DNS Failover


The DNS failover feature automatically detects if any of your server's DNS records are unavailable due to internal server or network outages. It does so with proactive monitoring and health checks, and automatically steers your domain traffic toward healthy and reliable servers. It increases the uptime of your digital services or CDN without any instability or downtime.

Prevent service disruptions and increase uptime with enhanced failover monitoring and mapping.

ManageEngine CloudDNS offers failover support for the following records: A, AAAA, ALIAS, and CNAME records. Enabling failover support for a record lets you choose or specify backup resource records. These backup records are used only when the primary records in question become unavailable.

Load balancer


The load balancer serves as an essential intermediary between end users and DNS servers to improve resource availability and boost application responsiveness by intelligently distributing traffic across geographically dispersed servers. By configuring an appropriate load balancing strategy for your DNS records, you can delight your end users with an outstanding application experience.

Avoid website downtime by efficiently distributing traffic across redundant servers.

When creating A, AAAA, ANAME, CNAME, or ALIAS-type records for a domain, it's mandatory to specify a mode for the record. This mode indicates the type of load balancing strategy applicable for the record. The record mode is set as either standard, failover, or round robin.


The standard record mode specifies no special configurations for a record.


The failover record mode option is available only for A, AAAA, CNAME, or ANAME records. This mode ensures redundancy for these records to boost their availability and resiliency. Choosing this mode requires that you add multiple IPs/hostnames for the failover configuration. CloudDNS offers two options for specifying priority levels among endpoints: 1) Weight-based failover record mode and 2) Priority-based failover record mode.

Weight-based failover option

The weight-based failover option allows you to route traffic to multiple hosts under a single domain in various proportions, based on the weights assigned to each host. Weights are positive integers between 1 and 255 and determine the amount of traffic routed to each resource, with higher weights indicating higher priority.

Each host is assigned a relative weight that decides the amount of traffic that is to be sent to each host compared to the other active hosts in the group. CloudDNS serves the query based on the host's weight as a proportion of the total weight for all the active hosts in the group. With this approach, you can seamlessly scale up or down and balance the distribution of traffic among the group of active hosts.

Priority-based failover option

The priority-based failover option lets you assign priority levels to each of your hosts configured under the record. These priority levels are positive integers between 1 and 255, with the highest number indicating the highest priority. No two hosts can share the same priority level. If the active host with the highest priority experiences an outage and becomes unavailable, the host with the next highest priority level will seamlessly take over to serve the queries for the domain.

To ensure only healthy endpoints are associated, it is also mandatory to specify a suitable monitor along with these configurations.
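The two failover modes described above can be modelled in a few lines. This is an added example, not CloudDNS code: the host pool, the `health` map standing in for monitor results, and all function names are assumptions made for illustration.

```python
from fractions import Fraction
import random

# Constructed sample pool; addresses are documentation ranges, values are
# the per-host weight or priority (1-255) described above.
HOSTS = [
    {"addr": "192.0.2.10", "value": 3},
    {"addr": "198.51.100.20", "value": 2},
    {"addr": "203.0.113.30", "value": 1},
]

def validate(hosts, mode):
    """Enforce the 1-255 range and, in priority mode, unique levels."""
    values = [h["value"] for h in hosts]
    if any(not 1 <= v <= 255 for v in values):
        raise ValueError("weight/priority must be between 1 and 255")
    if mode == "priority" and len(set(values)) != len(values):
        raise ValueError("two hosts cannot share a priority level")

def active(hosts, health):
    """Keep hosts the monitor reports healthy; unknown status counts as down."""
    return [h for h in hosts if health.get(h["addr"], False)]

def weighted_shares(hosts, health):
    """Each active host's share = its weight / total weight of active hosts."""
    validate(hosts, "weight")
    live = active(hosts, health)
    total = sum(h["value"] for h in live)
    return {h["addr"]: Fraction(h["value"], total) for h in live}

def pick_weighted(hosts, health, rng=random):
    """Answer one query in weight-based mode; None when nothing is healthy."""
    shares = weighted_shares(hosts, health)
    if not shares:
        return None
    return rng.choices(list(shares), weights=[float(s) for s in shares.values()])[0]

def pick_priority(hosts, health):
    """Answer with the healthy host holding the highest priority number."""
    validate(hosts, "priority")
    live = active(hosts, health)
    return max(live, key=lambda h: h["value"])["addr"] if live else None

if __name__ == "__main__":
    up = {h["addr"]: True for h in HOSTS}
    print(weighted_shares(HOSTS, up), pick_priority(HOSTS, up))
    up["192.0.2.10"] = False          # monitor marks the top host down
    print(weighted_shares(HOSTS, up), pick_priority(HOSTS, up))
```

When a host drops out, the remaining weights are renormalised over the hosts still active, which is why a failed endpoint shifts its share to the others rather than leaving a gap.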



ManageEngine CloudDNS offers essential traffic-steering filters to create a customized online experience for your end users that's optimized for their location and network. GeoDNS can be set for A, AAAA, ALIAS, CNAME, and ANAME records.

Customize your end users' online experience with smart traffic-steering policies.


Geo-filters are location-based traffic-steering filters that serve to return DNS responses that are physically closest to the requester—thereby ensuring 100% uptime and low latency. This is useful for global digital business services with visitors all around the globe.

AS filters

Applying an AS filter for a specific record will cause all end users to receive a response from that specific record if the Autonomous System (AS) number of their IP matches the AS list configured under the filter.

IP filters

IP filters are rules you can apply to your DNS records. If the end user meets the filter's requirements, they'll receive a DNS response with this record. The filter identifies a specific group of IP addresses and steers traffic to a specific domain. This filter is most beneficial when you want to limit access to specific content based on IP addresses.

Vanity Nameservers


Vanity name servers enable organizations to rebrand CloudDNS name servers by branding them to a personalized domain of their choice, masking CloudDNS as the original host or DNS provider.

Scale your branding deep into your technology stack

Establish your business as a premium brand by wrapping your brand name onto CloudDNS's target name servers while extending services to your clients without the obligation to mention your original host or DNS provider. Customize branded name servers in the answers to WHOIS as well as in the domain's NS records.

Quick and efficient changes across a large number of domains

Efficiently manage domains on a large scale, in the hundreds or thousands, by deploying vanity nameserver templates with a single action. Vanity nameservers are available under all plans of ManageEngine CloudDNS, including the free plan.

DNS Records


DNS records, or zone files, carry vital information about your domains. ManageEngine CloudDNS offers complete DNS management support for A, AAAA, CNAME, ALIAS, ANAME, CAA, DS, MX, NS, PTR, SPF, SRV, and TXT records.

Add any type of new record as your requirements grow.

Domain query reports and statistics

ManageEngine CloudDNS offers advanced analytics with detailed stats for essential profiles, like specific zones, record types, response types, and a country-specific query count. For each zone, the platform captures the total number of queries and queries per second, along with the maximum, minimum, total, and mean query load of each zone on an hourly basis.

For each zone, segmented analytics are presented across a time slice in the form of query counts for each record type in the zone, query counts for each response code delivered, querying domains under a specific zone, and country-specific query counts for domains under a specific zone. A deeper view into each response code or query type yields stats concerning a specific domain under a zone, including queries per second, total queries, hourly query load, and a country-specific query count. These in-depth analytics offer a complete picture of each domain's DNS performance.

Track advanced DNS query statistics for rapid visibility of DNS delivery and infrastructure.

The captured historical stats are packaged in a list view, as well as presented visually via donut plots for instant insights. These detailed DNS stats are viewable only under the Analytics menu in the far-left menu bar. They are extremely useful for effective troubleshooting, building business intelligence, intuitive capacity planning, generating ROI reports, and deducing performance metrics—thereby supporting maximum optimization of the DNS server infrastructure for efficient and rapid global app delivery.



The recursive resolvers providing name resolution services for the local end users may cache forged (false) responses due to cache poisoning, which may lead to bad actors spoofing your domain by directing your traffic to a fake domain, or intercepting and flushing your resource records and causing several query failures and denials of service. The Domain Name System Security Extensions (DNSSEC) is a special protocol that serves to preserve the integrity of your domain by using cryptographic signatures.

To avoid such attacks, DNSSEC performs data origin authentication and data integrity verification on the name/address resolution responses the resolvers receive from authoritative sources when requested by end users.

Prevent your users from accessing false DNS records.

Data origin authentication

This enables the resolver to use the cryptographic keys associated with the response to confirm if the origin of the data it received matches with that of the specific zone where it believes the data originated.

Data integrity verification

This enables the resolver to validate that the data hasn't been modified in transit, because the data was originally signed by the zone owner with the zone's private key.

ANAME Records

ANAME records serve as an alias to your digital service's apex or root domain. They're just like CNAME records but are configured only to point to a domain at the root level. Unlike CNAME, ANAME automatically resolves into an IP address. When your end users request a domain configured with an ANAME record, their browsers receive a response with an IP address.

Customize your root domain with ANAME records.



The ManageEngine CloudDNS REST API enables you to interact with your DNS infrastructure and manage core DNS services with your own code. The API serves as a powerful tool when automating DNS queries in bulk over multiple records of a domain at once. If you have a lot of data to upload, you can reflect and synchronize the updates made offline with bulk updates to the servers. You can group multiple API calls together into a single HTTP request.

Use the developer-friendly REST API to manage your DNS services.

Automate DNS configurations with the necessary endpoints to perform REST operations on your zone files.

CAA Records


CAA records, also known as Certificate Authority Authorization records, enable you to authorize one or multiple Certificate Authorities (CAs) that you find trustworthy for the issuance of your domain's SSL certificates.

Guard your domain against the issuance of fraudulent certificates.

CAs check for the presence of a CAA record. If found, they verify whether they're authorized by the domain owner before issuing certificates for a specific domain. If your domain does not possess any CAA records, any CA can issue a certificate for the domain, compromising the integrity and identity of your domain. However, if CAA records for other CAs exist, an unlisted CA is prohibited from issuing a certificate for the domain. This ensures your end users can interact and engage in commerce online with your domain safely and confidently.
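The check a CA performs can be sketched as follows. This is an added example, not CloudDNS or CA code: it follows the RFC 8659 rules for non-wildcard names only, goes slightly beyond the paragraph above by including the climb toward the parent domain and the critical flag, and uses a constructed `ZONE` with hypothetical CA names.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed CAA data: name -> list of (flags, tag, value).
ZONE = {
    "example.com": [
        (0, "issue", "ca-one.example"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # An empty issuer (";") means no CA may issue for this name.
    "locked.example.com": [(0, "issue", ";")],
}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the first name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(ca_domain, fqdn, zone):
    """Return True if CAA does not forbid ca_domain issuing for fqdn."""
    rrset = relevant_rrset(fqdn, zone)
    # A critical (flag bit 0x80) property the CA does not understand
    # forbids issuance outright.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False
    # The issuer domain is the part of the value before any ";parameters".
    issuers = [
        value.split(";", 1)[0].strip().lower()
        for _, tag, value in rrset
        if tag.lower() == "issue"
    ]
    if not issuers:
        return True  # no CAA records, or none that restrict issuance
    return ca_domain.lower() in issuers

if __name__ == "__main__":
    for ca, name in [
        ("ca-one.example", "www.example.com"),
        ("ca-two.example", "www.example.com"),
        ("ca-one.example", "api.locked.example.com"),
        ("ca-two.example", "www.example.org"),
    ]:
        print(ca, name, may_issue(ca, name, ZONE))
```

The last case shows why publishing at least one CAA record matters: a domain with none places no restriction on any CA.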

Zone Transfers


Zone transfers are the mechanism through which zone files from primary servers are updated across secondary DNS servers that belong to a particular zone.

ManageEngine CloudDNS supports only full zone transfers by using the AXFR protocol. Zone transfers are generally initiated by secondary servers that frequently poll primary servers. When updates in the primary DNS server's zone files are detected, secondary servers work to remain in sync with the updates of the primary zone servers.

Propagate changes within redundant servers with hassle-free zone transfers.

Primary AXFR

You can enable ManageEngine CloudDNS as the primary DNS provider in parallel with other primary DNS providers, or enable it to serve as the master servers to the secondary servers, along with other primary providers. With this zone transfer, only the zone files with basic data are updated in the secondary servers. Secondary zones don't receive advanced configurations like GeoDNS, failover, and monitoring/health checks. Only the zone files that are RFC 1035 compliant are updated in the secondary servers.


Enabling ManageEngine CloudDNS as your secondary DNS provider makes it responsible for initiating zone transfers. As the Secondary Zone server, it frequently polls your primary servers with other DNS providers. When updates in primary DNS servers' zone files are detected, the secondary servers work to remain in sync with the updates of the Primary Zone Servers. During this transfer, secondary DNS servers retain a read-only copy of the zone files from the primary DNS service provider. A specific secondary DNS can also act as the primary DNS for other secondary DNS servers.

In addition to redundancy, deploying ManageEngine CloudDNS as your secondary DNS service with a wide global anycast network will ensure that customers are directed to the closest healthy server for the best web experience.

Domain notifications


Broadcast crucial auto-signals in case of failover and domain changes.

With ManageEngine CloudDNS you can push asynchronous notifications for the following events:

  • When there are changes in your domain
  • Whenever a failover takes place
  • When specific changes or incidents need to be addressed by associated team members

Security audit with tracking


The audit feature enables you to execute regular security audits on the DNS infrastructure to test and continuously evaluate the overall security posture of your domains and the operations performed on them. Using the security audit logs, you can track events in the DNS infrastructure, such as changes to the DNS configurations made per user, per domain, or even per the types of operations made within a specific time window.

Get a timestamped, detailed picture of users' activities in each of your domains.

Regularly reviewing your DNS infrastructure's security logs helps you ensure that the access control mechanisms are performing adequately, determine whether employees are sticking to your security practices, and catch new potential security weaknesses.

Monitoring check integrations


ManageEngine CloudDNS's monitoring check integrations enable you to protect your domain from DDoS, ransomware, malware, and any other DNS attacks that compromise your DNS infrastructure and cause massive service outages. They do so by proactively monitoring for discrepancies in your network. To deliver optimal responses, health monitors check whether the servers are operating at peak performance and quickly reconfigure DNS servers based on the health reports.

Keep your domain ever-ready and attack-resilient with advanced monitoring, automation, and reporting capabilities.

The health monitoring system runs quick monitoring checks over multiple protocols like website protocols (HTTPS and HTTP), TCP, DNS, and ICMP (Ping) to monitor the network for active failover events at frequent check intervals from several vital vantage points. If you want the IPs/hostnames in your network to be monitored for active failover events, you'll need to configure monitoring checks. You can run these monitoring checks for free and keep receiving status feedback at any moment from any of the locations in our network.

If the health monitor discovers any unhealthy resources while monitoring, it automatically troubleshoots networks by updating DNS failover configurations with healthy and high-performing resource records, thereby making the networks flexible enough to adapt quickly. It also automates the delivery of instant alerts and analytic reports to the concerned contact groups via email if failover events are detected in any of the monitors created.

Sub-user permissions


Enable access for multiple users by specifying individual permissions per domain or for specific services, like monitoring checks, filters, and so on. This includes a full security audit to track changes made per user.

Configure permissions that allow multiple users to access specific domains or subdomains.

ManageEngine CloudDNS offers two roles: Admin and Operator. Admins do not have any restrictions for access and configurations, while operators can be given access permissions and control by the Admin over specific domain(s).

Two-factor authentication


With two-factor authentication (2FA), it's possible for every ManageEngine CloudDNS user to secure their account beyond just their traditional usernames and passwords. This feature protects your account by requiring verification for a second authentication factor for secured access to your account. All you need is a mobile device capable of running a compatible mobile authenticator application.

Add an extra layer of security for your accounts by providing another real-time code for authentication.

Coupling your traditional username and password with a time-sensitive code from any TOTP-enabled authenticator mobile app in the market every time you log in adds an extra layer of security to your account. ManageEngine CloudDNS supports a variety of mobile authenticator apps, like Google Authenticator, Zoho's OneAuth, Authy, and more. CloudDNS also provides the option to disable TOTP authentication during subsequent access to CloudDNS if you have already logged into your Zoho account.