DNS Static Entries for Emergencies

Posted on 2014-08-01
Last Modified: 2014-08-06
My users need access to several 3rd-party Internet sites, even when DNS fails. Some of these domains have very low DNS TTLs (<60 seconds), generally to facilitate a redundancy scheme.

Let's use Amazon for a test case (15 second TTL). Normally, I would like to use whatever IP Amazon gives me, but when upstream DNS fails and the cache expires 15 seconds later, I cannot get to Amazon, so I would like to go to a known IP for Amazon that I have previously looked up. We forward DNS requests through an upstream hierarchy for security purposes, so I have little control of that architecture or maintenance outages. I've had 2 this week.

For sites with TTLs of one day (standard), DNS caching protects against most DNS outages. I would like to be able to configure static address mappings to sites that get used ONLY if upstream DNS fails (i.e. server failure response). I would prefer to manage this centrally on the DNS server rather than having to use local hosts files and change the resolution order (hosts file AFTER DNS lookup). Overriding the TTLs could make the cache persistent long enough to weather most outages, but seems pretty complicated to me.

Here is a concise scenario:
100 Clients use my DNS Server
My W2008 DNS Server forwards Amazon requests upstream
When DNS stops successfully returning an IP for,  I want "" to be used.
I don't want to maintain 100 hosts files and change the resolution order on 100 hosts if there is a more centrally managed way. Obviously automation (GPO etc.) could ease the process if I have to do it.

Any ideas?
Question by:RandomCoolGuy
    LVL 34

    Assisted Solution

    Generally, if you want redundancy in case of forwarders, you should define multiple public DNS server IPs on the forwarders tab if you have
    If the 1st server in the forwarders list fails / times out, DNS will forward its query to the next forwarder's IP.

    The order of the IP addresses listed as forwarders on a DNS server determines the sequence in which the IP addresses are used. After the DNS server forwards the query to the forwarder with the first IP address, it waits a short period for an answer from that forwarder (according to the DNS server's time out setting) before resuming the forwarding operation with the next IP address. It continues this process until it receives an affirmative answer from a forwarder.
    LVL 9

    Assisted Solution

    Build a cache server; easy to do with pfSense. They will have access to these websites all the. The cache server will update these sites periodically.
    LVL 21

    Assisted Solution


    If you have only some sites on this list you can use the hosts file (c:\windows\system32\drivers\etc\hosts). You can modify that file by script.
    Here is how:


    Author Comment

    I'm evaluating the answers so far.

    The forwarder information, while useful, doesn't really address the point of a static stand-in, although it does address the use of the first forwarder preferentially when it is responsive.

    The pfSense caching is not useful if it honors TTL, and setting up a network firewall has downsides. The project site is pretty vague on detailing features.

    The scripting options for the hosts-file workaround are under-developed. They would essentially put the same entries in over and over (>>hosts). I am planning on scripting changes to local hosts files if I can't put the static "stand-in" addresses on the server in a relatively straightforward manner.

    Thank you for the submissions.
    LVL 25

    Accepted Solution

    i assume you're not allowed to use other dns servers.

    one idea could be to stick a small dns caching server that can ignore dns ttls. for example maradns has a min_ttl setting that will force all entries in the cache to be cached for at least so long. this is not perfect, as when the dns works, some queries will not be resolved (answered from cache) while they should. this should not be much of a problem, though unless you use a really long setting.

    one idea could be to stick a small cache and allow it to failover to some known-to-work dns server (, opendns, google...) only when your "normal" dns is out of order. this might be acceptable to your hierarchy. if not, you can forward queries to a secondary server that has that set of addresses hardcoded (dnsmasq is a good choice for such uses as it can read a hosts table which should be reasonably easy to maintain)

    you can also use dnsmasq alone, and rewrite the hosts file periodically with a small script that will pull the proper addresses from the dns. if multiple addresses are found in the hosts file for the same ip, dnsmasq will present them in round robin fashion. this approach will be easy to set up and should not be too intrusive either

    there are many other ways to achieve your exact goal or something similar, but unfortunately i do not know of a more simple one. it would definitely be a nice feature to have in a dns cache the capability to keep in cache entries for longer than the ttl and answer with the cached value when the upstream server is dead
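The hosts-file script suggested above and the dnsmasq stand-in table from the accepted answer both need the same thing: a refresher that rewrites the file in place (so entries are never appended twice) and keeps the last-known address when a lookup fails. This is an added example, not code from the thread; it assumes dnsmasq reads the generated file through `addn-hosts=/etc/hosts.standin`, and `WATCHED` is a constructed sample list.

```python
"""Idempotent refresher for a dnsmasq 'stand-in' hosts table (added example)."""
import socket

# Constructed sample: names whose last-known address we want to keep.
WATCHED = ["www.amazon.com", "example.net"]
HOSTS_PATH = "/etc/hosts.standin"   # assumed addn-hosts= target for dnsmasq


def parse_hosts(text):
    """Return {name: [ip, ...]} from hosts-file text, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip not in table.setdefault(name, []):
                table[name].append(ip)
    return table


def resolve_all(name):
    """Live lookup via the system resolver; [] on SERVFAIL / timeout / NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def refresh(previous_text, names, resolver=resolve_all):
    """Merge fresh answers into the previous table and regenerate the file.

    A name that fails to resolve keeps its last-known addresses, which is
    what makes the file usable as a stand-in while upstream DNS is down.
    The text is rebuilt from the table, so a cron run never duplicates lines;
    several IPs for one name become several lines (dnsmasq round-robins them).
    """
    table = parse_hosts(previous_text)
    for name in names:
        fresh = resolver(name)
        if fresh:
            table[name] = fresh   # replace, so IPs no longer served age out
    lines = ["# generated stand-in table; do not edit by hand"]
    for name in sorted(table):
        lines.extend(f"{ip} {name}" for ip in table[name])
    return table, "\n".join(lines) + "\n"


if __name__ == "__main__":
    try:
        old = open(HOSTS_PATH).read()
    except FileNotFoundError:
        old = ""
    with open(HOSTS_PATH, "w") as fh:
        fh.write(refresh(old, WATCHED)[1])
```

Run it from cron more often than the shortest TTL you care about; while the resolver answers, the file tracks the live addresses, and during an outage it simply stops changing.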

    Author Comment

    skullnobrains has the answer that best addresses the questions. The key is the minimum TTL override setting. I have found that SimpleDNS is probably the easiest to set up for this purpose in a Windows environment and also has the option of reading from a hosts file. It costs < $100. AnalogX has a neat client-side DNS proxy that makes simultaneous requests to multiple DNS servers and uses the first successful response back. It also has a minimum TTL override and is free.
