Connection: Secure DNS server

This article describes how to connect Secure DNS server.

The service is connected in three steps:

  1. Set up communication between your DNS server and the Qrator Labs DNS server.
  2. Make sure the Qrator Labs DNS server is responding to your zone requests.
  3. Specify the Qrator Labs DNS server as authoritative for your zone.


Before you connect, you should, for your DNS server, configure a new IP address that has not been used or published before. In doing so, you can disable access to the server via previous IP address in step 3.

1. Setting up communication between DNS servers

Setting up secondary DNS server communication

Before connecting the service in secondary DNS server mode, make sure that the DNS server you are using allows you to configure zone transfer to secondary authoritative DNS servers. If you are using the domain registrar's or hosting's DNS server, make sure this is enabled in their control panel (e.g: instructions for GoDaddy).

In the access control list (ACL) of your DNS server, allow zone transfer to the server This will allow the Qrator Labs DNS server to act as a secondary DNS server.

Tell the Qrator Labs technical support team the IP address of your primary DNS server. They will configure the secondary DNS server accordingly, and then the secondary DNS server will request a zone transfer from the primary DNS server.

Setting up DNS proxy server communication

To enable DNS proxy server mode, tell the Qrator Labs technical support team the IP address of your DNS server and a list of domains that need to be proxied. Technical support will configure the Qrator Labs DNS server accordingly, and then the server will be able to forward requests for the specified domains to your server.

2. Check configuration

Before you switch to Qrator Labs DNS server, check the new configuration. To do this, send one or more requests about your domains to this server. If the server does not find the record you are looking for, or returns incorrect information, please contact technical support to find out what is causing the problem.

You can use the nslookup utility to check, specifying the DNS server as the last argument. For example, a command to get the IP address of the domain from the Qrator Labs DNS server would look like this:


3. Switching to the Qrator Labs DNS server

In the domain registrar's control panel, specify the Qrator Labs DNS server as the authoritative server for your zone, and remove your DNS server from the list.

Depending on the TTL settings on the domain registrar's side, it may take up to 72 hours to update the NS records.


If you used a new IP address that is different from the one specified in the NS records earlier, then after updating the records, you should disable access to the former address in the firewall settings on your side. Thus, without knowing the new IP address, an attacker will be unable to direct an attack to the primary server. Updating the Qrator Labs DNS server on time is therefore made difficult. This DNS server hiding technique is known as hidden primary.