This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!
Roger.Wilco (talk | contribs) (Update page to have more detail relating to A&A as Secondary DNS. Using config verified to work - after working with A&A staff tech.)
Some customers wish to run their own Authoritative Primary DNS server(s) and use A&A's DNS Infrastructure as their Authoritative Secondary slave server(s).
A&A are in the middle of a large project to change the DNS Infrastructure. During the change, the DNS Infrastructure and the associated information will be in a state of flux. The information on this page is supplemented by the page: https://support.aa.net.uk/New_Authoritive_DNS
As the DNS Infrastructure is in a state of flux, the information below will change and will be updated when appropriate. After completion of the DNS Infrastructure change, A&A will eventually have a new system in place for control & configuration of customers' Authoritative Secondary DNS.
==Working Configuration as at May 2025==
The process for setting up A&A as your Authoritative Secondary DNS server(s) is:
# Configure required ACLs on your Firewall,
# Configure required access ACLs on your Primary DNS for zone transfers and queries,
# Contact support@aa.net.uk to request your domain to be configured on A&A's Secondary DNS,
# Verify that 'secondary-dns.co.uk' provides replies when responding to queries regarding your domain,
# Change the Authoritative DNS servers to include 'secondary-dns.co.uk' for your domain at your Domain Registrar.
==What is needed to set up A&A as your Authoritative Secondary DNS==
You need to configure your Authoritative Primary DNS to:
# Send NOTIFY to 'secondary-dns.co.uk',
# Allow '*.secondary-dns.co.uk' & '*-nameless.aa.net.uk' to send queries to your Primary DNS,
# Allow '*.secondary-dns.co.uk' & '*.primary-dns.co.uk' to request AXFR/IXFR zone transfers.
==IP addresses required for Firewall and Primary DNS ACLs==
If we are running as your Secondary DNS to your own Primary, then allow these IP addresses through your firewall to your Primary server (UDP & TCP port 53). Use the same addresses in the access ACLs on your Primary DNS server, for both queries & zone transfers for your domain(s):
<nowiki>
81.187.81.32; //secondary-dns.co.uk **legacy**
194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk **legacy**
194.4.173.3; 2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk **NEW**
194.4.173.4; 2001:8b6:2:0:194:4:173:4; //zonetransfers-b.secondary-dns.co.uk **NEW**
194.4.172.3; 2001:8b6:1:0:194:4:172:3; //zonetransfers-a.primary-dns.co.uk **NEW**
194.4.172.4; 2001:8b6:1:0:194:4:172:4; //zonetransfers-b.primary-dns.co.uk **NEW**
81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk
90.155.23.32; 2001:8b0:0:23::32; //b-nameless.aa.net.uk **legacy**
90.155.62.60; 2001:8b0:0:62::60; //c-nameless.aa.net.uk
</nowiki>
Starting from March 2025, in addition to the legacy 'secondary-dns.co.uk' IP addresses, we will also initiate zone transfers from the newer DNS Infrastructure:
* 'zonetransfers-a.secondary-dns.co.uk', 'zonetransfers-b.secondary-dns.co.uk'
* 'zonetransfers-a.primary-dns.co.uk', 'zonetransfers-b.primary-dns.co.uk'
Legacy 'secondary-dns.co.uk' will still be in use until mid-2025. Therefore, please keep these in your ACLs for the moment until this advice changes.
==Abridged Example Configuration for a BIND9 Authoritative DNS Server==
This configuration was verified as working as at May 2025.
<nowiki>
// /etc/bind/named.conf.local

// Hosts that are sent NOTIFY when the zone changes
masters notify_secondary_dns_co_uk {
    194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
};

acl transfer_secondary_dns_co_uk {
    81.187.81.32; //secondary-dns.co.uk **legacy**
    194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
    194.4.173.3; 2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk
    194.4.173.4; 2001:8b6:2:0:194:4:173:4; //zonetransfers-b.secondary-dns.co.uk
};

acl transfer_primary_dns_co_uk {
    194.4.172.3; 2001:8b6:1:0:194:4:172:3; //zonetransfers-a.primary-dns.co.uk
    194.4.172.4; 2001:8b6:1:0:194:4:172:4; //zonetransfers-b.primary-dns.co.uk
};

acl transfer_nameless_aa_net_uk {
    81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk
    90.155.23.32; 2001:8b0:0:23::32; //b-nameless.aa.net.uk **legacy**
    90.155.62.60; 2001:8b0:0:62::60; //c-nameless.aa.net.uk
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    // Only the A&A hosts in these ACLs may query this zone on the primary
    allow-query {
        transfer_secondary_dns_co_uk;
        transfer_primary_dns_co_uk;
        transfer_nameless_aa_net_uk;
    };
    // Only the A&A hosts in these ACLs may request AXFR/IXFR
    allow-transfer {
        transfer_secondary_dns_co_uk;
        transfer_primary_dns_co_uk;
        transfer_nameless_aa_net_uk;
    };
    also-notify {
        notify_secondary_dns_co_uk;
    };
};
</nowiki>
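An added example (not part of the A&A page or its verified configuration): a Python check that a zone's allow-transfer in named.conf.local admits exactly the addresses published above, so a forgotten address, a stale entry or an 'any' is caught before it causes failed transfers or an open AXFR. The function names, the ACL name 'xfer_aa' and the 192.0.2.10 entry are constructed for illustration, and the parser assumes the simple acl/zone layout shown on this page.

```python
import ipaddress
import re

# Addresses this page publishes for the primary's ACLs (IPv6 spellings normalised).
PUBLISHED = {ipaddress.ip_network(a) for a in """
81.187.81.32 194.4.173.1 2001:8b0:0:81::51bb:5120
194.4.173.3 2001:8b6:2:0:194:4:173:3 194.4.173.4 2001:8b6:2:0:194:4:173:4
194.4.172.3 2001:8b6:1:0:194:4:172:3 194.4.172.4 2001:8b6:1:0:194:4:172:4
81.187.30.41 2001:8b0:0:30::51bb:1e29 90.155.23.32 2001:8b0:0:23::32
90.155.62.60 2001:8b0:0:62::60""".split()}

def elements(body):  # split the body of an address-match list on ';'
    return [t.strip() for t in body.split(";") if t.strip()]

def audit_allow_transfer(conf, zone, required=PUBLISHED):
    """Return (missing, unexpected, open_to_any) for a zone's allow-transfer."""
    conf = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)
    acls = {m[1]: elements(m[2]) for m in
            re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{([^{}]*)\}', conf)}
    start = re.search(r'\bzone\s+"%s"' % re.escape(zone), conf)
    if start is None:
        raise ValueError("zone not found: " + zone)
    rest = re.split(r'\bzone\s+"', conf[start.end():])[0]  # stop at next zone
    stmt = re.search(r"\ballow-transfer\s*\{([^{}]*)\}", rest)
    todo = elements(stmt[1]) if stmt else []  # absent: inherited, not inspected
    allowed, unexpected = set(), set()
    while todo:
        item = todo.pop()
        if item in acls:
            todo.extend(acls[item])  # expand a named acl
        else:
            try:
                allowed.add(ipaddress.ip_network(item, strict=False))
            except ValueError:
                unexpected.add(item)  # "any", a key, a negation, a built-in acl
    missing = {str(r) for r in required if not any(
        a.version == r.version and r.subnet_of(a) for a in allowed)}
    unexpected |= {str(a) for a in allowed - required}
    return missing, unexpected, "any" in unexpected

# Constructed sample: one published address forgotten, one stale entry kept, one IPv6 compressed.
SAMPLE = """acl xfer_aa {
    81.187.81.32; 194.4.173.1; 2001:8b0:0:81::51bb:5120; 192.0.2.10;
    194.4.173.3; 2001:8b6:2::194:4:173:3; 194.4.173.4; 2001:8b6:2:0:194:4:173:4;
    194.4.172.3; 2001:8b6:1:0:194:4:172:3; 194.4.172.4;
    81.187.30.41; 2001:8b0:0:30::51bb:1e29; 90.155.23.32; 2001:8b0:0:23::32;
    90.155.62.60; 2001:8b0:0:62::60; };
zone "example.com" { type master; allow-transfer { xfer_aa; }; };"""
print(audit_allow_transfer(SAMPLE, "example.com"))
```

An entry wider than a single host, such as a /24, is reported as unexpected even though it covers published addresses, which is the least-privilege reading of an allow-transfer list.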
==No longer Valid==
<del>If you are running your own DNS, you will need a secondary. You can use secondary-dns.co.uk which is configured to try and automatically secondary any new domain from an AAISP allocated IP address that a customer uses.</del>