OCI - Cloudflare Public DNS Zone replication - part 2

April 25, 2024 | 9 minute read
Radu Nistor
Principal Cloud Solution Architect

Hi! Welcome to the second blog focused on OCI – Cloudflare DNS zone transfers. In the first blog, I demoed how to set up zone replication from an OCI Primary Zone to a Cloudflare Secondary Zone. In this one, I'll demo the reverse flow: Cloudflare is Primary and OCI is Secondary.

DNS Zone Transfer refresh

Whenever you define a zone on a DNS server, you make it either primary or secondary. On a primary you can add and update records; on a secondary you only define the location of the primary server, because the secondary holds a read-only copy of the zone. Once the zone is defined, the secondary connects to the primary over TCP port 53 and transfers the full zone. After that, a transfer is triggered in one of two ways:

a) When the REFRESH interval from the zone's SOA record elapses, the secondary connects to the primary and requests the SOA record. If the primary's serial is newer than the secondary's copy (serials are 32-bit and wrap, so the comparison uses RFC 1982 serial arithmetic), the secondary transfers the whole zone or just the changes.
b) The secondary receives a NOTIFY message (RFC 1996) from the primary announcing that the serial has changed. The secondary then does the same SOA check as in a) and transfers the whole zone or just the changes. NOTIFY is optional and not every DNS service implements it.

When the secondary requests DNS data, it can ask for:
a) A full zone transfer, an AXFR query.
b) An incremental zone transfer, an IXFR query (RFC 1995), carrying only the changes between the secondary's copy and the primary's current state. IXFR support is optional because the primary has to keep a history of the changes made at each SOA serial increment (the serial increases every time the zone is modified). In its IXFR request the secondary includes its current SOA serial, and it is the primary's job to work out which changes to send; if the primary no longer has history back to that serial, it answers with a full zone instead.

Note: both OCI and Cloudflare have implemented the NOTIFY and the IXFR mechanisms.
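The refresh, NOTIFY and IXFR logic above can be made concrete with a small model. The following is an added example, not OCI or Cloudflare code: a toy primary that keeps a bounded per-serial change log and a toy secondary that re-checks the SOA serial on REFRESH or NOTIFY, compares serials with RFC 1982 arithmetic, pulls increments when the primary still has history back to the secondary's serial, and falls back to a full zone when it does not. The sample zone contents and the history depth of three increments are constructed for the demo.

```python
"""Toy model of primary/secondary zone synchronisation (added example, not
OCI or Cloudflare code): REFRESH or NOTIFY triggers an SOA serial check,
then IXFR if the primary still has history, otherwise AXFR."""

from dataclasses import dataclass, field

MASK = 0xFFFFFFFF            # SOA serials are 32-bit unsigned
HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True when a is newer than b, even across wrap."""
    a, b = a & MASK, b & MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


@dataclass
class Primary:
    serial: int = 2024042501
    records: dict = field(default_factory=dict)   # name -> rdata (constructed sample zone)
    history: dict = field(default_factory=dict)   # new serial -> (adds, removed)
    history_depth: int = 3                        # how many increments the primary keeps
    notify_targets: list = field(default_factory=list)

    def change(self, adds=None, dels=()):
        """Apply an edit, bump the serial, record the increment, send NOTIFY."""
        removed = {n: self.records.pop(n) for n in dels if n in self.records}
        adds = dict(adds or {})
        self.records.update(adds)
        self.serial = (self.serial + 1) & MASK
        self.history[self.serial] = (adds, removed)
        for old in list(self.history)[:-self.history_depth]:
            del self.history[old]                 # bounded change log, like a real primary
        for secondary in self.notify_targets:
            secondary.refresh(self)               # NOTIFY: the secondary re-checks at once

    def soa_serial(self) -> int:
        return self.serial

    def axfr(self):
        return self.serial, dict(self.records)

    def ixfr(self, since: int):
        """Answer an IXFR from a secondary at serial `since`.
        Returns (kind, serial, payload) with kind in uptodate / ixfr / axfr."""
        if not serial_gt(self.serial, since):
            return "uptodate", self.serial, None
        deltas = [(s, a, r) for s, (a, r) in self.history.items() if serial_gt(s, since)]
        if deltas and deltas[0][0] == ((since + 1) & MASK):
            return "ixfr", self.serial, deltas    # contiguous history back to `since`
        return "axfr", self.serial, dict(self.records)   # history gap: full zone (RFC 1995)


@dataclass
class Secondary:
    serial: int = 0
    records: dict = field(default_factory=dict)
    log: list = field(default_factory=list)       # which kind of transfer happened

    def initial_transfer(self, primary: Primary):
        self.serial, self.records = primary.axfr()
        self.log.append("axfr")

    def refresh(self, primary: Primary):
        """Run on REFRESH expiry or on NOTIFY: SOA check first, transfer only if newer."""
        if not serial_gt(primary.soa_serial(), self.serial):
            self.log.append("noop")
            return
        kind, serial, payload = primary.ixfr(self.serial)
        if kind == "ixfr":
            for _serial, adds, removed in payload:
                for name in removed:
                    self.records.pop(name, None)
                self.records.update(adds)
        elif kind == "axfr":
            self.records = payload
        self.serial = serial
        self.log.append(kind)


def demo():
    """Constructed scenario: one NOTIFY-driven IXFR, then a REFRESH after more
    changes than the primary keeps history for, which forces an AXFR."""
    p = Primary(records={"www": "203.0.113.10"})
    s = Secondary()
    s.initial_transfer(p)
    p.notify_targets.append(s)
    p.change(adds={"oci": "203.0.113.20"})        # NOTIFY -> SOA check -> IXFR
    p.notify_targets.clear()                      # now pretend NOTIFY is not implemented
    for i in range(5):                            # five increments, primary keeps only three
        p.change(adds={f"host{i}": f"203.0.113.{30 + i}"}, dels=["www"] if i == 0 else ())
    s.refresh(p)                                  # REFRESH timer: history gap -> AXFR
    s.refresh(p)                                  # nothing new -> noop
    return p, s


if __name__ == "__main__":
    p, s = demo()
    print(s.log, s.serial, s.records == p.records)
```

The point of the history-gap branch is the one that bites in practice: a primary that prunes its change log (or a secondary that was offline for a long time) silently degrades to full AXFRs, which is correct but more expensive, so the REFRESH interval still matters even when NOTIFY works.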

OCI – Cloudflare zone transfers

In order to use zone transfers in Cloudflare you need:

a) An Enterprise plan – DNS zone transfers are only available on Enterprise. On any other plan you will not see the relevant menus.
b) Even on an Enterprise plan, the zone transfer menus may be missing. If that is the case, contact Cloudflare support to enable DNS zone transfers for your account.

Before showing the actual Console configuration on both OCI and Cloudflare, we need to discuss some design details. Both OCI and Cloudflare use dedicated DNS servers for zone transfers, separate from their authoritative servers. Furthermore, Cloudflare splits its zone transfer servers into servers that send NOTIFY messages to the Secondary and servers that perform the actual zone transfers. Let's get the server list from both sides before moving on to the Consoles.

OCI Zone Transfers DNS servers

The OCI servers dedicated to zone transfers are not shown in the Console. To get them you need the OCI CLI or the API. For simplicity, we will use an OCI CLI call from OCI Cloud Shell. The call looks like this:

oci dns zone-transfer-server list --compartment-id compartment_id

where compartment_id is the OCID of the root compartment (the tenancy).

[screenshot]

The OCI CLI call returns the servers used for both roles (OCI as Primary and OCI as Secondary). For this blog entry, we are configuring OCI as Secondary and Cloudflare as Primary, so we will use the following OCI DNS servers: 138.1.0.148, 138.1.3.112, and 138.1.41.121.

Note: these DNS servers were allocated to my tenancy. Run this step yourself, because the servers allocated to you may or may not be the same.

Cloudflare Zone Transfers DNS servers

Cloudflare has documented its zone transfer servers here.

[screenshot]

Now that we have IPs, let’s build a more accurate diagram:

[diagram]

Zone transfer security

a) Access lists – when you configure the DNS zone transfer, you enter the IPs of the other side in the relevant menus. Those entries also act as an access list: transfers are only accepted from, or sent to, the addresses explicitly configured in the Consoles.
b) TSIG keys – both Cloudflare and Oracle Cloud support TSIG keys for zone transfers, but each side implemented the option differently, so at the time of writing adding TSIG keys to this setup does not work. Without TSIG, the source IP is the only thing authenticating the transfer, so keep the peer and upstream lists limited to exactly the documented addresses from the previous section.

Now we can move to the demo part of the blog.

Demo

1. Cloudflare Primary DNS Zone

In Cloudflare, I have a Primary Zone called cdn-lab.cloud.

[screenshot]

When you create a zone in Cloudflare, you are also assigned authoritative DNS servers, which need to be set in the registrar's DNS configuration. For this zone, Cloudflare assigned millie.ns.cloudflare.com and rajeev.ns.cloudflare.com.

2. Define OCI servers in Cloudflare

Under your account in Cloudflare, go to Manage Account -> Configurations -> DNS Zone Transfers -> Peer DNS servers and create three entries for the OCI Secondary DNS servers:  138.1.0.148, 138.1.3.112, and 138.1.41.121.

[screenshot]

Add all three OCI Secondary servers, one by one.

[screenshots]

3. Link the OCI Secondary servers to the DNS Zone, in Cloudflare.

Go to the DNS zone -> DNS -> Settings.

[screenshot]

Enable "Outgoing Zone Transfers", then click "Manage linked peers", select the three OCI Secondary servers and click Save.

[screenshot]

4. OCI Secondary DNS Zone

Go to Networking -> DNS management -> Zones and create a new Public Secondary zone. OCI requires at least one UPSTREAM server (the zone's Primary server). I will only add 172.65.64.6, from Cloudflare, for now and add the rest later.

[screenshot]

In a few minutes, the zone becomes available.

[screenshot]

Notice the authoritative servers OCI allocated, as we will need them on the registrar's page: ns1.p201.dns.oraclecloud.net., ns2.p201.dns.oraclecloud.net., ns3.p201.dns.oraclecloud.net., ns4.p201.dns.oraclecloud.net.

5. Configure upstream servers.

In the zone details page, we can now add the remaining upstream servers, the Cloudflare NOTIFY senders in 198.41.144.240/28 and 198.41.150.240/28. The OCI Console does not accept ranges for upstream servers, so each IP in those ranges has to be added individually:

o From 198.41.144.240 to 198.41.144.254 (15 IPs)
o From 198.41.150.240 to 198.41.150.254 (15 IPs)

(A /28 spans 16 addresses, .240 through .255; the demo adds the first 15 of each block.)

[screenshot]

In the end, you should have 31 upstream servers.

Note: OCI does not distinguish between NOTIFY servers and actual zone transfer servers, so we add them all as upstream servers. Whenever a change happens in Cloudflare, OCI will send an IXFR request to all of them, but only 172.65.64.6 will answer, since the others only send NOTIFY messages.
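To avoid typing 31 addresses into the Console one by one, the following added example (not Oracle or Cloudflare code) expands the ranges listed above with the standard library and emits them in the JSON shape of the OCI CLI's --external-masters parameter for oci dns zone update. Confirm that parameter against oci dns zone update --help before running the command, and note that the update replaces the whole upstream list rather than appending to it. The transfer server and the two NOTIFY ranges are the ones quoted on this page; since a /28 really spans .240 through .255, pass .255 as the last address if you want the full block instead of the 15 the demo uses.

```python
"""Build the upstream (external master) list for the OCI secondary zone from
the Cloudflare addresses quoted on this page. Added example, not Oracle or
Cloudflare code; the --external-masters JSON shape (address/port) follows the
OCI CLI reference for 'oci dns zone update' and should be checked with --help."""

import ipaddress
import json

# The one Cloudflare server that answers AXFR/IXFR (from this page).
CLOUDFLARE_TRANSFER = ["172.65.64.6"]
# Cloudflare NOTIFY senders, as the page lists them: .240 to .254 of each /28.
# Each /28 really spans .240 to .255; use x.x.x.255 as the last address for the full block.
CLOUDFLARE_NOTIFY_RANGES = [
    ("198.41.144.240", "198.41.144.254"),
    ("198.41.150.240", "198.41.150.254"),
]


def ip_range(first: str, last: str) -> list:
    """Every IPv4 address from first to last inclusive (validated, not string-joined)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError(f"range {first}-{last} is reversed")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]


def build_external_masters(singles, ranges, port=53) -> list:
    """Transfer server first, then NOTIFY senders, de-duplicated, in the CLI's JSON shape."""
    ordered = []
    for addr in list(singles) + [ip for f, l in ranges for ip in ip_range(f, l)]:
        if addr not in ordered:
            ordered.append(addr)
    return [{"address": a, "port": port} for a in ordered]


def cli_command(zone_name: str, masters: list) -> str:
    """The 'oci dns zone update' call; it replaces the zone's whole upstream list."""
    payload = json.dumps(masters, separators=(",", ":"))
    return f"oci dns zone update --zone-name-or-id {zone_name} --external-masters '{payload}'"


if __name__ == "__main__":
    masters = build_external_masters(CLOUDFLARE_TRANSFER, CLOUDFLARE_NOTIFY_RANGES)
    print(len(masters), "upstream servers")
    print(cli_command("cdn-lab.cloud", masters))
```

Keeping the list generated from one declared source of truth also makes the access-list side of the setup auditable: anything that is not in CLOUDFLARE_TRANSFER or the NOTIFY ranges should not be an upstream, and a diff of the generated JSON against the zone's current external masters shows drift immediately.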

6. Registrar DNS configuration.

The last step is to go to your registrar's configuration page and add the authoritative DNS servers from both OCI and Cloudflare.
- The OCI DNS servers are ns1.p201.dns.oraclecloud.net., ns2.p201.dns.oraclecloud.net., ns3.p201.dns.oraclecloud.net., ns4.p201.dns.oraclecloud.net.; you can get them from the zone details page, and you don't strictly need to put all of them in the registrar. For this demo, I will simply add them all.
- The Cloudflare DNS servers were given in the previous step and are millie.ns.cloudflare.com and rajeev.ns.cloudflare.com.
Each registrar has its own menu; mine looks like this:

[screenshot]

And we're done; the zone transfer setup is complete. Note that for Secondary Zones, OCI does not show any records in the OCI Console. To make sure the transfer works, you need to query the OCI NS servers directly and check that the zone's records are served from there.
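Since OCI shows no records for a Secondary Zone, the practical check is to ask each authoritative server for the zone's SOA and compare serials: if an OCI server answers authoritatively (AA bit set) with the same serial Cloudflare reports, the transfer landed. The following is an added example, not part of the original post, that does this with the standard library only by building the SOA query by hand. The nameserver names are the ones quoted in this post and stand in for your own; constructed_soa_response is a constructed reply used to exercise the parser offline, not captured traffic. Expect a short skew right after a change while NOTIFY and IXFR catch up.

```python
"""Verify a secondary actually holds the zone: query SOA from every
authoritative server and compare serials. Added example, not part of the
original post; nameserver names are the ones quoted in the post."""

import random
import socket
import struct

ZONE = "cdn-lab.cloud"
NAMESERVERS = ["millie.ns.cloudflare.com", "rajeev.ns.cloudflare.com",
               "ns1.p201.dns.oraclecloud.net", "ns2.p201.dns.oraclecloud.net",
               "ns3.p201.dns.oraclecloud.net", "ns4.p201.dns.oraclecloud.net"]
TYPE_SOA, CLASS_IN = 6, 1


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_soa_query(zone: str, txid: int) -> bytes:
    """Plain query, no RD: we are asking an authoritative server, not a resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) name; a pointer ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_soa_serial(msg: bytes, txid: int) -> int:
    """Serial from the first SOA answer; raises if the reply is not a usable one."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    if not flags & 0x0400:
        raise ValueError("answer not authoritative (AA bit clear)")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SOA:
            p = skip_name(msg, off)              # MNAME
            p = skip_name(msg, p)                # RNAME
            return struct.unpack("!I", msg[p:p + 4])[0]
        off += rdlen
    raise ValueError("no SOA record in answer section")


def query_serial(ns: str, zone: str, timeout: float = 3.0) -> int:
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone, txid), (ns, 53))
        data, _ = s.recvfrom(512)
    return parse_soa_serial(data, txid)


def serials_in_sync(serials: dict) -> bool:
    """True when every server reports the same SOA serial."""
    return len(set(serials.values())) == 1


def constructed_soa_response(txid: int, zone: str, serial: int) -> bytes:
    """Constructed sample reply (not captured traffic) to exercise the parser offline."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR | AA
    question = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rname = b"\x0ahostmaster" + b"\xc0\x0c"     # "hostmaster" + pointer to the zone name
    rdata = encode_name("ns1.example.") + rname + struct.pack("!IIIII", serial, 3600, 600, 604800, 300)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    results = {}
    for ns in NAMESERVERS:
        try:
            results[ns] = query_serial(ns, ZONE)
        except (OSError, ValueError) as exc:
            results[ns] = f"error: {exc}"
    for ns, r in results.items():
        print(f"{ns:35} {r}")
    good = {k: v for k, v in results.items() if isinstance(v, int)}
    print("in sync" if len(good) == len(results) and serials_in_sync(good) else "NOT in sync")
```

The AA check is deliberate: a secondary that has not yet loaded the zone will typically answer SERVFAIL or REFUSED rather than a stale serial, and a misconfigured name that lands on a recursive resolver will answer without AA; both are reported as errors instead of being counted as a match.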

7. Some simple tests.

Let's test that everything works as expected. I will create a new DNS record in Cloudflare named oci.cdn-lab.cloud.

[screenshot]

The expected behavior is that the record is automatically transferred to OCI, with no manual intervention.

[screenshot]

And there it is, OCI automatically updated the Secondary zone with the new record.

Proxied vs “DNS only” records

When you create a DNS record in Cloudflare, you choose one of two proxy statuses:

- DNS only: Cloudflare provides no CDN services; it is a DNS record and nothing else.
- Proxied: traffic passes through Cloudflare's network so CDN services can be applied.

Whenever a zone transfer to a Secondary Zone happens, the following occurs:

- If the record is "DNS only", the secondary zone gets a copy of the record.
- If the record is Proxied, the secondary zone gets a substituted A record that points the hostname at Cloudflare IPs, so the CDN services still apply even when the query is answered by OCI.

For the DNS-only case we already have an example above: the record transferred unaltered. Let's look at a proxied record. Here is how it looks in the Cloudflare config page:

[screenshot]

Here is how it looks in OCI, in the Secondary Zone:

[screenshot]

And this completes the demo. I hope you liked it! For a demo of the reverse flow, where Cloudflare is Secondary and Oracle Cloud is Primary, please take a look at part 1.
