Add DNSimple as Secondary DNS with a Hidden Primary
Table of Contents
- Prerequisites
- Requirements
- Step 1: Set Up DNSimple as secondary DNS
- Step 2: Update the delegation at your domain registrar
- Step 4: Verify & test your setup
- Have more questions?
A hidden primary DNS setup allows you to keep your primary DNS server private while using DNSimple as a secondary DNS provider to handle public queries. This setup enhances security, redundancy, and performance by ensuring your primary authoritative name servers are not exposed to the internet.
Your primary name servers can be located behind firewalls, on internal networks, or on premises, allowing full control over zone management.
This guide explains how to configure a hidden primary while leveraging DNSimple as your secondary DNS provider. Your primary DNS server is hidden from public queries, while DNSimple acts as the secondary DNS provider.
Prerequisites
Don’t add DNSimple as a secondary DNS server to domains with DNSSEC. We do not import external RRSIG records, and this will produce resolution failures from DNSSEC-aware resolvers.
Ensure that you are not currently using DNSSEC, or disable DNSSEC before using secondary DNS.
Before proceeding, follow this guide to familiarize yourself with setting up DNSimple as a secondary DNS provider. This article expands on that setup.
Requirements
- A primary DNS provider that supports AXFR (Authoritative Zone Transfers).
- A DNSimple account with a plan that supports DNSimple as secondary DNS.
- Ability to change domain delegation at your domain registrar.
Step 1: Set Up DNSimple as secondary DNS
- Navigate to the domain you want to configure.
- Configure the zone to as secondary DNS this guide.
Step 2: Update the delegation at your domain registrar
- Log in to your domain registrar.
- Update the delegation using DNSimple’s name servers.
Do not list the hidden primary DNS server to keep it private.
Step 3: Configure your hidden primary DNS
- At your primary DNS provider, add your DNS records (A, MX, CNAME, TXT, etc.).
- Enable AXFR (Zone Transfers), and add DNSimple’s AXFR client IP addresses to the Allow-List.
- Ensure your NS records do NOT include the hidden primary to keep it private.
Step 4: Verify & test your setup
The configuration can take 10 to 30 minutes to take effect.
Records have been synchronized in DNSimple
Verify that the records have been synchronized in your DNSimple account.
Public queries resolve through DNSimple
Run the following dig command from your console:
dig @ns1.dnsimple.com example.com
Hidden primary is not exposed
Verify that the hidden primary name servers are not publicly exposed by running:
> whois your-domain-name.com
...
Name Server: ns1.dnsimple.com
Name Server: ns2.dnsimple-edge.net
Name Server: ns3.dnsimple.com
Name Server: ns4.dnsimple-edge.org
Have more questions?
If you have questions or need any assistance with your secondary DNS configuration, contact support, and we’ll be happy to help.