Last active
November 27, 2024 21:34
-
-
Save GeoTimber/d321cc8cb2c7636b70cf2eda3a4faea8 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://docs.directadmin.com/other-hosting-services/dns/general.html#what-options-do-i-have-for-setting-up-an-external-dns-server | |
| and then | |
| https://directslave.com/ | |
| Some clues here | |
| https://github.com/afrizal-id/directslave-install/blob/master/directslave-install.sh | |
| General GIST on how to install and maintain DirectSlave | |
| Install Directslave | |
| wget -q https://directslave.com/download/directslave-3.4.3-advanced-all.tar.gz | |
| move the files to | |
| /usr/local/directslave | |
| This dir needs to have all its files readable by bind always | |
| chown -R bind:bind /usr/local/directslave | |
| Configure Directslave | |
| /usr/local/directslave/etc/directslave.conf | |
| background 1 | |
| host <yourdomain> | |
| port 2221 | |
| sslport 2222 | |
| ssl on | |
| ssl_cert /usr/local/directslave/ssl/fullchain.pem | |
| ssl_key /usr/local/directslave/ssl/privkey.pem | |
| cookie_sess_id DS_SESSID | |
| cookie_auth_key something_long | |
| debug 0 | |
| # Set this to the bind user id | |
| uid 105 | |
| gid 105 | |
| pid /usr/local/directslave/run/directslave.pid | |
| access_log /usr/local/directslave/log/access.log | |
| error_log /usr/local/directslave/log/error.log | |
| action_log /usr/local/directslave/log/action.log | |
| # Biggest issue here was AppArmor preventing bind user to write to any other dirs than the specified ones in /etc/apparmor.d/usr.sbin.named resulting in the directslave.inc file to be written but not the named.db' s of each host | |
| named_workdir /var/cache/bind | |
| named_conf /etc/bind/directslave/directslave.inc | |
| retry_time 1200 | |
| rndc_path /usr/sbin/rndc | |
| named_format text | |
| authfile /usr/local/directslave/etc/passwd | |
| # `allow` directive removed, please, use your local firewall. | |
| language-text | |
| Generate a passwd file: | |
| /usr/local/directslave# ./bin/directslave-linux-amd64 --password directslave:password | |
| SSL | |
| Generate a lets encrypt cert by creating a apache vhost for the domain on port 80 and run | |
| certbot certonly --apache -d <yourdomain> | |
| and sort out your vhost to listen on ssl, you may as well. | |
| The ssl certs need to be readable by bind to, so we copy them to the ssl dir. | |
| Lets create a script for this which we will call in a renew hook. | |
| echo "Copying new SSL cert to /usr/local/directslave/ssl/" | |
| cp /etc/letsencrypt/live/<yourdomain>/* /usr/local/directslave/ssl/ | |
| chown bind:bind /usr/local/directslave/ssl/* | |
| language-bash | |
| Add a renewal hook | |
| nano /etc/letsencrypt/renewal/<yourdomain>.conf | |
| # Options used in the renewal process | |
| [renewalparams] | |
| ... | |
| renew_hook = /usr/local/directslave/copy-ssl.sh | |
| language-text | |
| Test | |
| certbot renew --dry-run --cert-name <yourdomain> | |
| /etc/bind/directslave# cat /var/log/letsencrypt/letsencrypt.log | grep hook | |
| Install & Configure BIND9 on Slave server | |
| apt install bind9 bind9utils | |
| edit bind/named.conf.options and make sure you have the below in the option {} block, the IP needs to be the master servers ip | |
| dnssec-validation auto; | |
| listen-on port 53 { any; }; | |
| listen-on-v6 { any; }; | |
| allow-query { any; }; | |
| allow-notify { <masterip>; }; | |
| allow-transfer { <masterip>; }; | |
| language-text | |
| edit bind/named.conf.local and include the directslave.inc file and enable some loging | |
| // | |
| // Do any local configuration here | |
| // | |
| // Consider adding the 1918 zones here, if they are not used in your | |
| // organization | |
| include "/etc/bind/zones.rfc1918"; | |
| include "/etc/bind/directslave/directslave.inc"; | |
| logging { | |
| channel my_syslog { | |
| syslog daemon; | |
| severity notice; | |
| }; | |
| channel my_file { | |
| file "/var/log/named/messages"; | |
| severity info; | |
| print-time yes; | |
| }; | |
| # channel to log all zone transfers: | |
| channel my_xfer_file { | |
| file "/var/log/named/xfers"; | |
| severity info; | |
| print-time yes; | |
| }; | |
| # channel to log all dynamic updates: | |
| channel my_update_file { | |
| file "/var/log/named/updates"; | |
| severity info; | |
| print-time yes; | |
| }; | |
| category default { my_file; }; | |
| category update { my_update_file; }; | |
| category xfer-in { my_xfer_file; }; | |
| category xfer-out { my_xfer_file; }; | |
| }; | |
| language-text | |
| Create the log files and make sure the permission are right | |
| /usr/local/directslave# ls -alh /var/log/named | |
| total 1008K | |
| drwxr-x--- 2 bind root 4,0K nov 27 13:27 . | |
| drwxr-xr-x 12 root root 4,0K nov 27 13:26 .. | |
| -rw-r--r-- 1 bind bind 152K nov 27 15:17 messages | |
| -rw-r--r-- 1 bind bind 0 nov 27 13:27 updates | |
| -rw-r--r-- 1 bind bind 837K nov 27 15:17 xfers | |
| same for the directslave.inc file, permissions are imporant | |
| /etc/bind/directslave# ls -lah | |
| total 20K | |
| drwxrwsr-x 2 root bind 4,0K nov 27 15:51 . | |
| drwxrwsr-x 3 root bind 4,0K nov 27 14:54 .. | |
| -rw-r--r-- 1 bind bind 12K nov 27 14:51 directslave.inc | |
| Restart bind | |
| systemctl bind9 restart | |
| Check your logs, bind logs to the system log | |
| journalctl -f | |
| Configure bind on the Master server | |
| Missing from most instruction but nothing will happen if you don't, set the allow-transfer option to you slave IP | |
| /etc/bind/named.conf.options | |
| options { | |
| allow-transfer { <slaveip>; }; | |
| directory "/var/cache/bind"; | |
| // If there is a firewall between you and nameservers you want | |
| // to talk to, you may need to fix the firewall to allow multiple | |
| // ports to talk. See http://www.kb.cert.org/vuls/id/800113 | |
| // If your ISP provided one or more IP addresses for stable | |
| // nameservers, you probably want to use them as forwarders. | |
| // Uncomment the following block, and insert the addresses replacing | |
| // the all-0's placeholder. | |
| // forwarders { | |
| // 0.0.0.0; | |
| // }; | |
| //======================================================================== | |
| // If BIND logs error messages about the root key being expired, | |
| // you will need to update your keys. See https://www.isc.org/bind-keys | |
| //======================================================================== | |
| dnssec-validation auto; | |
| listen-on-v6 { any; }; | |
| }; | |
| language-text | |
| Restart bind | |
| systemctl bind9 restart | |
| Test Directslave | |
| First run | |
| /usr/local/directslave# ./bin/directslave-linux-amd64 --check | |
| and check if all is ok, if not fix it first | |
| then start Directslave in debug mode | |
| /usr/local/directslave# ./bin/directslave-linux-amd64 --debug | |
| Got to your web url and see if you can log in with your password | |
| Configure Directadmin master | |
| https://<yourdomain>:2222/evo/admin/multi-server | |
| and test it | |
| Sync the DNS from master | |
| Only updates are passed, so to intialize the slave bind you have to run on the master | |
| root@sulayr /etc/bind # echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue | |
| Check if it is done it should just say Named rewritten | |
| root@sulayr /etc/bind # tail /var/log/directadmin/errortaskq.log | |
| 2024:11:27-13:59:55: Named rewritten | |
| Test the results | |
| When everything works you should see something like this when you run | |
| dig @ns2.<yourdomain> <yourtestdomainlookup> NS | |
| ; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> @ns2.<yourdomain> <yourtestdomainlookup> NS | |
| ; (1 server found) | |
| ;; global options: +cmd | |
| ;; Got answer: | |
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13457 | |
| ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 | |
| ;; OPT PSEUDOSECTION: | |
| ; EDNS: version: 0, flags:; udp: 1232 | |
| ; COOKIE: f6623fae1958bf2d010000006747321104c7669952a9a7a1 (good) | |
| ;; QUESTION SECTION: | |
| ;<yourtestdomainlookup>. IN NS | |
| ;; ANSWER SECTION: | |
| <yourtestdomainlookup>. 3600 IN CNAME <yourtestdomainlookup>. | |
| <yourtestdomainlookup>. 3600 IN NS ns2.<yourdomain>. | |
| <yourtestdomainlookup>. 3600 IN NS ns1.<yourdomain>. | |
| ;; Query time: 110 msec | |
| ;; SERVER: <slaveip>>#53(ns2.<yourdomain>) (UDP) | |
| ;; WHEN: Wed Nov 27 15:52:01 CET 2024 | |
| ;; MSG SIZE rcvd: 142 | |
| language-text | |
| Troubleshooting | |
| Login to https://<yourdomain>:2222/dashboard/domains and see if you have a master record for all domains, you can check the logs there too. | |
| Check | |
| /etc/bind/directslace/directslave.inc | |
| and see if all domain and their db files exist | |
| Check to see if all named.db's for your doman are created | |
| /var/cache/bind | |
| Check the bind logs we created in, they will flag permission problems | |
| /var/log/named | |
| Check your logs, bind logs to the system log, they wil flag bind start problems | |
| journalctl -f | |
| Check Directslave logs in ( same as on web UI ) | |
| /usr/local/directslave/logs | |
| Set Directslave to start on boot | |
| Lets Daemonize it | |
| nano /etc/systemd/system/directslave.service | |
| [Unit] | |
| Description=DirectSlave for DirectAdmin | |
| After=network.target | |
| [Service] | |
| Type=simple | |
| User=bind | |
| ExecStart=/usr/local/directslave/bin/directslave-linux-amd64 --run | |
| Restart=always | |
| [Install] | |
| WantedBy=multi-user.target | |
| language-bash | |
| chown root:root /etc/systemd/system/directslave.service | |
| chmod 755 /etc/systemd/system/directslave.service | |
| /etc# systemctl daemon-reload | |
| /etc# systemctl start directslave | |
| /etc# systemctl status directslave | |
| /etc# systemctl enable directslave | |
| /etc# systemctl enable named |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment