RNDC with non-cPanel server

[kenneth-vkd]

Hi
We have built a new infrastructure and use WHM/cPanel for our Linux webhosting and it works really great.
However we have about 200 websites running in Microsoft ASP.NET, which does require a Windows-based system. In our case with have provisioned a server with Windows Server 2016 and Plesk 17. According to their documentation, we need to generate and RNDC-key and then modify the bind/named configuration on the DNS-server. However I cannot seem to find the correct location to do this on our WHM DNSOnly instances.

How can I add an external RNDC-key to WHM DNSOnly so that we can sync DNS-zones from Windows to WHM?

 

[cPanelMichael]

Hi Kenneth,

Here are some key paths to note when making custom configuration changes to Bind on cPanel DNSOnly:

/etc/named.conf - Bind configuration file
/etc/rndc.key - Existing RNDC key

Here's a link to Bind documentation as provided by RedHat:

11.2. BIND - Red Hat Customer Portal

Thank you.

 

[kenneth-vkd]

Hi
Thank you for the reply.

Here are some key paths to note when making custom configuration changes to Bind on cPanel DNSOnly:

/etc/named.conf - Bind configuration file
/etc/rndc.key - Existing RNDC key

So I can basically make changes to these files as if it was a custom configured BIND-server?

 

[cPanelMichael]

So I can basically make changes to these files as if it was a custom configured BIND-server?

Yes, although you may want to setup DNSOnly on a test machine first to verify the custom modifications don't result in any issues with the cPanel servers that sync to the DNSOnly machine.

Thank you.

 

[kenneth-vkd]

Hi
I have now configured and tested that the required RNDC configuration does not break existing cPanel functionality.
However there is an issue with syncing DNS zones to the cPanel DNSonly.
We get the following error in /var/log/named/named.log

23-Mar-2018 12:01:03.329 xfer-in: error: transfer of 'mydomain.com/IN/internal' from X.X.X.X#53: failed while receiving responses: REFUSED

I tried to check how this is normally fixed using BIND nameservers and the configuration is done. But it seems that it tries to create the zone different than the ones created between the cPanel servers.

Is there a way to allow creating the zones, or would that require a change in the configuration of the sending server, so that it structures the zones differently

 

[cPanelMichael]

I tried to check how this is normally fixed using BIND nameservers and the configuration is done. But it seems that it tries to create the zone different than the ones created between the cPanel servers.

Is there a way to allow creating the zones, or would that require a change in the configuration of the sending server, so that it structures the zones differently

Could you provide specific details about the changes you made and the differences in the zone file? Please provide step-by-step instructions of what you are doing.

Thank you.

 

[kenneth-vkd]

First I generate the RNDC key on the foreign system and add a new file on the cpanel DNSOnly server.
I then add this line in the top of /etc/named.conf, so that it now looks like this:

include "/etc/rndc.key";
include "/etc/rndc-5-206-197-215.key";

I then modify the control block so that it listens on the public facing interface
Before:

controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

After:

controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
        inet 172.16.11.55 port 953 allow { 5.206.197.215; 127.0.0.1; localhost; } keys { "rndc-key"; "rndc-key-5.206.197.215"; };
};

Next I modify the options block so that it should allow zone transfers from the listed hosts:

allow-transfer    { 5.206.197.215; 172.16.11.56; };
    allow-update      { 5.206.197.215; 172.16.11.56; };
    allow-notify      { 5.206.197.215; 172.16.11.56; };
    allow-new-zones yes;

The rest of /etc/named.conf is the default generated from cPanel installation.

The zonefile it self looks the same on both systems, but the source server does not seem to encapsulate the zones in the "internal" view.

 

[cPanelMichael]

Hello,

Here are a couple of third-party URLs where a similar error message is reported:

failed while receiving responses: REFUSED on SLAVE with BIND 9.2.2
Problem with slave DNS

If that doesn't help, I recommend reaching out to a qualified system administrator if you don't receive sufficient user-feedback to this post:

System Administration Services | cPanel Forums

You may also want to try posting to a website such as StackOverflow.

Thank you.

 

[kenneth-vkd]

So I have now found out why RNDC was not working and zones are now coming to my cPanel DNS only servers without errors.
However as they are not automatically registered in the configuration file, I cannot perform lookups from outside clients.
If I try to perform a lookup on a domain that was not created on a connected cPanel server, then it fails with "server can't find domain.tld: REFUSED"
Is there some kind of tool available for cPanel to have it look in the /var/named directory for any DNS zones that are not listed in /etc/named.conf and then create entries for them.
It seems the transferred zones are saved like domain.tld and not domain.tld.db, like the other zones. I can create a manual zone entry in /etc/named.conf, but that will leave some manual work when someone is ordering af new domain that is not hosted on a cPanel server.

 

[cPanelMichael]

Is there some kind of tool available for cPanel to have it look in the /var/named directory for any DNS zones that are not listed in /etc/named.conf and then create entries for them.

Hello,

The following command will do this:

/scripts/rebuilddnsconfig

However, the zone needs to be named $domain.tld.db in the /var/named/ directory for the script to pick them up. Thus, you'd need to setup a hook with your custom script or add a cron job that renames the zone file to the correct format.

Thank you.