How do I setup and manage Secondary DNS?

What is Secondary DNS?

Secondary DNS is an Enterprise offering that allows Cloudflare to act as a Secondary DNS provider to another organization's Master DNS using DNS zone transfers. This means you can edit your DNS entries in a system outside of Cloudflare and have those changes replicated in Cloudflare's infrastructure. This is useful if you want to use multiple DNS providers, or if you want to continue managing your DNS in another system while using Cloudflare's DNS infrastructure to serve your records to the world.

Note: you will need a Master DNS provider that supports Zone Transfers. If your current provider or software does not support Zone Transfer, you will not be able to utilize Cloudflare as a Secondary DNS provider.

Before you get started

Configuration of Secondary DNS is currently all done via Cloudflare API. You must be comfortable with configuring Cloudflare products via the API in order to use Secondary DNS.

Some items must be configured at your Master DNS provider, and you must enable Secondary DNS. See your Master DNS provider's documentation for how to enable and configure the Master zone, and contact your Cloudflare Account team for the configuration parameters to set at your primary provider.

Important note: currently DNSSEC is unsupported when you use Cloudflare as a Secondary DNS provider.

Prerequisites

First, you'll need an Enterprise account and your zone added and enabled to be a Secondary zone. Please contact your Cloudflare account team for this portion of setup.

Second, you will need your Account ID tag. This is most easily gathered by using the User's Organizations API. The Organization identifier tag returned through this API will be what you use in the API calls below. If you have issues with your Account ID, please contact Cloudflare Support.

Third, you will need your Secondary DNS nameservers. Once your Enterprise Account is set up and your zone has been enabled as a Secondary Zone by your Cloudflare account team, you can see these two nameservers in the Cloudflare web UI, in the DNS app under "Cloudflare Nameservers." Alternatively, you may look them up via the List Zones API.

Lastly, you will need to know the configuration parameters from your Master. These will vary based upon provider, but you will likely need the following items:

  • Master IP Address - the IP address that Cloudflare should accept Zone Transfers from.
  • Zone transfer type - whether Cloudflare should expect full (AXFR) or incremental (IXFR) zone transfers.
  • (Optional) TSIG Secret - the secret string used to authenticate your zone transfers.
  • (Optional) TSIG Algorithm - the algorithm used to authenticate your zone transfers.


Configuring your Secondary Zone through the Cloudflare API

Configure TSIG (Optional)

#POST https://api.cloudflare.com/client/v4/accounts/:account_tag/secondary_dns/tsigs/
{
  "name": ":tsig_secret_name<e.g. zone-cf>",
  "secret": ":tsig_secret_string",
  "algo": "hmac-sha512"
}

Your response will include an id/tag for your tsig that you will need for the next step. You can GET the same API endpoint to receive a list of your TSIGs and ids. To update a TSIG, utilize the PUT command and include the id.

Add a Master

#POST https://api.cloudflare.com/client/v4/accounts/:account_tag/secondary_dns/masters/
{
  "ip": ":master_ip",
  "port": 53,
  "ixfr_enable": true,
  "tsig_id": ":tsig_tag"
}

You can create multiple Masters if required.

Your response will include an id/tag for your master that you will need for the next step. You can GET the same API endpoint to receive a list of your Masters and ids. To update a Master, utilize the PUT command and include the id.

Create Secondary Zone

#POST https://api.cloudflare.com/client/v4/zones/:zone_tag/secondary_dns/
{
  "id": ":zone_tag",
  "name": ":zone_name",
  "masters": [ ":zone_master_tag" ],
  "auto_refresh_seconds": 30
}

"id" is the zone tag of the zone you are setting up as Secondary.
"name" is the domain name of the zone you are setting up as Secondary.
"masters" is the list of master IDs for the masters you would like this zone to use.

To update a Secondary Zone, utilize a PUT command to the same API.
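The three calls above have to be made in order, because each step consumes the id returned by the previous one. The script below is an added example (not Cloudflare's own code or client library) that runs the sequence end to end with the Python standard library. It assumes the endpoint paths shown above, the usual Cloudflare response envelope ({"success": ..., "errors": [...], "result": {...}}), Bearer-token authentication, and that the API token and TSIG secret are supplied through environment variables rather than written into the script; the account, zone and master values are placeholders you replace with your own. The transport is a parameter so the request construction can be exercised without touching the network.

```python
"""Added example: drive Cloudflare's Secondary DNS API calls in order,
threading each returned id into the next request.

Assumptions (not from the original article): response envelope shape,
Bearer-token auth header, and environment variables for secrets.
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def http_send(method, url, body, token):
    """Real transport: one JSON request with a Bearer token (assumed auth
    scheme). Only used when no alternative transport is injected."""
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def result_of(resp):
    """Unwrap the envelope; fail loudly rather than continue with a missing
    id, which would otherwise surface as a confusing error on the next call."""
    if not resp.get("success"):
        raise RuntimeError("Cloudflare API error: %s" % resp.get("errors"))
    return resp["result"]


def create_tsig(account_tag, name, secret, algo, token, send=http_send):
    """Step 1 (optional): register the TSIG key used to authenticate AXFR/IXFR."""
    body = {"name": name, "secret": secret, "algo": algo}
    url = f"{API}/accounts/{account_tag}/secondary_dns/tsigs/"
    return result_of(send("POST", url, body, token))["id"]


def add_master(account_tag, ip, port, ixfr, tsig_id, token, send=http_send):
    """Step 2: tell Cloudflare which Master to accept zone transfers from."""
    body = {"ip": ip, "port": port, "ixfr_enable": ixfr}
    if tsig_id is not None:  # TSIG is optional, so only send the key when configured
        body["tsig_id"] = tsig_id
    url = f"{API}/accounts/{account_tag}/secondary_dns/masters/"
    return result_of(send("POST", url, body, token))["id"]


def create_secondary_zone(zone_tag, zone_name, master_ids, refresh, token,
                          send=http_send):
    """Step 3: turn the zone into a Secondary Zone served from those Masters."""
    body = {"id": zone_tag, "name": zone_name, "masters": master_ids,
            "auto_refresh_seconds": refresh}
    url = f"{API}/zones/{zone_tag}/secondary_dns/"
    return result_of(send("POST", url, body, token))


def setup_secondary(account_tag, zone_tag, zone_name, master_ip, token,
                    tsig_secret=None, tsig_algo="hmac-sha512", send=http_send):
    """Run the whole procedure and return the ids it produced."""
    tsig_id = None
    if tsig_secret:
        tsig_id = create_tsig(account_tag, f"{zone_name}-cf", tsig_secret,
                              tsig_algo, token, send)
    master_id = add_master(account_tag, master_ip, 53, True, tsig_id, token, send)
    zone = create_secondary_zone(zone_tag, zone_name, [master_id], 30, token, send)
    return {"tsig_id": tsig_id, "master_id": master_id, "zone": zone}


if __name__ == "__main__":
    # Placeholder environment variables (hypothetical names chosen for this example).
    out = setup_secondary(
        account_tag=os.environ["CF_ACCOUNT_TAG"],
        zone_tag=os.environ["CF_ZONE_TAG"],
        zone_name=os.environ["CF_ZONE_NAME"],
        master_ip=os.environ["CF_MASTER_IP"],
        token=os.environ["CF_API_TOKEN"],
        tsig_secret=os.environ.get("CF_TSIG_SECRET"),  # leave unset to skip TSIG
    )
    print(json.dumps(out, indent=2))
```

Keeping the TSIG secret and API token out of the script body matters because the TSIG secret is what stops an arbitrary host from feeding your zone to Cloudflare; anyone who can read the script would otherwise hold it. Leaving CF_TSIG_SECRET unset exercises the unauthenticated path the article describes as optional, and a response with "success": false stops the run before a half-configured zone is created.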

Testing

To test, add a record (such as a TXT) into your Primary DNS provider and verify you can see the record via your Cloudflare nameservers:

dig @nsNNN.secondary.cloudflare.com :zone_name txt +short

Analytics and UI

You can use Cloudflare DNS Analytics and our analytics plug-ins for all DNS requests that Cloudflare sees.

The Cloudflare DNS UI will be disabled for Secondary Zones as you are managing your records through your DNS Master.
