DNS Slaves - Bind AXFR/IXFR
Posted: Tue 7. Jan 2020, 14:23
BASIC INSTRUCTIONS FOR USING DNS SLAVES
KeyHelp by default sets up nameservers like ns.host.serverdomain.com and ns2.host.serverdomain.com, but additional nameservers may be added as slaves to improve performance and reliability. Once the slaves are added, they stay synchronised with your primary nameserver automatically through AXFR/IXFR transfers. These DNS slaves will be available for all hosted domains. If you would like to use DNS slaves, this is the easy way to do it - and it works perfectly on KeyHelp!
First, before making the changes on your server:
- Visit your hosting provider or external DNS service, log in to the user interface and add all your website domains for slave DNS, including your server IP address (instructions at your provider) - you can also add the hostname here.
- Visit your domain registrar, log in, and add the slave nameservers to DNS for each website domain.
These 2 sections will be added, with all the DNS slaves' IP addresses inside the braces:
Code:
# /etc/bind/named.conf.options
allow-transfer { };
also-notify { };
See my example below, the completed file - named.conf.options
Just replace the IP addresses with your own, then save the file.
Now check that your bind configuration is error-free: open a terminal and issue the following command (no output means all is good, otherwise it will show an error):
Code:
named-checkconf
If no error, restart bind and check status:
Code:
service bind9 restart
service bind9 status
Now you can check periodically that AXFR/IXFR transfers to slaves are successful:
Code:
journalctl -eu bind9
Finally, we need to make sure all the DNS zones include the slaves. Go to your KeyHelp DNS Zone Editor and add NS entries for the DNS slaves:
KeyHelp > Domains > DNS Zone Editor
To cause all new domains to automatically use the DNS slaves, add them to the KeyHelp database DNS defaults:
- Log in to phpMyAdmin
- Click on Database "keyhelp"
- Click on Table "settings"
- Look for |category "dns"|name "nameserver"|value "ns..."| - double-click and enter all your nameservers here, separated by commas.
# --------------------------------------------------
# /etc/bind/named.conf.options
# --------------------------------------------------
Code:
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };

    allow-transfer {
        127.0.0.1;
        localnets;
        server.IP.address;
        server.IPv6.address;
        104.237.137.10;
        65.19.178.10;
        75.127.96.10;
        207.192.70.10;
        109.74.194.10;
        2600:3c00::a;
        2600:3c01::a;
        2600:3c02::a;
        2600:3c03::a;
        2a01:7e00::a;
    };

    also-notify {
        104.237.137.10;
        65.19.178.10;
        75.127.96.10;
        207.192.70.10;
        109.74.194.10;
        2600:3c00::a;
        2600:3c01::a;
        2600:3c02::a;
        2600:3c03::a;
        2a01:7e00::a;
    };
};
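A consistency check for the allow-transfer and also-notify lists described in this post, as an added example that is not part of the original post and is not KeyHelp or BIND code. The function names and the sample configuration (documentation address ranges) are assumptions made here, and the parser only handles flat address lists without `port` or `key` clauses.

```python
import ipaddress
import re

BROAD_ACLS = {"any", "localnets"}  # built-in ACLs that match more than one host
BUILTIN_ACLS = BROAD_ACLS | {"none", "localhost"}

def block_entries(conf, name):
    """Entries of a flat `name { a; b; };` statement, with comments removed."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#).*", "", conf)
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{([^{}]*)\}", conf)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else []

def as_network(entry):
    """ip_network for an address or prefix, None for anything else."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None

def audit(conf):
    """Hypothetical helper: compare allow-transfer with also-notify."""
    allow = block_entries(conf, "allow-transfer")
    notify = block_entries(conf, "also-notify")
    allow_nets = [n for n in map(as_network, allow) if n is not None]

    def allowed(net):
        return "any" in allow or any(
            net.version == a.version and net.subnet_of(a) for a in allow_nets)

    notify_nets = [(e, as_network(e)) for e in notify]
    return {
        # Slaves that get a NOTIFY but would be refused the zone transfer.
        "notified_not_allowed": [e for e, n in notify_nets
                                 if n is not None and not allowed(n)],
        # Entries that let more than the listed slaves pull complete zones.
        "broad": [a for a in allow if a in BROAD_ACLS],
        # Leftover placeholders or typos that are neither an ACL name nor an IP.
        "not_an_address": [e for e in allow + notify
                           if e not in BUILTIN_ACLS and as_network(e) is None],
    }

# Constructed sample using documentation address ranges, not a real server.
SAMPLE = """
options {
    directory "/var/cache/bind";  // comment with { braces }
    allow-transfer { 127.0.0.1; localnets; 192.0.2.10; server.IP.address; };
    also-notify { 192.0.2.10; 2001:db8::a; };
};
"""
```

Calling `audit()` on the text of named.conf.options before running named-checkconf shows any slave that is notified but missing from allow-transfer, and any entry such as `localnets` that opens full zone transfers to more hosts than the slaves listed.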