How to Add Secondary DNS to DirectAdmin Hosting Panel

Why Your DirectAdmin Server Needs a Secondary DNS

DirectAdmin typically runs BIND (named) or PowerDNS as its DNS server. By default, all your domains rely on a single nameserver. If that server goes offline — for maintenance, hardware failure, or a DDoS attack — every domain becomes unreachable. Visitors get DNS resolution errors, email stops delivering, and services time out.

A secondary DNS server keeps a synchronized copy of all your zones via AXFR (authoritative zone transfer). When the primary is unavailable, the secondary continues answering DNS queries for your domains. Your websites, email, and services stay online.

Most domain registrars require at least two nameservers, and RFC 2182 recommends three for production environments. Adding a secondary DNS is not just best practice — it is essential for production reliability.

Don't have a secondary nameserver yet? SecondDNS provides one on a free 3-month trial, no credit card required — get started, then follow the steps below.

How DirectAdmin DNS Works

DirectAdmin supports two DNS backends: BIND (named) and PowerDNS. The configuration approach differs between them.

BIND (named): DNS zones are stored as flat files under /etc/named/ or /var/named/. Zone transfers are configured in named.conf: allow-transfer grants the secondary permission to pull the zone, and also-notify makes BIND send a NOTIFY so the secondary refreshes immediately. This is the traditional approach most tutorials describe.

PowerDNS: DNS data is stored in a database backend. Transfers are controlled via allow-axfr-ips in pdns.conf. The SecondDNS installer detects which backend your server runs and configures the correct directives automatically.

In both cases, DirectAdmin manages DNS through hook scripts. When you create or delete a domain, DirectAdmin calls scripts in /usr/local/directadmin/scripts/custom/. The SecondDNS integration installs its own hooks at this location to register and deregister zones automatically — no manual zone management is required.

How Secondary DNS Integration Works

The SecondDNS integration for DirectAdmin uses custom hook scripts that DirectAdmin calls automatically after DNS events:

1. When you create a domain or domain pointer, the hook registers the zone with SecondDNS via the API
2. SecondDNS pulls a full copy of the zone from your server via AXFR
3. When you delete a domain, the hook removes it from SecondDNS

All zone changes are propagated automatically through the BIND/PowerDNS NOTIFY mechanism. No manual steps, no cron jobs, no stale records.

DirectAdmin Secondary DNS Requirements

Before you begin, make sure you have:

- DirectAdmin 1.6 or later with BIND/named or PowerDNS
- Root (sudo) access to the server
- A SecondDNS API key (get one at seconddns.com/dashboard/api-key)
- Your SecondDNS nameserver IP (find it in the dashboard under Settings > Nameservers)
- TCP port 53 open inbound for the SecondDNS server IP

The zone transfer protocol AXFR uses TCP port 53, not UDP. Many firewall configurations only open UDP 53 for regular DNS queries. If TCP 53 is blocked, zone transfers will silently fail even though regular DNS resolution works.

Open TCP Port 53 for DNS Zone Transfers

Before running the installer, open TCP port 53 for the SecondDNS server. Find your nameserver IP in the dashboard under Settings > Nameservers, then replace SECONDARY_IP in the commands below.

If you use UFW:

ufw allow from SECONDARY_IP to any port 53 proto tcp
ufw reload

If you use iptables:

iptables -I INPUT -s SECONDARY_IP -p tcp --dport 53 -j ACCEPT

If you use nftables:

nft add rule inet filter input ip saddr SECONDARY_IP tcp dport 53 accept

To verify TCP port 53 is open from outside:

nmap -p 53 -sT YOUR_SERVER_IP

The installer automatically sets allow-transfer (BIND) or allow-axfr-ips (PowerDNS) to your assigned SecondDNS IP when you provide your API key.

Install Secondary DNS on DirectAdmin

Run the one-liner as root:

curl -sL https://raw.githubusercontent.com/seconddns/dns_integrations/main/hosting-panels/directadmin/install.sh | bash -s -- --api-key=YOUR_API_KEY

The installer will:

- Verify your API key against the SecondDNS API
- Detect your server IP address (IPv4 and IPv6)
- Ask which protocol to use if both are available
- Detect your DNS backend (BIND or PowerDNS)
- Configure zone transfers automatically (allow-transfer grants the pull and also-notify triggers NOTIFY for BIND; allow-axfr-ips for PowerDNS)
- Install hook scripts to /usr/local/directadmin/scripts/custom/
- Offer to sync existing domains

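Replace YOUR_API_KEY with the key from your SecondDNS dashboard. The installer exits with a non-zero status if any step fails. Because the one-liner executes the downloaded script as root, you can also save install.sh to a file first, read it, and then run it with the same --api-key argument.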

Configure Nameservers in DirectAdmin

After installation, register the secondary nameserver in DirectAdmin.

Option 1: Through the DirectAdmin panel (recommended)

Log in as Admin → Server Manager → Name Servers. Set NS2 to your SecondDNS nameserver hostname (shown in the dashboard under Settings > Nameservers). If you have the Personalized NS add-on, use your branded hostname instead (e.g. ns2.yourdomain.com). This applies to all new domains automatically.

Option 2: Edit the DNS template directly

vi /usr/local/directadmin/data/templates/custom/dns_zone.conf

If the custom template directory does not exist, create it first:

mkdir -p /usr/local/directadmin/data/templates/custom
cp /usr/local/directadmin/data/templates/dns_zone.conf /usr/local/directadmin/data/templates/custom/

Add an NS record pointing to your SecondDNS nameserver hostname. For existing domains, add the NS record through DirectAdmin DNS Management or the bulk DNS update feature.

Sync Existing Domains to Secondary DNS

If you had domains in DirectAdmin before installation, sync them to the secondary:

seconddns sync

This compares your local zones against SecondDNS and adds any missing ones. Domains deleted locally are removed from the secondary. The command is idempotent — safe to run multiple times.

To verify a specific zone is registered:

seconddns status example.com

To list all zones currently on the secondary:

seconddns list

Verify Your DirectAdmin Secondary DNS Setup

Create a test domain in DirectAdmin and watch the hook log:

tail -f /var/log/seconddns.log

You should see:

Zone created: testdomain.com (caller=create:domain, user=admin)
[+] Zone testdomain.com added to SecondDNS

Then query both nameservers. Replace SECONDARY_IP with your nameserver IP from the dashboard:

dig @YOUR_SERVER_IP testdomain.com SOA +short
dig @SECONDARY_IP testdomain.com SOA +short

Both should return the same SOA serial in YYYYMMDDNN format. If the secondary shows a lower serial or returns SERVFAIL, check TCP port 53 access and the hook log.
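
The serial comparison can be scripted. This added example (not part of the seconddns tool) parses dig +short SOA output, where the serial is the third field, and reports whether the secondary is in sync, behind, or not answering. The sample outputs are constructed, and check_zone is a hypothetical wrapper around the dig command shown above.

```shell
# Extract the serial (third field) from `dig +short SOA` output.
# Prints nothing for an empty answer (SERVFAIL) or a dig error line.
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# Compare two dig outputs and print a one-word verdict.
compare_soa() {  # $1 = primary dig output, $2 = secondary dig output
    p=$(soa_serial "$1")
    s=$(soa_serial "$2")
    if   [ -z "$p" ];        then echo primary-no-answer
    elif [ -z "$s" ];        then echo secondary-no-answer
    elif [ "$s" -eq "$p" ];  then echo in-sync
    elif [ "$s" -lt "$p" ];  then echo secondary-behind
    else                          echo secondary-ahead
    fi
}

# Live check against real servers (hypothetical helper, needs dig and network).
check_zone() {  # $1 = zone, $2 = primary IP, $3 = secondary IP
    compare_soa "$(dig @"$2" "$1" SOA +short +time=3 +tries=1)" \
                "$(dig @"$3" "$1" SOA +short +time=3 +tries=1)"
}

# Constructed sample answers in the format dig +short prints.
PRIMARY_OUT='ns1.testdomain.com. hostmaster.testdomain.com. 2024051502 3600 600 1209600 86400'
STALE_OUT='ns1.testdomain.com. hostmaster.testdomain.com. 2024051501 3600 600 1209600 86400'

compare_soa "$PRIMARY_OUT" "$PRIMARY_OUT"   # in-sync
compare_soa "$PRIMARY_OUT" "$STALE_OUT"     # secondary-behind
compare_soa "$PRIMARY_OUT" ""               # secondary-no-answer
```

A secondary-behind or secondary-no-answer verdict points to the same checks as above: TCP port 53 access and the hook log.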

Supported Domain Types

The integration handles all DirectAdmin domain types:

- Main domains (create:domain)
- DNS zones (create:zone)
- Domain pointers (create:pointer)

Each type triggers the hook automatically when created or deleted through the DirectAdmin control panel or API. The hook receives the domain name, username, and caller type from DirectAdmin and passes them to SecondDNS.

Troubleshooting DirectAdmin Secondary DNS

Zone not appearing on secondary

Check the hook log at /var/log/seconddns.log. Verify the hooks are installed and executable:

ls -la /usr/local/directadmin/scripts/custom/dns_*_post.sh

If the files are missing, re-run the installer. If they exist but are not executable, run:

chmod +x /usr/local/directadmin/scripts/custom/dns_*_post.sh

AXFR refused (BIND)

Check named.conf for allow-transfer pointing to your SecondDNS IP:

grep -A3 'allow-transfer' /etc/named.conf

The installer sets this automatically, but manual edits may override it. A change to allow-transfer is a config change, so apply it with reconfig (rndc reload only re-reads zone data):

rndc reconfig
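
The allow-transfer directive described under How DirectAdmin DNS Works, and checked here with grep, decides who may pull a full copy of a zone. As an added example (not part of the SecondDNS installer or DirectAdmin), this shell function reads a named.conf on stdin and lists every allow-transfer entry other than the secondary's IP or none. The sample config, zone names and 192.0.2.53 are constructed; it assumes zones are declared at top level (no views) and does not handle /* */ comments.

```shell
# Constructed, trimmed named.conf; 192.0.2.53 stands in for SECONDARY_IP.
sample_conf() {
cat <<'EOF'
options {
    directory "/var/named";
    allow-transfer { none; };
};
zone "good.example" {
    type master;
    allow-transfer { 192.0.2.53; };
    also-notify { 192.0.2.53; };
};
zone "open.example" {
    type master;
    allow-transfer { any; };   // anyone can pull this zone
};
zone "stale.example" {
    type master;
    allow-transfer {
        192.0.2.53;
        198.51.100.7;   # address no longer in use
    };
};
EOF
}

# Read named.conf on stdin; print "<zone>: allow-transfer permits <entry>"
# for every entry that is neither the secondary IP ($1) nor "none".
audit_allow_transfer() {
    # Drop // and # comments, isolate { } ; as tokens, one token per line.
    sed -e 's|//.*||' -e 's|#.*||' -e 's/[{};]/ & /g' |
    tr -s '[:space:]' '\n' |
    awk -v ip="$1" '
        $0 == ""                   { next }
        $0 == "zone" && depth == 0 { want_name = 1; next }
        want_name  { zone = $0; gsub(/"/, "", zone); want_name = 0; next }
        $0 == "allow-transfer"     { pending = 1; next }
        $0 == "{"  { depth++; in_acl = in_acl || pending; pending = 0; next }
        $0 == "}"  { depth--; in_acl = 0; if (depth == 0) zone = ""; next }
        in_acl && $0 != ";" && $0 != ip && $0 != "none" {
            printf "%s: allow-transfer permits %s\n", (zone == "" ? "options" : zone), $0
        }'
}

sample_conf | audit_allow_transfer 192.0.2.53
# On a real server: audit_allow_transfer SECONDARY_IP < /etc/named.conf
```

Empty output means every allow-transfer statement is limited to the secondary or to none.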

AXFR refused (PowerDNS)

Check pdns.conf for allow-axfr-ips:

grep allow-axfr-ips /etc/pdns/pdns.conf

Restart PowerDNS after any changes:

systemctl restart pdns

TCP port 53 blocked

Run the nmap test from the firewall section. CSF users: verify the SecondDNS IP is in /etc/csf/csf.allow.

Test a hook manually

To trigger the create hook without creating a real domain:

domain=example.com username=admin caller=create:domain /usr/local/directadmin/scripts/custom/dns_create_post.sh

Hook not triggered

Verify DirectAdmin's hook system is enabled. Some older DirectAdmin builds require the custom scripts directory to be explicitly activated in the configuration.

Uninstalling

To remove the integration:

curl -sL https://raw.githubusercontent.com/seconddns/dns_integrations/main/hosting-panels/directadmin/uninstall.sh | bash

This removes the hook scripts and configuration file. Your zones on the secondary DNS are not deleted automatically — remove them through the SecondDNS dashboard or run:

seconddns remove-all

before uninstalling if you want them cleared from the secondary.