Use dig +trace for more query details.
http://www.virtualmin.com/documentation/dns/slave-configuration
Make sure ports 10000:10010 are open between the two DNS servers.
Without Virtualmin, a slave domain can be created on the slave server using the Webmin BIND DNS Server module: Create a new slave zone.
With a Virtualmin primary DNS server, create slave DNS zones on Virtualmin slave servers:
You would use this command if your primary zone is configured and working but no slave configuration exists, possibly after a virtual server transfer.
virtualmin modify-dns --all-domains | --domain <yourdomain.tld> --add-all-slaves
Initiate a transfer at the slave server and check the log (may be messages or syslog):
rndc retransfer yourdomain.tld
tail -200 /var/log/syslog
This command performs a test zone transfer at the slave server CLI:
dig domain.tld. axfr @ns.dnsdomain.tld
BIND's default behavior is to send queries from whichever network interface the route to the destination uses, and from a random, unprivileged source port.
Test for random source ports:
dig +short porttest.dns-oarc.net TXT
Force source port to 53:
This is old methodology: a fixed source port removes the source-port randomisation that protects a resolver against cache poisoning, and it will cause problems with some mail servers.
vim /etc/bind/named.conf.options
// Limit the outbound source port to get through outgoing firewall
query-source address * port 53;
To allow outbound DNS lookups through a CSF firewall, with random source ports, append a line to /etc/csf/csf.allow:
vim /etc/csf/csf.allow
udp|out|d=53|| # Outbound DNS query with random source port
Set all domains to TTL value:
virtualmin modify-dns --all-domains --ttl 400
Enable or disable DNSSEC on all domains:
virtualmin modify-dns --all-domains --disable-dnssec
virtualmin modify-dns --all-domains --enable-dnssec
The 'dots' at the end of host and domain names are important.
Remove all NS records, then re-add new ones:
virtualmin modify-dns --domain xyz.tld --remove-record "xyz.tld. NS"
virtualmin modify-dns --domain xyz.tld --add-record "xyz.tld. NS ns1.dnsdomain.tld."
virtualmin modify-dns --domain xyz.tld --add-record "xyz.tld. NS ns2.dnsdomain.tld."
List all name servers for all domains:
for dom in $(virtualmin list-domains --with-feature dns --name-only); do host -t ns $dom; done | sort
Replace name server (NS) records for all domains:
for dom in $(virtualmin list-domains --with-feature dns --name-only); do
  virtualmin modify-dns --domain $dom --remove-record "$dom. NS"
  virtualmin modify-dns --domain $dom --add-record "$dom. NS ns1.dnsdomain.tld."
  virtualmin modify-dns --domain $dom --add-record "$dom. NS ns2.dnsdomain.tld."
done
Set all SPF records to 'discourage' (~all):
virtualmin modify-dns --all-domains --spf-all-discourage
Webmin → Servers → BIND DNS Server → Module Config → Zone File Options → Serial number style → Date based
Webmin → Servers → Bind DNS Server → Zone Defaults → Default email address
Virtualmin → System Settings → Server Templates → Default → BIND DNS Domain → Master DNS server hostname
Webmin → Servers → BIND DNS Server → Addresses and Topology → Allow recursive queries from Listed → localhost and localnets
Limit recursive lookups by editing /etc/bind/named.conf.options to include:
allow-recursion { localnets; localhost; };
Webmin → Servers → BIND DNS Server → DNSSEC Verification →
Webmin → Servers → BIND DNS Server → DNSSEC Key Re-Signing →
Virtualmin will add DNSSEC records automatically to new domains as they are created.
Virtualmin → System Settings → Server Templates → Default Settings → BIND DNS domain
Webmin → Servers → BIND DNS Server
Webmin → Servers → BIND DNS Server → <Zone to Modify>
Virtualmin → <Domain (Zone) to Modify> → Server Configuration
DS records complete the chain of trust for your DNSSEC signed domains.
You configure DS records at your Domain Name Registrar.
http://manage.resellerclub.com/kb/answer/1909
Get the information you need from one of these locations (depending on the distribution):
cat /var/named/dsset-yourdomain.tld.
cat /var/lib/bind/dsset-yourdomain.tld.
| Algorithm | Name |
|---|---|
| 3 | DSA/SHA1 |
| 5 | RSA/SHA1 |
| 6 | DSA-NSEC3-SHA1 |
| 7 | RSASHA1-NSEC3-SHA1 |
| 8 | RSA/SHA-256 |
| 9 | RSA/SHA-512 |

| Digest Type | Name |
|---|---|
| 1 | SHA-1 |
| 2 | SHA-256 |
Enter the values from the dsset-yourdomain.tld. file into the registrar's DS record form: the key tag, the algorithm number (for example 5 = RSA/SHA1), the digest type (1 = SHA-1, a 40-character hex digest; 2 = SHA-256, a 64-character hex digest) and the digest itself.
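As an added example (not from the original page or from Virtualmin), a small shell helper that reads a dsset file, expands the algorithm and digest-type numbers using the tables above, and checks that the digest length matches the digest type before the values are copied into the registrar's form. The file path and the DS records used in testing are constructed, not real.

```shell
#!/bin/sh
# Expand the algorithm / digest-type numbers found in a BIND dsset-<zone>. file.

alg_name() {
  case "$1" in
    3) echo "DSA/SHA1" ;;           5) echo "RSA/SHA1" ;;
    6) echo "DSA-NSEC3-SHA1" ;;     7) echo "RSASHA1-NSEC3-SHA1" ;;
    8) echo "RSA/SHA-256" ;;        9) echo "RSA/SHA-512" ;;
    *) echo "unknown($1)" ;;
  esac
}

digest_name() {
  case "$1" in
    1) echo "SHA-1" ;;  2) echo "SHA-256" ;;  *) echo "unknown($1)" ;;
  esac
}

# Hex length a digest of the given type must have: 160 bits = 40 hex chars
# for SHA-1, 256 bits = 64 hex chars for SHA-256.
digest_len() {
  case "$1" in
    1) echo 40 ;;  2) echo 64 ;;  *) echo 0 ;;
  esac
}

# ds_fields <dsset-file>
# Prints one line per "IN DS" record:
#   <zone> tag=<keytag> alg=<n>(<name>) digest=<n>(<name>) <digest> <OK|BAD-LENGTH>
# Returns non-zero if any digest has the wrong length (typical copy/paste damage).
ds_fields() {
  rc=0
  while read -r zone class type tag alg dtype digest; do
    [ "$class" = "IN" ] && [ "$type" = "DS" ] || continue
    # dig prints the digest in space-separated groups; join them before measuring.
    digest=$(printf '%s' "$digest" | tr -d ' ')
    want=$(digest_len "$dtype")
    if [ "${#digest}" -eq "$want" ]; then status=OK; else status=BAD-LENGTH; rc=1; fi
    printf '%s tag=%s alg=%s(%s) digest=%s(%s) %s %s\n' "$zone" "$tag" \
      "$alg" "$(alg_name "$alg")" "$dtype" "$(digest_name "$dtype")" "$digest" "$status"
  done < "$1"
  return $rc
}

# Usage: ds_fields /var/lib/bind/dsset-yourdomain.tld.
```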