This topic describes how to enable the Secondary DNS feature.
Feature description
Alibaba Cloud DNS PrivateZone allows you to use Secondary DNS to synchronize DNS records from a data center to Alibaba Cloud.
After you enable Secondary DNS for a private zone, you cannot modify the existing DNS records by changing the configuration of the private zone. All DNS records are synchronized from the primary DNS server.
To synchronize data from the primary DNS server in a data center, you must specify a public IP address that supports data synchronization and enable TCP port 53 or UDP port 53.
Preparations
Before you enable Secondary DNS, you must configure the primary DNS server in your data center. Then, enable Secondary DNS in the Alibaba Cloud DNS console. The following example shows how to configure a self-managed primary DNS server that uses BIND 9.9.4 or later.
Add the following code to the configuration file "named.conf" for the primary DNS server that uses BIND 9:
zone "Domain name, such as example.com" IN {
    type master;
    allow-update { 127.0.0.1; };
    allow-transfer { key test_key; };
    notify explicit;
    also-notify { 39.107.XXX.XXX port 53 key test_key; 39.107.XXX.XXX port 53 key test_key; };
    file "zone_file";
};
Parameters
zone: the name of the private zone for which you want to enable Secondary DNS.
allow-transfer: restricts zone transfers to requests that are signed with the specified Transaction Signature (TSIG) key. This key is used for data synchronization between the primary and secondary DNS servers.
Note: As recommended by the relevant Request for Comments (RFC) standards, use TSIG to secure the transfer of DNS records. TSIG authenticates DNS messages with a shared secret key and a keyed one-way hash (HMAC), which ensures that data is synchronized between the primary and secondary DNS servers in a secure manner. You can generate a TSIG key that uses the HMAC-MD5, HMAC-SHA256, or HMAC-SHA1 algorithm and then specify the key in the configurations of both the primary and secondary DNS servers.
also-notify: the IP address of the secondary DNS server to which notifications are sent if the DNS records of the primary DNS server are changed. You can specify the IP addresses of multiple secondary DNS servers. In this example, the IP addresses of two secondary DNS servers are configured. You can go to the Secondary DNS page in the Alibaba Cloud DNS console to obtain the IP addresses of the servers.
Secondary DNS servers: 39.107.XXX.XXX, 39.107.XXX.XXX
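To make concrete what the TSIG key referenced by allow-transfer and also-notify actually protects, the following added example (not from the page or from Alibaba Cloud) computes and verifies the TSIG MAC over an AXFR request as defined in RFC 8945. It assumes a constructed zone name and a freshly generated 128-bit secret; the key name test_key is the one used in the named.conf sample above.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed sample values for this example (not taken from the page): a
# hypothetical zone, the key name from the page's named.conf, and a random
# 128-bit secret, the size that `dnssec-keygen -a HMAC-SHA256 -b 128` yields.
ZONE = "example.com."
KEY_NAME = "test_key."
SECRET = secrets.token_bytes(16)
SECRET_B64 = base64.b64encode(SECRET).decode()  # the value for secret "..." in the key clause

def wire_name(name):
    """Encode a dotted name in DNS wire format (lowercased): length-prefixed labels plus a root byte."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def axfr_query(zone, msg_id):
    """Unsigned AXFR request: 12-byte header with QDCOUNT=1, then QNAME, QTYPE 252, QCLASS IN."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_mac(msg, key_name, secret, signed_at, fudge=300):
    """HMAC-SHA256 over the unsigned message followed by the TSIG variables (RFC 8945 section 4.3.3)."""
    variables = (
        wire_name(key_name) + struct.pack("!HI", 255, 0)          # key name, CLASS ANY, TTL 0
        + wire_name("hmac-sha256.")                                 # algorithm name
        + struct.pack("!HIH", signed_at >> 32, signed_at & 0xFFFFFFFF, fudge)  # 48-bit time, fudge
        + struct.pack("!HH", 0, 0)                                  # error 0, other-len 0
    )
    # BIND carries this MAC in a TSIG RR appended to the additional section; that RR is not built here.
    return hmac.new(secret, msg + variables, hashlib.sha256).digest()

def verify_tsig(msg, key_name, secret, mac, signed_at, now, fudge=300):
    """What the receiving server checks: the MAC matches under the named key
    (constant-time compare) and the signing time lies within the fudge window."""
    if abs(now - signed_at) > fudge:
        return False
    return hmac.compare_digest(mac, tsig_mac(msg, key_name, secret, signed_at, fudge))

if __name__ == "__main__":
    request = axfr_query(ZONE, 0x1234)
    mac = tsig_mac(request, KEY_NAME, SECRET, 1700000000)
    print("secret for the key clause:", SECRET_B64)
    print("signed request verifies:", verify_tsig(request, KEY_NAME, SECRET, mac, 1700000000, 1700000100))
```

BIND performs this signing and verification on both sides; the example only makes visible that a request with a different secret, a modified message, or a timestamp outside the fudge window fails verification, which is why a transfer that is not signed with the configured key is refused.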
Note: After you modify the named.conf file, run the following command so that BIND reloads the configuration:
Reload command: rndc reconfig
Generate a TSIG key
Use the DNS Security Extensions (DNSSEC) key generation tool dnssec-keygen to generate a TSIG key. Sample command:
dnssec-keygen -a HMAC-SHA256 -b 128 -n HOST test_key
The preceding command can be run only by a root user. To avoid system stability or data security issues, proceed with caution when you perform operations as a root user.
Returned result:
Generating key pair
test_key.+157+64252
Command description:
-a: the HMAC algorithm that is used to generate the key. Valid values: HMAC-MD5, HMAC-SHA1, and HMAC-SHA256.
-b: the number of bytes in the key. The size of the key is determined by the encryption algorithm that is used. An HMAC key must be 1 to 512 bytes in size.
-n: the owner type of the key file. Valid values: ZONE, HOST, ENTITY, and USER. In most cases, the value of -n is HOST or ZONE.
test_key: the name of the key file. The value of this parameter is used as the value of the allow-transfer parameter in the configurations of the primary DNS server in the BIND configuration file and is also used as the value of the TSIG Key Name parameter in the Primary DNS Information section in the Alibaba Cloud DNS console.
After you run the preceding command, a .key file and a .private file are generated in the current directory. For example, the Ktest_key.+157+64252.key and Ktest_key.+157+64252.private files are generated. The .key file contains the DNS KEY record, which carries the value of the generated TSIG key. When you configure parameters in the Primary DNS Information section of the Alibaba Cloud DNS console, set the TSIG Key Value parameter to the key value from the DNS KEY record. The .private file contains the fields that are specified by the algorithm that is used.
Add the generated TSIG key to the named.conf file. You can do this in either of the following ways:
Copy and paste the following key clause into the named.conf file, replacing "Key content" with the key value from the .key file:
key "test_key" { algorithm hmac-sha256; secret "Key content";};
Alternatively, store the key clause in a separate file and reference that file from named.conf with an include statement. Sample statement:
include "/etc/named/dns-key";
The content of the /etc/named/dns-key file is in the following format:
key "test_key" {
    algorithm hmac-sha256;
    secret "Key content";
};
Procedure
1. Log on to the Alibaba Cloud DNS console.
2. In the left-side navigation pane, click Secondary DNS. On the Secondary DNS page, click Enable Secondary DNS. On the Public Domain Names tab, click Add Secondary DNS. In the Add Secondary DNS panel, select the private zone for which you want to enable Secondary DNS from the Domain Name drop-down list and click OK.
3. On the Add Secondary DNS page, configure the parameters in the Primary DNS Information and Server IP Addresses of Notification Senders sections, select If the secondary DNS cannot connect to your primary DNS, notifications are sent by text message to your administrator., and then click OK.
Primary DNS Information: In the upper-right corner of this section, click Add. Then, add a record for the primary DNS server.
Parameters
IP Address: the IP address of the primary DNS server. Make sure that the IP address can be accessed over the Internet.
TSIG Key Type: the encryption algorithm. Valid values: SHA1, SHA256, and MD5.
TSIG Key Name: the name of the generated TSIG key.
TSIG Key Value: the value of the generated TSIG key.
Server IP Addresses of Notification Senders: In the upper-right corner of this section, click Add. Then, specify the IP Address parameter or the Start IP Address and End IP Address parameters.
IP Address: the IP address of the server that sends notifications, based on the standard DNS NOTIFY protocol, when the DNS records on the primary DNS server are changed. Make sure that this IP address is reachable so that notifications are not blocked.
If the secondary DNS cannot connect to your primary DNS, notifications are sent by text message to your administrator: If you select this check box, Alibaba Cloud DNS sends a text message to notify you when the secondary DNS server fails to connect to a primary DNS server.
4. After you complete the preceding configuration of the Secondary DNS, view the status of the Secondary DNS on the Secondary DNS page.
If the switch in the Synchronization column is Connected, the secondary DNS feature is enabled for the private zone in Alibaba Cloud DNS.
If the value that is displayed in the Primary/Secondary DNS Connection Status column is Disconnected, check whether the configuration on the Secondary DNS page is valid, whether the primary DNS server runs as expected, and whether the IP address of the primary DNS server can be connected. After you troubleshoot the issue, click Connect to Primary DNS to connect to the primary DNS server.