Internet Performance Delivered right to your inbox

(NOT JUST) Secondary DNS

Secondary DNS is a powerful mechanism to integrate systems and increase your redundancy. Unfortunately, there are some myths about how it works and what the benefits are, preventing some from taking advantage of the option. Today we will dive into the nuts and bolts of secondary DNS technology.

So, Why Use Secondary DNS?

Secondary, or “slave” DNS is a method of providing a DNS service or nameserver with a read-only version of the zonefile, which is updated from the primary “master” DNS provider. This is useful because you now only need to edit changes on the master and it will pass along the changes to the secondary provider(s). You now have answers on both networks for query resolution.

Multi Vendor, Not Just Primary/Secondary

Many users mistake the zonefile management function of secondary with how much traffic is assigned in delegation. Secondary is just the act of setting up a network to receive DNS changes from the master. Once you enter that nameserver into the delegation, recursives check the speed it takes to resolve a query to every nameserver and gains affinity for the fastest. This is what controls how much traffic each nameserver will get.

This has nothing to do with which nameserver might be primary or secondary, after all, the recursive has no way of knowing from the delegation. It’s even possible to have either a primary or secondary nameserver which isn’t in the delegation at all. These are called “hidden master” or “hidden secondary” and are great ways to achieve balance between on-premises and cloud environments.

Takeaway—don’t just think disaster recovery, think about the benefits of a multi-vendor approach to performance and reliability.

When to Use Secondary DNS

Multi Cloud Vendor Setup

trustnooneIf you rely on an internet presence, it makes a lot of sense to invest in your infrastructure to stay that way. The more you rely on it, the more you look to reduce the possible single points of failure. While Dyn is rock solid, eventually it may make sense to add another vendor into your delegation. Maybe you’re even looking at Dyn to be that secondary provider.

When that happens, you have to keep both versions of your zone identical such that a user hitting either provider (see Multi Vendor section above) receives the same answer. You could do it manually, but that’s a lot of effort. You could integrate the APIs to make changes, but that’s a lot of engineering. Secondary allows those zonefiles to stay in sync, while only managing on one provider. Score!

One small downside of doing this, is that most modern DNS companies can do cool tricks like monitoring and load balancing on the DNS layer. Because they are proprietary to the provider and not based purely in the DNS technology, these will not get transferred with the AXFR/IXFR. There are workarounds to this though, so chat with your Sales Engineer on what solution will work best with you.

For Those With Control Issues

incontrolThe other reason most folks go with secondary is that they wish to keep the control of the zone within their own on-premises network stack. Much like with the multi-cloud example, having a DNS machine as a primary is much easier to set up than to integrate with an API. As long as your primary is out of the delegation, you won’t have any concern of it being DDoSed and can take advantage of our cloud network while keeping your same in-house workflows.

Often, enterprise companies will be using an IP Address Management system (IPAM) to manage their infrastructure. The end result of this management is a DNS zonefile which by default is managed by the IPAM itself. While you could put this in delegation, you’d have to worry about DDoS and poor global performance. Alternatively, if you add a cloud provider as a secondary, you can use the IPAM for what it is good at, while taking advantage of a global DNS provider.

Time to Upgrade

Businesses are always looking to improve their reliability and performance. Whether you’re an in-house shop looking for an easy way to utilize the cloud, or a cloud adopter looking to diversify your vendors, Secondary DNS can be a great technology to help you get there.

Share Now

Matt Torrisi
Whois: Matt Torrisi

Matt Torrisi is a Senior Solutions Engineer at Oracle Dyn Global Business Unit, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.