About the F5 DNS Cloud Service

In the initial release, the F5 DNS Cloud Service is a secondary authoritative DNS service. With global distribution, built-in DDoS Protection, and automatic scaling, the DNS Cloud Service can serve as a backup to your primary DNS services.

In the DNS protocol, there are primary authoritative DNS server and secondary authoritative DNS servers. The primary DNS servers always hold the true configuration, and you make configuration changes only on the primary DNS servers. The secondary DNS servers then transfer the configurations from the primary servers. In the event that the primary DNS fails, a secondary DNS server continues providing DNS responses.

For now, you must continue to use your current primary DNS servers and configure the DNS Cloud Service as a secondary DNS server. All configuration changes you make on the primary DNS server are replicated to the DNS Cloud Service through RFC-compliant zone transfers.

The DNS Cloud Service can process all of your DNS traffic if you configure your registrar or NS records to only point to the DNS Cloud Service, thus making your primary DNS server a “hidden primary” DNS server. F5 recommends this choice because you can hide your primary DNS and send all traffic to the DNS Cloud Service, which reduces the vulnerability of the primary DNS server to an attack, and improves DNS response times by leveraging our globally distributed DNS infrastructure and Anycast network.


You can specify which zones are transferred to the DNS Cloud Service. The DNS service uses Zone Transfer (AXFR) to retrieve DNS resource records from your primary DNS server. You can configure as many zones as needed. For each applicable zone, you must specify an existing TSIG key.


After you configure your DNS server to use the DNS Cloud Service as a secondary DNS server, there will be no impact to your applications if the primary DNS server becomes unavailable.

The DNS Cloud Service will continue to provide DNS responses. However, new configuration changes will only be possible when the primary DNS server is operational again.