DNS Failover

Security Glossary - DNS

Definition: DNS failover is a technique that automatically redirects traffic away from a failed server by changing DNS records when a health check detects the primary server is down. A monitoring system checks server health at regular intervals and updates DNS records to point to a backup server if the primary becomes unresponsive.

The Importance of DNS Failover

DNS failover provides basic high availability without requiring a dedicated load balancer. When your primary server goes down, the monitoring system updates the DNS record to point to a backup server, and new visitors are directed to the working server. This is simpler and cheaper than load balancer setups for smaller sites.

However, DNS failover has limitations. The failover time depends on the TTL of the DNS record. With a 300-second TTL, it can take up to 5 minutes for all visitors to reach the backup server after the primary fails. Some DNS resolvers cache aggressively beyond the TTL, extending the failover time further.

DNS failover works best as one layer in a reliability strategy. For fast failover (under 30 seconds), an application-level load balancer or anycast routing is needed. DNS failover is best suited for less time-sensitive services or as a secondary failover mechanism behind other HA systems.

How to Verify

If you use DNS failover, verify that health checks are running against the correct endpoints and that the backup server is actually available. Test failover by temporarily taking down the primary and verifying traffic redirects within the expected time based on your TTL settings.
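A minimal failover controller illustrating the loop described above, added here as an example (it is not DomainOptic's code and does not use any real provider's API): consecutive-failure and recovery thresholds keep a single flaky check from flapping the record, and `worst_case_failover_seconds` gives the detection-plus-TTL bound to compare against when testing. `update_record` is an assumed callback standing in for a DNS provider's record-update call; the addresses in the usage are constructed from the 192.0.2.0/24 documentation range.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class FailoverController:
    """Health-check loop that repoints an A record to a backup when the primary fails."""
    # update_record(address, ttl) is an assumed callback standing in for a DNS
    # provider's record-update API; it is not a real library call.
    primary: str
    backup: str
    ttl: int                      # seconds; resolvers may serve the old answer this long
    check_interval: int           # seconds between health checks
    failure_threshold: int = 3    # consecutive failures before failing over (avoids flapping)
    recovery_threshold: int = 2   # consecutive successes before failing back
    active: str = field(init=False)
    _failures: int = field(default=0, init=False)
    _successes: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        self.active = self.primary

    def observe(self, primary_healthy: bool, update_record: Callable[[str, int], None]) -> str:
        """Consume one health-check result; return the address the record now targets."""
        if primary_healthy:
            self._failures, self._successes = 0, self._successes + 1
            if self.active != self.primary and self._successes >= self.recovery_threshold:
                self.active = self.primary
                update_record(self.active, self.ttl)  # fail back to the primary
        else:
            self._successes, self._failures = 0, self._failures + 1
            if self.active != self.backup and self._failures >= self.failure_threshold:
                self.active = self.backup
                update_record(self.active, self.ttl)  # fail over to the backup
        return self.active

    def worst_case_failover_seconds(self) -> int:
        """Detection delay plus TTL: the bound to test against; resolvers that cache
        beyond the TTL can exceed it."""
        return self.failure_threshold * self.check_interval + self.ttl


def run_checks(ctrl: FailoverController, results: List[bool]) -> List[Tuple[str, int]]:
    """Feed a sequence of health-check results; return the DNS updates issued."""
    updates: List[Tuple[str, int]] = []
    for healthy in results:
        ctrl.observe(healthy, lambda addr, ttl: updates.append((addr, ttl)))
    return updates
```

With a 10-second check interval, three failures to trigger and a 60-second TTL, the bound is 90 seconds; a failover test that takes longer points at resolvers caching past the TTL or at the health check itself.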


DNS Failover FAQ

How fast is DNS failover?

Failover time is bounded by the DNS record's TTL. With a 60-second TTL, most traffic redirects within 1-2 minutes. With a 3600-second TTL, it can take up to an hour. Set low TTLs (60-300 seconds) on records used for failover.

What are the alternatives to DNS failover?

For faster failover: use a load balancer (AWS ALB, Cloudflare, Nginx) that detects failures in seconds. For global distribution: use anycast routing or a CDN. DNS failover is best for simple setups where a few minutes of failover time is acceptable.
The Most Important Thing: DNS failover works best with low TTL values (30-60 seconds) so resolvers pick up changes quickly. Combine DNS-based failover with health checks for automatic detection, but be aware that cached DNS records mean some users will still hit the failed server until their cache expires.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.