Web Security: DNS Explained

The Domain Name System (DNS) is the first point of contact between potential web clients and the sites they connect to in order to find specific services. DNS is an Internet protocol whose job is to turn domain names into the IP addresses that hosts use to identify each other on the network.

DNS is a vital part of your website’s presence and accessibility. Anyone trying to reach your website over the Internet will not be able to do so if your DNS is not working properly. That is why you must ensure the DNS servers pointing to your website are up and running at all times. If they are not, any clients trying to reach your web address will fail to connect, which in turn means downtime. And we all know that today every possible measure must be taken to reduce website downtime, because downtime leads to a loss of potential income.

So it is necessary to design the system so that it can cope with infrastructure failures, which should be expected. To mitigate the effects of a failure of the primary DNS system, multiple redundant systems can be installed. The three most popular methods of ensuring DNS keeps working for you are a secondary DNS server, a DNS failover system, and separate external DNS.

Secondary DNS is just what the name suggests: a second, independent server, usually located on a separate network from your primary DNS, set up to provide redundancy for your primary nameservers. If something goes wrong with your primary nameserver, the secondary nameserver should be able to answer all the requests for your website. Servers that act as primary nameservers for some domains are often secondaries for others at the same time, and they are usually located in different geographical locations.


DNS failover is a method in which the DNS hosting company runs a monitoring system: independent nodes periodically check each nameserver for responsiveness. If a server is found to be non-responsive during this monitoring, it is removed from the set of published servers and new DNS records are propagated throughout the system. To ensure that local network conditions at any one monitoring node do not skew the result, the checks are usually carried out by multiple nodes in diverse geographical locations.
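The failover process described above, as a small Python model: several monitoring nodes probe each nameserver, and a server is withdrawn from the published record set only when a majority of nodes agree it is unresponsive, so one node's local network trouble does not pull a healthy server out of rotation. This is an added example, not code from the original post; the node names, the addresses (taken from the 203.0.113.0/24 documentation range) and the majority rule are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class RecordSet:
    """A published DNS answer: name, TTL and the A-record addresses."""
    name: str
    ttl: int
    addresses: list


# Constructed probe results: monitoring node -> {nameserver IP: responded?}.
# Server .20 is down everywhere; .30 only looks down from us-east.
PROBES = {
    "eu-west":  {"203.0.113.10": True, "203.0.113.20": False, "203.0.113.30": True},
    "us-east":  {"203.0.113.10": True, "203.0.113.20": False, "203.0.113.30": False},
    "ap-south": {"203.0.113.10": True, "203.0.113.20": False, "203.0.113.30": True},
}


def failed_servers(probes, quorum=None):
    """Return the servers that at least `quorum` monitoring nodes saw as down.

    Default quorum is a simple majority of nodes. A node that did not probe a
    server is not counted as evidence of failure (`get(s, True)`).
    """
    nodes = list(probes.values())
    if quorum is None:
        quorum = len(nodes) // 2 + 1
    servers = set().union(*(n.keys() for n in nodes))
    return {s for s in servers
            if sum(1 for n in nodes if not n.get(s, True)) >= quorum}


def apply_failover(rrset, probes, quorum=None):
    """Build the record set to propagate, with failed servers withdrawn.

    If every server fails the check, the original set is kept unchanged:
    publishing an empty answer guarantees an outage, while the monitoring
    itself may be what is broken. Returns (new_rrset, failed_servers).
    """
    down = failed_servers(probes, quorum)
    healthy = [a for a in rrset.addresses if a not in down]
    if not healthy:
        return rrset, down
    # A short TTL on the published set keeps the old answer from lingering
    # in resolver caches after the records are changed.
    return RecordSet(rrset.name, rrset.ttl, healthy), down
```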


While not strictly a method of ensuring permanent DNS availability, keeping separate external and internal DNS servers is a very important aspect of DNS security. DNS servers can reveal a wealth of information about your network, which is extraordinarily helpful to internal systems management personnel. For security reasons, that information should not be accessible to outsiders. The best way to achieve this is a dual-server design: internal DNS servers answer queries from within the network, while a limited version of the information is offered to the outside world through separate external DNS servers. When designing such a system, the most important thing to remember is that internal and external clients take different paths in resolving DNS queries. If the client is local, the request is resolved locally; if the client is remote, the request is resolved through the public DNS hierarchy starting at the root name servers.


You should consider very carefully which of these redundancy systems and methods to implement for your websites: what your needs are, and how they would best be served by the options available.
