Use dig +trace for more query details.
http://www.virtualmin.com/documentation/dns/slave-configuration
Make sure ports 10000 to 10010 (Webmin and its RPC ports, used to push the zone configuration) are open between the two DNS servers, in addition to port 53 TCP and UDP, which the NOTIFY messages and the zone transfers themselves use.
Without Virtualmin, a slave zone can be created on the slave server using its Webmin BIND DNS Server module → Create a new slave zone.
With a Virtualmin primary DNS server, create slave DNS zones on Virtualmin slave servers:
You would use this command when the primary zone is configured and working but no slave configuration exists, for example after a virtual server transfer (use either --all-domains or --domain <yourdomain.tld>):
virtualmin modify-dns --all-domains | --domain <yourdomain.tld> --add-all-slaves
Initiate a transfer at the slave server and check the log (may be messages or syslog):
rndc retransfer yourdomain.tld
tail -200 /var/log/syslog
This command performs a test zone transfer at the slave server CLI:
dig domain.tld. axfr @ns.dnsdomain.tld
If the same AXFR also succeeds from a host that is not one of your slaves, allow-transfer on the master is too permissive; restrict it to the slave addresses.
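The retransfer and test-transfer steps above tell you a transfer happened, not that the slave is current. The following is an added example, not from the page or from Virtualmin, that compares the SOA serial answered by the master with the one answered by the slave; the hostnames ns1.dnsdomain.tld / ns2.dnsdomain.tld, the zone and the serials in the offline demo are placeholders constructed here.

```shell
#!/bin/sh
# Added example: confirm a slave caught up after `rndc retransfer` by comparing
# the SOA serial the master and the slave answer with. Names are placeholders.

# Extract the serial (third field) from one line of `dig +short <zone> SOA` output, e.g.
# "ns1.dnsdomain.tld. hostmaster.dnsdomain.tld. 2024010105 10800 3600 604800 3600"
soa_serial() {
    set -- $1
    echo "$3"
}

# 0 when the two serials are identical, 1 otherwise.
serials_match() {
    [ "$1" = "$2" ]
}

# $1 master serial, $2 slave serial. Plain integer compare: fine for the
# date-based serials configured on this page, not for serials that wrapped (RFC 1982).
slave_behind() {
    [ "$2" -lt "$1" ]
}

# Live check (needs network; not run by the offline demo below):
#   live_check yourdomain.tld ns1.dnsdomain.tld ns2.dnsdomain.tld
live_check() {
    zone=$1; master=$2; slave=$3
    m=$(soa_serial "$(dig +short "$zone" SOA "@$master")")
    s=$(soa_serial "$(dig +short "$zone" SOA "@$slave")")
    if serials_match "$m" "$s"; then
        echo "ok: $slave serial $s matches master"
    elif slave_behind "$m" "$s"; then
        echo "BEHIND: master=$m slave=$s (run: rndc retransfer $zone on $slave)"
        return 1
    else
        echo "AHEAD: slave=$s is newer than master=$m; check which server is really primary"
        return 1
    fi
}

# Offline demo on constructed dig output (the slave is one serial behind):
MASTER_OUT="ns1.dnsdomain.tld. hostmaster.dnsdomain.tld. 2024010105 10800 3600 604800 3600"
SLAVE_OUT="ns1.dnsdomain.tld. hostmaster.dnsdomain.tld. 2024010104 10800 3600 604800 3600"
echo "master serial: $(soa_serial "$MASTER_OUT")"
echo "slave serial:  $(soa_serial "$SLAVE_OUT")"
if slave_behind "$(soa_serial "$MASTER_OUT")" "$(soa_serial "$SLAVE_OUT")"; then
    echo "slave is behind: retransfer needed"
fi
```

Run live_check once per slave after the modify-dns and rndc retransfer steps; a slave that is ahead of the master usually means a zone was edited on the wrong server.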
BIND's default behavior for outbound queries is to send from whichever interface the route to the destination uses, with a random, unprivileged source port.
Test for random source ports:
dig +short porttest.dns-oarc.net TXT
Force source port to 53:
This is old methodology: it disables source-port randomization, which is a defense against cache poisoning, and it will cause problems with some mail servers. Only do it if an outgoing firewall leaves no other option.
vim /etc/bind/named.conf.options
// Limit the outbound source port to get through outgoing firewall
query-source address * port 53;
To allow outbound DNS lookups through a CSF firewall, with random source ports, append a line:
vim /etc/csf/csf.allow
udp|out|d=53|| # Outbound DNS query with random source port
Add a matching tcp|out|d=53 line as well: answers that do not fit in a UDP packet (common with DNSSEC) are retried over TCP.
Set all domains to TTL value:
virtualmin modify-dns --all-domains --ttl 400
Enable or disable DNSSEC on all domains:
virtualmin modify-dns --all-domains --disable-dnssec
virtualmin modify-dns --all-domains --enable-dnssec
The 'dots' at the end of host and domain names are important.
Remove all NS records, then re-add new ones:
virtualmin modify-dns --domain xyz.tld --remove-record "xyz.tld. NS"
virtualmin modify-dns --domain xyz.tld --add-record "xyz.tld. NS ns1.dnsdomain.tld."
virtualmin modify-dns --domain xyz.tld --add-record "xyz.tld. NS ns2.dnsdomain.tld."
List all name servers for all domains:
for dom in $(virtualmin list-domains --with-feature dns --name-only); do host -t ns $dom; done |sort
Replace name server (NS) records for all domains (the three modify-dns calls must be separate commands, one per line or separated by semicolons):
for dom in $(virtualmin list-domains --with-feature dns --name-only); do
  virtualmin modify-dns --domain "$dom" --remove-record "$dom. NS"
  virtualmin modify-dns --domain "$dom" --add-record "$dom. NS ns1.dnsdomain.tld."
  virtualmin modify-dns --domain "$dom" --add-record "$dom. NS ns2.dnsdomain.tld."
done
Set all SPF records to 'discourage' (~all):
virtualmin modify-dns --all-domains --spf-all-discourage
Webmin → Servers → BIND DNS Server → Module Config → Zone File Options → Serial number style → Date based
Webmin → Servers → BIND DNS Server → Zone Defaults → Default email address
Virtualmin → System Settings → Server Templates → Default → BIND DNS Domain → Master DNS server hostname
Webmin → Servers → BIND DNS Server → Addresses and Topology → Allow recursive queries from Listed → localhost and localnets
Limit recursive lookups by editing /etc/bind/named.conf.options to include:
allow-recursion { localnets; localhost; };
An open recursive resolver can be abused for reflection/amplification attacks and exposes its cache to poisoning. If the server is authoritative only, set recursion no; instead of an ACL.
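The source-port and recursion settings above are easy to get wrong in a hand-edited named.conf.options and easy to leave behind after a migration. The following is an added example, not from the page, from Webmin or from BIND, that greps a stripped-of-comments options block for the three settings a reviewer would look for: open recursion, a pinned query-source port, and an unrestricted allow-transfer. The two sample configurations are constructed here; the IP 192.0.2.53 is a placeholder for a slave address.

```shell
#!/bin/sh
# Added example: audit a BIND options block for open recursion, a pinned
# query-source port and open zone transfers. Reads the config on stdin.

# Strip // and # comments so a commented-out directive is not reported.
strip_comments() {
    sed -e 's,//.*$,,' -e 's,#.*$,,'
}

# Print one finding per line; print nothing when the block looks fine.
audit_named_options() {
    cfg=$(strip_comments)
    if printf '%s\n' "$cfg" | grep -Eq 'allow-recursion[[:space:]]*[{][^}]*[[:space:]{]any[[:space:];]'; then
        echo "open-recursion: allow-recursion includes any"
    elif ! printf '%s\n' "$cfg" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;' \
         && ! printf '%s\n' "$cfg" | grep -q 'allow-recursion'; then
        # BIND recurses by default, so no ACL and no "recursion no;" means open recursion.
        echo "open-recursion: recursion enabled with no allow-recursion ACL"
    fi
    if printf '%s\n' "$cfg" | grep -Eq 'query-source(-v6)?[[:space:]]+[^;]*port[[:space:]]+[0-9]+'; then
        echo "fixed-source-port: query-source pins the port (disables source-port randomization)"
    fi
    if printf '%s\n' "$cfg" | grep -Eq 'allow-transfer[[:space:]]*[{][^}]*[[:space:]{]any[[:space:];]'; then
        echo "open-axfr: allow-transfer includes any"
    fi
}

# Exit status wrapper: 0 = no findings, 1 = at least one finding.
named_options_ok() {
    [ -z "$(audit_named_options)" ]
}

# Constructed samples: the weak block beside the corrected one.
WEAK='options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { any; };
    query-source address * port 53;
    allow-transfer { any; };
};'

HARD='options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localnets; localhost; };
    // query-source address * port 53;   left commented out: keep random source ports
    allow-transfer { 192.0.2.53; };      // only the slave (placeholder address)
};'

echo "weak config:"
printf '%s\n' "$WEAK" | audit_named_options
echo "hardened config:"
printf '%s\n' "$HARD" | audit_named_options
printf '%s\n' "$HARD" | named_options_ok && echo "hardened config: no findings"
```

To audit the real file: audit_named_options < /etc/bind/named.conf.options. The checks are line-based greps, so a directive split across lines in an unusual way can slip past them; they are a quick review aid, not a parser.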
Webmin → Servers → BIND DNS Server → DNSSEC Verification →
Webmin → Servers → BIND DNS Server → DNSSEC Key Re-Signing →
Virtualmin will add DNSSEC records automatically to new domains as they are created.
Virtualmin → System Settings → Server Templates → Default Settings → BIND DNS domain →
Webmin → Servers → BIND DNS Server → <Zone to Modify> → Setup DNSSEC Key
You can also remove, then recreate the key.
Virtualmin → <Domain/Zone> → Server Configuration →
Force Virtualmin to regenerate all records, if necessary:
Virtualmin → <Domain/Zone> → Server Configuration → DNS Options → Save
DS records complete the chain of trust for your DNSSEC signed domains.
You configure DS records at your Domain Name Registrar.
You can also get the information you need from one of these files (the trailing dot is part of the file name):
cat /var/named/dsset-yourdomain.tld.
cat /var/lib/bind/dsset-yourdomain.tld.
Algorithm | Name |
---|---|
3 | DSA/SHA1 |
5 | RSA/SHA1 |
6 | DSA-NSEC3-SHA1 |
7 | RSASHA1-NSEC3-SHA1 |
8 | RSA/SHA-256 |
9 | RSA/SHA-512 |
Digest Type | Name |
---|---|
1 | SHA-1 |
2 | SHA-256 |
Each line of the dsset-yourdomain.tld. file gives, in order: the zone name, the key tag, the algorithm number (for example 5 = RSA/SHA1, 8 = RSA/SHA-256), the digest type (1 = SHA-1, a 40-hex-character digest; 2 = SHA-256, a 64-hex-character digest) and the digest itself. Enter those values in the registrar's DS form.
Digest type 1 and the SHA-1 based signing algorithms (3, 5, 6, 7) are deprecated; for new keys use algorithm 8 or 13 (ECDSAP256SHA256) with digest type 2.
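Copying the dsset fields into a registrar form by hand is where DS records most often go wrong (wrong field, truncated digest, or the SHA-1 record submitted instead of the SHA-256 one). The following is an added example, not from the page or from BIND, that splits a dsset file into the registrar fields and checks each record: digest length against digest type, hex-only digest, and the deprecated SHA-1 algorithms and digest type. The dsset content, key tags and digests are constructed placeholders.

```shell
#!/bin/sh
# Added example: turn a dsset-<zone>. file into registrar DS fields and sanity-check them.

# Print "keytag algorithm digesttype digest" for every DS record on stdin.
# Works for dnssec-signzone dsset lines and for `dig DS` output (which has a TTL column):
# the fields are located relative to the "DS" token, and a digest printed in
# space-separated groups is joined back together.
ds_fields() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "DS") {
               d = ""; for (j = i + 4; j <= NF; j++) d = d $j
               print $(i+1), $(i+2), $(i+3), d; break } }'
}

# Expected hex length of a digest: 1 = SHA-1 (40), 2 = SHA-256 (64), 4 = SHA-384 (96).
digest_hex_len() {
    case "$1" in 1) echo 40 ;; 2) echo 64 ;; 4) echo 96 ;; *) echo 0 ;; esac
}

# Check one record; prints a verdict and returns 0 only when it is fit to submit.
check_ds() {
    tag=$1; alg=$2; dtype=$3; digest=$4
    want=$(digest_hex_len "$dtype")
    got=${#digest}
    if [ "$want" -eq 0 ]; then echo "keytag $tag: unknown digest type $dtype"; return 1; fi
    case "$digest" in *[!0-9A-Fa-f]*|"") echo "keytag $tag: digest is not hex"; return 1 ;; esac
    if [ "$got" -ne "$want" ]; then
        echo "keytag $tag: digest has $got hex chars, digest type $dtype needs $want"; return 1
    fi
    case "$alg" in
        3|5|6|7) echo "keytag $tag: algorithm $alg is SHA-1 based and deprecated; resign with 8 or 13"; return 1 ;;
    esac
    if [ "$dtype" -eq 1 ]; then
        echo "keytag $tag: digest type 1 (SHA-1) is deprecated; submit the digest type 2 record"; return 1
    fi
    echo "keytag $tag: ok (alg $alg, digest type $dtype, digest $digest)"
}

# $1: dsset file. Prints a verdict per record; returns 0 only when all records pass.
check_dsset() {
    verdicts=$(ds_fields <"$1" | while read -r tag alg dtype digest; do
        check_ds "$tag" "$alg" "$dtype" "$digest"
    done)
    printf '%s\n' "$verdicts"
    ! printf '%s\n' "$verdicts" | grep -qv ': ok ('
}

# Constructed sample digests (placeholders, not real key material):
HEX64=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
HEX40=0123456789abcdef0123456789abcdef01234567

SAMPLE=$(mktemp)
cat >"$SAMPLE" <<EOF
yourdomain.tld.	IN DS 12345 8 2 $HEX64
yourdomain.tld.	IN DS 12345 5 1 $HEX40
EOF
check_dsset "$SAMPLE" && echo "all records ok" || echo "fix the flagged records before submitting"
rm -f "$SAMPLE"
```

On a real server run check_dsset /var/lib/bind/dsset-yourdomain.tld. (or the /var/named path) and submit only the records reported as ok; after the registrar publishes them, dig +dnssec DS yourdomain.tld. from the parent should return the same key tag and digest.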