Welcome to masochist-city

Posted on May 28, 2022

… that is what my buddy said, when I told him i was “playing around with DNS”.

It’s not that bad. Then again, maybe I’m a sucker for punishment. Why? You may ask, well, because, why not (and really have nothing better to do). I already had the VPS servers. It also gives great insight into how DNS really works. What I’m showing here is thus, external DNS.

So, what’s needed? You need preferably two stable DNS servers (static IPs). A couple of low cost VPS servers will do.

Setup your “glue” records.

These are the records that tell the world where to find your name servers. You will typically do this in your domain provider’s web UI. Then you also configure the two NS servers you want to use.

Let’s say we have two DNS servers named:

  ns1.mydomain.tech   10.0.0.1
  ns2.mydomain.tech   10.0.0.2

If bind isn’t installed already, make sure to do so (milage varies on distro). On archlinux.

  $  sudo pacman -S --noconfirm bind

Ubuntu (depending on version, named in 20.04, bind9 in 18.04.

  $  sudo pacman -S --noconfirm bind9

On the ns1 server (master), edit /etc/bind/named.conf.local (ubuntu, arch /etc/named.conf) add the following:

zone "mydomain.tech" {
 type master;
 file "/etc/bind/db.mydomain.tech";
 allow-transfer { 10.0.0.2; };
};

zone "10.0.0.in-addr.arpa" {
 type master;
 notify no;
 file "/etc/bind/db.10";
 allow-transfer { 10.0.0.2; };
};

This tells bind we’re ‘da masta’ (and must focus powa!). Here we also allow transfer to the slave (yeah, sorry, bind is still politcially incorrect). File points to its respective zone files, which comes next.

Now edit /etc/bind/db.mydomain.tech in your favorite editor (if you say notepad, you lose a testicle). But we all know it’s ed.

Jokes aside, hostmaster.mydomain.tech below, is actually the email for the domain contact.

$TTL 4800
; mydomain.tech
$ORIGIN mydomain.tech.
@  IN    SOA     ns1.mydomain.tech.   hostmaster.mydomain.tech. (
           2021102001 ; Serial
           604800     ; Refresh
           86400      ; Retry
           2419200    ; Expire
           604800 )   ; Negative Cache TTL

              IN   NS ns1.mydomain.tech.
              IN   NS ns2.mydomain.tech..

ns1           IN    A      10.0.0.1
ns2           IN    A      10.0.0.2

Restart bind (typically systemctl restart bind9, or named). Check the journal for any issues.

Next, setup the secondary nameserver config on the ns2 server. Edit /etc/bind/named.conf.local :

 zone "mydomain.tech"  {
 type slave;
 file "/var/cache/bind/db.mydomain.tech";
 masters { 10.0.0.1; };
};

zone "10.0.0.in-addr.arpa"  {
 type slave;
 notify no;
 file "/var/cache/bind/db.10";
 masters { 10.0.0.1; };
};

The master will then transfer the zone files to the slave, which caches it in the named files above. Restart the bind (or named) service, and check if the transfer was successful (ls /var/cache/bind), and/or check the journal for the service.

Examples:

$ ls -l /var/cache/bind/db.*

-rw-r--r-- 1 bind bind  197 Oct 19 19:12 db.10
-rw-r--r-- 1 bind bind  464 Oct 19 18:50 db.mydomain.tech
sudo systemctl status named --no-pager -l 

Oct 19 19:12:26 someservername  named[3951182]: transfer of '10.0.0.in-addr.arpa/IN' from 10.0.0.1#53: Transfer status:
 successful

Firewall

If your servers are behind a firewall (I hope so), then you need to open port 53. Make sure you open both TCP and UDP ports. Since I often run ufw, it would be something like:

   sudo ufw allow from any to any port 53 proto tcp

If you like torture (iptables):

   sudo iptables -A INPUT -p tcp --source 0.0.0.0/0 --dport 53 -j ACCEPT
   sudo iptables -A INPUT -p udp --source 0.0.0.0/0 --dport 53 -j ACCEPT

Depending on the time-to-live on the records, It may take serveral hours before the glue entries have propogated around the internet. But you can check your own servers by digging a bit.

dig @10.0.0.1 ns1.mydomain.tech

dig @10.0.0.2 ns2.mydomain.tech

If that works, you’re probably good to go.

Now you can edit some more entries in your zone file (remember to increase the version number) and reload bind, and make sure everything transfers properly to the other server.


ns1                 IN    A      10.0.0.1
ns2                 IN    A      10.0.0.2
mydomain.tech. 3600 IN    A      10.0.0.1
mydomain.tech. 3600 IN    MX 10  mail.mydomain.tech
mydomain.tech. 3600 IN    MX 20  mail2.mydomain.tech

mail	       3600 IN    A      10.0.0.98
mail2          3600 IN    A      10.0.0.99
www                 IN    CNAME  mydomain.tech.

Recursion

You might want to disable recursion (lookups for domains you aren’t authorative for).

Look for an options section in your configs, likely in /etc/bind9/named.conf.options

 recursion no;

Reload bind.

rndc

This is the named control util, and is quite handy. You can ie, check the status of a zone, retransfer zones, and a whole lotta stuff I won’t get into here.

$ rndc zonestatus <zone>

Congratulations, you just caused yourself more headaches and admin work. But hey, we all know you love it!

Cheers,

=Jinxd=