Secondary Authoritative Name Server Options for Self-Hosted Domains
In the past few months, I have moved the authoritative name servers (NS) of two of my domains (sahilister.net and sahil.rocks) in-house using PowerDNS. Subdomains of sahilister.net see roughly 320,000 hits/day across my IN and DE mirror nodes, so adding secondary name servers with good availability (in addition to my own servers) was one of my first priorities.
I explored the following options for my secondary NS, none of which cost me anything:
1984 Hosting
- 1984 Hosting Company FreeDNS.
- Hosting provider from Iceland.
- AXFR over IPv4 only.
- The following secondaries are offered:
- Not all of NS support IPv6.
- Personally, I use ns1.1984.is, which is hosted by Netnod, which runs one of the 13 root name servers and is the .SE ccTLD operator.
- Same infrastructure serves 1984.hosting as well.
Hurricane Electric
- Hurricane Electric Free DNS Hosting.
- One has to delegate NS towards one or more of ns[1-5].he.net to verify ownership. This does lead to a brief lame server period between the NS addition and the first zone transfer.
- Supports TSIG and DNSSEC pre-signed zones.
- The following secondaries are offered:
- The service went down when the he.net domain was put on hold (see the NANOG thread and Hurricane Electric’s response there). Better not to depend on just one external provider.
- Same infrastructure serves he.net as well.
Afraid.org
- FreeDNS at Afraid.org.
- Backup DNS option on left side menu on their website.
- The following secondary is offered:
Puck
- PUCK Free Secondary DNS service.
- A one-person show that has been long-standing; there seems to be manual approval of each account, which did take some time.
- The following secondary is offered:
NS-Global
- NS-Global DNS Service.
- According to the FAQ, anycast with 16 POPs, including one in Tokyo.
- Kenneth Finnegan’s blog post describes how this came to be. He is the same person who also pulled off the Fremont Cabal Internet Exchange and the MicroMirror CDN project.
- The following secondary is offered:
- ns-global.kjsl.com uses Afraid.org, Puck and their NS for their own zone.
Asking friends
Two of my friends and fellow mirror hosts have their own authoritative name server setup: Shrirang (i.e. albony) and Luke. Shrirang gave me another POP in IN, and through Luke (who has an insane amount of in-house NS; see dig ns jing.rocks +short), I added a JP POP.
If we know each other, I would be glad to host a secondary NS for you (in IN and/or DE locations).
Some notes
- Adding a third-party secondary means trusting that the third party will serve your zone correctly.
- Hurricane Electric and 1984 Hosting provide multiple NS. One can use some or all of them. Ideally, you can get away with just your own plus the full set from either of these two. Play around with adding and removing secondaries to see which gives you the best results. Using everyone is overkill anyway, unless you have specific reasons for it.
- Moving NS in-house isn’t that hard. Though, be prepared to get it wrong a few times (and some more). I have already faced partial outages because:
  - Recursive resolvers (RR) in the wild behave in weird ways and cache the wrong NS response for longer than the TTL.
  - NS expiry took longer than expected. 2 out of 3 of Netim’s NS (my domain registrar) had stopped serving my domain, while RRs in the wild hadn’t yet picked up my new in-house NS. I couldn’t really do anything about it, though.
  - The dot at the end is pretty important.
  - With HE.net, I forgot to delegate my domain on their panel and just added it in my NS set, thinking I had already done so (which I had, but for another domain), leading to a lame server situation.
- In terms of serving traffic, there’s no distinction between primary and secondary NS. RRs don’t really care which server they send the query to, so one can have a hidden primary too.
- I initially thought of adding periodic RIPE Atlas measurements from the global set but decided against it, as I already host a termux mirror, which brings in thousands of queries from around the world and so already gives a diverse set of RRs querying my domain.
- In most cases, query resolution time would increase with out-of-zone NS servers (which external secondaries most likely are): 1 query vs. 2 queries, since no glue is returned for out-of-zone names and the resolver has to look up the NS address separately. Pay close attention to the ADDITIONAL SECTION in Shrirang’s case, followed by mine:
$ dig ns albony.in
; <<>> DiG 9.18.36 <<>> ns albony.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60525
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;albony.in. IN NS
;; ANSWER SECTION:
albony.in. 1049 IN NS ns3.albony.in.
albony.in. 1049 IN NS ns4.albony.in.
albony.in. 1049 IN NS ns2.albony.in.
albony.in. 1049 IN NS ns1.albony.in.
;; ADDITIONAL SECTION:
ns3.albony.in. 1049 IN AAAA 2a14:3f87:f002:7::a
ns1.albony.in. 1049 IN A 82.180.145.196
ns2.albony.in. 1049 IN AAAA 2403:44c0:1:4::2
ns4.albony.in. 1049 IN A 45.64.190.62
ns2.albony.in. 1049 IN A 103.77.111.150
ns1.albony.in. 1049 IN AAAA 2400:d321:2191:8363::1
ns3.albony.in. 1049 IN A 45.90.187.14
ns4.albony.in. 1049 IN AAAA 2402:c4c0:1:10::2
;; Query time: 29 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Jul 04 07:57:01 IST 2025
;; MSG SIZE rcvd: 286
vs. mine:
$ dig ns sahil.rocks
; <<>> DiG 9.18.36 <<>> ns sahil.rocks
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64497
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;sahil.rocks. IN NS
;; ANSWER SECTION:
sahil.rocks. 6385 IN NS ns5.he.net.
sahil.rocks. 6385 IN NS puck.nether.net.
sahil.rocks. 6385 IN NS colin.sahilister.net.
sahil.rocks. 6385 IN NS marvin.sahilister.net.
sahil.rocks. 6385 IN NS ns2.afraid.org.
sahil.rocks. 6385 IN NS ns4.he.net.
sahil.rocks. 6385 IN NS ns2.albony.in.
sahil.rocks. 6385 IN NS ns3.jing.rocks.
sahil.rocks. 6385 IN NS ns0.1984.is.
sahil.rocks. 6385 IN NS ns1.1984.is.
sahil.rocks. 6385 IN NS ns-global.kjsl.com.
;; Query time: 24 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Jul 04 07:57:20 IST 2025
;; MSG SIZE rcvd: 313
- Theoretically speaking, a small increase/decrease in resolution time would occur based on the chosen TLD and the popularity of that TLD in the query originator’s area (already cached vs. fresh recursion).
- One can get away with having only 3 NS (or be like Google and have 4 anycast NS, or like Amazon and have 8, or like Verisign and make it 13 :P).
- Nowhere is it written that your NS need to be called dns* or ns1, ns2, etc. Get creative with naming NS; be deceptive with the naming :D.
- A good understanding of RR behavior can help in engineering a good authoritative NS system.
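To make the glue point above concrete, here is an added example (not from the original post): a small parser for dig output like the two responses shown above that records which NS names arrived with glue in the ADDITIONAL section and so which ones a resolver must resolve with a second query before it can ask them anything. The embedded samples are constructed, trimmed copies of those two outputs.

```python
import re
from collections import defaultdict

# Constructed samples, trimmed from the two dig outputs above: in-zone NS
# names come back with glue in ADDITIONAL, out-of-zone names do not.
DIG_ALBONY = """;; QUESTION SECTION:
;albony.in. IN NS
;; ANSWER SECTION:
albony.in. 1049 IN NS ns1.albony.in.
albony.in. 1049 IN NS ns2.albony.in.
;; ADDITIONAL SECTION:
ns1.albony.in. 1049 IN A 82.180.145.196
ns2.albony.in. 1049 IN AAAA 2403:44c0:1:4::2
"""
DIG_SAHIL = """;; QUESTION SECTION:
;sahil.rocks. IN NS
;; ANSWER SECTION:
sahil.rocks. 6385 IN NS ns5.he.net.
sahil.rocks. 6385 IN NS colin.sahilister.net.
sahil.rocks. 6385 IN NS ns2.albony.in.
"""
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_dig(text):
    """Pull the queried zone, its NS names and any glue out of dig output."""
    section, zone, ns, glue = None, None, [], defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-9]          # QUESTION / ANSWER / ADDITIONAL
        elif section == "QUESTION" and line.startswith(";"):
            zone = line[1:].split()[0]    # ";sahil.rocks. IN NS" -> "sahil.rocks."
        elif (m := RR_RE.match(line)):
            owner, rtype, rdata = m.groups()
            if section == "ANSWER" and rtype == "NS":
                ns.append(rdata)
            elif section == "ADDITIONAL" and rtype in ("A", "AAAA"):
                glue[owner].add(rdata)
    return zone, ns, dict(glue)

def classify(text):
    """Per NS: below the zone apex?  glue present?  second query needed?"""
    zone, ns, glue = parse_dig(text)
    return {n: {"in_zone": n.endswith("." + zone), "glue": n in glue,
                "extra_lookup": n not in glue} for n in ns}

def extra_lookups(text):
    """Count NS a resolver must resolve separately before it can query them."""
    return sum(r["extra_lookup"] for r in classify(text).values())
```

Running it over the real output of dig ns yourzone gives a quick count of how many of your secondaries cost resolvers that extra round trip.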
Further reading
- RFC 2182: Selection and Operation of Secondary DNS Servers is a good read on what to consider while choosing secondaries.
- RFC 1537: Common DNS Operational and Configuration Errors.
- DNS Nameservers by Geoff Huston gives a good overview of how common RRs behave. Another link from the same article is Recursives in the Wild: Engineering Authoritative DNS Servers.
- DNS Nameservers: Service Platforms and Resilience by Geoff Huston.
- Looking at Centrality in the DNS by Geoff Huston.