The Community Forums

Interact with an entire community of cPanel & WHM users!

DNS Zone file values

Discussion in 'Bind / DNS / Nameserver Issues' started by dxer, Feb 19, 2004.

  1. dxer

    dxer Well-Known Member

    Joined:
    Sep 9, 2002
    Messages:
    295
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Europe
    In DNS Zone file of each domain there are following values:

    refresh: 28800
    retry: 7200
    expire: 3600000
    minimum ttl: 86400


    Can someone explain exactly what each one is for, especially "expire"?

    Thanks
     
  2. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    well, this is basic DNS stuff and I recommend reading about it since it can turn all your sites dark if you make a mistake.
    DNS is a serious science and not to be taken too lightly!

    >refresh: 28800
    this line defines that every 28800 seconds the secondary nameservers will be refreshed with the current zone file information

    >retry: 7200
    this line defines that every 7200 seconds a secondary nameserver will retry to get the current zone file information if the previous attempt failed

    >expire: 3600000
    this line defines how long secondary nameservers will give out zone file data if they are no longer able to connect and update zone file information from the primary name server.
    the default value in cpanel is extremely long and much longer than normally suggested by the developers of bind

    >minimum ttl: 86400
    This line is probably the most important. It defines the ttl (time to live) for the zone. But be careful since every record within the zone can have its own ttl value. This means how long other caching nameservers on the net will store your zonefile information after it has been requested.

    Here a couple of comments from me and what I learned in Cricket Liu's classes about DNS (he is called Mr. DNS after all and has written great books on DNS and bind):

    1. The nameserver configuration in cpanel allows non-authoritative lookups. That is not good practice and means that someone can abuse your nameserver and your bandwidth even if they are not a customer.

    2. The nameserver configuration in cpanel allows for zone transfers to everyone! This is a huge security risk since someone can look at your zonefile and see right away what you have in there and what might look weak. For example there might be a host called beta.domain.com - perfect for a hacker to try to get to. If zone transfers are only enabled between primary and secondary nameservers this cannot happen.

    3. The default refresh time is 28800 in cpanel but the default ttl is 14000 for all records. This can create totally out of sync nameservers. Here is why: let's say I change a record in the primary nameserver for a domain and the update to the secondary does not work (and that happens a lot in cpanel), then the secondary has old information. This is normally not a problem but the old information will be stored twice as long as the ttl time for that record! This means that if a request comes in after the 14400 seconds are over but goes to one of the secondary DNS servers, they will give out the old information even though you might think and might have planned for a switch to happen after this time is up!

    hope this helps and Josh can make this sticky since a lot of people ask this stuff.
     
  3. dxer

    dxer Well-Known Member

    Joined:
    Sep 9, 2002
    Messages:
    295
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Europe
    Thanks on this.

    If these are values for the secondary nameserver, then where are the ones for the primary?

    And can you provide here the values which you think are better and tell us where we can change those values to make them the default.
     
  4. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    dxer, I did not say that these values are for primary or secondary name servers. In DNS it does not matter or even should matter.

    Here are the values I use for my zones and it has worked well for me:

    refresh: 7200

    retry: 3600

    expire: 432000

    minimum ttl: 86400


    And for all the zone records a ttl of 14400


    Now let's go to the more tricky security issues of bind and how to make bind in a cpanel environment safer.


    you have to edit /etc/named.conf:

    right after the line:
    controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
    };

    you add this:

    acl "trusted" {
    69.33.122.133; 69.56.129.144;   // every address in the list must end with a semicolon
    };

    (these ip addresses should be all of your nameservers who will handle your domains including the local ones that run nameservers on them.)

    then further down you will see this:

    options {
    directory "/var/named";
    /*
    * If there is a firewall between you and nameservers you want
    * to talk to, you might need to uncomment the query-source
    * directive below. Previous versions of BIND always asked
    * questions using port 53, but BIND 8.1 uses an unprivileged
    * port by default.
    */
    // query-source address * port 53;

    and you want to add right in the next line this:

    version "not currently available";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
    };

    this will make sure that the dns server does not give out a version number and that recursion, notify and zone transfers are only permitted between the ip addresses in the acl trusted (which we added earlier).

    After this is done save the file, chattr it and then restart bind from whm. If you see an error message then go into the named log file (/var/log) and see what line created a problem. Most likely you missed a space or tab or something.

    This addresses pretty much all of my security concerns in bind and you will have a much better and safer time running it that way.
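    As an added check (not part of the original post or of cPanel), the script below reads a named.conf, strips comments, finds the top-level options block and reports whether allow-recursion, allow-notify and allow-transfer are restricted to a named ACL, left open to any, or missing, and whether the version string is hidden. The two sample configs are constructed to mirror the default and the hardened file described above.

```python
import re

# Constructed samples, modelled on the cPanel-style named.conf the post walks
# through: HARDENED carries the additions, DEFAULT is the untouched options block.
HARDENED = """
acl "trusted" { 69.33.122.133; 69.56.129.144; };
options {
    directory "/var/named";
    version "not currently available";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
};
"""
DEFAULT = """
options {
    directory "/var/named";
    // query-source address * port 53;
};
"""
DIRECTIVES = ("allow-recursion", "allow-notify", "allow-transfer")

def strip_comments(text):
    """Drop /* */, // and # comments so a commented-out directive is not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(text):
    """Return the body of the top-level options { ... }, matching nested braces."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return ""  # unbalanced braces: named would refuse to load this file anyway

def audit(conf):
    """Map each access-control directive (and version) to a finding string."""
    body = options_block(strip_comments(conf))
    findings = {}
    for d in DIRECTIVES:
        m = re.search(r"\b%s\s*\{([^}]*)\}" % d, body)
        if m is None:
            findings[d] = "missing (not restricted by this file)"
            continue
        members = sorted(x.strip() for x in m.group(1).split(";") if x.strip())
        findings[d] = "open to any" if "any" in members else "restricted to " + ", ".join(members)
    findings["version"] = "hidden" if re.search(r'\bversion\s+"', body) else "disclosed"
    return findings

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT), ("hardened", HARDENED)):
        print(name, audit(conf))
```

    A "missing" finding only says this file does not restrict the directive; what the server then does depends on the BIND version's built-in default, so confirm with an actual zone-transfer attempt from a host outside the ACL.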
     
  5. dxer

    dxer Well-Known Member

    Joined:
    Sep 9, 2002
    Messages:
    295
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Europe
    Thanks for this details.

    One more thing. Does this named.conf file contain these default values (seconds), so I must change them there?
     
  6. jsteel

    jsteel Well-Known Member

    Joined:
    Jul 4, 2002
    Messages:
    646
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Atlanta, GA
    If you chattr +i it, then you'll never be able to have any new accounts update into it automatically!
     
  7. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    dxer, the values I mentioned are specified in the individual zone files, I would recommend changing them in the WHM interface though.
    jsteel, you are right about the updates not working if you chattr the file. So far I have not seen cpanel doing anything to my additions so perhaps a chattr is not necessary. But then again you never know with cpanel and there is normally not a warning that certain conf files will be touched with the next release.
     
  8. vahan

    vahan Active Member

    Joined:
    Dec 10, 2003
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    thanks for the nice info on securing named...

    I've noticed that the allow-notify line breaks the

    named 8.3.6-REL Mon Oct 27 14:55:35 GMT 2003
    root@freebsd-stable.sentex.ca:/usr/obj/usr/src/usr.sbin/named

    which is default one installed on FreeBSD 4.9


    BTW, how can I change the zone file template that is used when creating a new account? I want to change several things in there and don't want to create a script that opens up the *.db files directly.
     
  9. simoneast

    simoneast Member

    Joined:
    Mar 26, 2003
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Can someone explain the difference between the zone's minimum TTL and each record's TTL? When is each used by the caching DNS servers around the world?

    < Simon >
     
  10. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Maybe I'm missing something, but how can one edit the TTL for nameservers in the WHM editor? Can't be done? If not, where can you do that?

    I don't like dnsreport.com giving warnings about the TTL of my nameservers. When some customers experience issues with their ISPs I can't point them to dnsreport because they'll tell me something's wrong with my nameservers...
     
  11. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Have always done it in the edit zones of WHM.
    Another site that works well for checking dns is checkdns.net
     
  12. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Hmm. Then I'm not understanding the config options.
    Here's the template:
    I don't see where I can change the nameserver TTL.

    Thanks for the link to checkdns.net. Nice site.
     
  13. simoneast

    simoneast Member

    Joined:
    Mar 26, 2003
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    The last two lines of the zone header...

    > 3600000 ; expire, seconds
    > 86400 ) ; minimum, seconds

    The expire number is how long the secondaries should hold the data while they cannot access the primary. I've noticed that this value tends to cause warnings about being too high.

    The next number is the TTL minimum for the zone. I asked above what the difference was between this and the individual record TTLs and am still waiting on an answer.

    < Simon >
     
  14. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Would certainly defer to cyberspirit as being able to explain the technical details.
    For my part have been able to get a clean report from dnsreport.com by among other things changing the TTL in WHM in the domain field to 172800.
    Arrived at my settings mostly by trial and error. Not very scientific or technically correct but the results AFAIK seem to work well.
    You can check ecinames.com at dnsreport and see if the results look acceptable.
     
  15. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me

    Aha, so change %domain%. IN NS %nameserver%.
    to %domain%. 172800 IN NS %nameserver%.
    Thanks!
     
    #15 casey, May 18, 2004
    Last edited: May 18, 2004
  16. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    To quote from your template:
    %domain%.(TTL 172800) IN NS %nameserver%.
    HTH
     
  17. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    ok, let me go a little bit into detail because a couple people had questions in regards to TTL values.

    The default in WHM for a zone is this:

    14400 ; refresh, seconds
    7200 ; retry, seconds
    3600000 ; expire, seconds
    86400 ) ; minimum, seconds

    This means that secondaries refresh after a minimum of 14400 seconds or more. This is how it works:
    A secondary NS server keeps track of time stamps and notices when the refresh time is up for a zone. It will then queue this zone for a refresh. This does not mean it will do it at exactly 14400 seconds. Once the refresh is done the secondary basically checks in with the primary nameserver to see whether the serial number and time stamp are still the same. If they are not, a transfer will be initiated.
    Should this request or transfer fail it will try again in 7200 seconds ---> retry 7200
    The expire time tells the secondary for how long the zone data should be treated "fresh" and be given out to queries in case the primary cannot be reached for updates.
    The minimum TTL for the zone of 86400 describes the default "time to live" for the whole zone and every record in that zone. These values can be overwritten if the record itself has a TTL value. So if your zone has a minimum TTL of 86400 and then your A record has 14400 then the record will only be cached for 14400 seconds. The TTL describes how long this record can be stored in cache by other non-authoritative nameservers.
    What is confusing here is the term "minimum" TTL because it is actually more of a default TTL.

    Now here are my two cents to the way the defaults are done in cpanel:

    My values are:

    7200 ; refresh, seconds
    3600 ; retry, seconds
    432000 ; expire, seconds
    86400 ) ; minimum, seconds

    In my mind some of the values in the default cpanel are too high and some do not make sense. I chose fairly small refresh and retry values because DNS traffic if done right is very small and does not really do anything to performance. But out of sync or old DNS records can really cut down on performance.
    The expire time is way too high in the default cpanel. If a primary nameserver is down for more than 5 days then you should close down your hosting company. ;-)
    Besides forgetting an old secondary ns server somewhere can happen and if that machine keeps giving out old information for weeks to come this could be a disaster.
    The minimum TTL is one day, pretty standard and is anyway overwritten by the record TTL of 4 hours.

    Here is one important point people forget. DNS servers do not have a ranking even though we speak of primary and secondary ns. All nameservers that show up in a whois record for a domain are used in a round robin way. So it is crucial that all nameservers for a domain have the correct and up-to-date information and are fast enough with responses.

    hope this helps.
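    As an added worked example (not from any post in this thread or from cPanel), the script below parses the SOA header in the layout quoted above and models the three things the explanations in posts 2, 17 and 20 turn on: which TTL a caching resolver actually uses (record TTL, else $TTL, else the SOA minimum), how long an old answer can survive when the secondary only catches a change at its next refresh, and a few consistency checks on the timers. The zone text and the two-week expire ceiling are assumptions made for the example.

```python
import re

# Constructed zone header in the layout the post quotes (the cPanel defaults),
# followed by two records: one with its own TTL and one relying on the default.
ZONE = """\
$TTL 14400
@ IN SOA ns1.example.com. hostmaster.example.com. (
    2004021901 ; serial
    14400 ; refresh, seconds
    7200 ; retry, seconds
    3600000 ; expire, seconds
    86400 ) ; minimum, seconds
www 14400 IN A 192.0.2.10
mail IN A 192.0.2.20
"""
FIELDS = ("serial", "refresh", "retry", "expire", "minimum")

def parse_soa(text):
    """Return (SOA timer dict, $TTL default or None) from a zone file text."""
    m = re.search(r"^\$TTL\s+(\d+)", text, re.M)
    default = int(m.group(1)) if m else None
    pairs = re.findall(r"^\s*(\d+)\s*\)?\s*;\s*(\w+)", text, re.M)
    return {name: int(val) for val, name in pairs if name in FIELDS}, default

def effective_ttl(record, soa, default):
    """TTL a caching resolver stores: the record's own TTL wins, then $TTL,
    then the SOA minimum (the pre-RFC 2308 meaning the post describes)."""
    m = re.match(r"\S+\s+(\d+)\s", record)
    if m:
        return int(m.group(1))
    return default if default is not None else soa["minimum"]

def worst_case_staleness(soa, ttl):
    """Seconds a resolver may still hand out the old answer after a change on
    the primary when NOTIFY fails: one full refresh interval on the secondary,
    then one cache TTL on the resolver (the "twice the TTL" case in post 2)."""
    return soa["refresh"] + ttl

def review(soa):
    """Consistency checks drawn from the thread's discussion of the timers."""
    issues = []
    if soa["retry"] >= soa["refresh"]:
        issues.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        issues.append("expire must outlast one failed refresh+retry cycle")
    if soa["expire"] > 14 * 86400:  # assumed ceiling of two weeks
        days = soa["expire"] // 86400
        issues.append("expire of %d days: a forgotten secondary serves stale data that long" % days)
    return issues
```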
     
  18. simoneast

    simoneast Member

    Joined:
    Mar 26, 2003
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for that explanation. That helps clear things up a bit.

    Am I correct in saying that WHM enforces that you specify a TTL for each record in the zone - so the default or "minimum" TTL doesn't really have any effect?

    < Simon >
     
  19. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    Let's put it this way, WHM comes with a default TTL value for each record. I have never tried to leave it blank. But according to DNS a record without a TTL field would be ok.
     
  20. simoneast

    simoneast Member

    Joined:
    Mar 26, 2003
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Yeah, I just tested it and WHM 9.2.0 does provide default TTLs of 14400, and will allow you to submit blank TTLs. But when you reedit the zone file again the values are back in there (so it probably doesn't write empty TTLs to the zone file).

    So in essence the minimum TTL has no effect. All records need to have their own.

    I'm not a web host who runs CPanel/WHM just a reseller who uses them, and... By default are the primary and secondary nameservers the same computer? They're different IPs, but how do I tell if the IPs go to the same place or not?

    < Simon >
     