DNS is a hierarchy of name servers, organised as a tree, that work together to resolve domain names to IP addresses so that billions of users can use the Internet the way it works today. One of the key mechanisms that makes this possible is DNS delegation: a server responsible for a higher level of the namespace can delegate part of it to another name server, which then becomes the Primary DNS server for the zone delegated to it.
Primary DNS server
Each DNS zone in the namespace has a DNS server that is the main holder of the zone's DNS data: the Primary DNS name server. The Primary DNS server keeps all the DNS records, including their latest changes, in a file called the zone file. That includes:
- A record – the IPv4 address for a name.
- AAAA record – the IPv6 address for a name.
- MX record – the incoming mail servers for the domain.
- TXT records – text data used for various verification processes and policies.
- And more, depending on the needs.
Each zone has a single Primary name server, which is authoritative for the zone. The same server can at the same time be a Secondary for another zone; it depends on the needs and on what the DNS administrator has configured. A Secondary server is also authoritative for the zone, since it holds a complete copy of it, and it answers clients' queries just as the Primary does.
The other important function of the Primary DNS server is that it is where DNS records for the zone are created, changed and deleted: edits to the zone are made only on the Primary. Depending on the configuration, it can send a NOTIFY message to the Secondary DNS servers whenever the zone changes. On receiving it (or when their refresh timer fires), the Secondaries query the Primary's SOA record and compare its serial number with their own; if the Primary's serial is higher, they pull the new zone data with a zone transfer (AXFR or IXFR).
If the Primary server is down, it obviously cannot answer queries itself. But if you have set up Secondary DNS servers, they hold a complete copy of the zone obtained by zone transfer, not just cached answers, and they keep answering authoritatively for as long as the SOA expire interval allows (typically days or weeks), even though they cannot refresh in the meantime. Record TTLs only govern how long resolvers cache individual answers; they do not limit how long a Secondary serves the zone.
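To make the NOTIFY/serial check and the expire behaviour concrete, here is an added example in Python (not code from the original article): it parses the SOA record out of a constructed sample zone file, compares serials the way RFC 1982 serial-number arithmetic requires (serials wrap at 2^32), and reports whether a Secondary still serves the zone a given time after its last successful refresh. The zone contents, names and addresses are made up for illustration.

```python
"""Secondary-side zone maintenance logic: SOA serial comparison (RFC 1982)
and the refresh/expire decision a Secondary makes after a NOTIFY."""
import re
from dataclasses import dataclass

SERIAL_HALF = 1 << 31  # half of the 32-bit serial space


@dataclass(frozen=True)
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


# Constructed sample zone file (RFC 2606 names, RFC 5737/3849 addresses).
ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2024061501 ; serial
        7200       ; refresh
        900        ; retry
        1209600    ; expire (14 days)
        300 )      ; minimum / negative-cache TTL
@   IN NS   ns1.example.com.
@   IN NS   ns2.example.com.
@   IN A    192.0.2.10
@   IN AAAA 2001:db8::10
@   IN MX   10 mail.example.com.
@   IN TXT  "v=spf1 mx -all"
"""


def parse_soa(zone_text: str) -> Soa:
    """Extract the SOA RDATA from zone-file text. Strips ';' comments first,
    so the parenthesised multi-line form tokenises like a one-line record."""
    stripped = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    m = re.search(r"SOA\s+(\S+)\s+(\S+)\s*\(?([^)]*)\)?", stripped)
    if not m:
        raise ValueError("no SOA record found")
    fields = m.group(3).split()[:5]  # serial refresh retry expire minimum
    if len(fields) != 5:
        raise ValueError("SOA must carry serial refresh retry expire minimum")
    return Soa(m.group(1), m.group(2), *(int(x) for x in fields))


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True if serial a is 'newer' than b on the 32-bit
    circle. A wrap from 4294967295 to 0 therefore counts as an increase."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def needs_transfer(local_serial: int, primary_serial: int) -> bool:
    """What a Secondary decides after a NOTIFY or a refresh-timer SOA query:
    start an AXFR/IXFR only if the Primary's serial is newer than its own."""
    return serial_gt(primary_serial, local_serial)


def secondary_state(soa: Soa, seconds_since_last_refresh: int) -> str:
    """A Secondary serves its zone copy until SOA EXPIRE elapses without a
    successful refresh; record TTLs play no part in this decision."""
    if seconds_since_last_refresh >= soa.expire:
        return "expired"  # zone dropped, server answers SERVFAIL for it
    if seconds_since_last_refresh >= soa.refresh:
        return "stale-but-authoritative"  # still answering, retrying every RETRY seconds
    return "fresh"


if __name__ == "__main__":
    soa = parse_soa(ZONE_TEXT)
    print(f"primary serial {soa.serial}, refresh {soa.refresh}s, expire {soa.expire}s")
    print("transfer needed when Secondary holds 2024061500?",
          needs_transfer(local_serial=2024061500, primary_serial=soa.serial))
    print("serial 0 newer than 4294967295 (wrap)?", serial_gt(0, 4294967295))
    for t in (0, 8000, 13 * 86400, 15 * 86400):
        print(f"{t:>8}s since last refresh: {secondary_state(soa, t)}")
```

The wrap-around case matters in practice: an operator who "fixes" a date-based serial by setting it lower than the Secondaries' copy will see them silently ignore every update until the serial is advanced past the old one using RFC 1982 steps.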
Is just a single Primary DNS server enough?
Yes, but there is a huge risk. A single server can be authoritative for the domain name, but then you have a single point of failure. If something happens to it, whether it breaks, is down for maintenance or an update, or the infrastructure suffers a problem such as a power outage, there will be nobody left to respond. It is a good idea to have at least a few Secondary DNS servers that can handle the traffic. They reduce the load on the Primary DNS server and provide redundancy.
How to protect the Primary DNS server?
A good step you can take is to hide the Primary DNS server: leave it out of the zone's NS records and make it unreachable for anybody except the DNS administrator and the Secondary DNS servers, which still need to reach it for NOTIFY and zone transfers. If nobody else can reach it, there is much less chance of someone compromising it and modifying the zone file. Restrict zone transfers to the Secondaries' addresses and, better, authenticate them with TSIG keys, so the syncing mechanism itself cannot be abused to dump the whole zone. The Secondaries remain authoritative for the zone; the clients get their answers from them, and your domain stays available.
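As an added example (not configuration from the original article or any specific deployment), the following BIND 9 fragments show a hidden Primary and one of its Secondaries. The addresses (10.0.0.5 for the Primary's private management interface, 192.0.2.2 and 198.51.100.2 for the Secondaries), the key name, file paths and the `secret` value are placeholders; generate a real key with `tsig-keygen xfer-key` and install the same key on both sides.

```conf
// ---- named.conf on the hidden Primary (10.0.0.5) ----
// Not listed in the zone's NS records; answers and transfers only to the
// Secondaries and to the local administrator.
acl secondaries { 192.0.2.2; 198.51.100.2; };   // placeholder addresses

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-FROM-tsig-keygen";  // placeholder
};

options {
    listen-on { 10.0.0.5; };                 // private interface only
    recursion no;
    allow-query { localhost; secondaries; }; // nobody else gets answers
    allow-transfer { none; };                // global default deny
};

zone "example.com" {
    type primary;                            // "type master" on BIND < 9.16
    file "/var/named/example.com.zone";
    allow-transfer { key "xfer-key"; };      // TSIG-signed AXFR/IXFR only
    notify explicit;                         // NOTIFY only the list below, not the NS set
    also-notify { 192.0.2.2 key "xfer-key"; 198.51.100.2 key "xfer-key"; };
};

// ---- named.conf on each Secondary (the servers that ARE in the NS set) ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-THE-SAME-BASE64-SECRET";  // placeholder
};

server 10.0.0.5 { keys { "xfer-key"; }; };   // sign SOA queries and transfer requests

zone "example.com" {
    type secondary;                          // "type slave" on BIND < 9.16
    file "/var/named/sec/example.com.zone";
    primaries { 10.0.0.5 key "xfer-key"; };  // "masters" on BIND < 9.16
    allow-transfer { none; };                // do not re-export the zone
    allow-update-forwarding { none; };       // no dynamic updates via this path
};
```

Two checks are worth running after deploying this: `dig @192.0.2.2 example.com AXFR` from an unrelated host should be refused, and the zone's NS records must list only the Secondaries, otherwise resolvers will keep trying the hidden Primary and time out.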
The Primary DNS server is important because it holds the zone file, and it is the only place where DNS records are added, changed or deleted.