Configuring NS1 as a primary DNS provider

A common strategy for organizations to establish network resiliency is to publish the DNS zones across multiple DNS providers. If the primary DNS servers go down, the resolver looks for any secondary servers that are specified in the domain's top-level NS record to ensure requesting clients can access your domains. In this type of configuration, the primary provider hosts the source zone file and sends copies of the zone data to one or more secondary providers.

To configure IBM® NS1 Connect® to be the primary provider, you must specify one or more secondary providers to which it will send zone data. The NS1 Connect platform supports authoritative transfers (AXFR), in which the entire zone file is transferred to the secondary servers. Note, however, that some configuration details, such as Filter Chain configurations and certain types of DNS records, are not supported by other providers and are not included in the zone file transfer.

The following steps outline the process for establishing NS1 Connect as your primary DNS provider.

Step 1 - Create a primary zone on the IBM NS1 Connect® platform.

If you haven't already, create a primary zone on the NS1 Connect platform, ensuring that one or more DNS networks are selected before saving. The nameservers assigned to the zone vary depending on the network(s) to which the zone is published. Note that DNS traffic to the domain will not flow through nameservers until the delegation is updated at the domain registrar.

Step 2 - Enable outgoing zone transfers.

After saving the primary zone, you must configure outgoing zone transfers—specifying one or more secondary servers and their incoming ports to receive the zone data from the NS1 Connect platform.

Optionally, you can enable the Notify on change option to allow the NS1 Connect platform to notify your secondary provider upon changes to the primary zone data. If selected, you must specify the port on which your secondary server is configured to receive NOTIFY messages from the NS1 Connect platform, as well as the NS1 DNS network from which the NOTIFY message will originate. If you do not select this option, then the secondary zone data will not be updated until the next SOA refresh specified in the secondary zone configuration settings.

Step 3 - Configure a secondary zone on the secondary provider platform.

Follow the instructions provided by your secondary DNS provider to create a secondary zone, specifying the NS1 Connect AXFR server as primary. The specific server you specify depends on the DNS network to which the primary zone is published.

  • For primary zones published to the shared Managed DNS network (network 0), the secondary service must be configured to allow incoming zone data and, if enabled, NOTIFY messages from xfr01.nsone.net (192.135.223.10).
  • For primary zones that are not published to the shared Managed DNS network, such as a dedicated namespace within the Managed network, the IP addresses for the zone transfer services will be provided to you.

If using BIND, you can add the following code snippet to the configuration file:

zone "<zoneFQDN>" IN {
    type slave;
    file "/var/lib/bind/<myzone.com>.db";
    masters { 192.135.223.10; };
};

You can use a dig command to verify the configurations match on the primary and secondary DNS servers, but note that this process may vary depending on your setup. For example:

$ dig @xfr01.nsone.net +noall +answer -t soa <zoneFQDN> +multiline
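
The dig check above can be scripted to compare the SOA serial on the NS1 transfer server with the serial on a secondary. This is an added example, not NS1 tooling or code from the original page; the function names and the secondary-server argument are hypothetical, and the RFC 1982 serial comparison goes beyond the single dig query shown here.

```shell
#!/bin/sh
# Added example (not NS1 tooling): compare the SOA serial served by the NS1
# transfer server with the one served by a secondary.
PRIMARY_XFR="xfr01.nsone.net"   # from the page (shared Managed DNS network)

# Print the serial from one `dig +short -t soa` answer line:
#   mname rname serial refresh retry expire minimum
# Prints nothing for empty, refused or timed-out answers.
soa_serial() {
  printf '%s\n' "$1" | awk 'NF >= 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# Compare 32-bit serials with RFC 1982 serial arithmetic, so a serial that
# wrapped past 2^32 - 1 is still recognised as newer.
# $1 = primary serial, $2 = secondary serial
serial_state() {
  if [ "$1" -eq "$2" ]; then
    echo in-sync
    return 0
  fi
  ss_diff=$(( ($1 - $2) & 4294967295 ))    # (primary - secondary) mod 2^32
  if [ "$ss_diff" -lt 2147483648 ]; then
    echo secondary-behind                   # secondary has not picked up the change yet
  elif [ "$ss_diff" -gt 2147483648 ]; then
    echo secondary-ahead                    # secondary serial is newer than the primary's
  else
    echo undefined                          # exactly 2^31 apart: RFC 1982 leaves this open
  fi
}

# $1 = zone FQDN, $2 = secondary server (hypothetical argument)
check_zone() {
  cz_p=$(soa_serial "$(dig @"$PRIMARY_XFR" +short +norecurse -t soa "$1")")
  cz_s=$(soa_serial "$(dig @"$2" +short +norecurse -t soa "$1")")
  if [ -z "$cz_p" ] || [ -z "$cz_s" ]; then
    echo "no SOA answer (primary='$cz_p' secondary='$cz_s')" >&2
    return 2
  fi
  serial_state "$cz_p" "$cz_s"
}

# Runs only when called as: script.sh <zoneFQDN> <secondary-server>
if [ "$#" -eq 2 ]; then
  check_zone "$1" "$2"
fi
```

A result of secondary-behind that persists past the SOA refresh interval suggests the secondary is not receiving transfers or NOTIFY messages from the NS1 Connect platform.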

Step 4 - Update the domain registrar.

Once you are ready to initiate traffic flow through NS1 Connect nameservers, you must update the nameserver delegation at the domain registrar (for example, GoDaddy, BlueHost, and so on) to point to the NS1 nameservers. Do not update the registrar until you are ready to send DNS traffic to the new nameservers. If you are undergoing a large migration to the NS1 Connect platform or between services, adhere to the guidance provided by the NS1 team before updating the registrar.