How many DNS servers do I need? (2024)

Nutter helps a user who’s moving DNS functions in-house.

My company’s use of the Internet is changing. We’re moving from having just a mail server and a Web site to having several systems that need a public IP address and “ad hoc” systems that need a public address for short- or long-term needs depending on the project. Our ISP is handling our DNS needs at this point, but we’d like to take over that function as this would make it easier to change ISPs as well as make changes when we need them. What should we use for a DNS server – Linux or Windows? What’s the best way to move forward on this?

– Via the Internet

The answer is – it depends. If you’re mostly a Windows shop, then working with Microsoft’s DNS server would be an easier way for you to implement handling your own DNS server functionality. Another option is to get a port of BIND that runs under Windows. These are two options that run on the Windows platform. One school of thought is to run one of your DNS servers on one OS such as Windows and the other on Linux or NetWare. The reason behind this is that if someone hacks or compromises one of the DNS servers, having the other on another platform makes it harder for both to be attacked. Regardless of which way you go, look for information that is readily available from sources such as O’Reilly about hardening your DNS servers to further reduce the chances of attack. Configure the servers to only accept zone updates from the other DNS server(s) you have. Putting the servers in a DMZ on your firewall is one further step you can take to minimize the possibility of being hacked.

At a minimum, you’ll need two DNS servers for each Internet domain you have. You can have more than two for a domain but usually three is tops unless you have multiple server farms where you would want to distribute the DNS lookup load. It’s a good idea to have at least one of your DNS servers at a separate location. This can be helpful in the event one location goes down. You can make DNS record changes on the fly and allow your customers/employees/vendors to access a server at a different location but using the same fully distinguished server name without having to contact everyone with a new IP address.