Learning Library

Primary vs Secondary DNS Explained

Key Points

  • DNS translates human‑readable domain names (e.g., ibm.com) into IP addresses: the user's computer asks a resolver, the resolver walks the DNS hierarchy to the authoritative name servers for the domain, and the answer they return is passed back to the user's computer.
  • As an administrator, you configure an authoritative zone on a primary name server (ns1.ibm.com) with records such as A, NS, and MX that define the domain's services.
  • For resilience, a secondary name server (ns2.ibm.com) holds an exact copy of the primary's zone, so queries are still answered if the primary fails. Primary and secondary are indistinguishable to clients on the internet; the distinction only matters to the administrator.
  • Manually replicating zone data across several servers is error‑prone and introduces synchronization delays, which is why an automated zone transfer mechanism is needed.
  • Primary and secondary DNS address this: the primary holds the master copy the administrator edits, and each secondary periodically compares the primary's SOA serial number with its own and pulls the zone (AXFR/IXFR) when the serial has increased; NOTIFY lets the primary prompt that check right after a change. Every name server must also be listed in the zone's NS records and delegated at the registrar, and vendor‑specific features such as global server load balancing do not travel over zone transfers.
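
The pull mechanism the last two points describe, worked through as an added example that is not code from the video or from IBM: a primary that bumps its SOA serial and sends NOTIFY on every edit, a secondary that transfers only when the primary's serial is ahead (using the wrap-around serial comparison of RFC 1982 rather than a plain `>`), an access check on AXFR so that only configured secondaries can pull the zone, and a delegation check against what the registrar lists. The names ns1.ibm.com, ns2.ibm.com, www.ibm.com and 9.9.9.1 come from the transcript; the record set, the second address 9.9.10.1, the MX preference and the in-process "servers" are constructed for the demonstration.

```python
# Added example (not from the video or IBM): primary/secondary synchronisation
# driven by the SOA serial, with NOTIFY and an AXFR access check.  ns1/ns2,
# ibm.com and 9.9.9.1 come from the transcript; the record set, the serial
# bookkeeping and the in-process "servers" are constructed here.
from dataclasses import dataclass, field
from typing import Optional

Record = tuple          # (owner name, record type, rdata)
SERIAL_MOD = 2 ** 32


@dataclass
class Zone:
    origin: str
    serial: int         # the SOA serial number the video talks about
    records: set = field(default_factory=set)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: the serial is a 32-bit counter that wraps,
    so 'a is newer than b' means a is ahead of b by less than 2**31.  A
    secondary using plain '>' would stop transferring for ever once a
    date-based serial was reset to a smaller number."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return a != b and (a - b) % SERIAL_MOD < 2 ** 31


class Primary:
    """ns1: the only server the administrator edits."""

    def __init__(self, zone: Zone):
        self.zone = zone
        self.secondaries: list = []      # the allow-transfer / also-notify list

    def add_record(self, rec: Record) -> None:
        self.zone.records.add(rec)
        self.zone.serial = (self.zone.serial + 1) % SERIAL_MOD
        for s in self.secondaries:       # NOTIFY: "my serial changed, come and check"
            s.handle_notify(self, self.zone.serial)

    def soa_serial(self) -> int:
        return self.zone.serial          # answer to the secondary's SOA query

    def axfr(self, requester) -> Zone:
        # Caveat: AXFR hands out the entire zone.  Restricting who may
        # transfer is the difference between replication and a zone leak.
        if requester not in self.secondaries:
            raise PermissionError("AXFR refused: not a configured secondary")
        return Zone(self.zone.origin, self.zone.serial, set(self.zone.records))


class Secondary:
    """ns2: keeps a copy and decides on every refresh whether to pull again."""

    def __init__(self, primary: Primary):
        self.primary = primary
        self.zone: Optional[Zone] = None
        self.transfers = 0

    def refresh(self) -> bool:
        """The periodic SOA check.  Returns True when a transfer was done."""
        remote = self.primary.soa_serial()
        if self.zone is not None and not serial_gt(remote, self.zone.serial):
            return False                 # same (or older) serial: nothing to do
        self.zone = self.primary.axfr(self)
        self.transfers += 1
        return True

    def handle_notify(self, sender, claimed_serial: int) -> bool:
        """NOTIFY is only a hint: the serial it carries is never trusted, a
        NOTIFY from anything but the configured primary is dropped, and the
        zone is always fetched from the primary after a fresh SOA check."""
        if sender is not self.primary:
            return False
        return self.refresh()


def delegation_mismatch(zone: Zone, registrar_ns: set) -> set:
    """Name servers in the zone's apex NS records but not delegated at the
    registrar, or delegated but missing from the zone (the video's 'tell the
    registrar about all 10 name servers' step)."""
    apex_ns = {rdata for owner, rtype, rdata in zone.records
               if owner == zone.origin and rtype == "NS"}
    return apex_ns ^ registrar_ns


def run_demo() -> dict:
    zone = Zone("ibm.com.", serial=1, records={
        ("www.ibm.com.", "A", "9.9.9.1"),
        ("ibm.com.", "NS", "ns1.ibm.com."),
        ("ibm.com.", "NS", "ns2.ibm.com."),
        ("ibm.com.", "MX", "10 mail.ibm.com."),   # preference value is constructed
    })
    ns1 = Primary(zone)
    ns2 = Secondary(ns1)
    ns1.secondaries.append(ns2)

    first = ns2.refresh()                # no copy yet: full AXFR at serial 1
    idle = ns2.refresh()                 # serial unchanged: no transfer
    ns1.add_record(("www.ibm.com.", "A", "9.9.10.1"))  # serial -> 2, NOTIFY -> ns2

    rogue = Secondary(ns1)               # not in ns1's list: must be refused
    try:
        rogue.refresh()
        rogue_refused = False
    except PermissionError:
        rogue_refused = True

    return {"first": first, "idle": idle, "rogue_refused": rogue_refused,
            "serial": ns2.zone.serial, "records": len(ns2.zone.records),
            "transfers": ns2.transfers,
            "missing_at_registrar": delegation_mismatch(zone, {"ns1.ibm.com."})}


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the `axfr` check corresponds to the primary's transfer ACL (in BIND, `allow-transfer`, ideally keyed with TSIG rather than by source address alone) and the `secondaries` list to its notify targets; the `delegation_mismatch` result is what you would compare against the NS set the registrar publishes for the domain.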

Source: https://www.youtube.com/watch?v=qhiyTH5B21A
Duration: 00:15:15

Sections

  • 00:00:00 (https://www.youtube.com/watch?v=qhiyTH5B21A&t=0s) Primary vs Secondary DNS Overview: The speaker explains DNS fundamentals, the lookup process, and how administrators configure primary and secondary name servers for resilient domain resolution.
  • 00:11:45 (https://www.youtube.com/watch?v=qhiyTH5B21A&t=705s) DNS Redundancy vs Advanced Load Balancing: The speaker explains that while configuring multiple name servers (primary/secondary) ensures reliable DNS redundancy, this setup cannot support advanced features such as global server load balancing or traffic steering, which are proprietary and not transferable via zone transfers.

Full Transcript
[0:00] Today we're going to be talking about secondary versus primary DNS. We'll be covering what they are, why they're different, and how you would use one or the other. So to start, I'm going to do a brief review of DNS, what it is and how it works.

[0:18] So if you recall, if I have a user on the internet and he wants to access ibm.com, his computer is going to use the DNS system to look up the IP address. What'll happen is his computer will talk to a DNS resolver out on the internet. The resolver will know how to navigate the DNS system; it will make its way to an authoritative name server, which will have the IP address for www.ibm.com. It will send that IP address back to the user, and now my user can actually make his way to the IBM website and he can browse and see all of our products and services. Life is good.

[1:06] But now you're the administrator, and your job is to set up the DNS so that this user can make it to ibm.com, and you want to do it in such a way that it's resilient and ensures that if a server is down the user can still make it to ibm.com. So what I'm going to do as an administrator is I'm going to go to my name server. We'll say this name server is ns1.ibm.com, a common name for a name server, and this is for the zone ibm.com. I'm going to set up the records in my zone. So I might have the record for www; it's going to be an A record, and the IP address is 9.9.9.1. Then it's going to have a name server record for ibm.com, which is going to point at ns1.ibm.com. And then I might also have a mail record, for the name mail; it'll be an MX record and it'll be mail.ibm.com. And so on and so forth, I'll fill out my zone.

[2:25] So now that I have this set up, when my user goes to the internet he'll use the DNS service, he'll get to my server ns1.ibm.com, it will do a lookup, find that the IP address is 9.9.9.1, return it to the user, and they'll make it to the ibm.com website. Everything's great, right? Well, now I want to build in some resiliency, so that if ns1.ibm.com ever goes down I'll have a backup. To do that I'm going to set up a second server with a complete copy of this same zone. I'm going to call that server ns2.ibm.com, and I'm going to make a full copy of everything that's in there. So I'm going to create not just the www record, the A record; I'm going to create the NS record and I'm going to create the MX record. So it's a full copy of everything that I originally configured in the ns1.ibm.com zone; we'll make a copy in the ns2.ibm.com zone.

[3:34] Now you could imagine I want to make a third copy, and I could go and make a third copy of this. If I do it manually that's a pain in the butt, and there's going to be a delay between me going in and configuring the first server, the second server, and the third server. So I need a way to do this automatically, and that's where primary versus secondary DNS comes in.

[3:55] So imagine here my server ns1.ibm.com, and I've got my user down here, and my user is interacting with this server and filling in all the details. So I configure and fill in my www record and so on and so forth; I'm interacting with this server. Now I want to set up my second server, and I want to make it so that ns2.ibm.com automatically gets a copy of whatever I do in ns1.ibm.com. So I want to be able to copy the records over. This one is known as the primary, because that's where I'm doing the configuration, and this one is known as the secondary, because that's getting the copy; it's a second copy. I'll dig into the details of how this interaction works in a second.

[4:59] But just to bring it back to users on the internet: now on the internet I've got two name servers, I've got ns1 and ns2, and when a user on the internet does his DNS lookup for www.ibm.com, the DNS can either get the answer from ns1 or ns2, and they're both exact copies of each other, because we've used this protocol that I'm going to describe in a second to make a copy of ns1 to the ns2 server. And so we have redundancy: if either of these servers breaks, then the other server is still available. And I can replicate this multiple times, so I could have five such servers, ten such servers on the internet, all of them copies of ns1, because there's only one primary. The primary is where I interact as an administrator, where I make all the changes, and all the other servers are copies of the primary.

[5:52] So now let's talk a minute about how the copying actually works. The copying starts from the secondary server, and there's another record type which I haven't drawn in yet, which I'm going to draw on now. It's something called the SOA record, which stands for start of authority. It has a number of parameters in it related to the zone, but the most important one for this purpose is known as the serial number. The SOA serial number can be any number; a lot of people use dates, some people use just integers that are increasing. For the purpose of this talk I'm just going to use an integer, so I'm going to say it starts at SOA 1, and the copy that I make is also going to be SOA 1.

[6:38] So now let's say I make a change to the primary name server and I want to have it transfer over to the secondary. What's going to happen? Let's say I add another A record in here, so I add 9.9.10.1; I've added another server for my application, and I want to get that to copy over to the secondary. What's going to happen when I make that change is the SOA is going to change to 2. So this name server, ns2, periodically, maybe every 10 minutes, every 30 minutes or so forth, is going to make a request over here and say, what's your SOA, what's your start of authority number? Name server one is going to say, oh, it's 2 now. Name server two is going to go, oh, I still had SOA 1, so you must have done some kind of an update. So now name server two is going to make a request, and it's called an AXFR or IXFR request, and then name server one is going to send back the information so that name server two gets properly updated. And so this will go to 2 and I'll get the second A record in here with the right information, and now they're in sync.

[7:58] So now periodically, as I said, name server two will do this SOA check. If it comes back the same, it's going to keep coming back 2 because I haven't made any changes to name server one, and nothing will happen. As soon as I go and make a change to name server one and I update this to 3, then I've got to do this transfer, the AXFR or IXFR transfer, which I'll describe in just a second, and that way these two stay in sync and my user is happy, because every time he goes to find ibm.com he can talk to either server and get the right answer.

[8:33] So there's a problem with this approach, which is that when I make a change on the primary I have to wait till the secondary, all the secondaries, get around to talking to the primary and pulling back the change. So there was an addition to the protocol made a few years after it was originated, called notify. What'll happen here is, when you make a change on the primary server, it will actually send, via UDP, a notify message to the secondary, and that will kick off all this stuff up above. So the notify: I make the change, I send the notify to the secondary, the secondary does an SOA check, finds out yeah, you really did make a change, and then it will initiate the AXFR transfer and get a new copy of the zone. That way the two servers stay very closely in sync, so that all my users, when they're on the internet, can go to either server and they'll get completely updated information wherever they are. And I have the benefit that if one of these servers crashes and dies, you know, ns2 goes offline, the ns1 server is still operational and working. And again, in the real world you wouldn't just have two servers; you'd probably have 10 servers or 20 servers or 30 servers, and you would use this method to copy the zone to all of those servers.

[9:54] One misconception I often hear about DNS, when thinking about primary versus secondary, is that it is visible to the users on the internet. It's not. As you saw in this example, the primary and secondary servers have exactly the same copy of the zone, and so to the users on the internet they look identical; they have the same information. There's no way to know which is primary and which is secondary. The only meaning of primary versus secondary is to me, the administrator. The primary server is the one where I make all the changes, and the secondary servers are the servers that get copies from the primary. So again: primary is what I interact with as an administrator, either through a portal or an API; secondary gets copies automatically from the primary, totally invisible to everyone on the internet, and it's active-active all the time. Once you set this up and you delegate your name servers such that they're available and visible on the internet, then this just works.

[10:56] So it brings up another topic I mentioned, which is delegation. Once I've set up these copies, I have to tell the world that all these copies exist, and so I go to my registrar; this is an act usually called delegation. I go to my registrar, where I bought the domain name, and I configure the name servers. I'll set up a record: I have to change my zone file, and I'll say I added another name server, I added ns2.ibm.com. Then I have to go up to my registrar, through the delegation process, and tell it that ibm.com is now served by not just one name server but two name servers, ns1.ibm.com and ns2.ibm.com, and so on and so forth. So if I add 10 name servers, I have to put all 10 name servers in the zone file and go tell my registrar that I want to delegate my zone to all 10 of those name servers, and in that way users on the internet can find all 10 of these name servers, or however many I have.

[12:03] So this is probably the most common way to achieve reliability through redundancy on the internet, but there are some drawbacks to primary and secondary. The biggest drawback is that advanced features are not supported, and probably the biggest advanced feature you'll run into is global server load balancing, or traffic steering. As you may recall, global server load balancing is where you can direct users to the server located closest to them. So if I've got the internet out here and I've got my application servers in, say, New York City, in London, and in San Francisco, and I want to direct my users to the location closest to them, so my users on the east coast of the US go to New York, users in Europe go to London, and so on and so forth, I need to use this feature called global server load balancing or traffic steering, which we have another video on. But the crux of it is that it's a special feature of DNS that directs the user to the right server based on their location. That feature is proprietary to most vendors and to most systems, and it can't be transferred over XFR. So if I go to my primary server and I set up these great features to enable global server load balancing, to really supercharge my application, that all works great, but I can't use the AXFR or IXFR to now transfer that configuration to my secondary servers. So I can't use GSLB plus secondary together; it just doesn't work.

[13:43] So a couple of techniques people use to fix that. One is you can use a DNS vendor that has a proprietary system to support multiple servers around the world; that's one common technique. The other technique we've seen is, when people want to use multiple vendors, they'll set up multiple primary servers. So instead of making this a secondary, they'll make this a primary, and then their user will sit in the middle and they'll use an API to configure both of these directly. And so none of this is working anymore; the user, like you, the administrator, would either use an API or just go into the console of each of these independently and set them up, but an API is usually the way you would do it. You would set up a front end where you would type in your configuration and it would automatically make the updates on each of those systems. That gets pretty complex, but we've seen it done successfully, and it's another technique to get that redundancy you want while also getting the capability of global server load balancing or traffic steering.

[14:50] So hopefully you've learned a little bit about secondary versus primary DNS, what its pros and cons are, and how you can use it to ensure that your services and your DNS are highly available on the internet. If you like this video and want to see more like it, please like and subscribe. If you have any questions or want to share your thoughts about this topic, please leave a comment below.
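
The "what's your SOA?" exchange the speaker describes, shown on the wire as an added example that is not part of the video: the secondary builds a DNS SOA query, the primary answers with its SOA record, and the secondary extracts the serial from the answer and decides whether a transfer is due. The message layout follows RFC 1035; the MNAME/RNAME values, the timer fields and the transaction ID are constructed for the demonstration. The parser refuses an answer whose transaction ID does not match the query, which is the minimum a secondary needs so that a stray or spoofed reply cannot drive its refresh decision.

```python
# Added example (not from the video): the SOA exchange in DNS wire format
# (RFC 1035).  Names, timers and the transaction ID below are constructed.
import struct

TYPE_SOA, CLASS_IN = 6, 1


def encode_name(name: str) -> bytes:
    """'ns1.ibm.com' -> b'\\x03ns1\\x03ibm\\x03com\\x00' (uncompressed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name, which may be labels or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # pointer: two bytes, and the name ends here
            return off + 2
        off += length + 1


def build_soa_query(qid: int, zone: str) -> bytes:
    """What ns2 sends: header (RD set, one question) + '<zone> IN SOA'."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def build_soa_response(query: bytes, mname: str, rname: str, serial: int,
                       refresh: int, retry: int, expire: int, minimum: int,
                       ttl: int = 3600) -> bytes:
    """What ns1 answers: same ID, QR and AA set, question echoed, one SOA RR."""
    qid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4      # question = QNAME + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)
    rdata = (encode_name(mname) + encode_name(rname)
             + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))
    # owner name is a pointer (0xC00C) back to the question name at offset 12
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:qend] + rr


def parse_soa_serial(msg: bytes, expected_qid: int) -> int:
    """Serial from the SOA answer.  The transaction ID must match the query;
    an answer with the wrong ID (stale, or a spoof attempt) is discarded."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_qid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a successful response (QR clear or RCODE set)")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SOA:
            rd = skip_name(msg, skip_name(msg, off))   # step past MNAME and RNAME
            return struct.unpack("!I", msg[rd:rd + 4])[0]
        off += rdlen
    raise ValueError("no SOA record in the answer")


def exchange(local_serial: int, primary_serial: int, qid: int = 0x1234) -> dict:
    """One refresh cycle: query, answer, compare.  'transfer' is ns2's decision
    and is True only when ns1's serial is ahead in RFC 1982 wrap-around order."""
    query = build_soa_query(qid, "ibm.com")
    answer = build_soa_response(query, "ns1.ibm.com", "hostmaster.ibm.com",
                                primary_serial, 600, 300, 1209600, 300)
    remote = parse_soa_serial(answer, qid)
    ahead = remote != local_serial and (remote - local_serial) % 2 ** 32 < 2 ** 31
    return {"query_bytes": len(query), "answer_bytes": len(answer),
            "remote_serial": remote, "transfer": ahead}


if __name__ == "__main__":
    print(exchange(local_serial=1, primary_serial=2))
```

The same query, sent to a real server, is what `dig @ns1.ibm.com ibm.com SOA` produces; on the wire the only thing that distinguishes the primary's answer from anyone else's is the transaction ID and source port the secondary checks, which is why production secondaries additionally authenticate the transfer itself (TSIG) rather than trusting an unauthenticated SOA answer or NOTIFY alone.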