How to Add Secondary DNS to CyberPanel Hosting Panel

Why CyberPanel Needs a Secondary DNS

CyberPanel uses PowerDNS as its built-in DNS server. By default, all your domains rely on a single nameserver. If that server goes down — during a reboot, a kernel update, a DDoS attack, or a hardware failure — every domain on it becomes unreachable. Visitors get DNS resolution errors, email delivery fails, and API calls time out.

Adding a secondary DNS server eliminates this single point of failure. Every zone is automatically replicated via AXFR (authoritative zone transfer), so your DNS keeps answering queries even when the primary is offline or under maintenance.

Domain registrars require at least two nameservers, and RFC 2182 recommends three for production environments. Without a secondary, you are one failure away from a full DNS outage that affects every domain on the server.

Don't have a secondary nameserver yet? SecondDNS provides one on a free 3-month trial, no credit card required — get started, then follow the steps below.

How CyberPanel DNS Works

CyberPanel runs PowerDNS — not BIND. This matters because the configuration approach is different from what most secondary DNS tutorials describe.

In PowerDNS, DNS data is stored in a MySQL database (the cyberpanel database, domains and records tables) rather than flat zone files. PowerDNS reads and writes through its database backend. This means you cannot simply edit a named.conf file to configure zone transfers — you need to update PowerDNS settings in pdns.conf and use PowerDNS utilities (pdnsutil) to manage zone properties.

When you configure secondary DNS for CyberPanel, you are telling PowerDNS to:

1. Mark each zone as MASTER so PowerDNS sends NOTIFY messages when a zone changes
2. Allow the SecondDNS server IP to perform AXFR requests (allow-axfr-ips)
3. Update the SOA serial in a format that triggers zone refresh on the secondary

The SecondDNS plugin handles all of this automatically by hooking into CyberPanel's domain creation and deletion events.

How Secondary DNS Integration Works

The SecondDNS plugin for CyberPanel hooks into the domain creation and deletion workflow. When you add a new domain in CyberPanel, the plugin automatically:

1. Changes the zone type from NATIVE to MASTER so PowerDNS sends NOTIFY to the secondary when the zone changes (AXFR itself is permitted via allow-axfr-ips)
2. Updates the SOA serial to the standard YYYYMMDDNN format
3. Registers the zone with SecondDNS via API so the secondary server pulls a full copy

When you delete a domain, the plugin removes it from the secondary. No manual steps, no forgotten zones, no stale records.

After setup, your assigned SecondDNS nameserver holds a read-only copy of every zone and answers DNS queries with full authority, identical to your primary nameserver. Your nameserver hostname and IPs are shown in the SecondDNS dashboard under Settings > Nameservers.

CyberPanel Secondary DNS Requirements

Before you begin, make sure you have:

- CyberPanel v2.x or later with PowerDNS
- Root (sudo) access to the server
- git installed on the server
- A SecondDNS API key (get one at seconddns.com/dashboard/api-key)
- Your SecondDNS nameserver IP (find it in the dashboard under Settings > Nameservers)
- TCP port 53 open inbound for the SecondDNS server IP

The zone transfer protocol (AXFR) uses TCP port 53, not UDP. Many firewall configurations only open UDP 53 for regular DNS queries. If TCP 53 is blocked, zone transfers will silently fail even though regular DNS resolution works.

Open TCP Port 53 for DNS Zone Transfers

Before running the installer, verify that TCP port 53 is reachable from the SecondDNS server. Find your nameserver IP in the SecondDNS dashboard under Settings > Nameservers, then replace SECONDARY_IP in the commands below.

If you use UFW:

ufw allow from SECONDARY_IP to any port 53 proto tcp
ufw reload

If you use iptables:

iptables -I INPUT -s SECONDARY_IP -p tcp --dport 53 -j ACCEPT

To verify TCP port 53 is reachable from another machine:

nmap -p 53 -sT YOUR_SERVER_IP

The installer automatically adds the correct IP to PowerDNS allow-axfr-ips when you provide your API key — it reads your assigned nameserver from the SecondDNS API.

Install Secondary DNS on CyberPanel

Run the one-liner as root:

curl -sL https://raw.githubusercontent.com/seconddns/dns_integrations/main/hosting-panels/cyberpanel/install.sh | bash -s -- --api-key=YOUR_API_KEY

The installer will:

- Verify your API key
- Detect your server IP (IPv4 and IPv6)
- Install the CLI tool and CyberPanel plugin
- Configure PowerDNS for AXFR (master mode, allow-axfr-ips set to your assigned SecondDNS server IP, SOA serial format)
- Offer to restart CyberPanel to activate the plugin

Replace YOUR_API_KEY with the key from your SecondDNS dashboard. The installer exits with a non-zero status if any step fails and prints which step failed.

Fix PowerDNS Schema on CyberPanel

CyberPanel v2.4.5 ships with an outdated PowerDNS database schema. Two missing columns cause PowerDNS to crash when updating zones. Add them by running these SQL statements through the mysql client from a root shell:

mysql -e "ALTER TABLE cyberpanel.domains ADD COLUMN options TEXT DEFAULT NULL;"
mysql -e "ALTER TABLE cyberpanel.domains ADD COLUMN catalog VARCHAR(255) DEFAULT NULL;"

Then restart PowerDNS:

systemctl restart pdns

If a column already exists, the command will print a harmless Duplicate column error — this is safe to ignore. This step is only required on CyberPanel v2.4.5. Earlier and later versions are not affected.

Configure Nameservers in CyberPanel

Go to CyberPanel > DNS > Create/Edit Nameservers and set:

- NS1: your primary nameserver (e.g. ns1.yourdomain.com)
- NS2: your SecondDNS nameserver hostname (shown in the dashboard under Settings > Nameservers)

If you have the Personalized NS add-on, use your branded hostname instead (e.g. ns2.yourdomain.com). This ensures every new zone includes the correct secondary nameserver in its NS records.

Existing zones can be updated with the sync command from Step 4 (Sync Existing Domains to Secondary DNS, below).

Sync Existing Domains to Secondary DNS

If you already have domains in CyberPanel before installation, sync them to the secondary DNS:

seconddns sync

This compares your local zones with the secondary and adds any missing ones. Domains that were deleted locally are removed from the secondary. The sync command is idempotent — you can run it multiple times without creating duplicates.

To check the status of a specific zone:

seconddns status example.com

Verify Your CyberPanel Secondary DNS Setup

Create a test domain in CyberPanel and confirm it appears on the secondary:

seconddns list

Then query both nameservers to confirm zone transfer. Replace SECONDARY_IP with your nameserver IP from the dashboard:

dig @YOUR_PRIMARY_SERVER_IP example.com SOA +short
dig @SECONDARY_IP example.com SOA +short

Both commands should return the same SOA serial in YYYYMMDDNN format. If the secondary shows a lower serial, the zone transfer has not completed yet — wait 30 seconds and retry.

If the secondary returns SERVFAIL or no response, check your firewall rules for TCP port 53 (see the firewall step above). The most common cause of failed zone transfers is TCP 53 blocked at the firewall level while UDP 53 is open.
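Added example (not part of the SecondDNS CLI or CyberPanel): a POSIX shell helper that turns the two dig answers above into a single verdict, including the empty answer you get on SERVFAIL and a primary serial that is not in YYYYMMDDNN form. The function names and the sample SOA lines are made up for the example.

```sh
#!/bin/sh
# Added example, not SecondDNS or CyberPanel code.

# Serial = third field of one `dig ... SOA +short` line; empty if no valid answer.
soa_serial() {
    printf '%s\n' "$1" | awk 'NF == 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# True when the serial is ten digits with a plausible month and day.
is_dated_serial() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    mm=$(printf '%s' "$1" | cut -c5-6)
    dd=$(printf '%s' "$1" | cut -c7-8)
    [ "$mm" -ge 1 ] && [ "$mm" -le 12 ] && [ "$dd" -ge 1 ] && [ "$dd" -le 31 ]
}

# compare_soa PRIMARY_LINE SECONDARY_LINE
# Plain integer comparison, which is sufficient for dated serials.
compare_soa() {
    p=$(soa_serial "$1"); s=$(soa_serial "$2")
    if   [ -z "$p" ] || [ -z "$s" ]; then echo "NO_ANSWER"
    elif ! is_dated_serial "$p";     then echo "PRIMARY_SERIAL_NOT_DATED $p"
    elif [ "$s" -eq "$p" ];          then echo "IN_SYNC $p"
    elif [ "$s" -lt "$p" ];          then echo "SECONDARY_BEHIND $s < $p"
    else                                  echo "SECONDARY_AHEAD $s > $p"
    fi
}

# Constructed sample answers. On a live server, pass the real output instead:
#   compare_soa "$(dig @YOUR_PRIMARY_SERVER_IP example.com SOA +short)" \
#               "$(dig @SECONDARY_IP example.com SOA +short)"
primary='ns1.example.com. hostmaster.example.com. 2024051502 10800 3600 604800 3600'
secondary='ns1.example.com. hostmaster.example.com. 2024051501 10800 3600 604800 3600'
compare_soa "$primary" "$secondary"   # prints: SECONDARY_BEHIND 2024051501 < 2024051502
```

NO_ANSWER points at the TCP 53 firewall check; PRIMARY_SERIAL_NOT_DATED matches the "SOA serial stuck at 1" case in the troubleshooting section.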

Troubleshooting CyberPanel Secondary DNS

Zone not appearing on secondary

Check the plugin log at /var/log/seconddns.log. Make sure CyberPanel was restarted after installation. Verify the API key is valid by running:

seconddns status

AXFR refused

PowerDNS is rejecting the zone transfer request. The installer sets allow-axfr-ips automatically, but manual edits to pdns.conf may override it. Check the current value:

grep allow-axfr-ips /etc/pdns/pdns.conf

The value should match your SecondDNS nameserver IP (shown in the dashboard). If not, update it and restart PowerDNS:

systemctl restart pdns
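Added example (not part of the SecondDNS installer or CyberPanel): a POSIX shell check that goes one step past the grep above and reports whether allow-axfr-ips lists only the secondary, since any extra address or open range in that setting is also allowed to pull full copies of your zones. The function names and the 192.0.2.53 sample address are made up for the example, and it assumes the last plain allow-axfr-ips= line in the file is the effective one.

```sh
#!/bin/sh
# Added example, not SecondDNS or CyberPanel code.
# Assumption: the last plain "allow-axfr-ips=" line in the file is the effective
# one; "allow-axfr-ips+=" lines and include-dir files are not followed.

# Print the effective allow-axfr-ips value from a pdns.conf (empty if unset).
effective_axfr_acl() {
    sed -n 's/^[[:space:]]*allow-axfr-ips[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# audit_axfr_acl CONF SECONDARY_IP -> UNSET | OPEN | NOT_LISTED | EXTRA | OK
audit_axfr_acl() (
    set -f                                   # no glob expansion while splitting
    acl=$(effective_axfr_acl "$1"); secondary=$2
    listed=no; open=""; extra=""
    for entry in $(printf '%s' "$acl" | tr ',' ' '); do
        case $entry in
            0.0.0.0/0|::/0)    open="$open $entry" ;;     # any host may AXFR
            "$secondary"|"$secondary/32"|"$secondary/128") listed=yes ;;
            127.*|::1|::1/128) ;;                         # loopback only
            *)                 extra="$extra $entry" ;;   # not the secondary
        esac
    done
    if   [ -z "$acl" ];      then echo "UNSET"
    elif [ -n "$open" ];     then echo "OPEN:$open"
    elif [ "$listed" = no ]; then echo "NOT_LISTED"
    elif [ -n "$extra" ];    then echo "EXTRA:$extra"
    else                          echo "OK"
    fi
)

# Constructed sample config; 192.0.2.53 stands in for the SecondDNS nameserver IP.
conf=$(mktemp)
cat > "$conf" <<'EOF'
launch=gmysql
# allow-axfr-ips=0.0.0.0/0
allow-axfr-ips=127.0.0.0/8,::1
allow-axfr-ips=192.0.2.53/32,198.51.100.0/24
EOF
audit_axfr_acl "$conf" 192.0.2.53    # prints: EXTRA: 198.51.100.0/24
rm -f "$conf"
```

On the server, run it as audit_axfr_acl /etc/pdns/pdns.conf SECONDARY_IP; NOT_LISTED or UNSET explains a refused transfer, while OPEN or EXTRA means hosts other than the secondary are allowed to transfer your zones.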

SOA serial stuck at 1

The plugin updates the serial after zone creation. If the zone was created before the plugin was installed, run:

seconddns sync

or force a serial update manually:

pdnsutil increase-serial YOURDOMAIN.COM

PowerDNS crashes on zone update

Apply the schema fix from Step 2 (Fix PowerDNS Schema on CyberPanel, above). This is a known issue with CyberPanel v2.4.5.

Plugin not triggered on new domain creation

Check that the signal block exists in the CyberPanel entry point. Run the installer again to re-register signals — this is safe to run on an already-installed setup.

TCP port 53 test fails

Run the nmap test from the firewall section. If TCP 53 is blocked, add the firewall rule for your SecondDNS nameserver IP (from the dashboard) and retry the zone transfer.

Zone transfer times out

Large zones (thousands of records) may take longer than the default timeout. Check the size of the zone:

pdnsutil list-zone YOURDOMAIN.COM | wc -l

Zones with over 10,000 records may take several minutes for the initial transfer.

Uninstalling

To remove the integration:

curl -sL https://raw.githubusercontent.com/seconddns/dns_integrations/main/hosting-panels/cyberpanel/uninstall.sh | bash

This removes the CLI, plugin, signal registration, and systemd hook. Your zones on the secondary are not deleted automatically — remove them from the SecondDNS dashboard or run:

seconddns remove-all

before uninstalling if you want them cleared from the secondary.