13

I need to set up a DNS server to manage the DNS for my domain name.

According to the guide I am following, I need to have both a Primary and Secondary DNS server. I easily created two VMs on my machine to accomplish this. Everything was going well when I came up with a realization in my head.

If I am running two servers, each serving DNS on port 53, how can I forward both servers to my single public IP address, while keeping everything on port 53?

It is my understanding that I must use port 53 for both servers, and also that you cannot "overlap" ports, or merge the traffic of the two ports into one.

I am not in the market to buy another IP from an ISP, so if this is not possible to do without getting another IP, I will just deal with it.


Important info on my network + situation:

I am doing this on my home network, and do not have access to ipv6. I have one physical server, but can create as many VMs as I want. High Availability is not a concern for me, as I have basically zero clients (save for myself) and can easily recover from an outage.

11
  • 2
    You don't need to have two DNS servers for your domain. As pointed out in the answer below, this is typically done for redundancy. Commented Mar 3, 2022 at 1:55
  • 3
    @Anaksunaman Actually you do, to register many domains and point them to your nameservers.
    – davidgo
    Commented Mar 3, 2022 at 4:52
  • 2
    @davidgo True and annoying for hobbyists, but should one really host all authoritative nameservers for a domain on the same host and ip? DNS has replication built in so I would suggest hosting a secondary nameserver on one of the hosted services that offer this (some are even free though I don't know the quality). That way you'll have actual redundancy while still being able to experiment at home. Commented Mar 3, 2022 at 11:20
  • 9
    Is there a particular reason you need to run your own servers? Asking simply because any number of DNS providers exist that trivially meet this requirement and get things right without you needing to do much of anything. Commented Mar 3, 2022 at 13:02
  • 2
    Granted it lacks redundancy, but the simplest method might be to register two nameservers ns1.example.com and ns2.example.com and have them point to the same IP.
    – Jim L.
    Commented Mar 3, 2022 at 16:13

5 Answers

14

When it comes to primary and secondary DNS servers, from the viewpoint of any external entity it is actually irrelevant whether they run on a single machine, in separate VMs or on separate physical machines.

What is important is that they need to run on separate IP addresses and, even better, on separate independent networks, so that they have independent infrastructure.

This requirement helps to ensure that at least one DNS server will remain on-line even if an entire subnet of one of the servers goes down for any reason.

How to get a secondary DNS server if you only have one IP address:

You do not have to run both DNS servers yourself, or any DNS servers, actually, because many domain name registrar companies offer the DNS service for their customers.

By subscribing to this service you will have access to a Web based interface where you will be able to manage your DNS zones.

If you still prefer to run your own primary DNS server, then often you can subscribe to the "Secondary DNS server" service where the registrar will provide you with a secondary DNS server and you won't need to buy a separate IP address.

Ask your domain name registrar whether they provide this service.

4
  • 1
    You even have those who offer secondary DNS for free to everyone, such as domainname.shop. I'm not affiliated with them in any way, but I do use their services.
    – vidarlo
    Commented Mar 3, 2022 at 20:31
  • 1
    Keep in mind that the web based control panels for DNS are all utterly awful - clunky to use, difficult to make any sort of bulk/pattern changes to, and usually don't even support any but a few common record types. And either they don't do DNSSEC at all, or they require that they hold the keys. Commented Mar 5, 2022 at 23:50
  • Could I point two subdomains (say, ns1.example.com, and ns2.example.com) at the same IP and then tell my registrar to use those? Would it work properly? I added my DNS server to my domain name in my registrar, but it wanted at least two DNS servers, so I kept my hosted DNS on the list. I deleted my records from the hosted DNS, and now none of the things on my domain work. I’m hoping I can just remove the hosted DNS servers and that will fix the problems, but I need to have at least two DNS servers.
    – Foxler2010
    Commented Mar 6, 2022 at 23:05
  • @Foxler2010 It depends on the rules adopted by the registrar. "I deleted my records from the hosted DNS" - if that was your primary DNS server and you deleted your DNS records from it, then it makes sense why things stopped working. The bottom line is that if your registrar requires two DNS servers on different IP addresses - you can't get away by only running one server on your own IP address. I recommend you to discuss this matter with the registrar's tech support, because we can only guess what will and what will not work, while they HAVE TO know this for sure.
    – VL-80
    Commented Mar 7, 2022 at 0:10
9

The primary objective of having two separate DNS servers is so that if one goes down the other will remain up for those who are using it, not because (as one might be, albeit potentially while half-asleep, falsely led to believe) there are two boxes to type DNS servers in, as is often the case, or for "verification", "confidentiality", or some other strange concept forced by those who blindly believe in the Internet.

Given that you are running both daemons on one machine, this purpose is effectively NaN'd. However, you could still theoretically prevent your whole DNS system from going down by, say, a DoS attack by using both virtual machines. To completely implement this, you would most likely need to set up port forwarding from your router to both virtual IPs, but, as you speculate, this may get confusing for machines that are located outside of your local network.

4

Purely from a protocol perspective, you don't need 2 NS records at all for any delegation, including one from a TLD or gTLD like .com.

In practice, the majority of registration sites will require 2 DNS servers and IPs. They will each have their own 'error checking' to prevent you from entering the same name or IP twice.

If they do allow you to enter the same IP twice, I can see just one problem there.

  • You probably can't and shouldn't have two NS records that are exactly the same. This might cause actual issues in DNS error checking.
  • However, you can very easily just have 2 different NS records but both pointing to the same IP (glue records). That should be perfectly valid.
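The registrar-side checks this answer describes (the same NS name twice, two NS names that resolve to one address, and, as the last answer notes, two addresses on the same network) are easy to run against a candidate nameserver list before submitting it. The script below is an added example, not code from the thread; the names and addresses are constructed (documentation ranges), and the /24 and /48 prefix lengths are assumed approximations of what a registrar might mean by "same network".

```python
import ipaddress
from collections import defaultdict


def check_ns_diversity(ns_addrs, v4_prefixlen=24):
    """Return a list of (kind, detail) issues for a proposed nameserver set.

    ns_addrs: list of (nameserver name, IP address) pairs, i.e. the NS names
    and glue addresses you would hand to the registrar.  Kinds reported:
      ("too_few", ())                       fewer than two nameservers
      ("duplicate_name", (name,))           the same NS name listed twice
      ("same_ip", (ip, (names...)))         distinct names, one address
      ("same_network", (net, (names...)))   distinct addresses, one subnet
    An empty list means the set is free of the problems discussed above.
    """
    issues = []
    if len(ns_addrs) < 2:
        issues.append(("too_few", ()))

    # DNS names are case-insensitive and a trailing dot is the same name,
    # so normalise before comparing.
    names = [name.lower().rstrip(".") for name, _ in ns_addrs]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            issues.append(("duplicate_name", (name,)))

    by_ip = defaultdict(list)
    by_net = defaultdict(list)
    for name, (_, ip) in zip(names, ns_addrs):
        addr = ipaddress.ip_address(ip)
        # Assumed "same network" heuristic: /24 for IPv4, /48 for IPv6.
        plen = v4_prefixlen if addr.version == 4 else 48
        by_ip[addr].append(name)
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        by_net[net].append(name)

    # Two different NS names glued to one address: the OP's exact situation.
    for addr in sorted(by_ip, key=lambda a: (a.version, int(a))):
        ns = by_ip[addr]
        if len(set(ns)) > 1:
            issues.append(("same_ip", (str(addr), tuple(dict.fromkeys(ns)))))

    # Distinct addresses that still sit in one prefix: no independent
    # infrastructure, which is what the two-server rule is meant to buy.
    for net in sorted(by_net, key=lambda n: (n.version, int(n.network_address))):
        ns = by_net[net]
        distinct_addrs = {a for a in by_ip if a in net}
        if len(distinct_addrs) > 1:
            issues.append(("same_network", (str(net), tuple(dict.fromkeys(ns)))))
    return issues


if __name__ == "__main__":
    # Constructed scenarios; 198.51.100.0/24 and 203.0.113.0/24 are
    # documentation ranges, not real hosts.
    both_at_home = [("ns1.example.com", "198.51.100.7"),
                    ("ns2.example.com", "198.51.100.7")]
    home_plus_provider = [("ns1.example.com", "198.51.100.7"),
                          ("ns2.example.com", "203.0.113.9")]
    for label, ns in (("both at home", both_at_home),
                      ("home + provider", home_plus_provider)):
        print(f"{label}: {check_ns_diversity(ns) or 'ok'}")
```

The first scenario is what the question proposes (ns1 and ns2 glued to the single home IP) and is reported as `same_ip`; the second, with a secondary hosted elsewhere as the accepted answer suggests, comes back clean.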
2

It is highly unwise to run 2 nameservers from a single machine (and outside of spec for DNS) and it is likely not possible to do if you only have a single IP address and a registrar that requires it.

It's likely not worth the difficulty, but DNS supports the idea of slave servers, and has mechanisms for you to have the primary on your computer and secondary elsewhere (e.g. swap services with someone else).

Also - and again technically inadvisable - you could run a VPN with a static IP, do some source routing and address the technical requirements that way, or simply lie about the second server (i.e. point it at something you know will not answer). That will slow down some queries, but would work.

1
  • There is really no good reason not to have only one nameserver if you only have one server for services on the domain to begin with. It does not do any good for DNS to continue resolving if your webserver (or whatever the single server is) is being hammered by DoS or experiencing a power failure or whatever and unreachable anyway. The "you must have 2 nameservers" thing is just historical BOFH nonsense. Have as many or as few makes sense for your domain and desired service level properties. Commented Mar 5, 2022 at 23:53
0

You can’t make two DNS servers reachable over a single IP since they both would use the same port (which is not configurable for the global DNS). But even if you could, most registrars won’t accept the same IP twice (and some even don’t like the same network twice).

But what you can do is use what most registrars/hosters provide: a DNS service, either fully hosted with a web front end, or with the option to have one or three of the provider's servers as your secondaries (or even as a fake primary, where you run a single-IP hidden primary).
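The "primary at home, secondary elsewhere" arrangement mentioned in this answer and the one before it is ordinary zone transfer (AXFR/IXFR) plus NOTIFY. Below is an added example of what that looks like in BIND 9 (9.16+ keywords); it is not configuration from the thread. The addresses, file paths, key name and the secondary's location are assumptions for illustration; if the secondary is a registrar's service, use the transfer source address and any TSIG key they give you instead.

```conf
// ---- named.conf on the home primary (the single public IP) ----
// Shared TSIG key; generate the secret with: tsig-keygen xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";
};

zone "example.com" {
    type primary;
    file "/etc/bind/zones/db.example.com";
    // Only the secondary, and only with the key, may pull the zone.
    allow-transfer { key "xfer-key"; };
    // Push a NOTIFY to the secondary as soon as the zone serial changes,
    // rather than to every NS listed in the zone.
    notify explicit;
    also-notify { 203.0.113.53; };
};

// ---- named.conf on the secondary (e.g. a VPS or provider host) ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<same base64 secret>";
};

// Sign every request sent to the home primary with the key.
server 198.51.100.7 { keys { "xfer-key"; }; };

zone "example.com" {
    type secondary;
    file "/var/cache/bind/db.example.com.saved";
    primaries { 198.51.100.7; };
    // The secondary serves the zone but does not hand it on.
    allow-transfer { none; };
};
```

Two points tie this back to the original question. Only one daemon runs at home, so the single port-53 forward is all that is needed: the secondary fetches the zone over TCP 53 from that one address. If the home box is also listed as ns1 in the NS records it answers queries on the same forward; if it is kept hidden (only the secondaries appear in the NS set and at the registrar), then the home server never needs to be listed and the registrar's two-nameserver rule is met entirely by hosted secondaries.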
