What is the most important best practice when setting up an authoritative primary DNS server for your own domain?

A primary DNS server is the first point of contact for a browser, application or device that needs to translate a human-readable hostname into an IP address. The primary DNS server contains a DNS record that has the correct IP address for the hostname. If the primary DNS server is unavailable, the device contacts a secondary DNS server, containing a recent copy of the same DNS records.

How Does a Primary DNS Server Work?

When a computer or device needs to connect to another device on the Internet, it typically uses a human-readable domain name, like “www.example.com”. The browser or application needs to translate the domain name into a numeric Internet Protocol (IP) address like “192.100.100.1”. This translation is done by the Domain Name System (DNS).

The device first contacts the primary DNS server that hosts the controlling zone file. This file contains the authoritative DNS information for the domain or subdomain. “Authoritative” means it is the trusted source for information like the IP address of the domain, administrator contact information, and settings like Time to Live (how long this IP address should be saved in a local cache).

The primary DNS server resolves the query by returning the IP address for the requested hostname. However, if the primary server is slow to respond, or is unavailable, the device is referred to one or more secondary DNS servers.

What is Secondary DNS?

Changes to DNS records—for example, changing the IP for a domain name—can only be done on a primary server, which can then update secondary DNS servers. DNS servers can be primary for one DNS zone and secondary for another DNS zone.

A secondary server holds a secondary DNS zone—a read-only copy of the zone file, which contains the DNS records. It receives an updated version of the copy in an operation called zone transfer. Secondary servers can pass a change request if they wish to update their local copy of the DNS records.

Secondary DNS servers are not mandatory—the DNS system can work even if only a primary server is available. But it is standard, and often required by domain registrars, to have at least one secondary server. Learn more about secondary DNS servers with NS1.

Benefits of having a secondary DNS server for a domain:

  • Provides redundancy in case the primary DNS server goes down. If there is no secondary server, when the primary fails, the website will become unavailable at its human-readable domain name (although it will still be accessible by its IP).
  • Distributes the load between primary and secondary servers. Some resolvers use the Smoothed Round Trip Time (SRTT) algorithm to prefer the lowest-latency name server from the available pool of servers (primary and one or more secondaries).
  • Part of a secure DNS strategy—DNS servers are exposed to security threats, first and foremost Distributed Denial of Service attacks (DDoS). Setting up an external DNS provider with DDoS protection as a secondary DNS, is a common way to deflect DDoS attacks.

DNS Zone, Primary and Secondary DNS Configuration

In the preceding discussion we referred to DNS zones. A DNS zone is a distinct part of the domain name space, delegated to a specific legal entity that is responsible for managing it.

For example, a root domain such as “acme.com” is a DNS zone, which can be delegated to a company, Acme Corporation Inc. Acme Corporation then assumes responsibility for setting up a primary DNS server, called an Authoritative Name Server, which holds correct DNS records for that domain.

DNS zones exist at higher and lower levels of the DNS hierarchy. For example, the Top Level Domain “.com” is also a DNS zone, which has an Authoritative Name Server providing DNS records for all the domains in the “.com” namespace. A subdomain, such as “support.acme.com” is also a DNS zone, which can be managed by Acme Corporation, or delegated to another entity.

Primary and Secondary DNS Management in Modern DNS Infrastructure

The classic primary/secondary DNS architecture is no longer used by modern, managed DNS providers.

Today, most DNS providers offer customers several name server IPs to use. Behind each of these IPs are pools of DNS servers, with requests routed via anycast (a routing technique in which the same IP address is announced from many locations, so each query reaches the nearest pool). This provides improved redundancy and high availability compared to the primary/secondary model.

However, even in advanced DNS deployments, secondary DNS can help you:

  • Migrate to new DNS infrastructure, with dependencies on old DNS servers—organizations may have tools, code, or legacy systems that point to an old DNS server hosted in their organizations. There may be scripts automatically creating DNS records (for example, if you provision a new subdomain for each of your customers). In order to migrate to a modern, managed DNS provider, without breaking your dependencies, you can define the DNS provider as a secondary DNS server. This will keep all existing processes in sync, but in case of failure or slow response of in-house DNS servers, the high-performance, managed DNS server will respond.
  • Avoid single points of failure—high traffic sites and mission-critical web applications cannot tolerate outages. Even if using a managed DNS provider, administrators might prefer to use two providers, to avoid any single point of failure. A simple way to do so is to configure one provider as primary DNS server and the other as secondary. This way, all management and creation of DNS records is done with one provider, and in case of failure or slow response, the secondary takes over.
  • Set up redundant DNS with one managed service—NS1’s intelligent managed DNS can set up a dedicated DNS deployment for your organization, which runs on a separate network and servers from its regular managed DNS service. This gives you redundancy between two separate DNS servers, but can work with only one provider. The dedicated deployment is not shared with any other organizations, so it isn’t exposed to attacks targeting other customers on the NS1 DNS service.

To learn more about how you can leverage primary and secondary DNS to power state-of-the-art, high-performance and highly available DNS deployments, see NS1’s Secondary DNS solution.


While a round robin DNS setup allows for greater load balancing, it should be noted that if one of the hosts becomes unavailable, the DNS server will not know this. Should this happen, the DNS server will keep handing out the IP of the downed host in rotation.

Example DNS Record

The following is an example of what a sample DNS record might look like.

Host Name     IP Address/URL     Record Type
@             123.123.123.12     A-Record
www           domain.com.        CNAME
ftp           123.123.123.12     A-Record
mail          123.123.123.12     A-Record
ns1           123.123.123.12     A-Record
ns2           123.123.123.13     A-Record
subdomain1    domain.com.        CNAME
subdomain2    domain.com.        CNAME

*Note: Don’t forget to put a period after the domain name like in the examples above.
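As an added example (not part of the original article), the following Python checker applies the trailing-dot rule from the note above to the sample table, assuming domain.com. as the zone origin. It shows what a relative CNAME target silently expands to, and also flags CNAME records at the apex or sharing a name with other records.

```python
import ipaddress

# Assumed zone origin for the sample table above (constructed for this example).
ORIGIN = "domain.com."

# The table's rows as (host name, value, type). The last row is a constructed
# variant of subdomain2 with the trailing dot left off, to show what the note warns about.
SAMPLE_RECORDS = [
    ("@", "123.123.123.12", "A"),
    ("www", "domain.com.", "CNAME"),
    ("ftp", "123.123.123.12", "A"),
    ("mail", "123.123.123.12", "A"),
    ("ns1", "123.123.123.12", "A"),
    ("ns2", "123.123.123.13", "A"),
    ("subdomain1", "domain.com.", "CNAME"),
    ("subdomain2", "domain.com", "CNAME"),  # constructed mistake: no trailing dot
]


def absolute_name(name, origin=ORIGIN):
    """Expand a name the way a zone file does: '@' is the origin, a trailing dot
    marks an absolute name, and anything else gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def validate_zone(records, origin=ORIGIN):
    """Return a list of human-readable problems found in the records."""
    problems = []
    types_by_name = {}
    for name, value, rtype in records:
        types_by_name.setdefault(name, set()).add(rtype)
        if rtype == "A":
            try:
                if ipaddress.ip_address(value).version != 4:
                    problems.append(f"{name}: A record needs an IPv4 address, got '{value}'")
            except ValueError:
                problems.append(f"{name}: A record value '{value}' is not an IP address")
        elif rtype == "CNAME":
            target = absolute_name(value, origin)
            if not value.endswith("."):
                # The classic mistake: a relative target is silently qualified with the origin.
                problems.append(f"{name}: CNAME target '{value}' is relative and resolves to '{target}'")
            if name == "@":
                problems.append("@: CNAME at the zone apex is not allowed (the apex carries SOA and NS)")
            if target == absolute_name(name, origin):
                problems.append(f"{name}: CNAME points at itself")
    # RFC 1034: a CNAME owner name may not have any other record types.
    for name, types in sorted(types_by_name.items()):
        if "CNAME" in types and len(types) > 1:
            others = sorted(types - {"CNAME"})
            problems.append(f"{name}: CNAME cannot coexist with other record types {others}")
    return problems


if __name__ == "__main__":
    for problem in validate_zone(SAMPLE_RECORDS):
        print(problem)
```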

How to Install and Configure DNS

Now you know more about the Domain Name System and what it does, but before you can start using it, you’ll need to know how to install and configure DNS. For the purposes of this guide, we’ll be covering the DNS configuration and installation procedure specifically for the older Windows Server 2003. For information on installing DNS onto newer server versions, check out our guide on How to Setup DNS Server on Windows Server 2012.

Preliminary Requirements for DNS Configuration 

Before you can configure your DNS, you’ll need to gather some basic information. Some of these requirements must be pre-approved by InterNIC for use on the Internet. If you’re configuring your server for internal use only, you can decide which names and IP addresses to use yourself.

To start, you must have the following information:

  • Your domain name (approved by InterNIC)
     
  • The IP address and host name of each server that you want to provide name resolution for

*Note: Your servers may include mail servers, public access servers, FTP servers, WWW servers, and others.

Additionally, before you can configure your computer as a DNS, you’ll need to verify that the following conditions are true:

  • First, you’ll need to ensure that your operating system is configured correctly. In the Windows Server 2003 family, the DNS service relies on the correct configuration of the operating system and its services, such as TCP/IP. If you have a new installation of a Windows Server 2003 operating system, you can use the default service settings, removing the need to take additional action.
     
  • Next, make sure you’ve allocated all the available disk space.
     
  • Lastly, check that all existing disk volumes use the NTFS file system. FAT32 volumes are not secure, and do not support file and folder compression, disk quotas, file encryption, or individual file permissions.

DNS Installation

To install DNS, just follow these 4 steps:

  1. First, you’ll need to open the Windows Components Wizard. To locate the Windows Components Wizard:
    1. Click Start, -> Control Panel, and then click on Add or Remove Programs.
       
    2. Click Add/Remove Windows Components.
       
  2. In Components, select the Networking Services check box, and then click Details.
     
  3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.
     
  4. If you are prompted, in Copy files from, type the full path of the distribution files, and then click OK.

Once this process is completed, DNS should begin installing.

DNS Configuration

To configure your DNS server, follow these 5 steps:

  1. First, you’ll need to start the Configure Your Server Wizard. To do so, click Start -> All Programs -> Administrative Tools, and then click Configure Your Server Wizard.
     
  2. On the Server Role page, click DNS server, and then click Next.
     
  3. On the Summary of Selections page, view and confirm the options that you have selected. The following items should appear on this page:
    •   Install DNS
    •   Run the Configure a DNS Wizard to configure DNS

     If the Summary of Selections page lists these two items, click Next. If it does not list these two items, click Back to return to the Server Role page, click DNS, and then click Next to load the page again.

     
  4. When the Configure Your Server Wizard installs the DNS service, it first determines whether the IP address for this server is static or is configured automatically. If your server is currently configured to obtain its IP address automatically, the Configuring Components page of the Windows Components Wizard will prompt you to configure the server with a static IP address. To do so perform the following actions:
    1. In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.
       
    2. Next, click Use the following IP address, and then type the static IP address, subnet mask, and default gateway for this server.
       
    3. In Preferred DNS, type the IP address of this server.
       
    4. In Alternate DNS, either type the IP address of another internal DNS server, or leave this box blank.
       
    5. When you’ve finished setting up the static IP addresses for your DNS, click OK, and then click Close.
       
  5. After you Close the Windows Components Wizard, the Configure a DNS Server Wizard will start. In the wizard, follow these steps:
    1. On the Select Configuration Action page, select the Create a forward lookup zone check box, and then click Next.
       
    2. To specify that this DNS hosts a zone containing DNS resource records for your network resources, on the Primary Server Location page, click This server maintains the zone, and then click Next.
       
    3. On the Zone Name page, in Zone name, specify the name of the DNS zone for your network, and then click Next. The name of the zone is the same as the name of the DNS domain for your small organization or branch office.
       
    4. On the Dynamic Update page, click Allow both nonsecure and secure dynamic updates, and then click Next. This makes sure that the DNS resource records for the resources in your network update automatically.
       
    5. On the Forwarders page, click Yes, it should forward queries to DNS servers with the following IP addresses, and then click Next. When you select this configuration, you forward all DNS queries for DNS names outside your network to a DNS at either your ISP or central office. Type one or more IP addresses that either your ISP or central office DNS servers use.
       
    6. On the Completing the Configure a DNS Wizard page of the Configure a DNS Wizard, you can click Back to change any of your selected settings. Once you’re happy with your selections, click Finish to apply them.

After finishing the Configure a DNS Wizard, the Configure Your Server Wizard displays the This Server is Now a DNS Server page. To review the changes made to your server or to make sure that a new role was installed successfully, click on the Configure Your Server log. The Configure Your Server Wizard log is located at: 

%systemroot%\Debug\Configure Your Server.log

To close the Configure Your Server Wizard, just click Finish.

Setting Up a DNS Forward Lookup Zone

Forward lookup zones are the specific zones which resolve domain names into IP addresses. If you’ve followed the configuration instructions above, your forward lookup zone should already be set up. If for some reason you need to set up a forward lookup zone after configuring your DNS, you can follow these instructions:

  1. First, open up DNS by navigating to the Start menu -> Administrative Tools -> DNS.
     
  2. Expand the server and right click Forward Lookup Zones and click New Zone.
     
  3. Click Next and select the type of zone you want to create.
     
  4. Select the method to replicate zone data throughout the network and click Next.
     
  5. Type in the name of the zone.
     
  6. Select the type of updates you want to allow and click Next.
     
  7. Once you’ve completed everything, click on Finish.

Changing the DNS Server for Network Interfaces

If you need to change the DNS server for different network interfaces, you can do so using the following:

  1. In Network Connections, right-click the local area connection, and then click Properties.
     
  2. In Local Area Connection Properties, select Internet Protocol (TCP/IP), and then click Properties.
     
  3. Click Use the following DNS server addresses, and in Preferred DNS server and Alternate DNS server, type the IP addresses of the preferred and alternate DNS servers.
     
  4. To add more DNS servers, click the Advanced button.

Flush the DNS Resolver Cache

A DNS resolver cache is a temporary database created by a server to store data on recent DNS lookups. Keeping a cache helps speed up the lookup process for returning IP addresses. You can use the command ipconfig /displaydns to see what entries are currently stored in your server’s cache.

Sometimes, though, a virus will hijack a server’s DNS cache and use it to reroute requests. This is sometimes referred to as cache poisoning, and it is one of several reasons why you may want to flush the DNS cache.

To do so, enter the following command:

ipconfig /flushdns

When completed successfully, you should receive a message that says “Windows IP configuration successfully flushed the DNS Resolver Cache.”

Creating a DNS Entry for the Web Server

Obviously, one of the most important things about running a website is ensuring that it is accessible to users. Part of this process involves creating alias or CNAME (Canonical Name) records for the DNS server on which you’ve configured IIS (Internet Information Services). This step is important, because it makes sure that external host computers can connect to your Web server by using the “www” host name.

To create a new DNS entry, just follow these steps:

  1. First, you’ll need to open the DNS snap-in. To do this, click Start -> Administrative Tools -> DNS.
     
  2. Once you’ve opened DNS, expand “Host name” (where “Host name” is the host name of your DNS server).
     
  3. Expand the option labelled Forward Lookup Zones.
     
  4. Within the Forward Lookup Zones, right-click the zone you want (for example, domain_name.com) and then click New Alias (CNAME).
     
  5. In the Alias name box, type “www.”
     
  6. Lastly, in the Fully qualified name for target host box, type the fully qualified host name of the DNS server on which IIS is installed (for example, dns.domain_name.com).
     
  7. When you’ve finished, click OK to finalize your changes.

Creating a DNS Entry Using cPanel, WHM, or Plesk

Depending on your server’s setup, you may prefer to create your DNS entries using your server’s GUI control panel. The following is a list of links to articles that deal specifically with making new DNS entries using cPanel, WHM, or Plesk. If you use any of these three control panels, you might want to look over the corresponding article for more information on using DNS alongside your preferred control panel.

Secure Recursive DNS

A recursive lookup is when a DNS server is queried for a domain for which it isn’t authoritative. For example, if you queried your nameserver for the domain yahoo.com, that would be a non-authoritative, or recursive, lookup.

Based on this principle, open DNS recursion, also known as running an open DNS server, is when your DNS server answers recursive lookups for the general public. If you have an open DNS server, the chances are higher that your server will be abused by spammers. In addition, open DNS recursion consumes a lot of resources.

To lighten the load on your server and reduce potential risk, the following changes can be made to restrict recursive and caching lookups to only the IP blocks listed in the configuration. This can help reduce the risk associated with DNS exploitations used by hackers and malicious actors online.

First, you’ll need to follow the set of instructions specific to your server’s OS. We’ve included instructions for both Linux and Windows server users.

Linux Servers

To secure recursion on Linux servers running Bind, you’ll need to modify the file /etc/named.conf. *Note: before making any changes, please be sure to back up the file to ensure nothing is lost.

If you look at the example below, you’ll notice that “allow-recursion” is set to the IP address 127.0.0.1. This allows recursive queries only from the local Linux machine itself (the loopback address 127.0.0.1), which is what you want when the server’s own resolver configuration points at 127.0.0.1. If you want to open recursion to your own networks while still keeping the server from being an open resolver, edit these lines to include only your required or preferred subnets.

    options {
        recursion yes;
        allow-recursion { 127.0.0.1/32; };
        allow-query-cache { 127.0.0.1/32; };
    };

After making any changes, you’ll need to restart Bind with the following command:

service named restart

or

/etc/init.d/named restart
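To see how an address match list like the “allow-recursion” block above is evaluated, here is an added Python example (not Bind’s code and not part of the original article). It parses constructed named.conf fragments (using the 192.0.2.0/24 documentation range) and applies Bind’s first-match-wins rule to a few client addresses, including a negated entry whose position in the list decides whether it has any effect.

```python
import ipaddress
import re

# Constructed named.conf fragments for this example. The first mirrors the
# restricted block above, extended with a subnet and one negated host; the
# second is the open-resolver shape the section warns against.
RESTRICTED_CONF = """
options {
    recursion yes;
    allow-recursion { 127.0.0.1/32; !192.0.2.99; 192.0.2.0/24; };
    allow-query-cache { 127.0.0.1/32; };
};
"""
OPEN_CONF = """
options {
    recursion yes;
    allow-recursion { any; };
};
"""


def parse_acl(conf_text, directive):
    """Return the ordered elements of 'directive { ...; };', or None if the
    directive is absent from the fragment."""
    match = re.search(r"\b" + re.escape(directive) + r"\s*\{([^}]*)\}", conf_text)
    if match is None:
        return None
    return [e.strip() for e in match.group(1).split(";") if e.strip()]


def element_matches(element, client):
    """Test one address-match-list element; returns (matched, negated)."""
    negated = element.startswith("!")
    token = element.lstrip("!").strip()
    if token == "any":
        return True, negated
    if token == "none":
        return False, negated
    if token == "localhost":
        return client.is_loopback, negated
    # A bare address or a CIDR prefix; IPv6 clients never match IPv4 prefixes.
    return client in ipaddress.ip_network(token, strict=False), negated


def recursion_allowed(conf_text, client_ip):
    """Decide whether allow-recursion lets client_ip recurse. Bind evaluates the
    list in order and the first matching element wins: a negated match denies,
    and no match at all denies. Returns None when allow-recursion is not set,
    because Bind then applies defaults that this example does not model."""
    elements = parse_acl(conf_text, "allow-recursion")
    if elements is None:
        return None
    client = ipaddress.ip_address(client_ip)
    for element in elements:
        matched, negated = element_matches(element, client)
        if matched:
            return not negated
    return False


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.0.2.10", "192.0.2.99", "203.0.113.5"):
        print(ip, "restricted:", recursion_allowed(RESTRICTED_CONF, ip),
              "open:", recursion_allowed(OPEN_CONF, ip))
```

Had the negated host been listed after 192.0.2.0/24, the subnet entry would match first and 192.0.2.99 would be allowed to recurse, which is why order matters in these lists.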

Windows Servers

For Windows servers, if the local DNS server is not used for caching, then recursion needs to be disabled. Luckily, this is an easy change to make, involving a simple check mark in the DNS server’s configuration settings.

If you need to turn DNS recursion off for your Windows DNS server, follow these steps:

  1. First, log in to your Windows server via Remote Desktop.
     
  2. Open the Windows DNS server console, by navigating to Start -> Administrative Tools -> DNS.
     
  3. In the console tree, right-click on the name of the DNS server you are making changes on.
     
  4. Select Properties which will open a new window, and then select the Advanced tab.
     
  5. Under Server Options select the Disable Recursion checkbox, then click the application’s OK or Apply buttons.

Now, recursion has been turned off for your DNS server. Should you ever wish to change this setting, simply repeat the above process and deselect the Disable Recursion checkbox.

In Closing and Further Reading

Now, you should have a better understanding of what DNS is and what it does, as well as the processes necessary to install and configure it. In addition, we’ve covered several more advanced DNS features including setting recursion and creating CNAMEs.

For further information on DNS, we’ve included a series of links to related articles in the list below. If you are facing issues not covered in this article, feel free to look over these or reach out to our support team for assistance.
