DirectSlave - solution to add and remove zones on slave without DirectAdmin

I don't know if CentOS 7 or Debian 8 may require an updated script.

On CentOS 7 there are many problems, but I have a multiplatform port of the daemon in C++. It works fine. I'm sharing it after a small refactoring. If someone needs it faster, please write me a PM.
 
There should be an init script I created in this thread; just look for it and install it on your box. Once you have the init script you can set your system to start the process on boot.

Regards
 
My external nameserver running directslave has been working great except for one thing: it started refusing ALL requests.

I fixed it by adding the following to /etc/bind9/named.conf.options to stop getting constant DNS lookup REFUSED messages:

allow-query { any; };
allow-query-cache { any; };

...but that's not in the directslave documentation so I'm not sure quite what I've done wrong.

Can someone confirm whether the "allow" config option determines what ip addresses can connect to push domain zone changes, or if it's the ip ranges that can connect to do DNS lookups?

Thanks!

Here's my config:

background 0
server_type HTTP
host x.x.x.x (my ip address)
port 2222
sslport 2224
ssl on
ssl_cert /usr/local/directslave/ssl/server.crt
ssl_key /usr/local/directslave/ssl/server.key

debug 1
uid bind
gid bind

pid /usr/local/directslave/run/directslave.pid
access_log /usr/local/directslave/log/access.log
error_log /usr/local/directslave/log/error.log
action_log /usr/local/directslave/log/action.log

named_workdir /etc/namedb/secondary
named_conf /etc/namedb/directslave.conf
retry_time 1200
rndc_path /usr/sbin/rndc

allow 0.0.0.0/0
authfile /usr/local/directslave/etc/passwd
 
http://www.zytrax.com/books/dns/ch7/queries.html#allow-query

I think you might want to remove that allow-query-cache { any; }; as it may make your server a recursive one.

allow-query { any; }; seems to be the internal default; so it shouldn't hurt but also shouldn't be needed to configure (I don't have allow-query at all). Perhaps you have it defined elsewhere as well.

To put it simply, allow-query defines who may send your server any queries at all. So a client asking your server about a domain you host, that's a query. So everyone should be allowed.

But that allow-query-cache seems to be a different story.


To specify the IPs that can transfer records to your slave, you have allow-transfer.

allow-transfer { x.x.x.x; };

Or, multiple masters:

allow-transfer { x.x.x.x; y.y.y.y; };

Where x and y are of course IP addresses.

That's about the only custom line I have configured on my directslave bind, apart from hiding the version.

version "0";
 
Thanks Arieh.

You may have given me a clue as to what has gone wrong in the setup.

My /etc/namedb/secondary/named.conf file is always empty. Is directslave supposed to be adding some options in there? Should I be adding config options there?

I'm still confused as to whether DirectSlave should fully work if I follow the install instructions or whether I'm expected to add some additional options such as allow-query { any; }; into /etc/namedb/secondary/named.conf or directly into /etc/bind9/named.conf.

Thanks!
 
There shouldn't be a named.conf in secondary.

In /etc/bind/ or /etc/namedb/ depending on your setup I suppose, there should be all the configs.

My named.conf contains this

Code:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/directslave.conf";

/etc/bind/named.conf.options:
Code:
options {
        directory "/var/cache/bind";

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };

        version "0";
        allow-transfer { my_ips_here };
};

Code:
root@vps:/etc/bind# ls -al
total 244
drwxr-sr-x  3 root bind  4096 Jun 26 13:38 .
drwxr-xr-x 79 root root  4096 Jun 26 13:38 ..
-rw-r--r--  1 root root  2389 Sep  3  2015 bind.keys
-rw-r--r--  1 root root   237 Sep  3  2015 db.0
-rw-r--r--  1 root root   271 Sep  3  2015 db.127
-rw-r--r--  1 root root   237 Sep  3  2015 db.255
-rw-r--r--  1 root root   353 Sep  3  2015 db.empty
-rw-r--r--  1 root root   270 Sep  3  2015 db.local
-rw-r--r--  1 root root  3048 Sep  3  2015 db.root
-rw-r--r--  1 bind bind 78330 Jun 20 06:27 directslave.conf
-rw-r--r--  1 bind bind 71693 Dec 30 02:22 directslave.conf.old
-rw-r--r--  1 root bind   501 Nov 19  2015 named.conf
-rw-r--r--  1 root bind   490 Sep  3  2015 named.conf.default-zones
-rw-r--r--  1 root bind   165 Sep  3  2015 named.conf.local
-rw-r--r--  1 root bind   988 Nov 20  2015 named.conf.options
-rw-r-----  1 bind bind    77 Nov 19  2015 rndc.key
drwxr-sr-x  2 bind bind 24576 Jun 20 06:27 secondary
-rw-r--r--  1 root root  1317 Sep  3  2015 zones.rfc1918

The secondary folder only contains all the .db files.

directslave.conf contains all the zone definitions, which include the .db files.
 
There shouldn't be a named.conf in secondary.

In /etc/bind/ or /etc/namedb/ depending on your setup I suppose, there should be all the configs.

That's where the DirectSlave readme is very confusing. It says there should be:

Code:
named_conf /etc/namedb/secondary/named.conf - file to add/remove entries for
                                transferred zones. This is not main named.conf,
                                just include from main named.conf

and...

Code:
Okay, I hope, you understand all of this. For one of final steps, you need to include
DirectSlave named.conf to you main named.conf, add entry

include "/etc/named/secondary/named.conf"

I'm wondering if options are now supposed to be stored in /etc/named/secondary/named.conf but this hasn't been made clear in the README. Also still not sure if DirectSlave is supposed to work out of the box when following the README or whether it will always still require additional bind named.conf config entries for allow-transfer {}, allow-query {} etc.
 
Well, it's just a matter of file name. It can be called named.conf in another folder; that's confusing because of the file name, but it is correct.

Regards
 
I think that README is just outdated. I installed this a year ago so I don't remember all the details, but I don't believe I had to create and include many files. It did most of the work by itself. Check /usr/local/directslave/etc/directslave.conf and see what is configured at named_conf. And if you just run it, see what happens. Check if that named_conf is being included in your bind's main named.conf.

allow-transfer {}, allow-query {} should not be necessary, I believe.

in your /etc/named do

grep -r -i "allow-query"

See if more than the one you configured shows up. I don't have it at all.
 
Well, it's actually just one file to include :)

Anyway, the allow-transfer is necessary on the DA server side with the IP(s) of the DirectSlave.
The also-notify on the DA server side with the same IP(s) is also necessary.

Regards
 
Hi.
I followed all the instructions on CentOS 6 and I have the following:
- service named is running
- service directslave is running
- I set up permissions to root:named
- when I run in background mode I can see that zones are being transferred

*** hidden ***

When I run on DA-master:
echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue
on DS-slave I see
Jul 18 10:21:52 ns1 named[2685]: received control channel command 'reload'
Jul 18 10:21:52 ns1 named[2685]: loading configuration from '/etc/named.conf'
Jul 18 10:21:52 ns1 named[2685]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Jul 18 10:21:52 ns1 named[2685]: using default UDP/IPv4 port range: [1024, 65535]
Jul 18 10:21:52 ns1 named[2685]: using default UDP/IPv6 port range: [1024, 65535]
Jul 18 10:21:52 ns1 named[2685]: sizing zone task pool based on 6 zones
Jul 18 10:21:52 ns1 named[2685]: reloading configuration succeeded
Jul 18 10:21:52 ns1 named[2685]: reloading zones succeeded
x number of domains

In /etc/named/directslave.conf I see
zone "anotherdomain.com" { type slave; file "/etc/named/secondary/anotherdomain.com.db"; masters { 79.100.100.100; }; max-retry-time 1200; min-retry-time 1200; };
zone "da.poltel.com" { type slave; file "/etc/named/secondary/da.e-poltel.com.db"; masters { 79.100.100.100; }; max-retry-time 1200; min-retry-time 1200; };
zone "e-poltel.com" { type slave; file "/etc/named/secondary/e-poltel.com.db"; masters { 79.100.100.100; }; max-retry-time 1200; min-retry-time 1200; };
zone "newdomain.com" { type slave; file "/etc/named/secondary/newdomain.com.db"; masters { 79.100.100.100; }; max-retry-time 1200; min-retry-time 1200; };
zone "noweczka.pl" { type slave; file "/etc/named/secondary/noweczka.pl.db"; masters { 79.100.100.100; }; max-retry-time 1200; min-retry-time 1200; };
zone "testdomain.com" { type slave; file "/etc/named/secondary/testdomain.com.db"; masters { 79.100.100.100; }; max-retry-time 1200; min-retry-time 1200; };

But my zones are not being created. /etc/named/secondary/named.conf remains empty and there are no .db files in /etc/named/secondary.
I set /etc/named to chmod -R 755 and chown -R root:named as in /usr/local/directslave/etc/directslave.conf.

Why are zones not being created?
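The zone lines DirectSlave writes into directslave.conf only tell BIND where to put each zone; whether the AXFR from the master actually succeeded shows up as the .db file in named_workdir. The following is an added checker, not part of DirectSlave or of any post in this thread, that parses those one-line zone definitions and reports zones whose file is missing, sits outside the work directory, or names a master other than the known DA server(s); the domain names and IPs are constructed placeholders, and the set of existing files is passed in so the script runs offline.

```python
import re

# Constructed sample in the one-line-per-zone form DirectSlave writes (see the post above);
# the domains and master IPs are placeholders.
SAMPLE_DIRECTSLAVE_CONF = """\
zone "example.com" { type slave; file "/etc/named/secondary/example.com.db"; masters { 203.0.113.10; }; max-retry-time 1200; min-retry-time 1200; };
zone "example.net" { type slave; file "/etc/named/secondary/example.net.db"; masters { 203.0.113.10; }; max-retry-time 1200; min-retry-time 1200; };
zone "example.org" { type slave; file "/etc/named/secondary/example.org.db"; masters { 198.51.100.7; }; max-retry-time 1200; min-retry-time 1200; };
"""

ZONE_RE = re.compile(
    r'zone\s+"([^"]+)"\s*\{\s*type\s+(\w+);\s*file\s+"([^"]+)";\s*masters\s*\{([^}]*)\}')

def parse_zones(text):
    """Return one dict per zone statement: name, type, file path and list of masters."""
    zones = []
    for m in ZONE_RE.finditer(text):
        name, ztype, path, masters = m.groups()
        zones.append({'name': name, 'type': ztype, 'file': path,
                      'masters': [ip.strip() for ip in masters.split(';') if ip.strip()]})
    return zones

def check_zones(text, workdir, expected_masters, existing_files):
    """Map zone name -> list of problems. A missing db file means the transfer from the
    master never completed; an unexpected master means the zone would be pulled from a
    server that is not the DA box this secondary is supposed to trust."""
    problems = {}
    for z in parse_zones(text):
        issues = []
        if not z['file'].startswith(workdir.rstrip('/') + '/'):
            issues.append('file outside named_workdir')
        if z['file'] not in existing_files:
            issues.append('db file missing: AXFR from master has not succeeded')
        unexpected = sorted(set(z['masters']) - set(expected_masters))
        if unexpected:
            issues.append('unexpected master ' + ','.join(unexpected))
        if issues:
            problems[z['name']] = issues
    return problems

if __name__ == '__main__':
    # Pretend only example.com has been transferred so far.
    present = {'/etc/named/secondary/example.com.db'}
    for zone, issues in check_zones(SAMPLE_DIRECTSLAVE_CONF, '/etc/named/secondary',
                                    ['203.0.113.10'], present).items():
        print(zone, '->', '; '.join(issues))
```

On the slave itself, read /etc/named/directslave.conf and pass `set(glob.glob('/etc/named/secondary/*.db'))` as existing_files; an empty result for every zone points at the AXFR side (allow-transfer and also-notify on the DA server) rather than at DirectSlave.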
 
Have you set
allow-transfer { IP1; IP2; };
also-notify { IP1; IP2; };

In your named.conf on the DA Server?
Have you restarted named?

Regards
 
@Timon-TNT,

I've modified your post, as you posted the admin's password in it. You are highly advised to change the admin's password on your server(s).

It could be easily retrieved from this part (via base64 decoding):

Code:
                                     'request_headers' => [                                                            [
                                                              'Authorization',
                                                              'Basic *** SECRET *** '
                                                            ],
                                                            [
                                                              'Content-Length',
                                                              '775'
                                                            ]
                                                          ],
 
Yes.
DA is set properly. I can see in background mode that all the headers are being received. And /etc/named/directslave.conf receives the config:
zone "anotherdomain.com" { type slave; file "/etc/named/secondary/anotherdomain.com.db"; masters { 79.100.100.100; }; max-retry-time 1200; min-retry-time 1200; };
zone "da.poltel.com" { type slave; file "/etc/named/secondary/da.e-poltel.com.db"; masters { 79.100.100.100; }; max-retry-time 1200; min-retry-time 1200; };
zone "e-poltel.com" { type slave; file "/etc/named/secondary/e-poltel.com.db"; masters { 79.100.100.100; }; max-retry-time 1200; min-retry-time 1200; };
zone "newdomain.com" { type slave; file "/etc/named/secondary/newdomain.com.db"; masters { 79.100.100.100; }; max-retry-time 1200; min-retry-time 1200; };
zone "noweczka.pl" { type slave; file "/etc/named/secondary/noweczka.pl.db"; masters { 79.100.100.100; }; max-retry-time 1200; min-retry-time 1200; };
zone "testdomain.com" { type slave; file "/etc/named/secondary/testdomain.com.db"; masters { 79.100.100.100; }; max-retry-time 1200; min-retry-time 1200; };

Just /etc/named/secondary/ is empty, with an empty /etc/named/secondary/named.conf file.
Permissions are set to: chmod -R 755 and chown -R root:named
 
This works in 2 different connections, 1 being DA <> DS, and the other being Bind <> Bind (through AXFR).

DA <> DS seems to be working, but Bind is supposed to create and fill the actual .db files. That's not happening at the moment.

In your DA bind's named.conf.options you should have:

Code:
        notify yes;
        allow-transfer { your.slave.ip.address; };
        also-notify { your.slave.ip.address; };

-cut-
 
Arieh, are you sure the slave's bind named.conf change is needed?

I don't have that change and everything is working fine on my side ;)

Regards
 
Nothing changed.
But just to make sure I'm changing /etc/named.conf.
File /etc/named/secondary/named.conf is still empty.
 
Why would you need /etc/named/secondary/named.conf if you already said that /etc/named/directslave.conf is getting the files? That's the file you need to include in your main named.conf, if that's the file that gets filled by DS.

Regards
 