Configuring Secondary DNS

Cloudflare Support
()
Follow

This article describes the purpose of Secondary DNS and outlines how to configure Secondary DNS at Cloudflare.

What is Secondary DNS?

Secondary DNS is available for domains on Enterprise plans.

Secondary DNS allows Cloudflare to act as a Secondary DNS provider to another organization's Master DNS. With Secondary DNS, DNS entries are edited in a system outside of Cloudflare and changes are transferred to Cloudflare's infrastructure.  If the current DNS provider does not support Zone Transfer, Cloudflare cannot become a Secondary DNS provider.

Secondary DNS domains cannot use the Cloudflare proxy or any Cloudflare features.

Prerequisites

1. Contact your Cloudflare Account team to request Secondary DNS.

Before configuring Cloudflare as your Secondary DNS provider, allow traffic to the Master DNS servers from port 53 and update your Access Control Lists. The Allow Ranges are where Cloudflare's AXFR requests originate and Notify IPs are the IP addresses where you notify Cloudflare's Secondary DNS to initiate a pull of new zone information from your Master DNS servers.

Allow Range: 

  • 162.158.64.0/21
  • 198.41.150.0/23
  • 198.41.152.0/22
  • 198.41.246.0/23
  • 198.41.250.0/24
  • 198.41.252.0/24
  • 2a06:98c0:1400::/48
  • 2a06:98c0:1401::/48
  • 2a06:98c0:3600::/48
  • 2400:cb00:36::/48
  • 2606:4700:1101::/64

Notify IPs: 

  • 198.41.246.49
  • 2a06:98c0:3600::53

Consult your DNS provider's documentation for instructions on configuring the Master zone.

When configuring your Master DNS settings, choose TCP notify over UDP to minimize the chances of packet loss.

2. In the Cloudflare Overview app for the domain requiring Secondary DNS:

  • Identify the Cloudflare Account ID.
  • Identify the Cloudflare Zone ID.
  • Note the two Cloudflare Nameservers.

If the Cloudflare Nameservers don't contain secondary in the name, confirm the Cloudflare Account team has enabled Secondary DNS.

3. Determine the configuration parameters from the Master zone:

  • Master IP Address - The IP address that Cloudflare should accept Zone Transfers from.
  • Zone transfer type - Will zone transfers be full (AXFR) or incremental (IXFR)?
  • (Optional) TSIG Secret - The secret string used to authenticate zone transfers.
  • (Optional) TSIG Algorithm - The algorithm used to authenticate zone transfers.

Once the list of prerequisites have been completed, configure the Secondary Zone at Cloudflare.

Configuring a Secondary Zone through the CloudFlare API

DNSSEC is currently unsupported when Cloudflare is configured as a Secondary DNS provider

Secondary DNS can only be configured via the Cloudflare API. Requests can be sent to the API via a command-line utility like cURL or a browser plugin such as Postman.  

Refer to the Cloudflare API documentation for full examples on the supported API methods available:

For each POST example provided in the steps below, replace :account_tag with the Account ID identified from the Prerequisites section of this article:

Create a secondary zone through the Create Zone API by setting type to secondary:

curl -X POST "https://api.cloudflare.com/client/v4/zones"      
-H "X-Auth-Email: yourname@youremailhere.fyi"      
-H "X-Auth-Key: yourapikeyhere"      
-H "Content-Type: application/json"      
--data '{"name":"examplesecondaryzone.fyi","account":{"id":"accountidhere"},"jump_start":true,"type":"secondary"}'

In the example request below, name and secret must be provided by the primary DNS provider and algo must reflect the correct TSIG algorithm from the Master DNS server.

#POST https://api.cloudflare.com/client/v4/accounts/:account_tag/secondary_dns/tsigs/ 
{"name": ":tsig_secret_name", 
"secret": ":tsig_secret_string", 
"algo": "hmac-sha512"}

A successful POST request will respond with an id.  Include this id when adding a Master.

Multiple Masters can be added via the Cloudflare API.

#POST https://api.cloudflare.com/client/v4/accounts/:account_tag/secondary_dns/masters/
{"ip": ":master_ip",
"port": 53, 
"ixfr_enable": true, 
"tsig_id": ":tsig_tag"}

  • :master_ip is the IPv4/IPv6 address of Master nameserver.
  • ixfr_enable set to true enables IXFR transfer protocol. The default is AXFR.
  • :tsig_tag (optional) is the id provided in the previous step, if configured

A successful POST request will respond with an id for the Master DNS server and must be included when creating a Secondary Zone via the Cloudflare API

#POST https://api.cloudflare.com/client/v4/zones/:zone_tag/secondary_dns/
{"id": ":zone_tag", 
"name": ":zone_name", 
"masters": [ ":zone_master_tag" ], 
"auto_refresh_seconds": 86400 }

  • :zone_tag is the Zone ID of the domain configured for Secondary DNS.
  • :zone_name is the domain name configured for Secondary DNS.
  • :zone_master_tag is the list of Master IDs created in the previous step.

The Cloudflare DNS UI will be disabled for secondary zones since records are managed through the primary DNS provider's master server.

Add Cloudflare's Secondary DNS Nameservers to the existing nameservers specified at your registrar. Review the instructions in the Prerequisites section above to locate the names of your Secondary Nameservers.

Add a TXT record to the primary DNS provider to test transfer to Cloudflare's Secondary DNS servers.  Then, verify the TXT record is visible when querying Cloudflare's nameservers.  Replace nsNNNN with the correct name of a Cloudflare Secondary DNS servers for the domain: 

dig @nsNNN.secondary.cloudflare.com :zone_name txt +short

The Cloudflare Analytics app will continue to provide DNS data but only for DNS requests that Cloudflare's nameservers answer.

Related resources

Was this article helpful?
4 out of 6 found this helpful
Not finding what you need?
Ask the Community   Submit a request

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Popular questions: Why is my site slow, 522 errors, I'm expecting a spike in traffic

Powered by Zendesk