[PART 8 - DRAFT 2] [Virtualmin and Webmin] Teo En Ming's Notes for Setting Up Slave DNS Server
Subject: [PART 8 - DRAFT 2] [Virtualmin and Webmin] Teo En Ming's Notes for Setting Up Slave DNS Server
Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)
Country: Singapore
Date: 24 Oct 2021 Sunday Singapore Time
Type of Publication: Plain Text
Document Version: 20211026.01
WHAT IS WHAT
=============
Virtualmin (along with Webmin) is installed on the Master Server.
Webmin (STANDALONE) is installed on the Slave Server.
TIME TAKEN TO SET UP THIS CONFIGURATION
=======================================
I took about 3.5 hours, starting from 9 PM on 24 Oct 2021 Sunday and finishing at 12.30 AM on 25 Oct 2021 Monday (Singapore Time), to set up the Virtualmin Master and Slave DNS Configuration.
DETAILED INSTRUCTIONS
======================
SECTION A - Setting Primary Name Server in Virtualmin Master Server
====================================================================
Reference Guide: Name server setting, hostname and DNS
Link: https://archive.virtualmin.com/node/22091
Log in to Virtualmin.
Click System Settings > Server Templates
Click on Default Settings template.
Edit template section: BIND DNS domain
Under Master DNS server hostname, click Hostname. Change from vmi696121.contaboserver.net to ns1.turritopsis-dohrnii-teo-en-ming.com
Click Save.
SECTION B - Modify System hostname in the Master Server
========================================================
PuTTY/SSH into your Virtualmin Master Server.
The existing /etc/hosts is as follows:
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
185.182.9.61 vmi696121.contaboserver.net vmi696121
Modify your /etc/hosts as follows:
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
185.182.9.61 ns1.turritopsis-dohrnii-teo-en-ming.com ns1
Log in to Virtualmin.
Click on Webmin at the top left.
Click Dashboard.
Click on System hostname.
Change Hostname from vmi696121.contaboserver.net to ns1.turritopsis-dohrnii-teo-en-ming.com
Click Save.
Reboot the Virtualmin Master Server using PuTTY. It is important and necessary to reboot.
SECTION C - Changing IP address of Name Server 2 at Your Domain Registrar
==========================================================================
Log in to your domain registrar. In my case it is Namecheap.
Click Domain List on the left menu.
Click domain turritopsis-dohrnii-teo-en-ming.com and click Manage.
Under NAMESERVERS, change to Namecheap BasicDNS. Click green check mark.
Click Advanced DNS.
Under PERSONAL DNS SERVER, click Search.
Click ns2.turritopsis-dohrnii-teo-en-ming.com and click Delete.
Still under PERSONAL DNS SERVER, click ADD NAMESERVER.
Nameserver: ns2
IP Address: 185.214.135.104
Click Done.
Click Search again to ensure both ns1 and ns2 entries show up. We need both ns1 and ns2 entries.
Click the Domain tab at the top.
Under NAMESERVERS, change to Custom DNS.
Nameserver 1: ns1.turritopsis-dohrnii-teo-en-ming.com
Nameserver 2: ns2.turritopsis-dohrnii-teo-en-ming.com
Click the green check mark.
Sign out of Namecheap.
SECTION D - Changing IP address of Name Server 2 in Virtualmin Master Server
============================================================================
Log in to Virtualmin.
Click Webmin at the top left.
Click Servers > BIND DNS Server
Click the zone turritopsis-dohrnii-teo-en-ming.com
Click Address button.
Click ns2.turritopsis-dohrnii-teo-en-ming.com.
Change Address to 185.214.135.104
Click Save.
Click Return to record types.
Click Apply Configuration. You MUST click Apply Configuration for the changes to take effect.
SECTION E - Setting Up the Slave DNS Server
============================================
PuTTY/SSH into your Slave DNS Server. CentOS 7.9 Linux was pre-installed on the Slave Server.
Change your root password.
# passwd
Download Webmin on the Slave Server.
# wget https://prdownloads.sourceforge.net/webadmin/webmin-1.981-1.noarch.rpm
ERROR
======
--2021-10-24 15:46:47-- https://prdownloads.sourceforge.net/webadmin/webmin-1.981-1.noarch.rpm
Resolving prdownloads.sourceforge.net (prdownloads.sourceforge.net)... 204.68.111.105
Connecting to prdownloads.sourceforge.net (prdownloads.sourceforge.net)|204.68.111.105|:443... connected.
ERROR: cannot verify prdownloads.sourceforge.net's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:
Issued certificate has expired.
To connect to prdownloads.sourceforge.net insecurely, use `--no-check-certificate'.
Solution to the above error
===========================
The freshly installed CentOS 7 system has an outdated CA bundle, so wget cannot build a valid chain for the Let's Encrypt certificate. Update the CA bundle instead of disabling certificate checking with --no-check-certificate.
# yum install ca-certificates
Download Webmin again.
# wget https://prdownloads.sourceforge.net/webadmin/webmin-1.981-1.noarch.rpm
Install Webmin on the Slave Server.
# rpm -ivh webmin-1.981-1.noarch.rpm
ERROR
=====
warning: webmin-1.981-1.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID 11f63c51: NOKEY
error: Failed dependencies:
perl(Net::SSLeay) is needed by webmin-1.981-1.noarch
perl(Encode::Detect) is needed by webmin-1.981-1.noarch
perl(Data::Dumper) is needed by webmin-1.981-1.noarch
unzip is needed by webmin-1.981-1.noarch
Solution to the above error
===========================
# yum install perl-Net-SSLeay
# yum install perl-Encode-Detect
# yum install perl-Data-Dumper
# yum install unzip
Install Webmin on the Slave Server again. The NOKEY warning in the output below means rpm could not verify the package signature because the Webmin signing key (key ID 11f63c51) is not imported; the package is installed anyway.
# rpm -ivh webmin-1.981-1.noarch.rpm
warning: webmin-1.981-1.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID 11f63c51: NOKEY
Preparing... ################################# [100%]
Operating system is CentOS Linux
Updating / installing...
1:webmin-1.981-1 ################################# [100%]
Webmin install complete. You can now login to https://vmi701385.contaboserver.net:10000/
as root with your root password.
SECTION F - Log in to the Webmin Slave Server for the 1st time
==============================================================
Log in to your Webmin Slave Server at https://185.214.135.104:10000
Dashboard > System Information
===============================
System hostname: vmi701385.contaboserver.net (185.214.135.104)
Operating system: CentOS Linux 7.9.2009
Webmin version: 1.981
Authentic theme version: 19.83-2
Time on system: Sunday, October 24, 2021 3:57 PM
Kernel and CPU: Linux 3.10.0-1160.el7.x86_64 on x86_64
Processor information: Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz, 4 cores
System uptime: 47 minutes
Running processes: 95
CPU load averages: 0.01 (1 min) 0.06 (5 mins) 0.05 (15 mins)
Real memory: 421.51 MiB used / 563.47 MiB cached / 7.63 GiB total
Local disk space: 11.96 GiB used / 184.74 GiB free / 196.71 GiB total
Package updates: 96 package updates are available
SECTION G - Install Firewalld on the Slave Server
==================================================
Firewalld is already pre-installed. There is no need to install it again.
# systemctl enable firewalld
# systemctl start firewalld
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-10-24 16:06:44 CEST; 19s ago
Docs: man:firewalld(1)
Main PID: 9533 (firewalld)
CGroup: /system.slice/firewalld.service
└─9533 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Oct 24 16:06:44 vmi701385.contaboserver.net systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 24 16:06:44 vmi701385.contaboserver.net systemd[1]: Started firewalld - dynamic firewall daemon.
Oct 24 16:06:44 vmi701385.contaboserver.net firewalld[9533]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It w... it now.
Hint: Some lines were ellipsized, use -l to show in full.
Checking if Firewalld is running
=================================
# firewall-cmd --state
running
Checking for default zone
=========================
# firewall-cmd --get-default-zone
public
Checking for active zone
========================
# firewall-cmd --get-active-zones
public
interfaces: eth0
List all services of the active zone
====================================
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Restart Firewalld
=================
# firewall-cmd --reload
success
Opening Firewall Port 10000 So That You Can Access Webmin on the Slave Server
=============================================================================
# firewall-cmd --zone=public --add-port=10000/tcp
success
Immediately after running the above command, you can log in to Webmin on the Slave Server. Note that without --permanent, firewall-cmd only changes the running configuration, and the port is closed again on the next reload or reboot; Section H below adds the same port again through Webmin.
SECTION H - Configuring FirewallD on the Slave Server Using Webmin
===================================================================
Log in to your Webmin Slave Server at https://185.214.135.104:10000
Click Networking > FirewallD
Click Add allowed port
Allowed in zone: public
Under Port to allow, click Single port and enter 10000
Network protocol: TCP
Click Create
SECTION I - Install BIND DNS Server on the Slave Server
========================================================
# yum install bind bind-config
# systemctl enable named
# systemctl start named
# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2021-10-24 16:27:59 CEST; 9s ago
Process: 11361 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 11358 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 11364 (named)
CGroup: /system.slice/named.service
└─11364 /usr/sbin/named -u named -c /etc/named.conf
Oct 24 16:27:59 vmi701385.contaboserver.net named[11364]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Oct 24 16:27:59 vmi701385.contaboserver.net named[11364]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Oct 24 16:27:59 vmi701385.contaboserver.net named[11364]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Oct 24 16:27:59 vmi701385.contaboserver.net named[11364]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Oct 24 16:27:59 vmi701385.contaboserver.net named[11364]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
Oct 24 16:27:59 vmi701385.contaboserver.net named[11364]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Oct 24 16:27:59 vmi701385.contaboserver.net named[11364]: network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
Oct 24 16:27:59 vmi701385.contaboserver.net named[11364]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Oct 24 16:27:59 vmi701385.contaboserver.net named[11364]: resolver priming query complete
Oct 24 16:28:00 vmi701385.contaboserver.net named[11364]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Reference Guide: Menu item in Webmin > Servers missing for "BIND DNS Server".
Link: https://archive.virtualmin.com/node/59786
Go to Webmin on your Slave server.
Click Refresh Modules on the left menu.
You should now see BIND DNS Server under Servers.
SECTION J - Open Additional Firewall Ports on the Slave Server Using Webmin
============================================================================
Log in to Webmin.
Click Networking > FirewallD
Click Add allowed port
Allowed in zone: public
Under Port to allow, click Single port and enter 53
Network protocol: UDP
Click Create
Click Add allowed port
Allowed in zone: public
Under Port to allow, click Single port and enter 53
Network protocol: TCP
Click Create
Click Add allowed port
Allowed in zone: public
Under Port to allow, click Port range and enter 10001-10010
Network protocol: TCP
Click Create
Apply rules to interfaces: eth0
Click Save
Click Apply Configuration
Activate at boot: Yes
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 10000/tcp 53/udp 53/tcp 10001-10010/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
SECTION K - Configuring the Virtualmin Master Server
====================================================
Log in to Virtualmin.
Click Webmin at the top left.
Click Webmin > Webmin Servers Index
Click Register a new server
Hostname or IP address: ns2.turritopsis-dohrnii-teo-en-ming.com
Server type: CentOS Linux
SSL server? Yes
Under Link type, click Login via Webmin with username: root password: <removed>
Make fast RPC calls? Yes
Click Save
There should now be an icon representing the server you created in the Webmin Servers page.
SECTION L - Enabling Cluster Slave Servers on the Master Server
===============================================================
On the Master Server, log in to Virtualmin.
Click Webmin on the top left.
Click Servers > BIND DNS Server
Click the Cluster Slave Servers button
Add server: ns2.turritopsis-dohrnii-teo-en-ming.com
Create secondary on slave when creating locally? Yes
Create all existing master zones on slave? Yes
Name for NS record: ns2.turritopsis-dohrnii-teo-en-ming.com
Click Add Now
Add Servers
===========
Adding ns2.turritopsis-dohrnii-teo-en-ming.com ..
Added ns2.turritopsis-dohrnii-teo-en-ming.com, with 0 existing zones.
Setup ns2.turritopsis-dohrnii-teo-en-ming.com with 1 new slave zones, but encountered 5 errors :
ns2.turritopsis-dohrnii-teo-en-ming.com : This zone already exists
SECTION M - Setting the Master IP Address on the Master Server
==============================================================
Go to your Master Server.
Click Servers > BIND DNS Server
Click Module config
Configuration category: Zone file options
Default master server(s) for slave zones: 185.182.9.61
Click Save
Reference Guide: DNS Slave Auto-configuration
Link: https://www.virtualmin.com/slave-configuration/
Reference Guide: How To Setup DNS Slave Auto Configuration Using Virtualmin/Webmin on Ubuntu
SECTION N - Problem: BIND DNS Server is not listening on the Slave Server
==========================================================================
Problem Description
====================
C:\PortQryV2>portqry -n ns2.turritopsis-dohrnii-teo-en-ming.com -e 53 -p both
Querying target system called:
ns2.turritopsis-dohrnii-teo-en-ming.com
Attempting to resolve name to IP address...
Name resolved to 185.214.135.104
querying...
TCP port 53 (domain service): NOT LISTENING
UDP port 53 (domain service): LISTENING or FILTERED
Sending DNS query to UDP port 53...
DNS query timed out
Solution
========
Edit /etc/named.conf
# nano /etc/named.conf
Find the "options {" section.
Replace the following lines:
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
with the lines below:
listen-on port 53 {
any;
};
listen-on-v6 port 53 {
any;
};
# systemctl restart named
Run the following port scanning command on your Windows 10 laptop
==================================================================
C:\PortQryV2>portqry -n ns2.turritopsis-dohrnii-teo-en-ming.com -e 53 -p both
Querying target system called:
ns2.turritopsis-dohrnii-teo-en-ming.com
Attempting to resolve name to IP address...
Name resolved to 185.214.135.104
querying...
TCP port 53 (domain service): LISTENING
UDP port 53 (domain service): LISTENING
SECTION O - Problem: BIND DNS Server on the Slave Server is Rejecting Queries
================================================================================
Problem Description
===================
C:\PortQryV2>nslookup
Default Server: UnKnown
Address: 192.168.122.221
> server ns2.turritopsis-dohrnii-teo-en-ming.com
Default Server: ns2.turritopsis-dohrnii-teo-en-ming.com
Address: 185.214.135.104
> www.turritopsis-dohrnii-teo-en-ming.com
Server: ns2.turritopsis-dohrnii-teo-en-ming.com
Address: 185.214.135.104
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to ns2.turritopsis-dohrnii-teo-en-ming.com timed-out
> set type=ns
> turritopsis-dohrnii-teo-en-ming.com
Server: ns2.turritopsis-dohrnii-teo-en-ming.com
Address: 185.214.135.104
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to ns2.turritopsis-dohrnii-teo-en-ming.com timed-out
Solution
=========
Edit /etc/named.conf
# nano /etc/named.conf
Find the line that says
allow-query { localhost; };
And replace it with
allow-query { any; };
# systemctl restart named
Caveat: the stock CentOS named.conf also has recursion yes; and no separate allow-recursion, so after this change BIND will recurse for any client as well, which turns the slave into an open resolver. An authoritative-only slave should additionally set recursion no; in the options section.
Reference Guide: Bind9 denied query
Link: https://unix.stackexchange.com/questions/283276/bind9-denied-query
Result
=======
C:\Users\Teo En Ming>nslookup
Default Server: UnKnown
Address: 192.168.122.221
> server ns2.turritopsis-dohrnii-teo-en-ming.com
Default Server: ns2.turritopsis-dohrnii-teo-en-ming.com
Address: 185.214.135.104
> www.turritopsis-dohrnii-teo-en-ming.com
Server: ns2.turritopsis-dohrnii-teo-en-ming.com
Address: 185.214.135.104
Name: www.turritopsis-dohrnii-teo-en-ming.com
Address: 185.182.9.61
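As an added check (example code written for these notes, not part of the original post or of Webmin/Virtualmin), the stdlib-only Python probe below sends an SOA query with recursion desired off to ns1 and ns2, prints each server's serial so they can be compared, and reads the AA and RA header bits: an authoritative-only slave should answer AA=1, RA=0, while RA=1 after the allow-query change above means recursion is still open to the Internet. The zone name and IP addresses are the ones from these notes; the assumption is BIND's behaviour of setting RA only when it will recurse for the client.

```python
import random
import socket
import struct

# Added example, not from the original notes: stdlib-only probe of a BIND slave.
ZONE = "turritopsis-dohrnii-teo-en-ming.com"                  # zone from the notes
SERVERS = {"ns1": "185.182.9.61", "ns2": "185.214.135.104"}  # IPs from the notes

def build_query(name, qtype=6, txid=None):   # qtype 6 = SOA; flags 0 => RD clear
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)
def skip_name(data, off):   # step over a (possibly compressed) domain name
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length >= 0xC0:   # a compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length
def parse_response(data):   # header bits plus the serial of a leading SOA answer
    txid, flags, qd, an = struct.unpack("!HHHH", data[:8])
    r = {"id": txid, "aa": (flags >> 10) & 1, "ra": (flags >> 7) & 1,
         "rcode": flags & 0xF, "serial": None}   # rcode 0 NOERROR, 5 REFUSED
    off = 12
    for _ in range(qd):                       # question: name, qtype, qclass
        off = skip_name(data, off) + 4
    if an and r["rcode"] == 0:
        off = skip_name(data, off)            # answer owner name
        rtype = struct.unpack("!H", data[off:off + 2])[0]
        off += 10                             # type, class, ttl, rdlength
        if rtype == 6:                        # SOA rdata: MNAME, RNAME, serial
            p = skip_name(data, skip_name(data, off))
            r["serial"] = struct.unpack("!I", data[p:p + 4])[0]
    return r
def judge(r):   # what the answer means for an authoritative-only slave
    if r["rcode"] == 5:
        return "REFUSED: allow-query still restricted or zone not loaded"
    if r["aa"] != 1:
        return "not authoritative: slave zone missing or transfer failed"
    if r["ra"] == 1:
        return "authoritative, but RA=1: the server also recurses for anyone"
    return "ok: authoritative, no recursion offered, serial %s" % r["serial"]
def check(server, name=ZONE, timeout=3.0):   # one UDP SOA query to `server`
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    r = parse_response(data)
    if r["id"] != struct.unpack("!H", q[:2])[0]:   # drop spoofed or stale replies
        raise ValueError("transaction id mismatch")
    return r

if __name__ == "__main__":
    for label, ip in SERVERS.items():   # the two serials should be identical
        print(label, judge(check(ip)))
```

Run it from a host outside both servers; a serial mismatch between ns1 and ns2 means the slave has not transferred the latest zone yet.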
SECTION P - The FINALIZED Master DNS Zone
=========================================
$ttl 3600
@ IN SOA ns1.turritopsis-dohrnii-teo-en-ming.com. ceo.teo-en-ming-corp.com. (
1634651919
3600
600
1209600
3600 )
turritopsis-dohrnii-teo-en-ming.com. IN A 185.182.9.61
www.turritopsis-dohrnii-teo-en-ming.com. IN A 185.182.9.61
ftp.turritopsis-dohrnii-teo-en-ming.com. IN A 185.182.9.61
m.turritopsis-dohrnii-teo-en-ming.com. IN A 185.182.9.61
localhost.turritopsis-dohrnii-teo-en-ming.com. IN A 127.0.0.1
webmail.turritopsis-dohrnii-teo-en-ming.com. IN A 185.182.9.61
admin.turritopsis-dohrnii-teo-en-ming.com. IN A 185.182.9.61
mail.turritopsis-dohrnii-teo-en-ming.com. IN A 185.182.9.61
turritopsis-dohrnii-teo-en-ming.com. IN MX 5 mail.turritopsis-dohrnii-teo-en-ming.com.
turritopsis-dohrnii-teo-en-ming.com. IN TXT "v=spf1 a mx a:turritopsis-dohrnii-teo-en-ming.com ip4:185.182.9.61 ip4:185.182.9.61 ip6:2a02:c207:2069:6121:0000:0000:0000:0001 ?all"
@ IN CAA 0 issuewild letsencrypt.org
2021._domainkey.turritopsis-dohrnii-teo-en-ming.com. IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtAag9wT+JcVqf"
"4LOXV4tIkfAeOudlfU5ne3at292ch+En3zhRlwUflzMJkE/Ax+chxy+lbj2X4/mUdhFiEsMcly2LNFkO"
"06xLK+2LUcl71u+JfOvt1vSGwV1EXtlEkbtfH7y9eQu0SRX13cy0oQTvtpyrbbrmRSjUKpHA8wxdJQq8"
"0lj7X3n6EahtY1Y+P5t04tsUBpPyxplIauqp9j47iib2lLwXAAgUw+q2ezz2OgX9nwgMUZfVNFzZAuug"
"nzoQgBij7UVmH72GOaDsJ724Pp2RqJhYXZaYMImy1pExDXRUc60I7EjXn6ONXHlszjO7U2XVOreaLGPl"
"c4UAmMNrQIDAQAB" )
_dmarc.turritopsis-dohrnii-teo-en-ming.com. IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:ceo@teo-en-ming-corp.com; adkim=r; aspf=r"
turritopsis-dohrnii-teo-en-ming.com. IN NS ns1.turritopsis-dohrnii-teo-en-ming.com.
turritopsis-dohrnii-teo-en-ming.com. IN NS ns2.turritopsis-dohrnii-teo-en-ming.com.
ns1.turritopsis-dohrnii-teo-en-ming.com. IN A 185.182.9.61
ns2.turritopsis-dohrnii-teo-en-ming.com. IN A 185.214.135.104
Conclusion
==========
Teo En Ming's Virtualmin web hosting control panel is now set up successfully with Master and Slave DNS Configuration.
Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 26 Oct 2021, is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant with a Systems Integrator (SI)/computer firm in Singapore. He is an IT enthusiast.
REFERENCES
===========
[1] https://sourceforge.net/p/webadmin/mailman/message/37373922/
[2] https://marc.info/?l=webmin-l&m=163528877500627&w=2
[3] https://pastebin.com/raw/hVShREH6