Setting up your own name service (DNS) with ISPConfig
Internet works with IP numbers and to get from a domain name to its IP number address the Domain Name System DNS is used. You can set up your own name service or use, for example, your hosting provider's name service. Either way, you set up a mapping from Fully Qualified Domain Name to an IP number. For example, FQDN mail.howtoforge.com has address 220.127.116.11.
This tutorial uses domain name xyzzy.tld. Host Name is a name given to a host, for example, foobar. Combining hostname and domain name gives Fully Qualified Domain Name FQDN, for example, foobar.xyzzy.tld.
If the domain is to be used outside your own organization, the domain must be registered. The registrar asks for two name servers. At least some registrars allow registering first and name servers can be given later, maybe up to one month later. But the registrar threatens to revoke your domain name unless it gets two working name servers.
If you want to run your own name servers, you need two name server hosts. If you have only one host, you can set it up to run websites, e-mails, database etc. and name service, but then the second name server must be arranged somehow.
If you provide name service only inside your own organization, you do not need to register the domain and can have only one name server.
The ISPConfig part of this tutorial assumes a multiserver setup has been installed, with one host with everything but name service, and two hosts for name service. Three hosts altogether. The host names are web, ns1, and ns2. You can use only two hosts if web runs also name service and the other hosts is also name server.
Name service has records, several kinds. Set A-records to the IP number of your hosts. If IPv6 is used, it is AAAA-record. If you have three hosts, set up three A records. Set two NS records to the name server hostnames.
Collect the needed information like so:
|host or domain||IP address||Used for|
|xyzzy.tld||192.168.260.71||web page address|
1.1 Using ISPConfig 3.x
Install the three hosts and ISPConfig on them using multiserver setup. I used Debian GNU/Linux 9.5 and ISPConfig 3.1.12 when testing this tutorial.
If you plan to have several domains, it is easier to set up DNS Templates. See ISPConfig manual chapter 18.104.22.168 Templates. Here only one domain is added so templates are not used.
Go to DNS tab and press "Add new DNS zone manually". This zone is the configuration file for your domain, you can consider it is more or less the same thing as the domain you want to use.
The screenshots show how to fill the DNS zone form. If you are setting up this zone for a customer, enter the customer in the form. You can leave it empty if you set this zone for yourself or do not want to create customers in ISPConfig.
Save and go to the Records tab.
In the Records tab, add records by pressing the green button for the desired record. For example, to get A record press the green button with A. When writing FQDN hostnames, remember to add dot character "." at end of the name. Some fields in the ISPConfig DNS forms need it to create a correctly working name service entry. It is easier to write it always than to remember where it is not needed.
You can add more records if you want.
The red ball with a number at top of ISPConfig Panel window shows saving to disk is in progress. The number shows how many records are still to be written. Wait two minutes or until the red ball disappears before testing, otherwise you may be testing the old setups.
If you need more name servers, or maybe you had only one host where you installed ISPConfig, you can add hosts to the ISPConfig setup. For hosts that run only name service, even a small host is sufficient. If you can install Linux and ISPConfig on the host and it has a static IP address you can use it as a name server. You can run it in your office or home, but the static IP address may be hard to get or costly. Hosting providers have small and cheap offerings, and you can get that static IP address. You can set up an ISPConfig multiserver setup, where one host is somewhere and the other host is somewhere else.
If you are confused, read the ISPConfig manual.
1.2 Using Providers name service
Skip this if you already used ISPConfig to set up name service.
If your hosts are on a hosting provider, they probably offer DNS service for their hosting customers. Or you may find a DNS service provider.
On how to use those services, it is difficult to give precise advice. Probably every provider has a different system. However, all of them need you to input the info you gathered in the table at the beginning.
Read the previous chapter and adapt to your provider's input form.
The hosting provider or DNS provider is most likely running a set of name servers, and all DNS customers use those. The name servers are probably named ns1.yourprovider.com, ns2.yourprovider.com. The provider may offer glue records, so your name servers show up named as ns1.xyzzy.tld, ns2.xyzzy.tld instead. Examine your provider's instructions if glue records are available and how to use them.
Remember to check the name service is now working correctly. Log in to ns1 or ns2 host and start testing. This example is running on Debian GNU/Linux 9.5 Stretch, my guess is Ubuntu is pretty much the same. Other operating systems may be different. If testing on windows, it does not have host command, use nslookup instead.
[email protected]:~# host web.xyzzy.tld 192.168.250.73 Using domain server: Name: 192.168.250.73 Address: 192.168.250.73#53 Aliases: web.xyzzy.tld has address 192.168.250.71 [email protected]:~#
The above test shows name server used is 192.168.250.73 and it resolves name web.xyzzy.tld to IP number 192.168.250.71, which is what we want in this case. Testing it like this is useful because
- host command tests name service, if you ping host name it may look up first in /etc/hosts file and thus may not test name service at all.
- the IP number in host command after FQDN is the name servers address where the query is sent. This way we are sure we are testing the name server we just set up.
- IP number is used for name server instead of host name, since if name service is not working the name may not resolve to the intended IP number, so better to use the IP address directly.
Check other host names you set up in similar way.
- If returned IP address is wrong, go correct it
- If not found, check spelling
- If not found, check dot at end of FQDN in ISPConfig where you wrote the names
- If "connection timed out, no servers could be reached": the name server is not running or network connection is lost. Check network with pinging IP number, for example. Check the host is running. Check the name service is running, on Debian and Ubuntu with
systemctl status bind9.service.
- If all the above fail to get a working name service, go to chapter Tools.
Check the zone info, especially the name servers, like this:
[email protected]:~# dig @192.168.250.73 xyzzy.tld ; <<>> DiG 9.10.3-P4-Debian <<>> @192.168.250.73 xyzzy.tld ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64352 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;xyzzy.tld. IN A ;; ANSWER SECTION: xyzzy.tld. 3600 IN A 192.168.250.71 ;; AUTHORITY SECTION: xyzzy.tld. 3600 IN NS ns1.xyzzy.tld. xyzzy.tld. 3600 IN NS ns2.xyzzy.tld. ;; ADDITIONAL SECTION: ns1.xyzzy.tld. 3600 IN A 192.168.250.73 ns2.xyzzy.tld. 3600 IN A 192.168.250.75 ;; Query time: 0 msec ;; SERVER: 192.168.250.73#53(192.168.250.73) ;; WHEN: Fri Aug 10 15:41:53 EEST 2018 ;; MSG SIZE rcvd: 122 [email protected]:~#
Dig gets the name server it sends the query to from the @-parameter. Put the IP number of name server there.
If dig shows the NS records correctly and the correct IP numbers for name servers in A records, then things are looking good.
Now do the above test using the other name server, you do not need to log in to ns2 just run the commands again but use the other servers IP number. This is to make sure also the other name server is working as it should.
You can test further by setting your workstation to use these new name servers you have set up. You need to change DNS servers on your workstation, look it up how to do it for your operating system in manual or from the Internet. In Linux you can edit file /etc/resolv.conf. In Windows it is in Network settings (same place where you set up obtaining IP address automatically).
1.4 Reverse name service
Skip this if you do not need reverse name service (the PTR records).
Reverse name service resolves the name when given IP address. It is the reverse operation of the usual name service.
If you set up name service internal to your organization, you can set up reverse name service in the same name servers. When using ISPConfig, first create the reverse zone and then create PTR-records in that zone for each IP number you have.
If the reverse name service must work from public Internet, then you can not use your own name server since it most likely is not authoritative name server for the IP reverse zone. If it is, you should know it. Contact your service provider or the company that gave you your IP numbers, ask them to set up reverse name service. Tell them the PTR records you need, or find out how to use the web user interface hosting company probably provides for using reverse name service.
To setup reverse name service with ISPConfig, create the DNS Zone for the reverse service, it must be named with the first three octets of the IP number in reverse order with ".in-addr.arpa" added at the end. In this case the IP numbers are from subnet 192.168.250/24, so the reverse zone is named 250.168.192.in-addr.arpa. Remember to add also NS records to the reverse zone.
In that reverse zone, create PTR records like so:
Testing is easy with the host command, like so:
[email protected]:~# host 192.168.250.71 192.168.250.73 Using domain server: Name: 192.168.250.73 Address: 192.168.250.73#53 Aliases: 22.214.171.124.in-addr.arpa domain name pointer web.xyzzy.tld.
It is possible to set up many PTR records for the same IP number. Then the reverse query returns all of them. You may not want this, so do not do it unless you know what you are doing.
If you set up a mail server, for example, mail.xyzzy.tld, you need to set the PTR record since most mail servers check the sending IP number resolves to the hostname the mail server uses.
If you suspect name service has not started, check with
systemctl status bind9.service
If it shows "Active: active (running) …" then name service is working. Do not care about possible "network unreachable resolving … AAAA" -lines, if you get them it means you do not have IPv6 network available.
If name service is running but testing with host command does not return answers, it may be the zone file is faulty. Use named-checkzone if bind does not accept the zone. The faulty zone file is (On Debian GNU/Linux) in /etc/bind/pri<name of zone>.err file, that is .err added to the end of the filename. Check like so:
[email protected]:~# named-checkzone 250.168.192.in-addr.arpa /etc/bind/pri.250.168.192.in-addr.arpa.err zone 250.168.192.in-addr.arpa/IN: has no NS records zone 250.168.192.in-addr.arpa/IN: not loaded due to errors. [email protected]:~#
Repair the errors, in ISPConfig if you set it up using ISPConfig Panel.
There may be errors in the log file, stop and start name service and see what is in file /var/log/syslog. For example with
grep named /var/log/syslog
There are websites that check your name service setup, you can use Internet search engines to find them. I know of zonecheck.org, mxtoolbox.com, zonemaster.net.
1.6 Getting help
If asking for help on the forum, hiding the domain name makes helping difficult. If you reveal what the domain is, it is easy to check the setup and give advice if something is wrong. If you can not reveal the domain name publicly and using this Tutorial and documentation from the Interwebs does not help, find someone you can trust with your domain name and who knows name service, then ask that person for help with your domain.
1.7 Registering a domain
When your name service works OK for your zone, you can register it, or if it was already registered previously you can now add name servers to the registration and the domain is available from the Internet, after 4 – 48 hours while the name service information travels around the world.
If you register xyzzy.tld and it has name server ns1.xyzzy.tld, you give IP numbers for name servers instead of hostnames. If you only give the host name ns1.xyzzy.tld, how is the name server to be found? Only place where the IP number is available is on ns1.xyzzy.tld but how to access it without knowing the IP number? Another way to resolve this dilemma is to use glue records (see previously), then you can use names instead of IP numbers for your name servers.
When you register another domain plugh.tld, you can give name servers as host names ns1.xyzzy.tld and ns2.xyzzy.tld since the xyzzy.tld domain is already well registered and the nameservers are known.