All Products
Search
Document Center

Enable Secondary DNS

Last Updated: Sep 14, 2018

Currently, when you enable Secondary DNS, Alibaba Cloud DNS is set as the secondary DNS and your existing DNS service is set as the primary DNS by default. To use Secondary DNS, you need to configure the primary DNS first and then enable Secondary DNS through Alibaba Cloud DNS.

Prerequisites

If you host your DNS internally, make sure your DNS server supports the standard XFR and NOTIFY protocols. If you use a hosted DNS service, make sure your DNS provider allows you to configure the Secondary DNS service. The following section takes an on-premise DNS system as an example. You can find relevant information from your DNS provider if you use a hosted DNS service.

As the secondary DNS, Alibaba Cloud DNS needs to synchronize resource records from the primary DNS. Therefore, you need to set up data forwarding rules on the primary DNS and use encryption mechanisms to secure the communication between the primary and secondary DNS services. The following section takes a BIND DNS server (version 9.9.4 or later) as an example and describes how to configure a primary DNS in order to enable Secondary DNS.

Configure a BIND DNS server

Add the following configuration information to the configuration file /etc/named.conf.

  1. zone "Domain (for example, xxx.com)" IN {
  2. type master;
  3. allow-update { 127.0.0.1; };
  4. allow-transfer {key test_key};
  5. notify explicit;
  6. also-notify {47.101.22.159 port 53;106.15.210.94 port 53;};
  7. file "zone_file";
  8. };

The parameters are as follows:

  • zone specifies the domain.

  • allow-transfer specifies the key file. Currently, Alibaba Cloud DNS only supports Transaction Signatures (TSIG). TSIG enables communication between the primary and secondary DNS servers. You need to specify the KEY for TSIG based server communication.

    Note: We recommend that you use TSIG to secure DNS communication. TSIG uses shared secret keys and one-way hashing to authenticate DNS messages and secure the synchronization between the primary and secondary DNS servers. You can generate a TSIG key for a hash function such as MD5, SHA256, and SHA1, and configure TSIG on your primary and secondary DNS servers. For more information, see Generate a TSIG key.

  • also-notify specifies the IP addresses of secondary DNS servers that need to be notified when resource records change on the primary DNS server. You can specify multiple IP addresses. Specify the following Alibaba Cloud DNS servers: secondarydns1.alidns.com, secondarydns2.alidns.com. The corresponding IP addresses are 47.101.22.159 and 106.15.210.94.

Generate a TSIG key

You can use the dnssec-keygen tool to generate a TSIG key. The commands are as follows:

  1. [root@www ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST test_key
  2. Generating key pair
  3. test_key. +157+64252

The parameters are as follows:

  • -a represents the hash function. Select one of our supported functions: HMAC-MD5, HMAC-SHA1, or HMAC-SHA256.

  • -b represents the number of bytes in the key. The key size is dependent on the hash algorithm you have selected. For an HMAC key, the size is between 1 to 512 bytes.

  • -n represents the owner type of the key file, such as ZONE, HOST, ENTITY, and USER. HOST or ZONE is commonly used.

  • test_key represents the name of the key file. This name is used in allow-transfer when you configure the primary DNS, and in TSIG Key Name when you configure the secondary DNS in step 8-i.

After these commands are executed, a .key and .private file are generated in the current directory. For example, Ktest_key. +157+64252.key and Ktest_key. +157+64252.private. The .key file contains the DNS KEY record, which is used in TSIG Key Value when you configure the secondary DNS in step 8-i. The .private file contains the fields that are specified by the algorithm.

Steps

Enable Secondary DNS for your domain by following these steps:

  1. Log on to the Alibaba Cloud DNS console.

  2. Go to Basic DNS. If you can find your domain in the list, skip to step 4. Otherwise, click Add Domain.

  3. In the Add Domain dialog box, enter your domain, and click OK.

  4. Select your domain and click More > Upgrade to Advanced DNS. If your domain has already been bound to an advanced DNS instance, you do not need to Upgrade to Advanced DNS. Skip to step 6.

  5. On the Alibaba Cloud DNS purchase page, select an advanced DNS instance, make your purchase, and bind your domain to this instance. For more information, see Buy and manage instances.

  6. Go to the Secondary DNS page, and click Add Secondary DNS.

    add-secondary-dns-button

  7. Select the domain that you want to enable Secondary DNS for, and click OK.

    Note: Currently, Secondary DNS is in beta testing and only available to domains that are bound to advanced DNS instances. To use this service, you must add your domain to Basic DNS and bind the domain to an advanced DNS instance. For more information, see steps 2 to 5.

  8. On the Add Secondary DNS page, complete the following configurations to enable Secondary DNS.

    adding-secondary-dns-dialog

    1. Primary DNS Servers: Click Add on the right side to add a record about the primary DNS. The parameters are as follows:

      primary-dns-info

      Note: For more information about TSIG, see Generate a TSIG key.

      • IP Address: The IP address of the primary DNS server. Make sure that this address is accessible from the Internet.
      • TSIG Key Type: The type of the hash function. You can choose from SHA1, SHA256, and MD5.
      • TSIG Key Name: The name of the TSIG.
      • TSIG Key Value: The value of the TSIG.
    2. Notification Sender IP: Click Add on the right side to specify the IP address or address range that sends DNS configuration updates.

      When changes occur to the resource records on your primary DNS, you need to configure the primary DNS so that it sends notifications to Alibaba Cloud DNS based on the standard NOTIFY protocol. You must provide the secondary DNS with the IP address of the server that sends notifications. Otherwise, your requests may be rejected.

      notification-sender-ip

    3. Click to enable Fault Notification. When Fault Notification is enabled, the system will notify you by SMS when the communication between the primary and secondary DNS is interrupted.

      check-message-notification

  9. After the configuration is completed, Secondary DNS is enabled for your domain. You can view the running status of the secondary DNS, such as Enabled, as shown in the following figure.

    secondary-dns-enabled

    Note: If Cloud DNS Server Configuration shows Error, you need to complete steps 10 and 11 to fix the issue and ensure the secondary DNS can provide DNS service to your customers.

  1. Add NS records that delegate to name servers vip1.alidns.com and vip2.alidns.com to the resource records on your primary DNS. Record type: NS; Host record: @; Record value: vip1.alidns.com and vip2.alidns.com (in two separate resource records).

  2. Add Alibaba Cloud DNS servers vip1.alidns.com and vip2.alidns.com to the DNS records of your domain name registrar. For more information, see Change DNS records of different domain name registrars.

    After Secondary DNS is enabled, you are not allowed to manually change the resource records in Basic DNS. All records are synchronized from the primary DNS.

    no-manual-synchronization