Multiserver-Setup - Problems with DNS-Server

Discussion in 'Installation/Configuration' started by Rabenkind, Feb 22, 2018.

  1. Rabenkind

    Rabenkind Member

    apart from my problems when importing a Zone file there are also other problems.

    1) Master-Slave replicants
    When having many DNS-Servers where one is the Master and two are the Slaves there is no easy option for defining those.
    First you have to define the servers who you want to replicate to in the main menu and then you need to add two entries in the Secondary DNS-Zone section. However they only replicate if you start and stop bind manually on the Master server. (I don't know why this doesn't work automatically.) When using a slave server that is not running with ISPConfig and you use the ISPConfig as a Master you have to do this as well. maybe this is a bug?

    2) Trusted acl's
    normally the trustes acl's would go into the named.conf.local however that is totaly overwritten by ispconfig. putting it in the named.conf.options works - is this update-safe?

    3) add replicate servers in webinterface
    When you use the field for adding servers you want to replicate to you get displayed a list of ALL Servers (not only DNS-Servers) klicking on one will add it to the field - then you type a comma and try to add a second server - and the first entry gets changed ...
    I have two problems with this.
    a) this field should only list DNS-Servers ... everything else makes no sense.
    b) klicking on a second server should add the second server - not change the first entry (there are sanity checks nonteless so you can check for duplicates AND add a second entry.)

    4) Main Menu "DNS"
    usability problems.
    a) when you click on "DNS" in the main-navigation you get a list of all DNS entries. Good.
    b) when you are somewhere inside the menu you have to click on DNS to get back to the list wich is the 4th entry on the left-side which is somewhat painfull because we always click the topmost item to get to the main list ... but maybe that is just my company...

    thanks for your answers.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The opzpn is so easy that you did not seem to have recognized it. Go to system > server services, click on the first mirror, select the master in the 'is mirror of'f field, click save. Then do the same with the second mirror, the thirs mirror and so on, ispconfig is not limited in the number of dns mirrors, you can have dozens or even hundreds of mirrors and all the mirroring happens in the background automatcally.

    No, you never do that for an iSPConfig mirror. slave zones are not used at all in mirroring with ISPConfig. This option exists for the sole reason to be able to provide slave dns service for non ispconfig masters.

    Yes, the options file is for custom changes of the gloval config.

    Replication is not limited to dns, so all servers have to show up there.

    I explained above how replication works.
     
  3. Rabenkind

    Rabenkind Member

    interesting ... seems I got it partly wrong ...
     
  4. Rabenkind

    Rabenkind Member

    ok,
    I removed one of my ISPConfig DNS servers from the line where to allow zone transfers to. Then I removed it from the secondary dns-zone. Then I made the removed server as a mirror of the master dns server and saved it. then i restarted bind on the master server. I suppose the zone files should go to /etc/bind/slave/ on the mirror. but there are none.

    EDIT: They are in /etc/bind/ but they have an .err at the end of each file...
     
    Last edited: Feb 22, 2018
  5. Rabenkind

    Rabenkind Member

    Am I reading this correct? Zone transfers can go any server not only DNS servers?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    No, that's not what shall happen.

    1) Go to System >Server services, click on the secondary server and select the primary server in the 'is mirror of' field.
    2) Go to the dns manager, create a new primary dns zone on the master server, it does not matter if you use the wizard or not.
    3) Wait a minute (until the red dot in the upper menu disappaered. Bow query your dns servers for the zone:

    dig @ns1.yourdomain.tld otherdomain.tld
    dig @ns2.yourdomain.tld otherdomain.tld

    and you will see that both servers respond with the correct zone data automatically. You can have dozens or hundreds or mirrors, this does not matter for ispconfig, they will all get updated and configured automatcally.

    That's not about DNS only. Any service can get mirrored to any other server. E.g. I have a customer that mirrors more than 16 000 mailboxes like this on a 6 node ISPConfig server and that's not the limit, just the amount of mailboxes he hosts at the moment and when his setup grows, he simply adds another mirror.
     
  7. Rabenkind

    Rabenkind Member

    Ok, so far this seems to be working. I am just a bit confused about "adding another mirror" ... we are speaking of mirros in terms of "slaves/copies" right? So when one goes down the other has all the data needed for functioning without incident? or not?

    EDIT Sorry. this is not working. on my mirror I have files in /etc/bind/ that look like pri.domain.tld.err whlie on the master they are looking like pri.domain.tld .
    I also get a non authoritive answer with nslookup.
     
    Last edited: Feb 22, 2018
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Mirroring means that several servers have the same config, this can be used for different kinds of setups. One use case is a hot standby system like you mentioned it. One of the most simple use cases is a dns mirror like you set it up now. Another use case is to scale a web server or mail server setup like in my example where 6 servers provide 16 thousand mailboxes and each mailbox is accessible on each of the six servers, in front of such a setup you have a load balancer. The mail client connects to the load balancer and the load balancer connects then to one of the six mirrored nodes. This allows you to shut down single nodes for maintenance without affecting the overall setup. The actual email data is stored in a storage area network where all nodes connect to.
     
  9. Rabenkind

    Rabenkind Member

    Ok, what you need as an ISP are a minimum of two nameservers (three recomended) so this needs to be an answering DNS-Server not just a standby.

    I suppost it would work as soon as I find out why it produces files that end with .err
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    What you configured is an answering DNS slave server of course and if you add 3, 5 or 100 does not matter at all, they are all installed in the exact same way as ns2 and will mirror all changes from ns1 automatically.

    A .err file gets written when BIND rejected your zone file. Common mistakes are that users forget t ADD A-Records for the ns records or similar things. Either look at the zone file directly if you are familiar with BINF zonefile syntax or use the named-checkzone command to get the exact error message from BIND directly.
     
  11. Rabenkind

    Rabenkind Member

    We are working with bind since 1997, never had any problems with our files.
    Since Nameservers are publically known, I am allowed to post an example here.

    Original file from a working bind nameserver which we exported to import it in ISPConfig:
    Code:
    $ORIGIN .
    $TTL 800    ; 13 minutes 20 seconds
    rabenkind.at        IN SOA    ns.innonet.at. administrator.innonet.at. (
                    2018021300 ; serial
                    3600       ; refresh (1 hour)
                    1800       ; retry (30 minutes)
                    604800     ; expire (1 week)
                    1800       ; minimum (30 minutes)
                    )
                NS    ns1.innonet.at.
                NS    ns2.innonet.at.
                NS    ns3.innonet.at.
                MX    10 1aamx1.innonet.at.
                TXT    "v=spf1 mx:1aamx1.innonet.at ~all"
    $ORIGIN rabenkind.at.
    imap            CNAME    1aamx1.innonet.at.
    localhost        A    127.0.0.1
    mail            CNAME    1aamx1.innonet.at.
    pop            CNAME    1aamx1.innonet.at.
    smtp            CNAME    1aamx1.innonet.at.
    www            A    185.143.180.120
                AAAA    2a07:3740:b98f:180::120
    File after getting it working with ISPConfig: (Note: this file works)
    Code:
    $TTL        800
    @       IN      SOA     dns189.innonet.at. administrator.innonet.at. (
                            2018022203       ; serial, todays date + todays serial #
                            3600              ; refresh, seconds
                            1800              ; retry, seconds
                            604800              ; expire, seconds
                            1800 )            ; minimum, seconds
    ;
    
    localhost 3600 A        127.0.0.1
    www 800 A        185.143.180.120
    rabenkind.at. 800      AAAA        2a07:3740:b98f:180::120
    imap 800      CNAME        1aamx1.innonet.at.
    mail 800      CNAME        1aamx1.innonet.at.
    pop 800      CNAME        1aamx1.innonet.at.
    smtp 800      CNAME        1aamx1.innonet.at.
    rabenkind.at. 800      MX    10   1aamx1.innonet.at.
    rabenkind.at. 3600      NS        ns1.innonet.at.
    rabenkind.at. 3600      NS        ns2.innonet.at.
    rabenkind.at. 3600      NS        ns3.innonet.at.
    rabenkind.at. 800      TXT        "v=spf1 mx:1aamx1.innonet.at ~all"
    
    file on the mirror (which does not work)
    Code:
    $TTL        800
    @       IN      SOA     dns189.innonet.at. administrator.innonet.at. (
                            2018022203       ; serial, todays date + todays serial #
                            3600              ; refresh, seconds
                            1800              ; retry, seconds
                            604800              ; expire, seconds
                            1800 )            ; minimum, seconds
    ;
    
    localhost 3600 A        127.0.0.1
    
    when replicating it with the way i told in 1) it gets replicated into /etc/bind/slave/ and looks like this: (Working but encoded)
    Code:
    ^@^@^@^B^@^@^@^AZ~O^Q�^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@e^@^A^@^F^@^@^@^@^C ^@^@^@^A^@^N    rabenkind^Bat^@^@A^Fdns189^Ginnonet^Bat^@^Madministrator^Ginnonet^Bat^@xH~S:^@^@^N^P^@^@^G^H^@  :[email protected]^@^@^G^H^@^@^@4^@^A^@^\^@^@^@^@^C ^@^@^@^A^@^N       rabenkind^Bat^@^@^P*^[email protected]�~O^[email protected]^@^@^@^@^@^@^A ^@^@^@E^@^A^@^P^@^@^@^@^C ^@^@^@^A^@^N    rabenkind^Bat^@^@! v=spf1 mx:1aamx1.innonet.at ~all^@^@^@X^@^A^@^B^@^@^@^@^N^P^@^@^@^C^@^N      rabenkind^Bat^@^@^P^Cns1^Ginnonet^Bat^@^@^P^Cns2^Ginnonet^Bat^@^@^P^Cns3^Ginnonet^Bat^@^@^@^@9^@^A^@^O^@^@^@^@^C ^@^@^@^A^@^N   rabenkind^Bat^@^@^U^@
    ^F1aamx1^Ginnonet^Bat^@^@^@^@<^@^A^@^E^@^@^@^@^C ^@^@^@^A^@^S^Dimap     rabenkind^Bat^@^@^S^F1aamx1^Ginnonet^Bat^@^@^@^@<^@^A^@^E^@^@^@^@^C ^@^@^@^A^@^S^Dmail  rabenkind^Bat^@^@^S^F1aamx1^Ginnonet^Bat^@^@^@^@;^@^A^@^E^@^@^@^@^C ^@^@^@^A^@^R^Cpop   rabenkind^Bat^@^@^S^F1aamx1^Ginnonet^Bat^@^@^@^@<^@^A^@^E^@^@^@^@^C ^@^@^@^A^@^S^Dsmtp  rabenkind^Bat^@^@^S^F1aamx1^Ginnonet^Bat^@^@^@^@,^@^A^@^A^@^@^@^@^C ^@^@^@^A^@^R^Cwww   rabenkind^Bat^@^@^D�~O�x
    
    and the same file replicateing to a bind slave nameserver:
    Code:
    $ORIGIN .
    $TTL 800        ; 13 minutes 20 seconds
    rabenkind.at            IN SOA  dns189.innonet.at. administrator.innonet.at. (
                                    2018022204 ; serial
                                    3600       ; refresh (1 hour)
                                    1800       ; retry (30 minutes)
                                    604800     ; expire (1 week)
                                    1800       ; minimum (30 minutes)
                                    )
    $TTL 3600       ; 1 hour
                            NS      ns1.innonet.at.
                            NS      ns2.innonet.at.
                            NS      ns3.innonet.at.
    $TTL 800        ; 13 minutes 20 seconds
                            MX      10 1aamx1.innonet.at.
                            TXT     "v=spf1 mx:1aamx1.innonet.at ~all"
                            AAAA    2a07:3740:b98f:180::120
    $ORIGIN rabenkind.at.
    imap                    CNAME   1aamx1.innonet.at.
    $TTL 3600       ; 1 hour
    localhost               A       127.0.0.1
    $TTL 800        ; 13 minutes 20 seconds
    mail                    CNAME   1aamx1.innonet.at.
    pop                     CNAME   1aamx1.innonet.at.
    smtp                    CNAME   1aamx1.innonet.at.
    www                     A       185.143.180.120
    
    Can you please tell my how to get the mirroring working? and what ISPConfig is rejecting exactly?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    I explained already what you should do, see #6. And do not add a slave zone as this will stop replication as you can see on your server and replication will fail until this slave zone is fully removed from the server as BIND can noz have the same zone twice on a server. As a side note, recent bind versions encrypt files, but this does not matter as this kind of replication is not used on ISPConfig servers anyway. Regarding .err files, use the named-checkzone tool from BIND.

    And I did not say your BIND files are wrong, bind supports a large number of different ways to write files and the way you used by not specifying the host part at the beginning of a line is not used nor supported by ISPConfig.
     
  13. Rabenkind

    Rabenkind Member

    I posted the contents of a file that ISPConfig writes (Block2) and does not replicate (Block3) (That was your solution see #6 which clearly is not working )and your solution is to
    Cearly this is a replication issue. Because block 2 works AND does get replicated outside ISPConfig (Block5)
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    I told you how to properly setup the migration an I told you that it might be that bind fails when there are artifacts from your wrong attempt to use secondary bind zones. And there are also other options to debug things as described in the FAQ: https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/ I will not copy all the text from above and your other threads, I'm sure you are able to scroll up and read it again yourself and you can rest assured that this works really well. If you are not able to install it properly yourself, then contact Florian from ISPConfig business support to get a quote that he installs the system for you.

    You can reach Florian here:
    http://www.ispconfig.org/get-support/?type=ispconfig
     
  15. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    @Rabenkind I know that DNS replication is working as it is used on so many servers using ISPConfig without problems. If your configuration fails then it is at some point either a server configuration error or a user operating error.
    If you cannot get it working, you should use a business supporter as till suggested. He already offered you more free support than he'd needed (and I'd have done).
     
  16. Rabenkind

    Rabenkind Member

    My CTO already contacted ISPConfig for business support.
    Sysadmins of major companies warned me not to use ISPConfig but I gave it a try nontheless. We purchased the manual we read all the examples and some things are *so well* documented that I sit here im spare time trying to figure out how to get it to work. Till, thank you very much for your help (I appreciate you trying).
     

Share This Page