DNS Static Entries for Emergencies

My users need access to several 3rd-party Internet sites, even when DNS fails.  Some of these domains have very low DNS TTL's (<60 seconds), generally to facilitate a redundancy scheme.  

Let's use Amazon for a test-case (15 second TTL).  Normally, I would like to use whatever IP Amazon gives me, but when upstream DNS fails and cache expires 15 seconds later, I cannot get to Amazon so I would like to go to a known IP for Amazon that I have previously looked-up.  We forward DNS requests through an upstream hierarchy for security purposes so I have little control of that architecture or maintenance outages.  I've had 2 this week.

For sites with TTL's of one day (standard), DNS caching protects against most DNS outages. I would like to be able to configure static address mappings to sites that get used ONLY if upstream DNS fails (i.e. server failure response).  I would prefer to manage this centrally on the DNS Server rather than having to use local hosts files and change the resolution order (host file AFTER DNS lookup).   Overriding the TTL's could make cache persistent long enough to weather most outages, but seems pretty complicated to me.

Here is a concise scenario:
100 Clients use my DNS Server
My W2008 DNS Server forwards Amazon requests upstream
When DNS stops successfully returning an IP for amazon.com,  I want "72.21.194.212" to be used.
I don't want to maintain 100 host files and chain the resolution order on 100 hosts if there is a more centrally managed way.  Obviously automation (GPO etc) could ease the process if I have to do it.

Any ideas?
RandomCoolGuy Asked:

Mahesh (Architect) Commented:
Generally, if you want redundancy in case of forwarders, you should define multiple public DNS server IPs on the Forwarders tab if you have
If the 1st server in the forwarders list fails / times out, DNS will forward its query to the next forwarder's IP.

The order of the IP addresses listed as forwarders on a DNS server determines the sequence in which the IP addresses are used. After the DNS server forwards the query to the forwarder with the first IP address, it waits a short period for an answer from that forwarder (according to the DNS server's time out setting) before resuming the forwarding operation with the next IP address. It continues this process until it receives an affirmative answer from a forwarder.
http://technet.microsoft.com/en-us/library/cc757172(v=ws.10).aspx

Natty Greg (In Theory (IT)) Commented:
build a cache server easy to do with pf-sense, they will have access to these websites all the. the cache server will update these sites periodically

dan_blagut Commented:
Hello

If you have only some sites on this list you can use the hosts file (c:\windows\system32\drivers\etc\hosts). You can modify that file by script.
Here is how: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23790188.html

Dan

RandomCoolGuy (Author) Commented:
I'm evaluating the answers so far.

The forwarder information while useful, doesn't really address the point of a static stand-in although it does address the use of the first forwarder preferentially when it is responsive.  

The pfsense caching is not useful if it honors TTL and setting up a network firewall has downsides.  The project site is pretty vague on detailing features.  

The scripting options for the host-file work around are under-developed.  They would essentially put the same entries in over and over (>>hosts).  I am planning on scripting changes to local host files if I can't put the static "stand-in" addresses on the server in a relatively straight-forward manner.  

Thank you for the submissions.

skullnobrains Commented:
i assume you're not allowed to use other dns servers.

one idea could be to stick a small dns caching server that can ignore dns ttls. for example maradns has a min_ttl setting that will force all entries in the cache to be cached for at least so long. this is not perfect, as when the dns works, some queries will not be resolved (answered from cache) while they should. this should not be much of a problem, though unless you use a really long setting.

one idea could be to stick a small cache and allow it to failover to some known-to-work dns server (4.2.2.1-6, opendns, google...) only when your "normal" dns is out of order. this might be acceptable to your hierarchy. if not, you can forward queries to a secondary server that has that set of addresses hardcoded (dnsmasq is a good choice for such uses as it can read a hosts table which should be reasonably easy to maintain)

you can also use dnsmasq alone, and rewrite the hosts file periodically with a small script that will pull the proper addresses from the dns. if multiple addresses are found in the hosts file for the same ip, dnsmasq will present them in round robin fashion. this approach will be easy to setup and should not be too intrusive either

there are many other ways to achieve your exact goal or something similar, but unfortunately i do not know of a more simple one. it would definitely be a nice feature to have in a dns cache the capability to keep in cache entries for longer than the ttl and answer with the cached value when the upstream server is dead

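The periodic hosts-file rewrite suggested in the answer above, sketched as an added example (not code from the thread or from dnsmasq). It keeps the last known good address when a lookup fails and replaces the file in one step instead of appending to it; the file name `fallback.hosts` and the name list are assumptions.

```python
import ipaddress
import os
import socket
import tempfile

def _is_ip(text):
    try:
        return bool(ipaddress.ip_address(text))
    except ValueError:
        return False

def resolve_v4(name):
    """IPv4 addresses from the system resolver, or [] when the lookup fails."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except OSError:  # socket.gaierror is a subclass: any resolver failure
        return []
    return sorted({info[4][0] for info in infos})

def parse_hosts(text):
    """Map hostname -> [addresses] from hosts-format text, skipping bad lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and _is_ip(fields[0]):
            for name in fields[1:]:
                table.setdefault(name.lower(), []).append(fields[0])
    return table

def refresh(names, previous, resolver=resolve_v4):
    """Use fresh answers where DNS works, last known good where it does not."""
    merged = {}
    for name in (n.lower() for n in names):
        addrs = [a for a in resolver(name) if _is_ip(a)] or previous.get(name, [])
        if addrs:
            merged[name] = addrs
    return merged

def render(table):
    return "".join(f"{a}\t{n}\n" for n in sorted(table) for a in table[n])

def write_atomic(path, text):
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the DNS daemon must read it
    os.replace(tmp, path)  # one-step swap: readers never see a partial file

if __name__ == "__main__":
    path = "fallback.hosts"  # hypothetical file, e.g. a dnsmasq addn-hosts= target
    old = parse_hosts(open(path).read()) if os.path.exists(path) else {}
    write_atomic(path, render(refresh(["amazon.com"], old)))
```

Run it from a scheduler against the upstream resolver; dnsmasq re-reads its hosts files when it receives SIGHUP.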
RandomCoolGuy (Author) Commented:
skullnobrains has the answer that best addresses the questions.  The key is the minimum TTL override setting.  I have found that SimpleDNS is probably the easiest to set up for this purpose in a Windows environment and also has the option of reading from a hosts file.  It costs < $100.  AnalogX has a neat client side DNS proxy that makes simultaneous requests to multiple DNS's and uses the first successful response back.  It also has a minimum TTL override and is free.

Question has a verified solution.