Virtualmin - DNS

:!: Use dig +trace to follow a query from the root servers down to the authoritative server when a plain lookup does not show enough.

Slave DNS

http://www.virtualmin.com/documentation/dns/slave-configuration

:!: Make sure TCP ports 10000:10010 (Webmin and its RPC connections) are open between the two DNS servers, and that TCP and UDP port 53 are open between them for the zone transfers and NOTIFY messages themselves.

:!: Without Virtualmin on the slave, create the slave zone with the Webmin BIND DNS Server module on that server: Create a new slave zone.

With a Virtualmin primary DNS server, create the slave DNS zones on the Virtualmin slave servers:

:!: Use this command when the primary zone is configured and working but no slave configuration exists, for example after a virtual server transfer.

virtualmin modify-dns --all-domains --add-all-slaves
virtualmin modify-dns --domain yourdomain.tld --add-all-slaves

Initiate a transfer at the slave server and check the log (named logs to /var/log/messages or /var/log/syslog depending on the distribution):

rndc retransfer yourdomain.tld

tail -200 /var/log/syslog

This command performs a test zone transfer from the slave server's CLI:

dig domain.tld. axfr @ns.dnsdomain.tld

:!: Run the same command from a host that is not one of your slaves. If it still succeeds, allow-transfer on the master is too permissive and anyone can dump every record in the zone.
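
As an added example (not one of the page's original commands), the script below checks that a retransfer actually worked by comparing the SOA serial on the master with the serial on each slave. The serial parsing runs offline on the embedded sample answers; the live check uses virtualmin list-domains and dig as shown elsewhere on this page. The SOA answer lines used as sample input and the host names ns1/ns2/ns3.dnsdomain.tld are constructed placeholders.

```shell
#!/bin/sh
# After "rndc retransfer" (or modify-dns --add-all-slaves), confirm the zone
# really replicated: the SOA serial on every slave must equal the master's.
set -e

# The serial is the third RDATA field of a "dig +short <zone> SOA" answer, e.g.
#   ns1.dnsdomain.tld. hostmaster.dnsdomain.tld. 2019040401 3600 900 1209600 86400
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 3 { print $3; exit }'
}

# $1 zone, $2 the master's SOA answer, $3.. "server|SOA answer" pairs, one per
# slave. Prints one status line; returns 1 if any slave lags or did not answer.
zone_in_sync() {
    local zone=$1 primary=$2 want have server lagging pair
    shift 2
    want=$(soa_serial "$primary")
    if [ -z "$want" ]; then
        echo "$zone: no SOA answer from master"
        return 1
    fi
    lagging=""
    for pair in "$@"; do
        server=${pair%%|*}
        have=$(soa_serial "${pair#*|}")
        [ "$have" = "$want" ] || lagging="$lagging $server=${have:-no-answer}"
    done
    if [ -z "$lagging" ]; then
        echo "$zone: in sync (serial $want)"
    else
        echo "$zone: OUT OF SYNC master=$want$lagging"
        return 1
    fi
}

# Live check on a Virtualmin master: for every zone with the DNS feature,
# query the master and each slave given on the command line.
#   sh check-slaves.sh 127.0.0.1 ns2.dnsdomain.tld ns3.dnsdomain.tld
check_live() {
    local master=$1 slaves zone ns
    shift
    slaves=$*
    for zone in $(virtualmin list-domains --with-feature dns --name-only); do
        set --
        for ns in $slaves; do
            set -- "$@" "$ns|$(dig +short +time=3 +tries=1 "$zone" SOA "@$ns" || true)"
        done
        zone_in_sync "$zone" "$(dig +short +time=3 +tries=1 "$zone" SOA "@$master" || true)" "$@" || true
    done
}

if [ $# -ge 2 ]; then
    check_live "$@"
fi
```

A slave that answers with an older serial has not transferred yet (check allow-transfer and NOTIFY on the master); one that does not answer at all usually has no slave zone configured, which is what --add-all-slaves fixes.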

Firewall

By default BIND sends outbound queries from whichever interface the route to the destination uses, and from a random unprivileged source port; that randomisation is what protects the cache against forged answers.

Test for random source ports:

dig +short porttest.dns-oarc.net TXT

Force source port to 53:

:!: This is old methodology: pinning the source port removes the randomisation that protects the cache against poisoning (the 2008 Kaminsky attack), and it also causes problems with some mail servers. Prefer opening the firewall for random source ports instead.

vim /etc/bind/named.conf.options

        // Limit the outbound source port to get through outgoing firewall
        query-source address * port 53;

To allow outbound DNS lookups through a CSF firewall, with random source ports, append a line:

vim /etc/csf/csf.allow

udp|out|d=53|| # Outbound DNS query with random source port

CLI

Set all domains to TTL value:

virtualmin modify-dns --all-domains --ttl 400

Enable or Disable DNSSEC on all domains:

virtualmin modify-dns --all-domains --disable-dnssec
virtualmin modify-dns --all-domains --enable-dnssec

:!: The trailing 'dots' on host and domain names are important: a name without one is relative and has the zone name appended.

Remove all NS records, then re-add new ones:

virtualmin modify-dns --domain xyz.tld --remove-record "xyz.tld. NS"
virtualmin modify-dns --domain xyz.tld --add-record "xyz.tld. NS ns1.dnsdomain.tld."
virtualmin modify-dns --domain xyz.tld --add-record "xyz.tld. NS ns2.dnsdomain.tld."

List all name servers for all domains:

for dom in $(virtualmin list-domains --with-feature dns --name-only); do host -t ns "$dom"; done | sort

Replace name server (NS) records for all domains:

for dom in $(virtualmin list-domains --with-feature dns --name-only); do
    virtualmin modify-dns --domain "$dom" --remove-record "$dom. NS"
    virtualmin modify-dns --domain "$dom" --add-record "$dom. NS ns1.dnsdomain.tld."
    virtualmin modify-dns --domain "$dom" --add-record "$dom. NS ns2.dnsdomain.tld."
done

Set all SPF records to 'discourage' (~all):

virtualmin modify-dns --all-domains --spf-all-discourage

SOA Record

Serial Number Format

Webmin → Servers → BIND DNS Server → Module Config → Zone File Options → Serial number style → Date based

Default E-Mail Address

Webmin → Servers → BIND DNS Server → Zone Defaults → Default email address

Master DNS Host Name

Virtualmin → System Settings → Server Templates → Default → BIND DNS Domain → Master DNS server hostname

Recursion

Webmin → Servers → BIND DNS Server → Addresses and Topology → Allow recursive queries from Listed → localhost and localnets

Limit recursive lookups by adding this inside the options { } block of /etc/bind/named.conf.options:

        allow-recursion {
                localnets;
                localhost;
        };
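
As an added example (not from the Virtualmin or Webmin documentation), the following script audits a named.conf.options file for the three settings discussed in the Slave DNS, Firewall and Recursion sections: a pinned query-source port, recursion open to any host, and zone transfers open to any host. The two embedded sample configurations are constructed for the demonstration; the addresses in the hardened one are RFC 5737 documentation addresses, not real slaves.

```shell
#!/bin/sh
# Audit a BIND options file for the settings discussed on this page: a pinned
# outbound source port, recursion open to any host, zone transfers open to any
# host. Findings are printed one per line, prefixed WEAK or NOTE.
set -e

# Flatten the file to one line with // and # comments removed, so multi-line
# blocks such as "allow-recursion {\n localnets;\n };" can be matched.
# (/* */ comments are not handled.)
flatten_conf() {
    sed -e 's,//.*$,,' -e 's,#.*$,,' "$1" | tr '\n' ' '
}

has() { printf '%s\n' "$1" | grep -Eq "$2"; }

audit_named_options() {
    local conf
    conf=$(flatten_conf "$1")

    # A fixed port on query-source undoes source-port randomisation, which is
    # what makes forging an answer into the cache (Kaminsky-style) impractical.
    if has "$conf" 'query-source[^;]*port[[:space:]]+[1-9][0-9]*'; then
        echo "WEAK: query-source pins the outbound UDP source port; remove the port clause"
    fi

    # Recursion: "any" is an open resolver. No list at all means relying on
    # BIND's default of localnets and localhost, which works but is implicit.
    if has "$conf" 'allow-recursion[^}]*[^[:alnum:]_-]any[[:space:]]*;'; then
        echo "WEAK: allow-recursion includes any (open resolver)"
    elif ! has "$conf" 'allow-recursion'; then
        echo "NOTE: no allow-recursion list; BIND's default is localnets and localhost"
    fi

    # Zone transfers: "any" lets anyone AXFR every zone. Name the slaves.
    if has "$conf" 'allow-transfer[^}]*[^[:alnum:]_-]any[[:space:]]*;'; then
        echo "WEAK: allow-transfer includes any; list the slaves' addresses instead"
    elif ! has "$conf" 'allow-transfer'; then
        echo "NOTE: no allow-transfer list; add one naming the slaves"
    fi
}

# Constructed samples for the demonstration, not a real server's files.
write_weak_sample() {
    cat <<'EOF'
options {
        directory "/var/cache/bind";
        // Limit the outbound source port to get through outgoing firewall
        query-source address * port 53;
        recursion yes;
        allow-recursion { any; };
        allow-transfer { any; };
};
EOF
}

write_hardened_sample() {
    cat <<'EOF'
options {
        directory "/var/cache/bind";
        // No port clause: BIND picks a random unprivileged source port
        query-source address *;
        allow-recursion {
                localnets;
                localhost;
        };
        // Slaves only (RFC 5737 documentation addresses as placeholders)
        allow-transfer { 192.0.2.53; 198.51.100.53; };
};
EOF
}

demo() {
    local weak hardened
    weak=$(mktemp)
    hardened=$(mktemp)
    write_weak_sample >"$weak"
    write_hardened_sample >"$hardened"
    echo "== weak sample"; audit_named_options "$weak"
    echo "== hardened sample"; audit_named_options "$hardened"
    rm -f "$weak" "$hardened"
}

# Usage: sh audit-named.sh /etc/bind/named.conf.options   (no argument: run the demo)
if [ $# -gt 0 ]; then
    for conf_file in "$@"; do audit_named_options "$conf_file"; done
else
    demo
fi
```

The weak sample reproduces the "port 53" setting from the Firewall section together with open recursion and open transfers; the hardened sample is the shape to aim for, with the outbound port left random (pair it with the csf.allow rule above) and both ACLs restricted.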

DNSSEC

Enable DNSSEC

Webmin → Servers → BIND DNS Server → DNSSEC Verification →

  • DNSSEC enabled? Yes
  • DNSSEC response validation enabled? Yes (automatic mode)

Webmin → Servers → BIND DNS Server → DNSSEC Key Re-Signing →

  • Automatic key re-signing enabled? Yes
  • Period between re-signs? 21 days

For Newly Created Domains

:!: Virtualmin will add DNSSEC records automatically to new domains as they are created.

Virtualmin → System Settings → Server Templates → Default Settings → BIND DNS domain →

  • Create DNSSEC key and sign new domains? Yes
  • DNSSEC cryptographic algorithm RSASHA1
  • Number of DNSSEC keys Zone key and key-signing key

:!: RSASHA1 (algorithm 5) is no longer recommended for signing (RFC 8624); choose RSASHA256 (8) or ECDSAP256SHA256 (13) if your Webmin version offers them, here and when setting up keys for existing domains.

For Existing Domains

Webmin → Servers → BIND DNS Server → <Zone to Modify> → Setup DNSSEC Key

  • Key algorithm RSASHA1
  • Key size Average size
  • Number of keys to create Zone key and key-signing key
  • Create and Add Key
  • Apply Zone

:!: You can also remove, then recreate the key.

Examine DNSSEC Records

Virtualmin → <Domain/Zone> → Server Configuration →

  • DNS Options
    • You can see DNSSEC zone keys and registrar DS records here
  • DNS Records → Manually Edit
    • You can see DNSSEC records here

Force Virtualmin to regenerate all records, if necessary:

Virtualmin → <Domain/Zone> → Server Configuration → DNS Options → Save

Testing DNSSEC

Delegation Signer (DS) Records

DS records complete the chain of trust for your DNSSEC signed domains.

:!: You configure DS records at your Domain Name Registrar.

ResellerClub Registrar

More DS Record Info

You can also get the information you need at one of these locations:

cat /var/named/dsset-yourdomain.tld.
cat /var/lib/bind/dsset-yourdomain.tld.

Algorithm   Name
3           DSA/SHA1
5           RSA/SHA1
6           DSA-NSEC3-SHA1
7           RSASHA1-NSEC3-SHA1
8           RSA/SHA-256
10          RSA/SHA-512
13          ECDSA P-256/SHA-256
15          Ed25519

Digest Type Name
1           SHA-1
2           SHA-256
4           SHA-384

Enter:

  • Keytag (keyid)
    • A number between 0 and 65535
    • The fourth field in dsset-yourdomain.tld
  • Algorithm
    • The number of the algorithm the key was created with (5 = RSA-SHA1 for the keys created as above, 8 = RSA/SHA-256)
    • The fifth field in dsset-yourdomain.tld
  • Digest Type
    • 1 = SHA-1 (a 40-character hex digest)
    • 2 = SHA-256 (a 64-character hex digest)
    • The sixth field in dsset-yourdomain.tld
  • Digest
    • The seventh field onward in dsset-yourdomain.tld
    • The file breaks the 64-character SHA-256 digest with a space; remove it when entering the digest
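
As an added example (not from this page or from Virtualmin), the script below recomputes a DS record from a DNSKEY's flags, protocol, algorithm and base64 public key, following RFC 4034 section 5.1 and appendix B, and compares it with a dsset-yourdomain.tld. line, joining the digest halves that the file separates with a space. This lets you confirm the four values before typing them at the registrar. Take the DNSKEY values from `dig +dnssec +multi yourdomain.tld DNSKEY` on the master, or from the DNS Options page mentioned above. The example.com key with public key AQAB is constructed input to exercise the arithmetic and is not a usable key.

```shell
#!/bin/sh
# Recompute the DS record for a DNSKEY (RFC 4034 section 5.1 and appendix B) so
# the keytag, algorithm, digest type and digest entered at the registrar can be
# checked against the dsset-<zone>. file or against what the registrar shows.
set -e

# Canonical wire form of an owner name: lowercase, each label prefixed by its
# length, terminated by a zero byte. Returned as a hex string.
name_to_wire_hex() {
    local name label out saved_ifs
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    out=""
    saved_ifs=$IFS
    IFS='.'
    for label in $name; do
        out="$out$(printf '%02x' "${#label}")$(printf '%s' "$label" | od -An -tx1 -v | tr -d ' \n')"
    done
    IFS=$saved_ifs
    printf '%s00' "$out"
}

# DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key.
dnskey_rdata_hex() {
    printf '%04x%02x%02x' "$1" "$2" "$3"
    printf '%s' "$4" | tr -d ' \t\n' | base64 -d | od -An -tx1 -v | tr -d ' \n'
}

# Decimal value of each byte of a hex string, one per line (POSIX awk only).
hex_to_dec_bytes() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < length($0); i += 2) {
            hi = index("0123456789abcdef", tolower(substr($0, i, 1))) - 1
            lo = index("0123456789abcdef", tolower(substr($0, i + 1, 1))) - 1
            print hi * 16 + lo
        }
    }'
}

# Key tag, RFC 4034 appendix B: add even-offset bytes shifted left 8 and
# odd-offset bytes as they are, fold the carry back in, keep 16 bits.
key_tag() {
    local ac b i
    ac=0
    i=0
    for b in $(hex_to_dec_bytes "$1"); do
        if [ $((i % 2)) -eq 0 ]; then ac=$((ac + b * 256)); else ac=$((ac + b)); fi
        i=$((i + 1))
    done
    ac=$((ac + ((ac >> 16) & 65535)))
    echo $((ac & 65535))
}

# Raw bytes of a hex string, emitted through octal escapes so any POSIX printf works.
hex_to_bin() {
    local b
    for b in $(hex_to_dec_bytes "$1"); do
        printf "\\$(printf '%03o' "$b")"
    done
}

# DS digest = hash(owner name wire form || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256.
ds_digest() {
    local hasher
    case $3 in
        1) hasher=sha1sum ;;
        2) hasher=sha256sum ;;
        *) echo "unsupported digest type $3" >&2; return 1 ;;
    esac
    hex_to_bin "$1$2" | "$hasher" | awk '{ print toupper($1) }'
}

# $1 owner name, $2 flags, $3 protocol, $4 algorithm, $5 base64 public key,
# $6 digest type. Prints the DS record in presentation format.
make_ds() {
    local name_hex rdata_hex
    name_hex=$(name_to_wire_hex "$1")
    rdata_hex=$(dnskey_rdata_hex "$2" "$3" "$4" "$5")
    printf '%s IN DS %s %s %s %s\n' "$1" "$(key_tag "$rdata_hex")" "$4" "$6" \
        "$(ds_digest "$name_hex" "$rdata_hex" "$6")"
}

# Normalise a DS line to "keytag alg dtype DIGEST", joining the digest pieces
# that dsset files separate with a space.
ds_fields() {
    awk '{
        for (i = 1; i <= NF && $i != "DS"; i++) ;
        if (i + 3 > NF) { print ""; exit }
        printf "%s %s %s ", $(i + 1), $(i + 2), $(i + 3)
        for (j = i + 4; j <= NF; j++) printf "%s", toupper($j)
        print ""
    }'
}

# Does a dsset-<zone>. line agree with the DS recomputed from the DNSKEY?
# $1 = the line, $2.. = the make_ds arguments.
dsset_line_matches() {
    local line want have
    line=$1
    shift
    want=$(make_ds "$@" | ds_fields)
    have=$(printf '%s\n' "$line" | ds_fields)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Usage: sh ds-check.sh <zone> <flags> <protocol> <algorithm> <base64-key> <digest-type>
if [ $# -eq 6 ]; then
    make_ds "$@"
fi
```

For a real key, flags are 257 for a key-signing key (the one the DS must cover) and 256 for a zone key; RFC 4034 section 5.4 gives a worked vector (dskey.example.com., key tag 60485) that can be fed through make_ds to confirm the arithmetic on your system.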

internet/hosting/virtualmin_dns.txt · Last modified: 2019/04/04 11:06 by gcooper