NS1 as a Secondary Provider

You can use NS1 as a secondary DNS provider that synchronizes its zone data from your primary DNS server.

To configure a secondary zone, you must already have a primary DNS provider or server, and your primary server must allow AXFR queries over TCP for our server IPs. You will not be able to use the advanced functionality of NS1 (such as the Filter Chain) for records in a secondary zone, and you will need to use your primary server/provider's tools to manage your zone's records.

To set up a new secondary zone:

  1. Configure your primary DNS server to allow AXFR queries over TCP (and SOA queries over UDP) from
  2. Go to the Zones section and click "Add Zone", then select "Secondary zone".
  3. Enter your domain name, the IPv4 address (not the hostname) of your primary DNS server, and if the server is not running on the standard port 53, adjust the port setting. 
  4. Click "Add Zone".

The secondary zone will be created in a "pending" state -- it may take a few minutes for us to do the first synchronization against your primary server. You can monitor this status under the "Zone Settings" tab and also update the Primary IP or Port if necessary.

Once the zone syncs, all the records you have configured on your primary server will appear in the zone in your NS1 account. Next, you can use the nameservers provided on the nameservers tab within the zone to direct DNS traffic for the zone to NS1. To do so, you must add NS records for each NS1 nameserver to the zone on your primary DNS server, and then modify the nameservers for your domain at your registrar.

Your zone will be resynchronized according to the refresh interval specified in the SOA record for your zone. If a zone transfer fails, the zone enters a "warning" state, and we will continue attempting to perform the zone transfer at the retry interval given by your SOA record until it succeeds, or the expiry timeout as provided in your SOA record is hit. If the expiry timeout is hit and we have been unable to resynchronize your zone, the zone enters an "error" state and we will stop answering queries for the zone.
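The refresh, retry and expiry behaviour described above can be modelled to see how long a primary outage a given SOA record tolerates before the secondary stops answering. This is an added example, not NS1's code: the function names and the sample SOA are constructed, and it assumes the expiry timeout counts from the last successful transfer (as in RFC 1035) and that the model ends once the zone reaches "error".

```python
from dataclasses import dataclass

@dataclass
class SoaTimers:
    refresh: int  # seconds between scheduled transfers
    retry: int    # seconds between attempts after a failure
    expire: int   # seconds after which the secondary stops answering

def parse_soa_timers(rdata: str) -> SoaTimers:
    """Parse SOA rdata: mname rname serial refresh retry expire minimum."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}")
    refresh, retry, expire = (int(f) for f in fields[3:6])
    return SoaTimers(refresh, retry, expire)

def simulate(timers, outages, until):
    """Return [(second, state)] transitions of a synced secondary zone.

    outages: (start, end) windows in which the primary refuses AXFR.
    Assumptions: expire counts from the last successful transfer
    (RFC 1035), and the model stops once the zone reaches "error".
    """
    def transfer_ok(t):
        return not any(start <= t < end for start, end in outages)

    transitions = [(0, "ok")]  # t=0: first synchronization just succeeded
    last_ok, next_try = 0, timers.refresh
    while True:
        deadline = last_ok + timers.expire
        if min(next_try, deadline) > until:
            return transitions
        if deadline <= next_try:  # expiry reached before another attempt
            transitions.append((deadline, "error"))
            return transitions
        t = next_try
        if transfer_ok(t):
            last_ok, next_try, state = t, t + timers.refresh, "ok"
        else:
            next_try, state = t + timers.retry, "warning"
        if transitions[-1][1] != state:
            transitions.append((t, state))

# Constructed sample SOA: refresh 1h, retry 10m, expire 24h.
SAMPLE_SOA = "ns.example.com. hostmaster.example.com. 2024010101 3600 600 86400 300"

if __name__ == "__main__":
    timers = parse_soa_timers(SAMPLE_SOA)
    print(simulate(timers, [(5000, 9000)], 20000))    # short outage recovers
    print(simulate(timers, [(5000, 10**9)], 200000))  # long outage expires
```

With the sample timers, a primary that stays unreachable takes the zone to "error" 24 hours after the last successful transfer, so the expiry value bounds how long the secondary keeps answering during a primary failure.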

NS1 supports authentication using TSIG (Transaction Signature) for zones where it acts as the secondary.

Enabling TSIG

Before completing the new zone, select the option to enable TSIG. Then supply a hash type, a name for the key being created, and the key itself. The key works as a password that authenticates the zone transfer (AXFR) communication between the two DNS servers, so that changes to zone records are transferred securely. The hash type and key must match between the primary and secondary DNS providers.

Once completed, save the new zone. The secondary zone will be created in a "pending" state -- it may take a few minutes for the first synchronization against your primary server.
