This article describes the purpose of Secondary DNS and outlines how to configure Secondary DNS using Cloudflare.
Secondary DNS
Secondary DNS allows Cloudflare to act as a Secondary DNS provider to another organization's Primary DNS. With Secondary DNS, DNS entries are edited in a system outside of Cloudflare and changes are transferred to Cloudflare's infrastructure. If the current DNS provider does not support Zone Transfer, Cloudflare cannot become a Secondary DNS provider.
Prerequisites
1. Contact your Cloudflare Account team to request Secondary DNS.
2. Update configuration parameters at the primary DNS provider:
- Allow zone transfer traffic to the Primary DNS servers on port 53
- Update your Access Control Lists (ACLs)
3. In the Cloudflare Overview app for the domain requiring Secondary DNS:
- Identify the Cloudflare Account ID.
- Identify the Cloudflare Zone ID.
- Note the two Cloudflare Nameservers.
4. Determine the configuration parameters from the Primary zone:
- Primary IP Address - The IP address that Cloudflare should accept Zone Transfers from.
- Zone transfer type - Will zone transfers be full (AXFR) or incremental (IXFR)?
- (Optional) TSIG Secret - The secret string used to authenticate zone transfers.
- (Optional) TSIG Algorithm - The algorithm used to authenticate zone transfers.
5. If you want DNSSEC available for your secondary zone, you will need one of the following setups (reach out to your account team for more details):
- Hidden primary: Since Cloudflare secondary nameservers are the only nameservers listed at your registrar, Cloudflare can sign records as needed.
- Pre-signed zones: If your primary DNS provider signs records and transfers them, Cloudflare serves records and does not do any signing. Cloudflare only supports NSEC records (and not NSEC3 records) and this setup does not support Secondary Overrides.
- Multi-signer DNSSEC: Both Cloudflare and your primary DNS provider know the signing keys of the other provider and perform their own online signing.
Once the list of prerequisites has been completed, configure the Secondary Zone at Cloudflare.
Configure a Secondary Zone through the Cloudflare API
Configure Secondary DNS via the Cloudflare API using a command-line utility like cURL or a browser plugin such as Postman. Refer to the Cloudflare API documentation for full examples of the supported API methods.
For each POST example provided in the steps below, replace :account_tag with the Account ID identified from the Prerequisites section of this article:
Create a secondary zone through the Create Zone API by setting type to secondary:
curl -X POST "https://api.cloudflare.com/client/v4/zones" \
  -H "X-Auth-Email: [email protected]" \
  -H "X-Auth-Key: yourapikeyhere" \
  -H "Content-Type: application/json" \
  --data '{"name":"examplesecondaryzone.fyi","account":{"id":"accountidhere"},"jump_start":true,"type":"secondary"}'
In the example request below, name and secret must be provided by the primary DNS provider and algo must reflect the correct TSIG algorithm from the Primary DNS server. The TSIG name must be lowercase to prevent zone transfer failures.
POST https://api.cloudflare.com/client/v4/accounts/:account_tag/secondary_dns/tsigs/
{"name": ":tsig_secret_name", "secret": ":tsig_secret_string", "algo": "hmac-sha512"}
A successful POST request will respond with an id. Include this id when adding a Primary server.
Multiple Primary nameservers can be added via the Cloudflare API.
POST https://api.cloudflare.com/client/v4/accounts/:account_tag/secondary_dns/primaries/
{"ip": ":primary_ip", "port": 53, "ixfr_enable": true, "tsig_id": ":tsig_tag"}
- :primary_ip is the IPv4/IPv6 address of the Primary nameserver.
- ixfr_enable set to true enables incremental (IXFR) zone transfers. The default is a full transfer (AXFR).
- :tsig_tag (optional) is the id returned in the previous step, if a TSIG was configured.
A successful POST request will respond with an id for the Primary DNS server, which must be included when creating a Secondary Zone via the Cloudflare API.
POST https://api.cloudflare.com/client/v4/zones/:zone_tag/secondary_dns/
{"id": ":zone_tag", "name": ":zone_name", "primaries": [ ":zone_primary_tag" ], "auto_refresh_seconds": 86400 }
- :zone_tag is the Zone ID of the domain configured for Secondary DNS.
- :zone_name is the domain name configured for Secondary DNS.
- :zone_primary_tag is the list of Primary IDs created in the previous step.
To trigger a full zone transfer (AXFR) from the primary once the secondary zone is configured, send a POST with the force_axfr parameter:
curl -X POST "https://api.cloudflare.com/client/v4/zones/:zone_tag/secondary_dns?force_axfr=true" \
  -H "X-Auth-Email: [email protected]" \
  -H "X-Auth-Key: yourapikeyhere" \
  -H "Content-Type: application/json"
:zone_tag is the Zone ID of the domain configured for Secondary DNS.
See full zone transfer details in the API documentation.
Add Cloudflare's Secondary DNS Nameservers to the existing nameservers specified at your registrar. Review the instructions in the Prerequisites section above to locate the names of your Secondary Nameservers.
Add a TXT record at the primary DNS provider to test the transfer to Cloudflare's Secondary DNS servers. Then verify that the TXT record is visible when querying Cloudflare's nameservers. Replace nsNNN with the name of one of the Cloudflare Secondary DNS servers assigned to the domain:
dig @nsNNN.secondary.cloudflare.com :zone_name txt +short
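The API sequence above, as an added example that is not part of the original article: a small Python driver that chains the returned ids from the TSIG, primary and secondary zone calls and sends the forced AXFR, with the lowercase TSIG-name and primary-IP checks applied before anything reaches the API. The post() function, FakeAPI class and all ids, names and secrets are assumptions constructed for the example; only the endpoint paths and JSON fields come from the article.

```python
import ipaddress
import json

API = "https://api.cloudflare.com/client/v4"


def validate_tsig_name(name: str) -> str:
    # The article notes that a mixed-case TSIG name causes zone transfer failures; refuse it early.
    if name != name.lower():
        raise ValueError(f"TSIG name must be lowercase: {name!r}")
    return name


def configure_secondary(post, account_tag, zone_tag, zone_name, primary_ip,
                        tsig=None, ixfr=True, refresh=86400):
    """Run the article's POST sequence, chaining each returned id into the next call.
    post(url, body) is a caller-supplied HTTP function returning the parsed JSON response;
    tsig is an optional (name, secret, algo) tuple from the primary DNS provider."""
    ipaddress.ip_address(primary_ip)  # a mistyped primary IP raises ValueError here, not at transfer time
    primary = {"ip": primary_ip, "port": 53, "ixfr_enable": ixfr}
    if tsig:
        name, secret, algo = tsig
        created = post(f"{API}/accounts/{account_tag}/secondary_dns/tsigs/",
                       {"name": validate_tsig_name(name), "secret": secret, "algo": algo})
        primary["tsig_id"] = created["result"]["id"]       # id from the TSIG step feeds the primary
    created = post(f"{API}/accounts/{account_tag}/secondary_dns/primaries/", primary)
    zone = post(f"{API}/zones/{zone_tag}/secondary_dns/",
                {"id": zone_tag, "name": zone_name,
                 "primaries": [created["result"]["id"]],     # id from the primary step feeds the zone
                 "auto_refresh_seconds": refresh})
    post(f"{API}/zones/{zone_tag}/secondary_dns?force_axfr=true", None)  # kick off the first full transfer
    return zone


class FakeAPI:
    """Constructed offline stand-in for the Cloudflare API: records calls, hands back fake ids."""
    def __init__(self):
        self.calls = []

    def post(self, url, body):
        self.calls.append((url, body))
        return {"success": True, "result": {"id": f"fake-id-{len(self.calls)}"}}


if __name__ == "__main__":
    api = FakeAPI()
    configure_secondary(api.post, "ACCOUNT_TAG", "ZONE_TAG", "examplesecondaryzone.fyi",
                        "192.0.2.53", tsig=("cf-transfer-key", "CONSTRUCTED_SECRET", "hmac-sha512"))
    for url, body in api.calls:
        print("POST", url, json.dumps(body))
```

To run it against the real API, replace FakeAPI.post with a function that adds the X-Auth-Email and X-Auth-Key headers and returns the decoded JSON body.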
Configure a Secondary Zone through the Cloudflare Dashboard
1. Log into your Cloudflare account and click Add site in the Cloudflare dashboard.
2. Enter a site name, choose Secondary DNS, and click Add site.
3. Select the plan type.
4. Add a DNS primary server via the Cloudflare dashboard:
- Click your profile in the top right and select Account Home.
- Select Configurations from the top navigation.
- Select Secondary DNS from the navigation bar on the left.
- Click Create.
- In the Create DNS primary server settings, enter the IP address and Port.
- (Recommended) Configure TSIG by clicking Link a new TSIG and entering the Name, Secret, and Algorithm provided by your primary DNS provider. To prevent zone transfer failures, enter the TSIG name in lowercase.
- Click Continue.
- Confirm the linked DNS primary servers and add a refresh value in seconds.
- Click Continue.
5. Review the list of transferred records and click Continue.
If a warning message appears, the transfer was unsuccessful. Common reasons for transfer failures include:
- The Access Control List was improperly configured on the primary server,
- The TSIG was misconfigured, or
- The IP address of the primary DNS server was mistyped.
Click Initiate zone transfer after making the necessary changes.
6. Add secondary nameservers to your registrar and click Done, check nameservers.
Set up notifications for Secondary DNS transfers
To increase the reliability of your Secondary DNS, create transfer notifications to let you know when you need to fix potential issues.
To create transfer notifications:
1. Log into your account.
2. Navigate to Notifications.
3. Click Add.
4. Choose Select next to one of the following notifications:
- Secondary DNS all Primaries Failing: None of your primaries are completing a zone transfer
- Secondary DNS Primaries Failing: Your primaries are partially failing to complete a zone transfer
- Secondary DNS Successfully Updated: Your secondary zone transfer has succeeded
5. Add a name, description, and other contact information.
6. Click Create.
Access Control List (ACL) configuration
Before setting up Secondary DNS, you need to update your Access Control Lists (ACLs) to include the following Cloudflare IPs.
Allow Ranges
Cloudflare's AXFR/IXFR requests originate from the following IP prefixes:
- 198.41.144.240/28
- 198.41.150.240/28
- 2a06:98c0:3601::/48
- 2a06:98c0:1401::/48
Notify IPs
Notify IPs are the addresses your Primary DNS server sends DNS NOTIFY messages to, so that Cloudflare's Secondary DNS initiates a pull of new zone information from your Primary DNS servers:
- 172.65.30.82
- 172.65.50.145
- 2606:4700:60:0:317:26ee:3bdf:5774
- 2606:4700:60:0:35a:4be3:4144:c5ee
BIND server configuration
To run a BIND server as a primary, add the following statements to the zone statement in your BIND configuration (each statement and each list entry must end with a semicolon):
allow-transfer { 198.41.144.240/28; 198.41.150.240/28; 2a06:98c0:3601::/48; 2a06:98c0:1401::/48; };
also-notify { 172.65.30.82; 172.65.50.145; 2606:4700:60:0:317:26ee:3bdf:5774; 2606:4700:60:0:35a:4be3:4144:c5ee; };
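As an added example that is not part of the original article, a Python audit that reads the allow-transfer and also-notify statements from a BIND zone stanza and compares them with the Cloudflare ranges listed in this section, flagging a missing prefix, a wider-than-necessary entry (such as any or 0.0.0.0/0, which lets any host pull the zone) or a wrong notify address. The zone stanzas GOOD and BAD are constructed sample input; the zone name and file path in them are assumptions.

```python
import ipaddress
import re

# Reference values copied from the article's ACL section.
CF_TRANSFER_PREFIXES = ["198.41.144.240/28", "198.41.150.240/28",
                        "2a06:98c0:3601::/48", "2a06:98c0:1401::/48"]
CF_NOTIFY_IPS = ["172.65.30.82", "172.65.50.145",
                 "2606:4700:60:0:317:26ee:3bdf:5774", "2606:4700:60:0:35a:4be3:4144:c5ee"]


def parse_list(config: str, statement: str) -> list:
    """Return the entries of `statement { a; b; };` found in a BIND config fragment."""
    m = re.search(re.escape(statement) + r"\s*\{([^}]*)\}", config)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else []


def audit(config: str) -> dict:
    """Compare allow-transfer and also-notify against the published Cloudflare values."""
    f = {"missing_transfer": [], "extra_transfer": [], "missing_notify": [], "extra_notify": []}
    expected = [ipaddress.ip_network(p) for p in CF_TRANSFER_PREFIXES]
    nets, other = [], []
    for e in parse_list(config, "allow-transfer"):
        try:
            nets.append(ipaddress.ip_network(e, strict=False))
        except ValueError:
            other.append(e)  # 'any', 'localnets', 'key foo'...: not an address, report it for review
    for net in expected:  # every Cloudflare prefix must be covered by some configured network
        if not any(net.version == n.version and net.subnet_of(n) for n in nets):
            f["missing_transfer"].append(str(net))
    # Anything that is not exactly one of the Cloudflare prefixes is either a wider range
    # (0.0.0.0/0 or 'any' lets anyone pull the whole zone) or unrelated to this setup.
    f["extra_transfer"] = other + [str(n) for n in nets if n not in expected]
    notify = {ipaddress.ip_address(e.split()[0]).compressed for e in parse_list(config, "also-notify")}
    want = {ipaddress.ip_address(a).compressed for a in CF_NOTIFY_IPS}
    f["missing_notify"], f["extra_notify"] = sorted(want - notify), sorted(notify - want)
    return f

# Constructed sample zone statements: GOOD matches the article, BAD drops one prefix and adds 'any'.
GOOD = """zone "example.test" {
    type primary;
    file "/var/named/example.test.db";
    allow-transfer { 198.41.144.240/28; 198.41.150.240/28; 2a06:98c0:3601::/48; 2a06:98c0:1401::/48; };
    also-notify { 172.65.30.82; 172.65.50.145; 2606:4700:60:0:317:26ee:3bdf:5774; 2606:4700:60:0:35a:4be3:4144:c5ee; };
};"""
BAD = GOOD.replace("allow-transfer { 198.41.144.240/28; 198.41.150.240/28;", "allow-transfer { any; 198.41.144.240/28;")

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(cfg))
```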