Cluster setup to sync to outside DNS

[SactoBob]

It seems fairly straight forward (DNS Clustering), but maybe I'm missing something.

I have 2 cpanel servers. And putting up 1 cpanel-dnsonly server.

I've tried both write-only and sync-changes to cpanel-dnsonly. However, when I look in /var/named there are no zone files from any of the cpanel servers. And the regular cpanel servers are also not propagating to each other. And an nslookup bounces the lookup to another DNS. I've also seen the cpanel-dns go into "Disabled due to connection failures." this state, but looking at firewall logs there's nothing showing up that is being blocked.

The end result here however is at some point I want the 3 cpanels to act as internal DNS, but the cpanel-dnsonly server will be synced (via vendor provided scripts) to an outsourced DNS service that will propagate my external dns through several servers within their network.

But I of course need to get the initial syncing to work! I've read the documents and how-tos, every thing looks correct, but no zone files are showing up.

Another question: What are the minimum security assignments do I give for an API token for dns cluster services?

 

[cPanelLauren]

Hi @SactoBob


The forums post here DNS Clustering may be helpful for you in setting this up and answering some of your questions.

Can you also ensure that ports 53 and 953 are open on the clustered servers - or at least each of the servers in the cluster can reach ports 53 and 953 on the primary and vice versa?

Thanks!

 

[SactoBob]

So after reading a few other threads (the answer wasn't here), I ran the following command on each server:

/scripts/dnscluster syncall

After that all the zones showed up on every server and testing by making change to various zones immediately synced to the others. Did I miss a step?

Also, if I want to unsync two servers later (for now I synced both webservers with each other), is there an easy way to tell cPanel to remove all the zones it imported that isn't part of any accounts on the local server and cleanup their /var/named directories? The cleanup option did not do that.

 

[SactoBob]

Also, I read:

The reverse trust relationship does not currently work without an access hash file on the remote server. You must login to the remote server and add this server to its cluster manager manually if you want the other server to be able to access this one.

That this was not necessary for v.70 and up as clicking the "Setup Reverse Trust Relationship" is already done for you?

 

[cPanelLauren]

So after reading a few other threads (the answer wasn't here), I ran the following command on each server:

/scripts/dnscluster syncall

After that all the zones showed up on every server and testing by making change to various zones immediately synced to the others. Did I miss a step?

The thread I linked you to does include that command...I'm glad that worked for you.

Also, if I want to unsync two servers later (for now I synced both webservers with each other), is there an easy way to tell cPanel to remove all the zones it imported that isn't part of any accounts on the local server and cleanup their /var/named directories? The cleanup option did not do that.

It does not do that, you'd need to remove the DNS zones manually if you chose to remove the server from the cluster and no longer wanted the zones hosted.

That this was not necessary for v.70 and up as clicking the "Setup Reverse Trust Relationship" is already done for you?

Yea there is currently a case open for this issue CPANEL-15085 to clarify the behavior of the reverse trust relationship when using tokens. Right now you'll need to set the cluster up on both servers.