Ability to notify external DNS


#1

So I once had a question from a client: “Is it possible to use our own DNS as a secondary (backup) DNS for Cloudflare?”
The general idea is that there may be a case when Cloudflare DNS will fail (I don’t believe that would happen because of anycast but it’s only my opinion) and there may be a need to change nameservers to something else (let’s omit that it will take about 24h).
So the client wanted an option to set in Cloudflare their own DNS servers as slaves to their domain zone - meaning CF DNS would NOTIFY slave of changes (but with their original records, not CF proxy records).

Thoughts?


#2

It’s something we’re considering… both for Cloudflare to be a secondary and to support transfer to a secondary server (likely only as some type of paid option). Today I guess a scripted BIND import/export or an API-based script would be the method one could choose to use.

We also support DNS firewall (also a paid option), where the customer maintains their own DNS servers and we act as a proxy, in which case we don’t even have a copy of the zone file just cached records really. But to do that you’d really want a very redundant DNS setup since if it goes away the best we could do is serve stale records until your DNS was back online.
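As an added illustration of the scripted BIND export fallback mentioned above (this is example code, not from the thread or from Cloudflare): it pulls the zone through Cloudflare's documented BIND export endpoint (`GET /zones/{zone_id}/dns_records/export`, which assumes an API token with DNS read permission and placeholder zone id), parses the result, and diffs two snapshots so a backup job can flag unexpected record drift. The sample zone text is constructed.

```python
"""Back up a Cloudflare zone as BIND text and flag record drift between two
snapshots. Constructed example; token and zone id are placeholders."""
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def export_zone_bind(zone_id: str, api_token: str) -> str:
    """Fetch the zone file in BIND format (assumes the token has DNS read rights)."""
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/dns_records/export",
        headers={"Authorization": f"Bearer {api_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

def parse_bind_zone(text: str) -> dict:
    """Map (owner, type) -> set of rdata; skips comments, $ directives and SOA."""
    records = {}
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split()   # drop comments, tokenize
        if not parts or parts[0].startswith("$"):
            continue
        owner, rest = parts[0], parts[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        if len(rest) < 2:                       # SOA continuation lines etc.
            continue
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype != "SOA":                      # serial changes on every edit
            records.setdefault((owner, rtype), set()).add(rdata)
    return records

def diff_zones(old: dict, new: dict) -> dict:
    """Return records added and removed between two parsed snapshots."""
    flat = lambda z: {(o, t, r) for (o, t), rs in z.items() for r in rs}
    a, b = flat(old), flat(new)
    return {"added": sorted(b - a), "removed": sorted(a - b)}

# Constructed sample snapshots (not real exports) for an offline run.
SNAPSHOT_OLD = """$ORIGIN example.com.
example.com. 300 IN SOA ns.example.com. hostmaster.example.com. 1 7200 3600 1209600 300
example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN CNAME example.com.
example.com. 300 IN MX 10 mail.example.com."""
SNAPSHOT_NEW = (SNAPSHOT_OLD.replace("192.0.2.10", "192.0.2.11")
                + '\nexample.com. 300 IN TXT "v=spf1 -all"')
```

Running `diff_zones(parse_bind_zone(SNAPSHOT_OLD), parse_bind_zone(SNAPSHOT_NEW))` on the samples reports the changed A record and the new TXT record; in a real job the old snapshot would be the previous backup file and the new one the output of `export_zone_bind`.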


#3

Thank you for even considering these options.

Can you tell me (realistically speaking) is there any way that Cloudflare DNS would fail at some point?


#4

If others have additional use cases, would love to still hear about them even though @komarEX marked this as solved. Sometimes we all get too trapped into a certain way of thinking so other ideas and suggestions really are welcome.


#5

Well, Cloudflare DNS is software and all software has the potential to fail I suppose. We try very hard to test and validate so that we don’t break things, and improve when things grow old and brittle (we just finished a migration of a key DNS component to new architecture because the old system struggled to keep up some days… I think there is a blog post on it).

Should everyone have a copy of their DNS zone file backed up somewhere, no matter which DNS provider they are using? Absolutely… well, maybe not my mom, because the 3 people who read her blog can probably wait 2 days for her son to get around to fixing it. But you get my point.

We’ve tried to make our DNS system as redundant as possible and as simple as possible from a code perspective to reduce the risk anything could go wrong, but Mr. Murphy has a sick and twisted sense of humor.

If I were running a large organization (and I’ve been in that position before), part of my DR strategy would be testing my redundant/failover solutions on a regular basis just in case. In terms of critical infrastructure Cloudflare’s DNS would probably be pretty low on my list compared to other systems I’d consider more likely to fail, but DNS is a critical piece of infrastructure so a backup of the records and at least a written plan for what to do in case of a disaster is probably a reasonable line item.