Secondary (or "slave") DNS is a backup nameserver that mirrors a primary nameserver's zones. If the primary becomes unreachable, the secondary keeps answering DNS queries — meaning your sites stay reachable even when something is wrong with the main server.

Already covered for shared hosting clients. Every CanSpace shared server has a secondary nameserver pre-configured (e.g. ns27.canspace.ca + ns28.canspace.ca for accounts on eos). DNS-only clients get dns1.canspace.ca and dns2.canspace.ca. You don't need to do anything — redundancy is built in.

This article is mostly relevant if you have a VPS or dedicated server and want to add an extra layer of DNS redundancy beyond the default setup.

How secondary DNS works

The primary nameserver holds the authoritative copy of your DNS zone. The secondary periodically pulls a copy via a process called AXFR (zone transfer), and answers the same queries from its own copy.

Both nameservers' addresses are listed in your domain's NS records at the registrar. Resolvers around the internet pick one at random, so even if the primary is offline, queries still resolve via the secondary.

Two important things to understand:

  • Secondary DNS is read-only. All edits happen on the primary; the secondary just mirrors them. You can't edit a zone on the secondary directly.
  • Propagation isn't instant. When you change a record on the primary, the secondary picks it up either on the next refresh interval (typically 15-60 minutes, set in the SOA record) or immediately if the primary sends a NOTIFY message — which most do, including cPanel.

The default setup on every CanSpace server

Server type                     Primary NS                   Secondary NS
Shared hosting (per server)     e.g. ns27.canspace.ca        e.g. ns28.canspace.ca
DNS-only / domain forwarding    dns1.canspace.ca (triton)    dns2.canspace.ca (triton2)
VPS / dedicated                 your-server.canspace.ca      your-server-2.canspace.ca

The secondary mirrors the primary automatically. If you only need basic redundancy, this is all you'll ever need.

Adding a third-party secondary (advanced)

For VPS and dedicated server owners who want more redundancy — for example, geographic diversity (a secondary on another continent) or a paid commercial DNS provider — you can add an external secondary on top of CanSpace's pair.

Step 1: enable AXFR on your server

The external secondary needs permission to pull your zones. SSH into your server as root and edit /etc/nameserverips (cPanel's preferred file), or configure your DNS daemon (BIND or PowerDNS) to allow the external IP. For most setups this means adding the secondary's IP to:

/etc/named.conf  (BIND)
   allow-transfer { existing_ips; new_secondary_ip; };

Then reload: rndc reload.

Step 2: tell the external secondary about your zones

The exact process depends on the provider. Most paid DNS providers (Cloudflare's secondary DNS, NS1, ClouDNS, Hurricane Electric's free service, etc.) have a wizard where you list your zones and your master server's IP. They'll then start pulling.

Step 3: add the new NS records to your domain at the registrar

Go to your domain's registrar control panel and add the new nameserver entries to the NS list. For example, if your domain is currently:

ns1.yourcompany.ca
ns2.yourcompany.ca

You'd add:

ns3.external-provider.com
ns4.external-provider.com

Resolvers will distribute queries across all four NS records.

Step 4: verify

Use dig from a terminal:

dig +short SOA yourdomain.com @ns3.external-provider.com
dig +short SOA yourdomain.com @ns1.yourcompany.ca

The serial numbers should match (same zone, same source). If they differ, the external secondary hasn't pulled the latest changes yet.

Common gotchas

  • Forgot to update SOA after a change. AXFR triggers when the SOA serial number changes. cPanel handles this automatically; manual edits to zone files don't. After a manual zone change, bump the serial.
  • Firewall blocking port 53 TCP. AXFR uses TCP/53 (regular queries use UDP/53). If your firewall only opens UDP, the secondary can't pull. Open both.
  • Mixed NS records at the registrar. If you list four NS records but two of them aren't actually serving your zone (e.g. you removed them but never updated the registrar), about half of all queries will fail. Keep the registrar's NS list and the actual serving nameservers in sync.
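
The Step 4 comparison, extended to every listed nameserver so that it also surfaces the gotchas above (stale serial, blocked port 53, NS entries that no longer serve the zone). This is an added example, not CanSpace's own tooling: the function names, the FETCH override and the sample SOA lines are constructed for illustration, and the hostnames are the article's placeholders.

```bash
#!/usr/bin/env bash
# Added example: flag secondaries whose SOA serial differs from the primary's.

# Ask one nameserver directly for the zone's SOA (no recursion, short timeout).
fetch_soa() {  # $1 = zone, $2 = nameserver
  dig +short +norecurse +time=3 +tries=1 SOA "$1" "@$2"
}

# `dig +short SOA` prints: mname rname serial refresh retry expire minimum
soa_serial() { awk 'NF >= 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'; }

# check_zone ZONE PRIMARY SECONDARY...
# Returns 0 if every secondary matches the primary, 1 if any is stale or
# silent, 2 if the primary itself gave no SOA. FETCH swaps in a test fetcher.
check_zone() {
  local zone="$1" primary="$2" fetch="${FETCH:-fetch_soa}" want got ns rc=0
  shift 2
  want=$("$fetch" "$zone" "$primary" | soa_serial)
  if [ -z "$want" ]; then
    echo "$primary: primary returned no SOA"; return 2
  fi
  for ns in "$@"; do
    got=$("$fetch" "$zone" "$ns" | soa_serial)
    if [ -z "$got" ]; then
      echo "$ns: NO ANSWER (not serving the zone, or port 53 blocked)"; rc=1
    elif [ "$got" = "$want" ]; then
      echo "$ns: in sync ($got)"
    else
      echo "$ns: STALE ($got, primary has $want)"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample answers (not real data) so the demo runs offline.
fake_soa() {
  case "$2" in
    ns1.yourcompany.ca|ns2.yourcompany.ca)
      echo "ns1.yourcompany.ca. admin.yourcompany.ca. 2024051502 3600 1800 1209600 86400" ;;
    ns3.external-provider.com)
      echo "ns1.yourcompany.ca. admin.yourcompany.ca. 2024051501 3600 1800 1209600 86400" ;;
  esac   # ns4.external-provider.com deliberately answers nothing
}

# Offline demo; drop "FETCH=fake_soa" to query the real servers with dig.
FETCH=fake_soa check_zone yourdomain.com ns1.yourcompany.ca \
  ns2.yourcompany.ca ns3.external-provider.com ns4.external-provider.com || true
```

A non-zero exit status makes the function usable from cron or a monitoring check after each zone change.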

When you might NOT want secondary DNS

If you're using a managed DNS service (Cloudflare in proxy mode, AWS Route 53) as your primary, you usually don't need to add a secondary. Those services already operate from many points of presence around the world, so they don't have a single point of failure to back up.

Need help setting up secondary DNS for your VPS or dedicated server? Open a support ticket