====== Virtualmin - DNS ======
:!: Use ''dig +trace'' for more query details.
===== Slave DNS =====
http://www.virtualmin.com/documentation/dns/slave-configuration
:!: Make sure ports 10000:10010 are open between the two DNS servers.
:!: Without Virtualmin, a slave zone can be created on the slave server with the Webmin BIND DNS Server module via ''Create a new slave zone''.
**With a Virtualmin primary DNS server**, create slave DNS zones on Virtualmin slave servers:
:!: Use this command when the primary zone is configured and working but no slave configuration exists, for example after a virtual server transfer.
virtualmin modify-dns --domain yourdomain.tld --add-all-slaves
virtualmin modify-dns --all-domains --add-all-slaves
Initiate a transfer **at the slave server** and check the log (may be ''messages'' or ''syslog''):
rndc retransfer yourdomain.tld
tail -200 /var/log/syslog
This command performs a test zone transfer **at the slave server** CLI:
dig domain.tld. axfr @ns.dnsdomain.tld
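After a retransfer, the quickest sanity check is whether the slave answers with the same SOA serial as the master. This is an added helper, not Virtualmin's own tooling; the ns1/ns2.dnsdomain.tld names and the sample dig answers are constructed.

```shell
#!/bin/sh
# Compare the SOA serial the master and the slave answer with for a zone.
# Added example, not Virtualmin code; server names and sample answers are constructed.

# Print the serial (7th field of the answer line) from "dig +noall +answer SOA" output on stdin.
soa_serial() {
    awk '$4 == "SOA" { print $7; exit }'
}

# Compare a master and a slave serial. Returns 0 in sync, 1 out of sync,
# 2 if one side gave no SOA answer (zone missing there, transfer refused, or port 53 blocked).
compare_serials() {
    master=$1; slave=$2
    if [ -z "$master" ] || [ -z "$slave" ]; then
        echo "no SOA answer from one side (zone not configured on the slave, or port 53 blocked?)"
        return 2
    fi
    if [ "$master" -eq "$slave" ]; then
        echo "in sync (serial $master)"; return 0
    fi
    echo "out of sync: master=$master slave=$slave (rerun rndc retransfer and check the syslog)"
    return 1
}

# Usage: check_slave yourdomain.tld ns1.dnsdomain.tld ns2.dnsdomain.tld
check_slave() {
    zone=$1; master=$2; slave=$3
    m=$(dig +noall +answer "$zone." SOA "@$master" | soa_serial)
    s=$(dig +noall +answer "$zone." SOA "@$slave" | soa_serial)
    compare_serials "$m" "$s"
}

# Constructed dig answers (date-based serials) so the parser can be exercised offline.
MASTER_ANSWER='yourdomain.tld. 3600 IN SOA ns1.dnsdomain.tld. hostmaster.yourdomain.tld. 2024030102 3600 600 1209600 300'
SLAVE_ANSWER='yourdomain.tld. 3600 IN SOA ns1.dnsdomain.tld. hostmaster.yourdomain.tld. 2024030101 3600 600 1209600 300'

m=$(printf '%s\n' "$MASTER_ANSWER" | soa_serial)
s=$(printf '%s\n' "$SLAVE_ANSWER" | soa_serial)
compare_serials "$m" "$s" || true   # prints "out of sync" for the constructed sample
```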
===== Firewall =====
BIND's default behavior is to send queries out of whichever network interface the route to the destination points to, from a random, unprivileged source port.
**Test** for random source ports:
dig +short porttest.dns-oarc.net TXT
**Force source port** to 53:
:!: This is old methodology and **will** cause problems with some mail servers.
vim /etc/bind/named.conf.options
// Limit the outbound source port to get through outgoing firewall
query-source address * port 53;
To **allow outbound DNS lookups through a CSF firewall**, with random source ports, append a line:
vim /etc/csf/csf.allow
udp|out|d=53|| # Outbound DNS query with random source port
===== CLI =====
Set the TTL for all domains:
virtualmin modify-dns --all-domains --ttl 400
Enable or Disable DNSSEC on all domains:
virtualmin modify-dns --all-domains --disable-dnssec
virtualmin modify-dns --all-domains --enable-dnssec
:!: The 'dots' at the end of host and domain names are important.
Remove all NS records, then re-add new ones:
virtualmin modify-dns --domain xyz.tld --remove-record "xyz.tld. NS"
virtualmin modify-dns --domain xyz.tld --add-record "xyz.tld. NS ns1.dnsdomain.tld."
virtualmin modify-dns --domain xyz.tld --add-record "xyz.tld. NS ns2.dnsdomain.tld."
List all name servers for all domains:
for dom in $(virtualmin list-domains --with-feature dns --name-only); do host -t ns $dom; done |sort
Replace name server (NS) records for all domains:
for dom in $(virtualmin list-domains --with-feature dns --name-only); do
virtualmin modify-dns --domain $dom --remove-record "$dom. NS"
virtualmin modify-dns --domain $dom --add-record "$dom. NS ns1.dnsdomain.tld."
virtualmin modify-dns --domain $dom --add-record "$dom. NS ns2.dnsdomain.tld."
done
Set all SPF records to 'discourage' (''~all''):
virtualmin modify-dns --all-domains --spf-all-discourage
===== SOA Record =====
==== Serial Number Format ====
**Webmin -> Servers -> BIND DNS Server -> Module Config -> Zone File Options -> Serial number style -> Date based**
==== Default E-Mail Address ====
**Webmin -> Servers -> BIND DNS Server -> Zone Defaults -> Default email address**
==== Master DNS Host Name ====
**Virtualmin -> System Settings -> Server Templates -> Default -> BIND DNS Domain -> Master DNS server hostname**
===== Recursion =====
**Webmin -> Servers -> BIND DNS Server -> Addresses and Topology -> Allow recursive queries from Listed -> localhost and localnets**
Limit recursive lookups by editing ''/etc/bind/named.conf.options'' to include:
allow-recursion {
localnets;
localhost;
};
===== DNSSEC =====
==== Enable DNSSEC ====
**Webmin -> Servers -> BIND DNS Server -> DNSSEC Verification ->**
* **DNSSEC enabled?** Yes
* **DNSSEC response validation enabled?** Yes (automatic mode)
**Webmin -> Servers -> BIND DNS Server -> DNSSEC Key Re-Signing ->**
* **Automatic key re-signing enabled?** Yes
* **Period between re-signs?** 21 days
==== For Newly Created Domains ====
:!: Virtualmin will add DNSSEC records automatically to new domains as they are created.
**Virtualmin -> System Settings -> Server Templates -> Default Settings -> BIND DNS domain ->**
* **Create DNSSEC key and sign new domains?** Yes
* **DNSSEC cryptographic algorithm** RSASHA1
* **Number of DNSSEC keys** Zone key and key-signing key
==== For Existing Domains ====
**Webmin -> Servers -> BIND DNS Server -> //zone// -> Setup DNSSEC Key**
* **Key algorithm** RSASHA1
* **Key size** Average size
* **Number of keys to create** Zone key and key-signing key
* **Create and Add Key**
* **Apply Zone**
:!: You can also remove, then recreate the key.
==== Examine DNSSEC Records ====
**Virtualmin -> //virtual server// -> Server Configuration ->**
  * **DNS Options**
    * You can see **DNSSEC zone keys** and registrar **DS records** here
  * **DNS Records -> Manually Edit**
    * You can see DNSSEC records here
**Force Virtualmin to regenerate all records**, if necessary:
**Virtualmin -> //virtual server// -> Server Configuration -> DNS Options -> Save**
==== Testing DNSSEC ====
http://dnssec-debugger.verisignlabs.com
==== Delegation Signer (DS) Records ====
DS records complete the chain of trust for your DNSSEC signed domains.
:!: You configure DS records at your Domain Name Registrar.
=== ResellerClub Registrar ===
http://manage.resellerclub.com/kb/answer/1909
=== More DS Record Info ===
You can also get the information you need at one of these locations:
cat /var/named/dsset-yourdomain.tld.
cat /var/lib/bind/dsset-yourdomain.tld.
^Algorithm ^Name ^
|3 |DSA/SHA1 |
|5 |RSA/SHA1 |
|6 |DSA-NSEC3-SHA1 |
|7 |RSASHA1-NSEC3-SHA1 |
|8 |RSA/SHA-256 |
|9 |RSA/SHA-512 |
^Digest Type ^Name ^
|1 |SHA-1 |
|2 |SHA-256 |
Enter:
  * **Keytag** (keyid)
    * A number between 0 and 65535
    * The **fourth field** in ''dsset-yourdomain.tld''
  * **Algorithm**
    * Probably RSA-SHA1
    * The **fifth field** in ''dsset-yourdomain.tld''
    * ''5'' = ''RSA-SHA1''
  * **Digest Type**
    * ''1'' = **40-bit** digest
    * ''2'' = **64-bit** digest
    * The **sixth field** in ''dsset-yourdomain.tld''
  * **Digest**
    * The **last field** in ''dsset-yourdomain.tld''
    * Remove the space when entering the 64-bit digest
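Pulling those fields out of the dsset file by hand is error-prone, so here is an added helper (not Virtualmin's own code) that reads each DS line, strips the space BIND prints inside the SHA-256 digest, checks the key tag range and the digest length for each digest type, and flags the SHA-1 based algorithms that RFC 8624 no longer recommends for signing. The zone name and digests in the sample are constructed.

```shell
#!/bin/sh
# Convert a BIND dsset-<zone>. file into the registrar DS form values (key tag, algorithm,
# digest type, digest). Added example, not Virtualmin code; SAMPLE_DSSET is constructed.
# Constructed sample in the layout BIND writes to /var/lib/bind/dsset-yourdomain.tld.
# Fields: zone, IN, DS, key tag, algorithm, digest type, digest (SHA-256 printed with a space).
SAMPLE_DSSET='yourdomain.tld. IN DS 12345 8 1 0123456789ABCDEF0123456789ABCDEF01234567
yourdomain.tld. IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF
yourdomain.tld. IN DS 54321 5 1 ABCDEF0123456789ABCDEF0123456789ABCDEF01'
# Algorithm number -> name (IANA DNSSEC algorithm registry) plus RFC 8624 signing status.
alg_name() {
    case "$1" in
        5)  echo "RSASHA1, not recommended for signing per RFC 8624" ;;
        7)  echo "RSASHA1-NSEC3-SHA1, not recommended for signing per RFC 8624" ;;
        8)  echo "RSASHA256" ;;
        10) echo "RSASHA512" ;;
        13) echo "ECDSAP256SHA256" ;;
        15) echo "ED25519" ;;
        1|3|6|12) echo "must not be used per RFC 8624" ;;
        *)  echo "unknown" ;;
    esac
}
# Reads dsset lines on stdin and prints one registrar-ready line per DS record. Returns 1 if any
# record fails a check: key tag outside 0-65535, unknown digest type, non-hex or wrong-length digest.
dsset_to_registrar() {
    rc=0
    while read -r zone class rtype keytag alg dtype digest; do
        [ "$class" = "IN" ] && [ "$rtype" = "DS" ] || continue
        digest=$(printf '%s' "$digest" | tr -d ' ')   # registrar forms reject the embedded space
        case "$keytag" in
            ''|*[!0-9]*) echo "ERROR $zone: key tag '$keytag' is not a number"; rc=1; continue ;;
        esac
        if [ "$keytag" -gt 65535 ]; then echo "ERROR $zone: key tag $keytag exceeds 65535"; rc=1; continue; fi
        case "$dtype" in
            1) want=40; dname=SHA-1 ;;     # 160-bit digest = 40 hex characters
            2) want=64; dname=SHA-256 ;;   # 256-bit digest = 64 hex characters
            *) echo "ERROR $zone: unknown digest type '$dtype'"; rc=1; continue ;;
        esac
        case "$digest" in
            ''|*[!0-9A-Fa-f]*) echo "ERROR $zone: digest is not hexadecimal"; rc=1; continue ;;
        esac
        if [ "${#digest}" -ne "$want" ]; then
            echo "ERROR $zone: $dname digest has ${#digest} hex characters, expected $want"; rc=1; continue
        fi
        echo "$zone keytag=$keytag algorithm=$alg ($(alg_name "$alg")) digesttype=$dtype ($dname) digest=$digest"
    done
    return "$rc"
}
printf '%s\n' "$SAMPLE_DSSET" | dsset_to_registrar   # on a server: dsset_to_registrar < /var/lib/bind/dsset-yourdomain.tld.
```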