Secondary DNS can be used not only to combine two or more servers to work together, but it can be used to have a hidden master server where to manage all DNS zones, records and settings and the zones and changes to be propagated automatically to a public server which will face all the DNS traffic. Such configuration allows you to protect the backend hidden server from DDoS attacks or your domain names to be served only from a fast anycast network, so the unicast network connection of the hidden master server will not affect the global speed of the domain name.
Hidden master is a simple DNS configuration that prevents attacks on the Master DNS server. Usually, this server is not listed at the registrar or as NS record in the DNS zone. This way, the Master DNS server is always protected, as nobody will be able to see that it exist. If something wrong happens to the Slave DNS server, there will be no impact on the Master DNS server. Optional, it can be behind a Firewall.
In order to use Hidden Master DNS server with ClouDNS, you must first create NS records in your Master DNS zone for the name servers available to you at ClouDNS. These servers are listed in the pop-up window when you click on "available name servers" on your Dashboard page - DNS hosting section, right next to "create zone" button. You must make sure, that there are no NS records for your Master DNS server in your DNS zone. Once you create the NS records, you have to create all other records in your Master DNS zone. Afterwards, login to your profile and create a Slave DNS zone.
Once the zone is created and you have entered the IP address of your Master DNS server, you must click on "Primary Settings" in the DNS zone management page. You have to allow zone transfer and notify on your Master DNS server for the listed IP addresses. If you are using BIND, you can simply copy and paste the suggested configuration in your zone file.
After you complete the steps above, you can check the SOA serial on your Master DNS server. Then, you can click on SOA, next to your DNS zone in your Dashbaord. If the SOA serials match, your DNS zone is synchronized and you have a Hidden Master DNS server configuration.
In case your Master DNS server is behind a Firewall, please allow connection from the IP addresses of our name servers.