Question DNS server problem

[Piekielko]

Server operating system version

Debian 11.6

Plesk version and microupdate number

18.0.49

On my server, all my domains use external DNS addresses. As in the DNS test of the piekielko.com domain:

Report for piekielko.com

www.dnsinspect.com

• 
  fns1.42.pl. → 79.98.145.34
• 
  fns2.42.pl. → 51.38.99.90
• 
  ns2.afraid.org. → 69.65.50.223
• 
  sdns2.ovh.net. → 213.251.188.141

However, I'm having trouble with the current forwarding of DNS data to these servers from Plesk. A few days go by and nothing updates.
In the DNS settings, I have added the IP addresses of these external DNS servers as friendly
DNS data is transferred to external servers only if I refresh (save) the settings in the DNS template.

My settings:
Tools & Settings > DNS Template > DNS Recursion Settings: Any Host
version "none";
auth-nxdomain no;
listen-on-v6 { any; };

What is wrong? Should I change auth-nxdomain to yes?

 

[scsa20]

I am not sure what you're trying to archive but the way zone transfers works is that the 2 DNS servers would have to basically agree on the servers for the transfers to be accepted which most third party DNS servers would not allow other than for their own servers.

If you're trying to use the DNS server that's provided with Plesk, then you'll want to add Glue records in your registrar pointing to your server IP address(es) and update the name server to point to your ns1/ns2.domain.tld. If you want to use the third party DNS providers then you'll just need to input in the entries accordingly in that DNS provider and you don't need to edit anything else on the server.

 

[Piekielko]

I don't want the piekielko.com zone on the plesk server - I prefer to have it hidden
I manage all DNS records directly in Plesk. But the primary DNS address for my domain is fns1.42.pl in FreeDNS::42 - Darmowa usługa udostępniania serwerów DNS

For example,
piekielko.com. IN NS fns1.42.pl.
piekielko.com. IN NS fns2.42.pl.

communication on TCP port 53


zone "piekielko.com" {
type master;
file "piekielko.com";
allow-transfer {
79.98.145.34; 51.38.99.90;
};
};

I have these IP addresses entered in Restricting DNS Zones Transfer

I have the impression that any changes to DNS records for any domain are not directly transferred to the fns1.42.pl server - as if they were transferred from the memory cache. Only if he resets BIND, the current data is transferred immediately. Maybe some firewall is blocking it? It worked for me on old Ubuntu. After migrating to Debian 11.6 something seems to have broken

Generally, it's not a big problem but the Let's Encrypt update annoys me the most - TXT records are out of date

 

[scsa20]

As mention, the third party DNS provider would need to be able to accept the zone transfer which, chances are, they won't. Is there specific reason why you want your name server hidden? Anyone experience enough can easily find it anyways.

In any event, what you're asking for will never be possible since you don't have direct access to the third party DNS servers to allow the zone transfers.

If your DNS provider has an API support you could probably make a program that runs on the server or an extension for Plesk that will allow you to sync the DNS zones within Plesk to your DNS provider that way. Plesk has extensions available that works with Amazon Route 53, DigitalOcean DNS, and Microsoft Azure DNS which lets you edit the DNS within Plesk and have it synced to those respective services for example.

 

[Piekielko]

Is there specific reason why you want your name server hidden?

I used to have frequent DDoS attacks on my direct DNS server in Plesk. Since I changed my DNS servers to external, the problem is over.
I've had Plesk set up with these servers for several years and everything works. but now i have to refresh BIND every now and then for server-to-server data update. I don't fully understand why this is happening.

 

[Piekielko]

Just press the [ok] or [apply] button in /dns/settings and all external servers immediately update the DNS records stored in Plesk. Weird..

 

[Dave W]

We had some issues with slave DNS servers a while back, the solution was to update BIND on the slaves. BIND on the plesk servers was auto-updated and there was a miscommunication issue between the Plesk BIND and the slave BIND, this may be related to your issue?

 

[Piekielko]

Everything seems to be up to date.
Probably the simplest solution will be to do a cyclic reload of BIND using CRON - once a day and after the problem

 

[Dave W]

Anything in syslog?

 

[Piekielko]

I am updating the DNS zone
Feb 17 10:13:49 ns3125328 systemd[1]: Started Plesk task: Event 'domain_dns_update' for object with ID '4' (byledowylotu.pl) (task=4661 process=4661 trace=123639:63ef454d505ef).

An external server DNS downloads outdated data
Feb 17 10:17:43 ns3125328 named[102875]: client @0x7ff5f8060fb0 79.98.145.34#55965 (byledowylotu.pl): transfer of 'byledowylotu.pl/IN': AXFR started (serial 2023021709)

Restart BIND
Feb 17 10:20:01 ns3125328 systemd[1]: Stopping BIND Domain Name Server...

Feb 17 10:20:02 ns3125328 named[129813]: client @0x7f64d4c4c0e0 79.98.145.34#44548 (byledowylotu.pl): transfer of 'byledowylotu.pl/IN': IXFR version not in journal, falling back to AXFR

An external server DNS downloads uptdated data
Feb 17 10:21:41 ns3125328 named[129813]: client @0x7f64cc010270 79.98.145.34#48097 (byledowylotu.pl): transfer of 'byledowylotu.pl/IN': AXFR started (serial 2023021710)

 

[Piekielko]

Now I deleted one TXT record from the same domain and saved the settings.
Feb 17 10:38:16 ns3125328 systemd[1]: Started Plesk task: Event 'domain_dns_update' for object with ID '4' (byledowylotu.pl) (task=4665 process=4665 trace=123638:63ef4b0886047).
Feb 17 10:38:16 ns3125328 systemd[1]: run-plesk-task-4665.service: Succeeded.
Feb 17 10:38:16 ns3125328 systemd[1]: Stopped Plesk task: Event 'domain_dns_update' for object with ID '4' (byledowylotu.pl) (task=4665 process=4665 trace=123638:63ef4b0886047).

And this is where the key problem arises
Feb 17 10:38:16 ns3125328 dnsmng[143099]: : invalid IP address
Feb 17 10:38:16 ns3125328 systemd[1]: Reloading BIND Domain Name Server.
Feb 17 10:38:16 ns3125328 rndc[143140]: WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)
Feb 17 10:38:16 ns3125328 rndc[143140]: rndc: connection to remote host closed
Feb 17 10:38:16 ns3125328 rndc[143140]: This may indicate that
Feb 17 10:38:16 ns3125328 rndc[143140]: * the remote server is using an older version of the command protocol,
Feb 17 10:38:16 ns3125328 rndc[143140]: * this host is not authorized to connect,
Feb 17 10:38:16 ns3125328 rndc[143140]: * the clocks are not synchronized,
Feb 17 10:38:16 ns3125328 rndc[143140]: * the key signing algorithm is incorrect, or
Feb 17 10:38:16 ns3125328 rndc[143140]: * the key is invalid.
Feb 17 10:38:16 ns3125328 named[129813]: invalid command from 127.0.0.1#42865: bad auth
Feb 17 10:38:16 ns3125328 systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Feb 17 10:38:16 ns3125328 systemd[1]: Reload failed for BIND Domain Name Server.

 

[Piekielko]

rndc.key and rndc.conf have different rndc-keys
Which is the right one?

 

[Piekielko]

Will deleting rndc.key solve this problem?

 

[Piekielko]

Removing this file did nothing. There is no warning but there is still an authorization problem. Maybe reinstalling BIND makes sense?

Feb 17 11:58:35 ns3125328 systemd[1]: Started Plesk task: Event 'domain_dns_update' for object with ID '4' (byledowylotu.pl) (task=4674 process=4674 trace=153365:63ef5ddb68d4c).
Feb 17 11:58:35 ns3125328 systemd[1]: run-plesk-task-4674.service: Succeeded.
Feb 17 11:58:35 ns3125328 systemd[1]: Stopped Plesk task: Event 'domain_dns_update' for object with ID '4' (byledowylotu.pl) (task=4674 process=4674 trace=153365:63ef5ddb68d4c).
Feb 17 11:58:35 ns3125328 dnsmng[155780]: : invalid IP address
Feb 17 11:58:35 ns3125328 systemd[1]: Reloading BIND Domain Name Server.
Feb 17 11:58:35 ns3125328 named[145060]: invalid command from 127.0.0.1#39887: bad auth
Feb 17 11:58:35 ns3125328 rndc[155821]: rndc: connection to remote host closed
Feb 17 11:58:35 ns3125328 rndc[155821]: This may indicate that
Feb 17 11:58:35 ns3125328 rndc[155821]: * the remote server is using an older version of the command protocol,
Feb 17 11:58:35 ns3125328 rndc[155821]: * this host is not authorized to connect,
Feb 17 11:58:35 ns3125328 rndc[155821]: * the clocks are not synchronized,
Feb 17 11:58:35 ns3125328 rndc[155821]: * the key signing algorithm is incorrect, or
Feb 17 11:58:35 ns3125328 rndc[155821]: * the key is invalid.
Feb 17 11:58:35 ns3125328 systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Feb 17 11:58:35 ns3125328 systemd[1]: Reload failed for BIND Domain Name Server.

 

[Oper]

named.service: Control process exited, code=exited, status=1/FAILURE and Reload failed for BIND Domain Name Server

DNS service working? ;-)

 

[Piekielko]

I managed to fix it
The problem was different key and algorithm hmac-md5 and hmac-sha256.

The correct key is here:
/var/named/run-root/etc/named.conf

It was enough to copy this key
key "rndc-key" {
algorithm hmac-md5;
secret "somekey=";
};
and add it to the file
/etc/bind/rndc.conf

of course we delete:
/etc/bind/rndc.key


Feb 17 15:46:53 ns3125328 systemd[1]: Reloading BIND Domain Name Server.
Feb 17 15:46:53 ns3125328 named[180323]: received control channel command 'reload'
Feb 17 15:46:53 ns3125328 named[180323]: loading configuration from '/etc/named.conf'
Feb 17 15:46:53 ns3125328 named[180323]: unable to open '/etc/bind/bind.keys'; using built-in keys instead
Feb 17 15:46:53 ns3125328 named[180323]: looking for GeoIP2 databases in '/usr/share/GeoIP'
Feb 17 15:46:53 ns3125328 named[180323]: using default UDP/IPv4 port range: [1024, 65535]
Feb 17 15:46:53 ns3125328 named[180323]: using default UDP/IPv6 port range: [1024, 65535]
Feb 17 15:46:53 ns3125328 named[180323]: generating session key for dynamic DNS
Feb 17 15:46:53 ns3125328 named[180323]: couldn't mkdir '//run': Permission denied
Feb 17 15:46:53 ns3125328 named[180323]: could not create //run/named/session.key
Feb 17 15:46:53 ns3125328 named[180323]: failed to generate session key for dynamic DNS: permission denied
Feb 17 15:46:53 ns3125328 named[180323]: sizing zone task pool based on 11 zones
Feb 17 15:46:53 ns3125328 named[180323]: none:91: 'max-cache-size 90%' - setting to 28617MB (out of 31797MB)
Feb 17 15:46:53 ns3125328 named[180323]: using built-in root key for view _default
Feb 17 15:46:53 ns3125328 named[180323]: automatic empty zone (.....)

Feb 17 15:46:53 ns3125328 named[180323]: reloading configuration succeeded
Feb 17 15:46:53 ns3125328 named[180323]: reloading zones succeeded
Feb 17 15:46:53 ns3125328 named[180323]: zone byledowylotu.pl/IN: loaded serial 2023021722
Feb 17 15:46:53 ns3125328 named[180323]: zone byledowylotu.pl/IN: sending notifies (serial 2023021722)
Feb 17 15:46:53 ns3125328 rndc[189841]: server reload successful
Feb 17 15:46:53 ns3125328 systemd[1]: Reloaded BIND Domain Name Server.
Feb 17 15:46:53 ns3125328 named[180323]: all zones loaded
Feb 17 15:46:53 ns3125328 named[180323]: running
Feb 17 15:46:54 ns3125328 named[180323]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Feb 17 15:46:54 ns3125328 named[180323]: client @0x7fe2b406e1b0 79.98.145.34#28228 (byledowylotu.pl): transfer of 'byledowylotu.pl/IN': IXFR version not in journal, falling back to AXFR
Feb 17 15:46:54 ns3125328 named[180323]: client @0x7fe2b406e1b0 79.98.145.34#28228 (byledowylotu.pl): transfer of 'byledowylotu.pl/IN': AXFR-style IXFR started (serial 2023021722)
Feb 17 15:46:54 ns3125328 named[180323]: client @0x7fe2b406e1b0 79.98.145.34#28228 (byledowylotu.pl): transfer of 'byledowylotu.pl/IN': AXFR-style IXFR ended: 1 messages, 13 records, 494 bytes, 0.003 secs (164666 bytes/sec) (serial 2023021722)

The external DNS server was updated in no time