DirectSlave - solution to add and remove zones on slave without DirectAdmin

I was able to run it on AlmaLinux 9, but I can't get it to save the zones to the db files. As I saw in the logs, the API call command is executed, but I am curious whether this script has the latest DA API in its code. Has anybody used it in the last year?

FYI: There are no errors at the moment of saving the zones in named.conf.
 
I'm running DirectSlave successfully on Arch Linux.
 
I'm still running it, but on Alma 8, not on 9, due to an issue with IPv6 on the Contabo Alma 9 image.
Yeah, I am testing it on Contabo. I have my own servers at El Plano, Texas, and I am using Contabo just for DNS clustering.

What OS are you using?
Thanks!
 
Finally, got it working on AlmaLinux 8.

In my case, to get it working I had to disable SELinux on the DS server.
 
Ok, got the latest DirectSlave running on Debian 12.
Here is a gist, may it help someone; it's not perfect, but it worked.


The biggest issue was AppArmor preventing the bind user from writing to any dirs other than the ones specified in /etc/apparmor.d/usr.sbin.named, resulting in the directslave.inc file being written but not the named.db's of each host.
 
Running AlmaLinux 9.5 with SELinux disabled, still having the same problem with zones not being created. The DirectSlave named.conf is updated and the connection is established, but the transfer is refused. Besides the following error, no other error exists.

zone domain.com/IN: Transfer started.
Dec 23 13:17:34 ns2.XXX.XXX.XXX named[1529]: transfer of 'domain.com/IN' from ns1.mol.com.mk#53: connected using ns2.xxx.xxx.xx#56053
Dec 23 13:17:34 ns2.XXX.XXX.XXX named[1529]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Dec 23 13:17:34 ns2.XXX.XXX.XXX named[1529]: resolver priming query complete
Dec 23 13:17:34 ns2.XXX.XXX.XXX named[1529]: transfer of 'domain.com/IN' from ns1.xxx.xxx.xxx#53: failed while receiving responses: REFUSED

Any idea or suggestion to try to resolve the issue?
Thank you
 
Have you checked all the permissions and owners? Like the named directory in /etc, which should be:
drwxr-x--- 3 root named 4.0K 2024-08-20 00:36 named

and the /etc/named/secondary directory:
drwxr-xr-x 2 named named 12K 2024-12-23 04:05 secondary

because a "refused" seems like a permission problem.
Is that part of the log from your sending server or from your DS server?
 
transfer of 'domain.com/IN' from ns1.mol.com.mk
Maybe a wrong configuration or the nameserver not synchronised yet? Because you don't have an ns1; the first NS is called dns.mol.com.mk and not ns1.
Not sure if that could cause issues, but you should fix that.

Also, port 53 needs to be open on your NS2. It's closed so that's why the connection is refused.
 
Hello Richard,

Thank you very much for the suggestions and help. Please ignore that dns.mol.com.mk. I renamed the hosts in the displayed error log for easier explanation, with ns1 as master and ns2 as slave. The above error log is from the DS server, ns2, and port 53 is open. Currently I have also disabled SELinux, as written above for the AL8 working setup.

[root@ns2 ]# sudo ss -tulpn | grep LISTEN
tcp LISTEN 0 128 0.0.0.0:8616 0.0.0.0:* users:(("sshd",pid=800,fd=3))
tcp LISTEN 0 4096 127.0.0.1:953 0.0.0.0:* users:(("named",pid=825,fd=53))
tcp LISTEN 0 10 127.0.0.1:53 0.0.0.0:* users:(("named",pid=825,fd=64))
tcp LISTEN 0 10 127.0.0.1:53 0.0.0.0:* users:(("named",pid=825,fd=62))
tcp LISTEN 0 10 127.0.0.1:53 0.0.0.0:* users:(("named",pid=825,fd=60))
tcp LISTEN 0 10 127.0.0.1:53 0.0.0.0:* users:(("named",pid=825,fd=58))
tcp LISTEN 0 128 [::]:8616 [::]:* users:(("sshd",pid=800,fd=4))
tcp LISTEN 0 10 [::1]:53 [::]:* users:(("named",pid=825,fd=70))
tcp LISTEN 0 10 [::1]:53 [::]:* users:(("named",pid=825,fd=71))
tcp LISTEN 0 10 [::1]:53 [::]:* users:(("named",pid=825,fd=72))
tcp LISTEN 0 10 [::1]:53 [::]:* users:(("named",pid=825,fd=73))

Folder /etc/named
drwxr-x---. 3 root named 23 Dec 22 11:32 named

Folder /var/named/slaves
drwxrwx---. 2 named named 6 Oct 3 07:25 slaves

I have set the above as the working directory instead of /etc/named/secondary inside directslave.conf. I also had it as mentioned, but while trying to figure out the issue I am currently running with the working directory set to /var/named/slaves.

The include works and DirectSlave works: named.conf gets populated with the zone info, but the permission issue is with the zone file transfer. The connection is established but the transfer is refused. It looks like an authorization issue in the communication between the two BINDs, the one from DA and the one from DS, though as far as I have read there is no need to set up master/slave options in the BIND configuration, since DA and DS communicate based on DA protocols.

Thank you again for the help.

Update: I just tried with the default setting, secondary under /etc/named, and the issue is the same.
drwxr-xr-x. 2 named named 6 Dec 23 09:25 secondary
 
No, it's still not.

Code:
[root@server26: ~]# telnet ns2.mol.com.mk 53
Trying 212.110.95.4...
telnet: connect to address 212.110.95.4: Connection refused
Let me check; it was open, I checked from a couple of external servers. Something changed.
 
If it's open in your firewall, it might still be refused by your /etc/named.conf on the Directslave server.
Check these lines in the /etc/named.conf file:
Code:
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };

Also protect it from abuse:
Code:
        allow-recursion { localnets; localhost; };
        allow-notify { 12.34.56.78; };
        allow-transfer { none; };
        allow-query     { any; };
Of course, change the allow-notify IP to your DA server IP.
 
I believe it's all good on that part:
options {
listen-on port 53 { 127.0.0.1; 176.9.117.123;176.9.117.108;};
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { "trusted";};
allow-recursion {"trusted"; 212.110.95.0/24;};
allow-transfer { "trusted"; 176.9.117.123; 176.9.117.108;};
allow-query-cache { "trusted";};

I am kind of lost with AlmaLinux 9 and the firewall settings. I can't do a simple thing like opening a port. It was open but now it's closed and I don't know what I did :). As far as I have read, in AlmaLinux 9 there are now 3 options for how to configure port adding: firewalld, iptables, nftables. I have opened it in firewalld:
[root@ns2 etc]# firewall-cmd --list-ports
53/tcp 2222/tcp 8616/tcp

For iptables I tried adding the port, and the port is added, but I cannot save it to remain after reboot. I tried the save command but it says to use systemctl to save, and there is no option under systemctl. Under /etc/sysconfig there is no iptables file for the rules.

For nftables I am not sure if AlmaLinux 9.5 is using them or is using iptables, although based on the below it seems that nftables are used, not iptables.
[root@ns2 etc]# ps -ax |grep iptables
1408 pts/0 S+ 0:00 grep --color=auto iptables
[root@ns2 etc]# ps -ax |grep nftables
1411 pts/0 S+ 0:00 grep --color=auto nftables
[root@ns2 etc]# lsmod | grep -E "^nft_|^iptable_"
nft_counter 12288 1
nft_compat 24576 0
nft_fib_inet 12288 1
nft_fib_ipv4 12288 1 nft_fib_inet
nft_fib_ipv6 12288 1 nft_fib_inet
nft_fib 12288 3 nft_fib_ipv6,nft_fib_ipv4,nft_fib_inet
nft_reject_inet 12288 6
nft_reject 12288 1 nft_reject_inet
nft_ct 24576 7
nft_chain_nat 12288 3

In short, let me waste a few hours on opening a port :). Thank you again for the help.
 
I believe its all good on that part
In fact it's not.

listen-on port 53 { 127.0.0.1; 176.9.117.123;176.9.117.108;};
listen-on-v6 port 53 { ::1; };
I would use the settings I gave. I don't know how many IPs that DS server has, but just use "any" as stated in my example.
Same for IPv6, because you don't want it to listen only on localhost; that makes it unreachable from external.

allow-query { "trusted";};
allow-recursion {"trusted"; 212.110.95.0/24;};
Also wrong. Because it's your ns2, every system should be able to query your NS2, so do not use trusted there; use any like in my example, otherwise you can be sure that, for example, Let's Encrypt will give issues. When using multiple nameservers, they all should be accessible for normal queries from outside.

As for the "allow-recursion" part, you don't need to use your DA server there; there is no recursion required from that system other than localhost and localnets.
I even have that "localhost, localnets" on all my servers, and we run our own DNS on all servers. So I would change that one too.

I don't use the query-cache statement, you can remove that and leave it default, that's best.

It was opened but now its close
Yes, because of your named.conf as far as I can see; you refused connections in the listen-on port xx statements.

As for the firewall, why make life difficult? Just install CSF on that DirectSlave server. I've done it too; it makes life a lot easier, and opening ports too.
For example, my incoming TCP rules in csf.conf on the DS server are:
TCP_IN = "22,53,853,80,443,2222,2224"
and outgoing:
TCP_OUT = "22,23,25,53,853,80,113,443,2222,2224"
Next to that, on both I've got another port which is not mentioned here but is in fact used for SSH. I leave 22 open here as a honeypot; it can't be used anyway because nothing is running on it. :)

UDP_IN = "20,21,53,853,80,443,2222,2224"
UDP_OUT = "20,21,53,853,113,123,2222,2224"

Same for ipv6:
# Allow incoming IPv6 TCP ports
TCP6_IN = "22,53,853,80,443,2222,2224"

# Allow outgoing IPv6 TCP ports
TCP6_OUT = "22,23,25,53,853,80,113,443"

# Allow incoming IPv6 UDP ports
UDP6_IN = "20,21,53,853,80,443"

# Allow outgoing IPv6 UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP6_OUT = "20,21,53,853,113,123"

Installing CSF manually is very easy to do, and then you don't have to bother with the AlmaLinux 9 nftables stuff.
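As an added example (not code from the thread, from DirectSlave or from DirectAdmin): a small Python check that parses the options block of a named.conf and flags the settings the reply above calls out on a public secondary, namely listen-on bound to loopback only, allow-query narrower than any, allow-recursion wider than localhost/localnets, an open allow-transfer and an explicit allow-query-cache. The two configs are the ones posted in the thread; treating an absent allow-transfer as open is an assumption, so check your BIND version's default.

```python
import re

# Constructed sample, copied from the options block posted in the thread
# (this is the configuration the reply above says is wrong for a public ns2).
POSTED = """options {
listen-on port 53 { 127.0.0.1; 176.9.117.123;176.9.117.108;};
listen-on-v6 port 53 { ::1; };
allow-query { "trusted";};
allow-recursion {"trusted"; 212.110.95.0/24;};
allow-transfer { "trusted"; 176.9.117.123; 176.9.117.108;};
allow-query-cache { "trusted";};
};"""

# The settings recommended in the reply, for comparison.
RECOMMENDED = """options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-recursion { localnets; localhost; };
allow-notify { 12.34.56.78; };
allow-transfer { none; };
allow-query     { any; };
};"""

LOCAL = {"127.0.0.1", "::1", "localhost"}
STMT = re.compile(r"\b(listen-on-v6|listen-on|allow-[\w-]+)\s*(?:port\s+\d+\s*)?\{([^}]*)\}")

def parse_acls(conf):
    """Map each listen-on/allow-* statement to its list of address-match entries."""
    return {stmt: [e.strip().strip('"') for e in body.split(";") if e.strip()]
            for stmt, body in STMT.findall(conf)}

def audit_secondary(conf):
    """Return findings for a DirectSlave secondary that must answer queries from anywhere."""
    acls, findings = parse_acls(conf), []
    for stmt in ("listen-on", "listen-on-v6"):
        if acls.get(stmt) and set(acls[stmt]) <= LOCAL:
            findings.append(f"{stmt} binds only loopback: unreachable from outside")
    q = acls.get("allow-query")
    if q and "any" not in q:
        findings.append("allow-query must be { any; } on a public nameserver")
    if set(acls.get("allow-recursion", [])) - (LOCAL | {"localnets"}):
        findings.append("allow-recursion wider than localhost/localnets")
    # DirectSlave writes the zone files itself, so AXFR is not needed;
    # assumption: an absent or 'any' allow-transfer is treated as open.
    if "any" in acls.get("allow-transfer", ["any"]):
        findings.append("allow-transfer is open; use { none; }")
    if "allow-query-cache" in acls:
        findings.append("allow-query-cache set explicitly; leave it at the default")
    return findings
```

Running `audit_secondary(POSTED)` reports the four problems discussed in the thread, while the recommended block comes back clean.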
 