There are three methods you can use to export DNS zone files from the NS1 platform:
- Option A: Enabling outgoing zone transfers (via AXFR)
  Note
  This method is recommended for exporting a BIND-compatible zone file directly to secondary IPs.
- Option B: Using the NS1 API to view a zone's configuration details
- Option C: Using a DNS summary script provided by NS1 Customer Support
Note
Zone files exported from NS1 Connect include zone-level data and short answers for records within the zone. Exported files do not contain answer metadata or Filter Chain configuration details.
Option A: Enabling outgoing zone transfers (via AXFR)
Note
Use this method if you require a BIND-compatible zone file for use with other DNS providers.
- Log into the NS1 portal and navigate to DNS > Zones. Then, click the name of the zone you want to export to view zone details.
- Click the Zone Transfers tab and toggle the switch to Allow outgoing transfers.
- Click + Add another IP address.
- Enter the Secondary IP address, that is, the IP address of the server hosting the secondary zone. Optionally, you can enter an IP subnet in this field using CIDR notation (e.g., 192.0.2.0/24) to allow NS1 to receive SOA/AXFR requests from any address within that subnet. Note, however, that if you do this, NOTIFYs will be automatically disabled. Alternatively, you can add each secondary IP address individually to allow NOTIFYs to each.
- Optionally, select the checkbox next to Notify on change to enable DNS notifications (i.e., NOTIFY messages) from NS1 when there are changes to the primary zone.
  In response, the secondary zone will send an SOA/AXFR query to NS1 requesting the new zone data. If you leave this option disabled, the zone transfer will occur in response to the next SOA/AXFR query, whose frequency is based on the defined SOA refresh TTL value.
  If you enable notifications, complete the following additional fields:
  - Port - Enter the inbound port configured on the secondary IP to ensure the server can receive NOTIFY messages from NS1. The default port is 53. You might need to modify this if, for example, your security team has blocked inbound traffic to port 53 or if you’d prefer to use a different port.
  - Network - Select the network from which the DNS notification (i.e., NOTIFY) should originate. Upon changes to the NS1 zone, this network will send a NOTIFY to the secondary IP.
    Note
    You must select a network on which the corresponding NS1 zone is published; otherwise, NOTIFYs will be disabled. Optionally, you can select a network on which you plan to publish the zone, and then when you publish the zone to that network, the NOTIFYs will be automatically re-enabled.
- If you enable notifications, you have the additional option to enable Notify with TSIG. This ensures the NOTIFY messages are sent using TSIG authentication.
  If you select this option, you must also specify the following information:
  - TSIG hash - Indicates the cryptographic algorithm used to generate the TSIG key.
  - TSIG key name - Name of the TSIG key used in domain name syntax.
  - TSIG key value - The base64 string encoding the shared key secret.
  Note
  The "Notify with TSIG" option only enables TSIG authentication for the NOTIFY message. It does not enable TSIG authentication for the actual zone transfer from NS1.
- Click Save. Repeat this process as needed by clicking + Add another IP address, specifying additional secondary IP addresses or subnets to direct zone transfers from NS1.
- After adding all of the secondary IPs to the list, click Save zone transfers.
- Once complete, execute the following dig command to download the zone file:
  dig +noall +nocmd @xfr01.nsone.net <zoneFQDN> AXFR +answer +multiline > {./path/to/file/<zoneFQDN>-zonefile.txt}
  Replace <zoneFQDN> with the FQDN of the zone you are exporting and {./path/to/file/<zoneFQDN>-zonefile.txt} with the desired file path where the zone file will be downloaded (for example, ./path/to/file/yourdomain.com-zonefile.txt).
During the export process, NS1 omits any metadata or record types (e.g., ALIAS records) that are not BIND-compatible.
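A completeness check for the file written by the dig command above, added here as an example (it is not NS1 code). Because the shell redirect creates the file even when the transfer is refused or interrupted, the check relies on the AXFR rule that a response begins and ends with the zone's SOA record. The function names parse_axfr and check_export are hypothetical, and the sample records are constructed.

```python
import re

# Token priority: quoted string, ';' comment, parenthesis, bare word.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|;.*|[()]|[^\s"();]+')

def parse_axfr(text):
    """Parse dig AXFR text (+multiline aware); return (records, leftover)."""
    records, fields, depth = [], [], 0
    for line in text.splitlines():
        for tok in TOKEN.findall(line):
            if tok in ("(", ")"):
                depth += 1 if tok == "(" else -1   # rdata wrapped over lines
            elif not tok.startswith(";"):          # skip comments
                fields.append(tok)
        if depth == 0 and fields:                  # one full record collected
            owner, _ttl, _cls, rtype, *rdata = fields  # ValueError if < 4 fields
            records.append((owner.lower(), rtype, rdata))
            fields = []
    return records, fields

def check_export(text, zone):
    """Return a list of problems; an empty list means the export looks complete."""
    zone = zone.rstrip(".").lower() + "."
    recs, rest = parse_axfr(text)
    if rest or len(recs) < 2:
        return ["empty or truncated file: transfer refused or cut short"]
    problems = []
    # RFC 5936: an AXFR response begins and ends with the zone's SOA record.
    for pos, (owner, rtype, _) in (("first", recs[0]), ("last", recs[-1])):
        if rtype != "SOA" or owner != zone:
            problems.append(f"{pos} record is not the SOA of {zone}")
    if not problems and recs[0][2][2:3] != recs[-1][2][2:3]:
        problems.append("SOA serial differs between first and last record")
    stray = {o for o, _, _ in recs if o != zone and not o.endswith("." + zone)}
    return problems + [f"owner outside zone: {o}" for o in sorted(stray)]

# Constructed sample shaped like `dig +multiline` output (SOA condensed).
SOA = """example.com. 3600 IN SOA ns1.example.net. hostmaster.example.com. (
        1700000000 ; serial
        43200      ; refresh (12 hours)
        7200 1209600 3600 )
"""
BODY = """example.com. 300 IN TXT "v=spf1 -all; note (constructed)"
www.example.com. 300 IN A 192.0.2.10
"""
print(check_export(SOA + BODY + SOA, "example.com"))  # complete transfer
print(check_export(SOA + BODY, "example.com"))        # closing SOA missing
```

To check a real export, pass the contents of the downloaded file and the zone FQDN to check_export before loading the file into another provider.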
Option B: Using the NS1 API to view a zone's configuration details
Run the following API command to return all configuration details for the specified zone. You must supply a valid NS1 API key that has the "View zones" permission enabled.
Warning
The API response format is not BIND-compatible; therefore, it is likely not supported as-is by third-party DNS providers.
curl -X GET -H "X-NSONE-Key: $NSONE_API_KEY" https://api.nsone.net/v1/zones/<zone>
Here, <zone> refers to the unique name of the zone. This is likely the same as the zone FQDN, unless a custom zone name was applied or the zone was associated with a DNS view during zone creation.
Option C: Using a DNS summary script provided by NS1 Customer Support
If requested, NS1 can provide a script for you to run that produces a CSV file of all NS1 zones and records. The script calls the API and formats the output into this human-readable form. To request this script, submit a support ticket.