Slave DNS and Plesk

Preface

There are several reasons why you might need at least two DNS servers for serving your sites:

  • You purchased a domain name from a domain registrar. To delegate the domain, many registrars require the domain zone to be served by at least two name servers residing in different IP subnets.
  • You have several hosting servers and have not yet grown enough to need products like PPA or PA, but you want a single set of name servers for all the domains you host.
  • You want to have your own name servers and not depend on third parties.
  • You want the WHOIS records for your domains to list your name servers.

Usually you would set up a couple of name servers in the Master/Slave mode. Then you create domain zones on both servers, but administer resource records of the domain zones only on the master server. The secondary (slave) server automatically downloads the changes from the master. Thus, you always have two active name servers with the same set of domain zones and resource records.

The only minor annoyance is that you have to create and delete each zone on both servers; this does not happen automatically. So you create a domain zone on the master, then create the same zone on the slave and specify the master server’s address. After that, when you add the domain resource records on the master, you can be sure that your slave server will automatically get them from the master.

For many years, integration of Plesk with a slave DNS server has not been obvious. A Plesk server is supposed to be the master. In Plesk, we have the slave and master modes for a domain zone and the list of IP addresses that can retrieve domain zones. But there is no mechanism for creation of new domain zones on the slave server. And it will never appear, because Plesk’s concept presumes automation of hosting operations on a single server. For integration of several servers that are dedicated to running individual services, Parallels offers PPA and PA.

Still, there are a lot of Plesk users for whom PPA or PA are more than they actually need. They just want integration with a slave name server. Previously, to solve this problem, each Plesk administrator had to write their own scripts, purchase commercial ones, or manually create and delete domain zones on the slave server.

Seemingly, there are no complications. Plesk has got its local name server – let it be the master, and there is a system of event triggers – let us associate our script execution with the events “DNS zone creation” and “DNS zone deletion”. The problem will be solved. Unfortunately, Plesk does not support such events.

Plesk software engineers not only develop Plesk, they also use it. That’s why we created an extension that allows Plesk users to integrate Plesk with an external slave name server running BIND9. You can download this extension here.

How it works

Plesk uses BIND as a local name server. It can be managed remotely with the native rndc utility. There’s no reason why we could not install BIND on a remote server and manage it with rndc. Plesk 11.5 introduced the “Custom DNS backend” mechanism. It can be used to connect an external DNS service, for example AWS Route53. You can learn more in our doc.

Briefly, this feature allows us to register a script with Plesk. Upon creation, modification, or deletion of any DNS zone in Plesk, the script receives a description of the zone in JSON format together with an instruction on what to do with it. That’s all we need. While implementing this feature, we assumed that you would use an external DNS service instead of installing the BIND server with Plesk. However, you do not necessarily have to delete the local BIND. The script can operate concurrently with a local DNS service. This is the idea that our extension uses.

The extension works according to the following algorithm:

  1. It registers a slave server in the extension settings.
  2. The slave server’s IP address is automatically added to the list of addresses allowed to transfer domain zones from the Plesk server.
  3. When you create, modify, or delete an active domain zone in Plesk, Plesk creates, modifies, or deletes the domain zone in the local DNS service.
  4. Then the script starts and receives the domain name and the command to create, modify, or delete.
  5. The script initiates the rndc command for each connected slave server.
  6. Slave servers synchronize domain zones with the ones on the Plesk server.

Thus, we get a simple and very reliable scheme of working with slave name servers. All issues with zone files format, connection, and service restart are handled by the DNS service. The administrator should set up a slave server to work with an external Plesk only once. After that you can go to the registrar and say that the Plesk server and the slave server are name servers for your domains. Thus, we resolved all the issues stated at the beginning of the article.

Now we will describe the process in more technical detail.

To set up a slave name server, using the example of a server with Debian 7:

  • Install BIND.

  • Allow creating new zones with rndc. In the /etc/bind/named.conf.options file, in the options {} directive, type:

  • Specify the IP address from which control instructions should be accepted and set BIND to listen on all accessible network interfaces. Specify the rndc key that will be used by Plesk. In the /etc/bind/named.conf.local file, type:

  • That’s it, the slave name server is set up.

After that, install the extension on the Plesk server. In the extension settings, add the slave server and specify its IP address and the pass key. The extension will create a configuration file with the slave server settings for the rndc utility. From now on, Plesk will automatically transfer all created, modified, and deleted zones to the slave server by executing the following command for each slave server:

Now, when you add a domain in Plesk, a DNS zone is automatically created on the slave server as well as on the master server.
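
Steps 4 and 5 of the algorithm and the per-slave command described above, as an added example that is not the extension's own code: it turns one zone event into an rndc argument list per slave and rejects zone names that could smuggle extra statements into the addzone configuration string. The JSON key names (command, zone, name), the refresh call for modifications and the file_prefix parameter are assumptions; the addzone form follows the commands quoted in the comments below.

```python
import ipaddress
import json
import re
import subprocess

RNDC = "/usr/sbin/rndc"  # path used in the commands quoted on this page

# One DNS label: letters, digits and inner hyphens only, so quotes, braces,
# semicolons and whitespace can never reach the addzone configuration string.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_ZONE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")
_PREFIX = re.compile(r"(?:[A-Za-z0-9_-]+/)*")  # e.g. "" or "slaves/"


def normalize_zone(name):
    """Drop one trailing dot, lower-case, and reject anything unsafe."""
    zone = (name[:-1] if name.endswith(".") else name).lower()
    if len(zone) > 253 or not _ZONE.fullmatch(zone):
        raise ValueError(f"refusing zone name {name!r}")
    return zone


def rndc_commands(event_json, master_ip, slave_confs, file_prefix=""):
    """Return one rndc argv list per slave for a single zone event.

    event_json  -- JSON text; "command" and zone "name" keys are assumed
    master_ip   -- address the slaves transfer the zone from
    slave_confs -- one rndc configuration file per slave server
    file_prefix -- directory named may write slave files to (assumption)
    """
    event = json.loads(event_json)
    command = event.get("command")
    if command not in ("create", "update", "delete"):
        return []  # not a zone event that concerns the slaves
    zone = normalize_zone(event["zone"]["name"])
    if command == "create":
        master = ipaddress.ip_address(master_ip)  # ValueError if malformed
        if not _PREFIX.fullmatch(file_prefix):
            raise ValueError(f"refusing file prefix {file_prefix!r}")
        spec = (f'{{ type slave; file "{file_prefix}{zone}"; '
                f'masters {{ {master}; }}; }};')
        action = ["addzone", zone, spec]
    elif command == "update":
        action = ["refresh", zone]  # assumed: ask the slave to re-check the SOA
    else:
        action = ["delzone", zone]
    return [[RNDC, "-c", conf, *action] for conf in slave_confs]


def push(event_json, master_ip, slave_confs, file_prefix=""):
    """Run the commands as argv lists (no shell) and collect exit codes."""
    return [subprocess.run(argv, check=False).returncode
            for argv in rndc_commands(event_json, master_ip, slave_confs,
                                      file_prefix)]
```

Passing file_prefix="slaves/" covers the CentOS layout raised in the comments, where named may only write slave zone files below /var/named/slaves.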

The extension is available for direct download: Slave DNS manager.

Parallels does not provide technical support services for this Plesk extension. The extension is intended to serve as an example of how certain technical tasks can be accomplished.

50 thoughts

  1. Ross -

    Thank you! I think this could be very helpful

  2. Alex Goncharov -

    Or you could get Parallels Business Automation Standard and let it manage your Plesk server and all DNS servers.
    If you are a Parallels partner, you can get it for free + get free 2 days training + free 5 CT PCS license, using “Pay-As-You-Grow” program.
    More information: http://www.parallels.com/landingpage/grow-with-pbas/

  3. John -

    need a way to do this with simpleDNS as the slave server!

    Sergey Ugdyzhekov -

    You can do it using the documentation from the article. You just need to write a wrapper script which will parse the JSON packet from Plesk and kick your simpleDNS instances.

  4. Ken -

    Is this extension compatible with Plesk for Windows?

    Sergey Ugdyzhekov -

    No, this extension uses Linux utilities.

    Sergey Ugdyzhekov -

    UPD. Extension available for all platforms.

  5. Julian -

    A more detailed doc on this extension would be helpful. We have had mixed results with implementing it on various OSes.
    Maybe Parallels should do what cPanel did with cPanel “DNS Only” and build a cut-down version of Plesk for use as slave nodes, which would make customer deployment a lot more straightforward and allow providers to build provisioning templates to rapidly roll out slave nodes.

    Comprehensive slave name server support is the missing link in the Plesk offering. This extension does go a long way towards bridging the gap and providing for a greater level of automation but I think more could be done without a huge dev investment by Parallels.

  6. Alwin -

    Hi,

    Great extension, but how can we change the path of the domain zones on our slave DNS server from /var/lib/bind/ to something else? We use CentOS on our slave DNS server and the zone files are stored in /var/named/chroot/var/named/slaves.

    Thanks!

    Sergey Ugdyzhekov -

    Hello Alwin

    Sorry for the delay in answering. This extension is available as an example in our SDK (http://download1.parallels.com/Plesk/Doc/en-US/zip/plesk-extensions-sdk.zip). The sources in the example directory are not encoded.

    We want to improve this extension in the future, but right now we are working hard on Plesk 12.

    MikeB -

    Hi Alwin,

    Did you make changes? We checked the example but did not find where the path is hardcoded or how to change it. Any help would be appreciated.

    Sergey Ugdyzhekov -

    Hi MikeB,

    Hardcoded paths were fixed. The extension is compatible with CentOS and Debian-like systems.

    MikeB -

    Hi Sergey,

    We tried and it works fine on CentOS. Thank you.

  7. Lefteris -

    Hello,
    How can we test if this actually works on our server?
    Which log file should we monitor?

    Sergey Ugdyzhekov -

    Lefteris,

    Sorry for the long delay in answering. Which log file is used depends on the Linux distribution on your remote slave DNS server. On Debian/Ubuntu it is /var/log/syslog. All rndc calls from the remote Plesk are logged there. You can also see the script calls made by Plesk in /usr/local/psa/admin/logs/panel.log:
    2014-03-27T12:07:27+07:00 INFO (6) [panel]: Executing /opt/psa/admin/plib/modules/slave-dns-manager/scripts/slave-dns.php done.

  8. Cameron -

    Hi,

    Great – Finally something that works without much configuration change! Is it possible to push all existing domains to the slave? At the moment it is only pushing domains that have changes made or new domains?

    Cheers

    Sergey Ugdyzhekov -

    Hello Cameron,

    Thank you for your feedback! You can use the “Apply DNS Template Changes” feature to push all existing domain zones to the slave server.

    Alexander Garzon -

    Or you can run this script I just created: https://gist.github.com/agarzon/37b6eac3f31a5017ffb2

    This will push all your domains with slave servers.

  9. ALMC INTERNET -

    Thank you very much:
    It was very useful to me.
    Regards

  10. Alonso -

    Hello,

    When will the extension for Plesk 12 be available?

    Regards

    Eugene Kazakov -

    Current version (on the link in the article) is compatible with Plesk 12.
    All extensions from Extensions Catalog in Plesk must be also compatible.

    Alonso -

    Thanks!!! 😀

    Daniel -

    Plesk Extensions Catalog:

    http://ext.plesk.com/

    Compatible with Plesk 12.x
    Thanks!

  11. Alexander Garzon -

    Remember to open port 953 TCP-IN and TCP-OUT if you are using a firewall.

  12. Patrick -

    Just installed this on a clean setup of Plesk 12. I’ve configured a slave through the Plesk interface and it’s listed, but there’s a red exclamation mark before it. When I hover with the mouse it says ‘Error code 1: rndc: /usr/local/psa/var/modules/slave-dns-manager/slave_.conf does not exist’ where ” is the configured ip for the slave. When I check the server using ssh I can see the file is present. Also, when I click the slave server item a new screen with the contents of the mentioned file shows.

    Plesk 12.0.18#22 on CentOS 7.0.1406 (Core).

    Any ideas what’s wrong?

    Patrick -

    previous post got bad because of disabled tags. It should read:

    ‘Error code 1: rndc: /usr/local/psa/var/modules/slave-dns-manager/slave_[ip].conf does not exist’ where ‘[ip]’ is the configured ip for the slave

    Patrick -

    SSH’d into the plesk server as admin, SUDO -i to become root… ran the following command:

    /usr/sbin/rndc -c /usr/local/psa/var/modules/slave-dns-manager/slave_[slave dns ip].conf addzone [domain on plesk server] '{ type slave; file "[domain on plesk server]"; masters { [bind slave server ip]; }; };'

    result: zone added to slave server! So it seems that the script running the rndc command doesn’t have access to the conf files (strange, because I guess it can be read by Plesk for viewing as I can click the object).

    Now what?

    admin -

    Did you check audit.log? Looks like selinux restriction.

  13. Patrick -

    I get a syscall success on the call to /usr/sbin/rndc
    Then an AVC Denied { getattr } for rndc
    Then a syscall failed for /usr/sbin/rndc

    Seems like permission problem indeed… I’m not a Linux guru.. any advice on how to fix this?

    Sergey Ugdyzhekov -

    Could you show output of sestatus utility?

    Patrick -

    SELinux status: enabled
    SELinuxfs mount: /sys/fs/selinux
    SELinux root directory: /etc/selinux
    Loaded policy name: targeted
    Current mode: enforcing
    Mode from config file: enforcing
    Policy MLS status: enabled
    Policy deny_unknown status: allowed
    Max kernel policy version: 28

    Server managers say they have fixed selinux policy rules but still not working.

    Sergey Ugdyzhekov -

    You can disable SELinux to avoid such a problem.
    It can be disabled in /etc/selinux/config; then you need to restart the server to apply the new settings.

  14. MikeB -

    Hi,

    We run CentOS 6 and have a permission problem because your extension uses only the file name for the zone, without any directory, and BIND tries to write in /var/named, but it should be /var/named/slaves. It would be helpful to set the path for slave zone files in Plesk for this extension.

  15. kingsley -

    [FAIL] Starting domain name service…: bind9 failed!
    invoke-rc.d: initscript bind9, action “restart” failed.
    [email protected]:~# service bind9 restart
    [….] Stopping domain name service…: bind9rndc: connect failed: 127.0.0.1#953: connection refused

  16. beemol -

    Hello,
    I’m trying to set up this extension, but the named service won’t restart because of the “allow-new-zones yes;” line to add in the named.conf of the slave server (in /var/named/run-root/etc/named.conf).
    The error on restart is: /etc/named.conf:10: unknown option ‘allow-new-zones’

    Moreover (or may be Consequently), in the “Slave DNS Manager” of the master server, the red exclamation icon says “Error code 1: rndc: connect failed: 46.105.123.76#953: connection refused” on mouse over.

    I’m trying hard to find any clue on the internet or on the KB of Parallels, but I can’t find anything.
    So thanks a lot in advance for any help or clue !

    Best regards,
    Stephane

    Versions:
    Master server (188.165.227.13) : CentOS 6.5 Plesk 12.0.18 Up to date.
    Slave Server (46.105.123.76): CentOS release 5.6 (Final) Plesk 10.4.4#59

    Sergey Ugdyzhekov -

    Hello beemol,

    Could you open a thread on our forum – http://forum.sp.parallels.com/forums/parallels-plesk-panel-12-x-for-linux-problems-suggested-fixes-and-how-to.735/ ? We will try to solve your problem. Article comments are not the best tool for troubleshooting.

  17. Ngo Liem -

    Hi,

    I want to build a DNS master (CentOS with Plesk 12 installed) and a DNS slave (CentOS). I want to know how to configure the DNS slave (CentOS), because it is so different from the slave (Debian) configuration file. Can you send me the configuration file for the slave (CentOS)?

    Thanks

  18. Iceman -

    I have the ‘Slave DNS Manager’ extension installed on my primary DNS server, which has the following setup:

    OS: CentOS v6.6
    Control Panel: Plesk Panel 12
    DNS: BIND 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3

    I have a secondary DNS server with the following setup:

    OS: CentOS v6.6
    Control Panel: None
    DNS: BIND 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3

    When a change is made to a pre-existing DNS zone file within the Plesk Panel on the primary DNS server and that DNS zone file exists in the ‘named.conf’ file and there is a zone file (i.e. slave/domain.tld) on the slave server, it updates successfully. However, if a new domain is added or deleted within the Plesk Panel on the primary server, then it does not create or remove the zone file on the secondary server.
    Additionally, if I execute the following command on the primary DNS server:

    /usr/sbin/rndc -c slave_2.2.2.2.conf addzone example.com '{ type slave; file "example.com"; masters { 1.1.1.1; }; };'
    * 1.1.1.1 = Primary DNS server
    * 2.2.2.2 = Secondary DNS server

    The result of the command is:

    rndc: ‘addzone’ failed: permission denied

    I am at a loss. If anyone can provide any assistance, I would greatly appreciate it! Thanks in advance.

    Isaiah Olson -

    I had the same problem, the root cause is that the CentOS BIND9 package expects slave zones to be stored under /var/named/slaves, but this extension’s rndc commands use file “example.com” which implies /var/named/example.com. SELinux and the directory permissions prevent BIND from writing that file, so the rndc commands fail.

    I already had disabled SELinux for other reasons, but there are commands that I don’t know off the top of my head to force SELinux to allow the named daemon to write to that directory. I also used chmod to make the /var/named/ directory group writable. However, it is worth noting that CentOS enforces the separation of zones in /var/named into multiple directories the way that it does in order to protect against known vulnerabilities in BIND, so you may want to find another option.

  19. arva -

    What about if the master DNS and Plesk are behind NAT? I have a problem that on the slave DNS, in the rndc configs, the master IP address is the Plesk private IP. I have the NAT manager in use and the records are correct, but in rndc, for the zone transfers, the master IP address is still the private one. Does anyone have a solution for this?

  20. SiXwishlist -

    Not only that:

    allow-new-zones yes;

    should be added:

    allow-transfer { ; ; ;};
    allow-query { trusted; };

    Above the existing options block, create a new ACL block called “trusted”. This is where we will define list of clients that we will allow recursive DNS queries from servers. Using example IP addresses, add host1, host2, host3 to list of trusted clients:

    acl "trusted" {
    ; # host1
    ; # host2
    ; # host3
    };

    this may be helpful

  21. Thomas Ehrhardt -

    It seems there is a problem with IPv6 at my slave or master server. Setting up the Plesk addon and the slave DNS was easy. At the master server I see the updates in syslog:

    Example:
    Oct 23 12:31:19 37081 named[12891]: client 81.30.156.94#53098: transfer of ‘jet-hangar.de/IN’: AXFR-style IXFR started
    Oct 23 12:31:19 37081 named[12891]: client 81.30.156.94#53098: transfer of ‘jet-hangar.de/IN’: AXFR-style IXFR ended
    Oct 23 12:31:19 37081 named[12891]: client 81.30.156.94#44545: transfer of ‘de.powie.de/IN’: AXFR-style IXFR started
    Oct 23 12:31:19 37081 named[12891]: client 81.30.156.94#44545: transfer of ‘de.powie.de/IN’: AXFR-style IXFR ended

    At the slave server this is logged to syslog at this time:

    Oct 23 12:31:34 156094 named[27377]: zone powie.de/IN: refused notify from non-master: 2001:4ba0:cafe:278::1#46739
    Oct 23 12:31:34 156094 named[27377]: client 2001:4ba0:cafe:278::1#46739: received notify for zone ‘de.powie.de’
    Oct 23 12:31:34 156094 named[27377]: zone de.powie.de/IN: refused notify from non-master: 2001:4ba0:cafe:278::1#46739
    Oct 23 12:31:34 156094 named[27377]: client 2001:4ba0:cafe:278::1#46739: received notify for zone ‘skyspots.de’
    Oct 23 12:31:34 156094 named[27377]: zone skyspots.de/IN: refused notify from non-master: 2001:4ba0:cafe:278::1#46739

    I don’t know why, but there is a confusion between IPv4 and IPv6….??

    Tips?

    Reply
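
A way to triage refused-NOTIFY lines like the ones in the comment above, as an added example that is not part of the original thread: it groups refusals by source address and marks sources whose IP family has no entry in the slave zone's masters list, the pattern visible in those logs (transfers over IPv4, NOTIFY arriving over IPv6). The log lines, host name and addresses in the sample are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the slave syslog lines quoted above
# (documentation addresses, not values from the page).
SAMPLE_LOG = [
    "Oct 23 12:31:34 ns2 named[27377]: zone example.com/IN: refused notify from non-master: 2001:db8::1#46739",
    "Oct 23 12:31:34 ns2 named[27377]: client 2001:db8::1#46739: received notify for zone 'example.net'",
    "Oct 23 12:31:34 ns2 named[27377]: zone example.net/IN: refused notify from non-master: 2001:db8::1#46739",
    "Oct 23 12:40:02 ns2 named[27377]: zone example.com/IN: refused notify from non-master: 203.0.113.7#5353",
    "Oct 23 12:41:10 ns2 named[27377]: zone example.org/IN: Transfer started.",
]

_REFUSED = re.compile(
    r"zone (?P<zone>\S+)/IN: refused notify from non-master: "
    r"(?P<src>[0-9A-Fa-f:.]+)#\d+"
)


def refused_notify_report(lines, masters):
    """Group refused NOTIFY sources and compare them with the masters list.

    family_in_masters False: no master of that IP version is configured, so
    the sender is most likely the master itself using its other address.
    family_in_masters True: a master of that version exists and this source
    is not it, so the sender is an unrelated host worth a closer look.
    """
    families = {ipaddress.ip_address(m).version for m in masters}
    zones = defaultdict(set)
    hits = defaultdict(int)
    for line in lines:
        match = _REFUSED.search(line)
        if not match:
            continue
        try:
            src = ipaddress.ip_address(match["src"])
        except ValueError:
            continue  # not an address after all; ignore the line
        zones[src].add(match["zone"])
        hits[src] += 1
    return [
        {"source": str(src), "zones": sorted(zones[src]),
         "refusals": hits[src], "family_in_masters": src.version in families}
        for src in sorted(zones, key=str)
    ]
```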

  22. Willy -

    Do I need this extension if my slave server is also a plesk server? Thanks.

    Sergey Ugdyzhekov -

    Yes. Moreover, we did not test such a configuration.

    Willy -

    Thanks for your reply.

    So is there a built-in way in Plesk for master/slave dns to work? both master/slave are running latest Plesk 12.5 (Windows).

  23. Jomardyan -

    I got this..

    [email protected]:~# sudo /etc/init.d/bind9 restart
    * Stopping domain name service… bind9 rndc: connect failed: 127.0.0.1#953: connection refused
    [ OK ]
    * Starting domain name service… bind9 [fail]
    [email protected]:~#

  24. Jonas -

    I had to change your code for named.conf.local a bit to get it working:

    controls {
    inet * port 953 allow { ; 127.0.0.1; } keys {"rndc-key", "plesk-key"};
    };

    changed to:

    controls {
    inet * port 953 allow { ; 127.0.0.1; } keys {"plesk-key"; };
    };

    The semicolon after plesk-key was missing.

    Sergey Ugdyzhekov -

    Thank you, Jonas! I’m going to update the article.

  25. Isaiah Olson -

    First of all, thanks a bunch for the work on this plugin. It’s helped me out a lot so far! The only problem that I have run into is that when I add a slave DNS server, the plugin doesn’t seem to automatically add all of the zones that are currently on the master server to the slave server. After I manually ran the rndc addzone commands for some of the existing zones, they started working properly and updating when I made changes, but I wanted to know if there was any way to force Plesk to add all zones on the server to the slave servers.
