Introducing PostScale -- email API for transactional, inbound, and masked addresses. PostScale

    What Is Secondary DNS

    Learn what secondary DNS is, how primary and secondary nameservers work together, and why redundant DNS is essential for domain reliability.

    Secondary DNS is a redundant copy of your DNS zone hosted on a separate nameserver. It serves the same DNS records as your primary server but provides failover and load distribution β€” if the primary goes down, the secondary continues answering DNS queries for your domain.

    How Primary and Secondary DNS Work

    In a standard DNS setup:

    • The primary (master) server holds the authoritative, editable copy of your zone
    • One or more secondary (slave) servers hold read-only copies synchronized from the primary
    • All servers (primary and secondary) are listed as authoritative NS records for your domain
    • DNS resolvers can query any of them β€” there's no preference order
    example.com.  86400  IN  NS  ns1.dnscale.eu.    ; primary
example.com.  86400  IN  NS  ns2.dnscale.eu.    ; secondary
example.com.  86400  IN  NS  ns3.dnscale.eu.    ; secondary

    From a resolver's perspective, all nameservers are equal. The resolver picks one (often the fastest to respond) and queries it.

    Zone Transfers

    Secondary servers get their data from the primary through zone transfers:

    AXFR (Full Zone Transfer)

    The secondary requests the entire zone from the primary. Used for initial synchronization or when the zone has changed significantly.

    Secondary β†’ Primary: "Send me the full zone for example.com"
Primary β†’ Secondary: [entire zone data]

    IXFR (Incremental Zone Transfer)

    The secondary requests only the changes since its last known serial number. More efficient for large zones with frequent small changes.

    Secondary β†’ Primary: "Send changes since serial 2026030901"
Primary β†’ Secondary: [only the added/removed records]

    Transfer Triggers

    Zone transfers happen when:

    1. The refresh interval in the SOA record expires β€” the secondary checks if the serial has changed
    2. The primary sends a NOTIFY message β€” tells secondaries that the zone has changed
    3. The secondary starts up and has no data or stale data

    Why You Need Secondary DNS

    Redundancy and Uptime

    If your only nameserver goes down, your entire domain becomes unreachable β€” no website, no email, no API. With secondary DNS, other nameservers continue answering queries.

    Faster Query Response

    Multiple nameservers in different geographic locations mean resolvers can query the nearest one, reducing latency for users worldwide.

    DDoS Resilience

    Distributing DNS across multiple servers (especially in an anycast network) makes it much harder for attackers to overwhelm your DNS infrastructure.

    Compliance

    Many domain registrars and TLD registries require at least two nameservers. Some enterprise environments require geographic redundancy.

    Types of Secondary DNS Setups

    Same-Provider Secondary

    All nameservers are operated by the same DNS provider but run on separate infrastructure:

    ns1.dnscale.eu.  β†’  Server in Amsterdam
ns2.dnscale.eu.  β†’  Server in Frankfurt
ns3.dnscale.eu.  β†’  Server in Chicago

    This is the default with DNScale β€” your zone is automatically served from multiple geographically distributed edge nodes.

    Multi-Provider Secondary (Hidden Primary)

    Your primary is a private ("hidden") server that isn't listed in NS records. Secondary servers at one or more providers serve all public queries:

    Hidden primary: internal-dns.yourcompany.com (not public)
Public NS: ns1.dnscale.eu.
Public NS: ns1.anotherprovider.com.

    This gives you full redundancy across providers. If one provider has an outage, the other continues serving.

    Multi-Provider Secondary (Public Primary)

    Similar to above, but the primary is also publicly listed:

    Primary: ns1.yourprovider.com (editable, public)
Secondary: ns1.dnscale.eu. (syncs via AXFR/IXFR)

    Setting Up Secondary DNS

    DNScale as Primary

    DNScale serves as the primary authoritative DNS with automatic replication to all edge nodes. No manual secondary configuration is needed β€” zone data propagates via PostgreSQL logical replication, which is faster than traditional zone transfers.

    DNScale as Secondary

    If you manage your own primary DNS server, you can configure DNScale as a secondary:

    1. Configure your primary to allow zone transfers (AXFR) to DNScale's transfer IPs
    2. Set up the zone in DNScale as a secondary zone
    3. DNScale will pull the zone data and serve it from its anycast network

    Multi-Provider with DNScale

    For maximum redundancy, combine DNScale with another provider:

    1. Use DNScale as your primary
    2. Configure a second provider to pull zone transfers from DNScale
    3. List both providers' nameservers in your NS records

    See Multi-Provider DNS Deployment for a detailed guide.

    TSIG Authentication

    Zone transfers should be authenticated to prevent unauthorized servers from copying your zone data. TSIG (Transaction Signature) uses shared secrets to authenticate transfer requests:

    # On the primary, allow AXFR only with TSIG key
key "transfer-key" {
    algorithm hmac-sha256;
    secret "base64-encoded-secret";
};

    DNScale supports TSIG for zone transfer authentication when used in a multi-provider setup.

    DNScale's Approach to Secondary DNS

    Traditional secondary DNS relies on AXFR/IXFR zone transfers, which can have delays between the primary update and secondary synchronization. DNScale takes a different approach:

    • PostgreSQL logical replication synchronizes zone data to edge nodes in near real-time
    • All edge nodes serve the same data within seconds of a change
    • No AXFR polling delays β€” updates propagate as they happen
    • Anycast routing ensures resolvers reach the nearest edge node

    This means DNScale provides the redundancy benefits of secondary DNS without the synchronization delays.

    Best Practices

    1. Always have at least two nameservers β€” one nameserver is a single point of failure
    2. Use geographically distributed servers β€” protects against regional outages
    3. Consider multi-provider DNS for critical domains β€” no single provider is 100% reliable
    4. Monitor zone transfer status β€” ensure secondaries are in sync by comparing serial numbers
    5. Use TSIG for zone transfer authentication
    6. Keep the SOA refresh/retry values reasonable β€” 1 hour refresh, 15 minute retry is a good default

    Verifying Secondary DNS

    Check that all nameservers return the same serial number:

    # Get the SOA serial from each nameserver
dig +short SOA example.com @ns1.dnscale.eu
dig +short SOA example.com @ns2.dnscale.eu
dig +short SOA example.com @ns3.dnscale.eu

    If serial numbers match, all servers are in sync.

    Conclusion

    Secondary DNS is fundamental to a reliable DNS infrastructure. It provides redundancy, faster global query response, and protection against outages and DDoS attacks. DNScale's anycast network with PostgreSQL replication delivers the benefits of secondary DNS with faster synchronization than traditional zone transfers, ensuring your domains stay online and responsive.