How to start with Slave DNS Manager

Instruction How to start with Slave DNS Manager 1.0

Intro

This article is a short step-by-step how-to for configuring a slave DNS server based on CentOS 7 and managed by the "Slave DNS Manager" extension in Plesk.

I already created a virtual server based on CentOS 7 in a cloud environment. The server has a public IP address on the eth0 interface; in other words, the slave server is not behind NAT.

So I had the following information:
- Plesk's IP address: 188.x.y.z
- IP address of the slave DNS: 138.a.b.c
- Domain: test-for-forum.com


Steps

1. Update the OS.
Code:
slaveDNS# yum update -y
[...] Complete!
slaveDNS#


2. Check SELinux status.
Code:
slaveDNS# sestatus
SELinux status:                 disabled
slaveDNS#


3. Reboot to start the new kernel after the OS update.
Code:
slaveDNS# reboot
slaveDNS#


4. Install BIND.
Code:
slaveDNS# yum install -y bind bind-utils
[...] Complete!
slaveDNS#


5. Change the 'listen-on' option inside named.conf.
Code:
slaveDNS# sed -i 's/listen-on port 53 { 127.0.0.1; };/listen-on port 53 { any; };/;' /etc/named.conf
slaveDNS#


6. Change the 'recursion' option inside named.conf.
Code:
slaveDNS# sed -i 's/recursion yes;/recursion no;/;' /etc/named.conf
slaveDNS#


7. Change the 'allow-query' option inside named.conf.
Code:
slaveDNS# sed -i 's/allow-query     { localhost; };/allow-query     { any; };/;' /etc/named.conf
slaveDNS#


8. Add the 'allow-new-zones' option inside named.conf.
Code:
slaveDNS# sed -i 's/options {/options {\n        allow-new-zones yes;/;' /etc/named.conf
slaveDNS#


9. Add the new server in the Slave DNS Manager extension in Plesk.


10. Add the master key and controls sections to named.conf (replace the `secret` value and the Plesk IP address 188.x.y.z below with your own):
Code:
slaveDNS# cat <<EOF >> /etc/named.conf

key "rndc-key-master" {
        algorithm hmac-md5;
        secret "OTY_________________________OQ==";
};

controls {
        inet * port 953 allow { 188.x.y.z; 127.0.0.1; } keys { "rndc-key-master"; };
};

EOF
slaveDNS#


11. Add write permission for the named group on /var/named.
Code:
slaveDNS# chmod g+w /var/named/
slaveDNS#


12. Enable the named service.
Code:
slaveDNS# systemctl enable named.service
slaveDNS#


13. Start the named service.
Code:
slaveDNS# systemctl start named.service
slaveDNS#


14. Check the current /var/log/messages.
Code:
Apr 26 08:45:54 digitalocean yum[8668]: Installed: 32:bind-9.9.4-38.el7_3.3.x86_64
Apr 26 08:45:54 digitalocean yum[8668]: Installed: 32:bind-utils-9.9.4-38.el7_3.3.x86_64
Apr 26 08:49:54 digitalocean systemd: Starting Cleanup of Temporary Directories...
Apr 26 08:49:54 digitalocean systemd: Started Cleanup of Temporary Directories.
Apr 26 09:01:01 digitalocean systemd: Started Session 2 of user root.
Apr 26 09:01:01 digitalocean systemd: Starting Session 2 of user root.
Apr 26 09:15:39 digitalocean systemd: Reloading.
Apr 26 09:15:43 digitalocean systemd: Starting Generate rndc key for BIND (DNS)...
Apr 26 09:15:43 digitalocean generate-rndc-key.sh: Generating /etc/rndc.key:[ OK ]
Apr 26 09:15:43 digitalocean systemd: Started Generate rndc key for BIND (DNS).
Apr 26 09:15:43 digitalocean systemd: Starting Berkeley Internet Name Domain (DNS)...
Apr 26 09:15:43 digitalocean bash: zone localhost.localdomain/IN: loaded serial 0
Apr 26 09:15:43 digitalocean bash: zone localhost/IN: loaded serial 0
Apr 26 09:15:43 digitalocean bash: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Apr 26 09:15:43 digitalocean bash: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 26 09:15:43 digitalocean bash: zone 0.in-addr.arpa/IN: loaded serial 0
Apr 26 09:15:43 digitalocean named[8769]: starting BIND 9.9.4-RedHat-9.9.4-38.el7_3.3 -u named
Apr 26 09:15:43 digitalocean named[8769]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
Apr 26 09:15:43 digitalocean named[8769]: ----------------------------------------------------
Apr 26 09:15:43 digitalocean named[8769]: BIND 9 is maintained by Internet Systems Consortium,
Apr 26 09:15:43 digitalocean named[8769]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Apr 26 09:15:43 digitalocean named[8769]: corporation. Support and training for BIND 9 are
Apr 26 09:15:43 digitalocean named[8769]: available at [...]
Apr 26 09:15:43 digitalocean named[8769]: ----------------------------------------------------
Apr 26 09:15:43 digitalocean named[8769]: adjusted limit on open files from 4096 to 1048576
Apr 26 09:15:43 digitalocean named[8769]: found 1 CPU, using 1 worker thread
Apr 26 09:15:43 digitalocean named[8769]: using 1 UDP listener per interface
Apr 26 09:15:43 digitalocean named[8769]: using up to 4096 sockets
Apr 26 09:15:43 digitalocean named[8769]: loading configuration from '/etc/named.conf'
Apr 26 09:15:43 digitalocean named[8769]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Apr 26 09:15:43 digitalocean named[8769]: initializing GeoIP Country (IPv4) (type 1) DB
Apr 26 09:15:43 digitalocean named[8769]: GEO-106FREE 20160607 Build 1 Copyright (c) 2016 MaxMind
Apr 26 09:15:43 digitalocean named[8769]: initializing GeoIP Country (IPv6) (type 12) DB
Apr 26 09:15:43 digitalocean named[8769]: GEO-106FREE 20160607 Build 1 Copy
Apr 26 09:15:43 digitalocean named[8769]: GeoIP ...
[...]
Apr 26 09:15:43 digitalocean named[8769]: GeoIP ...
Apr 26 09:15:43 digitalocean named[8769]: using default UDP/IPv4 port range: [1024, 65535]
Apr 26 09:15:43 digitalocean named[8769]: using default UDP/IPv6 port range: [1024, 65535]
Apr 26 09:15:43 digitalocean named[8769]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 26 09:15:43 digitalocean named[8769]: listening on IPv6 interface lo, ::1#53
Apr 26 09:15:43 digitalocean named[8769]: generating session key for dynamic DNS
Apr 26 09:15:43 digitalocean named[8769]: open: 3bf305731dd26307.nzf: file not found
Apr 26 09:15:43 digitalocean named[8769]: sizing zone task pool based on 6 zones
Apr 26 09:15:43 digitalocean named[8769]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Apr 26 09:15:43 digitalocean named[8769]: automatic empty zone: ...
[...]
Apr 26 09:15:43 digitalocean named[8769]: automatic empty zone: ...
Apr 26 09:15:43 digitalocean named[8769]: command channel listening on 0.0.0.0#953
Apr 26 09:15:43 digitalocean named[8769]: managed-keys-zone: loaded serial 0
Apr 26 09:15:43 digitalocean systemd: Started Berkeley Internet Name Domain (DNS).
Apr 26 09:15:43 digitalocean named[8769]: zone 0.in-addr.arpa/IN: loaded serial 0
Apr 26 09:15:43 digitalocean systemd: Reached target Host and Network Name Lookups.
Apr 26 09:15:43 digitalocean named[8769]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 26 09:15:43 digitalocean systemd: Starting Host and Network Name Lookups.
Apr 26 09:15:43 digitalocean named[8769]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Apr 26 09:15:43 digitalocean named[8769]: zone localhost.localdomain/IN: loaded serial 0
Apr 26 09:15:43 digitalocean named[8769]: zone localhost/IN: loaded serial 0
Apr 26 09:15:43 digitalocean named[8769]: all zones loaded
Apr 26 09:15:43 digitalocean named[8769]: running


15. Disable and then re-enable DNS for the domain in Plesk; check the logs again.
Code:
Apr 26 09:22:33 digitalocean named[8769]: received control channel command 'refresh test-for-forum.com'
Apr 26 09:22:33 digitalocean named[8769]: received control channel command 'addzone test-for-forum.com { type slave; file "test-for-forum.com"; masters { 188.x.y.z; }; };'
Apr 26 09:22:33 digitalocean named[8769]: zone test-for-forum.com added to view _default via addzone
Apr 26 09:22:33 digitalocean named[8769]: zone test-for-forum.com/IN: Transfer started.
Apr 26 09:22:33 digitalocean named[8769]: transfer of 'test-for-forum.com/IN' from 188.x.y.z#53: connected using 138.a.b.c#36857
Apr 26 09:22:33 digitalocean named[8769]: zone test-for-forum.com/IN: transferred serial 2017042605
Apr 26 09:22:33 digitalocean named[8769]: transfer of 'test-for-forum.com/IN' from 188.x.y.z#53: Transfer completed: 1 messages, 15 records, 416 bytes, 0.005 secs (83200 bytes/sec)
Apr 26 09:22:33 digitalocean named[8769]: zone test-for-forum.com/IN: sending notifies (serial 2017042605)


16. Check for the new files in the named directory ("3bf305731dd26307.nzf" and "test-for-forum.com").
Code:
slaveDNS# ls -la /var/named
total 44
drwxrwx---   5 root  named 4096 Apr 26 09:22 .
drwxr-xr-x. 20 root  root  4096 Apr 26 08:45 ..
-rw-r--r--   1 named named  100 Apr 26 09:22 3bf305731dd26307.nzf
drwxrwx---   2 named named 4096 Apr 26 09:15 data
drwxrwx---   2 named named 4096 Apr 26 09:16 dynamic
-rw-r-----   1 root  named 2076 Jan 28  2013 named.ca
-rw-r-----   1 root  named  152 Dec 15  2009 named.empty
-rw-r-----   1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----   1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---   2 named named 4096 Apr 19 15:53 slaves
-rw-r--r--   1 named named  876 Apr 26 09:22 test-for-forum.com
slaveDNS#


17. Look inside "3bf305731dd26307.nzf".
Code:
slaveDNS# cat /var/named/3bf305731dd26307.nzf
zone "test-for-forum.com" { type slave; file "test-for-forum.com"; masters { 188.x.y.z; }; };
slaveDNS#

Finished! So we have configured the extension and the slave DNS. The slave DNS can now retrieve the zone from the master DNS.


Troubleshooting
1. Check /etc/named.conf and make sure the options were actually updated by the `sed` commands.

2. If one server does not connect to the other, check the firewall. In cloud environments, also check the cloud firewall if there is one.
  • Do not block 53/udp connection from anywhere to DNS servers.
  • Do not block 53/tcp connection from slave DNS to master DNS.
  • Do not block 953/tcp connection from master DNS to slave DNS.
3. Check that the IP addresses are correct. Check the secret key for typos.

4. If BIND does not start, check the system logs and the BIND logs. Something may be wrong with the config files.

5. Always check the system and BIND logs:
  • /var/log/messages
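Troubleshooting item 1 is worth automating: `sed -i` exits 0 even when its pattern matched nothing, so a named.conf that was never changed looks identical to a successful run. The script below is an added example (not part of the original how-to) that greps named.conf for every setting steps 5 to 10 are supposed to leave behind; the sample config, secret and Plesk IP in it are constructed values, and the allow-transfer warning is an extra check assumed here, not something the how-to sets.

```shell
#!/bin/sh
# Verify that named.conf carries the settings from steps 5-10.
# Exit status is the number of failed checks (0 = everything present).
check_named_conf() {
    conf="$1"
    fails=0
    # Each line: human label | extended regex that must match somewhere in the file.
    while IFS='|' read -r label re; do
        if grep -Eq -- "$re" "$conf"; then
            echo "OK   $label"
        else
            echo "FAIL $label"
            fails=$((fails + 1))
        fi
    done <<'CHECKS'
listen-on any (step 5)|listen-on[[:space:]]+port[[:space:]]+53[[:space:]]*\{[[:space:]]*any;
recursion no (step 6)|^[[:space:]]*recursion[[:space:]]+no;
allow-query any (step 7)|^[[:space:]]*allow-query[[:space:]]+\{[[:space:]]*any;
allow-new-zones yes (step 8)|^[[:space:]]*allow-new-zones[[:space:]]+yes;
key rndc-key-master defined (step 10)|^key[[:space:]]+"rndc-key-master"
secret is real base64, not the placeholder (step 10)|secret[[:space:]]+"[A-Za-z0-9+/]+={0,2}";
controls allow Plesk IP and localhost (step 10)|inet[[:space:]]+\*[[:space:]]+port[[:space:]]+953[[:space:]]+allow[[:space:]]+\{[^}]*127\.0\.0\.1;
CHECKS
    # Extra caveat (assumption, not in the how-to): BIND 9.9 answers AXFR requests
    # from any host unless allow-transfer is set, so flag its absence.
    grep -Eq '^[[:space:]]*allow-transfer' "$conf" || echo "WARN allow-transfer not set"
    return "$fails"
}

# Constructed sample of named.conf as it should look after steps 5-10
# (secret and Plesk IP are made-up values, not from the article).
sample_conf() {
cat <<'EOF'
options {
        allow-new-zones yes;
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };
        recursion no;
};
key "rndc-key-master" {
        algorithm hmac-md5;
        secret "c2FtcGxlLXNlY3JldC1ub3QtcmVhbA==";
};
controls {
        inet * port 953 allow { 198.51.100.10; 127.0.0.1; } keys { "rndc-key-master"; };
};
EOF
}
# Usage on the slave: check_named_conf /etc/named.conf
```

Run it against the sample with `sample_conf > /tmp/named.conf.sample; check_named_conf /tmp/named.conf.sample` to see what a clean result looks like before pointing it at the real file.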


Notes
1. If you want to use the slave DNS with SELinux enabled, you need different steps. These steps are not described here, but it is possible.
2. If you want to use the slave DNS in a chrooted environment, you need different steps. These steps are not described here, but it is possible.
3. If you want to use the master DNS (Plesk) behind NAT, you need different steps. These steps are not described here, but it is possible.
4. If you want to use the slave DNS on Ubuntu or even Windows, you need different steps. These steps are not described here, but it is possible.
CHANGELOG:
Code:
2017.08.26
  Added new steps:
  #5: change "listen-on" address from "127.0.0.1" to "any"
  #6: change "recursion" from "yes" to "no"
  #7: change "allow-query" from "localhost" to "any"

  Added new point in troubleshooting:
  #1: check actual settings in "named.conf"

2017.06.29
  First version of the article.
Author: AYamshanov