Use same DNS servers on all Virtualmin hosts

So, say I have 3 Virtualmin GPL servers configured as DNS slaves. Say they are ns1, ns2, and ns3 for some domains.

Now, say I end up with 10 servers each running Virtualmin PRO and a bunch of users on each. Ideally, I do NOT want to use each host as the primary DNS for the servers on it. This confuses things too much. The user doesn't know where to point his domains if registered in another provider. I want the same 3 nameservers to be used no matter what server they are on!

So, in the BIND DNS Domain screen for server templates, there is a "Master DNS server hostname" field, which sounds exactly like what I might want, except... Clicking on the help says that whatever I set it to, it MUST resolve to the IP address of the server! Not good.

So, since Virtualmin automatically adds DNS records for slaves, the only thing I need is to NOT add a record for the server it is on. Is there a good way to do this?

In this way, only ns1, ns2, and ns3 would ever be used, and the current host never used, and thus the inbound DNS port could be blocked by the firewall except for traffic from the slaves. Also, our FAQ, ordering screen, you name it, could always state exactly which nameservers to point their domain to.

I hope this makes sense, not sure how anyone would want to do otherwise with multiple servers?

Status: Active

Comments

My suggestion in this case would be to use a "hidden master" scheme, by whipping up a custom BIND configuration in the server template, section BIND DNS records for new domains, entry "BIND DNS records for new domains" (set the radio button below to "Use only the records above"). Thus you can have Virtualmin not enter the server's own IP address into the zone.

The template might look like this:

$ttl 38400
@   IN  SOA ns1.thedomain.com. root.ns1.thedomain.com. (
            ${CURRENT_YEAR}${CURRENT_MONTH}${CURRENT_DAY}01
            10800
            3600
            604800
            38400 )
@   IN  NS  ns1.thedomain.com.
@   IN  NS  ns2.thedomain.com.
@   IN  NS  ns3.thedomain.com.
${DOM}test6.tianet.de.  IN  A   ${IP}
www.${DOM}test6.tianet.de.  IN  A   ${IP}

You then configure your ns1, ns2 and ns3 as Cluster Slaves in Webmin, as you already did I assume, and have your domain users use those when registering their domains. The master is the respective Virtualmin server, while the slaves hold exact copies of their zones.

Note in this context that the master nameserver is not required to also be a publicly reachable (authoritative) one. The master can stay "hidden in the background" and just feed the publicly configured slaves with their zone files.

Another thought. You might be able to achieve the same result by putting all your slave servers in the "Additional manually configured nameservers" box (except they are cluster slaves - in that case they get added automatically), turning off "Add nameserver record for this system" and setting "Master DNS server hostname" to ns1.thedomain.com.

The note in the help page that the master DNS server hostname MUST resolve to the server's external IP does - in my opinion - not apply here. It should rather read like "the hostname you enter there must resolve to the IP address of a nameserver that holds a valid copy of the zone" (since it is used for the SOA record of the zone).

I haven't fully tested this yet, but I think it should work. As long as the data in the registrar matches with the SOA and NS records in the zone on all used servers you should be fine.
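A check a practitioner would want for the hidden-master setup discussed above, as an added Python example (not code from this thread or from Virtualmin): it parses each server's copy of the zone and confirms that the NS set matches what the registrar was given, that the SOA MNAME is one of those public nameservers, that the Virtualmin host never appears in the NS records, and that the serials agree. The zone text, hostnames and addresses are constructed; in use you would feed it the zone data as fetched from each nameserver.

```python
import re

# Constructed sample: the template from the comment above after Virtualmin
# has substituted ${DOM}, ${IP} and the serial (all values are made up).
SAMPLE_ZONE = """\
$ttl 38400
@   IN  SOA ns1.thedomain.com. root.ns1.thedomain.com. (
            2024010101
            10800
            3600
            604800
            38400 )
@   IN  NS  ns1.thedomain.com.
@   IN  NS  ns2.thedomain.com.
@   IN  NS  ns3.thedomain.com.
example.com.      IN  A   192.0.2.10
www.example.com.  IN  A   192.0.2.10
"""

def parse_zone(text):
    """Return (soa_mname, serial, set_of_ns_names) from a minimal zone file."""
    flat = re.sub(r";.*", "", text)                       # drop comments
    # Fold the multi-line SOA parentheses onto one line so split() works.
    flat = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), flat)
    mname, serial, ns = None, None, set()
    for fields in (line.split() for line in flat.splitlines()):
        if len(fields) >= 6 and fields[1:3] == ["IN", "SOA"]:
            mname, serial = fields[3].lower(), int(fields[5])
        elif len(fields) >= 4 and fields[1:3] == ["IN", "NS"]:
            ns.add(fields[3].lower())
    return mname, serial, ns

def check_delegation(registrar_ns, zones, hidden_master):
    """registrar_ns: nameserver names handed to the registrar; zones: server
    name -> zone text as that server serves it; hidden_master: the Virtualmin
    host, which must stay out of the NS set. Returns a list of problems."""
    problems, serials = [], {}
    for server, text in zones.items():
        mname, serial, ns = parse_zone(text)
        serials[server] = serial
        if ns != set(registrar_ns):
            problems.append(f"{server}: NS set {sorted(ns)} differs from registrar")
        if mname not in ns:
            problems.append(f"{server}: SOA MNAME {mname} is not one of the NS hosts")
        if hidden_master.lower() in ns:
            problems.append(f"{server}: hidden master {hidden_master} is exposed as NS")
    if len(set(serials.values())) > 1:
        problems.append(f"serial mismatch across servers: {serials}")
    return problems
```

An empty list means the delegation, the SOA and every slave's copy are consistent; anything else is the mismatch that makes the registrar's delegation or the zone transfer break.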

I did not see that box, "Add nameserver record for this system", clear as day now though. The spacing sort of looks like it is an option to the box above it, but maybe not. I don't think any manually configured ones should be needed since it auto includes the webmin slaves.

It COULD be a matter of the help text not reflecting what it really does in this case. Hopefully, this ticket will prompt a help text fix if so. I thought of the hidden master, but, figured it would fail only on the basis of that text. And I didn't see that box! I figured it might add ns1 twice even if the text was wrong.

Surely, I would not be the only one with multiple servers who would have this issue. I can't see it working very well order fulfilling or processing wise without doing this.

As far as the manual specifying of BIND DNS records for new domains, I had thought of that also, but it is not clear what that really means. Would Virtualmin later on create records for DKIM if turned on? I presume so since it is on the "when created" screen. Seems like one would need a lot of ifs there for different scenarios though. And I couldn't remember other scenarios where Virtualmin might add a DNS record based on other options.

Virtualmin should indeed add (and remove) further zone file entries as necessary, no matter how the zone was initially created. Webmin in general is quite good at manipulating config files, changing only the required parts and leaving everything else untouched.

As for the slightly confusing help text: you can be sure that the developers will read this and consider the suggestion. My experience so far is that they read every issue tracker entry thoroughly. :)

One option would be for all your systems to be slaves of the others. That way when registering a zone that is hosted on any of them, you can use the IPs of some or all systems. A system doesn't actually have to be the primary nameserver for a domain to be the nameserver you supply to the registrar.

Yes, but with an unknown number of future systems, this could quickly become unwieldy. I am going to try the hidden master. See the comment:

"there is a "Master DNS server hostname" field, which sounds exactly like what I might want, except... Clicking on the help says that whatever I set it to, it MUST resolve to the IP address of the server!"

Apparently, from quick testing, this is not true. Can you fix the help text?

I will update the help text for that field in the next Virtualmin release, as suggested.