Skip to content

Setup

With incoming zone transfers, you can keep your primary DNS provider and use Cloudflare as a secondary DNS provider.

Normal incoming zone transfers only provide DNS resolution. If you also want your traffic to benefit from Cloudflare’s performance and security features, you need to set up Secondary DNS Override.


Before you begin

  • You should already have a registered domain, set up with your primary DNS provider.
  • Make sure you have completed the following tasks at your primary DNS provider and at Cloudflare.

At your primary DNS provider

Your primary DNS provider should allow traffic from the IP address and port specified in your peer server configuration.

It should also have updated Access Control Lists (ACLs) to prevent zone transfers from being blocked.

We strongly recommend configuring DNS NOTIFY at your primary DNS provider to ensure your secondary zone on Cloudflare is updated with the most recent changes as quickly as possible. In order to do so, set up Cloudflare NOTIFY IPs at your primary DNS provider.

You will also need the following information from your Primary DNS provider:

  • Primary IP address: The IP address that Cloudflare sends zone transfer requests to (via AXFR or IXFR).
  • Zone transfer type: Will zone transfers be full (AXFR) or incremental (IXFR)?
  • TSIG name (optional): A descriptive name of the TSIG following domain name syntax (RFC 8945 section 4.2).
  • TSIG secret (optional): The secret string used to authenticate zone transfers.
  • TSIG algorithm (optional): The algorithm used to authenticate zone transfers.

At Cloudflare

Make sure your account team has enabled your zone for Secondary DNS.

Get the following values from your Cloudflare account:


1. Create TSIG (optional)

A Transaction Signature (TSIG) authenticates communication between a primary and secondary DNS server.

While optional, this step is highly recommended.

To create a TSIG using the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Go to Manage Account > Configurations.
  3. Select DNS Zone Transfers.
  4. For TSIG, select Create.
  5. Enter the following information:
    • TSIG name: The name of the TSIG object using domain name syntax (more details in RFC 8945 section 4.2).
    • Secret (optional): Get a shared secret to add to your third-party nameservers. If left blank, this field generates a random secret.
    • Algorithm: Choose a TSIG signing algorithm.
  6. Select Create.

2. Create Peer Server

To create a peer server using the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Go to Manage Account > Configurations.
  3. Select DNS Zone Transfers.
  4. For Peer DNS servers, select Create.
  5. Enter the following information, paying particular attention to:
    • IP: Specifies where Cloudflare sends transfer requests to.
    • Port: Specifies the IP Port for the transfer IP.
    • Enable incremental (IXFR) zone transfers: Specifies if Cloudflare sends IXFR requests in addition to the default AXFR requests.
    • Link an existing TSIG: If desired, link the TSIG you previously created.
  6. Select Create.

3. Create the Secondary Zone

To create a secondary zone using the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.
  2. In the top navigation bar, click Add site.
  3. Enter your zone name and choose Secondary DNS (if this option is not available, contact your account team).
  4. Click Add site.
  5. Select your plan type.
  6. Choose a value for Zone refresh, which controls the number of seconds between zone updates from your primary DNS server.
  7. Select the peer server you previously created. If needed, you can link more than one peer server to a zone.
  8. Click Continue.
  9. Review the list of transferred records and click Continue.
  10. Click Initiate zone transfer.

4. Update registrar

At your registrar, add the secondary nameservers specified in the Cloudflare dashboard. Do not remove your primary DNS provider’s nameservers.

When you have added the Cloudflare nameservers, go into your new secondary zone and click Done, check nameservers.

5. Create notifications (optional)

To increase the reliability of your incoming zone transfers, set up notifications to be notified when your primaries are failing, when records are updated, and more.

6. Proxy traffic through Cloudflare (optional)

Normal incoming zone transfers only provide DNS resolution. If you also want your traffic to benefit from Cloudflare’s performance and security features, you need to set up Secondary DNS Override.