    Using DNScale as Your Secondary DNS Provider

    Add DNScale as a secondary DNS provider alongside your existing primary for redundancy, DDoS resilience, and global performance.

    What you'll learn

    • Understand why adding a secondary DNS provider eliminates single points of failure
    • Learn how DNScale's API-based synchronization differs from traditional AXFR zone transfers
    • Set up DNScale as a secondary provider using Terraform, DNSControl, or the REST API
    • Configure NS delegation at your registrar for dual-provider resolution

    Your DNS is the front door to every service you run. If your DNS provider goes down, your domains go dark — websites, APIs, email, everything. Adding a secondary DNS provider ensures your domains keep resolving even when your primary provider has an outage.

    DNScale works as both a primary and secondary DNS provider. This guide covers how to add DNScale alongside your existing DNS provider for redundancy, and why its architecture makes it a strong choice for multi-provider setups.

    Why You Need a Secondary DNS Provider

    A single DNS provider is a single point of failure. Provider outages happen more often than most teams expect:

    • DDoS attacks can overwhelm even large providers, making your zones unreachable
    • Software bugs or misconfigured deployments can take an entire provider offline
    • Network issues at a single provider can leave entire regions unable to resolve your domains

    With a secondary DNS provider, resolvers worldwide have an alternative set of nameservers to query. If one provider is down, the other continues answering — your users never notice. For a deeper look at the threat landscape, see DNS Attacks and Threats.

    Adding a secondary DNS provider is the single most impactful resilience measure for any production domain. It's also one of the simplest.

    How DNScale Works as Secondary DNS

    Traditional secondary DNS relies on zone transfers — the secondary server pulls zone data from the primary using AXFR or IXFR protocols, authenticated with TSIG keys. This approach works but has limitations: both providers must support zone transfers, firewall rules must allow the transfer traffic, and synchronization is pull-based with inherent delays.

    DNScale takes a different approach: API-based synchronization using infrastructure-as-code tools like Terraform or DNSControl. You define your DNS records once in a declarative configuration file and push them to both providers simultaneously.

    This has several advantages over traditional zone transfers:

    • Works with any provider — no need for AXFR/IXFR support or TSIG key negotiation
    • Push-based, not pull-based — changes propagate immediately when you deploy
    • CI/CD native — fits into existing deployment pipelines with drift detection
    • Version controlled — your DNS records live in Git alongside your infrastructure code
    • Provider-agnostic — switch or add providers by changing a config file, not reconfiguring zone transfers

    For background on how traditional secondary DNS works, see What Is Secondary DNS and Primary DNS vs Secondary DNS.

    DNScale's Anycast Architecture

    When you add DNScale as a secondary provider, your domains benefit from its globally distributed anycast network:

    • Multiple Points of Presence across Europe, North America, Asia-Pacific, Latin America, and Africa
    • Dual autonomous systems — separate EU and Global networks with independent BGP routing, so a failure in one network doesn't affect the other
    • Sub-second failover — BGP route withdrawal automatically redirects queries away from any failed node, unlike DNS-based failover which depends on TTL expiry
    • DDoS dilution — attack traffic is absorbed across all anycast nodes rather than concentrated on a single server

    DNScale's Global DNS Resolution Balancing ensures queries are answered by the closest available node. You can see real-time performance data from RIPE Atlas probes on the network performance page.

    This means adding DNScale as a secondary provider doesn't just add redundancy — it adds global performance. Your users in regions where your primary provider has limited coverage will get faster DNS resolution through DNScale's nearest point of presence.

    Setting Up DNScale as Your Secondary Provider

    There are three ways to keep DNScale in sync with your primary provider:

    Option 1: Terraform

    Define your zones and records in Terraform, targeting both your primary provider and DNScale:

    # DNScale provider
    resource "dnscale_record" "www" {
      zone_id = dnscale_zone.example.id
      name    = "www"
      type    = "A"
      content = "203.0.113.10"
      ttl     = 300
    }
     
    # Your primary provider (e.g., Cloudflare, AWS Route 53, Hetzner)
    resource "cloudflare_record" "www" {
      zone_id = var.cloudflare_zone_id
      name    = "www"
      type    = "A"
      content = "203.0.113.10"
      ttl     = 300
    }

    Run terraform apply and both providers are updated simultaneously. See the full walkthrough in Multi-Provider DNS with Terraform & DNSControl.

    Option 2: DNSControl

    DNSControl is purpose-built for multi-provider DNS. Define records once and push to multiple providers:

    D("example.com", REG_NONE,
      DnsProvider(DSP_DNSCALE),
      DnsProvider(DSP_CLOUDFLARE),
     
      A("www", "203.0.113.10", TTL(300)),
      AAAA("www", "2001:db8::10", TTL(300)),
      MX("@", 10, "mail.example.com."),
    );

    One dnscontrol push updates both providers. See the DNSControl Guide for setup instructions.

    Option 3: REST API

    For custom integrations, use the DNScale API directly. Export records from your primary provider and push them to DNScale via the REST API. This works well for organizations with existing automation that can't easily adopt Terraform or DNSControl.

    Configuring NS Delegation

    After setting up records in both providers, update the NS records at your domain registrar to include nameservers from both providers:

    example.com.  86400  IN  NS  ns1.primary-provider.com.
    example.com.  86400  IN  NS  ns2.primary-provider.com.
    example.com.  86400  IN  NS  ns1.dnscale.eu.
    example.com.  86400  IN  NS  ns2.dnscale.eu.
    example.com.  86400  IN  NS  ns3.dnscale.com.

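    Resolvers will query whichever nameserver responds fastest. If your primary provider goes down, resolvers automatically fall back to DNScale's nameservers — no manual intervention needed. Because any nameserver in the delegation may answer a given query, both providers must serve identical records at all times.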

    For region-specific delegation strategies, see DNS Delegation by Region.

    DNSSEC with Multiple Providers

    Running DNSSEC across two providers adds complexity. Each provider signs records with its own keys, and both sets of DS records must be published at the registrar.

    Key considerations:

    • Both providers must support DNSSEC independently
    • DS records from both providers must be added to the parent zone
    • Key rollovers must be coordinated — or each provider can manage its own keys independently (multi-signer model, RFC 8901)
    • If one provider doesn't support DNSSEC, you can still run DNSSEC on DNScale alone — unsigned responses from the other provider won't cause validation failures as long as the zone is only signed by one provider

    DNScale as Your Primary DNS

    If you don't have an existing DNS provider — or want to switch — DNScale works as a standalone primary DNS provider too:

    • Web dashboard for managing zones and records
    • Full API for automation and integration
    • 20+ record types including A, AAAA, CNAME, MX, TXT, SRV, CAA, TLSA, SVCB, HTTPS, and more
    • Zone import to migrate from your current provider — see Zone Import Methods
    • DNSSEC with automated key management
    • Query analytics with per-zone and per-edge traffic breakdowns

    Whether you use DNScale as your primary, your secondary, or both — the same anycast infrastructure, API, and management tools apply.

    Comparison: Traditional Secondary vs DNScale

    Feature                | Traditional Secondary (AXFR)          | DNScale as Secondary
    -----------------------|---------------------------------------|---------------------------------------------
    Sync method            | Zone transfer (AXFR/IXFR)             | API / Terraform / DNSControl
    Setup complexity       | TSIG keys, firewall rules, SOA tuning | API key + declarative config
    Works with any primary | Only if primary supports AXFR         | Yes — any provider with an API or web UI
    Propagation            | Pull-based (SOA refresh interval)     | Push-based (immediate on deploy)
    Automation             | Custom scripts or manual              | CI/CD native with drift detection
    Global anycast         | Varies by provider                    | Multiple POPs across five continents, dual-AS
    Record type support    | Limited by what transfers correctly   | Full support for 20+ record types
    Version control        | Not inherently supported              | Records defined in Git
    DNSSEC                 | Complex multi-signer coordination     | Supported per-provider

    Getting Started

    1. Create a DNScale account (free tier available)
    2. Create your zone and add records via the dashboard or API
    3. Set up Terraform or DNSControl for automated sync
    4. Add DNScale nameservers to your registrar's NS delegation
    5. Verify resolution with dig @ns1.dnscale.eu example.com
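
    The check in step 5, extended into a drift comparison between the two providers (an added example, not DNScale's own tooling): it compares the authoritative answers returned by one nameserver at each provider and lists records that only one side serves. ns1.primary-provider.com is this page's placeholder for your primary; the function names and sample answers are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not DNScale tooling): detect record drift between providers
# by comparing authoritative answers from one nameserver at each.

# Reduce `dig +noall +answer` text to sorted "owner TYPE rdata" lines.
# TTL and class are dropped so only record data is compared.
normalize() {
  awk 'NF >= 5 && $1 !~ /^;/ {
         rdata = $5
         for (i = 6; i <= NF; i++) rdata = rdata " " $i
         print tolower($1), toupper($4), rdata
       }' | LC_ALL=C sort -u
}

# diff_answers LABEL_A LABEL_B ANSWERS_A ANSWERS_B
# Prints records held by only one side; returns 1 on drift, 0 when in sync.
diff_answers() {
  a=$(printf '%s\n' "$3" | normalize)
  b=$(printf '%s\n' "$4" | normalize)
  if [ "$a" = "$b" ]; then return 0; fi
  { printf '%s\n' "$a"; echo '--'; printf '%s\n' "$b"; } |
    awk -v la="$1" -v lb="$2" '
      $0 == "--" { second = 1; next }
      $0 == ""   { next }
      !second    { A[$0] = 1; next }
                 { B[$0] = 1 }
      END {
        for (r in A) if (!(r in B)) print "only at " la ": " r
        for (r in B) if (!(r in A)) print "only at " lb ": " r
      }' | LC_ALL=C sort
  return 1
}

# Live check (needs network): query each provider directly, bypassing caches.
check_live() {  # NAME TYPE NS_A NS_B
  diff_answers "$3" "$4" \
    "$(dig +norecurse +noall +answer "@$3" "$1" "$2")" \
    "$(dig +norecurse +noall +answer "@$4" "$1" "$2")"
}

# Constructed sample answers: the secondary still serves a stale A record.
PRIMARY_SAMPLE='www.example.com. 300 IN A 203.0.113.10
www.example.com. 300 IN AAAA 2001:db8::10'
SECONDARY_SAMPLE='WWW.example.com. 60 IN A 203.0.113.99
www.example.com. 300 IN AAAA 2001:db8::10'

diff_answers ns1.primary-provider.com ns1.dnscale.eu \
  "$PRIMARY_SAMPLE" "$SECONDARY_SAMPLE" || echo "drift detected"
```

    For a live run, call `check_live www.example.com A ns1.primary-provider.com ns1.dnscale.eu` once per record you care about. Two empty answers also compare as equal, so test names you know exist.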

    For a complete walkthrough with code examples, see Multi-Provider DNS with Terraform & DNSControl.
