How to fix Nameserver setup (diversity & SOA)
Your nameservers are the directory that tells the whole internet where to find your website and email. If they all sit on one network and it goes down, your business vanishes from the internet at the same moment — no site, no email, nothing — and a sloppy clock setting on those servers can leave changes you make stuck for days.
Bottom line for your business: If every nameserver for your domain lives on a single network, one outage or attack on that network takes your website AND your email offline together — you keep paying staff and ads while no customer can reach you. Separately, misconfigured SOA timers can leave your DNS changes (a new server, a switched email provider, an emergency redirect) propagating for days instead of hours.
What this can cost you
- The single network all your nameservers sit on has a bad afternoon — an outage or a DDoS attack — and your website and email both disappear at the same time. Customers get error pages, your sales inbox bounces, and there is nothing your web person can do but wait for someone else's network to recover.
- A big customer's security team runs a vendor check, sees all your nameservers on one provider with no redundancy, and notes your domain as a single point of failure — friction on a contract you'd otherwise have won.
- You move to a new web host or switch email providers, but a wrong 'refresh' timer in your SOA record means other DNS servers keep handing out your old address for days — so some customers land on a dead site and your email splits in two.
- A security incident forces you to redirect traffic urgently, but your SOA timers tell the world to cache your old records for a week, so the change you made an hour ago still hasn't reached half the internet while the problem continues.
- Your two nameservers are technically two names, but they resolve to the same rack on the same network — so the redundancy you think you have is an illusion, and a single failure still takes everything down.
Why it matters. Every visit to your website and every email sent to you starts with a lookup against your nameservers. They are the foundation the rest of your online presence sits on. If that foundation has no redundancy, a single failure knocks out everything at once; if its timing values are wrong, every change you make is slow to take effect — exactly when you can least afford it.
What this is, in plain words
Before anyone can reach your website or send you an email, their computer has to ask a simple question: “where does this domain actually live?” The servers that answer that question are your nameservers. They are the directory entry for your whole online presence — the very first thing every visitor and every email touches, before your site or your inbox is even involved.
This page covers two parts of getting that directory right:
- Diversity — do you have at least two nameservers, and do they sit on genuinely separate parts of the network, so a single outage can’t silence all of them at once?
- The SOA record — a small “start of authority” record that holds the timing values controlling how long the rest of the internet trusts and caches your DNS answers. Get the timers wrong and every change you make takes longer to reach the world.
Neither is glamorous. Both are foundations. When they’re right you never think about them; when they’re wrong, you find out at the worst possible moment.
What this can cost you
- Everything offline at once. If all your nameservers live on one network and that network has an outage or is hit by a DDoS attack, your website and your email go dark together. This is not theoretical — a single DNS provider being attacked has knocked major, well-resourced companies off the internet for the better part of a day. With redundancy across networks, one failure is survivable; without it, it’s total.
- A deal lost on a vendor check. A larger customer’s security or procurement team runs a check before signing, sees all your nameservers concentrated on one provider with no fallback, and flags your domain as a single point of failure. It’s the kind of small, avoidable mark that adds friction to a contract you’d otherwise win.
- Changes that won’t take. You switch web hosts, move email providers, or need to redirect traffic in a hurry. A wrong “refresh” or “expire” timer in your SOA record means other DNS servers keep serving your old answer for days. Half your customers land on the new site, half on the dead one; some email flows to the old provider, some to the new. The change you made an hour ago still isn’t done.
- An emergency you can’t end quickly. During a security incident you need to point traffic away from a compromised server now. If your SOA timers told the world to cache your records for a week, your fix crawls out across the internet while the problem keeps biting.
- Redundancy that isn’t real. You have two nameservers, so you assume you’re covered — but both resolve to the same rack on the same network. The first hardware failure takes out the lot, and the safety net you were counting on was never there.
What it actually is
Nameserver diversity. Your domain should list at least two nameservers, and ideally they should sit on genuinely independent network paths — not just two names pointing at the same box. Behind the scenes, each nameserver name resolves to one or more IP addresses, and what really matters is whether those addresses occupy different parts of the internet’s routing. A serious DNS provider spreads its nameservers across many separate network blocks and locations worldwide, so even two nameservers from the same provider give you real, independent redundancy. The failure case is the opposite: a single small host where both “nameservers” are the same machine, so one failure is total.
A note for the technical reader: our check counts your NS records and then looks at how much genuine network diversity sits behind them. The primary signal is the spread of distinct IP network blocks the nameservers resolve into (roughly, /16 ranges for IPv4 and /32 for IPv6), with the number of distinct provider names as a backstop. This deliberately credits Anycast hyperscale providers — Cloudflare, Google, AWS Route 53, Azure DNS — which announce one network identity from many globally separate routing paths and so deliver real diversity even from a single brand. Having fewer than two nameservers scores zero on this check and is treated as high severity, because it’s an unmitigated single point of failure for the entire domain.
The SOA record. Every DNS zone has exactly one Start of Authority record. It names the primary nameserver and the administrative contact, carries a serial number that increments on each change, and — the part that matters for your business — holds four timers:
- Refresh — how often secondary nameservers re-check the primary for changes. Good range: roughly 1 to 24 hours (3,600–86,400 seconds).
- Retry — how soon to try again if a refresh fails. Good range: roughly 5 to 60 minutes (300–3,600 seconds).
- Expire — how long secondaries keep serving your records if they can’t reach the primary at all. Good range: roughly 1 to 4 weeks (604,800–2,419,200 seconds).
- Minimum TTL — the floor for how long answers (including “this name doesn’t exist” answers) get cached. Should be a sensible positive value; 300 seconds is a common choice.
What “good” looks like: an SOA that exists, has a valid administrative contact, and carries timers inside those ranges. Values outside the ranges aren’t fatal — but they either slow your changes down (timers too long) or load your nameservers needlessly (too short). A missing or genuinely broken SOA is the more serious case.
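The two checks described above, the network-block diversity count and the SOA timer ranges, as an added worked example (not Defaults.Exposed's own checker). It assumes you have already resolved each nameserver to its IP addresses (for instance with dig) and copied the SOA rdata as dig prints it; the sample inputs are constructed from documentation IP ranges, and the verdict strings are this example's own labels.

```python
import ipaddress

# "Good" SOA timer ranges from this page, in seconds (None = no upper bound).
SOA_RANGES = {
    "refresh": (3_600, 86_400),
    "retry": (300, 3_600),
    "expire": (604_800, 2_419_200),
    "minimum": (1, None),
}

def parse_soa(rdata):
    """Parse SOA rdata as dig prints it: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA rdata must have exactly 7 fields")
    serial, refresh, retry, expire, minimum = (int(f) for f in fields[2:])
    return {"mname": fields[0], "rname": fields[1], "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}

def soa_timer_problems(soa):
    """Names of the timers outside SOA_RANGES; an empty list means all four are sane."""
    bad = []
    for name, (lo, hi) in SOA_RANGES.items():
        value = soa[name]
        if value < lo or (hi is not None and value > hi):
            bad.append(name)
    return bad

def network_blocks(ns_to_ips):
    """Distinct network blocks behind the nameserver IPs: /16 for IPv4, /32 for IPv6."""
    blocks = set()
    for ips in ns_to_ips.values():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            prefix = 16 if addr.version == 4 else 32
            blocks.add(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return blocks

def diversity_verdict(ns_to_ips):
    """Fewer than two NS is the high-severity case; NS all in one block is fake redundancy."""
    if len(ns_to_ips) < 2:
        return "high: fewer than two nameservers"
    if len(network_blocks(ns_to_ips)) < 2:
        return "warn: all nameservers share one network block"
    return "ok"

# Constructed sample data (documentation IP ranges, not real resolver output).
SAME_RACK = {"ns1.example.com": ["203.0.113.10"], "ns2.example.com": ["203.0.113.11"]}
DIVERSE = {"ns1.example.com": ["198.51.100.10", "2001:db8:1::1"],
           "ns2.example.com": ["203.0.113.20", "2001:db8:2::1"]}
SOA_OK = "ns1.example.com. hostmaster.example.com. 2024010101 3600 600 1209600 300"
SOA_BAD = "ns1.example.com. hostmaster.example.com. 2024010101 60 60 86400 0"
```

Feed it the output of your own lookups: SAME_RACK comes back as a warning because both addresses fall in one /16, DIVERSE is fine, and SOA_BAD flags every timer as out of range.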
How to fix it (free, ~15 minutes)
This part is for whoever manages your domain or DNS — if that’s not you, hand them this section. The fix is free; we only charge to monitor that it stays fixed.
Step 1 — Make sure you have at least two nameservers on diverse infrastructure.
- Check what you have today. Run dig NS yourdomain.com (or use any “DNS lookup” web tool) and read off the nameservers. Two or more is the minimum.
- If you only have one, or both are on a single small host, move your DNS to a provider that gives you redundancy by default. Practically every serious provider does:
- Cloudflare — assigns two nameservers spread across its global Anycast network automatically when you add a domain.
- AWS Route 53 — each hosted zone gets four nameservers across separate Route 53 networks.
- Google Cloud DNS / Microsoft 365 / Azure DNS — similarly provision multiple nameservers across independent infrastructure.
- To switch, set your domain’s nameservers at your registrar (where you bought the domain — e.g. Blacknight, GoDaddy, Namecheap) to the ones your new DNS provider gives you. This change can take 24–48 hours to fully propagate.
- For belt-and-braces resilience, larger or higher-risk businesses can run secondary DNS from a second independent provider (e.g. Cloudflare + Route 53, or NS1 + Cloudflare). For most small businesses this is optional — a single reputable provider already gives you real cross-network redundancy.
Step 2 — Check (and if needed, fix) your SOA timers.
- Run dig SOA yourdomain.com and read off the refresh, retry, expire and minimum-TTL values.
- Compare them against the ranges above. In the vast majority of cases your DNS provider has already set sensible defaults and there is nothing to do.
- If a value is out of range, fix it where your DNS is hosted:
- On managed providers (Cloudflare, Route 53, Google, Azure) the SOA is largely handled for you; you generally adjust it through the provider’s DNS settings or support rather than editing it by hand.
- On a self-run nameserver (BIND, PowerDNS) edit the SOA line in the zone file directly and reload the zone — remembering to bump the serial number so secondaries pick up the change.
- After any change, re-run the lookups to confirm both the nameserver list and the SOA timers look right.
Common mistakes
- Treating “two names” as “two networks.” Two nameserver names that resolve to the same box or rack are a single point of failure wearing a disguise. What matters is independent network paths, not the count of names.
- Assuming more is always better, with no diversity. Five nameservers all on one fragile host are no safer than one. Diversity beats quantity.
- Setting timers too aggressively. Cranking SOA refresh or minimum-TTL right down to “make changes instant” just hammers your nameservers and can make outages worse, with little real benefit. Sensible defaults already balance speed against load.
- Setting expire too low. If secondaries stop serving your zone too soon during a primary outage, a recoverable blip becomes a full outage. Keep expire in the weeks range.
- Editing a zone by hand and forgetting the serial number. On self-run nameservers, secondaries only pick up changes when the SOA serial increases. Change records but leave the serial alone and your “fix” never propagates.
- Leaving DNS on the domain registrar’s bare default. Some registrars’ built-in DNS is a single, minimal setup. Moving DNS to a real provider usually gives you redundancy and sane SOA timers in one move.
Bottom line
Your nameservers and their SOA record are the foundation everything else sits on. Two nameservers on genuinely separate networks mean a single failure can’t take your whole business offline at once; sensible SOA timers mean the changes you make actually reach the world promptly. Both are free to get right, both are usually already in good shape the moment you’re on a proper DNS provider, and both are worth a two-minute check — because the day they matter is the day you can least afford them to be wrong.
FAQ
I'm not technical — is this something I can sort myself?
You don't need to understand DNS internals. Nameserver diversity is usually handled for you the moment you put your domain on a real DNS provider (Cloudflare, AWS Route 53, your host) — they give you two or more nameservers across their network automatically. The SOA timers are normally set sensibly by default too. The job is mostly checking what you've got and, if you're on a single fragile setup, moving to a provider that gives you redundancy. Hand the “How to fix it” section above to your web person or IT provider — the fix is free.
What's the difference between the two things this page checks?
Two related parts of the same foundation. The first — nameserver diversity — is about resilience: do you have at least two nameservers, and do they sit on genuinely different parts of the network so one failure can't take them all out? The second — the SOA record — is about timing: it holds the clock values that tell the rest of the internet how long to trust and cache your DNS answers. One is 'don't put all your eggs in one basket'; the other is 'set the timers so changes flow through cleanly.'
I have two nameservers from the same company — is that good enough?
Usually yes, if that company is a serious DNS provider. Big providers like Cloudflare, Google and AWS run their nameservers across many separate networks and locations worldwide, so two names from them genuinely sit on independent infrastructure — that's real redundancy. The risk case is a single small host where both 'nameservers' are really the same box or same rack. If you want belt-and-braces, you can run nameservers from two independent providers, but for most small businesses a single reputable DNS provider is plenty.
What does the SOA 'refresh' or 'expire' value actually do to my business?
Those are timers that tell other DNS servers how long to wait before re-checking your records, and how long to keep serving them if they can't reach you. Set too high and a change you make — a new server IP, a new email provider, an emergency redirect — takes far longer to reach everyone. Set too low and your nameservers field needless extra traffic. Sensible defaults (refresh measured in hours, expire in weeks) keep changes flowing promptly while staying robust during an outage. Most providers set these correctly out of the box.
Does this change my grade, and how much?
Yes, both parts count toward your DNS score. Having fewer than two nameservers is treated as a serious gap because it's a single point of failure for your entire online presence. A misconfigured SOA is a more moderate issue — it doesn't take you offline, but it slows down your ability to respond when something changes. Both are free to fix and, for most businesses, are already in good shape once you're on a proper DNS provider.
Is there a catch — do I have to pay you to fix this?
No. Getting redundant nameservers and sane SOA timers is free at every major DNS provider, and the steps in the “How to fix it” section above are all you need. We only charge if you later want us to keep watching your domain and alert you if the redundancy ever drops back to a single point of failure or the timers drift.