Important Updates to Zone Transfer IP Addresses

Date: 2023-04-05

Inbound Transfer

This Tech Note is intended to assist those customers who have domains that are Secondary on UltraDNS, and Primary on another DNS provider. This note should also be referenced when customers are adding a new domain to UltraDNS by utilizing the Zone Transfer options. Please make the necessary modifications to your Primary nameserver allow-transfer ACLs, also-notify ACLs, and firewall security policies for DNS to include only the IP addresses as noted below.

Allow Transfer

23.21.200.163

23.21.206.251

50.112.240.144

50.112.240.145

54.75.253.83

176.34.183.208

52.201.103.62

52.87.134.132

34.205.12.198

52.201.155.234

52.201.155.120

52.39.68.132

35.165.213.102

52.10.123.90

52.10.63.3

Also Notify

54.217.202.161

107.21.214.87

54.245.253.13

23.21.48.87

23.21.59.232

Examples

The following is an example of a BIND named.conf zone statement with an ACL for allowing zone transfers as it may appear with this change.

Example 1: ACL for UltraDNS Zone transfer servers

zone "yourdomain.com" {
    type master;
    file "yourdomain.com.db";
    // UltraDNS zone transfer servers allowed to request transfers of this zone
    allow-transfer { 23.21.200.163; 23.21.206.251; 50.112.240.144; 50.112.240.145; 54.75.253.83; 176.34.183.208; 52.201.103.62; 52.87.134.132; 34.205.12.198; 52.201.155.234; 52.201.155.120; 52.39.68.132; 35.165.213.102; 52.10.123.90; 52.10.63.3; };
    // UltraDNS addresses that are sent NOTIFY messages when the zone changes
    also-notify { 54.217.202.161; 107.21.214.87; 54.245.253.13; 23.21.48.87; 23.21.59.232; };
};
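One way to check that a primary's zone statement contains only the addresses published in this note (an added example, not part of the original note or any UltraDNS tooling): the Python below extracts the allow-transfer and also-notify lists and reports entries that are unexpected, missing, or not set at zone level. The function names, the sample zone text and the 192.0.2.10 entry are constructed for illustration, and it assumes the lists are written inline as plain addresses, as in Example 1.

```python
import re

# Addresses published in this note.
ALLOW_TRANSFER = set("""
23.21.200.163 23.21.206.251 50.112.240.144 50.112.240.145 54.75.253.83
176.34.183.208 52.201.103.62 52.87.134.132 34.205.12.198 52.201.155.234
52.201.155.120 52.39.68.132 35.165.213.102 52.10.123.90 52.10.63.3""".split())
ALSO_NOTIFY = set("""
54.217.202.161 107.21.214.87 54.245.253.13 23.21.48.87 23.21.59.232""".split())

def clause_entries(conf, clause):
    """Return the entries of an inline `clause { a; b; };` list, or None if absent."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # strip /* ... */ comments
    conf = re.sub(r"(//|#)[^\n]*", "", conf)            # strip // and # comments
    m = re.search(r"\b%s\s*\{([^{}]*)\}" % re.escape(clause), conf)
    if m is None:
        return None
    return {" ".join(e.split()) for e in m.group(1).split(";") if e.strip()}

def audit(conf):
    """List (clause, problem, entry) tuples where conf deviates from the note."""
    findings = []
    for clause, expected in (("allow-transfer", ALLOW_TRANSFER),
                             ("also-notify", ALSO_NOTIFY)):
        entries = clause_entries(conf, clause)
        if entries is None:
            # Not set in this zone: the options-level or default value applies.
            findings.append((clause, "absent", None))
            continue
        findings += [(clause, "unexpected", e) for e in sorted(entries - expected)]
        findings += [(clause, "missing", e) for e in sorted(expected - entries)]
    return findings

# Constructed sample: 52.10.63.3 left out, stale entry 192.0.2.10 left in.
SAMPLE = """
zone "yourdomain.com" {
    type master;
    file "yourdomain.com.db";  // constructed zone statement
    allow-transfer { %s; 192.0.2.10; };
    also-notify { %s; };
};
""" % ("; ".join(sorted(ALLOW_TRANSFER - {"52.10.63.3"})), "; ".join(sorted(ALSO_NOTIFY)))

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

An entry such as `any` or a CIDR range is reported as unexpected, which is the condition to look for when the ACL is meant to hold only the listed addresses.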

Trusted Signatures (TSIG) Security

We have updated how our system handles TSIG-secured zone transfers so that our zone transfer provisioning servers all support TSIG security. If you use TSIG to secure zone transfers between your DNS primaries and UltraDNS, the zone transfer provisioning IP addresses listed above will support TSIG authentication.

The new zone transfer servers use the same key or shared secret that is already configured in the UltraDNS Portal for your domains.

Zone Transfer Behavior and Load

Zone Transfer requests will arrive from any one of the source addresses in the pool. In most cases, there will only be a single zone transfer request per notify or zone refresh interval. On occasion, we may issue a second zone transfer request from the same set of servers. This is done primarily for testing and data validation — for example, we may test UltraDNS software or validate zone transfer data quality by retrieving a second copy of a zone from your nameserver(s).

Note: This may be available at a global/options level. Check your nameserver documentation.

Outbound Transfer

Purpose: Used by domains that are primary on UltraDNS and secondary on another DNS provider.

Primary Name Server IP Addresses:

54.197.245.255

54.245.236.74

Other Notes

This only applies to zones configured on the "PDNS" service platform. Zones hosted on other platforms managed by Neustar Registry, XTLD, etc., do not use these settings.

If you have any questions, please contact UltraDNS Support at dns.ultraproducts.support to open a ticket, or call +1 (844) 929-0808 or +1 (540) 835-5462, options 1 - 2.