Setup
With outgoing zone transfers, you can keep Cloudflare as your primary DNS provider and use one or more secondary providers for increased availability and fault tolerance.
As explained in DNS record types, Cloudflare uses a process called CNAME
flattening to return the final IP address instead of the CNAME
target. CNAME
flattening improves performance and is also what allows you to set a CNAME
record on the zone apex.
Depending on the settings you have, when you use DNS-only CNAME
records with outgoing zone transfers, you can expect the following:
- For DNS-only
CNAME
records on the zone apex, Cloudflare will always transfer out the flattened IP addresses. - For DNS-only
CNAME
records on subdomains, Cloudflare will only transfer out flattened IP addresses if the setting Flatten all CNAMEs is enabled.
For each proxied DNS record in your zone, Cloudflare will transfer out two A
and two AAAA
records.
These records correspond to the Cloudflare IP addresses ↗ used for proxying traffic.
Make sure your account team has enabled your zone for outgoing zone transfers.
Review your existing DNS records to make sure all of them have the desired Proxy status.
If using the API, you may also want to locate your Zone and Account IDs.
A Transaction Signature (TSIG) authenticates communication between a primary and secondary DNS server.
While optional, this step is highly recommended.
To create a TSIG using the dashboard:
- Log in to the Cloudflare dashboard ↗ and select your account.
- Go to Manage Account > Configurations.
- Click DNS Zone Transfers.
- For TSIG, click Create.
- Enter the following information:
- TSIG name: The name of the TSIG object using domain name syntax (more details in RFC 8945 section 4.2 ↗).
- Secret (optional): Get a shared secret to add to your third-party nameservers. If left blank, this field generates a random secret.
- Algorithm: Choose a TSIG signing algorithm.
- Click Create.
To create a TSIG using the API, send a POST request.
You only need to create a peer DNS server if you want:
- Your secondary nameservers to receive NOTIFYs for changes to your Cloudflare DNS records.
- A TSIG to sign zone transfer requests and NOTIFYs.
To create a peer using the dashboard:
- Log in to the Cloudflare dashboard ↗ and select your account.
- Go to Manage Account > Configurations.
- Select DNS Zone Transfers.
- For Peer DNS servers, select Create.
- Enter the following information, paying particular attention to:
- IP: If configured, specifies where Cloudflare sends NOTIFY requests to.
- Port: Specifies the IP Port for the NOTIFY IP.
- Enable incremental (IXFR) zone transfers: Does not apply when you are using Cloudflare as your primary DNS provider (Cloudflare zones always accept IXFR requests).
- Link an existing TSIG: If desired, link the TSIG you previously created.
- Select Create.
To create a peer DNS server using the API, send a POST request.
If you previously created a peer DNS server, you should link it to your primary zone.
To create a secondary zone using the dashboard:
- Log in to the Cloudflare dashboard ↗.
- Select your account and zone.
- Go to DNS > Settings.
- For DNS Zone Transfers, select Manage linked peers.
- Select a peer.
- Select Save.
To link a primary zone to a peer using the API, send a POST request with the ID of the peer you previously created.
When you create an Access Control List (ACL), that list contains the source IP addresses that are allowed to send zone transfer requests. If you do not configure an ACL, your zone transfers will fail from IP addresses other than the one specified in the peer DNS server linked to your primary zone on Cloudflare.
For more details, refer to create an ACL.
Your secondary DNS provider should send zone transfer requests (via AXFR or IXFR) to this IP on port 53 and from the IP address specified in your peer configuration.
It should also have updated Access Control Lists (ACLs) to prevent NOTIFY messages sent from Cloudflare IP ranges from being blocked.
Using the information from your secondary DNS provider, create NS
records on your zone apex listing your secondary nameservers.
By default, Cloudflare ignores NS
records that are added to the zone apex. To modify this behaviour, enable multi-provider DNS:
- Log in to the Cloudflare dashboard ↗.
- Select your account and zone.
- Go to DNS > Settings.
- Enable Multi-provider DNS.
When you enable outgoing zone transfers, this will send a DNS NOTIFY message to your secondary DNS provider.
- Log in to the Cloudflare dashboard ↗.
- Select your account and zone.
- Go to DNS > Settings.
- For Outgoing Zone Transfers, switch the toggle to On.
To enable outgoing zone transfers using the API, send a POST request.
At your registrar, add the nameservers of your secondary DNS provider.