This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Secondary DNS: Difference between revisions

From AAISP Support Site

Latest revision as of 14:50, 13 May 2025

Some customers wish to run their own Authoritative Primary DNS server(s) and use A&A's DNS Infrastructure as their Authoritative Secondary slave server(s).

A&A are in the middle of a large project to change the DNS Infrastructure. During the change the DNS Infrastructure and the associated information will be in a state of flux.

The information on this page is also augmented by information contained at the page: https://support.aa.net.uk/New_Authoritive_DNS

As the DNS Infrastructure is in a state of flux, the information below will change in the future and will be updated when appropriate. After completion of the DNS Infrastructure change, A&A will eventually have a new system for control and configuration in place for managing customers' Authoritative Secondary DNS.

Process for setting up A&A as your Authoritative Secondary DNS Server as at May 2025

The process for setting up A&A as your Authoritative Secondary DNS server(s):

  1. Configure the required ACLs on your firewall, remembering to open TCP as well as UDP (zone transfers run over TCP).
  2. Configure the required access ACLs on your Primary DNS for zone transfers and queries.
  3. Contact support@aa.net.uk to request that your domain be configured on A&A's Secondary DNS.
  4. Verify that secondary-dns.co.uk provides replies when responding to queries regarding your domain.
  5. Change the Authoritative DNS servers for your domain at your Domain Registrar to include secondary-dns.co.uk.
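As an added example (not part of the A&A page), a POSIX shell script that checks steps 1, 4 and 5 above for one zone using BIND's dig: that your primary answers over TCP/53, that secondary-dns.co.uk answers authoritatively with the same SOA serial as your primary, and that the delegation already lists secondary-dns.co.uk. The zone name and primary address are arguments you supply; the parsing helpers take dig output as text so they can be exercised on constructed samples without network access.

```shell
#!/bin/sh
# Added example, not from the A&A page: check steps 1, 4 and 5 above for one zone.
# Assumes BIND's `dig` is installed; zone name and primary address are passed as
# arguments. Helpers take dig output as text so they can be tested on constructed samples.
# `dig +short SOA` prints RDATA only ("mname rname serial refresh retry expire minimum");
# print the serial, or nothing when there was no numeric answer (e.g. a timeout line).
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# 0 = secondary in sync; 1 = secondary lags (NOTIFY or AXFR not getting through yet);
# 2 = secondary returned no SOA (zone not configured at A&A, or query refused).
serials_in_sync() {
    [ -z "$2" ] && return 2
    [ "$1" = "$2" ] && return 0
    return 1
}

# dig's comment section carries ";; flags: qr aa rd; ..."; "aa" = authoritative answer.
is_authoritative() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* aa[ ;]'
}

# Given `dig +short NS` output, confirm secondary-dns.co.uk is in the delegation (step 5).
delegation_includes_secondary() {
    printf '%s\n' "$1" | grep -qi '^secondary-dns\.co\.uk\.\{0,1\}$'
}

check_zone() {
    zone=$1 primary=$2 rc=0
    # Step 1: TCP must reach the primary too; AXFR always runs over TCP.
    dig +tcp +short SOA "$zone" @"$primary" >/dev/null \
        || { echo "FAIL: $primary does not answer over TCP/53"; rc=1; }
    p=$(soa_serial "$(dig +short SOA "$zone" @"$primary")")
    s=$(soa_serial "$(dig +short SOA "$zone" @secondary-dns.co.uk)")
    serials_in_sync "$p" "$s"
    case $? in
        0) echo "OK: secondary-dns.co.uk serves serial $s, matching the primary" ;;
        1) echo "WARN: primary serial $p but secondary has $s (transfer pending?)"; rc=1 ;;
        2) echo "FAIL: secondary-dns.co.uk returned no SOA for $zone"; rc=1 ;;
    esac
    is_authoritative "$(dig +noall +comments SOA "$zone" @secondary-dns.co.uk)" \
        || { echo "WARN: secondary answer is not authoritative (no aa flag)"; rc=1; }
    delegation_includes_secondary "$(dig +short NS "$zone")" \
        || echo "NOTE: delegation does not yet list secondary-dns.co.uk (step 5)"
    return $rc
}

if [ $# -ge 2 ]; then check_zone "$1" "$2"; fi
```

Run it as `sh check.sh example.com 192.0.2.53` (constructed placeholder values) after step 3; a WARN on the serial usually means NOTIFY or the transfer ACLs from steps 1 and 2 are not yet letting A&A's servers through.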

What is needed to setup A&A as your Authoritative Secondary DNS

You need to configure your Authoritative Primary DNS to:

  • Set your Primary DNS to send NOTIFY to secondary-dns.co.uk. This is required so that your Primary DNS can notify A&A's Secondary that you have changed or reloaded your domain files.
194.4.173.1;  2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk                  **NOTIFY**
  • Allow *.secondary-dns.co.uk, *-nameless.aa.net.uk and *.primary-dns.co.uk to request AXFR/IXFR zone transfers from your Primary DNS. This is required so that A&A's secondary DNS can copy your domains from your Primary DNS.
  • Allow *.secondary-dns.co.uk, *-nameless.aa.net.uk and *.primary-dns.co.uk to send queries to your Primary DNS. This is required because some of A&A's secondaries send regular SOA queries to check the serial; it is also helpful if Support needs to query your Primary DNS.

IP addresses required for Firewall and Primary DNS ACLs

If we are running as your Secondary DNS for your own Primary, allow these IP addresses through your firewall to your Primary server (UDP and TCP port 53), and add them to the access ACLs on your Primary DNS server for both queries and zone transfers for your domain(s):

81.187.81.32;                           //secondary-dns.co.uk                  **legacy**
194.4.173.1;  2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
194.4.173.3;  2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk  **NEW**
194.4.173.4;  2001:8b6:2:0:194:4:173:4; //zonetransfers-b.secondary-dns.co.uk  **NEW**

194.4.172.3;  2001:8b6:1:0:194:4:172:3; //zonetransfers-a.primary-dns.co.uk    **NEW**
194.4.172.4;  2001:8b6:1:0:194:4:172:4; //zonetransfers-b.primary-dns.co.uk    **NEW**

81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk
90.155.23.32; 2001:8b0:0:23::32;        //b-nameless.aa.net.uk                 **legacy**
90.155.62.60; 2001:8b0:0:62::60;        //c-nameless.aa.net.uk

Starting from March 2025, in addition to legacy secondary-dns.co.uk IP addresses we will also initiate zone transfers from the newer DNS Infrastructure:

  • zonetransfers-a.secondary-dns.co.uk and zonetransfers-b.secondary-dns.co.uk
  • zonetransfers-a.primary-dns.co.uk and zonetransfers-b.primary-dns.co.uk

Legacy secondary-dns.co.uk will still be in use until mid-2025. Therefore, please keep these in your ACLs for the moment until this advice changes.

Abridged Example Configuration for a BIND9 Authoritative DNS Server

This configuration was verified as working as at May 2025.

/etc/bind/named.conf.local

// Named server list; also-notify below refers to it by name.
// (Newer BIND releases also accept the spelling "primaries" for "masters".)
masters notify_secondary_dns_co_uk {
    194.4.173.1;  2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
};

// Addresses the legacy and new secondary-dns.co.uk servers transfer from.
acl transfer_secondary_dns_co_uk {
    81.187.81.32;                           //secondary-dns.co.uk  **legacy**
    194.4.173.1;  2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
    194.4.173.3;  2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk
    194.4.173.4;  2001:8b6:2:0:194:4:173:4; //zonetransfers-b.secondary-dns.co.uk
};

acl transfer_primary_dns_co_uk {
    194.4.172.3;  2001:8b6:1:0:194:4:172:3; //zonetransfers-a.primary-dns.co.uk
    194.4.172.4;  2001:8b6:1:0:194:4:172:4; //zonetransfers-b.primary-dns.co.uk
};

acl transfer_nameless_aa_net_uk {
    81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk
    90.155.23.32; 2001:8b0:0:23::32;        //b-nameless.aa.net.uk  **legacy**
    90.155.62.60; 2001:8b0:0:62::60;        //c-nameless.aa.net.uk
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    // As written, only A&A's servers may query this zone on this primary;
    // a primary that is itself publicly delegated needs a wider allow-query.
    allow-query {
        transfer_secondary_dns_co_uk;
        transfer_primary_dns_co_uk;
        transfer_nameless_aa_net_uk;
    };
    // Zone transfers (AXFR/IXFR) are limited to the same address lists.
    allow-transfer {
        transfer_secondary_dns_co_uk;
        transfer_primary_dns_co_uk;
        transfer_nameless_aa_net_uk;
    };
    // Send NOTIFY to secondary-dns.co.uk whenever the zone is reloaded or its serial changes.
    also-notify {
        notify_secondary_dns_co_uk;
    };
};

No longer Valid

If you are running your own DNS, you will need a secondary. You can use secondary-dns.co.uk which is configured to try and automatically secondary any new domain from an AAISP allocated IP address that a customer uses.

Using our secondary name server is normally automatic if you are using BIND-8/9. To make it pick up a domain automatically you have to change the top-level delegation to list your name server and secondary-dns.co.uk, and then have BIND send a NOTIFY from your primary. Our name server checks the delegation first and then adds the zone, loading from your primary server's IP. If you later change the IP of your primary, then the old IP must return that it is not authoritative in order to clear the zone, allowing it to reload from the new primary. If you encounter any difficulties, please contact technical support, who can make changes manually if necessary.