Secondary Zones

A secondary zone is a type of Domain Name System (DNS) zone that obtains its data through a zone transfer from the primary DNS server. Unlike a primary zone, which holds the master copy of the data and can be edited directly, a secondary zone is a read-only replica. It contains the same DNS records as the primary zone but cannot be modified directly; changes are made on the primary zone and propagate to the secondary. Both primary and secondary name servers answer queries authoritatively. A secondary zone provides redundancy, improves DNS resolution performance, and reduces the load on the primary DNS server.

Zone data in a secondary zone is synchronized with the primary zone through the standard AXFR zone transfer protocol. At the interval set by the refresh field of the zone's Start of Authority (SOA) record, the secondary queries the primary's SOA record and compares its serial number with the one it holds; a transfer is performed only when the primary's serial is newer. If the primary cannot be reached, the secondary keeps answering from its last copy until the SOA expire interval has elapsed, after which it stops answering for the zone.
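To make the refresh behaviour concrete, the following is an added example (not IONOS code) implementing the serial comparison and timer logic that a secondary applies to the primary's SOA record. The zone name, name server and timer values in it are constructed sample data.

```python
"""SOA-driven refresh logic of a secondary zone.

Added illustration, not IONOS code. A secondary does not copy the zone on every
check: it fetches the primary's SOA, compares the serial using RFC 1982
serial-number arithmetic and transfers only when the primary's serial is newer.
The SOA timers decide *when* it checks:
  refresh  seconds between successful checks
  retry    seconds between attempts after a failed check
  expire   seconds after the last successful check before the copy is discarded
All names and values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


@dataclass(frozen=True)
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

    @classmethod
    def parse(cls, rdata: str) -> "SOA":
        """Parse presentation-format SOA rdata, e.g. `dig +short SOA example.com` output."""
        parts = rdata.split()
        if len(parts) != 7:
            raise ValueError(f"expected 7 SOA fields, got {len(parts)}: {rdata!r}")
        nums = [int(p) for p in parts[2:]]
        if not all(0 <= n < SERIAL_MOD for n in nums):
            raise ValueError("SOA numeric fields must fit in 32 bits")
        return cls(parts[0], parts[1], *nums)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than b under RFC 1982 arithmetic (mod 2^32).

    Handles wraparound (0 is newer than 4294967295). Two serials exactly half
    the space apart are undefined by the RFC and reported as not newer, so a
    zone whose serial jumps that far is never treated as an update.
    """
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def needs_transfer(primary: SOA, secondary: Optional[SOA]) -> bool:
    """Transfer when the secondary has no copy yet or the primary's serial is newer."""
    return secondary is None or serial_gt(primary.serial, secondary.serial)


def next_action(soa: SOA, since_success: int, since_attempt: int,
                last_check_failed: bool) -> str:
    """What the secondary does now, given seconds since the last successful SOA
    check, seconds since the last attempt, and whether that attempt failed.

    Returns 'serve'   (copy is fresh, keep answering),
            'check'   (refresh interval elapsed, query the primary's SOA),
            'retry'   (last check failed and the retry interval elapsed), or
            'expired' (no successful check for `expire` seconds: the secondary
                       stops answering authoritatively for the zone).
    """
    if since_success >= soa.expire:
        return "expired"
    if last_check_failed:
        return "retry" if since_attempt >= soa.retry else "serve"
    return "check" if since_success >= soa.refresh else "serve"


if __name__ == "__main__":
    primary = SOA.parse("ns1.primary.example. hostmaster.example. 2024060102 3600 900 1209600 300")
    secondary = SOA.parse("ns1.primary.example. hostmaster.example. 2024060101 3600 900 1209600 300")
    print("transfer needed:", needs_transfer(primary, secondary))
    print("wrapped serial 0 newer than 4294967295:", serial_gt(0, 4294967295))
    print("state after primary unreachable for 14 days:",
          next_action(primary, since_success=1209600, since_attempt=900, last_check_failed=True))
```

The `expired` branch is the part to keep in mind for the high-availability scenarios that follow: a secondary keeps answering only for the SOA expire interval (14 days in the sample data) after its last successful check, so an outage of the primary longer than that takes the secondary down as well.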

Secondary zones play a critical role in maintaining consistent and reliable DNS infrastructure without exposing the core data source to direct edits or unnecessary operational risk.

Use cases

Scenario 1: High Availability (HA) DNS resolution

Precondition

A web application hosted by an enterprise requires uninterrupted domain name resolution to maintain uptime and service availability for global users.

Solution

When the primary DNS zone is hosted externally, you can configure IONOS Cloud DNS to function as a secondary zone. Next, update your domain registrar’s records to point to the IONOS secondary name servers. With this configuration, DNS resolution remains fully operational through the IONOS secondary servers, even if the primary zone becomes unresponsive. It ensures high availability by using a redundant and fault-tolerant name server infrastructure.

The geographic distribution of IONOS's DNS servers optimizes query performance by directing requests to the nearest location, which reduces latency and enhances the end-user experience. In a disaster recovery scenario, if the primary DNS infrastructure becomes unavailable, the secondary zone hosted on IONOS Cloud DNS continues to provide authoritative responses, ensuring uninterrupted access to DNS records and maintaining service continuity.

Scenario 2: Enhanced security through DNS exposure mitigation

Precondition

An organization with security-sensitive infrastructure wants to minimize the attack surface of its DNS architecture while maintaining public DNS resolution.

Solution

Replacing the primary name servers in the domain's delegation with the IONOS secondary zone name servers keeps the authoritative primary out of the public delegation, so internet resolvers send their queries to IONOS rather than to the primary. This reduces the primary's exposure to direct attack, such as query floods aimed at its address. For the primary to stay hidden, the zone's own NS records (and ideally the SOA MNAME) must name the IONOS servers rather than the primary, and the primary must still be reachable from IONOS for zone transfers.

Beyond enhanced security, using geographically distributed secondary servers improves DNS resolution performance globally. For disaster recovery, this setup ensures that DNS data remains accessible even if the primary zone server goes offline, whether through failure or attack, supporting operational resilience. Note that a secondary faithfully replicates whatever the primary serves, so it does not protect against records that an attacker changes on the primary itself.

Workflow: Set Up a Secondary Zone in IONOS Cloud DNS

1. Create a Secondary Zone

  • Create a secondary zone via the DCD or via the API.

  • Specify the IP address of the external primary DNS server to enable zone transfers.

2. Copy IONOS name servers

  • IONOS provides dedicated name servers for the secondary zone during its creation.

  • The name servers are different from those used for primary zones.

3. Add your domain name at the registrar

  • Go to your domain registrar’s control panel.

  • Next, do the following based on your use case:

    • Add the IONOS secondary zone name servers to the domain's name server (NS) delegation at the registrar, alongside the existing primary name servers. Both primary and secondary name servers are then publicly accessible for DNS resolution, and the secondary servers keep answering if the primary fails.

    • Replace the existing primary name servers with the IONOS secondary zone name servers. This approach mitigates exposure of your primary name server to potential attacks, because only the IONOS secondary name servers appear in the public delegation; the primary still has to be reachable from IONOS for zone transfers.

Note: Changes to the name server delegation can take up to 48 hours to propagate, but they usually complete much faster.

4. Initiate and verify zone transfer

  • Ensure the external primary server allows AXFR zone transfers to the IONOS transfer source addresses, restricted by an Access Control List (ACL), a Transaction Signature (TSIG) key, or both (in BIND, for example, the zone's allow-transfer statement). Do not allow transfers from arbitrary addresses: an unrestricted AXFR hands the full contents of the zone to anyone who asks.

  • Trigger or wait for the zone transfer to complete.

  • Confirm that the zone data is correctly replicated in IONOS, for example by querying the SOA record on each IONOS name server and checking that the serial number matches the one on the primary.

Steps 1 and 2 must come first because the IONOS name servers are assigned when the secondary zone is created. The registrar change in step 3 and the transfer in step 4 can be done in either order, but the safest sequence is to confirm that the transfer has completed and that the IONOS servers answer authoritatively for the zone before the delegation is changed: a secondary that has not yet loaded the zone answers with an error, and resolvers that pick that server will fail until the transfer is done.
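The following added example (not IONOS tooling) performs the replication check from step 4: it builds a DNS SOA query by hand, sends it over UDP with only the Python standard library, and insists on an authoritative answer so that a server that has not loaded the zone yet is reported rather than silently counted. The server addresses are placeholders from the RFC 5737 documentation range, and sample_response() produces a constructed packet for offline use, not captured traffic.

```python
"""Check that every delegated name server holds the same copy of a zone.
Added example, not IONOS tooling. Server addresses and the packet built by
sample_response() are constructed placeholders, not real infrastructure."""
import secrets
import socket
import struct
from typing import Callable, Dict, List, Optional, Tuple

TYPE_SOA, CLASS_IN = 6, 1
SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels: List[str] = []
    end, jumped, hops = off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_soa_query(zone: str, txid: int) -> bytes:
    # RD=0: ask the authoritative server for its own copy, never a cached one.
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone)
            + struct.pack("!HH", TYPE_SOA, CLASS_IN))


def parse_soa_response(msg: bytes, txid: int) -> Dict[str, object]:
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"rcode {flags & 0xF}: server does not serve this zone")
    if not flags & 0x0400:
        raise ValueError("answer is not authoritative (AA flag clear)")
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SOA:
            mname, p = decode_name(msg, off)
            rname, p = decode_name(msg, p)
            rec: Dict[str, object] = dict(zip(SOA_FIELDS, struct.unpack("!IIIII", msg[p:p + 20])))
            rec.update(mname=mname, rname=rname)
            return rec
        off += rdlen
    raise ValueError("no SOA record in the answer section")


def query_soa(server: str, zone: str, timeout: float = 3.0) -> Dict[str, object]:
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(zone, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_soa_response(data, txid)


def collect_serials(servers: List[str], zone: str,
                    fetch: Callable[[str, str], Dict[str, object]] = query_soa) -> Dict[str, Optional[int]]:
    """Serial per server; None where the server gave no usable authoritative answer."""
    out: Dict[str, Optional[int]] = {}
    for srv in servers:
        try:
            out[srv] = int(fetch(srv, zone)["serial"])  # type: ignore[arg-type]
        except (OSError, ValueError):
            out[srv] = None
    return out


def replication_report(serials: Dict[str, Optional[int]]) -> Tuple[bool, str]:
    missing = [s for s, v in serials.items() if v is None]
    if missing:
        return False, "no authoritative answer from: " + ", ".join(missing)
    if len(set(serials.values())) != 1:
        return False, "serial mismatch: " + ", ".join(f"{s}={v}" for s, v in serials.items())
    return True, f"all {len(serials)} servers answer serial {next(iter(serials.values()))}"


def sample_response(zone: str, txid: int, serial: int, rcode: int = 0) -> bytes:
    """Constructed authoritative SOA response for offline use (not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 1, 0, 0)     # QR + AA
    question = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", serial, 3600, 900, 1209600, 300))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # Placeholder addresses (RFC 5737 documentation range), not IONOS name servers.
    print(replication_report(collect_serials(["198.51.100.1", "198.51.100.2"], "example.com.")))
```

Run it with the primary's address plus every IONOS name server from step 2 in the list; the check passes only when all of them return the same serial with the AA flag set. A server that answers REFUSED or SERVFAIL because the transfer has not happened yet shows up as "no authoritative answer", which is the condition to clear before changing the delegation in the replace-the-primary use case.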
