DNS server schema

Discussion in 'Installation/Configuration' started by variable99, Oct 5, 2023.

  1. variable99

    variable99 Member

    I have this setup:

    NS1 server A (DNS only) - 192.168.9.1
    NS2 server B (DNS only) - 192.168.9.2

    Web server C - 192.168.9.3
    Web server D - 192.168.9.4
    Web server E - 192.168.9.5

    I guess NS1 and NS2 should be slaves and "Web servers" should be masters? How do I implement this with the ISPConfig 3 install script? Would DNSSEC work in such a setup?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    If you use ISPConfig's internal DNS mirroring, DNSSEC will not work. But that's not a real issue, as all you have to do is not enable mirroring between server ns1 and ns2 and use secondary DNS zones in the ISPConfig DNS manager instead.
     
  3. variable99

    variable99 Member

    So... this is not possible to setup?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    This is possible to set up. You just shall not turn on automatic mirroring when you want to use DNSSEC. You use secondary DNS records instead.
     
  5. variable99

    variable99 Member

    Ok. Then I set up the DNS servers as DNS only. Now what do I do on the web servers? Add ns1 and ns2 as secondary?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    This is not related to DNS. If you want to use them as mirrors, then set them up as mirrors; if you want to use them as separate servers, then you set them up as separate servers. But be aware that mirror setups are not always that easy, as they require shared storage or syncing for web files.

    Not sure what you mean with that. DNS servers are DNS servers, you set them up as DNS servers during install. There is no difference if a DNS server hosts a primary or secondary zone.
     
  7. variable99

    variable99 Member

    Well, I'm trying to move away from HestiaCP to ISPConfig. In HestiaCP I have a setup like this:

    ns1 and ns2 are slave BIND DNS servers.
    Web servers are 'masters'. So, when I add a record to web server 1 it is transferred to ns1, and from ns1 it is transferred to ns2.

    So, when I add a DNS record on the web server side it seemingly mirrors records to the slaves.
    This is done by BIND rndc. ISPConfig utilizes MySQL for record storage, so it is a lot harder to think of a schema for how DNS should work.

    I guess there are users with many ISPConfig servers; I'm wondering how they do DNS...
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not the case. ISPConfig has an internal MySQL database, which is not accessed by BIND in any way. BIND stores its records in zone files, which are written by ISPConfig.

    Not really, it works exactly as on any BIND DNS system. I've explained it already in post #2. But the setup is also explained in the ISPConfig multiserver tutorials.

    See post #2. You have two options:

    a) ISPConfig internal MySQL-based mirroring, this does not support DNSSEC though.
    b) Bind's internal mirroring, this supports DNSSEC, and is done by creating a secondary zone, which then does all mirroring incl. DNSSEC keys automatically for all records of that zone

    ISPConfig supports both methods equally.
     
  9. variable99

    variable99 Member

    Could you please put down some basic steps for what I should do with the given servers? Then it would be easier to imagine the tasks :)
     
  10. variable99

    variable99 Member

    Never mind, I found the Debian 10 multiserver setup guide. Noice!
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    The setup for Debian 11 and 12 is basically the same, as the auto-installer supports all Debian versions up to Debian 12.
     
  12. variable99

    variable99 Member

    Ok. Today I made a few tests and I have a few questions.
    On the page https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/6/ there is this text:
    This is not acceptable, because I add DNS records via the API. Then I tried to edit the default DNS template and set it like this:

    Code:
    [ZONE]
    origin={DOMAIN}.
    ns={NS1}.
    mbox={EMAIL}.
    refresh=7200
    retry=540
    expire=604800
    minimum=3600
    ttl=3600
    xfer=192.168.9.2
    also_notify=192.168.9.2
    dnssec_wanted=N
    dnssec_algo=ECDSAP256SHA256
    
    [DNS_RECORDS]
    A|{DOMAIN}.|{IP}|0|3600
    A|www|{IP}|0|3600
    A|mail|{IP}|0|3600
    NS|{DOMAIN}.|{NS1}.|0|3600
    NS|{DOMAIN}.|{NS2}.|0|3600
    MX|{DOMAIN}.|mail.{DOMAIN}.|10|3600
    TXT|{DOMAIN}.|v=spf1 mx a ~all|0|3600
    Please notice the xfer and also_notify lines. These lines should set up DNS transfer from NS1 to NS2. Why is this not working? At the moment I don't care about DNSSEC.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    That's great, because it is very easy to add the master and slave zone via the API. So you have the special case where there are no downsides at all, and you have full DNSSEC support, too. Doing this via the API makes it the opposite of unacceptable; it makes it very easy and straightforward. You just don't seem to know how BIND zone transfers work; they are not ISPConfig specific in any way. I recommend reading the BIND manuals if you would like to get a better understanding of how BIND zone transfers work and what master and slave zones in BIND are.

    First, you do not need also_notify in case the DNS servers are listed as NS records in the zone. So remove that or set it to an empty string. Then you must ensure that you do not have mirroring enabled in ISPConfig under System > Server services for the second DNS server. The third step is that you add a slave DNS zone in ISPConfig on ns2 after you added the primary zone on ns1. The mirroring will then happen in the background automatically, incl. DNSSEC. And as you use the API later, adding the primary and secondary zone happens fully automated via the API then.
     
  14. variable99

    variable99 Member

    Regarding the API. Should I do this?
    1. dns_templatezone_add
    2. dns_slave_add
    #2 is not documented in the examples, and also not mentioned in the .html documents. Could you provide a rough example of the parameters for dns_slave_add?
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    You can use that function, or you can use API functions to add the various records directly and not use a template.

    The $params array of a function is always the database table fields of the matching table (in this case, the table dns_slave) minus the sys_* fields and minus the primary id column, so in this case $params contains:

    Code:
      `server_id` int(11) NOT NULL default '1',
      `origin` varchar(255) NOT NULL DEFAULT '',
      `ns` varchar(255) NOT NULL DEFAULT '',
      `active` enum('N','Y') NOT NULL DEFAULT 'N',
      `xfer` TEXT NULL,
     
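One way to script the two steps from posts 13 and 15 (primary zone on ns1, then the matching secondary on ns2) through the ISPConfig remote SOAP API, as an added example that is not code from this thread or from ISPConfig itself. The API user, hostnames, client_id and the server_id values are assumptions; dns_templatezone_add from post 14 could replace step 1.

```php
<?php
// Added example, not code from the thread or from ISPConfig itself.
// Assumed: a remote API user "apiuser" with DNS permissions, the ISPConfig master
// GUI at https://master.example.com:8080, client_id 1, ns1 = server_id 2 and
// ns2 = server_id 3. The zone values mirror the template shown in post 12.
$client = new SoapClient(null, [
    'location'   => 'https://master.example.com:8080/remote/index.php',
    'uri'        => 'https://master.example.com:8080/remote/',
    'trace'      => 1,
    'exceptions' => 1,
]);

try {
    $session_id = $client->login('apiuser', 'secret');

    // Step 1: primary zone on ns1. xfer restricts zone transfers to ns2 only;
    // also_notify stays empty because BIND already notifies every NS in the zone.
    $soa = [
        'server_id'   => 2,
        'origin'      => 'example.com.',
        'ns'          => 'ns1.example.com.',
        'mbox'        => 'hostmaster.example.com.',
        'refresh'     => 7200,
        'retry'       => 540,
        'expire'      => 604800,
        'minimum'     => 3600,
        'ttl'         => 3600,
        'xfer'        => '192.168.9.2',
        'also_notify' => '',
        'active'      => 'Y',
    ];
    $zone_id = $client->dns_zone_add($session_id, 1, $soa);

    // Step 2: secondary zone on ns2. The fields are the dns_slave columns from
    // post 15; 'ns' holds the primary's IP, and xfer is empty so nobody can pull
    // the zone from the secondary. Must be created after the primary exists.
    $slave = [
        'server_id' => 3,
        'origin'    => 'example.com.',
        'ns'        => '192.168.9.1',
        'active'    => 'Y',
        'xfer'      => '',
    ];
    $slave_id = $client->dns_slave_add($session_id, 1, $slave);
    echo "primary zone id $zone_id, secondary zone id $slave_id\n";
    $client->logout($session_id);
} catch (SoapFault $e) {
    echo 'SOAP error: ' . $e->getMessage() . "\n";
}
```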
  16. variable99

    variable99 Member

    Thanks Till for patience.
     
  17. variable99

    variable99 Member

    One last question: later, when I would like to add more web servers, what should I do to add the same ns1 and ns2 servers to them? Because now, when I tested, the ispconfig3_AI script nicely asked if I want to join those NS servers to the existing multiserver setup.

    As time passes, I will be adding more "web server" type servers and currently have no clue how to add the previously created NS servers. The schema would be like this:

    web server 1 -> NS1, NS2
    web server 2 -> NS1, NS2
    web server X -> NS1, NS2
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    The AI script does not ask you to join an NS server. The AI script asks you to join an ISPConfig master server. The master server is not an NS server. The master server is the server that runs the ISPConfig GUI and has server_id = 1; the master server might provide some services like DNS or web or mail, but on larger setups you typically set up a master server that runs just the ISPConfig GUI without providing any other services. So web servers and NS servers are not related to each other; you can have as many web servers and NS servers as you like in an ISPConfig multiserver setup. You can also use ISPConfig DNS servers for web servers without ISPConfig, and you can use ISPConfig web servers also for sites that do not use ISPConfig for DNS, of course.
     
  19. variable99

    variable99 Member

    P.S. The fields in the DNS template:
    xfer=192.168.9.2
    also_notify=192.168.9.2
    are mandatory. Because without those fields properly filled, DNS records fail to transfer with this error (IPs changed to 127.0.0.1 for anonymity):
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    The log you posted is about missing xfer. It is not about also_notify. I said above that you can remove also_notify, not that you should remove xfer. You can look this up in the BIND manual btw:

    https://www.zytrax.com/books/dns/ch7/xfer.html#also-notify

    As you can see, BIND will automatically notify all systems mentioned as NS records, and therefore you do not need also_notify there; you just need xfer.
     
