Monday, July 25, 2011

How To Run Your Own DNS Servers (Primary And Secondary) With ISPConfig 3 (Debian Squeeze)


This tutorial shows how you can run your own DNS servers (primary and secondary) with ISPConfig 3. To do this, you need two servers with two different public IP addresses and with ISPConfig 3 installed. I will use Debian Squeeze for both DNS servers here to demonstrate the base system setup process and ISPConfig 3 installation, but once you have ISPConfig 3 installed on your servers, the configuration inside ISPConfig 3 is identical, no matter what distribution you use.
I do not issue any guarantee that this will work for you!

1 Preliminary Note

Our current situation is as follows: we have
  • ISPConfig server #1 (server1.example.com): IP address 1.2.3.4; this one will be our primary name server.
  • ISPConfig server #2 (server2.example.com): IP address 1.2.3.5; this one will be our secondary name server.
server1.example.com will be a full ISPConfig 3 installation. It will be the master ISPConfig 3 server (which runs the ISPConfig control panel interface) and act as an email, web, DNS, and MySQL server (this is the most common setup - one server that has all the services). server2.example.com will be a slave ISPConfig 3 server (no ISPConfig control panel interface) and will act only as the secondary DNS server. Of course, you can split up services between your servers as you like - the tutorial Installing A Multiserver Setup With Dedicated Web, Email, DNS And MySQL Database Servers On Debian 5.0 With ISPConfig 3 should give you the idea.
DNS A records for server1.example.com and server2.example.com must already exist (you can create them through your domain registrar's control panel). We will use server1.example.com and server2.example.com as the name servers for our zones later on; if you prefer something like ns1.example.com and ns2.example.com instead of server1.example.com and server2.example.com, you can use these, but make sure that there are DNS A records for ns1.example.com and ns2.example.com as well (that point to the same IPs as server1.example.com or server2.example.com).
I will show how to create a zone for the domain mydomain.com - this domain must already be registered through a domain registrar. After I have created the mydomain.com zone and verified that both server1.example.com and server2.example.com serve all mydomain.com records correctly, I will show how to make server1.example.com and server2.example.com the authoritative name servers for mydomain.com (see chapter 8).
More details about how to create DNS zones/records can be found in chapters 4.8 and 5.12 of the ISPConfig 3 Manual.
 

2 Setting Up server1.example.com (Primary DNS)

server1.example.com:
Please set up server1.example.com as shown in The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3], but stop before the ISPConfig 3 installation.
To allow the other MySQL instances to connect to the MySQL database on this node during ISPConfig 3 installation, we have to add MySQL root user records in the master database for every slave server hostname and IP address. Log into MySQL:
mysql -u root -p
On the MySQL shell, run the following queries:
CREATE USER 'root'@'1.2.3.5' IDENTIFIED BY 'yourrootsqlpassword';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'1.2.3.5' IDENTIFIED BY 'yourrootsqlpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
CREATE USER 'root'@'server2.example.com' IDENTIFIED BY 'yourrootsqlpassword';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'server2.example.com' IDENTIFIED BY 'yourrootsqlpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
FLUSH PRIVILEGES;
quit;
Make sure you replace 1.2.3.5 with the IP address and server2.example.com with the hostname of your secondary DNS server!
Now we can install ISPConfig 3 on server1.example.com as follows:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
php -q install.php
root@server1:/tmp/ispconfig3_install/install# php -q install.php


--------------------------------------------------------------------------------
 _____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |
                                             |___/
--------------------------------------------------------------------------------


>> Initial configuration

Operating System: Debian 6.0 (Squeeze/Sid) or compatible

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <return>.
    Tap in "quit" (without the quotes) to stop the installer.


Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- expert

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- yourrootsqlpassword

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- ENTER

Adding ISPConfig server record to database.

Configure Mail (y,n) [y]: <-- ENTER

Configuring Postfix
Generating a 2048 bit RSA private key
............................................................................................+++
..........................+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring SASL
Configuring PAM
Configuring Courier
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
Stopping SASL Authentication Daemon: saslauthd.
Starting SASL Authentication Daemon: saslauthd.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
Stopping ClamAV daemon: clamd.
Starting ClamAV daemon: clamd Bytecode: Security mode set to "TrustSigned".
.
Stopping Courier authentication services: authdaemond.
Starting Courier authentication services: authdaemond.
Stopping Courier IMAP server: imapd.
Starting Courier IMAP server: imapd.
Stopping Courier IMAP-SSL server: imapd-ssl.
Starting Courier IMAP-SSL server: imapd-ssl.
Stopping Courier POP3 server: pop3d.
Starting Courier POP3 server: pop3d.
Stopping Courier POP3-SSL server: pop3d-ssl.
Starting Courier POP3-SSL server: pop3d-ssl.
Configure Jailkit (y,n) [y]: <-- ENTER

Configuring Jailkit
Configure FTP Server (y,n) [y]: <-- ENTER

Configuring Pureftpd
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -Y 1 -8 UTF-8 -H -D -b -O clf:/var/log/pure-ftpd/transfer.log -E -u 1000 -A -B
Configure DNS Server (y,n) [y]: <-- ENTER

Configuring BIND

Hint: If this server shall run the ISPConfig interface, select 'y' in the 'Configure Apache Server' option.

Configure Apache Server (y,n) [y]: <-- ENTER

Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configure Firewall Server (y,n) [y]: <-- ENTER

Configuring Firewall
Install ISPConfig Web Interface (y,n) [y]: <-- ENTER

Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Enable SSL for the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
.................................................................................................................++
..................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting web server: apache2 ... waiting .
Installation completed.
root@server1:/tmp/ispconfig3_install/install#

If you have chosen to enable SSL for the ISPConfig web interface, you can reach the ISPConfig web interface at https://server1.example.com:8080, otherwise at http://server1.example.com:8080.


3 Setting Up server2.example.com (Secondary DNS)

 
server2.example.com:
server2.example.com can be set up according to chapter 6 from the tutorial Installing A Multiserver Setup With Dedicated Web, Email, DNS And MySQL Database Servers On Debian 5.0 With ISPConfig 3. I will repeat these steps here:
apt-get -y install ntp ntpdate
apt-get -y install mysql-client mysql-server
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
apt-get -y install php5-cli php5-mysql php5-mcrypt mcrypt
apt-get -y install bind9 dnsutils
ISPConfig 3 can now be installed as follows:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
php -q install.php
root@server2:/tmp/ispconfig3_install/install# php -q install.php


--------------------------------------------------------------------------------
 _____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |
                                             |___/
--------------------------------------------------------------------------------


>> Initial configuration

Operating System: Debian 6.0 (Squeeze/Sid) or compatible

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <return>.
    Tap in "quit" (without the quotes) to stop the installer.


Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- expert

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [server2.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- yourrootsqlpassword

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- y

MySQL master server hostname []: <-- server1.example.com

MySQL master server root username [root]: <-- ENTER

MySQL master server root password []: <-- yourrootsqlpassword_on_server1.example.com

MySQL master server database name [dbispconfig]: <-- name_of_ispconfig_database_on_server1.example.com

Adding ISPConfig server record to database.

Configure Mail (y,n) [y]: <-- n

Configure Jailkit (y,n) [y]: <-- n

Configure FTP Server (y,n) [y]: <-- n

Configure DNS Server (y,n) [y]: <-- ENTER

Configuring BIND

Hint: If this server shall run the ISPConfig interface, select 'y' in the 'Configure Apache Server' option.

Configure Apache Server (y,n) [y]: <-- n

Configure Firewall Server (y,n) [y]: <-- ENTER

Configuring Firewall
Install ISPConfig Web Interface (y,n) [y]: <-- n

Configuring DBServer
Installing ISPConfig crontab
no crontab for root
Installation completed.
root@server2:/tmp/ispconfig3_install/install#


4 Configuring server2.example.com To Be A Mirror Of server1.example.com

Now open the ISPConfig 3 control panel (http(s)://server1.example.com:8080) and go to System > Server Services. Select server2.example.com:


Make sure that the DNS-Server checkbox is checked and select server1.example.com in the Is mirror of Server selectbox and click on Save:



5 Creating A DNS Zone

To create a DNS zone, it is recommended to use the DNS Wizard (DNS > DNS Wizard > Add DNS Zone or click on the Add new DNS Zone with Wizard button) which will automatically create a set of common DNS records for your domain (like www, mail, ns records, etc.):


This will bring you to the wizard to create a new DNS zone. The form has the following fields:
  • Template: This refers to the templates that exist under DNS > DNS Wizard > Templates. These templates define what records will be created by default if you use the DNS Wizard. Let's assume we create a zone for the domain mydomain.com - the Default template will create A records for mydomain.com, www.mydomain.com, and mail.mydomain.com, two NS (nameserver) records, plus an MX (mail exchanger) record for mydomain.com that points to mail.mydomain.com.
  • Server: Select server1.example.com here.
  • Client: Here you select the client that owns the new DNS zone.
  • Domain: Fill in the domain for which you want to create the zone, e.g. mydomain.com. Please note that you don't need a dot at the end: mydomain.com. would work as well, but mydomain.com (without the trailing dot) is sufficient.
  • IP Address: Fill in the IP address that mydomain.com should point to - please note that www.mydomain.com and mail.mydomain.com will also point to that IP address (you can change that later on under DNS > DNS > Zones).
  • NS 1: Specify the hostname of the primary nameserver for the domain, server1.example.com. Again, no trailing dot is needed. The server you specify here must point to (or be identical to) the server that you selected in the Server field.
  • NS 2: Specify the hostname of the secondary nameserver for the domain, server2.example.com. Again, no trailing dot is needed.
  • Email: Specify the email address of the zone administrator, e.g. zonemaster@example.com.
Click on Create DNS Record to create the zone:


Afterwards you can find the new zone in the list under DNS > DNS > Zones:


From the list view, it is possible to delete the DNS zone.
If you edit the zone and go to the Records tab, you will see the records that have automatically been created by the DNS Wizard (the Default template will create A records for mydomain.com, www.mydomain.com, and mail.mydomain.com, two NS (nameserver) records, plus an MX (mail exchanger) record for mydomain.com that points to mail.mydomain.com):


On the Records tab, you can edit or delete existing records and add further ones.

6 Testing

 
Now let's test if the zone and its records have been created on both server1.example.com and server2.example.com, and if they are served correctly. We can use the dig tool for it. You can run the following commands on any server (server1.example.com, server2.example.com, or any other server):
dig @server1.example.com any mydomain.com
This command asks server1.example.com to serve all records that it has for mydomain.com:
root@server1:~# dig @server1.example.com any mydomain.com

; <<>> DiG 9.7.3 <<>> @server1.example.com any mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45584
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.com.                  IN      ANY

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071901 28800 7200 604800 86400

;; ADDITIONAL SECTION:
mail.mydomain.com.      86400   IN      A       78.46.230.214

;; Query time: 0 msec
;; SERVER: 1.2.3.4#53(1.2.3.4)
;; WHEN: Tue Jul 19 14:09:38 2011
;; MSG SIZE  rcvd: 182

root@server1:~#
If we check server2.example.com, it should return the same records:
dig @server2.example.com any mydomain.com
root@server1:~# dig @server2.example.com any mydomain.com

; <<>> DiG 9.7.3 <<>> @server2.example.com any mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5183
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.com.                  IN      ANY

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071901 28800 7200 604800 86400

;; ADDITIONAL SECTION:
mail.mydomain.com.      86400   IN      A       78.46.230.214

;; Query time: 0 msec
;; SERVER: 1.2.3.5#53(1.2.3.5)
;; WHEN: Tue Jul 19 14:10:07 2011
;; MSG SIZE  rcvd: 182

root@server1:~#
You can do the same for www.mydomain.com and mail.mydomain.com and any other hostname you have created, e.g.:
dig @server1.example.com any www.mydomain.com
dig @server2.example.com any www.mydomain.com
dig @server1.example.com any mail.mydomain.com
dig @server2.example.com any mail.mydomain.com
This means our primary/secondary DNS setup is working as expected!

7 Creating Further Records

Let's create an SPF record for demonstration purposes. An SPF record is a TXT record, so we click on the TXT button on the Records tab of the mydomain.com zone.
The form contains the following fields:
  • Hostname: The name that this record describes. This field can contain an FQDN or just a hostname. If you specify an FQDN, the name must end with a dot; if you specify just a hostname, it must not end with a dot. Fill in mydomain.com. here (if you forget the dot at the end, the hostname would translate to mydomain.com.mydomain.com.).
  • Text: You can use the SPF wizard at http://old.openspf.org/ to find out what to fill in here (e.g. v=spf1 a mx ptr -all).
  • TTL: The time interval (in seconds) that this record may be cached before the source of the information should again be consulted. Zero values are interpreted to mean that the record can only be used for the transaction in progress, and should not be cached.
  • Active: This defines whether this TXT record is active or not.
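The two naming rules above (wizard fields are whole hostnames with no trailing dot needed, while the Hostname field on the Records tab is relative to the zone unless it ends with a dot) are easy to mix up. The following added example, which is not part of the tutorial or of ISPConfig, models how the Default template turns the wizard fields into records and how BIND's origin rule turns a dot-less Hostname into mydomain.com.mydomain.com.; the SOA timer values are the ones visible in the dig output of this tutorial, and the default serial is assumed.

```python
ORIGIN = "mydomain.com."     # the zone created in this tutorial


def qualify(name, origin=ORIGIN):
    """Apply the $ORIGIN rule BIND uses for names in a zone file: a name
    ending in a dot is already absolute, anything else is relative to the
    zone and gets the origin appended.  '@' or '' means the zone itself."""
    if name in ("", "@"):
        return origin
    return name if name.endswith(".") else name + "." + origin


def soa_rname(email):
    """Convert the wizard's Email field into the SOA RNAME form seen in the
    dig output (zonemaster@example.com -> zonemaster.example.com.).
    Dots inside the local part are escaped, as RFC 1035 requires."""
    local, domain = email.split("@", 1)
    return local.replace(".", "\\.") + "." + domain.rstrip(".") + "."


def wizard_records(domain, ip, ns1, ns2, email, ttl=86400, serial=2011071901):
    """Records the Default template creates from the wizard fields.  The
    Domain/NS fields are treated as whole names (the wizard adds a missing
    trailing dot), which is why no dot is needed there.  Timer values
    28800 7200 604800 86400 are those shown in the tutorial's dig output."""
    zone = domain.rstrip(".") + "."

    def fqdn(host):
        return host.rstrip(".") + "."

    soa = f"{fqdn(ns1)} {soa_rname(email)} {serial} 28800 7200 604800 86400"
    return [
        (zone, ttl, "SOA", soa),
        (zone, ttl, "NS", fqdn(ns1)),
        (zone, ttl, "NS", fqdn(ns2)),
        (zone, ttl, "A", ip),
        ("www." + zone, ttl, "A", ip),
        ("mail." + zone, ttl, "A", ip),
        (zone, ttl, "MX", "10 mail." + zone),
    ]


def txt_record(hostname, text, ttl=86400, origin=ORIGIN):
    """A record added on the Records tab.  Here the Hostname field IS
    origin-relative, so 'mydomain.com' without the trailing dot silently
    becomes mydomain.com.mydomain.com., the mistake the tutorial warns about."""
    return (qualify(hostname, origin), ttl, "TXT", f'"{text}"')


if __name__ == "__main__":
    for rr in wizard_records("mydomain.com", "78.46.230.214",
                             "server1.example.com", "server2.example.com",
                             "zonemaster@example.com"):
        print(*rr)
    print(*txt_record("mydomain.com.", "v=spf1 a mx ptr -all"))   # correct
    print(*txt_record("mydomain.com", "v=spf1 a mx ptr -all"))    # wrong name
```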


Wait a few minutes, and then test if the record has been created on both server1.example.com and server2.example.com:
dig @server1.example.com any mydomain.com
root@server1:~# dig @server1.example.com any mydomain.com

; <<>> DiG 9.7.3 <<>> @server1.example.com any mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23141
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.com.                  IN      ANY

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      TXT     "v=spf1 a mx ptr -all"
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071903 28800 7200 604800 86400

;; ADDITIONAL SECTION:
mail.mydomain.com.      86400   IN      A       78.46.230.214

;; Query time: 0 msec
;; SERVER: 1.2.3.4#53(1.2.3.4)
;; WHEN: Tue Jul 19 14:23:19 2011
;; MSG SIZE  rcvd: 215

root@server1:~#
dig @server2.example.com any mydomain.com
root@server1:~# dig @server2.example.com any mydomain.com

; <<>> DiG 9.7.3 <<>> @server2.example.com any mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13876
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.com.                  IN      ANY

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      TXT     "v=spf1 a mx ptr -all"
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071903 28800 7200 604800 86400

;; ADDITIONAL SECTION:
mail.mydomain.com.      86400   IN      A       78.46.230.214

;; Query time: 1 msec
;; SERVER: 1.2.3.5#53(1.2.3.5)
;; WHEN: Tue Jul 19 14:23:36 2011
;; MSG SIZE  rcvd: 215

root@server1:~#
More details about how to create DNS zones/records can be found in chapters 4.8 and 5.12 of the ISPConfig 3 Manual.
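The checks in chapters 6 and 7 compare the two dig listings by eye. As an added example that is not part of the tutorial, the script below parses such listings and reports every deviation of the secondary from the primary: a missing aa (authoritative answer) flag, a different SOA serial, or a record set that differs. The first two inputs are trimmed copies of the dig output shown above (record order is ignored, because the two servers return the NS records in different order); the third is a constructed listing in which server2 still serves the zone from before the SPF record was added.

```python
import re

# Trimmed copy of the tutorial's dig listing from server1 (flags + answer).
PRIMARY = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      TXT     "v=spf1 a mx ptr -all"
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071903 28800 7200 604800 86400
"""

# Same zone as served by server2: the NS records come back in another order.
SECONDARY = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      TXT     "v=spf1 a mx ptr -all"
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071903 28800 7200 604800 86400
"""

# Constructed failure case: server2 still holds the pre-SPF zone
# (serial 2011071901, no TXT record), i.e. the mirror has not caught up.
STALE = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071901 28800 7200 604800 86400
"""

FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$", re.M)


def parse_dig(text):
    """Return the header flags, the answer records as an order-independent
    set (SOA left out, it is compared by serial) and the SOA serial."""
    m = FLAGS_RE.search(text)
    flags = set(m.group(1).split()) if m else set()
    answer = text.partition(";; ANSWER SECTION:")[2].split("\n\n", 1)[0]
    rrs = [(r.group(1), r.group(3), r.group(4).strip()) for r in RR_RE.finditer(answer)]
    serial = next((int(rd.split()[2]) for _, t, rd in rrs if t == "SOA"), None)
    return {"flags": flags, "records": {rr for rr in rrs if rr[1] != "SOA"}, "serial": serial}


def compare_servers(primary_text, secondary_text):
    """List every way the secondary's answer deviates from the primary's."""
    p, s = parse_dig(primary_text), parse_dig(secondary_text)
    problems = []
    for label, d in (("primary", p), ("secondary", s)):
        if "aa" not in d["flags"]:       # both must answer authoritatively
            problems.append(f"{label}: answer is not authoritative (no aa flag)")
    if p["serial"] != s["serial"]:       # the mirrored zone is out of date
        problems.append(f"SOA serial differs: primary {p['serial']}, secondary {s['serial']}")
    for rr in sorted(p["records"] - s["records"]):
        problems.append(f"missing on secondary: {rr}")
    for rr in sorted(s["records"] - p["records"]):
        problems.append(f"extra on secondary: {rr}")
    return problems


if __name__ == "__main__":
    print("server2 in sync:", compare_servers(PRIMARY, SECONDARY) == [])
    for line in compare_servers(PRIMARY, STALE):
        print("stale server2:", line)
```

To run it against live servers, feed it the output of the dig commands shown above (for example via subprocess) instead of the embedded strings.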

8 Setting server1.example.com And server2.example.com As The Authoritative Name Servers For mydomain.com

Now that everything is working as expected, we want server1.example.com and server2.example.com to be the "official" (=authoritative) name servers for mydomain.com. When you register a domain at your domain registrar, it automatically uses DNS servers of your domain registrar (unless you specify your own name servers) which means if other hosts try to resolve your domain, the DNS servers of your domain registrar will be queried instead of your ISPConfig DNS servers.
To change that, go to your domain registrar's control panel, select your domain, and set your ISPConfig DNS servers as the authoritative name servers for the domain (this is a screenshot from the ResellerClub control panel; other domain registrars have similar control panels):


Please note that you should do this only after you have created the appropriate DNS records on your ISPConfig servers because some registries will complain if they do not find records for the domain on the new authoritative name servers.
If you register a new domain and want to use your ISPConfig servers as the authoritative DNS servers for the domain, you should first create the zone for the domain on the ISPConfig servers and then, while you register the domain, specify the ISPConfig servers as the authoritative name servers. That way your new domain uses the ISPConfig servers from the start.

9 Links


