DNSs - configuring correctly

Discussion in 'Installation/Configuration' started by Entangled, Apr 23, 2017.

  1. Entangled

    Entangled Member


    I upgraded from 3.0.x to 3.1 yesterday.

    Only the NS1 DNS shows in the Client Limits DNS servers and in the Default Secondary DNS Server pull-down. The NS2 DNS doesn't show up anywhere and I am not sure why.

    What is the Secondary DNS used for and how does it differ from the 'Is mirror of Server' checkbox?

    On the DNS-Zones page, both NS1 and NS2 are in the Server pull-down and of course there are no Zones for NS2.

    The NS1 /etc/named.conf.local has:

    zone "entangledweb.com" {
        type master;
        allow-transfer {;};
        file "/var/named/pri.entangledweb.com";
    };

    And the NS2 /etc/named.conf.local has:

    zone "entangledweb.com" {
        type master;
        allow-transfer {;};
        file "/var/named/pri.entangledweb.com";
    };

    So both NS1 and NS2 are "master" and they both allow-transfer from the same IP which is the IP for NS2. This can't be right.

    How do I make NS2 the slave for NS1 for some domains and make NS1 the slave for NS2 for the other domains? Wouldn't this spread the load between the DNSs?

    I would appreciate any advice in setting up my current 2 DNSs correctly, with the possibility of adding 2 additional DNSs in the future.

    Thank you,

  2. iNet Specialists

    iNet Specialists New Member

    You can read "Secondary DNS" as being a "slave zone" for bind (named). The Secondary DNS entries in ISPConfig will create something like the following for each entry in the /etc/named.conf.local file...
    zone "domain.tld" {
      type slave;          # Signifying the SLAVE zone
      masters {;};         # The IP address of the Master DNS Server in the SOA record
      allow-transfer {;};  # The IP address of the Slave DNS Server (one of the NS records)
      file "/var/named/slave/sec.domain.tld";
    };
    This type of configuration will cause BIND to regularly query the Master DNS server in the SOA record for changes to this zone based on the settings in the SOA record.
    The 'Is a mirror of' drop-down selection method is a quick and dirty way to copy an entire Master DNS server's functionality by making Server 2 copy its database entries in ISPConfig from the database entries for Server 1. This method effectively makes Server 2 a Master DNS server for the same "zones" that Server 1 has. However, Server 2 does NOT query Server 1 for those zones, and Server 2 is NOT a slave of Server 1. It gets the information from the database and has the same /etc/named.conf.local entries as Server 1 does.
    Note: 'allow-transfer' identifies the server 'to whom' the records may be transferred (not the 'from' server). As you can see in the 'type slave' zone, there is a 'masters' entry for the 'from server'.
    Actually, because the zone is of 'type master', it is the 'allow-transfer' entry that isn't quite right. It has no effect for the master if there are no slaves, which there are not because both servers are masters. That is OK for small deployments where you are only supporting redundancy of records for a limited number of DNS zones.
    First, the HOW...
    NS1 is the Master DNS Name Server. All 'zones' are created with it as the 'server'. The IP addresses of any Slave DNS Name Servers should be listed in 'allow transfer', as well as in 'also notify'. The 'allow transfer' entries will tell the Master that when one of these IPs asks for the updated record, give it to them. The 'also notify' tells the Master that when the record is updated, tell these IPs and give them the update. Otherwise, the slaves will only ask for the update when the SOA record gets old enough.
    Now for the slaves...
    NS2 is one slave out of many possible. It is NOT setup using the 'Is mirror of server' drop down. Instead it is configured using the 'Secondary DNS' (or slave zones) feature. The master server is the IP address of NS1, and that is all.
    NOW, how to 'share the load'...
    It is the number of DNS Servers (i.e. NS records) and the requesting clients that 'spread the load'. You cannot effectively control which DNS Server receives a request for a given record unless there is only a single DNS server for each zone. And that would make redundancy a moot point since most registrars require at least 2 DNS servers.
    What you can do (and should do) is operate a single master DNS server with multiple slave DNS servers spread to different geographical areas. If (or when) DNS queries get to be a load on the server(s), then add a new NS for the busiest domains.
    Creating each Slave DNS Server is easy, once you have the first slave. Just create a new DNS server and set it up using the 'Is a mirror of server' (and enter the first slave). Just remember to add the IP address to the master 'allow transfer' and 'also notify' lists.
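The master/slave pairing described in the answer above (NS1 as 'type master' with the slave in 'allow-transfer' and 'also-notify', NS2 as 'type slave' with NS1 in 'masters'), written out as an added example that is not from the thread or from ISPConfig. It embeds constructed named.conf.local fragments for a correct pair and for the broken pair from the question (both servers 'type master'), and runs a small consistency check over them. The addresses 192.0.2.10 (NS1) and 198.51.100.20 (NS2) are assumed documentation-range values; the parser only understands the handful of statements shown and is not a general named.conf parser.

```python
import re

# Assumed addresses from the RFC 5737 documentation ranges, not from the thread.
NS1_IP = "192.0.2.10"       # master
NS2_IP = "198.51.100.20"    # slave

# Constructed fragment for NS1: master zone, slave listed in both lists.
GOOD_NS1 = """
zone "entangledweb.com" {
    type master;
    allow-transfer { 198.51.100.20; };
    also-notify { 198.51.100.20; };
    file "/var/named/pri.entangledweb.com";
};
"""

# Constructed fragment for NS2: slave zone pulled from NS1, no onward transfers.
GOOD_NS2 = """
zone "entangledweb.com" {
    type slave;
    masters { 192.0.2.10; };
    allow-transfer { none; };
    file "/var/named/slave/sec.entangledweb.com";
};
"""

# Constructed reproduction of the question: both servers master, same allow-transfer.
BROKEN_NS1 = """
zone "entangledweb.com" {
    type master;
    allow-transfer { 198.51.100.20; };
    file "/var/named/pri.entangledweb.com";
};
"""
BROKEN_NS2 = BROKEN_NS1

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\s*\};', re.S)
LIST_RE = re.compile(r'\b(allow-transfer|also-notify|masters)\s*\{([^}]*)\}')
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;')


def parse_zones(conf):
    """Map zone name -> {type, allow-transfer, also-notify, masters} (lists of tokens)."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        zone = {"type": None, "allow-transfer": [], "also-notify": [], "masters": []}
        m = TYPE_RE.search(body)
        if m:
            zone["type"] = m.group(1)
        for key, items in LIST_RE.findall(body):
            zone[key] = [i.strip() for i in items.split(";") if i.strip()]
        zones[name] = zone
    return zones


def check_pair(master_conf, slave_conf, master_ip, slave_ip):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    master_zones = parse_zones(master_conf)
    slave_zones = parse_zones(slave_conf)
    for name, mz in master_zones.items():
        if mz["type"] != "master":
            findings.append(f"{name}: expected type master on NS1, got {mz['type']}")
        if "any" in mz["allow-transfer"]:
            findings.append(f"{name}: master allows AXFR to any; restrict it to the slave IPs")
        if slave_ip not in mz["allow-transfer"]:
            findings.append(f"{name}: master allow-transfer lacks {slave_ip}; the slave's AXFR will be refused")
        if slave_ip not in mz["also-notify"]:
            findings.append(f"{name}: master also-notify lacks {slave_ip}; the slave only refreshes on the SOA timer")
        sz = slave_zones.get(name)
        if sz is None:
            findings.append(f"{name}: zone missing on NS2")
            continue
        if sz["type"] == "master":
            findings.append(f"{name}: both servers are master; NS2 never pulls the zone from NS1")
        elif sz["type"] != "slave":
            findings.append(f"{name}: expected type slave on NS2, got {sz['type']}")
        elif master_ip not in sz["masters"]:
            findings.append(f"{name}: slave masters list lacks {master_ip}")
        if "any" in sz["allow-transfer"]:
            findings.append(f"{name}: slave allows AXFR to any; use none or the other slaves' IPs")
    return findings


if __name__ == "__main__":
    for label, a, b in (("good pair", GOOD_NS1, GOOD_NS2), ("broken pair", BROKEN_NS1, BROKEN_NS2)):
        result = check_pair(a, b, NS1_IP, NS2_IP)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run stand-alone it reports the good pair as consistent and, for the broken pair, flags the missing 'also-notify' and the fact that NS2 is a second master rather than a slave, which is exactly why the question's NS2 never sees NS1's zones. An 'allow-transfer { any; }' on either side is flagged because it lets anyone pull the full zone with AXFR.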
