Multi Server and Hidden Master

Am I right in thinking that the multi-server setup that is currently on the DA system is not the same setup as a hidden master system?

I ask because I like the idea of running DNS on DA but do not want it publicly known, i.e. list the two other nameservers as the primary and secondary DNS servers.

All the best

Jon
 
jjma said:
Am I right in thinking that the multi-server setup that is currently on the DA system is not the same setup as a hidden master system?

I ask because I like the idea of running DNS on DA but do not want it publicly known, i.e. list the two other nameservers as the primary and secondary DNS servers.

All the best

Jon

Jon,

No, it's not a hidden master setup, but it's easy enough to set one of those up. Jeff Lasman (one of the local demigods) has a HOWTO to get a hidden master setup going. I implemented it at a place I worked last year and it worked like a charm. Unfortunately I can't seem to find a link to it, but if you email him and ask him, he can probably tell you where to find it.

=C=
 
Are you using the script in production even though it is a beta version? What current issues does the script have?

Is there a HOWTO for the hidden master technique? Thank you for the link.

Jon
 
Hi,

I am not personally using it now. However, I implemented it back in April for a company I was working for then. We had about 5 DA servers and each of them was set up as a hidden master with 2 public servers doing all the heavy lifting.

As I remember it, there were no known issues with the script at that time. After implementing, it ran flawlessly for 2-3 months before I left the company.

=C=
 
OxnardMontalvo said:
Hi,

I am not personally using it now. However, I implemented it back in April for a company I was working for then. We had about 5 DA servers and each of them was set up as a hidden master with 2 public servers doing all the heavy lifting.

As I remember it, there were no known issues with the script at that time. After implementing, it ran flawlessly for 2-3 months before I left the company.

=C=

We're running DA without named at the moment on our servers and manually adding domains to our master and secondary DNS servers. I see the hidden master technique being really useful and something we should change to. I have written out the steps I would take in my situation if I were to set up a DA server to run as a hidden master and reorganise our DNS setup. Please feel free to comment on what I might have missed (a lot of the information I have taken from the forums):

1) Set the ns1 from the DA interface to the hostname running DA.
2) Set ns2 from the DA interface to the first external nameserver.
3) SSH into the DA server and copy /usr/local/directadmin/data/templates/dns_ns.conf to:
/usr/local/directadmin/data/templates/custom/dns_ns.conf
4) Edit /usr/local/directadmin/data/templates/custom/dns_ns.conf, removing |NS1|=|DOMAIN| and adding |NS3|=|DOMAIN| so that it now looks like:

|NS2|=|DOMAIN|.
|NS3|=|DOMAIN|.

5) Add user namedftp to the DA server, configure & install 'getzone.dns.sh' and add the crontab (as per the readme from master2slave).
6) SSH to our current master DNS server (NS2 in dns_ns.conf on the DA server), back up the existing zone files, create namedftp on the server and upload adddomains.pl, addmaster.sh, sortdomains.pl and getmaster2slave.dns.sh.
7) Edit, configure and test the scripts.
8) Add the DNS master server (./addmaster.sh <masterip>).
9) Test the script (./getmaster2slave.dns.sh).
10) Complete the rest of the installation as per the readme of master2slave.
11) Log in to the third server (NS3 in dns_ns.conf on the DA server) and follow steps 6 - 10 again.

I hope that this makes the following setup, where you have the DA server as hidden master and two external DNS servers slaving from it:

Any feedback welcome...

Jon
 
Yes, we need to take master2slave out of beta; I'll discuss it with Onno, and we'll probably do it soon.

It works well for us; we use it instead of the DA Multi-Server feature for several reasons:

1) We wrote it :) .

2) It works equally well, and the same way, on DA and non-DA servers.

3) We started it long before DA added Multi-Server, and we felt we had a lot invested in it :) .

master2slave wasn't designed specifically for a hidden-master scenario but it works well in that function.

However I think that DA's Multi-Server feature will as well.

Now on to Jon's post.

Jon, I'm not quoting and referring to your post line-by-line; it's not my intention to write it.

However, I think you've made it a bit more complex than it is.

Simply create ns1 and ns2 settings in DA, both of them for IP#s not on the DA server, but for the server you want to use. Leave DA to set up NS1 and NS2.

The local machine isn't NSx anything. It's the hidden master.

When you refer to it, you can call it NS3 internally but it shouldn't be in the nameserver records and you shouldn't need a custom zonefile. (If you call it NS3 internally, you may need an A record for ns3 in the zone file for the domain hosting the nameservers.)

If Multi-Server won't let you do it this way, it probably should :) .

In that case just go ahead and use our master2slave.

Jeff
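The split Jeff describes above (the DA box as a hidden master that no NS record points at, two public servers that slave the zone from it) as BIND 9 named.conf stanzas. This is an added example, not DA Multi-Server or master2slave output; the addresses (192.0.2.x), the zone name and the TSIG key name are assumptions. The security points a practitioner wants here, and which the thread does not spell out, are that the master only allows AXFR to the two slaves (keyed), notifies them explicitly rather than the NS set it is not part of, and that the public slaves refuse transfers and recursion.

```conf
// ---- hidden master: the DA server, 192.0.2.30 (constructed address) ----
// Nothing in any zone's NS set names this host; only the two public
// slaves may pull zones from it, and only with the shared TSIG key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret, e.g. from tsig-keygen xfer-key>";   // assumption: generate your own
};
options {
    recursion no;              // authoritative only; never a caching resolver
    allow-transfer { none; };  // default deny; re-opened per zone below
};
zone "example.com" {
    type master;
    file "/var/named/example.com.db";
    allow-transfer { key xfer-key; };          // slaves must sign the AXFR/IXFR
    also-notify { 192.0.2.10; 192.0.2.20; };   // ns1 and ns2 (constructed)
    notify explicit;                           // notify only also-notify targets
};

// ---- public slave ns1.example.com, 192.0.2.10; ns2 is identical ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<same base64 secret as on the master>";
};
server 192.0.2.30 { keys { xfer-key; }; };     // sign transfer requests to the master
options {
    recursion no;
    allow-transfer { none; };  // public servers answer queries, they don't hand out zones
};
zone "example.com" {
    type slave;
    file "/var/named/slaves/example.com.db";
    masters { 192.0.2.30; };                   // the hidden master
    allow-notify { 192.0.2.30; };              // accept NOTIFY only from it
};
```

The `allow-transfer { none; }` on the slaves matters as much as the one on the master: a public nameserver that answers AXFR for anyone hands out your full host list, and that list includes the hidden master's A record if you keep one for it. Check both with `dig @192.0.2.10 example.com AXFR` from an outside address; it should fail.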
 
jlasman said:
Now on to Jon's post.

Jon, I'm not quoting and referring to your post line-by-line; it's not my intention to write it.

However, I think you've made it a bit more complex than it is.

Simply create ns1 and ns2 settings in DA, both of them for IP#s not on the DA server, but for the server you want to use. Leave DA to set up NS1 and NS2.

I understand that. I wasn't aware that the DA multi-server would work with any server including an old Cobalt ;-)

jlasman said:
The local machine isn't NSx anything. It's the hidden master.

When you refer to it, you can call it NS3 internally but it shouldn't be in the nameserver records and you shouldn't need a custom zonefile. (If you call it NS3 internally, you may need an A record for ns3 in the zone file for the domain hosting the nameservers.)

I don't quite follow this - can you explain? I thought DA would have the domain hosting the nameservers.

jlasman said:
If Multi-Server won't let you do it this way, it probably should :) .

In that case just go ahead and use our master2slave.

Jeff

I've lowered the TTLs on my domains that exist on the current master nameserver (which is going to become a slave of the hidden master) so that when they change to become slaves from the hidden master there shouldn't be any disruption. Is this correct?

Thanks

Jon
 
jjma said:
I understand that. I wasn't aware that the DA multi-server would work with any server including an old Cobalt ;-)

If it's a real old Cobalt, well, we have some interesting scripts for RaQ1 servers, but I don't think we'd risk distributing them :) .

jjma said:
I don't quite follow this - can you explain? I thought DA would have the domain hosting the nameservers.

No matter where it's hosted you still need to create nameservers for the domain at the registrar where the domain is registered, AND create NS records in all the domains and A records in the domain hosting the nameserver(s).

jjma said:
I've lowered the TTLs on my domains that exist on the current master nameserver (which is going to become a slave of the hidden master) so that when they change to become slaves from the hidden master there shouldn't be any disruption. Is this correct?

The only one you have to change is TTL; we regularly run ours at 600 seconds. But I don't see why you'd need to change them on domains that are the same except for the nameserver names and which physical server they're on. That doesn't matter. You only need to worry about TTL for the domain hosting the nameservers. For example, if you've got ns1.example.com, then you'll have to worry about the TTL only on example.com.

Even if you're changing the nameserver names in the zone files for the other domains it won't stop resolution, it'll just cause errors (which won't affect resolution) for a while.

Jeff
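Jeff's three requirements for the domain that hosts the nameservers (NS records naming only the public servers, glue A records for them, a short TTL while they move) plus his earlier point that the hidden master must not appear in the nameserver records can be checked mechanically before a zone is pushed to the slaves. The script below is an added example, not code from DirectAdmin, master2slave or any poster; the zone texts are constructed, da1.example.com is the assumed hidden master, and ns1/ns2.example.com the assumed public servers. It goes one step beyond the thread by also checking the SOA MNAME field, which is the other place a hidden master's hostname commonly leaks.

```python
"""Hidden-master hygiene check for a BIND-style zone file (added example)."""
import re

# Constructed zone for example.com, the domain hosting the nameservers.
# Defects planted on purpose: SOA MNAME and an NS record name the hidden
# master, ns2 has no glue A record, and the TTL is too long to migrate safely.
BAD_ZONE = """\
$TTL 14400
@   IN SOA da1.example.com. hostmaster.example.com. (
        2004072901 3600 900 1209600 3600 )
@   IN NS  ns1.example.com.
@   IN NS  ns2.example.com.
@   IN NS  da1.example.com.
ns1 IN A   192.0.2.10
da1 IN A   192.0.2.30
www IN A   192.0.2.30
"""

# Same zone, corrected: hidden master keeps an A record (harmless, as Jeff
# notes) but is named in neither the NS set nor the SOA; both public
# servers have glue; TTL is 600s as in Jeff's setup.
GOOD_ZONE = """\
$TTL 600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2004072902 3600 900 1209600 3600 )
@   IN NS  ns1.example.com.
@   IN NS  ns2.example.com.
ns1 IN A   192.0.2.10
ns2 IN A   192.0.2.20
da1 IN A   192.0.2.30
www IN A   192.0.2.30
"""


def fqdn(name, origin):
    """Expand a zone-file owner or target to an absolute name without the trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def parse_zone(zone_text, origin):
    """Return (owner, ttl, type, rdata_tokens) tuples.

    Handles $TTL, comments, inherited (blank) owners and parenthesised
    multi-line records such as SOA. Deliberately minimal: no $ORIGIN/$INCLUDE.
    """
    text = re.sub(r";[^\n]*", "", zone_text)                           # strip comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records, default_ttl, last_owner = [], None, origin
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("$TTL"):
            default_ttl = int(raw.split()[1])
            continue
        tokens = raw.split()
        owner = last_owner if raw[0].isspace() else tokens.pop(0)    # blank owner = previous
        last_owner = owner
        ttl = default_ttl
        if tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append((fqdn(owner, origin).lower(), ttl, rtype, tokens))
    return records


def audit_hidden_master(zone_text, origin, hidden_master, max_ns_ttl=600):
    """Return a list of findings that would expose the hidden master or break a nameserver move."""
    hm = hidden_master.rstrip(".").lower()
    recs = parse_zone(zone_text, origin)
    findings = []
    for owner, _ttl, rtype, rdata in recs:
        if rtype == "SOA" and owner == origin and fqdn(rdata[0], origin).lower() == hm:
            findings.append(f"SOA MNAME names the hidden master {hm}; point it at a public NS")
    ns_targets = [fqdn(r[3][0], origin).lower() for r in recs if r[2] == "NS" and r[0] == origin]
    if hm in ns_targets:
        findings.append(f"{hm} appears in the apex NS set; remove it")
    glue = {r[0]: r[1] for r in recs if r[2] == "A"}
    for ns in ns_targets:
        if ns == hm or not ns.endswith("." + origin):
            continue                                    # out-of-zone NS needs no glue here
        if ns not in glue:
            findings.append(f"no A (glue) record for in-zone nameserver {ns}")
        elif glue[ns] > max_ns_ttl:
            findings.append(f"TTL {glue[ns]}s on {ns} exceeds {max_ns_ttl}s; lower it before moving nameservers")
    return findings


if __name__ == "__main__":
    for label, zone in (("BAD", BAD_ZONE), ("GOOD", GOOD_ZONE)):
        print(label, audit_hidden_master(zone, "example.com", "da1.example.com") or ["clean"])
```

Run it against the zone DA writes for the nameserver-hosting domain before the slaves pull it; an empty list means the hidden master is named nowhere that a resolver or a registrar lookup would surface it, and the TTL is short enough that a nameserver change clears in minutes rather than hours.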
 
Just to confirm that I should be able to use the multi-server setup with a Linux machine that does not currently have DA installed on it (including a Cobalt 5).

It doesn't appear to mention third-party machines in the knowledgebase, i.e. a machine without DA installed.


What it does is transfer any zones on the given machine to the DA machines you add to the list.

Jon
 
Cobalt didn't make a "5".

Do you mean a RaQ550?

Or one of the earlier RaQs?

Either way, I wouldn't try either Multi-Server or Master2Slave with a RaQ, because when they update their own DNS (either because someone used the RaQ interface, or because a new domain was added or an old one removed on a RaQ 550), the RaQs completely rewrite DNS, so they'll overwrite all your changes.

Jeff
 
It was a Cobalt RaQ 550. Maybe I should look into BlueQuartz?

If not, I have a Linux box I can use, but I still go back to the point that DA multi-server appears to work with only DA boxes and not a third-party system.

regards

Jon
 
If you try bluequartz you'll be stuck with their way of doing everything. Similarly to the RaQ550, everything is handled by the php and mysql databases.

DirectAdmin's Multi-server DNS solution works properly and is compatible with DA for the master and with any standard Linux/Unix system for the slaves.

And our master2slave solution works fine with any Linux/Unix server for the master and any Linux/Unix server for the slave.

It's the RaQs and their successors that limit you because they take standard Linux/Unix files and delete them and overwrite them according to the contents of their databases.

Unless you're suggesting we rewrite the RaQ and the BlueQuartz systems?

Surely you can't hold us responsible for not being compatible with a system that's designed to overwrite the standard stuff.

Or can you? :confused:

Jeff
 
No.

But the BlueQuartz installation CD first installs a minimum CentOS distribution, so you can probably start from there.

Try asking on the cobalt-users list or the zeffie-users list.

Jeff
 
Jeff

I know the software is still in beta (master2slave) but I was having trouble setting up the master server on one of our servers (CentOS 4). I couldn't work out why getzone.dns.sh was not creating the serverip.named.conf file in /var/www/html/namedftp. I checked the getzone.dns.sh script and at the bottom of the script there is this line commented out:

#cp -f /home/namedftp/named.master.conf $weboroot/namedftp/$masterip.named.conf

I wanted to see if uncommenting it would create the file, so I re-ran the script with the line uncommented, but it failed.

Looking at the line, the reference to $webroot has a typo in it - you have $weboroot. I changed this to the correct $webroot and the file was created ;-)

I haven't tried this out on any other servers and haven't tried the setup instructions for a slave server (will post when I have), but if I shouldn't have uncommented this line please let me know. Without doing so I was not able to create the serverip.named.conf file.

rgds

Jon
 
You're the first person to bring this to my attention and I don't remember what problems I ran into or what I did :( .

Anyone else?

I can always do an install and try it, but not this week.

:( :(

Jeff
 
What would the two secondary nameservers put in their resolv.conf?

Would it contain:

search domain.com (the main domain that is used for nameserver)
other nameserver's ip address
localhost

(the above is using two nameservers for dns)

Is this correct?

Jon
 
jjma said:
What would the two secondary nameservers put in their resolv.conf?

Would it contain:

search domain.com (the main domain that is used for nameserver)

You should never use a search example.com line in a server with multiple domains. It's only useful if you have a lot of local users who don't bother to type in the domain name when sending email, etc., to each other.

jjma said:
other nameserver's ip address
localhost

And you shouldn't really use your own nameserver (localhost) for resolving the outside world, as your own nameserver shouldn't even be a caching nameserver; it should only serve the domains you host.

But of course that would in general work.
jjma said:
Is this correct?

Not according to most DNS purists. But it would certainly work.

Jeff
 