Subject: Re-configuring BIND DNS Servers for CentOS Web Panel Web Hosting Control Panel on Amazon AWS Cloud Author: Mr. Turritopsis Dohrnii Teo En Ming, Singapore Date: 27 Feb 2020 Thursday Rationale for Re-configuration of BIND DNS Servers for CentOS Web Panel ======================================================================= I have originally followed the approach for cPanel where there are 2 DNS-ONLY servers and one or more cPanel webservers. However, CentOS Web Panel implements DNS Clusters differently. Hence I have to re-configure BIND DNS Servers for CentOS Web Panel web hosting control panel. PREREQUISITES ============= Part 1 of the series: Mr. Teo En Ming's Guide to Deploying CentOS Web Panel (CWP) Web Hosting Control Panel on Amazon AWS Cloud Redundant Blogger and Wordpress blog links: [1] https://tdtemcerts.blogspot.com/2020/02/mr-teo-en-mings-guide-to-deploying.h... [2] https://tdtemcerts.wordpress.com/2020/02/23/mr-teo-en-mings-guide-to-deployi... Part 2 of the series: Setting Up Mail Server Operation for CentOS Web Panel Web Hosting Control Panel on Amazon AWS Cloud Redundant Blogger and Wordpress blog links: [1] https://tdtemcerts.blogspot.com/2020/02/setting-up-mail-server-operation-for... [2] https://tdtemcerts.wordpress.com/2020/02/25/setting-up-mail-server-operation... THIS guide is Part 3 of the series. EXTREMELY DETAILED INSTRUCTIONS OF TEO EN MING'S GUIDE ====================================================== Login to Amazon AWS Console. Setting Up Secondary/Slave DNS Server ===================================== On the EC2 Dashboard, click Instances. Click Launch Instance. Search for centos in the AWS Markpetplace. Select CentOS 7 (x86_64) - with Updates HVM (free tier eligible). Click Continue. Select t2.micro (free tier eligible). Click Next: Configure Instance Details. Network: Teo En Ming VPC Subnet: Public subnet | us-east-2a Click Protect against accidental termination. Click Next: Add Storage Size (GiB): 8 Click Next: Add Tags Key = Name Value = slave Click Next: Configure Security Group Click Select an existing security group Select NameServers Click Review and Launch. Click Launch. Select Choose an existing key pair. Key pair name: cwp Click Launch Instances. Click Instances. Select slave, right click and select Networking > Manage IP Addresses. Click Allocate an elastic IP to this instance. Click Allocate. Click Associate this Elastic IP Address. Instance: slave Click Associate. IPv4 address of Secondary/Slave DNS server is 3.12.224.179 $ ssh -i cwp.pem centos@3.12.224.179 $ sudo passwd $ su - # yum -y update && yum -y install wget # hostnamectl set-hostname ns2.teo-en-ming.com # cd /usr/local/src && wget http://centos-webpanel.com/cwp-el7-latest && sh cwp-el7-latest Started installing CentOS Web Panel at 9:00 PM on 26 Feb 2020 Wed. Completed installing CentOS Web Panel at 9:05 PM on 26 Feb 2020 Wed. Total duration: 5 mins. ############################# # CWP Installed # ############################# Go to CentOS WebPanel Admin GUI at http://SERVER_IP:2030/ http://3.12.224.179:2030 SSL: https://3.12.224.179:2031 --------------------- Username: root Password: ssh server root password MySQL root Password: ######################################################### CentOS Web Panel MailServer Installer ######################################################### SSL Cert name (hostname): ns2.teo-en-ming.com SSL Cert file location /etc/pki/tls/ private|certs ######################################################### Visit for help: www.centos-webpanel.com Write down login details and press ENTER for server reboot! Please reboot the server! Reboot command: shutdown -r now # reboot REFERENCE ========= Guide: Slave DNS Server & Manager - DNS Cluster Link: https://wiki.centos-webpanel.com/slave-dns-server-manager-dns-cluster REFERENCE ========= Guide: Slave DNS Server & Manager download version Link: https://wiki.centos-webpanel.com/slave-dns-server-manager-download-version Login to the CentOS Web Panel Admin Panel on the Slave.
From the left menu, click on CWP Settings, then select Edit Settings.
Admin Email: ceo@teo-en-ming-corp.com Check Activate NAT-ed network configuration. Click Save Changes. Create a New Account on the Secondary/Slave DNS Server ======================================================
From the left menu, click User Accounts, then click New Account.
Domain name: teo-en-ming.com Username: slave Package: default Click Create. Download Slave DNS Manager and upload it to public_html folder on the Secondary/Slave DNS Server ================================================================================================ ssh -i cwp.pem centos@3.12.224.179 su - cd /home/slave/public_html wget http://dl1.centos-webpanel.com/files/cwp/addons/cwp-slave_dns.zip unzip cwp-slave_dns.zip mv slave_dns/* . rm -f index.html Fix file permissions on the Slave DNS Server ============================================ chown -R slave.slave /home/slave/public_html/* MySQL: Create User and Database on the Slave DNS Server =======================================================
From the left menu, click SQL Services, then click MySQL Manager.
Click Create Database and User. New Database for user: slave Database Name: slave Click Create Database. Edit file /home/slave/public_html/inc/db_conn.php.sample and enter your database connection details # nano /home/slave/public_html/inc/db_conn.php.sample # mv inc/db_conn.php.sample inc/db_conn.php # mysql slave_slave < sql/slave_dns.sql # nano /etc/sudoers.d/slave slave ALL= NOPASSWD: /bin/systemctl start named slave ALL= NOPASSWD: /bin/systemctl stop named slave ALL= NOPASSWD: /bin/systemctl restart named slave ALL= NOPASSWD: /bin/systemctl reload named slave ALL= NOPASSWD: /bin/systemctl status named slave ALL= NOPASSWD: /bin/systemctl is-active named # touch /etc/named/slave.conf # chmod 771 /etc/named # usermod -a -G named slave # chown slave.named /etc/named/slave.conf # mkdir /var/named/slave # chown named.named /var/named/slave Edit File: /etc/named.conf and add this in options section before closing } masterfile-format text; Add after options{} where other include lines are specifed //Slave dns configuration include "/etc/named/slave.conf"; Now you can login to Slave DNS Manager GUI by using a domain link of the account you have created. Go to http://3.12.224.179/~slave/index.php?login Default login for Slave DNS Manager GUI admin/root Username: root Password: FX8QKxvQ * Please change the default password after the first login Adding WebServers to Slave DNS Manager ====================================== - On Slave DNS manager GUI create a new user for each server or use a single for all webservers if you plan to transfer accounts from one to another webserver. Click Add New User. Username: Password: Email: API Key: API Secret: Domain Limit: 1000000 Click Save. - On Master CentOS Web Panel WebServer go to DNS Functions -> Slave DNS Manager Buy CWPPro license first. It is only USD$1.49 compared to USD$20 for the license of cPanel. I can't afford to buy the license for cPanel, hence I have to settle for CentOS Web Panel. Then ssh into your Master CentOS Web Panel Webserver. # sh /scripts/update_cwp You have successfully upgraded to CWPpro. On the Master CentOS Web Panel, Go to DNS Functions -> Slave DNS Manager API Key: Secret Key: Base URL: http://3.12.224.179/~slave Master Server IP's: 3.21.30.127 Click Submit. Master CentOS Web Panel WebServer configuration =============================================== Edit File: /etc/named.conf and add this in options section before closing } //Slave dns configuration allow-transfer {3.12.224.179;}; allow-recursion {3.12.224.179;}; also-notify {3.12.224.179;}; masterfile-format text; # named-checkconf # systemctl restart named REFERENCE ========= Guide: How to setup DNS cluster on CWP 1 – Install DNS Manager Link: https://opentechy.com/how-to-setup-dns-cluster-on-cwp/ REFERENCE ========= Guide: How to setup DNS cluster on CWP 2 – Add webservers to DNS cluster Link: https://opentechy.com/how-to-setup-dns-cluster-on-cwp-2-add-webservers-to-dn... CONFIGURING CUSTOM NAME SERVERS AT YOUR DOMAIN REGISTRAR ======================================================== Go to Advanced Features > Hostnames Host: ns1 IP Addresses: 3.21.30.127 Host: ns2 IP Addresses: 3.12.224.179 Nameservers: Using custom nameservers ns1.teo-en-ming.com ns2.teo-en-ming.com CONFIGURING NAME SERVERS ON THE MASTER CENTOS WEB PANEL WEBSERVER ==================================================================
From the left menu, click DNS Functions, then click Edit Nameservers IPs.
Name Server 1: ns1.teo-en-ming.com 3.21.30.127 Name Server 2: ns2.teo-en-ming.com 3.12.224.179 Click Save changes. # systemctl restart named BIND DNS CONFIGURATION ON THE MASTER CENTOS WEB PANEL WEBSERVER =============================================================== File /etc/named.conf: // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a any DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // // See the BIND Administrator's Reference Manual (ARM) for details about the // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html options { listen-on port 53 { any; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { any; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ // recursion no; dnssec-enable yes; dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.root.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; //Slave dns configuration allow-transfer {3.12.224.179;}; allow-recursion {3.12.224.179;}; also-notify {3.12.224.179;}; masterfile-format text; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; zone "ns1.teo-en-ming.com" {type master;file "/var/named/ns1.teo-en-ming.com.db";}; zone "ns2.teo-en-ming.com" {type master;file "/var/named/ns2.teo-en-ming.com.db";}; // zone teo-en-ming.com zone "teo-en-ming.com" {type master; file "/var/named/teo-en-ming.com.db";}; // zone_end teo-en-ming.com File /var/named/ns1.teo-en-ming.com.db: ; Panel %version% ; Zone file for ns1.teo-en-ming.com $TTL 14400 ns1.teo-en-ming.com. 86400 IN SOA ns1.teo-en-ming.com. info.centos-webpanel.com. ( 2013071600 ;serial, todays date+todays 86400 ;refresh, seconds 7200 ;retry, seconds 3600000 ;expire, seconds 86400 ;minimum, seconds ) ns1.teo-en-ming.com. 86400 IN NS ns1.teo-en-ming.com. ns1.teo-en-ming.com. 86400 IN NS ns2.teo-en-ming.com. ns1.teo-en-ming.com. 14400 IN A 3.21.30.127 File /var/named/ns2.teo-en-ming.com.db: ; Panel %version% ; Zone file for ns2.teo-en-ming.com $TTL 14400 ns2.teo-en-ming.com. 86400 IN SOA ns1.teo-en-ming.com. info.centos-webpanel.com. ( 2013071600 ;serial, todays date+todays 86400 ;refresh, seconds 7200 ;retry, seconds 3600000 ;expire, seconds 86400 ;minimum, seconds ) ns2.teo-en-ming.com. 86400 IN NS ns1.teo-en-ming.com. ns2.teo-en-ming.com. 86400 IN NS ns2.teo-en-ming.com. ns2.teo-en-ming.com. 14400 IN A 3.12.224.179 File /var/named/teo-en-ming.com.db: ; Generated by CWP ; Zone file for teo-en-ming.com $TTL 14400 @ 86400 IN SOA ns1.teo-en-ming.com. ceo.teo-en-ming-corp.com. ( 2020022453 ; serial, todays date+todays 3600 ; refresh, seconds 7200 ; retry, seconds 1209600 ; expire, seconds 86400 ) ; minimum, seconds @ 86400 IN NS ns1.teo-en-ming.com. @ 86400 IN NS ns2.teo-en-ming.com. @ IN A 3.21.30.127 localhost.teo-en-ming.com. IN A 127.0.0.1 @ IN MX 0 teo-en-ming.com. mail 14400 IN CNAME teo-en-ming.com. smtp 14400 IN CNAME teo-en-ming.com. pop 14400 IN CNAME teo-en-ming.com. pop3 14400 IN CNAME teo-en-ming.com. imap 14400 IN CNAME teo-en-ming.com. webmail 14400 IN A 3.21.30.127 cpanel 14400 IN A 3.21.30.127 cwp 14400 IN A 3.21.30.127 www 14400 IN CNAME teo-en-ming.com. ftp 14400 IN CNAME teo-en-ming.com. _dmarc 14400 IN TXT "v=DMARC1; p=none" @ 14400 IN TXT "v=spf1 +a +mx +ip4:3.21.30.127 ~all" ns1.teo-en-ming.com. 14400 IN A 3.21.30.127 ns2.teo-en-ming.com. 14400 IN A 3.12.224.179 default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEXk5wQIfKJPjTkkj0yHGX8yIJOOrsOsvAqbqVaEBFBWhRlF7YxyGzchaAdWEVQkozcsWPIL5DgJ7vWBoJIGqfNOT7vO/lStqNcXC+2hYVIF7MTB8i6tBW1/UDEuL8oammKWDq8P9Fpduk6JppV7rtKXeFzrYj35ydIhDIKUABcwIDAQAB" BIND DNS CONFIGURATION ON THE SLAVE DNS MANAGER =============================================== File /etc/named.conf: // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a any DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // // See the BIND Administrator's Reference Manual (ARM) for details about the // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html options { listen-on port 53 { any; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { any; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion no; dnssec-enable yes; dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.root.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; masterfile-format text; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; // zone teo-en-ming.com // zone "teo-en-ming.com" {type master; file "/var/named/teo-en-ming.com.db";}; // zone_end teo-en-ming.com //Slave dns configuration include "/etc/named/slave.conf"; File /var/named/teo-en-ming.com.db (WRONG, DON'T USE): ; Generated by CWP ; Zone file for teo-en-ming.com $TTL 14400 @ 86400 IN SOA ns1.centos-webpanel.com. ceo.teo-en-ming-corp.com. ( 2020022660 ; serial, todays date+todays 3600 ; refresh, seconds 7200 ; retry, seconds 1209600 ; expire, seconds 86400 ) ; minimum, seconds @ 86400 IN NS ns1.centos-webpanel.com. @ 86400 IN NS ns2.centos-webpanel.com. @ IN A 3.12.224.179 localhost.teo-en-ming.com. IN A 127.0.0.1 @ IN MX 0 teo-en-ming.com. mail 14400 IN CNAME teo-en-ming.com. smtp 14400 IN CNAME teo-en-ming.com. pop 14400 IN CNAME teo-en-ming.com. pop3 14400 IN CNAME teo-en-ming.com. imap 14400 IN CNAME teo-en-ming.com. webmail 14400 IN A 3.12.224.179 cpanel 14400 IN A 3.12.224.179 cwp 14400 IN A 3.12.224.179 www 14400 IN CNAME teo-en-ming.com. ftp 14400 IN CNAME teo-en-ming.com. _dmarc 14400 IN TXT "v=DMARC1; p=none" @ 14400 IN TXT "v=spf1 +a +mx +ip4:3.12.224.179 ~all" default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCktDYpEtFO7dyJeErMbjHvyfJYU8RqDeS7WVqQnjH4fP42JSqPmxEFX+QytFTlGqd6ndlz9Tjqi1iZsD0ajB/+0Pkwq/KtL6NVo2TIqnXj8VebV9+FEcx+FGvLA/b5zz+Hfn0Bf+w/2T2bSwUm+tJoHilmANCFGlcGmpO9/lXvAwIDAQAB" File /etc/named/slave.conf: zone "teo-en-ming.com" { type slave; file "slave/db.teo-en-ming.com"; masters { 3.21.30.127; };}; //username:enming That's all folks! -----BEGIN EMAIL SIGNATURE----- The Gospel for all Targeted Individuals (TIs): [The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html ******************************************************************************************** Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020): [1] https://tdtemcerts.wordpress.com/ [2] https://tdtemcerts.blogspot.sg/ [3] https://www.scribd.com/user/270125049/Teo-En-Ming -----END EMAIL SIGNATURE-----