
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Secondary DNS: Difference between revisions

AA-Andrew (talk | contribs)
mNo edit summary
AA-Andrew (talk | contribs)
 
(23 intermediate revisions by 2 users not shown)
Some customers wish to run their own Authoritative Primary DNS server(s) and use A&A's DNS Infrastructure as their Authoritative Secondary slave server(s).
This information is out of date; please see: https://support.aa.net.uk/New_Authoritive_DNS


<blockquote>A&A are in the middle of a large project to change the DNS Infrastructure. During the change the DNS Infrastructure and the associated information will be in a state of flux.
We will have new systems in place for managing Secondary DNS.


The information on this page is also augmented by information contained at the page: https://support.aa.net.uk/New_Authoritive_DNS


As the DNS Infrastructure is in a state of flux, the information below will change in the future and will be updated when appropriate. After completion of the DNS Infrastructure change, A&A will eventually have a new system for control and configuration in place for managing customers' Authoritative Secondary DNS.</blockquote>
==IP addresses for ACLs==
If we are running secondary DNS to your own primary, then please allow these IP addresses for zone transfers:
===New===
Starting from March 2025 we initiate zone transfers from these IP addresses:
*194.4.172.3
*194.4.172.4
*194.4.173.3
*194.4.173.4
*2001:8b6:1:0:194:4:172:3
*2001:8b6:1:0:194:4:172:3
*2001:8b6:1:0:194:4:173:3
*2001:8b6:1:0:194:4:173:3


===Legacy===
These will still be in use until mid-2025. Keep these in your ACLs as well as the new ones above.
*194.4.173.1
*2001:8b0:0:81::51bb:5120


==Process for setting up A&A as your Authoritative Secondary DNS Server as at May 2025==

The process for setting up A&A as your Authoritative Secondary DNS server(s):
# Configure the required ACLs on your firewall, remembering to open TCP as well as UDP.
# Configure the required access ACLs on your Primary DNS for zone transfers and queries.
# Contact <code>support@aa.net.uk</code> to request that your domain be configured on A&A's Secondary DNS.
# Verify that <code>secondary-dns.co.uk</code> answers queries for your domain.
# Change the Authoritative DNS servers for your domain at your Domain Registrar to include <code>secondary-dns.co.uk</code>.
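For the verification step, an added Python 3 check (not part of this page or of A&A's tooling): it queries your primary and each secondary directly with <code>dig</code>, extracts the SOA serial and compares serials using RFC 1982 sequence arithmetic, which is the rule a secondary applies when deciding whether a refresh or NOTIFY should lead to a transfer. The script name <code>soa_check.py</code> and the sample SOA line in the comments are constructed.

```python
"""Compare the SOA serial your primary publishes with what each secondary
(e.g. secondary-dns.co.uk) currently serves. Serial comparison uses RFC 1982
sequence arithmetic, as a secondary does when deciding to AXFR/IXFR."""
import subprocess
import sys

MOD = 2 ** 32   # SOA serials are unsigned 32-bit and wrap around
HALF = 2 ** 31

def serial_gt(a: int, b: int) -> bool:
    """True when serial a is newer than b in RFC 1982 sequence space, so a
    serial that has wrapped (e.g. 5 after 4294967290) still counts as newer."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)

def parse_soa_serial(short_soa: str) -> int:
    """Extract SERIAL from a `dig +short ... SOA` answer line, whose RDATA is
    MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM (seven fields)."""
    fields = short_soa.split()
    if len(fields) != 7:
        raise ValueError(f"not an SOA RDATA line: {short_soa!r}")
    return int(fields[2])

def transfer_state(primary_serial: int, secondary_serial: int) -> str:
    """Classify the primary/secondary pair from the secondary's point of view."""
    if primary_serial % MOD == secondary_serial % MOD:
        return "in-sync"
    if abs(primary_serial - secondary_serial) % MOD == HALF:
        return "undefined"          # RFC 1982: exactly half the space apart
    if serial_gt(primary_serial, secondary_serial):
        return "secondary-behind"   # a refresh or NOTIFY should trigger a transfer
    return "secondary-ahead"        # primary serial went backwards: no transfer will happen

def query_soa(server: str, zone: str) -> str:
    """Ask one server directly (no recursion) for the zone's SOA; needs dig and network."""
    result = subprocess.run(["dig", "+short", "+norecurse", f"@{server}", zone, "SOA"],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()

if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: soa_check.py ZONE PRIMARY SECONDARY [SECONDARY ...]")
    zone, primary, secondaries = sys.argv[1], sys.argv[2], sys.argv[3:]
    p_serial = parse_soa_serial(query_soa(primary, zone))
    print(f"{primary}: serial {p_serial}")
    for sec in secondaries:
        s_serial = parse_soa_serial(query_soa(sec, zone))
        print(f"{sec}: serial {s_serial} -> {transfer_state(p_serial, s_serial)}")
```

A "secondary-ahead" result normally means the primary's serial was lowered (for example a zone file restored from backup); the secondary will keep its copy until the primary's serial is moved past it in RFC 1982 terms.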


==What is needed to setup A&A as your Authoritative Secondary DNS==

You need to configure your Authoritative Primary DNS to:
* Set your Primary DNS to send NOTIFY to <code>secondary-dns.co.uk</code>. Required for your Primary DNS to notify A&A's Secondary that you've changed or reloaded your domain files.
<pre>
194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk **NOTIFY**
</pre>
* Allow <code>*.secondary-dns.co.uk</code>, <code>*-nameless.aa.net.uk</code> and <code>*.primary-dns.co.uk</code> to request AXFR/IXFR zone transfers from your Primary DNS. This is required so that A&A's Secondary DNS can copy your domains from your Primary DNS.
* Allow <code>*.secondary-dns.co.uk</code>, <code>*-nameless.aa.net.uk</code> and <code>*.primary-dns.co.uk</code> to send queries to your Primary DNS. This is required because some of A&A's secondaries send regular SOA queries to check the serial; it is also helpful if Support needs to query your Primary DNS.

==IP addresses required for Firewall and Primary DNS ACLs==

If we are running as Secondary DNS to your own Primary, allow these IP addresses through your firewall to your Primary server (UDP and TCP port 53), and add them to the access ACLs on your Primary DNS server for both queries and zone transfers for your domain(s):

<pre>
81.187.81.32; //secondary-dns.co.uk **legacy**
194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
194.4.173.3; 2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk **NEW**
194.4.173.4; 2001:8b6:2:0:194:4:173:4; //zonetransfers-b.secondary-dns.co.uk **NEW**

194.4.172.3; 2001:8b6:1:0:194:4:172:3; //zonetransfers-a.primary-dns.co.uk **NEW**
194.4.172.4; 2001:8b6:1:0:194:4:172:4; //zonetransfers-b.primary-dns.co.uk **NEW**

81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk
90.155.23.32; 2001:8b0:0:23::32; //b-nameless.aa.net.uk **legacy**
90.155.62.60; 2001:8b0:0:62::60; //c-nameless.aa.net.uk
</pre>

<blockquote>Starting from March 2025, in addition to legacy <code>secondary-dns.co.uk</code> IP addresses we will also initiate zone transfers from the newer DNS Infrastructure:
* <code>zonetransfers-a.secondary-dns.co.uk</code>; <code>zonetransfers-b.secondary-dns.co.uk</code>;
* <code>zonetransfers-a.primary-dns.co.uk</code>; <code>zonetransfers-b.primary-dns.co.uk</code>;

Legacy <code>secondary-dns.co.uk</code> will still be in use until mid-2025. Therefore, please keep these in your ACLs for the moment until this advice changes.</blockquote>

==Abridged Example Configuration for a BIND9 Authoritative DNS Server==

This configuration was verified as working as at May 2025.

<pre>
// /etc/bind/named.conf.local

// Hosts that receive NOTIFY when the zone is reloaded (referenced by also-notify below).
// Newer BIND releases also accept "primaries" and "type primary" as synonyms.
masters notify_secondary_dns_co_uk {
    194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
};

// Hosts allowed to query the zone and to pull AXFR/IXFR zone transfers.
acl transfer_secondary_dns_co_uk {
    81.187.81.32; //secondary-dns.co.uk **legacy**
    194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
    194.4.173.3; 2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk
    194.4.173.4; 2001:8b6:2:0:194:4:173:4; //zonetransfers-b.secondary-dns.co.uk
};

acl transfer_primary_dns_co_uk {
    194.4.172.3; 2001:8b6:1:0:194:4:172:3; //zonetransfers-a.primary-dns.co.uk
    194.4.172.4; 2001:8b6:1:0:194:4:172:4; //zonetransfers-b.primary-dns.co.uk
};

acl transfer_nameless_aa_net_uk {
    81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk
    90.155.23.32; 2001:8b0:0:23::32; //b-nameless.aa.net.uk **legacy**
    90.155.62.60; 2001:8b0:0:62::60; //c-nameless.aa.net.uk
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    // Abridged: only the A&A hosts may query this server. If it is itself
    // published as a public NS for the zone, allow-query must be wider.
    allow-query {
        transfer_secondary_dns_co_uk;
        transfer_primary_dns_co_uk;
        transfer_nameless_aa_net_uk;
    };
    // Zone transfers are limited to the A&A hosts; anyone else is refused.
    allow-transfer {
        transfer_secondary_dns_co_uk;
        transfer_primary_dns_co_uk;
        transfer_nameless_aa_net_uk;
    };
    // Send NOTIFY to secondary-dns.co.uk in addition to the zone's NS records.
    also-notify {
        notify_secondary_dns_co_uk;
    };
};
</pre>

==No longer Valid==


<del>If you are running your own DNS, you will need a secondary. You can use secondary-dns.co.uk which is configured to try and automatically secondary any new domain from an AAISP allocated IP address that a customer uses.</del>