Subject: Re-configuring BIND DNS Servers for CentOS Web Panel Web Hosting Control Panel on Amazon AWS Cloud
Author: Mr. Turritopsis Dohrnii Teo En Ming, Singapore
Date: 27 Feb 2020 Thursday
Rationale for Re-configuration of BIND DNS Servers for CentOS Web Panel
=======================================================================
I have originally followed the approach for cPanel where there are 2 DNS-ONLY servers and one or more cPanel webservers. However, CentOS Web Panel
implements DNS Clusters differently. Hence I have to re-configure BIND DNS Servers for CentOS Web Panel web hosting control panel.
PREREQUISITES
=============
Part 1 of the series: Mr. Teo En Ming's Guide to Deploying CentOS Web Panel (CWP) Web Hosting Control Panel on Amazon AWS Cloud
Redundant Blogger and Wordpress blog links:
[1] https://tdtemcerts.blogspot.com/2020/02/mr-teo-en-mings-guide-to-deploying.html
[2] https://tdtemcerts.wordpress.com/2020/02/23/mr-teo-en-mings-guide-to-deploying-centos-web-panel-cwp-web-hosting-control-panel-on-amazon-aws-cloud/
Part 2 of the series: Setting Up Mail Server Operation for CentOS Web Panel Web Hosting Control Panel on Amazon AWS Cloud
Redundant Blogger and Wordpress blog links:
[1] https://tdtemcerts.blogspot.com/2020/02/setting-up-mail-server-operation-for.html
[2] https://tdtemcerts.wordpress.com/2020/02/25/setting-up-mail-server-operation-for-centos-web-panel-web-hosting-control-panel-on-amazon-aws-cloud/
THIS guide is Part 3 of the series.
EXTREMELY DETAILED INSTRUCTIONS OF TEO EN MING'S GUIDE
======================================================
Login to Amazon AWS Console.
Setting Up Secondary/Slave DNS Server
=====================================
On the EC2 Dashboard, click Instances.
Click Launch Instance.
Search for centos in the AWS Markpetplace.
Select CentOS 7 (x86_64) - with Updates HVM (free tier eligible).
Click Continue.
Select t2.micro (free tier eligible).
Click Next: Configure Instance Details.
Network: Teo En Ming VPC
Subnet: Public subnet | us-east-2a
Click Protect against accidental termination.
Click Next: Add Storage
Size (GiB): 8
Click Next: Add Tags
Key = Name
Value = slave
Click Next: Configure Security Group
Click Select an existing security group
Select NameServers
Click Review and Launch.
Click Launch.
Select Choose an existing key pair.
Key pair name: cwp
Click Launch Instances.
Click Instances.
Select slave, right click and select Networking > Manage IP Addresses.
Click Allocate an elastic IP to this instance.
Click Allocate.
Click Associate this Elastic IP Address.
Instance: slave
Click Associate.
IPv4 address of Secondary/Slave DNS server is 3.12.224.179
$ ssh -i cwp.pem centos@3.12.224.179
$ sudo passwd
$ su -
# yum -y update && yum -y install wget
# hostnamectl set-hostname ns2.teo-en-ming.com
# cd /usr/local/src && wget http://centos-webpanel.com/cwp-el7-latest && sh cwp-el7-latest
Started installing CentOS Web Panel at 9:00 PM on 26 Feb 2020 Wed.
Completed installing CentOS Web Panel at 9:05 PM on 26 Feb 2020 Wed.
Total duration: 5 mins.
#############################
# CWP Installed #
#############################
Go to CentOS WebPanel Admin GUI at http://SERVER_IP:2030/
http://3.12.224.179:2030
SSL: https://3.12.224.179:2031
---------------------
Username: root
Password: ssh server root password
MySQL root Password:
#########################################################
CentOS Web Panel MailServer Installer
#########################################################
SSL Cert name (hostname): ns2.teo-en-ming.com
SSL Cert file location /etc/pki/tls/ private|certs
#########################################################
Visit for help: www.centos-webpanel.com
Write down login details and press ENTER for server reboot!
Please reboot the server!
Reboot command: shutdown -r now
# reboot
REFERENCE
=========
Guide: Slave DNS Server & Manager - DNS Cluster
Link: https://wiki.centos-webpanel.com/slave-dns-server-manager-dns-cluster
REFERENCE
=========
Guide: Slave DNS Server & Manager download version
Link: https://wiki.centos-webpanel.com/slave-dns-server-manager-download-version
Login to the CentOS Web Panel Admin Panel on the Slave.
From the left menu, click on CWP Settings, then select Edit Settings.
Admin Email: ceo@teo-en-ming-corp.com
Check Activate NAT-ed network configuration.
Click Save Changes.
Create a New Account on the Secondary/Slave DNS Server
======================================================
From the left menu, click User Accounts, then click New Account.
Domain name: teo-en-ming.com
Username: slave
Package: default
Click Create.
Download Slave DNS Manager and upload it to public_html folder on the Secondary/Slave DNS Server
================================================================================================
ssh -i cwp.pem centos@3.12.224.179
su -
cd /home/slave/public_html
wget http://dl1.centos-webpanel.com/files/cwp/addons/cwp-slave_dns.zip
unzip cwp-slave_dns.zip
mv slave_dns/* .
rm -f index.html
Fix file permissions on the Slave DNS Server
============================================
chown -R slave.slave /home/slave/public_html/*
MySQL: Create User and Database on the Slave DNS Server
=======================================================
From the left menu, click SQL Services, then click MySQL Manager.
Click Create Database and User.
New Database for user: slave
Database Name: slave
Click Create Database.
Edit file /home/slave/public_html/inc/db_conn.php.sample and enter your database connection details
# nano /home/slave/public_html/inc/db_conn.php.sample
# mv inc/db_conn.php.sample inc/db_conn.php
# mysql slave_slave < sql/slave_dns.sql
# nano /etc/sudoers.d/slave
slave ALL= NOPASSWD: /bin/systemctl start named
slave ALL= NOPASSWD: /bin/systemctl stop named
slave ALL= NOPASSWD: /bin/systemctl restart named
slave ALL= NOPASSWD: /bin/systemctl reload named
slave ALL= NOPASSWD: /bin/systemctl status named
slave ALL= NOPASSWD: /bin/systemctl is-active named
# touch /etc/named/slave.conf
# chmod 771 /etc/named
# usermod -a -G named slave
# chown slave.named /etc/named/slave.conf
# mkdir /var/named/slave
# chown named.named /var/named/slave
Edit File: /etc/named.conf and add this in options section before closing }
masterfile-format text;
Add after options{} where other include lines are specifed
//Slave dns configuration
include "/etc/named/slave.conf";
Now you can login to Slave DNS Manager GUI by using a domain link of the account you have created.
Go to http://3.12.224.179/~slave/index.php?login
Default login for Slave DNS Manager GUI admin/root
Username: root
Password: FX8QKxvQ
* Please change the default password after the first login
Adding WebServers to Slave DNS Manager
======================================
- On Slave DNS manager GUI create a new user for each server or use a single for all webservers if you plan to transfer accounts from one to another webserver.
Click Add New User.
Username:
Password:
Email:
API Key:
API Secret:
Domain Limit: 1000000
Click Save.
- On Master CentOS Web Panel WebServer go to DNS Functions -> Slave DNS Manager
Buy CWPPro license first. It is only USD$1.49 compared to USD$20 for the license of cPanel. I can't afford to buy the license for cPanel, hence
I have to settle for CentOS Web Panel.
Then ssh into your Master CentOS Web Panel Webserver.
# sh /scripts/update_cwp
You have successfully upgraded to CWPpro.
On the Master CentOS Web Panel, Go to DNS Functions -> Slave DNS Manager
API Key:
Secret Key:
Base URL: http://3.12.224.179/~slave
Master Server IP's: 3.21.30.127
Click Submit.
Master CentOS Web Panel WebServer configuration
===============================================
Edit File: /etc/named.conf and add this in options section before closing }
//Slave dns configuration
allow-transfer {3.12.224.179;};
allow-recursion {3.12.224.179;};
also-notify {3.12.224.179;};
masterfile-format text;
# named-checkconf
# systemctl restart named
REFERENCE
=========
Guide: How to setup DNS cluster on CWP 1 – Install DNS Manager
Link: https://opentechy.com/how-to-setup-dns-cluster-on-cwp/
REFERENCE
=========
Guide: How to setup DNS cluster on CWP 2 – Add webservers to DNS cluster
Link: https://opentechy.com/how-to-setup-dns-cluster-on-cwp-2-add-webservers-to-dns-cluster/
CONFIGURING CUSTOM NAME SERVERS AT YOUR DOMAIN REGISTRAR
========================================================
Go to Advanced Features > Hostnames
Host: ns1 IP Addresses: 3.21.30.127
Host: ns2 IP Addresses: 3.12.224.179
Nameservers: Using custom nameservers
ns1.teo-en-ming.com
ns2.teo-en-ming.com
CONFIGURING NAME SERVERS ON THE MASTER CENTOS WEB PANEL WEBSERVER
==================================================================
From the left menu, click DNS Functions, then click Edit Nameservers IPs.
Name Server 1: ns1.teo-en-ming.com 3.21.30.127
Name Server 2: ns2.teo-en-ming.com 3.12.224.179
Click Save changes.
# systemctl restart named
BIND DNS CONFIGURATION ON THE MASTER CENTOS WEB PANEL WEBSERVER
===============================================================
File /etc/named.conf:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a any DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
// recursion no;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
//Slave dns configuration
allow-transfer {3.12.224.179;};
allow-recursion {3.12.224.179;};
also-notify {3.12.224.179;};
masterfile-format text;
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "ns1.teo-en-ming.com" {type master;file "/var/named/ns1.teo-en-ming.com.db";};
zone "ns2.teo-en-ming.com" {type master;file "/var/named/ns2.teo-en-ming.com.db";};
// zone teo-en-ming.com
zone "teo-en-ming.com" {type master; file "/var/named/teo-en-ming.com.db";};
// zone_end teo-en-ming.com
File /var/named/ns1.teo-en-ming.com.db:
; Panel %version%
; Zone file for ns1.teo-en-ming.com
$TTL 14400
ns1.teo-en-ming.com. 86400 IN SOA ns1.teo-en-ming.com. info.centos-webpanel.com. (
2013071600 ;serial, todays date+todays
86400 ;refresh, seconds
7200 ;retry, seconds
3600000 ;expire, seconds
86400 ;minimum, seconds
)
ns1.teo-en-ming.com. 86400 IN NS ns1.teo-en-ming.com.
ns1.teo-en-ming.com. 86400 IN NS ns2.teo-en-ming.com.
ns1.teo-en-ming.com. 14400 IN A 3.21.30.127
File /var/named/ns2.teo-en-ming.com.db:
; Panel %version%
; Zone file for ns2.teo-en-ming.com
$TTL 14400
ns2.teo-en-ming.com. 86400 IN SOA ns1.teo-en-ming.com. info.centos-webpanel.com. (
2013071600 ;serial, todays date+todays
86400 ;refresh, seconds
7200 ;retry, seconds
3600000 ;expire, seconds
86400 ;minimum, seconds
)
ns2.teo-en-ming.com. 86400 IN NS ns1.teo-en-ming.com.
ns2.teo-en-ming.com. 86400 IN NS ns2.teo-en-ming.com.
ns2.teo-en-ming.com. 14400 IN A 3.12.224.179
File /var/named/teo-en-ming.com.db:
; Generated by CWP
; Zone file for teo-en-ming.com
$TTL 14400
@ 86400 IN SOA ns1.teo-en-ming.com. ceo.teo-en-ming-corp.com. (
2020022453 ; serial, todays date+todays
3600 ; refresh, seconds
7200 ; retry, seconds
1209600 ; expire, seconds
86400 ) ; minimum, seconds
@ 86400 IN NS ns1.teo-en-ming.com.
@ 86400 IN NS ns2.teo-en-ming.com.
@ IN A 3.21.30.127
localhost.teo-en-ming.com. IN A 127.0.0.1
@ IN MX 0 teo-en-ming.com.
mail 14400 IN CNAME teo-en-ming.com.
smtp 14400 IN CNAME teo-en-ming.com.
pop 14400 IN CNAME teo-en-ming.com.
pop3 14400 IN CNAME teo-en-ming.com.
imap 14400 IN CNAME teo-en-ming.com.
webmail 14400 IN A 3.21.30.127
cpanel 14400 IN A 3.21.30.127
cwp 14400 IN A 3.21.30.127
www 14400 IN CNAME teo-en-ming.com.
ftp 14400 IN CNAME teo-en-ming.com.
_dmarc 14400 IN TXT "v=DMARC1; p=none"
@ 14400 IN TXT "v=spf1 +a +mx +ip4:3.21.30.127 ~all"
ns1.teo-en-ming.com. 14400 IN A 3.21.30.127
ns2.teo-en-ming.com. 14400 IN A 3.12.224.179
default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEXk5wQIfKJPjTkkj0yHGX8yIJOOrsOsvAqbqVaEBFBWhRlF7YxyGzchaAdWEVQkozcsWPIL5DgJ7vWBoJIGqfNOT7vO/lStqNcXC+2hYVIF7MTB8i6tBW1/UDEuL8oammKWDq8P9Fpduk6JppV7rtKXeFzrYj35ydIhDIKUABcwIDAQAB"
BIND DNS CONFIGURATION ON THE SLAVE DNS MANAGER
===============================================
File /etc/named.conf:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a any DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
masterfile-format text;
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// zone teo-en-ming.com
// zone "teo-en-ming.com" {type master; file "/var/named/teo-en-ming.com.db";};
// zone_end teo-en-ming.com
//Slave dns configuration
include "/etc/named/slave.conf";
File /var/named/teo-en-ming.com.db (WRONG, DON'T USE):
; Generated by CWP
; Zone file for teo-en-ming.com
$TTL 14400
@ 86400 IN SOA ns1.centos-webpanel.com. ceo.teo-en-ming-corp.com. (
2020022660 ; serial, todays date+todays
3600 ; refresh, seconds
7200 ; retry, seconds
1209600 ; expire, seconds
86400 ) ; minimum, seconds
@ 86400 IN NS ns1.centos-webpanel.com.
@ 86400 IN NS ns2.centos-webpanel.com.
@ IN A 3.12.224.179
localhost.teo-en-ming.com. IN A 127.0.0.1
@ IN MX 0 teo-en-ming.com.
mail 14400 IN CNAME teo-en-ming.com.
smtp 14400 IN CNAME teo-en-ming.com.
pop 14400 IN CNAME teo-en-ming.com.
pop3 14400 IN CNAME teo-en-ming.com.
imap 14400 IN CNAME teo-en-ming.com.
webmail 14400 IN A 3.12.224.179
cpanel 14400 IN A 3.12.224.179
cwp 14400 IN A 3.12.224.179
www 14400 IN CNAME teo-en-ming.com.
ftp 14400 IN CNAME teo-en-ming.com.
_dmarc 14400 IN TXT "v=DMARC1; p=none"
@ 14400 IN TXT "v=spf1 +a +mx +ip4:3.12.224.179 ~all"
default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCktDYpEtFO7dyJeErMbjHvyfJYU8RqDeS7WVqQnjH4fP42JSqPmxEFX+QytFTlGqd6ndlz9Tjqi1iZsD0ajB/+0Pkwq/KtL6NVo2TIqnXj8VebV9+FEcx+FGvLA/b5zz+Hfn0Bf+w/2T2bSwUm+tJoHilmANCFGlcGmpO9/lXvAwIDAQAB"
File /etc/named/slave.conf:
zone "teo-en-ming.com" { type slave; file "slave/db.teo-en-ming.com"; masters { 3.21.30.127; };}; //username:enming
That's all folks!