Cloudflare Docs

Set up incoming zone transfers (Cloudflare as Secondary)

With incoming zone transfers, you can keep your primary DNS provider and use Cloudflare as a secondary DNS provider.

Normal incoming zone transfers only provide DNS resolution. If you also want your traffic to benefit from Cloudflare’s performance and security features, you need to set up Secondary DNS Override.

Before you begin

Make sure you have completed the following tasks before setting up incoming zone transfers.

At your primary DNS provider

Your primary DNS provider should allow traffic from the IP address and port specified in your peer server configuration.

It should also have updated Access Control Lists (ACLs) to prevent zone transfers from being blocked.

We strongly recommend configuring DNS NOTIFY at your primary DNS provider to ensure your secondary zone on Cloudflare is updated with the most recent changes as quickly as possible. In order to do so, set up Cloudflare NOTIFY IPs at your primary DNS provider.

You will also need the following information from your Primary DNS provider:

  • Primary IP address: The IP address that Cloudflare sends zone transfer requests to (via AXFR or IXFR).
  • Zone transfer type: Will zone transfers be full (AXFR) or incremental (IXFR)?
  • TSIG name (optional): A descriptive name of the TSIG following domain name syntax (RFC 8945 section 4.2).
  • TSIG secret (optional): The secret string used to authenticate zone transfers.
  • TSIG algorithm (optional): The algorithm used to authenticate zone transfers.

At Cloudflare

Make sure your account team has enabled your zone for Secondary DNS.

Get the following values from your Cloudflare account:

DNSSEC

If you want DNSSEC available for your secondary zone, you will need one of the following setups (reach out to your account team for more details):

  • Hidden primary: Since Cloudflare secondary nameservers are the only nameservers authoritatively responding to DNS queries, Cloudflare can sign records on the fly.
  • Pre-signed zones: If your primary DNS provider signs records and transfers out the signatures, Cloudflare serves records and DNSSEC signatures as is without doing any signing. Cloudflare only supports NSEC records (and not NSEC3 records) and this setup does not support Secondary Overrides.
  • Multi-signer DNSSEC: Both Cloudflare and your primary DNS provider know the signing keys of the other provider and perform their own online signing in accordance with RFC 8901.

Step 1 - Create TSIG (optional)

A Transaction Signature (TSIG) authenticates communication between a primary and secondary DNS server.

While optional, this step is highly recommended.
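To make "authenticates communication" concrete, the following added example (not Cloudflare's code, and not the page's) builds a TSIG-signed AXFR request and then verifies it the way a receiving server would, following RFC 8945: the MAC covers the unsigned message plus the TSIG variables, the key name and algorithm must match, the timestamp must fall within the fudge window (replay protection), and the MAC is compared in constant time. The key name, secret and zone are constructed sample values.

```python
import hashlib
import hmac
import struct
import time

KEY_NAME = "cf-transfer-key.example.com."   # constructed; must be identical at both ends
SECRET = bytes.fromhex("3f9e" * 16)          # constructed 32-byte shared secret
ALGORITHM = "hmac-sha256."
FUDGE = 300                                  # seconds of clock skew tolerated (RFC default)


def wire_name(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def axfr_query(msg_id: int, zone: str) -> bytes:
    """Minimal DNS query asking for a full zone transfer (QTYPE AXFR = 252, CLASS IN)."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", 252, 1)


def _mac_input(message: bytes, time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """Bytes covered by the MAC (RFC 8945 4.3.3): unsigned message, then the TSIG
    variables: key name, CLASS ANY, TTL 0, algorithm, 48-bit time, fudge, error, other data."""
    return (message + wire_name(KEY_NAME) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message: bytes, secret: bytes = SECRET, now=None) -> bytes:
    """Append a TSIG RR to `message` and increment ARCOUNT so the RR is counted."""
    time_signed = int(time.time()) if now is None else now
    mac = hmac.new(secret, _mac_input(message, time_signed, FUDGE), hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(ALGORITHM)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", FUDGE, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))          # error = 0, other len = 0
    tsig_rr = wire_name(KEY_NAME) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def _skip_name(buf: bytes, pos: int) -> int:
    """Offset just past the name starting at `pos` (handles compression pointers)."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:       # pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def _last_rr_offset(buf: bytes) -> int:
    """Walk the question and RR sections; return where the final RR (the TSIG) starts."""
    qd, an, ns, ar = struct.unpack("!HHHH", buf[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(buf, pos) + 4                # QTYPE + QCLASS
    start = pos
    for _ in range(an + ns + ar):
        start = pos
        pos = _skip_name(buf, pos)
        pos += 10 + struct.unpack("!H", buf[pos + 8:pos + 10])[0]   # fixed fields + RDATA
    return start


def verify(signed: bytes, secret: bytes = SECRET, now=None) -> bool:
    """Accept only a message whose trailing TSIG RR names our key and algorithm,
    was signed within the fudge window, and carries a MAC we can reproduce."""
    now = int(time.time()) if now is None else now
    arcount = struct.unpack("!H", signed[10:12])[0]
    if arcount == 0:
        return False                                  # no TSIG at all: reject
    start = _last_rr_offset(signed)
    name_end = _skip_name(signed, start)
    if struct.unpack("!H", signed[name_end:name_end + 2])[0] != 250 or signed[start:name_end] != wire_name(KEY_NAME):
        return False                                  # not a TSIG RR, or BADKEY
    rd = name_end + 10
    alg_end = _skip_name(signed, rd)
    if signed[rd:alg_end] != wire_name(ALGORITHM):
        return False                                  # algorithm we do not support
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_size]
    p = alg_end + 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    time_signed = (hi << 32) | lo
    if abs(now - time_signed) > fudge:
        return False                                  # BADTIME: outside the replay window
    # Rebuild the message as it was before signing: original ID, ARCOUNT - 1, TSIG removed.
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", arcount - 1) + signed[12:start]
    expected = hmac.new(secret, _mac_input(unsigned, time_signed, fudge, error, other), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)         # constant-time comparison


if __name__ == "__main__":
    request = sign(axfr_query(0x1234, "example.com."))
    print("signed AXFR request verifies:", verify(request))
```

The fudge check is the part operators most often trip over: if the primary's clock and Cloudflare's drift apart by more than the fudge value, every transfer fails with BADTIME even though the secret is correct, so keep both sides on NTP.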

Using the dashboard

To create a TSIG using the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Go to Manage Account > Configurations.
  3. Click DNS Zone Transfers.
  4. For TSIG, click Create.
  5. Enter the following information:
    • TSIG name: The name of the TSIG object using domain name syntax (more details in RFC 8945 section 4.2).
    • Secret (optional): The shared secret that you also install on your third-party nameservers. If left blank, Cloudflare generates a random secret.
    • Algorithm: Choose a TSIG signing algorithm.
  6. Click Create.

Using the API

To create a TSIG using the API, send a POST request.

Step 2 - Create Peer Server

Using the dashboard

To create a peer server using the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Go to Manage Account > Configurations.
  3. Click DNS Zone Transfers.
  4. For Peer DNS servers, click Create.
  5. Enter the following information, paying particular attention to:
    • IP: Specifies where Cloudflare sends transfer requests to.
    • Port: Specifies the port used with the transfer IP.
    • Enable incremental (IXFR) zone transfers: Specifies if Cloudflare sends IXFR requests in addition to the default AXFR requests.
    • Link an existing TSIG: If desired, link the TSIG you previously created.
  6. Click Create.

Using the API

To create a peer DNS server using the API, send a POST request.

Step 3 - Create the Secondary Zone

Using the dashboard

To create a secondary zone using the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.
  2. In the top navigation bar, click Add site.
  3. Enter your zone name and choose Secondary DNS (if this option is not available, contact your account team).
  4. Click Add site.
  5. Select your plan type.
  6. Choose a value for Zone refresh, which controls the number of seconds between zone updates from your primary DNS server.
  7. Select the peer server you previously created. If needed, you can link more than one peer server to a zone.
  8. Click Continue.
  9. Review the list of transferred records and click Continue.
  10. Click Initiate zone transfer.

Using the API

To create a secondary zone using the API, send a POST request with the type parameter set to "secondary".
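Steps 1 to 3 above are one procedure, so the following added example (written for this page, not Cloudflare's own code or tooling) drives all three through the Cloudflare v4 API with only the Python standard library: create the TSIG, create the peer that references it, create the zone with type "secondary", and then attach the peer and refresh interval to the zone. The endpoint paths (`/accounts/{id}/secondary_dns/tsigs`, `/accounts/{id}/secondary_dns/peers`, `/zones`, `/zones/{id}/secondary_dns/incoming`) and body field names are my reading of the public API reference and are assumptions to confirm against the current reference before use; the algorithm string format with a trailing dot and the base64 secret encoding are likewise assumptions. The `transport` parameter and `RecordingTransport` are constructed for offline use; every ID returned by them is a placeholder.

```python
import base64
import json
import secrets
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def cf_request(token, method, path, body, transport=None):
    """Send a JSON request to the API. `transport(method, path, body)` replaces
    the network call so the flow can be exercised offline (constructed hook)."""
    if transport is not None:
        return transport(method, path, body)
    req = urllib.request.Request(
        API_BASE + path, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def result_id(resp):
    """Cloudflare wraps results in {"success": bool, "errors": [...], "result": {...}}."""
    if not resp.get("success"):
        raise RuntimeError(f"API call failed: {resp.get('errors')}")
    return resp["result"]["id"]


def create_tsig(token, account_id, name, algo="hmac-sha256.", secret=None, transport=None):
    """Step 1. A random secret is generated locally when none is given; the same
    secret must then be installed at the primary DNS provider."""
    secret = secret or base64.b64encode(secrets.token_bytes(32)).decode()
    resp = cf_request(token, "POST", f"/accounts/{account_id}/secondary_dns/tsigs",
                      {"name": name, "secret": secret, "algo": algo}, transport)
    return result_id(resp), secret


def create_peer(token, account_id, name, ip, port=53, ixfr=False, tsig_id=None, transport=None):
    """Step 2. The peer is the primary Cloudflare will send AXFR/IXFR requests to."""
    body = {"name": name, "ip": ip, "port": port, "ixfr_enable": ixfr}
    if tsig_id:
        body["tsig_id"] = tsig_id       # linking the TSIG is what makes transfers authenticated
    return result_id(cf_request(token, "POST", f"/accounts/{account_id}/secondary_dns/peers", body, transport))


def create_secondary_zone(token, account_id, zone_name, peer_ids, refresh_seconds=86400, transport=None):
    """Step 3. Create the zone with type "secondary", then give it peers and a refresh interval."""
    zone_id = result_id(cf_request(token, "POST", "/zones",
                                   {"name": zone_name, "account": {"id": account_id}, "type": "secondary"}, transport))
    cf_request(token, "POST", f"/zones/{zone_id}/secondary_dns/incoming",
               {"name": zone_name, "peers": peer_ids, "auto_refresh_seconds": refresh_seconds}, transport)
    return zone_id


def provision(token, account_id, zone_name, primary_ip, transport=None):
    """Run Steps 1-3 in order, threading each returned ID into the next call."""
    tsig_id, secret = create_tsig(token, account_id, f"cf-{zone_name}.", transport=transport)
    peer_id = create_peer(token, account_id, "primary-1", primary_ip, tsig_id=tsig_id, transport=transport)
    zone_id = create_secondary_zone(token, account_id, zone_name, [peer_id], transport=transport)
    return {"tsig_id": tsig_id, "tsig_secret": secret, "peer_id": peer_id, "zone_id": zone_id}


class RecordingTransport:
    """Constructed stand-in for the API: records every call and returns placeholder IDs."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        return {"success": True, "errors": [], "result": {"id": f"id-{len(self.calls)}"}}


if __name__ == "__main__":
    fake = RecordingTransport()
    print(provision("TOKEN_PLACEHOLDER", "ACCOUNT_ID_PLACEHOLDER", "example.com", "192.0.2.53", transport=fake))
    for method, path, body in fake.calls:
        print(method, path, json.dumps(body))
```

Omit `transport` to talk to the real API with an API token of your own; the secret in the returned dictionary is the one to hand to whoever administers the primary, and it is the only place it is shown, so store it the way you would any other shared key.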

Step 4 - Update registrar

At your registrar, add the secondary nameservers specified in the Cloudflare dashboard.

When you have added them, go into your new secondary zone and click Done, check nameservers.

Step 5 - Create notifications (optional)

To increase the reliability of your incoming zone transfers, set up notifications so that you are alerted when your primaries are failing, when records are updated, and more.

Step 6 - Proxy traffic through Cloudflare (optional)

Normal incoming zone transfers only provide DNS resolution. If you also want your traffic to benefit from Cloudflare’s performance and security features, you need to set up Secondary DNS Override.