Friday, 11 January 2008

Set up a secondary Domain Name Server with bind9 on Ubuntu Linux

In my spare time, I manage the technical side of a small web agency I created with a friend when I was in my second year of engineering school. It's named 123monsite.com.

Tonight I dug into the secondary (slave) DNS server subject. Until now, we used a DNS server from our registrar as DNS backup.

But as we grow, we need more servers, and a secondary DNS of our own is becoming handy.

We've rented a Dedibox from the free.fr ISP (a server for 30€/month: VIA 2GHz CPU, 2GB RAM, 160GB HDD, 5GB of monthly backup).

I chose Ubuntu Feisty Server (7) among all the OSes available (many Linux flavours and some Windows).

So here is how I set up my secondary domain name server on my ubuntu server with bind9.


Let's say the primary name server is ns0.primarydomain.com (80.1.1.1).
The secondary will be ns1.primarydomain.com (80.2.2.2).

And the domain we want to be handled by both servers is myDomain.com (90.9.9.9).


Give your secondary server a domain name



The primary domain primarydomain.com can't be handled by your master DNS server itself (ns0.primarydomain.com). It must be another DNS server that handles it (usually your registrar's DNS servers).

So, go to the registrar web interface of your primarydomain.com

and add a new A record like:

ns1 A 80.2.2.2

so that ns1.primarydomain.com points to 80.2.2.2

(replace the IP with the IP of your secondary server)

This modification may take up to 48 hours depending on which gTLD (com/net/org) or ccTLD (fr/uk/de) you are in. It can be very quick for ccTLDs and the biz/info gTLDs.

Once it is done, you need to make sure that your server's reverse DNS is correct.
That is the means of getting the name of a server from its IP. It's very important: without a reverse DNS entry, your server will be flagged as a spam server by most mail servers (a server with an IP but no domain name is very suspicious).

You need to contact your registrar in order to know how to do that.
I'm currently trying to achieve that; a zone check still gives me a warning about no reverse DNS for the slave DNS server.

Slave server: update the server & install bind9



server update (don't know why, but sudo is not enough, I need to switch to root to do this):
sudo su -
apt-get update; apt-get upgrade; exit

bind9 install:
sudo apt-get install bind9


Ensure that both servers are reachable on port 53 tcp & udp



For your secondary server to replicate the myDomain.com zone, and for the zone to be reachable by clients who want the IP of myDomain.com, TCP and UDP port 53 must be open on both servers.

To check, you can use nmap (from a machine which is not behind a firewall that restricts outgoing communication):

sudo nmap -sU -O -p 53 ns0.primarydomain.com
sudo nmap -sU -O -p 53 ns1.primarydomain.com


It should display something like this:

root@ns1:/usr/local/bin# nmap -sU -O -p 53 ns0.primarydomain.com

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-31 00:43 CET
Interesting ports on ns0.primarydomain.com (XX.YY.ZZ.WW):
PORT   STATE         SERVICE
53/udp open|filtered domain
Too many fingerprints match this host to give specific OS details

OS detection performed. Please report any incorrect results at http://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 3.92 seconds

53/udp is open. (nmap reports "open|filtered" for UDP because an open UDP port that does not answer an empty probe looks the same as a filtered one; a real query such as "dig @ns0.primarydomain.com myDomain.com" is the definitive check.)

Edit your slave /etc/bind/named.conf



Edit the secondary server's /etc/bind/named.conf file and add at the end of the file:

zone "myDomain.com" {
    type slave;
    file "myDomain.com.backup";
    masters { 80.1.1.1; };
};


  • type slave; indicates it's a secondary (slave) server
  • file "myDomain.com.backup"; indicates where the replicated zone should be stored on the file system. A relative path is resolved against the "directory" option of named.conf.options, which on Ubuntu is /var/cache/bind, so in this case it would be /var/cache/bind/myDomain.com.backup
  • masters { ip; }; indicates the IP of the master server



On the master server: restrict zone replication to your secondary DNS server and edit your myDomain.com zone file



You may restrict which IPs are allowed to transfer your zones from the master server.

On your master server, in each zone you can add:

zone "myDomain.com" {
    type master;
    file "masters/myDomain.com";

    allow-transfer {
        127.0.0.1;  // localhost
        80.2.2.2;   // my secondary DNS
        80.4.4.4;   // registrar secondary DNS
    };
};


If you use one of your registrar's DNS servers as a backup, you can add its IP to the list so you'll have 2 backup servers.

Now, you need to add ns1.primarydomain.com as a valid secondary name server.

So edit your zone file on the master server (mine are in /etc/masters/myDomain.com),

and update your serial number with the current date reversed (YYYYMMDD) followed by the number of updates of the day on 2 digits:

2008011101

$TTL 86400
@       IN SOA   ns0.primarydomain.com. postmaster.primarydomain.com. (
                2008011101  ; serial number
                7200        ; refresh (21600)
                900         ; retry (3600)
                3600000     ; expire
                86400 )     ; minimum

; name servers
; ----------------
        IN NS    ns0.primarydomain.com.
        IN NS    ns1.primarydomain.com.
        IN NS    ns.registardomain.com.



Don't forget the ending dot on each domain name!

This tells named that the name is absolute (relative to the root) and not relative to the zone's origin.

If you forget the ending dot on ns1.primarydomain.com, named will use the following name:

ns1.primarydomain.com.theCurrentServerDomainName.com

instead of

ns1.primarydomain.com
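The two rules above (the serial as YYYYMMDDNN, and trailing dots on fully qualified names) are easy to get wrong by hand, so here is a small shell helper, added for this article and not part of the original post. next_serial computes the next serial from the current one and today's date without ever going backwards (a secondary only reloads the zone when the serial grows), and unqualified_targets lists NS, CNAME and MX targets that look fully qualified but lack the trailing dot; a bare label such as "mail" is legitimately relative to the origin and is not reported. The function names and the sample zone file are constructed for the example.

```bash
#!/bin/sh
# Added example (not from the original post): zone-file hygiene helpers for the
# serial convention and the trailing-dot rule described above. The names
# next_serial, unqualified_targets and the sample zone are constructed here.

# next_serial CURRENT_SERIAL TODAY
#   CURRENT_SERIAL is YYYYMMDDNN (date reversed + 2-digit change counter),
#   TODAY is YYYYMMDD. Prints the serial to write into the SOA.
next_serial() {
    cur=$1
    today=$2
    case $cur in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "serial '$cur' is not YYYYMMDDNN" >&2; return 1 ;;
    esac
    cur_date=${cur%??}          # first 8 digits: the date part
    cur_count=${cur#????????}   # last 2 digits: the change counter
    if [ "$cur_date" -lt "$today" ]; then
        # first change of a new day
        printf '%s01\n' "$today"
    elif [ "$cur_date" -eq "$today" ]; then
        # another change today: bump the counter, which must stay 2 digits
        n=$(( ${cur_count#0} + 1 ))
        if [ "$n" -gt 99 ]; then
            echo "more than 99 changes on $today; serial $cur cannot be bumped" >&2
            return 1
        fi
        printf '%s%02d\n' "$today" "$n"
    else
        # serial already ahead of today's date (clock skew, earlier mistake):
        # secondaries only reload when the number grows, so never go backwards
        printf '%d\n' $(( cur + 1 ))
    fi
}

# unqualified_targets ZONEFILE
#   Prints NS/CNAME/MX targets that contain a dot but do not end with one:
#   those are the names named would silently append the origin to.
unqualified_targets() {
    awk '
        { sub(/;.*/, "") }                      # drop comments
        {
            for (i = 1; i < NF; i++) {
                if ($i == "NS" || $i == "CNAME") t = $(i + 1)
                else if ($i == "MX" && i + 2 <= NF) t = $(i + 2)
                else continue
                if (t ~ /\./ && t !~ /\.$/) print t
            }
        }' "$1"
}

# Constructed sample zone: two records deliberately miss the trailing dot.
SAMPLE_ZONE=$(mktemp)
trap 'rm -f "$SAMPLE_ZONE"' EXIT
cat > "$SAMPLE_ZONE" <<'EOF'
$TTL 86400
@       IN SOA   ns0.primarydomain.com. postmaster.primarydomain.com. (
                2008011101  ; serial
                7200        ; refresh
                900         ; retry
                3600000     ; expire
                86400 )     ; minimum
; name servers
        IN NS    ns0.primarydomain.com.
        IN NS    ns1.primarydomain.com
        IN NS    ns.registrardomain.com.
www     IN CNAME myDomain.com
mail    IN A     90.9.9.9
        IN MX 10 mail
EOF

echo "next serial: $(next_serial 2008011101 20080111)"   # 2008011102
echo "targets missing the trailing dot:"
unqualified_targets "$SAMPLE_ZONE"   # ns1.primarydomain.com, myDomain.com
```

Run it before named-checkzone: the checker accepts a relative "ns1.primarydomain.com" without complaint, because ns1.primarydomain.com.myDomain.com is a perfectly valid (if nonexistent) name.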


Before reloading named, check the syntax of named.conf and of your myDomain.com zone:

named-checkconf /etc/bind/named.conf
named-checkzone myDomain.com /etc/masters/myDomain.com

named-checkzone prints something like:

zone myDomain.com/IN: loaded serial 2008011202
OK

named-checkconf should run silently (i.e. if everything is OK, nothing is printed on the screen; otherwise there's a problem).

Reload named on both servers



/etc/init.d/bind9 reload


Now /var/cache/bind/myDomain.com.backup should be the same as your zone file on the master server,

and in your log file you should see this:

tail -f /var/log/syslog
...
Jan 13 06:13:29 sd-3393 named[3885]: loading configuration from '/etc/bind/named.conf'
Jan 13 06:13:29 sd-3393 named[3885]: no IPv6 interfaces found
Jan 13 06:13:29 sd-3393 named[3885]: zone myDomain.com/IN: Transfer started.
Jan 13 06:13:29 sd-3393 named[3885]: transfer of 'myDomain.com/IN' from 80.1.1.1#53: connected using 80.2.2.2#48850
Jan 13 06:13:29 sd-3393 named[3885]: zone myDomain.com/IN: transferred serial 2008011201
Jan 13 06:13:29 sd-3393 named[3885]: transfer of 'myDomain.com/IN' from 80.1.1.1#53: end of transfer
Jan 13 06:13:29 sd-3393 named[3885]: zone myDomain.com/IN: sending notifies (serial 2008011201)



Now the zone is replicated.
But whenever you restart your named server, it will send a 'notify' to itself (it is listed as an NS of the zone) so the zone can be checked for freshness.

The problem is that currently your named server is not allowed to notify itself.
If you run "service bind9 restart" (or /etc/init.d/bind9 restart) you'll get this in /var/log/syslog:

Jan 18 03:55:57 sd-3393 named[21952]: shutting down: flushing changes
Jan 18 03:55:57 sd-3393 named[21952]: stopping command channel on 127.0.0.1#953
Jan 18 03:55:57 sd-3393 named[21952]: no longer listening on 80.2.2.2#53
Jan 18 03:55:57 sd-3393 named[21952]: no longer listening on 127.0.0.1#53
Jan 18 03:55:57 sd-3393 named[21952]: exiting
Jan 18 03:56:00 sd-3393 named[22062]: starting BIND 9.3.4 -u bind
Jan 18 03:56:00 sd-3393 named[22062]: found 1 CPU, using 1 worker thread
Jan 18 03:56:00 sd-3393 named[22062]: loading configuration from '/etc/bind/named.conf'
Jan 18 03:56:00 sd-3393 named[22062]: no IPv6 interfaces found
Jan 18 03:56:00 sd-3393 named[22062]: listening on IPv4 interface eth0, 80.2.2.2#53
Jan 18 03:56:00 sd-3393 named[22062]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 18 03:56:00 sd-3393 named[22062]: command channel listening on 127.0.0.1#953
Jan 18 03:56:00 sd-3393 named[22062]: zone 0.in-addr.arpa/IN: loaded serial 1
Jan 18 03:56:00 sd-3393 named[22062]: zone 127.in-addr.arpa/IN: loaded serial 1
Jan 18 03:56:00 sd-3393 named[22062]: zone 255.in-addr.arpa/IN: loaded serial 1
Jan 18 03:56:00 sd-3393 named[22062]: zone myDomain.com/IN: loaded serial 2008011203
Jan 18 03:56:00 sd-3393 named[22062]: zone localhost/IN: loaded serial 1
Jan 18 03:56:00 sd-3393 named[22062]: running
Jan 18 03:56:00 sd-3393 named[22062]: zone myDomain.com/IN: sending notifies (serial 2008011203)
Jan 18 03:56:00 sd-3393 named[22062]: client 80.2.2.2#33392: received notify for zone 'myDomain.com'
Jan 18 03:56:00 sd-3393 named[22062]: zone myDomain.com/IN: refused notify from non-master: 80.2.2.2#33392


To correct this, edit your /etc/bind/named.conf.options and add the following before the closing };

allow-notify { 80.2.2.2; };


Don't forget to replace the IP with your slave server's IP.

Now restart named and you should see the following:

Jan 18 03:57:03 sd-3393 named[22062]: shutting down: flushing changes
Jan 18 03:57:03 sd-3393 named[22062]: stopping command channel on 127.0.0.1#953
Jan 18 03:57:03 sd-3393 named[22062]: no longer listening on 80.2.2.2#53
Jan 18 03:57:03 sd-3393 named[22062]: no longer listening on 127.0.0.1#53
Jan 18 03:57:03 sd-3393 named[22062]: exiting
Jan 18 03:57:06 sd-3393 named[22117]: starting BIND 9.3.4 -u bind
Jan 18 03:57:06 sd-3393 named[22117]: found 1 CPU, using 1 worker thread
Jan 18 03:57:06 sd-3393 named[22117]: loading configuration from '/etc/bind/named.conf'
Jan 18 03:57:06 sd-3393 named[22117]: no IPv6 interfaces found
Jan 18 03:57:06 sd-3393 named[22117]: listening on IPv4 interface eth0, 80.2.2.2#53
Jan 18 03:57:06 sd-3393 named[22117]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 18 03:57:06 sd-3393 named[22117]: command channel listening on 127.0.0.1#953
Jan 18 03:57:06 sd-3393 named[22117]: zone 0.in-addr.arpa/IN: loaded serial 1
Jan 18 03:57:06 sd-3393 named[22117]: zone 127.in-addr.arpa/IN: loaded serial 1
Jan 18 03:57:06 sd-3393 named[22117]: zone 255.in-addr.arpa/IN: loaded serial 1
Jan 18 03:57:06 sd-3393 named[22117]: zone myDomain.com/IN: loaded serial 2008011203
Jan 18 03:57:06 sd-3393 named[22117]: zone localhost/IN: loaded serial 1
Jan 18 03:57:06 sd-3393 named[22117]: running
Jan 18 03:57:06 sd-3393 named[22117]: zone myDomain.com/IN: sending notifies (serial 2008011203)
Jan 18 03:57:08 sd-3393 named[22117]: client 80.2.2.2#33392: received notify for zone 'myDomain.com'
Jan 18 03:57:08 sd-3393 named[22117]: zone myDomain.com/IN: notify from 80.2.2.2#33392: zone is up to date



Now let's say you have a second domain mySecondDomain.com handled by your master DNS server.

If you add
IN NS ns2.primarydomain.com.

to the mySecondDomain.com zone file on the master server without having updated named.conf on the slave DNS server (ns2.primarydomain.com),

you'll get the following message in /var/log/syslog of your slave DNS server:

Jan 18 04:43:59 sd-3393 named[22117]: client 80.1.1.1#49917: received notify for zone 'mySecondDomain.com': not authoritative


It says you're not authoritative because the zone mySecondDomain.com is not yet configured in your slave's named.conf.

Add it exactly like the first domain, reload, and it's done.


If you manage lots of domains (like I do, 153 domains as of today!) with your master DNS server, you may find messages like this in the SLAVE's /var/log/syslog:

Jan 18 05:06:48 sd-3393 named[22117]: zone myDomainXXXX.com/IN: zone transfer deferred due to quota


Don't panic, it just tells you that the transfer of this zone is delayed because the slave server transfers only 10 zones (the quota) at a time.

The transfer will be retried later; check later in the log file and you'll see the transfer.
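To keep an eye on the three situations described above (a notify refused as coming from a non-master, a notify for a zone the slave does not carry, and transfers deferred by the quota that never completed), here is a shell report over the slave's syslog, added as an example and not from the original post. It tags each problem zone and only reports a deferred transfer as pending when no later "transferred serial" line exists for the same zone. The function name slave_log_report and the embedded log lines are constructed (the lines mirror the formats shown above).

```bash
#!/bin/sh
# Added example (not from the original post): summarise BIND slave problems
# from syslog. slave_log_report and the sample log below are constructed.

# slave_log_report LOGFILE
#   Prints one tagged line per problem zone:
#     NOTIFY-FROM-NON-MASTER <zone> <source ip>  -> add the IP to allow-notify
#     MISSING-ON-SLAVE <zone>                    -> zone not in the slave named.conf
#     PENDING-TRANSFER <zone>                    -> deferred by quota, not seen transferred yet
slave_log_report() {
    awk '
        # zone name out of a "zone NAME/IN:" message (the first such token)
        function zone_of(s) {
            match(s, /zone [^ ]+\/IN:/)
            return substr(s, RSTART + 5, RLENGTH - 9)
        }
        /zone transfer deferred due to quota/ { deferred[zone_of($0)] = 1 }
        /transferred serial/                  { done[zone_of($0)] = 1 }
        /refused notify from non-master/ {
            src = $0
            sub(/.*non-master: /, "", src); sub(/#.*/, "", src)
            print "NOTIFY-FROM-NON-MASTER " zone_of($0) " " src
        }
        /received notify for zone .*: not authoritative/ {
            z = $0
            sub(/.*for zone /, "", z); sub(/: not authoritative.*/, "", z)
            gsub(/[^A-Za-z0-9.-]/, "", z)      # strip the quotes
            print "MISSING-ON-SLAVE " z
        }
        END { for (z in deferred) if (!(z in done)) print "PENDING-TRANSFER " z }
    ' "$1" | LC_ALL=C sort -u
}

# Constructed sample log in the format shown in the article.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 18 03:56:00 sd-3393 named[22062]: zone myDomain.com/IN: Transfer started.
Jan 18 03:56:00 sd-3393 named[22062]: zone myDomain.com/IN: transferred serial 2008011203
Jan 18 03:56:00 sd-3393 named[22062]: client 80.2.2.2#33392: received notify for zone 'myDomain.com'
Jan 18 03:56:00 sd-3393 named[22062]: zone myDomain.com/IN: refused notify from non-master: 80.2.2.2#33392
Jan 18 04:43:59 sd-3393 named[22117]: client 80.1.1.1#49917: received notify for zone 'mySecondDomain.com': not authoritative
Jan 18 05:06:48 sd-3393 named[22117]: zone zoneA.com/IN: zone transfer deferred due to quota
Jan 18 05:06:48 sd-3393 named[22117]: zone zoneB.com/IN: zone transfer deferred due to quota
Jan 18 05:08:10 sd-3393 named[22117]: zone zoneA.com/IN: transferred serial 2008011801
EOF

slave_log_report "$SAMPLE_LOG"
# MISSING-ON-SLAVE mySecondDomain.com
# NOTIFY-FROM-NON-MASTER myDomain.com 80.2.2.2
# PENDING-TRANSFER zoneB.com
```

On a real slave, run it as "slave_log_report /var/log/syslog" after a restart; zoneA.com is not listed because its deferred transfer later completed, which is the normal outcome the article describes.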

Problems



On my first try, I made a try with primarydomain.com, which is the domain of the master DNS server (which is silly if you think twice about it ;o).

I got the following message:
zone primaryDomain.com/IN: refresh: non-authoritative answer from master 80.1.1.1#53 (source 0.0.0.0#0)


Which is correct: primaryDomain.com is handled by your registrar's DNS and your server cannot be authoritative for it. The authoritative server for primaryDomain.com is the registrar's DNS server.

So I tried with another domain my primary DNS server handles (myDomain.com) and it works.

I've read that this error often occurs when:

  • you're editing the wrong named.conf file. Try running 'sudo service bind9 stop; sudo named -g'. The third line will show you the configuration file used
  • you're running two copies of named (ps -edf | grep named)
  • the zone file on the master server has a problem; check the zone syntax with named-checkzone as shown above



Documentation:

4 comments:

Szemy said...

Thanks!! :)

Good how-to! :)

Tono Riesco said...

My God... 2 days looking at the documentation of Bind, looking at all the posts around the web... everything about a problem with master -> slave, and you solved the problem!!!

Thank you very much!

Admin

Manson Thomas said...

Yeah, the learning curve can be slow to go up!

quydo x said...

thank you, bro :D