DNS Slaves - Bind AXFR/IXFR

For modifications in and around KeyHelp.
george
Posts: 87
Joined: Fri 3. Jan 2020, 05:53
Location: AUSTRALIA

DNS Slaves - Bind AXFR/IXFR

Post by george »

BASIC INSTRUCTIONS FOR USING DNS SLAVES | German

KeyHelp by default sets up nameservers like ns.host.serverdomain.com and ns2.host.serverdomain.com, but additional nameservers may be added as slaves, for improving performance/reliability. Once the slaves are added, they will stay synchronised with your primary nameserver by AXFR/IXFR transfers automatically. These DNS Slaves will be available for all hosted domains. If you would like to use DNS Slaves, this is the easy way to do it - and it works perfectly on KeyHelp!

First, before making the changes on your server:
  • Visit your hosting provider or external DNS service, log in to the user interface and add all your website domains for slave DNS, including your server IP address (see the instructions at your provider) - you can also add your hostname here.
  • Visit your domain registrar, login, add the slave nameservers to DNS for each website domain.
Now the hosting/external-DNS and registrar entries are done, let's proceed to make the changes on your server. We must add the DNS Slaves to our Bind configuration, using the IP addresses of the slaves. Open and edit the file:

/etc/bind/named.conf.options
These 2 sections will be added, with all the DNS Slaves' IP addresses inside parenthesis:

allow-transfer { };
also-notify { };

See my example below, the completed file - named.conf.options
Just replace the IP addresses with your own, then save the file.

Now check that all your bind configuration is error-free, open a terminal and issue the following command (no output means all is good, otherwise it will show an error):

named-checkconf
If no error, restart bind and check status:

service bind9 restart
service bind9 status
Now you can check periodically that AXFR/IXFR transfers to slaves are successful:

journalctl -eu bind9
Finally, we need to make sure all the DNS Zones include the Slaves. Go to your KeyHelp DNS Zone Editor and add NS entries for DNS Slaves:

KeyHelp > Domains > DNS Zone Editor

To cause all new domains to automatically use the DNS Slaves, add them to KeyHelp database DNS defaults:
  • Login to phpMyAdmin
  • Click on Database "keyhelp"
  • Click on Table "settings"
  • Look for |category "dns"|name "nameserver"|value "ns..."| - double-click and enter all your nameservers here, separated by commas.
Done!


# --------------------------------------------------
# /etc/bind/named.conf.options
# --------------------------------------------------

options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };

	allow-transfer {
		127.0.0.1;
		localnets;
		server.IP.address;	// placeholder: this server's own IPv4 address
		server.IPv6.address;	// placeholder: this server's own IPv6 address
		104.237.137.10;
		65.19.178.10;
		75.127.96.10;
		207.192.70.10;
		109.74.194.10;
		2600:3c00::a;
		2600:3c01::a;
		2600:3c02::a;
		2600:3c03::a;
		2a01:7e00::a;
	};
	also-notify {
		104.237.137.10;
		65.19.178.10;
		75.127.96.10;
		207.192.70.10;
		109.74.194.10;
		2600:3c00::a;
		2600:3c01::a;
		2600:3c02::a;
		2600:3c03::a;
		2a01:7e00::a;
	};
};
Last edited by george on Tue 7. Jan 2020, 14:41, edited 2 times in total.
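The journalctl check above shows the master's view of the transfers. As an added example (not part of george's post), this script asks the master and every slave for the zone's SOA serial and reports any slave that is behind; it assumes `dig` (from bind9-dnsutils) is installed, and the hostnames in the comments are just the sample names from the post.

```bash
#!/bin/bash
# Usage: ./check-slaves.sh ZONE MASTER SLAVE [SLAVE...]
#   e.g. ./check-slaves.sh example.com ns.host.serverdomain.com 104.237.137.10 2600:3c00::a
set -eu

# Pull the serial (3rd field) out of a "dig +short SOA" answer line such as
# "ns.host.serverdomain.com. hostmaster.host.serverdomain.com. 2023060305 3600 900 604800 86400"
# (constructed sample). Fails when the answer is empty or not a valid SOA.
serial_from_soa() {
  local serial
  serial="$(printf '%s\n' "$1" | awk 'NF >= 7 { print $3 }')"
  case "$serial" in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$serial"
}

# Ask one server for the zone's SOA serial; short timeout so a dead slave
# does not hang the whole check.
serial_of() {               # serial_of ZONE SERVER
  serial_from_soa "$(dig +short +time=3 +tries=1 SOA "$1" "@$2")"
}

# Compare the master's serial with each slave's; non-zero exit on any mismatch
# or unreachable server, so it can be used from cron or a monitoring job.
check_zone() {              # check_zone ZONE MASTER SLAVE...
  local zone="$1" master="$2" want got rc=0
  shift 2
  want="$(serial_of "$zone" "$master")" \
    || { echo "$zone: no SOA from master $master" >&2; return 1; }
  for ns in "$@"; do
    if got="$(serial_of "$zone" "$ns")" && [ "$got" = "$want" ]; then
      echo "$zone @$ns serial $got OK"
    else
      echo "$zone @$ns serial ${got:-none} != master $want" >&2
      rc=1
    fi
  done
  return $rc
}

if [ "$#" -ge 3 ]; then check_zone "$@"; fi
```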
Martin
Posts: 984
Joined: Wed 20. Jan 2016, 00:43

Re: DNS Slaves - Bind AXFR/IXFR

Post by Martin »

Hello,

Thank you. You may also put the Bind config example into a <code> tag, so the formatting is the same. The current example would result in a bind syntax error.
Best regards,
Martin
george
Posts: 87
Joined: Fri 3. Jan 2020, 05:53
Location: AUSTRALIA

Re: DNS Slaves - Bind AXFR/IXFR

Post by george »

Done!
Thanks Martin.
Sweden
KeyHelp Translator
Posts: 1
Joined: Fri 31. Jan 2020, 15:50

Re: DNS Slaves - Bind AXFR/IXFR

Post by Sweden »

Thank you! Is it possible to get full instructions for the slave DNS (BIND9) server as well?
george
Posts: 87
Joined: Fri 3. Jan 2020, 05:53
Location: AUSTRALIA

Re: DNS Slaves - Bind AXFR/IXFR

Post by george »

Hi Sweden,
the instructions above are meant for using your ISP's or 3rd party DNS servers as slaves, and they are usually already configured to do IXFR/AXFR transfers. As long as your Bind server can "also-notify" and "allow-transfer" to them, it should work!
If you are setting up both Master and Slaves yourself, the instructions above are good for the master. For the slave setup, there are plenty of good guides online.
https://www.google.com/search?q=setup+d ... ian+ubuntu
Tobi
Community Moderator
Posts: 2812
Joined: Thu 5. Jan 2017, 13:24

Re: DNS Slaves - Bind AXFR/IXFR

Post by Tobi »

Sorry, but I don't see the point of better reliability?

If my KeyHelp server is the master nameserver and also the webhost for a certain domain, it doesn't matter if I have a backup nameserver.

Because if the master nameserver is down the webhost is also down.

Can you please explain the advantage of your construct?
Regards,
Tobi


-----------------------------
wewoco.de
The forum for resellers, digital agencies, screen workers and mouse pushers
george
Posts: 87
Joined: Fri 3. Jan 2020, 05:53
Location: AUSTRALIA

Re: DNS Slaves - Bind AXFR/IXFR

Post by george »

Hi Tobi,
firstly, it is possible for the Bind server to suffer a temporary issue, or go down (fail), while the rest of the services are ok. Having at least one secondary nameserver - NOT on the same machine or IP - is standard practice and recommended.

Using external nameservers will also reduce the load (stress) on the master, and so reduce the load on the server, which can lead to better resource usage and faster response times. If your nameservers have good global coverage (like Cloudflare), global visitors may also benefit from faster DNS queries.

I have 6 nameservers (including 1 master), and can rest knowing that visitors will arrive...
Tobi
Community Moderator
Posts: 2812
Joined: Thu 5. Jan 2017, 13:24

Re: DNS Slaves - Bind AXFR/IXFR

Post by Tobi »

Thanks for your explanation!

I'm using four external nameservers. Not the internal one, except for one domain.
Regards,
Tobi


silverhost
KeyHelp Translator
Posts: 4
Joined: Sat 27. May 2023, 13:48
Location: Hungary

Re: DNS Slaves - Bind AXFR/IXFR

Post by silverhost »

Hi,

Here is a full solution for that.

Basic data:
----
Server1 domain: panel1.server1.etc
Server1 IP: 1.1.1.1

Server2 domain: panel2.server2.etc
Server2 IP: 2.2.2.2

NS1: ns1.server1.etc
NS2: ns2.server2.etc
----

Then, for both domains (server1.etc and server2.etc), set the nameservers to:
----
ns1.server1.etc
ns2.server2.etc
----

First:
----
Create glue records for both domains at the registrar where you bought your domains:

ns1.server1.etc set ip to -->> 1.1.1.1
ns2.server2.etc set ip to -->> 2.2.2.2
----

Install your KeyHelp panel on both servers:
----
Server1 install domain: panel1.server1.etc
Server2 install domain: panel2.server2.etc
----

After installation, log in and create a user on both servers (for example username: hostingadmin).

Add the domains to that user:
----
On Server1 add the domain: server1.etc
On Server2 add the domain: server2.etc
----

Edit the DNS zone of both domains:
----
On Server1, in server1.etc, add an ns1 A record with this IP: 1.1.1.1
On Server2, in server2.etc, add an ns2 A record with this IP: 2.2.2.2
----

Log in via SSH to the command line of both servers (for example with PuTTY).

Run these commands as the root user.

On Server1 and Server2, generate an SSH key for the root user:
----

ssh-keygen
----

Copy the public key from Server2 to Server1 (run this command on Server1):
----

scp root@2.2.2.2:/root/.ssh/id_rsa.pub .ssh/authorized_keys
----

Copy the public key from Server1 to Server2 (run this command on Server2):
----

scp root@1.1.1.1:/root/.ssh/id_rsa.pub .ssh/authorized_keys
----

Allow BIND on each server to refresh the other's zones.

Server1:
----

nano /etc/bind/named.conf.options
Instead of this line -->>

    allow-transfer { none; };
insert this -->>

    auth-nxdomain no;

    allow-transfer { 2.2.2.2; };

    also-notify { 2.2.2.2; };

    transfers-out 100;

    allow-query-cache { none; };

    minimal-responses yes;
----

Server2:
----

nano /etc/bind/named.conf.options
Instead of this line -->>
allow-transfer { none; };

insert this -->>

    auth-nxdomain no;

    allow-transfer { 1.1.1.1; };

    also-notify { 1.1.1.1; };

    transfers-out 100;

    allow-query-cache { none; };

    minimal-responses yes;
----

Create an empty named.conf.slave file on both servers.

Server1+Server2:
----

nano /etc/bind/named.conf.slave
insert this -->>

//
// Created by KeyHelp on 2023-06-03 15:20:01
//
// DO NOT CHANGE ANYTHING IN THIS FILE!
// CHANGES WILL BE LOST ON NEXT UPDATE.
//
----

Make it writable by BIND on both servers.

Server1+Server2:
----

chown bind:bind /etc/bind/named.conf.slave
----

Edit the named.conf file on both servers.

Server1:
----

nano /etc/bind/named.conf
At the end of the file insert this -->>

// Slave server config include
include "/etc/bind/named.conf.slave";
----

Create a *.sh script for the automation.

Server1:
----

nano /root/dns-cluster.sh
insert this -->>

#!/bin/bash
# Pull the other server's KeyHelp zone list and turn it into slave zones here.

MASTER=2.2.2.2                              # IP of the other (master) server
MASTERCONFIG=/etc/bind/named.conf.keyhelp   # KeyHelp-generated zone list on the master
SLAVECONFIG=/etc/bind/named.conf.slave      # included from named.conf on this server

# Fetch the master's zone config over SSH (uses the root keys exchanged above).
scp root@$MASTER:$MASTERCONFIG $SLAVECONFIG

# "type master;" becomes "type slave;" plus a masters { } line pointing at the other server.
sed -i 's/master;/slave;\n  masters { '$MASTER'; };/g' $SLAVECONFIG

# Slave zone files must live where bind is allowed to write them (/var/lib/bind on Debian).
sed -i 's+etc/bind/keyhelp_domains+var/lib/bind+g' $SLAVECONFIG

# Apply the new zone list.
systemctl reload bind9
----

Server2:
----

nano /root/dns-cluster.sh
insert this -->>

#!/bin/bash
# Same script as on Server1; only MASTER differs (here it points at Server1).

MASTER=1.1.1.1
MASTERCONFIG=/etc/bind/named.conf.keyhelp
SLAVECONFIG=/etc/bind/named.conf.slave

scp root@$MASTER:$MASTERCONFIG $SLAVECONFIG

sed -i 's/master;/slave;\n  masters { '$MASTER'; };/g' $SLAVECONFIG

sed -i 's+etc/bind/keyhelp_domains+var/lib/bind+g' $SLAVECONFIG

systemctl reload bind9
----

Create a cron job to run dns-cluster.sh automatically.

Server1+Server2:
----

crontab -e
At the end of the file insert this -->>

#Run every 10 minutes
*/10 * * * * /root/dns-cluster.sh
----

First test.

Server1 and Server2:
----

cd /root

./dns-cluster.sh
----

Check Server1 and Server2 (no response means no error):
----

named-checkconf
----

Check status:
----

service bind9 status
The output should look like this, without errors -->>

● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2023-06-04 19:57:05 CEST; 1h 30min ago
       Docs: man:named(8)
    Process: 14485 ExecReload=/usr/sbin/rndc reload (code=exited, status=0/SUCCESS)
   Main PID: 926 (named)
      Tasks: 50 (limit: 154416)
     Memory: 428.8M
        CPU: 1.911s
     CGroup: /system.slice/named.service
             └─926 /usr/sbin/named -f -u bind

jún 04 21:20:02 panel named[926]: automatic empty zone: HOME.ARPA
jún 04 21:20:02 panel named[926]: configuring command channel from '/etc/bind/rndc.key'
jún 04 21:20:02 panel named[926]: configuring command channel from '/etc/bind/rndc.key'
jún 04 21:20:02 panel named[926]: reloading configuration succeeded
jún 04 21:20:02 panel named[926]: reloading zones succeeded
jún 04 21:20:02 panel rndc[14485]: server reload successful
jún 04 21:20:02 panel systemd[1]: Reloaded BIND Domain Name Server.
jún 04 21:20:02 panel named[926]: all zones loaded
jún 04 21:20:02 panel named[926]: running
jún 04 21:20:02 panel named[926]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
If new zones are received, it shows the transfer, for example:

transfer of 'server2.etc/IN' from 2.2.2.2#53: Transfer completed: 1 messages, 14 records, 890 bytes, 0.028 secs (31785 bytes/sec) (serial 2023060305)
----

After the refresh you can find the other server's zones in this file:
----

nano /etc/bind/named.conf.keyhelp
----

And the DNS files here:
----

ls -l /var/lib/bind
----

You can check the history:

nano /var/log/syslog
That's all.
Laszlo
https://silverhost.hu
KeyHelp official translator into Hungarian
If you find any errors or typos in the translation, please report them privately!
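A hardened version of the dns-cluster.sh script from this post, added here as an example (not silverhost's code): it writes the rewritten config to a temp file, validates it with named-checkconf before installing it, and reloads bind only when something actually changed, so a broken or half-copied file cannot take the slave zones down. It assumes the root SSH keys have been exchanged as described above and the zone stanza format shown in the comment.

```bash
#!/bin/bash
# Hardened variant of dns-cluster.sh (added example, not silverhost's script).
# Assumed KeyHelp zone format (constructed for this example):
#   zone "x.etc" { type master; file "/etc/bind/keyhelp_domains/x.etc"; };
set -eu

MASTER="${MASTER:-2.2.2.2}"                 # IP of the other server
MASTERCONFIG=/etc/bind/named.conf.keyhelp
SLAVECONFIG=/etc/bind/named.conf.slave

# Rewrite master zone stanzas (stdin) as slave stanzas (stdout); zone files
# move to /var/lib/bind, where bind is allowed to write on Debian/Ubuntu.
render_slave_config() {
  local master="$1"
  sed -E \
    -e 's/type[[:space:]]+master;/type slave;\n  masters { '"$master"'; };/g' \
    -e 's#/etc/bind/keyhelp_domains/#/var/lib/bind/#g'
}

# Accept the candidate only if named-checkconf parses it (skipped where the
# tool is not installed, e.g. when testing on a workstation).
validate_config() {
  command -v named-checkconf >/dev/null 2>&1 || return 0
  named-checkconf "$1"
}

sync_from_master() {
  local master="$1" work new
  work="$(mktemp -d)"
  new="$work/named.conf.slave"
  scp -q "root@${master}:${MASTERCONFIG}" "$work/master.conf"
  render_slave_config "$master" < "$work/master.conf" > "$new"
  if ! validate_config "$new"; then
    echo "dns-cluster: config from $master rejected, keeping current one" >&2
    rm -rf "$work"
    return 1
  fi
  if ! cmp -s "$new" "$SLAVECONFIG"; then   # reload only on a real change
    install -o bind -g bind -m 0640 "$new" "$SLAVECONFIG"
    systemctl reload bind9
  fi
  rm -rf "$work"
}

# Cron entry as on the page, but with RUN=1:  */10 * * * * RUN=1 /root/dns-cluster.sh
if [ "${RUN:-0}" = 1 ]; then sync_from_master "$MASTER"; fi
```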