Pri & Slave DNS HOWTO (FC4)
Posted by ppettigrew, 1st April 2006, 16:35

Hi,

As a small token of thanks for using ISPConfig, I hope this HOWTO will help others solve an issue that had our team stumped for too long. Searching the posts here and Google confirmed we were far from alone - but there was no single answer.....until now ;-)

The Issue - "failed while receiving responses: permission denied" error showing up in /var/log/messages on our Slave DNS server

The Setup - 1x Perfect FC4 ISPConfig setup as the Pri DNS and hosting server; 1x Perfect FC4 ISPConfig setup (offsite and via a different comms link) as a slave / secondary DNS

The outcome - allows you to create sites/DNS on the Pri server, and a Slave DNS record on the Sec server, and the Sec server's DNS records will be automatically kept in synch thereafter.

The recipe..........


This assumes you have completed your ISPConfig installations on the 2x servers per the Perfect FC4 instructions.

We will be making some changes to each of the servers below, and then make "some changes" in ISPConfig DNS entries via the ISPConfig web interface to force the update of /etc/named.conf with the template values below....

Substitute your own IP addresses, as the ones below are not real:
- 222.333.444.01 = Pri
- 222.333.555.02 = Slave

On each server, edit the following file with the content laid out respectively below:
# vi /root/ispconfig/isp/conf/named.conf.master

=============================================
ns1 / Primary
=============================================
options {
    pid-file "/var/named/chroot/var/run/named/named.pid";
    directory "/var/named/chroot/var/named";
    auth-nxdomain no;
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    query-source address * port 53;

    // Closed DNS - permits only local IPs to issue recursive queries
    // remove if an Open DNS required to support all users
    // or add additional ranges
    // allow-recursion {192.168.3.0/24;};
    allow-recursion { localhost; };

    // when zone information changes, NOTIFY messages are sent from
    // zone masters to the slaves defined in the NS records for
    // the zone
    notify yes;

    // Allow transfer (copy) from following slave DNS server(s)
    allow-transfer {
        222.333.555.02;
    };
};

=============================================
ns2 / Slave
=============================================
options {
    pid-file "/var/named/chroot/var/run/named/named.pid";
    directory "/var/named/chroot/var/named";
    auth-nxdomain no;
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    query-source address * port 53;

    // Closed DNS - permits only local IPs to issue recursive queries
    // remove if an Open DNS required to support all users
    // or add additional ranges
    // allow-recursion {192.168.3.0/24;};
    allow-recursion { localhost; };

    // Allow notifies from our master DNS server
    allow-notify { 222.333.444.01; };

    // Disable all zone transfer requests (this is just a slave server)
    allow-transfer { "none"; };

    // NB - need to add the slaves/ prefix to the named_slave
    // DYNAMIC BLOCK below, otherwise will get permission issues
    // on the slave server in /var/log/messages such as this:
    // failed while receiving responses: permission denied
};



<!-- BEGIN DYNAMIC BLOCK: named_slave -->
zone "{DOMAIN}" {
    type slave;
    file "slaves/sec.{DOMAIN}";
    masters { {MASTERS}; };
};
=============================================

You can check the changes have propagated by looking on each server at the following file (NB - do not edit this file directly):
# vi /etc/named.conf

Hope this helped others and congratulations to all in the ISPConfig community. Great application!

Cheers,

Paul
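
Added example, not part of the original post and not ISPConfig's own code: a small shell check that lists slave zones in a generated named.conf whose file path lacks the slaves/ prefix the post calls for. The function names, the sample zones (example.com, example.net, example.org) and the 192.0.2.1 master address are constructed for illustration, and the parser assumes one statement per line, as in the template above.

```shell
#!/bin/sh
# Print "<zone> <file>" for every slave zone whose file is not under slaves/.
# Assumes one statement per line, as produced by the template in the post.
audit_slave_zones() {
    awk '
        /^[ \t]*zone[ \t]+"/ {                 # start of a zone block
            split($0, q, "\""); zone = q[2]; type = ""; file = ""
        }
        zone != "" && /^[ \t]*type[ \t]+/ {    # e.g. "type slave;"
            t = $0; sub(/^[ \t]*type[ \t]+/, "", t); sub(/[ \t]*;.*/, "", t)
            type = t
        }
        zone != "" && /^[ \t]*file[ \t]+"/ {   # e.g. file "slaves/sec.x";
            split($0, q, "\""); file = q[2]
        }
        zone != "" && /^[ \t]*};/ {            # end of the zone block
            if (type == "slave" && file !~ /^slaves\//) print zone " " file
            zone = ""
        }
    ' "$1"
}

# Constructed sample resembling a generated /etc/named.conf on the slave.
sample_named_conf() {
    cat <<'EOF'
options {
    directory "/var/named/chroot/var/named";
    allow-notify { 192.0.2.1; };
    allow-transfer { "none"; };
};
zone "example.com" {
    type slave;
    file "slaves/sec.example.com";
    masters { 192.0.2.1; };
};
zone "example.net" {
    type slave;
    file "sec.example.net";
    masters { 192.0.2.1; };
};
zone "example.org" {
    type master;
    file "pri.example.org";
};
EOF
}

conf=$(mktemp)
sample_named_conf > "$conf"
audit_slave_zones "$conf"      # lists only the zone missing the prefix
rm -f "$conf"
```

To check a real server, call audit_slave_zones /etc/named.conf on the slave; no output means every slave zone file is under slaves/.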