When a domain has a primary NS and several secondary NSes, will clients ask them randomly to reduce the load, or will they hit the primary NS only and proceed to a secondary only when the primary fails?


8 Answers


I will reuse the example from here https://serverfault.com/questions/130608/when-is-a-secondary-nameserver-hit/130625#130625

Basically it depends on the resolver implementation. Some resolvers hit the first server; other resolvers will randomly pick a server from those available. To get around this, most DNS servers randomize the order of the replies.

If you ask for google.com you get the following answer:

#dig NS google.com 
;google.com.            IN  NS

google.com.     297286  IN  NS  ns3.google.com.
google.com.     297286  IN  NS  ns2.google.com.
google.com.     297286  IN  NS  ns4.google.com.
google.com.     297286  IN  NS  ns1.google.com.

ns1.google.com.     297067  IN  A
ns2.google.com.     297074  IN  A
ns3.google.com.     297074  IN  A
ns4.google.com.     297067  IN  A

And then we do it again:

#dig NS google.com
;google.com.            IN  NS

google.com.     297249  IN  NS  ns3.google.com.
google.com.     297249  IN  NS  ns2.google.com.
google.com.     297249  IN  NS  ns1.google.com.
google.com.     297249  IN  NS  ns4.google.com.

ns1.google.com.     297030  IN  A
ns2.google.com.     297037  IN  A
ns3.google.com.     297037  IN  A
ns4.google.com.     297030  IN  A

Notice here how they change the order of the nameservers in the reply to spread out the load.


IPv4 resolvers will typically use the servers in the order they get them in the packet, with the first one most often succeeding. The order is typically randomized by the DNS server to spread the load. IPv6 will change this, as it requires the IP with the most common topmost bits to be the one contacted first. This will make randomization of the DNS replies meaningless.


As far as DNS recursive servers are concerned, there's no difference between "primary" and "secondary" name servers - technically they're both just "authoritative" servers.

The only things that make any difference to the effectiveness of the load balancing are:

  1. the order that the list of NS records is returned by the servers themselves
  2. whether the client then picks one at random anyway
  3. whether the client uses other heuristics (i.e. round-trip time - RTT) to pick the "fastest" server

Of those factors, the first is the least important. Picking at random and using RTTs is much more common.

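As an added illustration (not code from any of the answers above), the script below first parses the two dig replies quoted in the earlier answer to confirm that the NS set is identical while the order differs, and then simulates the three client-side selection policies listed in this answer (first-in-list, random, fastest RTT) against a server that rotates its NS list on every reply. The example.net zone, its round-trip times and the one-position-per-reply rotation model are constructed assumptions for the simulation.

```python
import random
from collections import Counter

# Two NS replies copied from the dig output in the first answer above; the A-record
# addresses were not present on the page, so those lines are omitted here.
REPLY_1 = """\
;google.com.            IN  NS

google.com.     297286  IN  NS  ns3.google.com.
google.com.     297286  IN  NS  ns2.google.com.
google.com.     297286  IN  NS  ns4.google.com.
google.com.     297286  IN  NS  ns1.google.com.
"""
REPLY_2 = """\
;google.com.            IN  NS

google.com.     297249  IN  NS  ns3.google.com.
google.com.     297249  IN  NS  ns2.google.com.
google.com.     297249  IN  NS  ns1.google.com.
google.com.     297249  IN  NS  ns4.google.com.
"""


def ns_order(dig_output):
    """Return the NS targets in the order the answer section lists them."""
    order = []
    for line in dig_output.splitlines():
        f = line.split()
        # Answer lines look like: owner ttl IN NS target. The ';' question line
        # has a different field count and is skipped.
        if len(f) == 5 and f[2] == "IN" and f[3] == "NS":
            order.append(f[4])
    return order


# Constructed four-server zone with hypothetical round-trip times in milliseconds.
NAMESERVERS = ["ns1.example.net", "ns2.example.net", "ns3.example.net", "ns4.example.net"]
RTT_MS = {"ns1.example.net": 40, "ns2.example.net": 15,
          "ns3.example.net": 90, "ns4.example.net": 25}


def rotated_ns_list(servers, query_index):
    """Model an authoritative server that rotates the NS RRset by one position per reply."""
    k = query_index % len(servers)
    return servers[k:] + servers[:k]


# Three resolver selection policies, matching the list in the answer above.
def pick_first(ns_list, rtt, rng):
    return ns_list[0]


def pick_random(ns_list, rtt, rng):
    return rng.choice(ns_list)


def pick_fastest(ns_list, rtt, rng):
    return min(ns_list, key=lambda s: rtt[s])


def simulate(policy, queries=1000, rotate=True, seed=0):
    """Count how many queries each server receives under a given policy."""
    rng = random.Random(seed)
    load = Counter()
    for i in range(queries):
        ns_list = rotated_ns_list(NAMESERVERS, i) if rotate else list(NAMESERVERS)
        load[policy(ns_list, RTT_MS, rng)] += 1
    return load


if __name__ == "__main__":
    first, second = ns_order(REPLY_1), ns_order(REPLY_2)
    print("same servers:", set(first) == set(second), "same order:", first == second)
    policies = [("first-in-list", pick_first), ("random", pick_random), ("fastest RTT", pick_fastest)]
    for name, policy in policies:
        for rotate in (True, False):
            print(f"{name:13s} rotate={rotate!s:5s}", dict(simulate(policy, rotate=rotate)))
```

Running it shows the point the answer makes: with a first-in-list resolver, only the server-side rotation spreads the load (without rotation ns1 takes every query); a random-picking resolver spreads the load whether or not the server rotates; and an RTT-driven resolver sends everything to the fastest server regardless of the order in the reply, so reply ordering is the weakest of the three factors.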

They will hit the primary one first then proceed to the secondary NS, so having multiple nameservers will only increase redundancy.

In order to increase performance you would need anycasted nameservers, though implementing this on your own will cost a lot of cash, and won't offer a substantial enough improvement to warrant the cost.

  • Is there any specific reason why they don't do that randomly? This just looks silly to me :-S – BarsMonster Apr 09 '10 at 13:12
  • This is client specific. Anycast is certainly not needed in most cases. – pehrs Apr 09 '10 at 15:16
  • Why was this voted down? – chris Apr 09 '10 at 15:18
  • @pehrs -- I agree that it is client specific. I disagree that anycast "isn't needed". The question was "how do I make dns faster, and will more DNS servers get end users faster DNS resolution?" And the answer is "no" unless you have the "more dns servers" be at the same anycast address. – chris Apr 09 '10 at 15:23
  • @chris The question, as it's written in the text, is about which server the client will use, and implies that the one asking is more interested in balancing server load than network latency. Anycast has its uses in DNS, but it's an exotic solution that is rarely needed. – pehrs Apr 09 '10 at 15:51

If you're talking about DNS servers rather than DNS caches, then it will ask a server at random. The master server is merely the source of the DNS records for other servers that are authoritative for the domain. It's also probably true that this is only relevant if you're using AXFR as a method of replicating your DNS; when consulting a backend such as a database or LDAP directory with other forms of replication, it's even less meaningful which record goes in the SOA. There is one exception to this: if you're using dynamic DNS updates, then DHCP clients will contact this server with updated info on their IPs.

Richard Salts
  • Yes, I am talking DNS servers. Well... Then we have 2 answers saying different things... Any links to docs saying it is random? (I really tried to google it myself) I do not care about replication at the moment, I do care about load balancing at this point. Just for info: For some domains I use AXFR for replication, for some domains I have multiple master servers having the same configuration. – BarsMonster Apr 09 '10 at 13:50
  • The DNS server selection at http://cr.yp.to/djbdns/notes.html contains information about dnscache and bind. – Richard Salts Apr 10 '10 at 02:11

Based on empirical data on our DNS servers, it seems that primary and secondary are hit with about the same number of requests, i.e. the resolvers will use both, either by random selection, round robin or other.

Adding more servers may definitely improve performance.

Dan Andreatta

The only real way to improve DNS performance over the whole internet is to use an anycast address.

If you just add a bunch of addresses, you still have no control over which address some remote user is actually going to use because the OS of the client decides what to do with the list of DNS servers it gets. A clever client would try to figure out which is the fastest, but that's not something the DNS admin has control over.


Windows clients will use the primary DNS unless the primary cannot be contacted, then it will switch to the secondary. I don't think there's a way to change this behavior.

  • Well, I am looking at http://technet.microsoft.com/en-us/library/cc779517%28WS.10%29.aspx and it says what you say. But it looks like it is about "Primary" and "Secondary" DNS servers in network connection configuration... – BarsMonster Apr 09 '10 at 14:49
  • I.e. my question is about multiple NS servers listed for some internet domain, like "google.com" – BarsMonster Apr 09 '10 at 14:53
  • Those "DNS servers" are actually "DNS resolvers", which in turn will query the real "DNS servers". I can tell you we see quite a bit of traffic from our Secondary DNS server. – Dan Andreatta Apr 09 '10 at 14:54
  • I see, it is clearer now. Any link to a document saying that "DNS resolvers" are hitting DNS servers randomly? – BarsMonster Apr 09 '10 at 15:10