A common strategy for organizations to establish network resiliency is to publish the DNS zones and records associated with their domains across multiple DNS providers. If the primary DNS servers go down, resolvers fall back to the secondary servers listed in the domain's NS records, so clients can still reach the organization's domains. In this type of configuration, the primary provider hosts the source zone file and sends copies of the zone data to one or more secondary providers.
You can configure IBM NS1 Connect as the primary provider for one or more of your zones, specifying one or more secondary providers to which it will send updated zone data periodically or upon request. The NS1 Connect platform supports authoritative transfers (AXFR), in which case the entire zone file is transferred from the NS1 Connect platform to the secondary servers. Note, however, that some NS1 configuration details (such as Filter Chain configurations and certain types of DNS records) are not supported by other providers and are not included in the zone file transfer.
The steps below outline the process for establishing NS1 as your primary DNS provider.
If you haven't already, create a primary zone on the NS1 Connect platform, ensuring that one or more NS1 DNS networks are selected before saving. The NS1 nameservers assigned to the zone vary depending on the network(s) to which the zone is published. Note that DNS traffic to the domain will not flow through NS1 nameservers until the delegation is updated at the domain registrar.
After saving the primary zone, you must configure outgoing zone transfers—specifying one or more secondary servers and their incoming ports to receive the zone data from NS1.
Optionally, you can enable the "Notify on change" option to allow the NS1 platform to notify your secondary provider upon changes to the primary zone data. If selected, you must specify the port on which your secondary server is configured to receive NOTIFY messages from NS1, as well as the NS1 network from which the NOTIFY message will originate. If you do not select this option, then the secondary zone data will not be updated until the next SOA refresh specified in the secondary zone configuration settings.
Follow the instructions provided by your secondary DNS provider to create a secondary zone, specifying NS1's AXFR server as primary. The specific server you specify depends on the NS1 network to which the primary zone is published.
- For primary zones published to the shared Managed DNS network (network 0), the secondary service must be configured to allow incoming zone data and, if enabled, NOTIFY messages from xfr01.nsone.net (192.135.223.10).
- For primary zones that are not published to the shared Managed DNS network (for example, a dedicated namespace within the Managed network), the IP addresses for the zone transfer services will be provided to you.
If using BIND, you can add the following zone statement to the configuration file (named.conf or an included file):
zone "<zoneFQDN>" IN {
    type slave;                           // BIND 9.16 and later also accept "secondary"
    file "/var/lib/bind/<myzone.com>.db"; // where BIND stores the transferred copy of the zone
    masters { 192.135.223.10; };          // NS1's AXFR server for network 0 (xfr01.nsone.net)
};
You can use a dig command to verify that the configurations match on the primary (NS1) and secondary DNS servers, but note that this process may vary depending on your setup. For example:
$ dig @xfr01.nsone.net +noall +answer -t soa <zoneFQDN> +multiline
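As an added example that is not part of the NS1 documentation, the following POSIX shell script parses the serial out of the dig +multiline SOA output used above and compares the serial served by NS1's transfer server with the serial served by your secondary. Matching serials mean the secondary has loaded the current zone data; a lower serial on the secondary means the last change has not propagated yet (wait for the SOA refresh, or check that NOTIFY is enabled and reaching the secondary). The sample dig output and the example.com names are constructed; xfr01.nsone.net is the transfer server the page gives for network 0 zones, and SECONDARY is a placeholder for your own secondary's address.

```shell
#!/bin/sh
# Added example (not NS1's own code): check that a secondary is serving the
# same SOA serial as NS1's AXFR server. Requires dig for the live check.

# Extract the serial from dig +multiline SOA output. In the +multiline layout
# the serial sits on its own line, followed by the comment "; serial".
soa_serial() {
    # $1: text of a dig +multiline SOA answer
    printf '%s\n' "$1" | awk '/; serial/ { print $1; exit }'
}

# Exit 0 when both serials are present and equal, 1 when they differ,
# 2 when either is missing (e.g. the server refused the query).
compare_serials() {
    cmp_primary="$1"
    cmp_secondary="$2"
    [ -n "$cmp_primary" ] && [ -n "$cmp_secondary" ] || return 2
    [ "$cmp_primary" = "$cmp_secondary" ]
}

# Query a live server for the zone's SOA and print only the serial.
# Not called by the offline demo below; run it yourself against real servers.
serial_from_server() {
    # $1: server to query, $2: zone FQDN
    soa_serial "$(dig "@$1" +noall +answer -t soa "$2" +multiline)"
}

# Constructed sample answers in the layout dig +multiline prints. The names
# and numbers are illustrative only.
SAMPLE_PRIMARY='example.com.            3600 IN SOA ns.example.com. hostmaster.example.com. (
                                1700000005 ; serial
                                43200      ; refresh (12 hours)
                                7200       ; retry (2 hours)
                                1209600    ; expire (2 weeks)
                                3600       ; minimum (1 hour)
                                )'
SAMPLE_SECONDARY='example.com.            3600 IN SOA ns.example.com. hostmaster.example.com. (
                                1700000004 ; serial
                                43200      ; refresh (12 hours)
                                7200       ; retry (2 hours)
                                1209600    ; expire (2 weeks)
                                3600       ; minimum (1 hour)
                                )'

# Offline demo on the constructed samples. For a live check replace the two
# soa_serial calls with:
#   serial_from_server xfr01.nsone.net "$ZONE"   and   serial_from_server "$SECONDARY" "$ZONE"
p=$(soa_serial "$SAMPLE_PRIMARY")
s=$(soa_serial "$SAMPLE_SECONDARY")
if compare_serials "$p" "$s"; then
    echo "in sync: both servers report serial $p"
else
    echo "out of sync: primary=$p secondary=$s (wait for SOA refresh or verify NOTIFY)"
fi
```

If the secondary returns no SOA at all (exit status 2), the usual causes are that the secondary zone was never created, or that the transfer from 192.135.223.10 is being blocked, so check the secondary's configuration and transfer allow-list before looking at serial drift.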
Once you are ready to initiate traffic flow through NS1 nameservers, you must update the nameserver delegation at the domain registrar (e.g., GoDaddy, BlueHost, etc.) to point to the NS1 nameservers. Do not update the registrar until you are ready to send DNS traffic to the new nameservers. If you are undergoing a large migration to the NS1 platform or between NS1 services, adhere to the guidance provided by the NS1 team before updating the registrar.