Using a hidden primary with OCI DNS

March 29, 2024 | 3 minute read

Using Oracle Cloud Infrastructure (OCI) DNS as a secondary domain name server (DNS) in a hidden primary configuration offers benefits for both the management and the security of your zones. Typically, a hidden primary configuration is one where the zones (configured as primary) are managed in your on-premises environment, where companies commonly manage their external DNS through a DNS, DHCP, and IP address management (IPAM) appliance, known as DDI. The zones on OCI DNS are configured as secondary and receive updates from the on-premises primary through DNS NOTIFY and zone transfers. The hidden part comes into play with the nameserver delegation chain.

OCI DNS as a secondary configuration

In a hidden primary, only the nameservers for the zones configured as secondary (in this example, on OCI) are in the delegation. As a result, only the OCI nameservers are visible from the internet’s perspective, and nothing in the delegation points to the on-premises primary DNS servers where you manage the zones. The main benefit of configuring your DNS this way is that you keep the ability and comfort of managing DNS the way you’re used to, on-premises and through DDI.

However, all DNS queries for your zones go to OCI’s DNS edge to be resolved and are not directed at your on-premises DNS server. OCI’s DNS edge is globally anycast, consisting of nearly 40 points of presence, which lets it remain performant, highly available, and able to handle large volumes of traffic. OCI is equipped to handle malicious attacks targeted at the DNS, such as DDoS attacks. OCI’s edge is better placed to identify, respond to, and mitigate these attacks than an on-premises environment, which is usually a unicast location where the impact of an attack would be quite severe.

Management and traffic flow of a hidden primary with a single DNS provider.


Hidden primary with multiple DNS providers

For users looking to keep redundancy in the authoritative DNS, it is completely viable to have two DNS providers configured as secondary off your hidden primary DNS. Instead of adding one set of nameservers in delegation, you add both DNS providers, which are configured as secondary, while keeping your primary on-premises DNS hidden. In general, the secondary DNS stays in sync with your primary through DNS mechanisms like DNS NOTIFY, IXFR/AXFR zone transfers, and SOA values that guide when the secondary DNS checks for updates.

Management and traffic flow of a hidden primary using multi-vendor DNS providers


Key points for creating a hidden primary using OCI

Keep the following factors in mind when creating your hidden primary in OCI:

  • Your primary DNS nameservers should not be in delegation at the registrar. Ensure that the OCI nameservers are the only ones defined.
  • Create the zone on your primary DNS. Whether creating a zone or using an existing zone, ensure that the OCI nameservers are the only nameservers defined in the apex of the zone, so that your primary nameservers are hidden.
  • OCI DNS supports TSIG keys, so you can secure the communication between primary and secondary DNS.
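
One way to check the second key point before the zone is transferred, as an added example that is not from the original post or from Oracle: a small Python audit of the apex NS set. The zone text, `example.com`, and every nameserver name are constructed placeholders, and the parser assumes one-line records; the same comparison can be applied to the NS set in the delegation at the registrar.

```python
# Added example: audit the apex NS set of a hidden-primary zone.
# Every name here is a constructed placeholder, not a real OCI nameserver.
CLASSES = {"IN", "CH", "HS"}

def absolute(name, origin):
    """Expand '@' and relative names against the zone origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def apex_ns(zone_text, origin):
    """Return NS targets at the apex. Handles one-line records only."""
    origin = origin.lower().rstrip(".") + "."
    owner, targets = origin, set()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields or fields[0].startswith("$"):
            continue
        if not raw[0].isspace():          # a new owner name starts the line
            owner, fields = absolute(fields[0], origin), fields[1:]
        # Drop the optional TTL and class that precede the record type.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields = fields[1:]
        if owner == origin and len(fields) >= 2 and fields[0].upper() == "NS":
            targets.add(absolute(fields[1], origin))
    return targets

def audit(zone_text, origin, provider_ns, hidden_primary):
    """Compare apex NS records with the provider set and the hidden primary."""
    found = apex_ns(zone_text, origin)
    allowed = {n.lower() for n in provider_ns}
    hidden = {n.lower() for n in hidden_primary}
    return {
        "exposed_primary": sorted(found & hidden),
        "unexpected": sorted(found - allowed - hidden),
        "missing": sorted(allowed - found),
    }

SAMPLE_ZONE = """\
$TTL 3600
@     IN SOA ns1.provider.example. hostmaster.example.com. 2024032901 3600 900 604800 300
@     IN NS  ns1.provider.example.
      IN NS  ns2.provider.example.
      IN NS  ddi1.corp.example.   ; hidden primary leaked into the apex
sub   IN NS  ns9.other.example.   ; child delegation, not an apex record
"""
PROVIDER_NS = ["ns1.provider.example.", "ns2.provider.example.", "ns3.provider.example."]
RESULT = audit(SAMPLE_ZONE, "example.com", PROVIDER_NS, ["ddi1.corp.example."])
```

A non-empty `exposed_primary` or `unexpected` list means the apex advertises something other than the provider nameservers; `missing` lists provider nameservers that the zone does not yet publish.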


Overall, running a hidden primary configuration is a great way to utilize secondary DNS with OCI’s global anycast DNS edge. In doing so, you gain all the benefits that come with it, such as low-latency responses, high availability, and letting OCI handle any DDoS attacks, while still maintaining control and management of your zones through your on-premises or DDI environment.

To learn more about secondary DNS on OCI, visit the Secondary DNS documentation. To learn more about OCI and the DNS offering, see Domain Name System (DNS). To get started implementing your DNS on Oracle Cloud Infrastructure, see the Public DNS documentation.


Jarrod Meschino

I am a Solution Architect, who helps guide and support teams in proper design, planning and execution of complex Authoritative DNS projects and solutions. I work closely with customers, business partners, and internal account managers and engineers to comprehensively support customer needs by understanding business requirements, managing expectations and liaising with Product Managers to provide feedback leading to development of solutions and strategic product roadmaps.
