
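To make concrete what TSIG actually protects, here is an added Python example (not code from the page or from MoniTao) that builds an unsigned AXFR request, signs it with HMAC-SHA256 the way RFC 8945 specifies, and verifies it the way a primary would: a wrong key, a question altered in transit or a timestamp outside the fudge window is rejected. The key name, secret and timestamps are constructed placeholders, and the verifier assumes a request that carries only a question section and uses no name compression, which is all an AXFR query contains.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo values (not from the page): the key name is a placeholder and
# the secret is a throwaway; real secrets come from tsig-keygen on the primary.
KEY_NAME = "transfer-key."
ALGORITHM = "hmac-sha256."
SECRET = base64.b64decode("c2VjcmV0LXRzaWcta2V5LWZvci1kZW1vLW9ubHk=")
TYPE_AXFR, TYPE_TSIG, CLASS_IN, CLASS_ANY = 252, 250, 1, 255


def encode_name(name):
    """Uncompressed wire-format name, lower-cased as RFC 8945 requires in the digest."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Read an uncompressed wire name at off; return (dotted name, next offset)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_axfr_query(zone, msg_id):
    """Unsigned AXFR request: 12-byte header with QDCOUNT=1, then one question."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def tsig_variables(time_signed, fudge, error=0, other=b""):
    """The RFC 8945 'TSIG variables' appended to the message before hashing."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)   # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message, secret, time_signed=None, fudge=300):
    """Append a TSIG RR to an unsigned request and increment ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, message + tsig_variables(time_signed, fudge), hashlib.sha256).digest()
    orig_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(ALGORITHM) + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", orig_id, 0, 0))
    rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def verify(signed, secret, now=None):
    """Check the TSIG on a request that carries only a question section. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", signed[4:12])
    if ancount or nscount or arcount != 1:
        return False, "unsupported layout"
    off = 12
    for _ in range(qdcount):                      # step over the question(s)
        _, off = decode_name(signed, off)
        off += 4
    body_end = off                                # the TSIG RR starts here
    key_name, off = decode_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    alg, off = decode_name(signed, off + 10)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[off:off + 10])
    time_signed = (hi << 32) | lo
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or key_name != KEY_NAME or alg != ALGORITHM:
        return False, "BADKEY"
    # Rebuild exactly what the signer hashed: original ID, ARCOUNT without the TSIG RR.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", arcount - 1) + signed[12:body_end]
    expected = hmac.new(secret, unsigned + tsig_variables(time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "ok"


if __name__ == "__main__":
    query = build_axfr_query("example.com.", 0x1234)
    signed = sign(query, SECRET, time_signed=1700000000)
    print(verify(signed, SECRET, now=1700000100))                  # (True, 'ok')
    print(verify(signed, b"wrong-secret", now=1700000100))         # (False, 'BADSIG')
    print(verify(signed.replace(b"\x07example", b"\x07exampl3"), SECRET, now=1700000100))  # (False, 'BADSIG')
    print(verify(signed, SECRET, now=1700009999))                  # (False, 'BADTIME')
```

The two things worth noticing: the MAC covers the whole request plus the key name, algorithm and timestamp, so neither the zone name nor the message ID can be changed without the check failing, and the fudge window (300 seconds by default in BIND) is why TSIG depends on reasonably synchronized clocks between primary and secondary.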

Secondary DNS Best Practices

Build robust secondary DNS infrastructure:

  • Multiple providers: Use secondaries at different DNS providers (Route53, Cloudflare, NS1). Provider-level outages won't affect your domain.
  • Secure transfers: Use TSIG authentication for zone transfers. Restrict allow-transfer to known IPs. Prevent zone data leakage.
  • Monitor sync status: Check SOA serials match across all nameservers. Mismatched serials indicate transfer failures needing investigation.
  • Test failover regularly: Periodically disable primary and verify secondaries continue serving. Don't wait for a real outage to discover problems.
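The serial check described under "Monitor sync status", worked through as an added Python example (not MoniTao's code and not part of the original page). It assumes you have already collected the output of "dig +short SOA example.com @<ns>" for each nameserver into a dict; the sample answers below are constructed, with one secondary a serial behind and one returning nothing. It goes a step beyond the shell loop above by comparing serials with RFC 1982 arithmetic, so a serial that wraps past 2^32 - 1 is still classified correctly.

```python
import re

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31

# Constructed sample data (not real query results): what `dig +short SOA example.com @<ns>`
# would print for each server in the NS set. ns3 is one serial behind and ns4 returned nothing.
SAMPLE_SOA_ANSWERS = {
    "ns1.example.com": "ns1.example.com. hostmaster.example.com. 2024061503 3600 900 1209600 300",
    "ns2.example.com": "ns1.example.com. hostmaster.example.com. 2024061503 3600 900 1209600 300",
    "ns3.example.com": "ns1.example.com. hostmaster.example.com. 2024061501 3600 900 1209600 300",
    "ns4.example.com": "",
}


def parse_soa(short_output):
    """Parse one `dig +short SOA` line: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM.
    Returns None when there is no usable answer (timeout, SERVFAIL, empty output)."""
    fields = short_output.split()
    if len(fields) != 7 or not all(re.fullmatch(r"\d+", f) for f in fields[2:]):
        return None
    serial, refresh, retry, expire, minimum = (int(f) for f in fields[2:])
    return {"mname": fields[0], "rname": fields[1], "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}


def serial_gt(a, b):
    """RFC 1982 serial-number comparison: is a 'later' than b modulo 2^32?
    Plain integer comparison breaks once a serial wraps past 2^32 - 1."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def check_zone(answers, primary):
    """Classify every nameserver against the primary's serial.
    Statuses: in-sync, behind (transfer pending or failing), ahead (serial changed
    somewhere other than the primary) and no-answer (server down or transfer never worked)."""
    ref = parse_soa(answers.get(primary, ""))
    if ref is None:
        raise ValueError(f"no SOA answer from primary {primary}; cannot compare")
    report = {}
    for ns, text in answers.items():
        soa = parse_soa(text)
        if soa is None:
            report[ns] = "no-answer"
        elif soa["serial"] == ref["serial"]:
            report[ns] = "in-sync"
        elif serial_gt(ref["serial"], soa["serial"]):
            report[ns] = "behind"
        else:
            report[ns] = "ahead"
    return report


def out_of_sync(report):
    """Servers that need attention, sorted so alert text is stable between runs."""
    return sorted(ns for ns, status in report.items() if status != "in-sync")


if __name__ == "__main__":
    primary_soa = parse_soa(SAMPLE_SOA_ANSWERS["ns1.example.com"])
    report = check_zone(SAMPLE_SOA_ANSWERS, primary="ns1.example.com")
    for ns, status in report.items():
        print(f"{ns}: {status}")
    # Without NOTIFY a lagging secondary should catch up within REFRESH seconds;
    # one still behind after REFRESH + RETRY has most likely failed its transfer.
    print(f"alert if still behind after {primary_soa['refresh'] + primary_soa['retry']}s:",
          out_of_sync(report))
```

A secondary reported as "ahead" deserves the same attention as one that is "behind": it means the zone was changed somewhere other than the primary, or that the primary itself was rolled back to an older copy, and the next transfer will silently replace whatever that secondary is serving.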

Secondary DNS Checklist

  • Primary allows transfers only to known secondary IPs
  • TSIG authentication configured for zone transfers
  • Secondaries successfully performing initial AXFR
  • NS records include all authoritative nameservers
  • Registrar configured with all nameserver addresses
  • SOA serial monitoring across all nameservers

FAQ - Secondary DNS

How many secondaries should I have?

Minimum two nameservers required (RFC 1034). For critical domains, 3-5 across multiple providers and regions is recommended.

Can I edit zone data on a secondary?

No, secondaries are read-only. All changes must be made on the primary. Secondaries overwrite local data on each transfer.

What if primary is down during zone update?

You can't update. Options: promote a secondary to primary, use hidden primary architecture, or use managed DNS with automatic failover.

What is hidden primary architecture?

The actual primary is internal and not listed in the NS records. All public nameservers are "secondaries" that sync from the hidden primary, so the server where zone edits are made is never exposed to public queries. Better security.

How fast do changes propagate to secondaries?

With NOTIFY enabled, nearly instant (seconds). Without NOTIFY, secondaries wait for SOA refresh interval (potentially hours).

Does MoniTao monitor secondary DNS?

Yes, MoniTao can monitor SOA serial consistency across all your nameservers and alert you if secondaries fall out of sync.

Build Resilient DNS Infrastructure

Secondary DNS is not optional for production domains. Without redundant nameservers, a single server failure takes your entire domain offline. The investment in secondary DNS pays for itself the first time your primary experiences issues.

Configure multiple secondaries across different providers and regions. Secure zone transfers with TSIG, monitor serial consistency with MoniTao, and test failover regularly. Robust DNS infrastructure is the foundation of reliable services.

Ready to Sleep Soundly?

Start free, no credit card required.