Secondary DNS Server for Redundancy

By Admin · Mar 15, 2026 · Updated Apr 23, 2026 · 245 views · 2 min read

A secondary (slave) DNS server provides redundancy for your authoritative DNS, ensuring domain resolution continues if the primary server goes down. DNS best practices and most TLD requirements mandate at least two geographically separated nameservers. This guide covers setting up secondary DNS with BIND, NSD, and cloud DNS providers.

Why Secondary DNS?

  • Redundancy — domain remains resolvable if primary fails
  • Performance — distribute queries across servers geographically
  • Requirement — most registrars require at least 2 nameservers
  • DDoS resilience — distributed DNS is harder to take offline

BIND Secondary Setup

# On the PRIMARY server (/etc/bind/named.conf)
zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.zone";
    allow-transfer { 10.0.0.2; };     # Secondary server IP
    also-notify { 10.0.0.2; };         # Notify on changes
};

# On the SECONDARY server (/etc/bind/named.conf)
zone "example.com" {
    type slave;
    file "/var/cache/bind/example.com.zone";
    masters { 10.0.0.1; };             # Primary server IP
    allow-transfer { none; };
};

# Start and verify
sudo systemctl restart bind9

# Check zone was transferred
ls -la /var/cache/bind/example.com.zone
dig @secondary-ip example.com SOA

NSD Secondary Setup

# /etc/nsd/nsd.conf on SECONDARY
zone:
    name: "example.com"
    zonefile: "example.com.zone"
    allow-notify: 10.0.0.1 NOKEY
    request-xfr: 10.0.0.1 NOKEY

Using Cloud DNS as Secondary

# Cloudflare Secondary DNS
# 1. Add domain in Cloudflare dashboard as "Secondary DNS"
# 2. Configure primary to allow transfer to Cloudflare IPs
allow-transfer {
    173.245.58.0/24; 103.21.244.0/22; 103.22.200.0/22;
    # ... (full list in Cloudflare docs)
};
also-notify { 173.245.58.51; };

# AWS Route 53 as Secondary
# Use hosted zone with "zone transfer" from primary
# Configure AXFR from your primary to Route 53

Testing

# Verify both servers respond correctly
dig @primary-ip example.com A +short
dig @secondary-ip example.com A +short

# Check SOA serial matches
dig @primary-ip example.com SOA +short
dig @secondary-ip example.com SOA +short

# Verify zone transfer works
dig @primary-ip example.com AXFR

Registrar Configuration

# Add both nameservers at your registrar:
# ns1.example.com → primary IP
# ns2.example.com → secondary IP

# Add glue records if nameservers are under the same domain
# At registrar: set ns1.example.com = 203.0.113.1
#               set ns2.example.com = 203.0.113.2

Best Practices

  • Place primary and secondary in different data centers or providers for geographic redundancy
  • Use NOTIFY to push zone updates to secondaries immediately
  • Monitor SOA serial synchronization between primary and secondary
  • Consider using a cloud DNS provider as secondary for global Anycast distribution
  • Use TSIG authentication for zone transfers in production
  • Set appropriate SOA refresh/retry values (3600/600 recommended)
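To make the "monitor SOA serial synchronization" and "refresh/retry" items concrete, here is a small checker (an added example, not code from this article) that parses the one-line output of `dig @server example.com SOA +short` from the primary and the secondary, compares the serials using RFC 1982 serial arithmetic so a wrapped counter is not misread, and flags timers that differ from the values recommended above. The dig output strings embedded below are constructed for the demo, not captured from real servers.

```python
"""Check that a secondary's SOA matches the primary's (added example)."""
from dataclasses import dataclass

RECOMMENDED_REFRESH = 3600   # values recommended in the article
RECOMMENDED_RETRY = 600


@dataclass
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa_short(text):
    """Parse one line of `dig ... SOA +short` output (7 whitespace-separated fields)."""
    fields = text.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {text!r}")
    serial, refresh, retry, expire, minimum = (int(f) for f in fields[2:])
    return Soa(fields[0], fields[1], serial, refresh, retry, expire, minimum)


def serial_gt(a, b):
    """RFC 1982: True if serial a is newer than b, allowing wrap-around at 2**32."""
    return a != b and ((a < b and b - a > 2**31) or (a > b and a - b < 2**31))


def check_sync(primary_out, secondary_out):
    """Return a list of findings; an empty list means in sync with sane timers."""
    p, s = parse_soa_short(primary_out), parse_soa_short(secondary_out)
    findings = []
    if serial_gt(p.serial, s.serial):
        findings.append(f"secondary is stale: serial {s.serial} < primary {p.serial}")
    elif serial_gt(s.serial, p.serial):
        findings.append(f"secondary serial {s.serial} is AHEAD of primary {p.serial}")
    if p.refresh != RECOMMENDED_REFRESH or p.retry != RECOMMENDED_RETRY:
        findings.append(f"SOA refresh/retry is {p.refresh}/{p.retry}, "
                        f"recommended {RECOMMENDED_REFRESH}/{RECOMMENDED_RETRY}")
    return findings


# Constructed sample dig output (not from real servers)
PRIMARY_OK = "ns1.example.com. hostmaster.example.com. 2026041502 3600 600 1209600 86400"
SECONDARY_OK = "ns1.example.com. hostmaster.example.com. 2026041502 3600 600 1209600 86400"
SECONDARY_STALE = "ns1.example.com. hostmaster.example.com. 2026041501 3600 600 1209600 86400"

if __name__ == "__main__":
    for label, out in (("in-sync", SECONDARY_OK), ("stale", SECONDARY_STALE)):
        print(label, check_sync(PRIMARY_OK, out) or ["OK"])
```

Run it from cron against both nameservers by piping the real `dig +short` output into `check_sync`; a non-empty result is the condition to alert on.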
