OCI - Cloudflare Public DNS Zone replication - part 1

April 25, 2024 | 10 minute read
Radu Nistor
Principal Cloud Solution Architect

Hi! Welcome to a 2-part blog focused on public DNS zone transfers. In this entry, part 1, we will talk about DNS zone transfers in general and we will do a demo for the scenario where OCI holds the primary DNS servers and Cloudflare holds the secondary DNS servers. In part 2, we will demo the reverse: Cloudflare will be primary and OCI will be secondary.

DNS Zone Transfers

Whenever you define a zone in a DNS server you have the option to make it either primary or secondary. If you define it as primary you can add and update records. If you define it as secondary you can only define the location of the primary server; changes to the zone are not allowed, since the secondary server only holds a copy of the zone. When the zone is defined, the secondary server connects to the primary server over TCP port 53 and transfers the full zone. After that, a transfer is triggered under these circumstances:

a) When the REFRESH value in the zone’s SOA record expires, the secondary server connects to the primary server and requests the SOA record. If the SOA’s serial has changed, the secondary will transfer the whole zone or just the changes to the zone.
b) The secondary server receives a NOTIFY message from the primary that the SOA serial has changed. The secondary server connects to the primary server and requests the SOA record. If the SOA’s serial has changed, the secondary will transfer the whole zone or just the changes to the zone. The NOTIFY mechanism is considered optional and not all DNS services implement it.

When the secondary server requests DNS data, it can request:
a) A full zone transfer called an AXFR query.
b) A partial zone transfer called an IXFR query, only for the changes between the secondary’s copy and the primary’s current state. IXFR support is considered optional, as the primary needs to keep a history of all changes that occurred with each SOA serial increase (the SOA’s serial increases each time you change something in the zone). When the secondary does an IXFR request it provides its last known SOA serial, so it is the job of the primary to know which changes to send.

Note: both OCI and Cloudflare have implemented the NOTIFY and the IXFR mechanisms.
Cloudflare explains very well what the SOA record is here.
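The refresh, NOTIFY and AXFR/IXFR decisions described above, as an added example in Python that is not part of the original post and is not OCI's or Cloudflare's code. The Primary and Secondary classes, the sample records and the serial values are constructed for illustration; the serial comparison follows RFC 1982 so that it survives the 32-bit wraparound. The model also shows the fallback real servers rely on: when the primary has no journal reaching back to the secondary's serial, the IXFR request is answered with a full AXFR.

```python
"""Constructed model of how a secondary keeps its copy of a zone current.
Not OCI or Cloudflare code; names, records and serials are made up."""
from dataclasses import dataclass, field
from typing import Optional

MASK = 0xFFFFFFFF


def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if SOA serial a is newer than b.
    Works across the 32-bit wraparound, unlike a plain a > b."""
    a, b = a & MASK, b & MASK
    return a != b and ((a - b) & MASK) < 0x80000000


@dataclass
class Primary:
    serial: int
    records: dict                       # "owner/type" -> rdata (constructed sample data)
    keeps_journal: bool = True          # IXFR is optional: it needs a change history
    journal: list = field(default_factory=list)     # (old_serial, new_serial, removed, added)
    downstream: list = field(default_factory=list)  # secondaries that receive NOTIFY

    def update(self, added=None, removed=None) -> list:
        """Change the zone, bump the serial, record the diff, then NOTIFY downstream."""
        added, removed = dict(added or {}), set(removed or ())
        old = self.serial
        gone = {n: self.records.pop(n) for n in removed if n in self.records}
        self.records.update(added)
        self.serial = (self.serial + 1) & MASK
        if self.keeps_journal:
            self.journal.append((old, self.serial, gone, added))
        # NOTIFY only says "the serial changed"; each secondary then does its own SOA check.
        return [s.refresh(self) for s in self.downstream]

    def answer_xfr(self, secondary_serial: int):
        """Answer an IXFR request. Fall back to AXFR when the journal cannot
        bridge the gap from the secondary's serial to the current one."""
        starts = [i for i, e in enumerate(self.journal) if e[0] == secondary_serial]
        if starts:
            steps = [(gone, added) for _, _, gone, added in self.journal[starts[0]:]]
            return "IXFR", steps
        return "AXFR", dict(self.records)


@dataclass
class Secondary:
    serial: Optional[int] = None        # None: no copy of the zone yet
    records: dict = field(default_factory=dict)

    def refresh(self, primary: Primary) -> str:
        """Run at REFRESH expiry or on NOTIFY: SOA check first, transfer only if needed."""
        if self.serial is not None and not serial_newer(primary.serial, self.serial):
            return "none"                                   # serial unchanged, nothing to do
        if self.serial is None:
            kind, payload = "AXFR", dict(primary.records)   # first load is always a full transfer
        else:
            kind, payload = primary.answer_xfr(self.serial)
        if kind == "AXFR":
            self.records = payload
        else:
            for gone, added in payload:
                for name in gone:
                    self.records.pop(name, None)
                self.records.update(added)
        self.serial = primary.serial
        return kind


def demo(keeps_journal: bool = True):
    """Initial load, an idle refresh, then one record added on the primary."""
    primary = Primary(serial=2024042501, keeps_journal=keeps_journal,
                      records={"oci-lab.cloud./NS": "ns1.p201.dns.oraclecloud.net.",
                               "www.oci-lab.cloud./A": "192.0.2.10"})  # constructed sample zone
    cf = Secondary()
    primary.downstream.append(cf)
    first = cf.refresh(primary)      # AXFR: the secondary had no copy
    idle = cf.refresh(primary)       # none: serial unchanged
    notified = primary.update(added={"cloudflare.oci-lab.cloud./A": "192.0.2.20"})
    return first, idle, notified[0], cf.serial == primary.serial, sorted(cf.records)


if __name__ == "__main__":
    print(demo())        # primary keeps a journal: the NOTIFY leads to an IXFR
    print(demo(False))   # no journal: the same NOTIFY leads to a full AXFR
```

Running the script with and without a journal is the quickest way to see why the note about NOTIFY and IXFR being optional matters: the outcome is the same zone copy either way, but the amount of data moved on every change is not.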

One important thing to note is that both the primary and the secondary servers are considered authoritative for the zone and both will respond to the DNS queries from clients. Also, using DNS Zone transfers can bring some nice enhancements to your infrastructure:
- You will have a copy of your zone in DNS servers running on a different infrastructure which may protect you when the infrastructure running your primary servers has issues.
- You can include the secondary DNS servers in the DNS pool that answers to client queries, offloading DNS traffic from your primary servers.
Let’s put all of the above in a diagram.

DNS Zone transfers can become complicated and we don’t have the space to dig deeper. Let’s focus on a demo for setting up zone transfers between the Oracle Cloud as Primary and Cloudflare as Secondary.

OCI – Cloudflare zone transfers

In order to use zone transfers in Cloudflare you need:

a) An Enterprise license – DNS zone transfers are only available for Enterprise licenses. In any other license type, you will not see the relevant menus.
b) Even if you have Enterprise licenses you may not find the relevant menus for zone transfers. If that is the case, contact Cloudflare support to enable DNS Zone transfers for your account.

Before showing the actual Console configuration on both OCI and Cloudflare we need to discuss some design details. Both OCI and Cloudflare use dedicated DNS servers for zone transfers, different from the authoritative servers. Furthermore, Cloudflare splits the servers that do zone transfers into servers dedicated to receiving NOTIFY messages from the Primary and servers that do actual zone transfers. Let’s get the server list from both sides before moving on to the Consoles.

OCI Zone Transfers DNS servers

The OCI servers dedicated to zone transfers are not shown in the Console. To get them we need to use the OCI CLI or the API. For simplicity, we will use an OCI CLI call from the OCI Shell. The OCI CLI call looks like this:

oci dns zone-transfer-server list --compartment-id compartment_id 

where the compartment_id is the root compartment (tenancy) ocid.

The OCI CLI call will return servers used for both use cases (OCI is either Primary or Secondary). For this blog entry, we are configuring OCI to be Primary and Cloudflare to be Secondary so we will use the following DNS servers: 138.1.3.26, 147.154.137.246, and 147.154.151.52.

Note: these DNS servers were allocated to my tenancy, so you have to run this step yourself to get the servers allocated to you, which may or may not be the same.

Cloudflare Zone Transfers DNS servers

Cloudflare has documented its zone transfer servers here.

Now that we have IPs, let’s build a more accurate diagram:

Zone transfer security

a) Access lists – when you configure the DNS zone transfer you need to put the IPs of the other side in the relevant menus. This will also act as an access list, preventing zone transfers from occurring to IPs not directly configured in the Consoles of both entities.
b) TSIG keys – while both Cloudflare and Oracle Cloud support TSIG keys for zone transfers, the option was implemented differently on each side. That means that, at this moment, adding TSIG keys to the communication will not work.

Now we can move to the demo part of the blog.

Demo

1. OCI Primary DNS Zone

Go to Networking -> DNS management -> Zones and create a new Public zone. I already have my zone called oci-lab.cloud.

The zone has to be Primary and Public. Note that once created you will see the OCI-allocated authoritative servers: ns1.p201.dns.oraclecloud.net., ns2.p201.dns.oraclecloud.net., ns3.p201.dns.oraclecloud.net., ns4.p201.dns.oraclecloud.net. We will need to add them to the Registrar’s DNS configuration later on.

2. Configure downstream servers.

In the zone details page we can add downstream servers which tells OCI it needs to:

- Send Notify messages to those servers whenever a change happens
- Accept zone transfer requests from those servers.

Click on Downstream servers on the left and add:

- The 2 Notify IPs of Cloudflare: 172.65.30.82 and 172.65.50.145
- The zone transfer servers: 198.41.144.240/28 and 198.41.150.240/28.

The OCI Console does not accept ranges for the downstream servers so you will need to add each IP in those ranges manually:

- From 198.41.144.240 to 198.41.144.254 (15 IPs)
- From 198.41.150.240 to 198.41.150.254 (15 IPs)
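An added helper, not OCI or Cloudflare tooling, that expands the two transfer prefixes into the single addresses the Console wants and models the access-list effect described under Zone transfer security. The post lists the addresses .240 through .254 of each /28 by hand; a /28 prefix covers 16 addresses, so the function below enumerates the whole block, ending at .255. The `{"address": ip}` shape is my assumption about the OCI DNS API's external downstream objects and should be checked against the API reference before you feed it to anything.

```python
"""Expand Cloudflare's transfer prefixes into the per-IP entries OCI needs,
and model the access-list behaviour of the downstream server list.
Added example; the IPs below are the ones quoted in the post."""
import ipaddress
import json

CLOUDFLARE_NOTIFY_IPS = ["172.65.30.82", "172.65.50.145"]
CLOUDFLARE_XFR_PREFIXES = ["198.41.144.240/28", "198.41.150.240/28"]


def expand_prefix(cidr: str) -> list:
    """Every address covered by the prefix (a /28 holds 16), as strings.
    strict=True rejects a prefix whose host bits are not all zero."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(a) for a in net]


def downstream_servers(notify_ips=None, prefixes=None) -> list:
    """The complete, de-duplicated list to type into Downstream servers:
    NOTIFY receivers first, then every address of each transfer prefix."""
    notify_ips = CLOUDFLARE_NOTIFY_IPS if notify_ips is None else notify_ips
    prefixes = CLOUDFLARE_XFR_PREFIXES if prefixes is None else prefixes
    result = []
    for ip in list(notify_ips) + [a for p in prefixes for a in expand_prefix(p)]:
        if ip not in result:
            result.append(ip)
    return result


def transfer_allowed(source_ip: str, allowed=None) -> bool:
    """Access-list effect of the downstream list: only listed sources may pull
    the zone. Normalising through ip_address() avoids string-format mismatches."""
    allowed = set(downstream_servers() if allowed is None else allowed)
    return str(ipaddress.ip_address(source_ip)) in allowed


def as_external_downstreams(ips=None) -> list:
    """One object per IP; the 'address' key is an assumption about the OCI DNS
    API's external downstream objects (verify against the API reference)."""
    return [{"address": ip} for ip in (downstream_servers() if ips is None else ips)]


if __name__ == "__main__":
    servers = downstream_servers()
    print(f"{len(servers)} downstream entries to add in the OCI Console:")
    for ip in servers:
        print("  ", ip)
    print(json.dumps(as_external_downstreams(servers), indent=2))
```

The same list doubles as a review aid: anything that shows up in your OCI DNS logs requesting a transfer from an address for which transfer_allowed() is False is a request the access list is meant to reject.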

Note: OCI does not have a way to distinguish between “Notify” servers and actual zone transfer servers, so we will add them all as downstream servers. Whenever a change happens, OCI will send a Notify message to all Cloudflare IPs.

3. Cloudflare Zone transfer settings

Under your account in Cloudflare, go to Manage Account -> Configurations -> DNS Zone Transfers -> Peer DNS servers and create three entries for the OCI DNS servers: 138.1.3.26, 147.154.137.246, and 147.154.151.52.

4. Cloudflare Secondary Zone

In your Cloudflare account add a new site, as a Secondary Zone.

Press Continue and make sure you select an Enterprise license or Zone transfers will fail. In the next menu, link the OCI Primary servers:

After you press Continue, Cloudflare will do a zone transfer and show you what it got from OCI:

If this matches the OCI Zone configuration (it should) then press Continue. On the next page, Cloudflare will display the authoritative name servers allocated to the new zone.

For me, these servers are ns0082.secondary.cloudflare.com and ns0212.secondary.cloudflare.com. You can press Done. The zone will become available only after you add these two servers to the Registrar’s DNS config.

5. Registrar DNS configuration.

The last step is to go to your Registrar’s config page and add all authoritative DNS servers, both from OCI and Cloudflare.
- The OCI DNS servers are: ns1.p201.dns.oraclecloud.net., ns2.p201.dns.oraclecloud.net., ns3.p201.dns.oraclecloud.net., ns4.p201.dns.oraclecloud.net. You can get them from the zone details page. You don’t really need to put all of them in the registrar, but you should definitely put the one in the SOA record, which is NS1. For this demo, I will simply add them all.
- The Cloudflare DNS servers were given in the previous step and are: ns0082.secondary.cloudflare.com and ns0212.secondary.cloudflare.com

Each Registrar has its own menu for this.

When you are done, go back to the zone overview page in Cloudflare and confirm that you have added their NS servers.

Note: It will take a few minutes for the zone to become active. After a few minutes, you will see the zone marked as “active” on the account overview page.

And we’re done: the DNS zone transfer setup is complete.

6. Some simple tests.

Let’s test that everything works as expected. I will create a new DNS record in OCI named cloudflare.oci-lab.cloud.

The expected behavior is that the record will automatically appear in Cloudflare, without any intervention from anybody.

And there it is, Cloudflare automatically updated the zone with the new record. Let’s also do a DNS request to Cloudflare. I will query one of the two allocated authoritative servers.

As expected, Cloudflare will serve DNS queries for the Secondary zone.
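A check I would run once the registrar change has propagated, added here as an example and not part of the post or of either vendor's tooling: query every authoritative server named above directly for the SOA and confirm they all return the same serial, which is the observable sign that the Cloudflare secondary has caught up with the OCI primary. It shells out to dig (assumed to be installed); the sample dig output used for the offline self-check is constructed.

```python
"""Confirm all authoritative servers (OCI primary and Cloudflare secondary)
answer for the zone and agree on the SOA serial. Added example; the server
names are the ones quoted in the post, the sample dig output is constructed."""
import subprocess
from typing import Optional

ZONE = "oci-lab.cloud."
AUTHORITATIVE = [
    "ns1.p201.dns.oraclecloud.net.", "ns2.p201.dns.oraclecloud.net.",
    "ns3.p201.dns.oraclecloud.net.", "ns4.p201.dns.oraclecloud.net.",
    "ns0082.secondary.cloudflare.com", "ns0212.secondary.cloudflare.com",
]

# Constructed example of what `dig +short <zone> SOA` prints:
# mname rname serial refresh retry expire minimum
SAMPLE_SHORT_OUTPUT = (
    "ns1.p201.dns.oraclecloud.net. hostmaster.oci-lab.cloud. "
    "2024042501 3600 600 604800 60\n"
)


def parse_soa_serial(short_output: str) -> Optional[int]:
    """Extract the serial (third field) from `dig +short` SOA output;
    None when the server gave no usable answer."""
    for line in short_output.splitlines():
        fields = line.split()
        if len(fields) == 7 and fields[2].isdigit():
            return int(fields[2])
    return None


def query_soa_serial(server: str, zone: str = ZONE) -> Optional[int]:
    """Ask one server directly (no recursion) for the zone's SOA serial."""
    cmd = ["dig", "+short", "+norecurse", "+time=3", "+tries=1",
           f"@{server}", zone, "SOA"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:   # dig is not installed
        return None
    return parse_soa_serial(out)


def serials_in_sync(serials: dict) -> bool:
    """True only when every server answered and all serials are identical."""
    values = set(serials.values())
    return None not in values and len(values) == 1


def check_zone(zone: str = ZONE, servers=None) -> dict:
    """Serial per server; a None value means that server did not answer."""
    return {s: query_soa_serial(s, zone) for s in (AUTHORITATIVE if servers is None else servers)}


if __name__ == "__main__":
    results = check_zone()
    for server, serial in results.items():
        print(f"{server:40} {serial if serial is not None else 'no answer'}")
    print("in sync" if serials_in_sync(results)
          else "NOT in sync, or a server did not answer")
```

Right after adding a record in OCI the serials can legitimately differ for a moment until the NOTIFY-driven transfer lands on Cloudflare; a mismatch that persists beyond the zone's REFRESH interval is the signal that the downstream or peer configuration needs another look.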

And this completes the DEMO. I hope you like it! For a demo on the reverse flow, where Cloudflare is Primary and Oracle Cloud is Secondary please take a look at part 2.
