A secondary authoritative DNS (sometimes called “slave DNS”) service provider is a DNS name server that clones and hosts your primary DNS server over the DNS Zone Transfer Protocol (AXFR). There are a number of managed DNS service providers that offer this service, and I’ve put together a little feature comparison.
A secondary DNS server is often referred to as a “backup name server” or “backup DNS”. However, in reality every authoritative name server can be expected to receive an equal distribution of DNS query traffic. DNS was designed to be decentralized, and you can increase your domain zone’s availability and resilience to service outages by replicating it onto multiple name servers.
I’ll start off with a feature comparison matrix for a few hosted secondary DNS name server providers. The matrix also outlines the feature requirements I think are important. I’ll go into more details on each of these later in the article.
Service | AXFR | DNSSEC | TSIG | IPv6 | Route | POP |
---|---|---|---|---|---|---|
Akamai Edge DNS | Yes | Yes | Yes | Yes | Anycast | 1000 |
Alibaba Cloud DNS | Yes | No | Yes | Yes | Anycast | 19 |
Amazon Route 53 | No | No | No | Yes | Anycast | 53 |
Microsoft Azure DNS | No | No | No | Partial | Anycast | 15 |
BuddyNS | Yes | No | No | Yes | Unicast | 11 |
CloudNS | Yes | No | No | Partial | Anycast | 23 |
CloudfloorDNS | Yes | Yes | No | Partial | Anycast | 25 |
DNSMadeEasy | Yes | Yes | No | Yes | Anycast | 15 |
DNSUnlimited | Yes | Yes | Yes | Yes | Unicast | 5 |
Dyn Secondary | Yes | No | Yes | Yes | Anycast | 18 |
GoDaddy Premium DNS | Yes | No | Yes | Yes | Anycast | 60 |
Hurricane Electric DNS | Yes | Partial | Yes | Yes | Anycast | 24 |
NameCheap Premium DNS | No | No | No | Yes | Anycast | 17 |
No IP Squared | Yes | No | No | Partial | Anycast | 100 |
NS1 | Yes | Partial | Yes | No | Anycast | 25 |
RcodeZero | Yes | Yes | Yes | Yes | Anycast | 21 |
Update: Added Akamai Edge DNS to the comparison table.
Update: Added RcodeZero to the comparison table.
Pricing can’t be directly compared as the pricing models seem to be designed to defy direct comparisons with any competitor. However, services range from 14 to 1500 USD per year for at least two zones and a million requests per month. The above services were selected for this comparison primarily because they or at least two of their direct competitors provide price examples and sufficient technical information.
The lack of DNSSEC support was surprising to me. A secondary authoritative DNS server is only responsible for cloning the already DNSSEC-signed zone from the primary DNS server. DNSSEC would ensure that the secondary DNS provider doesn’t maliciously or unintentionally modify the DNS zone you entrust it to store. This may suggest that the secondary DNS providers reserve the right to modify or perhaps normalize your DNS records. Whatever their reason, it’s an absolute requirement for me that they stick with just doing the one thing I ask them to do, and DNSSEC is a good way to ensure that.
Secret Key Transaction Authentication for DNS (TSIG) is a certificate-based authentication system that prevents untrusted DNS clients from cloning your DNS zone. In some situations, it’s undesirable that the zone is cloned as it may leak information about your network and infrastructure. This isn’t especially important to me, but my primary DNS service provider requires that secondary DNS servers authenticate with TSIG. In legacy systems, you would allow-list the IP addresses of your secondary DNS servers in your primary server, and enforce access controls using IP addresses alone.
I found it interesting to note that many DNS service providers require TSIG authentication to copy zones from their primary DNS service, but also don’t support authenticating other DNS servers from their own secondary DNS service using TSIG.
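The primary-side check behind a TSIG-protected zone transfer, as an added example that is not code from any provider listed here. As specified in RFC 8945, TSIG authenticates each message with an HMAC keyed by a secret shared between the two servers, so the decision depends on the key rather than on the requester's IP address. The key name, secret and timestamps are constructed, and the MAC fields are passed as arguments instead of being parsed from a TSIG record.

```python
import hashlib
import hmac
import struct

def wire_name(name):
    """Encode a domain name in lower-cased, uncompressed DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def axfr_query(zone, msg_id):
    """Unsigned AXFR request: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)  # AXFR, IN

def tsig_mac(msg, key_name, secret, time_signed, fudge=300):
    """HMAC-SHA256 over the request followed by the RFC 8945 TSIG variables."""
    tsig_vars = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)         # CLASS ANY, TTL 0
        + wire_name("hmac-sha256")           # algorithm name
        + time_signed.to_bytes(6, "big")     # 48-bit signing time
        + struct.pack("!HHH", fudge, 0, 0)   # fudge, error, other length
    )
    return hmac.new(secret, msg + tsig_vars, hashlib.sha256).digest()

def check_transfer_request(msg, key_name, time_signed, mac, keys, now, fudge=300):
    """Primary-side checks in RFC 8945 order: key, then MAC, then time."""
    secret = keys.get(key_name.lower().rstrip("."))
    if secret is None:
        return "BADKEY"
    expected = tsig_mac(msg, key_name, secret, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

# Constructed sample values: key name, secret and timestamp are made up.
KEYS = {"xfr-key.example": b"constructed-shared-secret-32byte"}
SIGNED_AT = 1_700_000_000

if __name__ == "__main__":
    request = axfr_query("example.com", 0x1234)
    mac = tsig_mac(request, "xfr-key.example.", KEYS["xfr-key.example"], SIGNED_AT)
    print(check_transfer_request(request, "xfr-key.example.", SIGNED_AT, mac,
                                 KEYS, now=SIGNED_AT + 5))
```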
IPv6 in the above feature matrix means that the provider’s name servers at all their locations are reachable over IPv6. Every provider supports AAAA records.
Every name server is considered to be equal to any other name server. There’s no way to influence which name server a DNS client will send its queries to. A name server that’s available over an anycast IP address addresses this issue by having all of its geographic regions respond to the same IP address. Assuming optimized traffic routing and good partner agreements, the provider’s name servers should be physically near the resolving client and thus respond fast. A unicast IP address would direct queries to one specific geographic region. Your users in the United States could send their DNS queries to a server in Taiwan instead of a server located in the same state, and performance could suffer greatly.
Conclusions
Update: Hurricane Electric have implemented TSIG authorization. The above table has been updated to reflect this.
No single secondary DNS service currently supports the relevant standards required by my primary DNS server to transfer my zone files to a secondary domain server, and also supports the security features I need in place to be comfortable delegating DNS for my domain to them. That’s quite discouraging.
Many of the DNS service providers I’ve included here also impose arbitrary restrictions on the zone, such as minimum time-to-live (TTL) times, or prohibit the use of wildcard domains. This makes sense for Hurricane Electric, who provide some of the best DNS services on the internet and also don’t charge a dime for them. However, all the other providers charge for their services. As long as my DNS zone file meets current industry standards, they shouldn’t be opinionated about its exact configuration; they should keep my account ledger open and just host it as is.
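One way to check whether a secondary serves the zone unmodified, covering both the restrictions described above and the modification concern raised in the DNSSEC paragraph. This is an added example, not code from the original article; it assumes you can obtain a dig-style AXFR listing from the primary and from the secondary, and the two listings embedded here are constructed.

```python
def parse_axfr(text):
    """Map (owner, type, rdata) -> TTL from dig-style 'name TTL IN TYPE RDATA' lines."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # dig comments and blank lines
        fields = line.split(None, 4)
        if len(fields) != 5 or not fields[1].isdigit():
            continue                      # not a resource record line
        name, ttl, _rclass, rtype, rdata = fields
        key = (name.lower(), rtype.upper(), " ".join(rdata.split()))
        records[key] = int(ttl)           # the SOA opens and closes an AXFR; keep one
    return records

def compare_zones(primary_text, secondary_text):
    """Report records the secondary dropped, added, or serves with another TTL."""
    pri, sec = parse_axfr(primary_text), parse_axfr(secondary_text)
    return {
        "missing": sorted(k for k in pri if k not in sec),
        "added": sorted(k for k in sec if k not in pri),
        "ttl_changed": sorted((k, pri[k], sec[k]) for k in pri
                              if k in sec and pri[k] != sec[k]),
    }

# Constructed sample listings (documentation names and addresses only).
PRIMARY = """\
; constructed AXFR listing from the primary
example.com.     3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
example.com.     3600 IN NS  ns1.example.com.
example.com.     3600 IN NS  ns2.example.net.
www.example.com. 60   IN A   192.0.2.10
*.example.com.   300  IN A   192.0.2.20
example.com.     3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
"""
# Secondary copy: TTL of www raised to 300 and the wildcard record dropped.
SECONDARY = """\
example.com.     3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
example.com.     3600 IN NS  ns1.example.com.
example.com.     3600 IN NS  ns2.example.net.
www.example.com. 300  IN A   192.0.2.10
example.com.     3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
"""

if __name__ == "__main__":
    for kind, items in compare_zones(PRIMARY, SECONDARY).items():
        print(kind, items)
```

On a signed zone the same comparison also lists any RRSIG, DNSKEY or NSEC records the secondary failed to carry over, since they appear as ordinary lines in the listing.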
DNSUnlimited and Alibaba Cloud DNS are the services closest to meeting my requirements. I’ll not use DNSUnlimited as they’re one of the most expensive providers yet their name servers still use unicast. As for Alibaba Cloud DNS, … well let us just say it’s entirely out of the question to drop DNSSEC.
The best option seems to be to set up my own primary master DNS name server as a “hidden master” (meaning it would host the zone yet wouldn’t be set as a name server) so I can drop the TSIG authorization requirement. I could then have a look at Hurricane Electric DNS, which I already use as the primary name server for some domains, and figure out exactly what their limitations on DNSSEC support are. I could then also use DNSMadeEasy. Operating and maintaining my own authoritative name server isn’t a big deal, but I don’t want to deal with DNSSEC for a self-hosted domain zone.
In summary: there’s definitely room for competition in the secondary DNS service provider space, as there don’t appear to be any good options available.