In our previous blog, we discussed the basics of DNS. In this blog, we’ll explain some advanced techniques for DNS redundancy.
The primary DNS server hosting one or more zones acts as the authoritative DNS server through which DNS administrators manage zone files and make DNS changes such as adding, deleting, and updating DNS records.
Zones and zone files
The domain hosted in the DNS server is called a zone. The zone file is a human-readable text file that contains the different types of DNS records for that zone:
- SOA record: the start of authority record for the zone
- A records: IPv4 addresses mapped to a domain or sub-domain
- AAAA records: IPv6 addresses mapped to a domain or sub-domain
- CNAME records: an alias name pointing to its canonical name
- MX records: mail exchange records pointing to the zone's mail servers
- TXT records: free-form text records used for various verification purposes
- PTR records: reverse DNS lookup records (IP address to name)
The zone file hosted and managed by the primary DNS server is called the primary DNS zone. DNS is a core infrastructure component that requires 100% availability, so secondary DNS servers are used for greater scalability, security, and availability.
The secondary DNS can be provisioned in the same network as the primary DNS, or it can be hosted by a third-party DNS provider. The secondary DNS holds an identical, read-only copy of the zones hosted on the primary DNS. The zone files are synced from the primary DNS to the secondary DNS through a zone transfer.
A zone transfer is the mechanism that synchronizes up-to-date zone data from the primary DNS servers hosting the zones to the secondary DNS servers. There are two types of zone transfer:
- Full zone transfer (AXFR): The primary DNS server notifies the secondary DNS servers that changes have been made to a particular zone, and each secondary contacts the primary to check the serial number in the SOA record of the changed zone. If the serial number on the primary DNS is greater than the secondary's serial number for that zone, the entire zone file is copied from the primary DNS server to the secondary DNS servers.
- Incremental zone transfer (IXFR): The notification and SOA serial-number check work the same way as for AXFR. If the serial number on the primary DNS is greater than the secondary's serial number for that zone, the secondary servers compare the latest changes with their existing version of the zone and copy only the changed records from the primary DNS.
The secondary servers also periodically check the primary DNS servers for changes and copy up-to-date zone files; the interval between these checks is set by the refresh value in the zone's SOA record.
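As an added illustration (not code from the original post or from any DNS product), here is the secondary's decision logic for the two transfer types described above, in Python; it goes one step beyond the text by comparing serials with RFC 1982 serial-number arithmetic, so the "greater than" check still works when a serial wraps past 4294967295. The Zone and Delta classes, the primary's change journal, and the sample records are constructed assumptions, simplified to one record per owner name.

```python
from dataclasses import dataclass, field

SERIAL_MOD = 2 ** 32  # the SOA serial is an unsigned 32-bit field

def serial_newer(primary: int, secondary: int) -> bool:
    """RFC 1982 comparison: is `primary` newer? A plain `>` fails at the 4294967295 -> 0 wrap."""
    return primary != secondary and (primary - secondary) % SERIAL_MOD < SERIAL_MOD // 2

@dataclass
class Delta:  # constructed: a primary's journal entry, the changes that took the zone from `old` to `new`
    old: int
    new: int
    deletes: dict = field(default_factory=dict)  # owner name -> rdata removed
    adds: dict = field(default_factory=dict)     # owner name -> rdata added

@dataclass
class Zone:
    serial: int
    records: dict  # constructed, simplified: one rdata string per owner name

def plan_transfer(primary: Zone, secondary_serial: int, journal: list):
    """The secondary's decision after a NOTIFY or a scheduled refresh check."""
    if not serial_newer(primary.serial, secondary_serial):
        return "none", []  # serial not newer: nothing to copy
    deltas, cur = [], secondary_serial
    for d in journal:  # journal is in chronological order
        if d.old == cur:
            deltas.append(d)
            cur = d.new
    if deltas and cur == primary.serial:
        return "ixfr", deltas  # only the changed records travel
    return "axfr", []  # no contiguous history: fall back to a full copy

def apply_transfer(secondary: Zone, primary: Zone, journal: list) -> str:
    """Synchronise `secondary` with `primary`; returns the transfer type used."""
    mode, deltas = plan_transfer(primary, secondary.serial, journal)
    if mode == "ixfr":
        for d in deltas:
            for name in d.deletes:
                secondary.records.pop(name, None)
            secondary.records.update(d.adds)
    elif mode == "axfr":
        secondary.records = dict(primary.records)
    if mode != "none":
        secondary.serial = primary.serial
    return mode

# Constructed sample: the primary moved from serial 2024010101 to 2024010103 in two edits.
PRIMARY = Zone(2024010103, {"www": "A 192.0.2.10", "mail": "A 192.0.2.25", "api": "A 192.0.2.11"})
JOURNAL = [Delta(2024010101, 2024010102, {"www": "A 192.0.2.1"}, {"www": "A 192.0.2.10"}),
           Delta(2024010102, 2024010103, adds={"api": "A 192.0.2.11"})]
```

A secondary at serial 2024010101 gets an IXFR of two deltas, one with no matching journal history falls back to AXFR, and one already at the primary's serial transfers nothing.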
Securing zone transfers
Zones with zone transfer enabled can be downloaded by attackers using AXFR requests to the primary DNS servers. The following methods help secure zone transfers between primary and secondary DNS servers:
- IP address restriction: Allow zone transfer requests to the primary DNS servers only from the IP addresses of the secondary DNS servers.
- Transaction signature (TSIG): Enable TSIG for zones with zone transfer enabled. TSIG keys are symmetric secret keys pre-shared between the primary and secondary DNS servers. Whenever a zone transfer (AXFR/IXFR) is initiated between TSIG-enabled primary and secondary servers, each message is signed with an HMAC computed from the shared key, so the receiving server can verify that the request or zone data came from a peer holding the same key and was not altered in transit. TSIG authenticates the transfer but does not encrypt the zone data, so it complements, rather than replaces, the IP address restriction.
ManageEngine CloudDNS is an authoritative DNS service with advanced features and support for both primary and secondary DNS functionality. Sign up for a 30-day free trial of ManageEngine CloudDNS and experience easy DNS infrastructure management for yourself.