New User Totally Confused over DNS and RNDC

Discussion in 'Installation/Configuration' started by Rick Simnett, Aug 16, 2024.

  1. Rick Simnett

    Rick Simnett New Member

    Hello,
    I'm totally new to ISPConfig and am working through setup scenarios as our company is considering adopting ISPConfig as our default server control panel. I've got ISPConfig set up on a single server currently, and am trying to figure out how to configure it to create, update and remove zones via RNDC to our remote NS servers.

    I cannot use the multi-server configuration to do this as our DNS servers (ns.mediagiantdesign.com and ns1.mediagiantdesign.com) are physical machines running BIND and our routing in our 2 data centers. All of our network currently has these two machines set up as slaves through Plesk (the control panel we currently use), and all data is synced via rndc.

    How do I set up the ISPConfig box I have to also use these machines as slaves via RNDC and not sync using the database as is defined in the manual and the online tutorials I have found?

    Any help, links or guidance is much appreciated.

    Thanks in advance.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You must install ISPConfig on the other DNS systems, too, as a multiserver setup, as ISPConfig cannot control and configure a system that it is not installed on. But you do not set them to be mirrored; they are just normal slave nodes connected to your ISPConfig master. Now you add the primary zone using ISPConfig on the primary server and add a slave zone using ISPConfig on the secondary servers. The zone data will then be synced by BIND automatically between master and slave systems and not through the ISPConfig database.
     
  3. Rick Simnett

    Rick Simnett New Member

    Thanks for the reply!

    Unfortunately, that's not an option, as our DNS servers are all running via Ubiquiti Edge Routers. Our DNS infrastructure is existing and already set up and running as rndc. We cannot switch, as even if we adopt ISPConfig, we already have many cPanel and Plesk machines set up using those same servers and using RNDC to sync their individual zones. Is there no option to have RNDC do the work with ISPConfig?

    I don't have a problem manually configuring the rndc keys, if that becomes a necessary step to make it work. I just need to know where/how to do it.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I'm not that familiar with RNDC as we do not need it in ISPConfig setups, but as far as I know, RNDC can just be used to resync or transfer a zone, but the zone still must be added on the secondary. Or do you create the initial slave zone entry in BIND using RNDC somehow as well?
     
  5. Rick Simnett

    Rick Simnett New Member

    I'm not an expert in BIND, but I do have a decent understanding of how BIND and rndc work.

    The zone would first be created on the master server (in this case the ISPConfig local bind server), and then would be pushed via RNDC onto the slave servers, assuming the slave server is configured to allow zone creations.

    In Plesk, with the DNS slave extension, you configure a list of external IPs that correspond to your DNS slaves and associate an rndc key to each slave.

    Plesk then fires off OS commands to execute RNDC (bash as far as I can tell from monitoring its execution). RNDC uses the key and the IP of the slave to open a TCP connection to port 953 on the slave, and assuming the creds check out, the slave server will accept the zone details and update accordingly. The RNDC command is run once per zone per slave server each time the zone is updated.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Updating the slave zones with RNDC is clear; that's done with an AXFR, and ISPConfig does this, too, by using auto notify. But RNDC has no direct command to create a slave zone; it just has commands to update zones. The question for me is how you create the initial slave zones. This is normally done by ISPConfig itself on the slave systems. Do you use catalog zones for this purpose in your setup?

    https://bind9.readthedocs.io/en/latest/chapter6.html#catalog-zones
    https://jpmens.net/2016/05/24/catalog-zones-are-coming-to-bind-9-11/
    https://kb.isc.org/docs/aa-01401
     
  7. Rick Simnett

    Rick Simnett New Member


    AFAIK, this single line added to the BIND slave servers' config seems to make it all work, and it is what allows rndc to create the new zones.

    options {
    ...
    allow-new-zones yes;
    };

    Other than this line of configuration, when we add a new master server, we also have to add the IP address of the new master to the bind configuration.

    controls {
    inet * port 953 allow { x.x.x.x; 127.0.0.1; } keys { "rndc-key-x.x.x.x"; };
    };

    After that, it just works.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Okay, thank you for the insights. The guides I found on that topic look way more complicated. The ISPConfig server part is completely modular and based on plugins and events. You can also have multiple plugins listening to the same event, like the DNS zone insert or update event. So, if only a few RNDC commands need to be issued for this, then such a plugin will be just a few lines of code.
     
  9. Rick Simnett

    Rick Simnett New Member

    I like simple. You mentioned a plugin. I have zero problems writing anything in PHP, so I'm happy to write a plugin. It also gives me an opportunity to learn more about how to extend ISPConfig in the future.

    I was looking at the development forum and looking for a list of existing events, a dev guide and maybe an example how to on building a plugin. Does this info exist?

    If not, can you give me a "this is what's required" explanation of how to create a plugin and how to identify defined event hooks?

    Much appreciated. If I can get this working, I'm happy to contribute the work to the project (if you want it).
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Sadly, not really :)

    I'll create a plugin stub for you where you have to fill in your custom code with a few notes on how to activate it. I'll try to do that on Monday.

    Sure, it would be great if you would contribute your code.
     
  11. Rick Simnett

    Rick Simnett New Member

    I'll keep an eye out for the stub. That will be very helpful.

    Enjoy your weekend, Till!
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Here is a plugin stub with some comments:

    PHP:
    <?php

    class x_bind_secondary_plugin {

        var $plugin_name = 'x_bind_secondary_plugin';
        var $class_name  = 'x_bind_secondary_plugin';

        /*
            This function is called when the plugin is loaded
        */
        function onLoad() {
            global $app;

            /*
                Register for the events
            */

            // SOA
            $app->plugins->registerEvent('dns_soa_insert', $this->plugin_name, 'soa_insert');
            $app->plugins->registerEvent('dns_soa_update', $this->plugin_name, 'soa_update');
            $app->plugins->registerEvent('dns_soa_delete', $this->plugin_name, 'soa_delete');

            // RR
            $app->plugins->registerEvent('dns_rr_insert', $this->plugin_name, 'rr_insert');
            $app->plugins->registerEvent('dns_rr_update', $this->plugin_name, 'rr_update');
            $app->plugins->registerEvent('dns_rr_delete', $this->plugin_name, 'rr_delete');
        }

        function soa_insert($event_name, $data) {
            global $app, $conf;

            // Get the zone
            $zone = $data['new'];

            // Get a record of the zone (only used here to check that the zone is not empty)
            $records = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ?", $zone['id']);
            if(empty($records) || count($records) == 0) return;

            /*
                Note: When a zone gets inserted it is empty (incomplete) and has no records yet,
                so there is likely nothing to do here. Better check in soa_update for changes of the zone.
            */
        }

        function soa_update($event_name, $data) {
            global $app, $conf;

            // Get the zone
            $zone = $data['new'];

            // Get a record of the zone (only used here to check that the zone is not empty)
            $records = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ?", $zone['id']);
            if(empty($records) || count($records) == 0) return;

            /*
                Note: This is called on each update of the zone. Adding a record also triggers
                an update as the serial gets increased.
            */
        }

        function soa_delete($event_name, $data) {
            global $app, $conf;

            /*
                Note: The zone will already be deleted from the database and there will be no records anymore in the database.
                All details about the zone are available in the $data['old'] array.
            */

            // Get the zone
            $zone = $data['old'];
        }

        function rr_insert($event_name, $data) {
            global $app, $conf;

            // Get the data of the SOA and call soa_update
            $zone = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $data['new']['zone']);
            if(!empty($zone)) $this->soa_update($event_name, array('new' => $zone, 'old' => $zone));
        }

        function rr_update($event_name, $data) {
            global $app, $conf;

            // Get the data of the SOA and call soa_update
            $zone = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $data['new']['zone']);
            if(!empty($zone)) $this->soa_update($event_name, array('new' => $zone, 'old' => $zone));
        }

        function rr_delete($event_name, $data) {
            global $app, $conf;

            // Get the data of the SOA and call soa_update
            // In a single server setup the record in dns_soa will already be gone ... so this will give an empty array.
            $zone = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $data['old']['zone']);
            if(!empty($zone)) $this->soa_update($event_name, array('new' => $zone, 'old' => $zone));
        }

    } // end class
    Save the file as /usr/local/ispconfig/server/plugins-available/x_bind_secondary_plugin.inc.php
    Then create a symlink /usr/local/ispconfig/server/plugins-enabled/x_bind_secondary_plugin.inc.php pointing to /usr/local/ispconfig/server/plugins-available/x_bind_secondary_plugin.inc.php to enable the plugin.

    Plugins are loaded in alphabetical order; by prepending x_ to the plugin name, we ensure that it's always run after the original BIND plugin. So the zone has already been added in BIND when your plugin is run.

    One thing to note which makes it a bit difficult to set up DNS zones is that the actions are all executed in order, so you first get an event for adding the zone, but it will not have any records at that time; then you get an event for each record that's added. The main culprit here is that you cannot know for sure when the zone is finished, as the plugin cannot look into the future to know if the user might add another record. Just keep that in mind when programming.

    Use debug mode https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/ for development, this way you can e.g. use echo and print_r() in your code and see the results directly on the shell when calling server.sh.
     
  13. Rick Simnett

    Rick Simnett New Member

    Till,
    Thanks for this. I will digest this and see what I come up with. I've already jotted down a few thoughts to the process. Maybe you can assist.

    1. Is there somewhere in ISPConfig where I can set the IPs of the secondary DNS servers and their rndc keys and then load them via the app settings? If not, I may have to create a module to store this data, so I can retrieve it when needing to sync the servers.

    2. Is there one single event that fires off after a zone is updated or deleted? I have to test this theory, but the command that I think triggers the refresh is this: (I was sniffing as we did a plesk zone update, and found it executing this)

    rndc -b <master dns ip> -s <slave_dns_ip> -p 953 -y rndc-key refresh <zone / domain> IN

    The way this works (assuming I'm interpreting things right) is that this signals the slave nameserver to reload all of the zone info for that zone from the master. So it really only needs to execute once, after the zone is completely updated. Is there an event that fires after BIND's configuration is updated and it is reloaded?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer


    See here on how to add input fields to the ISPConfig GUI:

    https://forum.howtoforge.com/thread...nces-of-getting-it-integrated-upstream.92752/
    https://forum.howtoforge.com/threads/extend-email-mailbox-with-a-new-tab.92777/

    Zone update and zone delete are separate events, so you have to implement this command in both event functions.

    No, there is no specific event. See my plugin stub; it contains some comments. The events fire on config change. Alternatively, and if it's just a few lines of change, implement it in the current BIND plugin where BIND gets reloaded and then make a merge request on our git system at git.ispconfig.org so we integrate the changes into the main code base.
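The following is an added example (my own code, not till's stub and not part of ISPConfig) that fills in till's plugin stub from post 12 with the rndc refresh command Rick captured in post 13, issued from both the zone update and zone delete events as till advises in post 14. It assumes, beyond what the thread states: the secondaries and their key ids are hard-coded in the plugin (till pointed to GUI input fields as the proper home for them); each key id is defined in the master's rndc configuration; the secondaries run with allow-new-zones yes as in post 7, so the slave zone is created with rndc addzone on zone insert and removed with rndc delzone; $data['new']['origin'] is ISPConfig's zone name column; the IP addresses are constructed sample values. $app->plugins->registerEvent and $app->log are used as ISPConfig's own server plugins use them.

```php
<?php
/*
 * Added example, not ISPConfig's code and not till's stub. Pushes zone changes to
 * BIND secondaries over rndc (TCP 953, HMAC key per secondary) the way Plesk does
 * in the thread. Assumptions: secondary list below, key ids present in the master's
 * rndc.conf, allow-new-zones yes on the secondaries, origin column in dns_soa.
 */
class x_bind_secondary_plugin {

    var $plugin_name = 'x_bind_secondary_plugin';
    var $class_name  = 'x_bind_secondary_plugin';

    // Constructed sample values (assumption): one rndc key id per secondary.
    var $master_ip   = '198.51.100.5';
    var $secondaries = array(
        array('ip' => '203.0.113.10', 'port' => 953, 'key' => 'rndc-key-203.0.113.10'),
        array('ip' => '203.0.113.11', 'port' => 953, 'key' => 'rndc-key-203.0.113.11'),
    );

    function onLoad() {
        global $app;
        $app->plugins->registerEvent('dns_soa_insert', $this->plugin_name, 'soa_insert');
        $app->plugins->registerEvent('dns_soa_update', $this->plugin_name, 'soa_update');
        $app->plugins->registerEvent('dns_soa_delete', $this->plugin_name, 'soa_delete');
    }

    // Only hostname characters are accepted, so a zone name taken from the database
    // cannot carry quotes or braces into the addzone configuration handed to named.
    function valid_zone($zone) {
        return preg_match('/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/i', $zone) === 1;
    }

    // ISPConfig stores the origin with a trailing dot; rndc wants the bare name.
    function zone_name($soa) {
        return rtrim($soa['origin'], '.');
    }

    // Run one rndc command against one secondary. Every argument passes through
    // escapeshellarg; a non-zero exit (bad key, refused IP, unknown zone) is logged,
    // never silently ignored, so a secondary that drifts out of sync is visible.
    function rndc($secondary, $args) {
        global $app;
        $cmd = 'rndc -b ' . escapeshellarg($this->master_ip)
             . ' -s ' . escapeshellarg($secondary['ip'])
             . ' -p ' . escapeshellarg((string)$secondary['port'])
             . ' -y ' . escapeshellarg($secondary['key']);
        foreach($args as $a) $cmd .= ' ' . escapeshellarg($a);
        $out = array(); $rc = 1;
        exec($cmd . ' 2>&1', $out, $rc);
        if($rc !== 0) {
            $app->log('rndc ' . $args[0] . ' on ' . $secondary['ip'] . ' failed (rc=' . $rc . '): '
                      . implode(' ', $out), LOGLEVEL_WARN);
        }
        return $rc === 0;
    }

    // Apply one rndc subcommand for a zone on every secondary.
    function for_all_secondaries($zone, $args) {
        global $app;
        if(!$this->valid_zone($zone)) {
            $app->log('refusing rndc for invalid zone name: ' . $zone, LOGLEVEL_WARN);
            return;
        }
        foreach($this->secondaries as $s) $this->rndc($s, $args);
    }

    // Zone insert: create the slave zone on each secondary (needs allow-new-zones yes).
    // The zone has no records yet; the first transfer happens on the later notify/refresh.
    function soa_insert($event_name, $data) {
        $zone = $this->zone_name($data['new']);
        $conf = '{ type slave; masters { ' . $this->master_ip . '; }; file "' . $zone . '.db"; };';
        $this->for_all_secondaries($zone, array('addzone', $zone, 'IN', $conf));
    }

    // Zone update (also fired for every record change): the refresh from post 13.
    function soa_update($event_name, $data) {
        $zone = $this->zone_name($data['new']);
        $this->for_all_secondaries($zone, array('refresh', $zone, 'IN'));
    }

    // Zone delete: the zone is gone from the database, so use $data['old'].
    function soa_delete($event_name, $data) {
        $zone = $this->zone_name($data['old']);
        $this->for_all_secondaries($zone, array('delzone', $zone, 'IN'));
    }
}
```

Install it as till describes (plugins-available plus a symlink in plugins-enabled) and run it under debug mode with server.sh to watch the rndc exit codes. On the secondary, the controls stanza from post 7 should list only the master's IP and that master's key, so a key that leaks from one master cannot be replayed from elsewhere; with allow-new-zones yes the key holder can add and remove zones, so treat each key as an admin credential for that secondary.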
     
