The domain name system (DNS) plays a critical role in keeping internet-facing services and applications always available. If the DNS can't resolve queries, your service or application is effectively down in the eyes of the internet. Having only a single DNS provider in the delegation for your zones is potentially a large availability risk: if that single authoritative DNS suffers an outage or comes under a distributed denial-of-service (DDoS) attack, its ability to respond to queries is impaired.

To help mitigate the single point of failure scenario, we have seen many companies adopt a multi-authoritative DNS strategy. By having your zones delegated across two independent DNS infrastructures or providers, you greatly increase the likelihood that one of the DNS providers in the delegation is always available to answer queries, ensuring maximum availability. A few configurations can accomplish this goal, with pros and cons to each type of configuration. However, for this exercise, we focus on one of the more common and easier ways to accomplish a multi-authoritative DNS strategy: a primary-secondary DNS configuration.

Primary-secondary DNS format

For a high-level explanation, the primary DNS is where all the management of the zone and resource records are performed. The secondary DNS obtains a read-only copy of the zone file from the primary, meaning that the zone can’t be modified on the secondary side. The primary and secondary DNS servers stay in sync with one another through well-established DNS processes known as DNS NOTIFY and zone transfers (IXFR and AXFR).

[Image: A graphic depicting the communication between primary and secondary DNS when a change on the primary occurs.]

Figure 1: The communication process between a primary and secondary DNS server when a change on the primary occurs.
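The sequence in Figure 1 can be made concrete with a small model of the sync logic. The following is an added illustration, not OCI DNS code: a NOTIFY makes the secondary query the primary's SOA serial, and only a newer serial (compared with RFC 1982 wrap-around arithmetic) triggers an IXFR delta or, when the primary no longer holds the secondary's starting point, a full AXFR. Requests from addresses that are not on the primary's downstream list are refused. The IP addresses and zone records are constructed sample values from the RFC 5737 documentation ranges.

```python
"""Model of how a secondary DNS stays in sync with its primary via NOTIFY,
SOA serial checks and IXFR/AXFR. Added illustration, not OCI DNS code.
All addresses and records are constructed sample data (RFC 5737 ranges)."""

from __future__ import annotations

from dataclasses import dataclass, field

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial-number arithmetic: True if `candidate` is ahead of
    `current` in the wrapping 32-bit serial space (5 is newer than 2**32 - 3).
    The exact half-way point is undefined by the RFC; treated here as not newer."""
    candidate %= SERIAL_MOD
    current %= SERIAL_MOD
    if candidate == current:
        return False
    return (candidate - current) % SERIAL_MOD < SERIAL_HALF


@dataclass
class Primary:
    """Primary holding the zone, an IXFR change history and the list of
    downstream servers that receive NOTIFY and may transfer the zone."""
    serial: int
    records: dict[str, str]
    downstream: set[str]
    history: list[tuple[int, dict[str, str], dict[str, str]]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.base_serial = self.serial  # oldest serial an IXFR can start from

    def update(self, added: dict[str, str] | None = None, removed: list[str] | None = None) -> int:
        """Edit the zone on the primary (the only place edits happen) and bump the serial."""
        added = dict(added or {})
        deleted = {n: self.records.pop(n) for n in (removed or []) if n in self.records}
        self.records.update(added)
        self.serial = (self.serial + 1) % SERIAL_MOD
        self.history.append((self.serial, added, deleted))
        return self.serial

    def _check_acl(self, requester_ip: str) -> None:
        # Only configured downstream servers may pull the zone
        if requester_ip not in self.downstream:
            raise PermissionError(f"zone transfer from {requester_ip} refused")

    def axfr(self, requester_ip: str) -> dict[str, str]:
        """Full zone transfer."""
        self._check_acl(requester_ip)
        return dict(self.records)

    def ixfr(self, requester_ip: str, since_serial: int):
        """Changes since `since_serial`, or None if that serial is not a point the
        primary still knows, in which case the secondary must fall back to AXFR."""
        self._check_acl(requester_ip)
        known = {self.base_serial} | {s for s, _, _ in self.history}
        if since_serial not in known:
            return None
        return [entry for entry in self.history if serial_newer(entry[0], since_serial)]

    def notify(self, secondaries: dict[str, Secondary]) -> dict[str, str]:
        """DNS NOTIFY: tell each downstream server a change happened; each one
        then decides for itself whether and how to transfer."""
        return {ip: sec.refresh(self) for ip, sec in secondaries.items() if ip in self.downstream}


@dataclass
class Secondary:
    """Read-only copy of the zone; never edited directly."""
    ip: str
    serial: int = 0
    records: dict[str, str] = field(default_factory=dict)

    def refresh(self, primary: Primary) -> str:
        """Run on NOTIFY or when the SOA refresh timer fires. Returns the
        outcome: 'none', 'IXFR', 'AXFR' or 'refused'."""
        upstream_serial = primary.serial  # the SOA query to the upstream server
        if not serial_newer(upstream_serial, self.serial):
            return "none"
        try:
            delta = primary.ixfr(self.ip, self.serial)
            if delta is None:
                self.records = primary.axfr(self.ip)
                kind = "AXFR"
            else:
                for _, added, removed in delta:
                    for name in removed:
                        self.records.pop(name, None)
                    self.records.update(added)
                kind = "IXFR"
        except PermissionError:
            return "refused"
        self.serial = upstream_serial
        return kind


if __name__ == "__main__":
    primary = Primary(serial=2024010101,
                      records={"www.example.com. A": "203.0.113.10"},
                      downstream={"198.51.100.7"})
    secondary = Secondary(ip="198.51.100.7")
    print(secondary.refresh(primary))                        # AXFR: first load
    primary.update(added={"api.example.com. A": "203.0.113.11"})
    print(primary.notify({"198.51.100.7": secondary}))       # {'198.51.100.7': 'IXFR'}
    print(Secondary(ip="192.0.2.99").refresh(primary))       # refused: not a downstream server
```

The RFC 1982 comparison is the reason a secondary never "goes backwards" even when a serial wraps, and the downstream allow-list is what Figure 2 later enforces on the OCI side: an address that is not listed neither receives NOTIFY nor gets a transfer.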

Operating a multivendor DNS strategy using a primary-secondary configuration offers the following benefits:

  • Eliminates the DNS single point of failure: Having your DNS across more than one independent infrastructure provides resilience and redundancy to your DNS implementation. If one of the DNS providers is unavailable because of failure or DDoS, the other provider can continue to respond to DNS queries, allowing your service to maintain availability.
  • Single control plane: With the relationship established in a primary-secondary configuration, you only need to make changes on the primary side, and those changes propagate out to the secondary with NOTIFY and zone transfer.
  • Ease of setup: Configuring a secondary zone is simple and takes little time to complete. All you need is the zone name, the primary server IP, and a transaction signature (TSIG) if you’re using one.

Primary DNS using downstream servers

When managing primary zones, Oracle Cloud Infrastructure (OCI) DNS allows users to define downstream servers, to be used by their secondary DNS provider. The defined downstream servers are notified of changes by DNS NOTIFY and are authorized to contact OCI DNS and perform zone transfers to get updates on the zone.

[Image: A screenshot of the Details page in the Oracle Cloud Console showing the zone information and downstream servers.]

Figure 2: Manage downstream servers in the Oracle Cloud Console. The addresses defined here are the only addresses that receive DNS NOTIFY and are allowed to perform zone transfers.

Secondary DNS

OCI DNS supports configuring zones as secondary off your primary DNS provider. Create the zone as a secondary zone and define the IP addresses of upstream servers of your primary DNS. OCI uses these addresses to perform zone transfers from your primary DNS. OCI also supports TSIG keys, which are optional to enable.

[Image: A screenshot of the Details page showing the upstream servers in the zone.]

Figure 3: You define the upstream servers. The addresses defined in the upstream servers section are the addresses OCI attempts to perform zone transfers from. OCI supports both IXFR and AXFR.
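The other side of both relationships usually lives on a self-managed name server. As an added example, not OCI configuration or documentation, the BIND 9 `named.conf` fragments below show the two cases: a BIND primary whose zone OCI DNS pulls as a secondary (OCI's upstream servers point at this host), and a BIND secondary that pulls a zone from OCI DNS as primary (this host's public IP is listed as an OCI downstream server). The zone names, the addresses (RFC 5737 placeholders standing in for the OCI transfer addresses) and the TSIG secret are placeholders to be replaced with your own values.

```conf
// Added example (not OCI code): BIND 9 named.conf fragments for both directions.
// 192.0.2.x and 198.51.100.x are placeholders for the provider's transfer addresses.

// TSIG key shared with the other provider. Generate the secret with
// `tsig-keygen -a hmac-sha256 oci-xfer-key` and paste the same key on the OCI side.
key "oci-xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen, placeholder>";
};

// Case 1: this server is the primary; OCI DNS is the secondary.
// Transfers are allowed only when signed with the shared key, every change
// is pushed as NOTIFY to the listed addresses only, and IXFR deltas are kept
// even when the zone file is edited by hand.
zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    allow-transfer { key "oci-xfer-key"; };
    notify explicit;
    also-notify { 192.0.2.10 key "oci-xfer-key"; 192.0.2.11 key "oci-xfer-key"; };
    ixfr-from-differences yes;
};

// Case 2: this server is a downstream secondary; OCI DNS is the primary.
// The zone is read-only here and is never re-transferred to anyone else.
zone "example.net" {
    type secondary;
    file "/var/named/secondary/example.net.zone";
    primaries { 198.51.100.20 key "oci-xfer-key"; 198.51.100.21 key "oci-xfer-key"; };
    allow-transfer { none; };
};
```

One caveat when tightening the primary side: BIND's `allow-transfer` treats each entry as an alternative, so `allow-transfer { 192.0.2.10; key "oci-xfer-key"; }` permits a transfer that matches either the address or the key, not both. Requiring the key alone, as shown, is the simpler restriction; after a change, confirm sync by comparing the SOA serial on the primary with the one served by the other provider's name servers.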

OCI supports you!

OCI is flexible when it comes to how you configure your DNS. We recognize the importance of a multivendor DNS strategy and want to enable our clients in any DNS configuration. OCI DNS supports both secondary DNS and the downstream functionality to support zone transfers off OCI DNS. Whether you use OCI DNS as a primary and have another DNS provider as a secondary or OCI as a secondary off your primary provider, we support both use cases.

For a step-by-step guide on configuring both primary and secondary, as well as more details, definitions, and additional features, such as notifications on secondary zone failures, take a look at Secondary DNS. To learn more about OCI and the DNS offering, see Domain Name System (DNS). To get started implementing your DNS on Oracle Cloud Infrastructure, see Public DNS.