multiserver rebuild

Discussion in 'ISPConfig 3 Priority Support' started by chief, Nov 23, 2024.

  1. chief

    chief Member HowtoForge Supporter

    Hey,
    ## Please be aware - I was using a DrayTek router - Vigor 2865 ##
    https://www.draytek.com/about/security-advisory/
    https://www.bleepingcomputer.com/ne...itical-flaws-in-over-700-000-exposed-routers/
    I have had about 7 instances of a DDoS attack where they (hacker or botnet) took control of my router to send off 760 million emails from 1 IP, and I had 16 static IPs.., and the router was the issue, now on a shelf unplugged. Each time the attack happened I isolated my physical network switch and unplugged it, and isolated the internal network as well. - Watch out if you have one of these devices.
    ####
    I have rebuilt the system using multiserver, pfSense+ on a Dell PowerEdge 710 blade server with pro support.
    An issue I see on my setup is:
    All servers are using a 10.0.0.0/24 IP - I have 32 static external IPs.
    When adding a site to DNS it shows the internal server address ns1.domain -> 10.0.0.56; this then shows in DNS, dnschecker.org, and obviously won't resolve.
    So.. is there a way to map or change the server address in DNS records to replicate my external numbers? Or do I have to change the pfSense firewall DMZ setup from using virtual IP and NAT?
    or
    can I get ISPConfig DNS to use a setting for its external IP..
    or
    update
    Code:
    /etc/hosts
    for external IPs and change the login account for the servers etc. in phpMyAdmin

    dave
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Then, you selected the wrong IP for the DNS record. In website settings, you must select * or the internal IP. In DNS records, you must choose your external IP address.
     
    mangoldwen likes this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig uses the IP address that you enter in the IP field of the DNS record. If you enter the external IP, it uses the external IP, if you enter the internal IP, it uses the internal IP. See my previous post where to use which IP.
     
    mangoldwen likes this.
  4. chief

    chief Member HowtoForge Supporter

    Hey Till, thanks for the reply.
    Think I'm missing something here.
    Section 1 of multiserver install -
    At my host where I buy the domain, I added 2 nameservers mapping hostname and IP to the external IPs of each nameserver.
    Section 2 states to use internal numbers for panel.host..
    Then page 5 - name server - does not say anything about changing anything to map to external IPs for DNS.
     
  5. remkoh

    remkoh Active Member HowtoForge Supporter

    Internal IPs are only used for communication between your nodes.
    They probably are set (by you during install) in /etc/hosts

    Your DNS is for the public to be able to resolve anything related to your domain name.
    So when adding an A or AAAA record in your DNS in ISPC you ALWAYS enter the EXTERNAL IP where the hostname should resolve to.
    Because of course the public can't do anything with your private IPs.
    There is no translation anywhere when it comes to DNS; only /etc/hosts takes priority over DNS queries, should you be using your domain name for node hostnames too.
     
    Last edited: Nov 24, 2024
  6. chief

    chief Member HowtoForge Supporter

    Yes, I have used 10.0.0.50+
    That I get, about the internal vs external IP and DNS resolution.
    On my previous build, the DrayTek used "IP routed subnet" and my servers were using external IPs in the /etc/hosts on all nodes.
    My DNS section all shows the 10.0.0.0 range used for each server and not the external IP.
    On this build using 10.0.0.0/24 in /etc/hosts, adding a domain to the panel... and then specifically adding a DNS record - it used to display the external IP used in the setup and didn't require me to type it in, e.g. DNS -> Zones -> Domain.name -> Record -> IP-Address "12.12.12.12. IPV4 > ns1.domain.name"
    So no, I would have to type the external IP of each server for all records, or redo the IP on each node so each server uses an external IP and each node's /etc/hosts is also using external IPs - just like "IP ROUTED SUBNET"
     
    Last edited: Nov 24, 2024
  7. chief

    chief Member HowtoForge Supporter

    I did do that.
    It added 10.0.0.57 to the DNS records.
    I altered this to be the external IP of the server that has the site.
    This works.. but ns2 states 10.0.0.57.
    I checked with DNSchecker.org.
    When ns1 answers it is the correct IP and when ns2 answers it stated 10.0.0.57.
    I don't understand.. I followed that recipe to the letter.
    What did I miss?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    This is likely perfectly fine, and you probably tested it wrong. If you test it from any system of this multiserver setup, then it should return 10.0.0.57 as it's set in all /etc/hosts files to ensure that internal traffic between the nodes is kept in the internal network. If you test the same from an external system, it will and has to return the external IP because you set the external IP in DNS.
     
  9. chief

    chief Member HowtoForge Supporter

    Look up tlwebservices.co.uk. It resolved as either 10.0.0.51 or 146.66.81.98 depending on which nameserver.
    I used DNSchecker.org and the mxtoolbox.com DNS checker.

    #####updated
    Just went to the registrar where I purchased the domain. Instead of mapping my nameserver to the external IP, I used their DNS and added A records for server hostnames. This worked.
    This was different from naming my nameservers with the IP address and then adding my domain to my own DNS servers mapping to IP addresses, self-replicating DNS with me as the source of it.
    Now I have to log in to them to add new server hostnames, e.g. adding a new web server.
     
    Last edited: Nov 24, 2024
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Then, likely, one of your two name servers has not picked up the IP change you made, check them individually. Check the zone with intodns.com, it will tell you if the zones are out of sync.
     
  11. remkoh

    remkoh Active Member HowtoForge Supporter

    Your DNS has nothing to do with your local LAN setup.
    It doesn't matter if you have a routed subnet with external IPs on your nodes or are using NAT and IPs from a private range on your nodes.
    The only thing that matters is that a DNS request from the internet ends on the correct node, whether it be by routing or by NAT.

    A and AAAA records always need to reflect an external IP, otherwise it is of no use to the one doing the DNS request.
    If both DNS servers respond with different values then there's something wrong with the master-slave functionality.
    For transfers and notification settings you should use the internal LAN IPs.
    I do hope you didn't make your slave DNS a mirror of the master DNS within ISPC?
     
  12. chief

    chief Member HowtoForge Supporter

    Hey, I have checked the last few days and altered some things. Still have an issue with the following:
    domain = tlsystems.co.uk
    1. Both nameservers report a different SOA. Not sure how to solve this.
    2. According to "intodns.com" it states the MX server is 10.0.0.52, unless it is cached.
    3. Reverse MX A record - states 52.0.0.10. Very odd as I'm not using that range..
     
  13. chief

    chief Member HowtoForge Supporter

    Hey, no I didn't replicate them.
    So I have to use the external IPs, got it. Since the other day it works OK, different from previous. It's all good.
    Thanks for the reply.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    How did you connect the two name servers for primary/secondary replication? You said you are not using mirroring.

    Then you must have entered that IP or you are checking wrong name servers (maybe your name servers are not authoritative for that zone at all and your zone is still at the domain registry).

    I guess you mixed up the A and PTR records here.
     
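    The three symptoms discussed in this thread (a private 10.0.0.x node address leaking into public answers, ns1 and ns2 answering differently, and an octet-reversed address that is really a PTR owner name) can be checked mechanically. The following is an added example, not code from the thread or from ISPConfig: it runs over a constructed set of per-nameserver answers (in practice you would feed it the output of `dig @<nameserver> <name>` for each authoritative server from an external host), and all function names, zone names and sample addresses are assumed. 203.0.113.0/24 is the documentation range used here as a stand-in for real external IPs.

```python
import ipaddress

# Constructed sample data: what each authoritative nameserver answered for the
# same zone. ns2 still hands out the node's LAN address for www and has an older
# SOA serial, which is the "ns2 states 10.0.0.57" situation from the thread.
SAMPLE_ANSWERS = {
    "ns1.example.net": {
        "A": {"www.example.com": ["203.0.113.57"], "mail.example.com": ["203.0.113.52"]},
        "SOA_SERIAL": {"example.com": 2024112601},
    },
    "ns2.example.net": {
        "A": {"www.example.com": ["10.0.0.57"], "mail.example.com": ["203.0.113.52"]},
        "SOA_SERIAL": {"example.com": 2024112405},
    },
}

# Node-only ranges that must never appear in a public zone: RFC 1918 for IPv4
# and the unique-local range for IPv6.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_private(addr: str) -> bool:
    """True if addr is a LAN-only address (RFC 1918 or IPv6 ULA)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def private_answers(answers):
    """(nameserver, name, ip) for every A/AAAA answer that is a private address."""
    found = []
    for ns, data in answers.items():
        for rtype in ("A", "AAAA"):
            for name, ips in data.get(rtype, {}).items():
                for ip in ips:
                    if is_private(ip):
                        found.append((ns, name, ip))
    return found


def disagreeing_records(answers):
    """Names whose A/AAAA answers differ between nameservers; usually means the
    secondary has not transferred the current zone from the primary."""
    by_name = {}
    for ns, data in answers.items():
        for rtype in ("A", "AAAA"):
            for name, ips in data.get(rtype, {}).items():
                by_name.setdefault((rtype, name), set()).add(tuple(sorted(ips)))
    return sorted(name for (rtype, name), seen in by_name.items() if len(seen) > 1)


def soa_out_of_sync(answers):
    """Zones whose SOA serial differs across nameservers (what intodns reports)."""
    serials = {}
    for ns, data in answers.items():
        for zone, serial in data.get("SOA_SERIAL", {}).items():
            serials.setdefault(zone, set()).add(serial)
    return sorted(zone for zone, s in serials.items() if len(s) > 1)


def ptr_name(addr: str) -> str:
    """Reverse-lookup owner name for addr: 10.0.0.52 -> 52.0.0.10.in-addr.arpa.
    PTR owner names carry the octets reversed, which is how a '52.0.0.10' can
    show up in a report without that range being used anywhere."""
    return ipaddress.ip_address(addr).reverse_pointer


if __name__ == "__main__":
    print("private IPs in public answers:", private_answers(SAMPLE_ANSWERS))
    print("records differing between nameservers:", disagreeing_records(SAMPLE_ANSWERS))
    print("zones with mismatched SOA serial:", soa_out_of_sync(SAMPLE_ANSWERS))
    print("PTR owner name for 10.0.0.52:", ptr_name("10.0.0.52"))
```

    Run the queries from a host outside the LAN: as till notes above, a node inside the multiserver setup resolves its peers through /etc/hosts and will legitimately report the 10.0.0.x addresses.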
  15. chief

    chief Member HowtoForge Supporter

    Under DNS -> Zones -> Domain
    I have an NS record of the external IP
    Zone settings tab -> Allow Zone transfers to -> I have tried both the internal IP and the external IP - what is recommended?
    Secondary DNS-Zones -> Domain -> NS2, client, their domain, NS1 external IP, allow = ns2 internal IP - again, what should this be, internal IP or external?
     
    Last edited: Nov 26, 2024
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    It depends on how you set this up and if one server can reach the other one by internal IP. Normally, you use the internal one there if the second name server can reach the first one by internal IP by its name.

    You do not have to set any allow there as no other server needs to be allowed to copy from the secondary. It's the secondary that connects to the primary. But you must use the internal IP as IP of the primary DNS if your systems are connected over your internal network.

    You might want to consider contacting @Th0m from ISPConfig business support here https://www.ispconfig.org/get-support/?type=ispconfig to set this up for you for your first zone and check the server interconnections.
     
  17. remkoh

    remkoh Active Member HowtoForge Supporter

    I assume NS1 and NS2 are on the same LAN.
    Then use internal IPs for zone transfers and notifications.
    All A and AAAA records within your DNS zones need to be external IPs.
     
    chief likes this.
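    What the two previous replies describe, expressed as BIND 9 zone stanzas, as an added illustration that is not ISPConfig's generated configuration (ISPConfig writes its own named config from the panel settings). Zone name, file paths and the LAN addresses (10.0.0.50 for NS1, 10.0.0.51 for NS2) are assumed; the mapping of the panel fields "Allow Zone transfers to" and the secondary zone's "NS (IP-address)" onto allow-transfer and primaries is my reading of the thread, not documented here.

```conf
# Added example (not ISPConfig's generated config). Assumed addresses:
# NS1 = 10.0.0.50, NS2 = 10.0.0.51, both on the same internal LAN.

# On NS1 (primary): only NS2's LAN address may pull the zone, and NS2 is
# notified on its LAN address, so transfers never leave the internal network.
zone "example.com" {
    type primary;
    file "/etc/bind/pri.example.com";
    allow-transfer { 10.0.0.51; };
    also-notify { 10.0.0.51; };
};

# On NS2 (secondary): fetch the zone from NS1's LAN address. No allow-transfer
# is needed here, since nothing copies the zone from the secondary.
zone "example.com" {
    type secondary;
    primaries { 10.0.0.50; };
    file "/var/cache/bind/sec.example.com";
};

# The records inside pri.example.com still carry EXTERNAL addresses, e.g.
#   www   IN  A   <external IP of the web node>
# and never the 10.0.0.x node addresses; only the transfer path is internal.
```

    On BIND releases older than 9.16 the keywords are `master`, `slave` and `masters` instead of `primary`, `secondary` and `primaries`.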
  18. chief

    chief Member HowtoForge Supporter

    Thanks Till,
    To confirm, for NS1 to NS2 replication:
    Zones -> Zone Settings -> Allow Zone transfers - I don't need to add anything here
    The magic is here:
    Secondary DNS-Zone on NS2 - NS (IP-address) = Primary NS1, Allow = not used..
     
  19. chief

    chief Member HowtoForge Supporter

    Till,
    Does this relate to my issue?
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    No, it's completely unrelated. There are no issues with zone transfers and there were no issues in the past. What is mentioned there is about server mirroring (which you don't use) which does not work with DNSSEC in general.
     
    chief likes this.
