Virtualmin - DNS

:!: Use dig +trace for more query details.

Slave DNS

http://www.virtualmin.com/documentation/dns/slave-configuration

:!: Make sure ports 10000:10010 are open between the two DNS servers.

:!: If a slave domain needs to be created on the slave, use the Webmin BIND DNS Server module on the slave server to Create a new slave zone.

At the primary DNS server, create slave DNS zones on Virtualmin slave servers:

:!: Use this command when the primary zone is configured and working but no slave configuration exists for it, for example after a virtual server transfer.

virtualmin modify-dns --all-domains --add-all-slaves

Initiate a transfer at the slave server and check the log (may be messages or syslog):

rndc retransfer yourdomain.tld

tail -200 /var/log/syslog

Perform a zone transfer at the slave server CLI:

dig domain.tld. axfr @ns.dnsdomain.tld
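After the retransfer, the useful check is whether the slave now holds the same zone version as the master. The script below is an added example, not part of the wiki page: it pulls the serial out of a `dig +noall +answer SOA` answer line and compares the master's and slave's values. The host names, zone and the two answer lines are constructed placeholders; the `live_serial` helper is the only part that touches the network.

```shell
#!/bin/sh
# Added example (not from the wiki page): confirm a slave is in sync with the
# master by comparing SOA serials. Names are placeholders for your own servers.

# Extract the serial from one "dig +noall +answer <zone> SOA" line.
# Field layout: zone TTL IN SOA mname rname serial refresh retry expire minimum
soa_serial() {
    # $1 = one answer line from dig
    echo "$1" | awk '$4 == "SOA" { print $7 }'
}

# Compare two serials; prints "in-sync" or "out-of-sync", returns 0 or 1.
compare_serials() {
    # $1 = master serial, $2 = slave serial
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo "in-sync"
        return 0
    fi
    echo "out-of-sync"
    return 1
}

# Ask a name server for the zone's current serial (needs dig and network access).
live_serial() {
    # $1 = zone, $2 = name server to query
    soa_serial "$(dig +noall +answer "$1" SOA "@$2")"
}

# Constructed sample answer lines (offline demo): slave is one serial behind.
MASTER_LINE="yourdomain.tld. 3600 IN SOA ns1.dnsdomain.tld. hostmaster.yourdomain.tld. 2019040401 10800 3600 604800 38400"
SLAVE_LINE="yourdomain.tld. 3600 IN SOA ns1.dnsdomain.tld. hostmaster.yourdomain.tld. 2019040400 10800 3600 604800 38400"

# Run the comparison over the constructed sample.
check_sample() {
    compare_serials "$(soa_serial "$MASTER_LINE")" "$(soa_serial "$SLAVE_LINE")"
}

# Offline demonstration; for a real check use:
#   compare_serials "$(live_serial yourdomain.tld ns1.dnsdomain.tld)" \
#                   "$(live_serial yourdomain.tld ns2.dnsdomain.tld)"
if check_sample; then
    echo "slave holds the current zone"
else
    echo "slave is behind: retransfer and check the log"
fi
```

An "out-of-sync" result right after `rndc retransfer` usually means the transfer was refused or never arrived, which is where the port check and the syslog tail above come in.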

Firewall

By default, BIND sends outbound queries from whichever interface the route to the destination uses, with a random unprivileged source port.

Test for random source ports:

dig +short porttest.dns-oarc.net TXT

Force the source port to 53:

:!: This WILL cause problems with some mail servers.

:!: A fixed source port also gives up the source-port randomisation that protects the resolver against cache poisoning; prefer the firewall rule below where possible.

vim /etc/bind/named.conf.options

        // Limit the outbound source port to get through outgoing firewall
        query-source address * port 53;

To allow outbound DNS lookups through a CSF firewall, with random source ports, append a line:

vim /etc/csf/csf.allow

udp|out|d=53|| # Outbound DNS query with random source port

CLI

Set all domains to TTL value:

virtualmin modify-dns --all-domains --ttl 400

Enable or Disable DNSSEC on all domains:

virtualmin modify-dns --all-domains --disable-dnssec
virtualmin modify-dns --all-domains --enable-dnssec

:!: The 'dots' at the end of host and domain names are important.

Remove all NS records, then re-add new ones:

virtualmin modify-dns --domain xyz.tld --remove-record "xyz.tld. NS"
virtualmin modify-dns --domain xyz.tld --add-record "xyz.tld. NS ns1.dnsdomain.tld."
virtualmin modify-dns --domain xyz.tld --add-record "xyz.tld. NS ns2.dnsdomain.tld."

List all name servers for all domains:

for dom in $(virtualmin list-domains --with-feature dns --name-only); do host -t ns $dom; done |sort

Replace name server (NS) records for all domains:

for dom in $(virtualmin list-domains --with-feature dns --name-only); do
virtualmin modify-dns --domain $dom --remove-record "$dom. NS"
virtualmin modify-dns --domain $dom --add-record "$dom. NS ns1.dnsdomain.tld."
virtualmin modify-dns --domain $dom --add-record "$dom. NS ns2.dnsdomain.tld."
done

Set all SPF records to 'discourage' (~all):

virtualmin modify-dns --all-domains --spf-all-discourage

SOA Record

Serial Number Format

Webmin → Servers → BIND DNS Server → Module Config → Zone File Options → Serial number style → Date based

Default E-Mail Address

Webmin → Servers → Bind DNS Server → Zone Defaults → Default email address

Master DNS Host Name

Virtualmin → System Settings → Server Templates → Default → BIND DNS Domain → Master DNS server hostname

Recursion

Limit recursive lookups by editing /etc/bind/named.conf.options and adding, inside the options block:

allow-recursion {
        localnets;
        localhost;
};

DNSSEC

For Newly Created Domains

:!: Virtualmin will add DNSSEC records automatically to new domains as they are created.

:!: You may need to enable DNSSEC in Webmin for this to work as advertised (see below).

Virtualmin → System Settings → Server Templates → Default Settings → BIND DNS domain

  • Create DNSSEC key and sign new domains
    • Yes

For Existing Domains

Webmin → Servers → BIND DNS Server

  • DNSSEC Verification
    • Enable DNSSEC Verification

  • DNSSEC Key Re-Signing
    • Enable

Webmin → Servers → BIND DNS Server → <Zone to Modify>

  • Setup DNSSEC Key
    • Create and Add Key
    • You can also remove, then recreate the key
  • Apply Zone

Virtualmin → <Domain (Zone) to Modify> → Server Configuration

  • DNS Options
    • You can see DNSSEC zone keys here
  • DNS Records
    • You can see DNSSEC records here

Testing DNSSEC

Delegation Signer (DS) Records

DS records complete the chain of trust for your DNSSEC signed domains.

:!: You configure DS records at your Domain Name Registrar.

ResellerClub Registrar

http://manage.resellerclub.com/kb/answer/1909

Get the information you need at one of these locations:

cat /var/named/dsset-yourdomain.tld.
cat /var/lib/bind/dsset-yourdomain.tld.

Algorithm  Name
3          DSA/SHA1
5          RSA/SHA1
6          DSA-NSEC3-SHA1
7          RSASHA1-NSEC3-SHA1
8          RSA/SHA-256
9          RSA/SHA-512

Digest Type  Name
1            SHA-1
2            SHA-256

Enter:

  • Keytag (keyid)
    • A number between 0 and 65535
    • The fourth field in dsset-yourdomain.tld
  • Algorithm
    • Probably RSA-SHA1
    • The fifth field in dsset-yourdomain.tld
    • 5 = RSA-SHA1
  • Digest Type
    • 1 = 40-bit digest
    • 2 = 64-bit digest
    • The sixth field in dsset-yourdomain.tld
  • Digest
    • The last field in dsset-yourdomain.tld
    • Remove the space when entering the 64-bit digest
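Reading those fields off a dsset file by hand is error-prone, and the space that dnssec-signzone puts in the middle of the SHA-256 digest is easy to carry into the registrar form. The script below is an added example, not from the wiki page or from Virtualmin: it extracts the key tag, algorithm, digest type and digest from every DS line of a dsset file (fields 4, 5, 6 and 7 onward, as listed above), re-joins the split digest, and checks that the digest length matches the digest type (digest type 1 is SHA-1, 40 hex characters; type 2 is SHA-256, 64 hex characters). The sample dsset file is constructed with arbitrary hex, not real key material.

```shell
#!/bin/sh
# Added example (not from the wiki page): extract and sanity-check the values a
# registrar's DS form asks for, from a dsset-<zone>. file as written by dnssec-signzone.

# Print "keytag algorithm digesttype digest" for every DS line in file $1,
# joining the digest when the file has split it across several fields.
ds_fields() {
    awk '$3 == "DS" {
        digest = ""
        for (i = 7; i <= NF; i++) digest = digest $i   # re-join split digest
        print $4, $5, $6, toupper(digest)
    }' "$1"
}

# Validate one DS tuple; returns 0 when the digest length fits the digest type.
ds_check() {
    # $1 = key tag, $2 = algorithm, $3 = digest type, $4 = digest (hex)
    case "$3" in
        1) want=40 ;;   # SHA-1: 40 hex characters
        2) want=64 ;;   # SHA-256: 64 hex characters
        *) echo "unknown digest type $3" >&2; return 1 ;;
    esac
    [ "$1" -ge 0 ] && [ "$1" -le 65535 ] || { echo "key tag $1 out of range" >&2; return 1; }
    case "$4" in *[!0-9A-F]*) echo "digest contains non-hex characters" >&2; return 1 ;; esac
    [ ${#4} -eq "$want" ] || { echo "digest is ${#4} hex chars, expected $want" >&2; return 1; }
    return 0
}

# Check every DS record in file $1; prints "ok"/"bad" plus tag, algorithm, type.
ds_report() {
    ds_fields "$1" | while read -r tag alg dt digest; do
        if ds_check "$tag" "$alg" "$dt" "$digest"; then
            echo "ok $tag $alg $dt"
        else
            echo "bad $tag $alg $dt"
        fi
    done
}

# Write a constructed dsset file (arbitrary hex, not real keys) and print its path.
# The second record shows the space-split SHA-256 digest seen in real dsset files.
sample_dsset() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
yourdomain.tld.   IN DS 12345 8 1 0123456789ABCDEF0123456789ABCDEF01234567
yourdomain.tld.   IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF
EOF
    echo "$f"
}

# Demonstration over the constructed sample; on a real server run:
#   ds_report /var/lib/bind/dsset-yourdomain.tld.
ds_report "$(sample_dsset)"
```

The `ds_fields` output is what goes into the registrar form, digest already joined. A "bad" line means the record was copied incompletely or the wrong digest type was selected; fix that before submitting, since a wrong DS at the parent breaks validation for the whole zone.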
internet/hosting/virtualmin_dns.1554392489.txt.gz · Last modified: 2019/04/04 09:41 by gcooper