The Domain Name System, known in short as DNS, is a globally distributed system for translating Internet domains into IP addresses. The DNS delivers an IP address corresponding to a domain name and therefore acts as a kind of ‘address book’ for the Internet. Using this analogy, an IP address is equivalent to a postal address, and this is where ‘packages’ of information are sent to. Here are a few examples of DNS queries:

Requested domain    Delivered IP address
example.com         93.184.216.34
ionos.co.uk         217.160.86.9

Due to the central importance of the DNS, it makes sense to keep DNS information distributed redundantly across different systems. In this way, the information remains accessible even if individual components of the DNS fail. Furthermore, the geographical proximity of a server is crucial for the speed of the responses. In a redundant system, a distinction is made between one source and possibly several copies. In practice, this kind of setup requires a mechanism to adjust the redundant copies when the source changes.


What is secondary DNS?

A basic mechanism for distributing DNS information for a DNS zone to several servers originates from a specification published by the Internet Engineering Task Force (IETF) in 1996. This specifies how a primary DNS server – previously called a ‘master’ – notifies a group of secondary DNS servers – previously called ‘slaves’ – of a change to the DNS zone. The secondary DNS servers are told to make a request to the primary DNS server to obtain the changes.

Quote

‘This memo describes the NOTIFY opcode for DNS, by which a master server advises a set of slave servers that the master’s data has been changed and that a query should be initiated to discover the new data.’ – Internet Engineering Task Force (IETF). Source: https://www.ietf.org/rfc/rfc1996.txt

Note

The use of the terms ‘master’ and ‘slave’ in IT is controversial due to events in history, and they are therefore gradually being replaced by equivalent terms.

There is only one primary DNS server for a DNS zone. This server holds the DNS source information for the zone and serves as the entry point for the zone administrator. If changes need to be made to a DNS zone, they are made on the primary DNS server. In contrast, several secondary DNS servers distributed around the world may be used to mirror the DNS information. A separate DNS provider is often used to host the secondary DNS.

Note that the terms ‘primary’ and ‘secondary’ are used in two different senses in the context of DNS. You may know that you can specify DNS servers in the system settings of your network connection. These are often also referred to as ‘primary’ and ‘secondary’. However, this is an overlap in terminology. In terms of a DNS zone, both servers you specify there can be secondary DNS servers. Furthermore, you can configure more than two DNS servers if you wish.

What is the difference between primary and secondary DNS?

First, both primary and secondary DNS servers are ‘authoritative name servers’ for the respective zone. This means that the information they hold for the DNS zone can be trusted entirely. Authoritative name servers are therefore different from caching name servers, which merely cache DNS information from DNS queries that have already been made.

The difference between primary and secondary DNS servers is mainly administrative. The primary DNS server contains the DNS information of a DNS zone in the zone file. Any changes to the zone file are made directly by the zone administrator. By contrast, the zone file of a secondary DNS server cannot be written directly. Instead, any changes to the zone file are obtained from the primary DNS.

When changes are made to the zone file, the secondary DNS servers are informed of the change and query the changed data. The transfer of DNS information between DNS servers is known as zone transfer. In zone transfer, a secondary DNS server is the destination, while the primary DNS server acts as the source. Note that the same physical server can be the primary DNS server for one DNS zone and a secondary DNS server for another zone at the same time.

How does secondary DNS work?

The key feature of secondary DNS is that the zone file is transferred to the servers from an external source. Various mechanisms are used for the zone transfer. The zone transfer is fundamentally governed by the DNS record called ‘Start of Authority’ (SOA), which includes several fields:

  • The ‘MNAME’ field contains the IP address of the primary DNS server.
  • Furthermore, the SOA record contains several fields that define the intervals at which secondary DNS servers automatically request changes from the primary.
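As an added illustration (not code from the original article), the following Python parses an SOA record in zone-file order and plays through the decision a secondary makes after each scheduled check: the REFRESH, RETRY and EXPIRE fields set the timers, and the SERIAL decides whether a transfer is needed at all, compared with RFC 1982 serial arithmetic so that a wrapped-around counter is still recognised as newer. The zone name and field values are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class SOA:
    mname: str     # primary server, given as a domain name in the record
    rname: str     # responsible person's mailbox, '@' written as '.'
    serial: int    # version number of the zone; secondaries compare this
    refresh: int   # seconds between scheduled checks at the primary
    retry: int     # seconds to wait before retrying a failed check
    expire: int    # seconds after which unrefreshed zone data is discarded
    minimum: int   # negative-caching TTL

def parse_soa(rdata: str) -> SOA:
    """Parse SOA RDATA written in zone-file order."""
    mname, rname, *nums = rdata.split()
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial number arithmetic: True if a is newer than b,
    treating the 32-bit counter as a ring so a wrap-around still counts."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def plan_refresh(own: SOA, last_ok: int, now: int,
                 primary_serial: Optional[int]) -> Tuple[str, int]:
    """Decision of a secondary after a scheduled SOA check of the primary.

    last_ok is the time of the last successful check; primary_serial is
    None when the primary could not be reached. Returns (action, seconds
    until the next check).
    """
    if primary_serial is None:
        if now - last_ok >= own.expire:
            return "expire", own.retry      # stop answering authoritatively
        return "retry", own.retry           # try again sooner than REFRESH
    if serial_gt(primary_serial, own.serial):
        return "transfer", own.refresh      # fetch the zone (AXFR/IXFR)
    return "unchanged", own.refresh         # nothing to do until REFRESH

# Constructed SOA RDATA for a fictional zone (placeholder names and values).
SOA_TEXT = ("ns1.example.com. hostmaster.example.com. "
            "2024031501 7200 900 1209600 3600")

if __name__ == "__main__":
    soa = parse_soa(SOA_TEXT)
    print(plan_refresh(soa, last_ok=0, now=7200, primary_serial=2024031502))
```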

We’ll now look at three commonly used DNS configurations below.

Primary/secondary

In a way, this is the ‘classic’ configuration for distributing the DNS information of a zone to several authoritative DNS servers. A primary DNS server is used, which is specified in the MNAME field of the SOA record. The secondary DNS servers check at regular intervals whether a change has been made to the DNS information for their zone and initiate a transfer of the changed data if necessary. In addition, the primary server can notify the secondary DNS servers of changes via a notify statement (see above).

Hidden primary

The approach known as ‘hidden primary’ is an interesting variant of the classic primary/secondary configuration. Here, however, the primary server is not publicly visible – it is a hidden primary. The server specified in the MNAME field of the SOA record is not the actual primary server. Therefore, the secondary DNS servers cannot request changes to the DNS zone on their own but must be explicitly requested to do so by the hidden primary via a notify statement.

A popular approach is to configure a computer in the local network as a DNS server and use it as the hidden primary. This has two immediate advantages:

  • Changes to the zone file can be made locally.
  • All incoming DNS traffic is handled by the secondary DNS servers.
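The NOTIFY exchange a hidden primary uses to trigger its secondaries, as an added example that is not part of the original article: a minimal RFC 1996 NOTIFY request is built in wire format, and the secondary side checks it before acting. Because the MNAME in the SOA does not point at the hidden primary, the secondary has to be told the hidden primary's address explicitly; the zone name and the 192.0.2.10 address are constructed placeholders, and dropping a NOTIFY from an unknown sender without any reply is what RFC 1996 prescribes.

```python
import struct
from typing import Dict, Optional, Set, Tuple

NOTIFY_OPCODE = 4   # DNS opcode for NOTIFY (RFC 1996)
QTYPE_SOA = 6
QCLASS_IN = 1

def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Inverse of encode_name (no compression pointers in these messages)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_notify(msg_id: int, zone: str) -> bytes:
    """NOTIFY request: opcode 4, QR=0, one question of type SOA for the zone."""
    header = struct.pack("!HHHHHH", msg_id, NOTIFY_OPCODE << 11, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)

def handle_notify(packet: bytes, src_ip: str,
                  primaries: Dict[str, Set[str]]) -> Tuple[str, Optional[bytes]]:
    """Secondary side: validate a NOTIFY and decide what to do.

    RFC 1996 section 3.10: a NOTIFY from a host that is not a known primary
    for the zone is ignored without any response. Returns (action, reply).
    """
    msg_id, flags, qdcount = struct.unpack("!HHH", packet[:6])
    is_request = ((flags >> 15) & 1) == 0
    opcode = (flags >> 11) & 0xF
    if not is_request or opcode != NOTIFY_OPCODE or qdcount != 1:
        return "ignore", None                 # not a NOTIFY request at all
    zone, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    if qtype != QTYPE_SOA or src_ip not in primaries.get(zone, set()):
        return "ignore", None                 # wrong type or unknown sender
    # Acknowledge with the same message, QR bit set; then query the SOA at
    # the primary and transfer the zone if its serial is newer.
    reply = struct.pack("!HH", msg_id, flags | 0x8000) + packet[4:off + 4]
    return "query-soa", reply

# Constructed hidden-primary setup: the secondary only trusts NOTIFY from the
# hidden primary's address (RFC 5737 documentation range, a placeholder).
KNOWN_PRIMARIES = {"example.com.": {"192.0.2.10"}}
```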

For this approach, it is advisable to encrypt the communication between the secondary DNS servers and the hidden primary with the encryption technology DNSSEC.


Primary/primary

This configuration is a more recent development. Several DNS servers that are authoritative for a DNS zone are used, all of which contain the source data. There is no zone transfer between them, and therefore there is no secondary DNS in the true sense of the concept. Every change to the DNS zone requires the primary DNS servers to be synchronised in a coordinated way. Proprietary systems are used for this purpose, for example an external system with a GUI and an API that is used to change the DNS information and distribute the changes.

Why is it a good idea to use secondary DNS?

The benefits of using secondary DNS are many. To understand them better, let’s imagine that there were only one DNS server for a DNS zone. This configuration would have the following negative effects, among others, each of which secondary DNS addresses:

  • Users further away from the primary DNS server would experience a delay in responses compared to users closer by. Secondary DNS ensures performance when answering DNS queries.
  • A failure of the primary DNS server would mean that the authoritative information for the DNS zone would suddenly no longer be available. Secondary DNS provides redundancy and high availability of the DNS information.
  • An increase in the number of DNS queries received would overload the primary DNS server after a certain point. In this case, secondary DNS distributes the load and keeps the DNS information highly available.

As you can tell, a configuration without secondary DNS would be highly vulnerable to technical errors and cyber-attacks.

How can you recognise secondary DNS?

The distinction between primary and secondary DNS is mainly administrative. An external observer cannot conclusively determine whether an authoritative DNS server is a primary or secondary server. Furthermore, the same server can be primary DNS for one zone and secondary DNS for another zone. Even the MNAME field of the SOA record does not help in determining this, because the actual primary DNS server can be operated as a hidden primary.
