Configuring outgoing zone transfers (XFR)
If you have a secondary DNS provider that supports incoming zone transfers via AXFR, you can set up outgoing zone transfers from your NS1 Connect zones to sync zone and record data across multiple providers.
You can configure outgoing zone transfers from primary or secondary zones by specifying one or more secondary IPv4 addresses or CIDR blocks pointing to your external DNS service. NS1 Connect then answers zone transfer requests from those addresses, which the secondary servers issue at the rate specified by the "Refresh" value in the origin zone's SOA record. You can also configure notifications to the secondary servers whenever there is an update to the zone, which, in turn, prompts the secondary servers to request a zone transfer immediately. To configure notifications to the secondary servers, you must also specify the port on which they listen for incoming requests, and the network from which the notification will originate.
How it works
Typically, a zone transfer is initiated upon changes to zone data or in response to an SOA refresh request from a secondary server. When a change is made to the primary zone configuration, NS1 Connect sends a DNS notification (NOTIFY) to the secondary server(s). In response, they send an SOA/AXFR query to NS1 Connect so they can update the zone data on their end. Finally, the new zone data is transferred. Note that the NOTIFY component is optional and may be automatically disabled based on your settings. If it is disabled, zone transfers occur only at the next SOA/AXFR query from the secondary servers, which they send at regular intervals based on the zone's SOA refresh setting. If notifications are enabled, you have the option to enable TSIG authentication for the outbound NOTIFY query.
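The flow described above, as an added Python model that is not NS1 Connect's own code: a primary that answers SOA/AXFR queries only from configured addresses or CIDR blocks and sends NOTIFY only to single-address entries, and a secondary that pulls the zone only when the primary's serial is newer, either because a NOTIFY arrived or because its SOA refresh timer expired. The addresses, serials and records are constructed (RFC 5737 documentation ranges); the serial comparison is the RFC 1982 arithmetic that real secondaries use, which the page does not mention.

```python
# Added example (not NS1 Connect code): a model of outgoing zone transfers.
# Primary = the NS1 Connect side; Secondary = the externally hosted server.
import ipaddress
from dataclasses import dataclass, field

MOD = 1 << 32        # SOA serials are 32-bit and wrap
HALF = 1 << 31

def serial_newer(candidate: int, current: int) -> bool:
    """RFC 1982 comparison: True if `candidate` is after `current`, wrapping at 2^32."""
    candidate, current = candidate % MOD, current % MOD
    if candidate == current:
        return False
    return (candidate > current and candidate - current < HALF) or \
           (candidate < current and current - candidate > HALF)

@dataclass
class Primary:
    serial: int
    refresh: int                                  # SOA "Refresh" value, seconds
    records: dict
    allowed: list = field(default_factory=list)   # configured IPv4 addresses / CIDR blocks

    def allow(self, entry: str) -> None:
        """Accept a single address ("198.51.100.5") or a block ("203.0.113.0/24")."""
        self.allowed.append(ipaddress.ip_network(entry, strict=False))

    def permits(self, source: str) -> bool:
        """SOA/AXFR queries are answered only from a configured address or block."""
        src = ipaddress.ip_address(source)
        return any(src in net for net in self.allowed)

    def notify_targets(self) -> list:
        """NOTIFY is sent only to single-address entries; a block has no single target."""
        return [str(net.network_address) for net in self.allowed if net.num_addresses == 1]

@dataclass
class Secondary:
    address: str
    serial: int
    next_refresh_at: float
    records: dict = field(default_factory=dict)
    transfers: int = 0

    def refresh(self, primary: Primary, now: float, notified: bool = False) -> str:
        """One refresh cycle; returns 'idle', 'refused', 'in-sync' or 'axfr'."""
        if not notified and now < self.next_refresh_at:
            return "idle"                         # no NOTIFY and the timer has not expired
        if not primary.permits(self.address):
            return "refused"                      # not on the allow list: no answer, no transfer
        self.next_refresh_at = now + primary.refresh
        if not serial_newer(primary.serial, self.serial):
            return "in-sync"                      # SOA query showed nothing new
        self.records = dict(primary.records)      # AXFR copies the whole zone
        self.serial = primary.serial
        self.transfers += 1
        return "axfr"

def publish_change(primary: Primary, secondaries: list, now: float) -> dict:
    """A zone edit on the primary: bump the serial, NOTIFY eligible targets,
    and report what each secondary did in response."""
    primary.serial = (primary.serial + 1) % MOD
    targets = set(primary.notify_targets())
    return {s.address: s.refresh(primary, now, notified=s.address in targets)
            for s in secondaries}

if __name__ == "__main__":
    p = Primary(serial=100, refresh=3600, records={"www": "192.0.2.10"})
    p.allow("198.51.100.5")        # single address: eligible for NOTIFY
    p.allow("203.0.113.0/24")      # block: transfers allowed, NOTIFY disabled
    p.records["mail"] = "192.0.2.20"
    print(publish_change(p, [Secondary("198.51.100.5", 100, 3600.0),
                             Secondary("203.0.113.77", 100, 3600.0)], now=10.0))
```

The secondary inside the CIDR block stays idle when the change is published and only catches up once its refresh timer fires, which is exactly the behaviour the Instructions section warns about when a subnet is configured instead of a single address.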
You can enable outgoing transfers from secondary zones hosted by NS1 Connect to other secondary IP addresses (hosted externally). This type of configuration can create redundancy in public DNS by using a hidden primary configuration whereby the source of truth doesn't serve public traffic directly. Instead, the zone data is copied to the secondary zone hosted by NS1 Connect, which acts as a primary to the specified secondary IPs.
Some zone data is specific to advanced features and functions on NS1 Connect, including ALIAS records, answer metadata, answer groups, and Filter Chain configurations. These details are not included in the outgoing zone transfer as they are not supported by other DNS providers.
Instructions
Complete the following steps to enable and configure outgoing zone transfers for a primary or secondary zone.
- Click .
- Click the name of the zone.
- Click the Zone transfers tab.
- Click the toggle next to Allow outgoing transfers.
- Click Add an IPv4 address or CIDR block.
- Enter the Secondary IPv4 address or CIDR block of the server hosting the secondary zone. Entering an IP subnet using CIDR notation (for example, 192.0.2.0/24) allows NS1 Connect to receive SOA/AXFR requests from any address within that subnet.
- Optionally, select the Notify on change checkbox to enable DNS notifications (NOTIFYs) from NS1 Connect when there are changes to the primary zone. In response, the secondary zone sends an SOA/AXFR query to NS1 Connect requesting the new zone data. If you leave this option disabled, the zone transfer occurs in response to the next SOA/AXFR query, whose frequency is based on the defined SOA refresh TTL value.
Note: If you specify an IP subnet as opposed to a single address, NOTIFY messages to inform secondary servers upon changes to the zone are disabled.
If you enable notifications, complete the following additional fields:
- Port
- Enter the inbound port configured on the secondary IP to ensure the server can receive NOTIFY messages from NS1 Connect. The default port is 53. You might need to modify this if, for example, your security team has blocked inbound traffic to port 53 or if you’d prefer to use a different port.
- Network
- Select the network from which the DNS notifications (NOTIFYs) will originate. Upon changes to the NS1 Connect zone, this network sends a NOTIFY to the secondary server.
Note: NOTIFY messages cannot be sent if the zone is not published to the selected network. Ensure the zone is published to this network or select a different one.
- If you enable notifications, you have the additional option to enable Notify with TSIG. This ensures the NOTIFY messages are sent using TSIG authentication.
If you select this option, you must also specify the following information:
- TSIG hash
- The cryptographic (HMAC) algorithm associated with the TSIG key.
- TSIG key name
- Name of the TSIG key used in domain name syntax.
- TSIG key value
- The base64 string encoding the shared key secret.
Note: The Notify with TSIG option only enables TSIG authentication for the NOTIFY message. It does not enable TSIG authentication for the transfer of zone data.
- Click Save.
- Click Save zone transfers.
Note: You must click Save and Save zone transfers to save the configurations.
Repeat this process for each additional secondary server to which NS1 Connect should send zone transfers.
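What the Notify with TSIG option puts on the wire, as an added Python example that is not NS1 Connect's code: a NOTIFY message (RFC 1996) is built, the primary appends a TSIG resource record (RFC 8945, hmac-sha256) whose MAC covers the message plus the TSIG variables, and the secondary recomputes that MAC and checks the time window before acting on the notification. The key name, secret and timestamps are constructed; the verifier locates the TSIG RR from the key name and algorithm it already holds rather than parsing every section, which is a simplification of what a full resolver does. Only the standard library is used.

```python
# Added example (not NS1 Connect code): TSIG-signed NOTIFY, primary and secondary side.
import hashlib
import hmac
import struct

TYPE_SOA, TYPE_TSIG, CLASS_IN, CLASS_ANY = 6, 250, 1, 255
OPCODE_NOTIFY = 4
ALGORITHM = "hmac-sha256."                  # the "TSIG hash" setting
MAC_LEN = hashlib.sha256().digest_size

def wire_name(name: str) -> bytes:
    """Canonical wire form (lowercase, uncompressed), as the TSIG digest requires."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_notify(zone: str, msg_id: int) -> bytes:
    """Unsigned NOTIFY: opcode 4, AA bit set, one SOA question naming the zone."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)   # QDCOUNT=1, ARCOUNT=0
    return header + wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)

def tsig_variables(key_name: str, time_signed: int, fudge: int) -> bytes:
    """Fields digested together with the message: key name, class ANY, TTL 0,
    algorithm name, 48-bit time signed, fudge, error 0, other-data length 0."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 0, 0))

def sign_notify(message: bytes, key_name: str, secret: bytes,
                time_signed: int, fudge: int = 300) -> bytes:
    """Primary side: MAC over the unsigned message + TSIG variables, append the
    TSIG RR as the last additional record, and increment ARCOUNT."""
    mac = hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(ALGORITHM)
             + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))            # error 0, other len 0
    rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def verify_notify(signed: bytes, key_name: str, secret: bytes, now: int) -> bool:
    """Secondary side: strip the TSIG RR, rebuild the unsigned message, recompute
    the MAC and enforce the time-signed/fudge window."""
    name, alg = wire_name(key_name), wire_name(ALGORITHM)
    rr_len = len(name) + 10 + len(alg) + 6 + 2 + 2 + MAC_LEN + 2 + 2 + 2
    if len(signed) < 12 + rr_len:
        return False
    body, rr = signed[:-rr_len], signed[-rr_len:]
    if rr[:len(name)] != name or rr[len(name) + 10:len(name) + 10 + len(alg)] != alg:
        return False                              # unknown key or algorithm
    rdata = rr[len(name) + 10 + len(alg):]
    t_hi, t_lo, fudge, mac_len = struct.unpack("!HIHH", rdata[:10])
    if mac_len != MAC_LEN:
        return False
    mac = rdata[10:10 + mac_len]
    original_id = struct.unpack("!H", rdata[10 + mac_len:12 + mac_len])[0]
    time_signed = (t_hi << 32) | t_lo
    if abs(now - time_signed) > fudge:
        return False                              # outside the replay window
    arcount = struct.unpack("!H", body[10:12])[0] - 1
    unsigned = body[:10] + struct.pack("!H", arcount) + body[12:]
    if struct.unpack("!H", unsigned[:2])[0] != original_id:
        return False
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)     # constant-time comparison

if __name__ == "__main__":
    # Constructed key; in the UI the "TSIG key value" field carries the secret as base64.
    key, secret = "ns1-notify-key.", b"constructed-demo-secret"
    signed = sign_notify(build_notify("example.com.", 0x1234), key, secret, time_signed=1700000000)
    print("valid:", verify_notify(signed, key, secret, now=1700000010))
```

Because the digest covers the TSIG variables as well as the message, a NOTIFY replayed outside the fudge window, signed with a different key, or altered in flight fails verification even though the DNS payload itself is unchanged; as the note above says, this protects only the NOTIFY, and the zone data transfer that follows is not covered by it.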