What is secondary DNS?

Find out how a secondary DNS server works, how it differs from a primary DNS server and why a good secondary DNS service is so important for your business.

Every Internet user and organisation with an online presence is dependent on the Domain Name System (DNS). The DNS is used by every Internet application to transform human-readable names (such as www.netnod.se) into the numeric string (known as the IP address) for that domain. While the DNS should largely be transparent to users, organisations with an online presence need to ensure their DNS setup is robust.

All domains need a primary DNS server which holds the resource records for that domain and can answer DNS queries for it. But to ensure faster load times, better load balancing and redundancy in case of outage or attack, many domains also use secondary DNS.

How does secondary DNS work?

Secondary DNS servers contain copies of the relevant information held in the primary DNS server. This data is regularly copied across from the primary to the secondary DNS servers through what are called zone transfers. This means there are more DNS servers able to handle user queries for your domain. If the primary DNS server is unavailable (or far from the user), a secondary DNS server can answer the query instead.

With the correct secondary DNS setup, you can guarantee 100% uptime for your online presence. Whatever happens with the primary DNS service, your secondary DNS will ensure user queries for your domain are answered. 

Moreover, in addition to providing this essential redundancy, a secondary DNS service with a global footprint will make sure that users are always directed to the closest available server so that their queries are answered as fast as possible.
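The copying described above is driven by the zone's SOA record: a secondary periodically asks the primary for its SOA serial, pulls a fresh copy (a zone transfer) when the serial has moved forward, and keeps serving its existing copy while the primary is unreachable, but only until the SOA expire time has passed. The following is an added example written for this page, not Netnod code; it simulates that maintenance loop with constructed zone data, hostnames, addresses and timers, and includes the RFC 1982 serial comparison that a real secondary uses.

```python
"""Simulation of the SOA-driven loop a secondary DNS server runs
(refresh/retry/expire timers, NOTIFY, RFC 1982 serial arithmetic).
Added example for this page; zone name, addresses and timers are constructed."""
import copy
from dataclasses import dataclass, field
from typing import Optional

SERIAL_MOD = 2 ** 32


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial arithmetic: True if candidate is 'ahead' of current in
    32-bit modular terms, so a wrap from 4294967295 to 0 still counts as newer."""
    if candidate == current:
        return False
    return (candidate - current) % SERIAL_MOD < 2 ** 31


@dataclass
class Zone:
    """A minimal zone: SOA timing fields plus a name -> address table."""
    serial: int
    refresh: int   # seconds between SOA checks while the primary answers
    retry: int     # seconds between attempts while the primary does not
    expire: int    # seconds without contact after which the copy is discarded
    records: dict = field(default_factory=dict)


@dataclass
class Primary:
    """Stand-in for the primary: holds the master copy and may be 'down'."""
    zone: Zone
    reachable: bool = True

    def soa_serial(self) -> Optional[int]:
        return self.zone.serial if self.reachable else None

    def axfr(self) -> Optional[Zone]:
        # A zone transfer hands the secondary its own copy of the data.
        return copy.deepcopy(self.zone) if self.reachable else None


@dataclass
class Secondary:
    """A secondary that keeps its copy current via SOA polling and NOTIFY."""
    primary: Primary
    zone: Optional[Zone] = None
    last_contact: float = 0.0   # time of last successful SOA check or transfer
    next_check: float = 0.0     # when the next SOA check is due
    log: list = field(default_factory=list)

    def notify(self, now: float) -> None:
        """DNS NOTIFY from the primary: check right away instead of waiting."""
        self.next_check = now

    def tick(self, now: float) -> None:
        """Advance the clock; poll the primary if a check is due."""
        if now < self.next_check:
            return
        serial = self.primary.soa_serial()
        if serial is None:
            # Primary unreachable: keep serving the old copy, try again after RETRY.
            self.log.append((now, "primary unreachable, will retry"))
            self.next_check = now + (self.zone.retry if self.zone else 60)
            return
        if self.zone is None or serial_is_newer(serial, self.zone.serial):
            self.zone = self.primary.axfr()
            self.log.append((now, f"zone transfer, serial {serial}"))
        else:
            self.log.append((now, f"serial {serial} unchanged"))
        self.last_contact = now
        self.next_check = now + self.zone.refresh

    def answer(self, name: str, now: float) -> Optional[str]:
        """Answer from the local copy; None once the copy has expired."""
        if self.zone is None or now - self.last_contact > self.zone.expire:
            return None
        return self.zone.records.get(name)


def run_scenario() -> dict:
    """Walk one secondary through an update, a NOTIFY and a primary outage."""
    primary = Primary(Zone(serial=2024010101, refresh=3600, retry=600, expire=86400,
                           records={"www.example.net.": "192.0.2.10"}))
    sec = Secondary(primary)
    out = {}
    sec.tick(0)                                   # initial zone transfer
    out["t0"] = sec.answer("www.example.net.", 0)
    # Operator changes the record on the primary and bumps the serial.
    primary.zone.records["www.example.net."] = "192.0.2.11"
    primary.zone.serial = 2024010102
    sec.tick(1800)                                # refresh not due yet
    out["t1800_stale"] = sec.answer("www.example.net.", 1800)
    sec.tick(3600)                                # refresh due: change picked up
    out["t3600"] = sec.answer("www.example.net.", 3600)
    # Next change announced with NOTIFY: no need to wait for the refresh timer.
    primary.zone.records["www.example.net."] = "192.0.2.12"
    primary.zone.serial = 2024010103
    sec.notify(4000)
    sec.tick(4000)
    out["t4000_notify"] = sec.answer("www.example.net.", 4000)
    # Primary goes down; the secondary keeps serving until EXPIRE elapses.
    primary.reachable = False
    sec.tick(7600)                                # refresh due at 4000 + 3600
    out["next_retry"] = sec.next_check            # 7600 + retry
    out["t8000_outage"] = sec.answer("www.example.net.", 8000)
    out["t95000_expired"] = sec.answer("www.example.net.", 95000)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Two points the walk-through makes visible: without NOTIFY a change waits up to one refresh interval before secondaries see it, and the redundancy a secondary provides during a primary outage lasts only for the SOA expire period, after which the secondary stops answering for the zone. Both timers are therefore worth checking when a secondary service is set up.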

What is the difference between primary and secondary DNS servers?

Primary DNS servers contain all the authoritative data for a specific domain. This includes the domain’s IP addresses (IPv4 and IPv6) and the other resource records for that domain (for example: who the administrator is, where the mail server is, and how long the records should be cached). The domain owner, or whoever runs the primary DNS service for the domain holder, is responsible for keeping the data in the primary DNS servers up to date.

The secondary DNS servers contain copies of the relevant information held in the primary DNS server. This data is regularly copied across from the primary to the secondary DNS servers in a process known as a zone transfer. Secondary DNS servers are read-only: changes are made on the primary and propagate to the secondaries.

Both primary and secondary DNS servers can answer user queries for your domain.

What are the benefits of using a secondary DNS service?

The key benefits of using a secondary DNS service are that you can ensure redundancy, reliability and a faster end-user experience. 

If you only use a primary DNS service, you are exposed to a lot of risk. You might suffer an outage or a DDoS attack. If that happens, your online presence will not be available until the problem is fixed or the attack is over. That means downtime for websites, apps, online services, mail servers – anything that relies on a DNS query being completed. So it makes good business sense to ensure you have redundancy by having a secondary DNS service.

In addition, a secondary DNS service from a well-established provider will give you a much better global footprint so that user requests from all over the world will be answered using the closest available server. This means that on a day-to-day basis, you will see faster load times, better load balancing and an overall improvement in end-user experience.  

When you have a good secondary DNS service, you won’t notice any extra admin on your side. All the relevant data held in your primary DNS server is seamlessly copied across to all secondary servers. This process (known as zone transfers) happens automatically. You get essential redundancy and an improved user experience with no extra work needed from you. 

Who uses secondary DNS?

For many years, it has been common practice for top-level domains (TLDs) to use secondary DNS. These include country-code TLDs (such as .se for Sweden) and generic TLDs (such as .com). As the TLDs are an essential part of the DNS, they have to ensure DNS queries can always be answered, and answered fast. If a TLD were to suffer an outage or an attack on its primary DNS service, it would knock millions of domains offline until the problem was resolved.

More and more enterprises today use secondary DNS in order to ensure a robust, reliable and global web presence. 

Secondary DNS and DNS security

The DNS protocol has been around since the 1980s and wasn’t designed to protect users and companies against the range of security threats we see today. One of the most significant of these threats is a Distributed Denial of Service (DDoS) attack. These come in a variety of forms but, generally, involve flooding a targeted server with bad traffic to bring it down. Once the server is down, all the legitimate traffic with valid DNS queries can no longer get through. This means that any domain relying on that server is effectively knocked off the Internet for the duration of that attack. 

The single best thing you can do to protect your web presence against a DDoS attack is to have a secondary DNS service from a provider running a DNS anycast network. Anycast is a network addressing technique that lets servers around the world share the same IP address, so each query is routed to the nearest participating server and attack traffic is spread across many locations rather than hitting one. When used for DNS, anycast gives your customers a quicker, more reliable experience and makes your web services more resilient, secure and easier to manage. When you use an anycast network with a global footprint, your services are more immediately available to users all over the world.

More recommendations on DNS security, including how to protect yourself from DNS hijacking and how to protect against man-in-the-middle (MITM) attacks, can be found in our DNS best practice guide.

Netnod’s secondary DNS service

Netnod’s secondary DNS service uses one of the largest and most advanced DNS anycast networks in the world and is easy to integrate into your DNS infrastructure. The service is designed to complement your existing setup and provides the most effective way to ensure world-class DNS service to your users and customers.

The benefits include:

  • Guaranteed 100% uptime across one of the most robust and advanced anycast networks in the world (80+ locations around the world and growing)
  • 24/7 support
  • Intelligent connections that optimise routing, reduce latency and improve end-user experience
  • Industry-leading security and resilience against DDoS attack
  • The latest security and standards compliance, together with expertise in fulfilling DNS requirements
  • DNS statistics according to ICANN regulations
  • Web portal and API making deployment and monitoring quick and simple