Set up incoming zone transfers (Cloudflare as Secondary)
With incoming zone transfers, you can keep your primary DNS provider and use Cloudflare as a secondary DNS provider.
Normal incoming zone transfers only provide DNS resolution. If you also want your traffic to benefit from Cloudflare’s performance and security features, you need to set up Secondary DNS Override.
Before you begin
You should already have a registered domain, set up with your primary DNS provider. Make sure you have completed the following tasks at your primary DNS provider and at Cloudflare.
At your primary DNS provider
Your primary DNS provider must accept zone transfer requests on the IP address and port specified in your peer server configuration. Its Access Control Lists (ACLs) must also be updated to allow transfers to Cloudflare; otherwise the zone transfers are blocked.
We strongly recommend configuring DNS NOTIFY at your primary DNS provider, pointed at the Cloudflare NOTIFY IPs, so that your secondary zone on Cloudflare picks up the most recent changes as quickly as possible instead of waiting for the next scheduled refresh.
You will also need the following information from your primary DNS provider:
- Primary IP address: The IP address that Cloudflare sends zone transfer requests to (via AXFR or IXFR).
- Zone transfer type: Will zone transfers be full (AXFR) or incremental (IXFR)?
- TSIG name (optional): A descriptive name of the TSIG following domain name syntax (RFC 8945 section 4.2). The TSIG names configured at your primary and secondary DNS providers have to be exactly the same. Any difference in TSIG names will cause zone transfers to fail.
- TSIG secret (optional): The shared secret string used to authenticate zone transfers.
- TSIG algorithm (optional): The HMAC algorithm used to authenticate zone transfers. It must also match on both sides.
At Cloudflare
Make sure your account team has enabled your zone for Secondary DNS.
Get the following values from your Cloudflare account:
1. Create TSIG (optional)
A Transaction Signature (TSIG) authenticates communication between a primary and secondary DNS server: each transfer request and response carries an HMAC computed over the message with a shared secret, so the primary can reject requests that do not come from a holder of the key rather than relying on source IP alone. TSIG provides authentication and integrity, not confidentiality; zone data still travels in clear text.
The TSIG names configured at your primary and secondary DNS providers have to be exactly the same. Any difference in TSIG names will cause zone transfers to fail.
While optional, this step is highly recommended.
To create a TSIG using the dashboard:
1. Log in to the Cloudflare dashboard and select your account.
2. Go to Manage Account > Configurations.
3. Click DNS Zone Transfers.
4. For TSIG, click Create.
5. Enter the following information:
   - TSIG name: The name of the TSIG object, using domain name syntax (more details in RFC 8945 section 4.2).
   - Secret (optional): The shared secret that you also add at your third-party nameservers. If left blank, a random secret is generated for you.
   - Algorithm: Choose a TSIG signing algorithm.
6. Click Create.
To create a TSIG using the API, send a POST request.
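To make the "names must match exactly" rule concrete, here is a self-contained Python example (added here; it is not Cloudflare's code and not a substitute for a DNS library) that signs an AXFR request with a TSIG record and verifies it the way a primary would, following RFC 8945. It generates a base64 secret of the kind you paste into both providers, and shows that the key name is part of the MAC input in canonical (lowercase) form and is also used for the key lookup, so a key named differently on the primary fails with BADKEY even if the secret is identical. The key name cf-transfer., the zone example.com., the fixed timestamp and the secrets are constructed for the example; only uncompressed names and the HMAC-SHA2 algorithms are handled.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# TSIG algorithm names (RFC 8945 section 6) mapped to the HMAC hash they use.
ALGORITHMS = {"hmac-sha256.": hashlib.sha256,
              "hmac-sha384.": hashlib.sha384,
              "hmac-sha512.": hashlib.sha512}

def generate_tsig_secret(nbytes=32):
    """Random shared secret, base64-encoded as both providers expect it."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def encode_name(name):
    """Uncompressed wire-format DNS name: length-prefixed labels plus a 0 byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(buf, off):
    """Inverse of encode_name; returns (name, offset after the name)."""
    labels = []
    while buf[off]:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compressed names are not handled in this example")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def tsig_variables(key_name, algo, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 8945 section 4.3.3). Names go in
    canonical form, i.e. lowercase: a different key name changes the MAC input,
    and before that it fails the key lookup on the primary."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", 255, 0)   # class ANY, TTL 0
            + encode_name(algo.lower()) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def build_axfr_query(zone, msg_id):
    """Minimal unsigned AXFR query: 12-byte header and one question (QTYPE 252, IN)."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", 252, 1))

def sign_message(message, key_name, algo, secret_b64, now=None, fudge=300):
    """What the secondary does: append a TSIG RR (type 250, class ANY) to the request."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(base64.b64decode(secret_b64),
                   message + tsig_variables(key_name, algo, now, fudge),
                   ALGORITHMS[algo.lower()]).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(algo) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))     # error 0, other len 0
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1        # the TSIG RR is counted in ARCOUNT
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr

def verify_message(signed, keyring, now=None):
    """What the primary does on receipt. keyring maps a lowercase key name to
    (algorithm, base64 secret). Returns (ok, reason) using RFC 8945 error names."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(qd):
        off = read_name(signed, off)[1] + 4                      # skip QTYPE and QCLASS
    rr_start, rtype = None, None
    for _ in range(an + ns + ar):                                # TSIG must be the last RR
        rr_start = off
        off = read_name(signed, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10 + rdlen
    if rtype != 250:
        return False, "no TSIG record"
    key_name, p = read_name(signed, rr_start)
    algo, p = read_name(signed, p + 10)                          # skip type, class, TTL, RDLENGTH
    time_signed, p = int.from_bytes(signed[p:p + 6], "big"), p + 6
    fudge, mac_len = struct.unpack("!HH", signed[p:p + 4])
    mac = signed[p + 4:p + 4 + mac_len]
    p += 4 + mac_len
    _, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    entry = keyring.get(key_name.lower())
    if entry is None or entry[0].lower() != algo.lower():
        return False, f"BADKEY: no key named {key_name} with algorithm {algo}"
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:rr_start]
    expected = hmac.new(base64.b64decode(entry[1]),
                        unsigned + tsig_variables(key_name, algo, time_signed, fudge, error, other),
                        ALGORITHMS[algo.lower()]).digest()
    return (True, "ok") if hmac.compare_digest(mac, expected) else (False, "BADSIG")

# Constructed sample: the key as configured on the primary, a fixed clock, one AXFR query.
SAMPLE_SECRET = generate_tsig_secret()
KEYRING = {"cf-transfer.": ("hmac-sha256.", SAMPLE_SECRET)}
NOW = 1_700_000_000
QUERY = build_axfr_query("example.com.", 0x1234)

if __name__ == "__main__":
    for name, secret in [("cf-transfer.", SAMPLE_SECRET), ("CF-Transfer.", SAMPLE_SECRET),
                         ("cf-transfer-old.", SAMPLE_SECRET), ("cf-transfer.", generate_tsig_secret())]:
        signed = sign_message(QUERY, name, "hmac-sha256.", secret, NOW)
        print(f"{name:18} {verify_message(signed, KEYRING, NOW)}")
```

Running it shows that only case may differ between the two sides (CF-Transfer. verifies against cf-transfer.), while cf-transfer-old. is rejected before any MAC is checked and a wrong secret is rejected as BADSIG. The same three failure classes (key name, algorithm, secret) are what produce an empty record list when you review a new secondary zone in the dashboard.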
2. Create Peer Server
To create a peer server using the dashboard:
1. Log in to the Cloudflare dashboard and select your account.
2. Go to Manage Account > Configurations.
3. Click DNS Zone Transfers.
4. For Peer DNS servers, click Create.
5. Enter the following information, paying particular attention to:
   - IP: Specifies where Cloudflare sends transfer requests to.
   - Port: Specifies the port on that IP that Cloudflare sends transfer requests to.
   - Enable incremental (IXFR) zone transfers: Specifies whether Cloudflare sends IXFR requests in addition to the default AXFR requests.
   - Link an existing TSIG: If desired, link the TSIG you previously created.
6. Click Create.
To create a peer DNS server using the API, send a POST request.
3. Create the Secondary Zone
To create a secondary zone using the dashboard:
1. Log in to the Cloudflare dashboard and select your account.
2. In the top navigation bar, click
3. Enter your zone name and choose Secondary DNS (if this option is not available, contact your account team).
4. Select your plan type.
5. Choose a value for Zone refresh, which controls the number of seconds between zone updates from your primary DNS server. Cloudflare does not use the REFRESH value inside the SOA record served by your primary provider. Instead, the zone refresh value configured for your secondary zone on Cloudflare determines the interval after which the SOA serial of the primary zone is checked for changes.
6. Select the peer server you previously created. If needed, you can link more than one peer server to a zone.
7. Review the list of transferred records and click Continue. If no records appear, you may have misconfigured the TSIG or the IP address of the peer server, or the Access Control List at your primary DNS provider may be misconfigured.
8. Click Initiate zone transfer.
To create a secondary zone using the API, send a POST request with the type parameter set to
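The three API steps above, in order, as an added Python example (not Cloudflare's own code or SDK): create the TSIG, create the peer server linked to it, create the zone with type secondary, attach the incoming transfer configuration with the zone refresh value, and trigger the first transfer. The endpoint paths and JSON field names are written as I understand the Cloudflare v4 API reference that this page links to and should be confirmed there before use; the account id, zone name, primary IP, secret and token are constructed placeholders. The transport is a parameter so the sequence runs offline against a fake that records the calls; replace it with http_post to run for real.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def http_post(url, token, body):
    """Real transport: authenticated JSON POST against the Cloudflare API."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def cf_result(response):
    """Every v4 response carries success/errors/result; stop at the first error."""
    if not response.get("success"):
        raise RuntimeError(f"Cloudflare API error: {response.get('errors')}")
    return response["result"]

def setup_secondary_zone(account_id, zone_name, primary, tsig, refresh_seconds, token, post=http_post):
    """Steps 1-3 in order. primary = {"ip", "port", "ixfr"}; tsig = {"name", "secret", "algo"}.
    Paths and field names are assumptions taken from the v4 API reference, not from this page."""
    if refresh_seconds <= 0:
        raise ValueError("zone refresh must be a positive number of seconds")
    # Step 1: the TSIG object; name and algo must be identical to what the primary has.
    tsig_id = cf_result(post(f"{API}/accounts/{account_id}/secondary_dns/tsigs", token,
                             {"name": tsig["name"], "secret": tsig["secret"],
                              "algo": tsig["algo"]}))["id"]
    # Step 2: the peer (the primary's IP and port), linked to the TSIG just created.
    peer_id = cf_result(post(f"{API}/accounts/{account_id}/secondary_dns/peers", token,
                             {"name": f"primary-for-{zone_name}", "ip": primary["ip"],
                              "port": primary["port"], "ixfr_enable": primary["ixfr"],
                              "tsig_id": tsig_id}))["id"]
    # Step 3: the zone itself, with type secondary, then its incoming transfer settings.
    zone_id = cf_result(post(f"{API}/zones", token,
                             {"name": zone_name, "account": {"id": account_id},
                              "type": "secondary"}))["id"]
    cf_result(post(f"{API}/zones/{zone_id}/secondary_dns/incoming", token,
                   {"name": zone_name, "auto_refresh_seconds": refresh_seconds,
                    "peers": [peer_id]}))
    # Equivalent of "Initiate zone transfer" in the dashboard.
    cf_result(post(f"{API}/zones/{zone_id}/secondary_dns/force_axfr", token, {}))
    return {"tsig_id": tsig_id, "peer_id": peer_id, "zone_id": zone_id}

class FakeCloudflare:
    """Offline stand-in for http_post: records each call and answers in the API's
    envelope shape (constructed; ids are sequential, not real Cloudflare ids)."""
    def __init__(self, fail_on=None):
        self.calls, self.fail_on = [], fail_on
    def __call__(self, url, token, body):
        path = url[len(API):]
        self.calls.append((path, body))
        if self.fail_on and path.endswith(self.fail_on):
            return {"success": False, "errors": [{"code": 1000, "message": "constructed failure"}],
                    "result": None}
        if path.endswith("/force_axfr"):
            return {"success": True, "errors": [], "result": "OK"}
        return {"success": True, "errors": [], "result": dict(body, id=f"id-{len(self.calls)}")}

PRIMARY = {"ip": "192.0.2.10", "port": 53, "ixfr": True}                       # constructed
TSIG = {"name": "cf-transfer.", "secret": "c2VjcmV0", "algo": "hmac-sha256."}  # constructed

def demo():
    """Run the whole sequence against the fake; returns (summary, recorded calls)."""
    fake = FakeCloudflare()
    summary = setup_secondary_zone("0123456789abcdef", "example.com", PRIMARY, TSIG,
                                   600, "api-token", post=fake)
    return summary, fake.calls

def demo_failure():
    """An API error aborts the sequence; returns (error text, number of calls made)."""
    fake = FakeCloudflare(fail_on="/secondary_dns/peers")
    try:
        setup_secondary_zone("0123456789abcdef", "example.com", PRIMARY, TSIG,
                             600, "api-token", post=fake)
    except RuntimeError as exc:
        return str(exc), len(fake.calls)
    return None, len(fake.calls)

if __name__ == "__main__":
    summary, calls = demo()
    for path, body in calls:
        print("POST", path, json.dumps(body))
    print(summary)
```

Because the peer creation carries the TSIG id and the incoming configuration carries the peer id, the order matters; the fake's recorded calls show exactly which identifiers flow into which request, and the failure demo shows that a rejected peer creation stops before any zone is created.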
4. Update registrar
At your registrar, add the secondary nameservers specified in the Cloudflare dashboard.
When you have added them, go into your new secondary zone and click Done, check nameservers.
5. Create notifications (optional)
To increase the reliability of your incoming zone transfers, set up notifications to be notified when your primaries are failing, when records are updated, and more.
6. Proxy traffic through Cloudflare (optional)
Normal incoming zone transfers only provide DNS resolution. If you also want your traffic to benefit from Cloudflare’s performance and security features, you need to set up Secondary DNS Override.