Cloudflare Docs
DNS
Cloudflare Docs
DNS
GitHub icon
Edit this page on GitHub
Set theme to dark (⇧+D)
  1. Products
  2. DNS
  3. ...
  4. ...
  5. Cloudflare as Primary
  6. Setup

Set up outgoing zone transfers (Cloudflare as Primary)

With outgoing zone transfers, you can keep Cloudflare as your primary DNS provider and use one or more secondary providers for increased availability and fault tolerance.

​​ Aspects to consider

​​ DNS-only CNAME records

As explained in DNS record types, Cloudflare uses a process called CNAME flattening to return the final IP address instead of the CNAME target. CNAME flattening improves performance and is also what allows you to set a CNAME record on the zone apex.

Depending on the settings you have, when you use DNS-only CNAME records with outgoing zone transfers, you can expect the following:

  • For DNS-only CNAME records on the zone apex, Cloudflare will always transfer out the flattened IP addresses.
  • For DNS-only CNAME records on subdomains, Cloudflare will only transfer out flattened IP addresses if the setting Flatten all CNAMEs is enabled.

​​ Proxied records

For each proxied DNS record in your zone, Cloudflare will transfer out two A and two AAAA records.

These records correspond to the Cloudflare IP addresses used for proxying traffic.

​​ Before you begin

Make sure your account team has enabled your zone for outgoing zone transfers.

Review your existing DNS records to make sure all of them have the desired Proxy status.

If using the API, you may also want to locate your Zone and Account IDs.

​​ Step 1 - Create TSIG (optional)

A Transaction Signature (TSIG) authenticates communication between a primary and secondary DNS server.

While optional, this step is highly recommended.

To create a TSIG using the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Go to Manage Account > Configurations.
  3. Click DNS Zone Transfers.
  4. For TSIG, click Create.
  5. Enter the following information:
    • TSIG name: The name of the TSIG object using domain name syntax (more details in RFC 8945 section 4.2).
    • Secret (optional): Get a shared secret to add to your third-party nameservers. If left blank, this field generates a random secret.
    • Algorithm: Choose a TSIG signing algorithm.
  6. Click Create.
To create a TSIG using the API, send a POST request.

​​ Step 2 - Create Peer DNS Server (optional)

You only need to create a peer DNS server if you want:

  • Your secondary nameservers to receive NOTIFYs for changes to your Cloudflare DNS records.
  • A TSIG to sign zone transfer requests and NOTIFYs.

To create a peer using the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Go to Manage Account > Configurations.
  3. Select DNS Zone Transfers.
  4. For Peer DNS servers, select Create.
  5. Enter the following information, paying particular attention to:
    • IP: If configured, specifies where Cloudflare sends NOTIFY requests to.
    • Port: Specifies the IP Port for the NOTIFY IP.
    • Enable incremental (IXFR) zone transfers: Does not apply when you are using Cloudflare as your primary DNS provider (Cloudflare zones always accept IXFR requests).
    • Link an existing TSIG: If desired, link the TSIG you previously created.
  6. Select Create.
To create a peer DNS server using the API, send a POST request.

​​ Step 3 - Link peer to primary zone (optional)

If you previously created a peer DNS server, you should link it to your primary zone.

To create a secondary zone using the dashboard:

  1. Log in to the Cloudflare dashboard.
  2. Select your account and zone.
  3. Go to DNS > Settings.
  4. For DNS Zone Transfers, select Manage linked peers.
  5. Select a peer.
  6. Select Save.
To link a primary zone to a peer using the API, send a POST request with the ID of the peer you previously created.

​​ Step 4 - Create an ACL

When you create an Access Control List (ACL), that list contains the source IP addresses that are allowed to send zone transfer requests. If you do not configure an ACL, your zone transfers will fail from IP addresses other than the one specified in the peer DNS server linked to your primary zone on Cloudflare.

For more details, refer to create an ACL.

​​ Step 5 - Update your secondary DNS provider

Your secondary DNS provider should send zone transfer requests (via AXFR or IXFR) to this IP on port 53 and from the IP address specified in your peer configuration.

It should also have updated Access Control Lists (ACLs) to prevent NOTIFY messages sent from Cloudflare IP ranges from being blocked.

​​ Step 6 - Add secondary nameservers within Cloudflare

Using the information from your secondary DNS provider, create NS records on your zone apex listing your secondary nameservers.

By default, Cloudflare ignores NS records that are added to the zone apex. By sending the following API call, you can enable the usage of apex NS records and Cloudflare nameservers will respond with them alongside the assigned Cloudflare nameservers of the zone.

curl -X PATCH 'https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_settings/use_apex_ns' \

-H 'X-Auth-Email: <EMAIL>' \

-H 'X-Auth-Key: <API_KEY>' \

-H 'Content-Type: application/json' \

--data '{
  "id": "use_apex_ns",
  "value": true
}'

​​ Step 7 - Enable outgoing zone transfers

When you enable outgoing zone transfers, this will send a DNS NOTIFY message to your secondary DNS provider.

  1. Log in to the Cloudflare dashboard.
  2. Select your account and zone.
  3. Go to DNS > Settings.
  4. For Outgoing Zone Transfers, switch the toggle to On.
To enable outgoing zone transfers using the API, send a POST request.

​​ Step 8 - Add secondary nameservers to registrar

At your registrar, add the nameservers of your secondary DNS provider.