[Webinar] The Art of Measuring DNS Performance - Register Now!

Secondary Zones

You can use NS1 as a secondary DNS provider, slaved to your primary DNS server.

To configure a secondary zone, you must already have a primary DNS provider or server, and your primary server must allow AXFR queries over TCP for our server IPs. You will not be able to use the advanced functionality of NS1 (such as the Filter Chain) for records in a secondary zone, and you will need to use your primary server/provider's tools to manage your zone's records.

To set up a new secondary zone:

  1. Configure your primary DNS server to allow AXFR queries over TCP (and SOA queries over UDP) for 192.241.159.119 and 192.135.223.10
  2. Go to the Zones section and click "Add Zone", then select "Secondary zone".
  3. Enter your domain name, the IPv4 address (not the hostname) of your primary DNS server, and if the server is not running on the standard port 53, adjust the port setting. 
  4. Click "Add Zone".


The secondary zone will be created in a "pending" state -- it may take a few minutes for us to do the first synchronization against your primary server. You can monitor this status under the "Zone Settings" tab and also update the Primary IP or Port if necessary.


Once the zone syncs, all the records you have configured on your primary server will appear in the zone in your NS1 account. Next, you can use the nameservers provided on the nameservers tab within the zone to direct DNS traffic for the zone to NS1. To do so, you must add NS records for each NS1 nameserver to the zone on your primary DNS server, and then modify the nameservers for your domain at your registrar.

Your zone will be resynchronized according to the refresh interval specified in the SOA record for your zone. If a zone transfer fails, the zone enters a "warning" state, and we will continue attempting to perform the zone transfer at the retry interval given by your SOA record until it succeeds, or the expiry timeout as provided in your SOA record is hit. If the expiry timeout is hit and we have been unable to resynchronize your zone, the zone enters an "error" state and we will stop answering queries for the zone.

If you would like to configure your NS1 secondary zone with TSIG (Transaction Signature) authentication, this knowledge base article has further details.