SOLVED Amazon Linux 2016.03 / cPanel DNSONLY / Bind Defaults

oldchili

Member
Mar 18, 2014
cPanel Access Level: Root Administrator
Hello,

Installing cPanel DNSONLY on Amazon Linux 2016.03 is pretty straightforward; however, there is an issue with BIND's default /etc/named.conf vanilla setup. BIND on Amazon Linux is installed as a caching-only nameserver. This is an issue when creating your own public ns1. and ns2. nameservers.

You can see the default configuration below, which clearly states it is for a caching-only nameserver:

Code:
include "/etc/rndc.key";

controls {
  inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

//
// named.conf
//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
  listen-on { any; }; /*      updated by cPanel*/
  listen-on-v6 port 53 { ::1; };
  directory   "/var/named";
  dump-file   "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-query     { localhost; };
  recursion yes;
  dnssec-enable yes;
  dnssec-validation yes;
  dnssec-lookaside auto;

  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";
  managed-keys-directory "/var/named/dynamic";

};

logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};

zone "." IN {
  type hint;
  file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Under the default installation your nameservers will REFUSE all DNS queries from the public...

To fix this you need to change
Code:
allow-query { localhost; }
to
Code:
allow-query { any; }
in order to allow zones to be queried.

I believe cPanel should update Amazon Linux's BIND configuration on a fresh install; otherwise, creating public nameservers out of the box is broken.
 

UHLHosting

Well-Known Member
Sep 26, 2014
cPanel Access Level: Root Administrator
How did you enable DNSSEC, since it is not supported in cPanel?
 

kbisignani

Member
Jan 29, 2012
cPanel Access Level: Root Administrator
I was able to confirm this is still the case today. I was able to set up the Amazon Linux AMI on an Amazon EC2 instance (I think a perfect and inexpensive option for something like cPanel DNSONLY). The installation went pretty smoothly, but I ran into the same issues that @oldchili did.

The fix worked, but don't forget that you also need to restart the DNS service on the DNSONLY machine in order for the changes to take effect.
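As an added example (not code from this thread, from cPanel or from Amazon), the allow-query edit from oldchili's post and the restart step from kbisignani's reply as a small POSIX shell script, with one addition a defender would want: the shipped file also carries `recursion yes;`, and once `allow-query` is opened to `any` that leaves ns1/ns2 answering recursive queries for the whole Internet, which is what makes an open resolver usable for reflection/amplification and exposes its cache to poisoning. An authoritative-only nameserver does not need recursion, so the script turns it off as well and includes a check that flags the open-resolver combination. The `dnssec-enable`/`dnssec-validation` lines in the shipped file concern validating answers while resolving on behalf of clients; they do not sign the zones the server hosts. The sample options block is constructed from the thread's default; `named-checkconf` and `service named restart` are the real BIND and SysV init commands but run only when you call `restart_named` yourself.

```shell
#!/bin/sh
# Added example, not code from the forum thread, from cPanel or from Amazon.
# Turns the Amazon Linux "caching only" named.conf into an authoritative-only
# configuration: applies the thread's allow-query fix and, in addition, turns
# recursion off so the public nameserver is not also an open recursive resolver.
# The demo options block is constructed; /etc/named.conf and the service name
# are touched only when you call restart_named yourself.

# apply_thread_fix FILE
# The change from the thread: allow-query { localhost; } -> allow-query { any; }
# so public clients can query the zones this server hosts.
apply_thread_fix() {
    conf="$1"
    sed -e 's/^\([[:space:]]*allow-query[[:space:]]*{\)[[:space:]]*localhost;[[:space:]]*\(};\)/\1 any; \2/' \
        "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# disable_recursion FILE
# Added hardening (not in the thread): recursion yes; -> recursion no;
# With allow-query { any; } and recursion left on, anyone on the Internet can use
# ns1/ns2 as a resolver; a public authoritative server should answer only for
# its own zones.
disable_recursion() {
    conf="$1"
    sed -e 's/^\([[:space:]]*recursion[[:space:]][[:space:]]*\)yes;/\1no;/' \
        "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# is_open_resolver FILE
# Returns 0 when the options block would answer recursive queries for any
# client: allow-query any, recursion yes, and no allow-recursion ACL at all.
# Simplified check: any present allow-recursion ACL is treated as a restriction.
is_open_resolver() {
    conf="$1"
    grep -Eq '^[[:space:]]*allow-query[[:space:]]*\{[[:space:]]*any;' "$conf" || return 1
    grep -Eq '^[[:space:]]*recursion[[:space:]]+yes;' "$conf" || return 1
    grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{' "$conf" && return 1
    return 0
}

# harden_named_conf FILE
# Keeps a backup copy, then applies both edits.
harden_named_conf() {
    conf="$1"
    cp "$conf" "$conf.bak"
    apply_thread_fix "$conf" && disable_recursion "$conf"
}

# restart_named
# The step kbisignani points out: the edit takes effect only after a restart.
# named-checkconf catches a syntax error before the restart takes the server down.
# Amazon Linux 2016.03 uses SysV-style init, hence `service`.
restart_named() {
    named-checkconf /etc/named.conf && service named restart
}

# make_demo_conf FILE
# Constructed copy of the relevant lines of the thread's default options block.
make_demo_conf() {
    cat > "$1" <<'EOF'
options {
  listen-on { any; }; /*      updated by cPanel*/
  allow-query     { localhost; };
  recursion yes;
  dnssec-enable yes;
  dnssec-validation yes;
};
EOF
}

# Demo run (sh script.sh --demo): shows that the thread's fix alone leaves an
# open resolver and that turning recursion off closes it.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    make_demo_conf "$demo"
    apply_thread_fix "$demo"
    if is_open_resolver "$demo"; then echo "after allow-query any only: open resolver"; fi
    disable_recursion "$demo"
    if is_open_resolver "$demo"; then echo "still open"; else echo "after recursion no: authoritative only"; fi
    cat "$demo"
    rm -f "$demo"
fi
```

On a real DNSONLY host the sequence is `harden_named_conf /etc/named.conf` followed by `restart_named`; the backup the script keeps lets you revert if `named-checkconf` rejects the result.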
 

oldchili

Member
Mar 18, 2014
cPanel Access Level: Root Administrator
Hello,

Could you verify the steps you took to install Amazon Linux? Did you use the Amazon AMI offered by cPanel?

Thank you.
No, I did not use the Amazon Linux AMI offered by cPanel because it's rarely up to date. Kinda disappointing that this platform seems to lag behind CentOS compatibility.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Thank you for the valued feedback. There are plans to streamline updated images in the future. In the meantime, we recommend installing the older version of cPanel included with the official AMI offered by cPanel and then manually updating cPanel to the newer version.

Thank you.