Adding a second authoritative DNS provider is one of the simplest ways to protect your domain from a provider outage or DDoS event. This guide walks through configuring CloudFloorDNS as a secondary DNS provider for zones whose primary DNS lives on Cloudflare — using standard AXFR/IXFR zone transfers, TSIG authentication, and NOTIFY for near-instant sync.
Why run secondary DNS at all?
A single DNS provider is a single point of failure. If your only authoritative network goes down — outage, misconfiguration, or attack — your domain stops resolving and every service on it goes dark. A second provider on a separate Anycast network keeps you resolving even when your primary is unreachable.
Before you begin
You will need the following. Don’t worry if some values aren’t obvious yet — the steps below show where each one comes from.
- An active CloudFloorDNS account with a Secondary DNS plan (from $40/month).
- Administrative access to your Cloudflare account for the zone you want to back up.
- The ability to add records and configure zone transfers at Cloudflare.
Important Cloudflare requirement
Cloudflare’s outgoing zone transfers (Cloudflare-as-primary, which is what this setup needs) are an Enterprise-tier feature and must be enabled by your Cloudflare account team. If your zone isn’t on a plan that supports outgoing AXFR/IXFR, contact Cloudflare to enable it before starting. If you’d rather not depend on that, ask us about a dual-primary arrangement instead — we’ll help you pick the right model.
Setup steps
Step 1: Create your Secondary zone in CloudFloorDNS
In the CloudFloorDNS control panel, add your domain as a Secondary zone. You’ll tell our platform the IP address of your primary nameserver (Cloudflare’s outgoing transfer IP) so we know where to pull the zone from. The panel will then display the CloudFloorDNS transfer IPs and your assigned secondary nameservers — copy these; you’ll need them at Cloudflare.
Step 2: (Recommended) Create a TSIG key
A Transaction Signature (TSIG) is a shared secret that authenticates the zone transfer so only your two providers can exchange the zone. It’s optional but strongly recommended. Generate a TSIG key and note its three values — the names must match exactly on both sides or transfers will fail:
TSIG name: cloudflare-cfds.example.com.
TSIG algorithm: hmac-sha256
TSIG secret: <base64-encoded shared secret>
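As an added example (not CloudFloorDNS or Cloudflare code), this sketch generates a secret sized for the chosen algorithm and compares the three TSIG values as entered at each provider, reporting which one differs. The dictionary layout, function names and problem labels are assumptions for illustration.

```python
import base64
import binascii
import hmac
import secrets

# Smallest acceptable secret per algorithm, in bytes: the HMAC output length.
# RFC 2104 strongly discourages keys shorter than that.
MIN_KEY_BYTES = {"hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}


def new_tsig_secret(algorithm="hmac-sha256"):
    """Return a fresh random secret, base64-encoded, sized to the HMAC output."""
    return base64.b64encode(secrets.token_bytes(MIN_KEY_BYTES[algorithm])).decode()


def _canonical(name):
    # DNS names compare case-insensitively. Treating a missing trailing dot as
    # equivalent is an assumption about how both panels store the name.
    return name.strip().lower().rstrip(".") + "."


def tsig_mismatches(primary, secondary):
    """Compare the TSIG values entered at each provider; return the problems found."""
    problems = []
    if _canonical(primary["name"]) != _canonical(secondary["name"]):
        problems.append("name")
    algo_p = primary["algorithm"].strip().lower()
    if algo_p != secondary["algorithm"].strip().lower():
        problems.append("algorithm")
    try:
        # validate=True rejects stray whitespace and characters from a bad paste.
        key_p = base64.b64decode(primary["secret"], validate=True)
        key_s = base64.b64decode(secondary["secret"], validate=True)
    except (binascii.Error, ValueError):
        return problems + ["secret-not-base64"]
    if not hmac.compare_digest(key_p, key_s):
        problems.append("secret")
    if len(key_p) < MIN_KEY_BYTES.get(algo_p, 0):
        problems.append("secret-too-short")
    return problems


if __name__ == "__main__":
    # Constructed values: the key name is the page's example, the secret is random.
    side = {"name": "cloudflare-cfds.example.com.", "algorithm": "hmac-sha256",
            "secret": new_tsig_secret()}
    print(tsig_mismatches(side, dict(side, name="cloudflare-cfd.example.com.")))
```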
Step 3: Enable outgoing zone transfers at Cloudflare
In the Cloudflare dashboard, open account Settings → DNS Settings. Under DNS Zone Transfers, create a peer DNS server that points to CloudFloorDNS — enter our transfer IP and port 53, and link the TSIG you created in the previous step. Then link that peer to the zone you want to back up.
Make sure Cloudflare’s Access Control Lists allow transfers to our IPs and don’t block NOTIFY traffic between the two networks.
Step 4: Add NS records for your secondary nameservers
Using the secondary nameservers from Step 1, add NS records at your zone apex listing the CloudFloorDNS nameservers alongside Cloudflare’s. By default Cloudflare ignores apex NS records, so enable multi-provider DNS on the zone; that way both providers are properly delegated.
Step 5: Initiate the first zone transfer
Back in CloudFloorDNS, trigger the initial transfer (or wait for the first scheduled pull). Our platform requests the full zone via AXFR, then keeps it current with incremental IXFR transfers and NOTIFY messages whenever you change a record at Cloudflare. Confirm the record count in our panel matches what you have at Cloudflare.
If no records appear: the usual culprits are a mismatched TSIG name, the wrong primary IP, or an ACL at Cloudflare blocking our transfer IP. Re-check those three before anything else.
Step 6: Verify resolution from both providers
Query your domain directly against a CloudFloorDNS nameserver to confirm it answers authoritatively and the records match your primary:
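```sh
# Query a CloudFloorDNS nameserver directly for the zone's records.
# Many authoritative servers return only a minimal answer to ANY (RFC 8482);
# if the output is sparse, query specific types (A, AAAA, MX, NS) instead.
dig @ns-your-assigned.cloudfloordns.net example.com ANY +noall +answer
# Compare the SOA serial on both providers — they should converge:
dig @cloudflare-ns example.com SOA +short
dig @cloudfloordns-ns example.com SOA +short
```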
Once both providers return matching, authoritative answers, your secondary DNS is live.
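The serial comparison above can be automated. This added example (not part of the original guide) parses the output of the two `dig ... SOA +short` commands and classifies the secondary using RFC 1982 serial arithmetic, so a serial that has wrapped past 2^32 is still ordered correctly. The function names, result labels and sample outputs are constructed for illustration.

```python
HALF = 2 ** 31
MOD = 2 ** 32


def parse_soa_serial(dig_short_output):
    """Return the serial from `dig +short SOA` output, or None if there was no answer."""
    lines = [ln for ln in dig_short_output.splitlines()
             if ln.strip() and not ln.startswith(";")]  # skip dig's ';;' diagnostics
    if not lines:
        return None  # timeout, refusal, or the zone is not loaded on that server
    fields = lines[0].split()
    # Field order: mname rname serial refresh retry expire minimum
    if len(fields) != 7 or not fields[2].isdigit():
        raise ValueError(f"not an SOA record: {lines[0]!r}")
    return int(fields[2])


def serial_compare(a, b):
    """RFC 1982 comparison of 32-bit serials: 1 if a is newer, -1 if older, 0 if equal."""
    diff = (a - b) % MOD
    if diff == 0:
        return 0
    if diff == HALF:
        raise ValueError("serials are exactly 2^31 apart; ordering is undefined")
    return 1 if diff < HALF else -1


def convergence(primary_output, secondary_output):
    """Classify the secondary against the primary from both `dig +short SOA` outputs."""
    primary = parse_soa_serial(primary_output)
    secondary = parse_soa_serial(secondary_output)
    if primary is None or secondary is None:
        return "no-answer"
    order = serial_compare(secondary, primary)
    return {0: "in-sync", -1: "secondary-behind", 1: "secondary-ahead"}[order]


# Constructed sample outputs (hostnames and serials are placeholders).
PRIMARY = "ns1.primary.example. dns.example.com. 2350001235 10000 2400 604800 1800\n"
SECONDARY = "ns1.primary.example. dns.example.com. 2350001234 10000 2400 604800 1800\n"

if __name__ == "__main__":
    print(convergence(PRIMARY, SECONDARY))  # secondary-behind
```

A persistent `secondary-behind` or `no-answer` result points back to the transfer checks in Step 5: TSIG name, primary IP, and the ACL at Cloudflare.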
What you get with CloudFloorDNS as your secondary
| Capability | Detail |
|---|---|
| Transfer protocols | AXFR (full) and IXFR (incremental), with NOTIFY-driven sync |
| Authentication | TSIG (HMAC) signed transfers; ACL-restricted peers |
| Security | DNSSEC supported; DDoS-resilient Anycast footprint |
| Network | Global Anycast, multi-continent POPs, dual-stack IPv4/IPv6 |
| Models | Live Secondary, Dark Secondary, or Dual-Primary |
| Uptime | 100% uptime SLA — backed by 25+ years of DNS operations |
Frequently asked questions
Do I have to move my DNS away from Cloudflare?
No. In this setup Cloudflare stays your primary. CloudFloorDNS runs alongside it as a secondary, pulling a copy of your zone so your domain keeps resolving if Cloudflare is ever unreachable.
How quickly do changes sync from Cloudflare?
With NOTIFY configured at the primary, updates propagate to the secondary within seconds of an edit. Without NOTIFY, the secondary refreshes on the configured zone-refresh interval.
Is DNSSEC preserved across the transfer?
Yes — signed zone data is transferred intact. DNSSEC with a multi-provider setup does require careful key handling; our team can walk you through the right configuration for your zones.
What if Cloudflare won’t enable outgoing zone transfers on my plan?
Outgoing AXFR/IXFR is a Cloudflare Enterprise feature. If that’s not available to you, a dual-primary configuration achieves similar resilience without depending on Cloudflare’s outgoing transfers. Contact us and we’ll recommend the best approach.