Secondary DNS

The Domain Name System, known in short as DNS, is a globally distributed system for translating Internet domains into IP addresses. The DNS delivers an IP address corresponding to a domain name and therefore acts as a kind of “address book” for the Internet. Using this analogy, an IP address is equivalent to a postal address, and this is where “packages” of information are sent to. Here are a few examples of DNS queries:

Due to the central importance of the DNS, it makes sense to keep DNS information distributed redundantly across different systems. In this way, the information remains accessible even if individual components of the DNS fail. Furthermore, the geographical proximity of a server is crucial for the speed of the responses. In a redundant system, a distinction is made between one source and possibly several copies. In practice, this kind of setup requires a mechanism to adjust the redundant copies when the source changes.

A basic mechanism for distributing DNS information for a DNS zone to several servers originates from a specification published by the Internet Engineering Task Force (IETF) in 1996. This specifies how a primary DNS server – previously called a “master” – notifies a group of secondary DNS servers – previously called “slaves” – of a change to the DNS zone. The secondary DNS servers are told to make a request to the primary DNS server to obtain the changes.

There is only one primary DNS server for a DNS zone. This server holds the DNS source information for the zone and serves as the entry point for the zone administrator. If changes need to be made to a DNS zone, they are made on the primary DNS server. In contrast, several secondary DNS servers distributed around the world may be used to mirror the DNS information. A separate DNS provider is often used to host the secondary DNS.

Note that the terms “primary” and “secondary” are used twice in the context of DNS. You may be aware that you can specify the DNS server change in the system settings of your network connection. These are often also referred to as “primary” and “secondary”. However, this is an overlap of the term. In terms of a DNS zone, both servers you specify can be secondary DNS servers. Furthermore, you can configure more than two DNS servers at will.

First, both primary and secondary DNS servers are “authoritative name servers” for the respective zone. This means that the information stored for the DNS zone can be trusted entirely. Authoritative name servers are therefore different to caching name servers, which merely cache DNS information from DNS queries that have already been made.

The difference between primary and secondary DNS servers is mainly administrative. The primary DNS server contains the DNS information of a DNS zone in the zone file. Any changes to the zone file are made directly by the zone administrator. By contrast, the zone file of a secondary DNS server cannot be written directly. Instead, any changes to the zone file are obtained from the primary DNS.

When changes are made to the zone file, the secondary DNS servers will be informed of the change and query the changed data. The transfer of DNS information between DNS servers is known as zone transfer. In zone transfer, a secondary DNS server is the destination, while the primary DNS server acts as the source. Note that the same physical server can be the primary DNS server for one DNS zone and a secondary DNS server for another zone at the same time.

The key feature of secondary DNS is that the zone file is transferred to the servers from an external source. Various mechanisms are used for the zone transfer. Fundamentally regulating the zone transfer is the DNS entry called “Start of Authority”(SOA). This includes several fields:

• The “MNAME” field contains the IP address of the primary DNS server.
• Furthermore, the SOA record contains several fields that define the intervals at which secondary DNS servers automatically request changes from the primary.

We’ll now look at three commonly used DNS configurations below.

In a way, this is the “classic” configuration for distributing the DNS information of a zone to several authoritative DNS servers. A primary DNS server is used, which is specified in the MNAME field of the SOA record. The secondary DNS servers check at regular intervals whether a change has been made to the DNS information for their zone and initiate a transfer of the changed data if necessary. In addition, the primary server can notify the secondary DNS servers of changes via a notify statement (see above).

The approach known as “hidden primary” is an interesting variant of the classic primary/secondary configuration. However, here the primary server works secretly – as a hidden primary. The server specified in the MNAME field of the SOA record is not the actual primary server. Therefore, the secondary DNS servers cannot request changes to the DNS zone on their own but must be explicitly requested to do so by the hidden primary via a notify statement.

A popular approach is to configure a computer in the local network as a DNS server and use it as the hidden primary. This has two immediate advantages:

• Changes to the zone file can be made locally.
• All incoming DNS traffic is handled by the secondary DNS servers.

For this approach, it is suitable to encrypt the communication between the secondary DNS servers and the hidden primary with the encryption technology DNSSEC.

This configuration is a more recent development. Several DNS servers that are authoritative for a DNS zone are used, all of which contain the source data. There is no zone transfer between them, and therefore there is no secondary DNS in the true sense of the concept. Every change to the DNS zone requires a coordinated alignment of the primary DNS servers. Proprietary systems are used for this purpose. For example, imagine an external system with GUI and API that is used to change the DNS information and distribute the changes.

The benefits of using secondary DNS are many. To understand them better, let’s imagine that there was only one DNS server for a DNS zone. This configuration would have the following negative effects, among others:

• Users further away from the primary DNS server would experience a delay in responses compared to users closer by.
• Secondary DNS ensures performance when answering DNS queries.
• A failure of the primary DNS server would mean that the authoritative information for the DNS zone would suddenly no longer be available.
• Secondary DNS provides redundancy and high availability of the DNS information.
• An increase in the number of DNS queries received would overload the primary DNS server after a certain point.

In this case, the secondary DNS leads to the distribution of the load and to the high availability of the DNS information.

As you can tell, a configuration without secondary DNS would be highly vulnerable to technical errors and cyber-attacks.

The distinction between primary and secondary DNS is mainly administrative. An external observer cannot conclusively determine whether an authoritative DNS server is a primary or secondary server. Furthermore, the same server can be primary DNS for one zone and secondary DNS for another zone. Even the MNAME field of the SOA record does not help in determining this, because the actual primary DNS server can be operated as a hidden primary.