
Red Squirrel 05-30-2016 01:45 AM

Easiest way to mirror a DNS server
I want to set up a secondary DNS on my local network as I realized it's needed if my VM or file server is down, as the DNS server is in a VM.

Everything I'm reading seems to indicate you still have to configure stuff on a per domain basis, e.g. you have to create individual domain zone entries on the backup. Is there a way to set it up so it actually does a full mirror?

Is there any reason I can't just set up two regular DNS servers and just have an rsync job to copy records/config over to the backup?

Keruskerfuerst 05-30-2016 03:55 AM

The DNS Server is on a VM?

When you want to set up a mirror DNS server, then you should ask ISC.

Good luck....

Red Squirrel 05-30-2016 04:29 AM

Not sure what is so strange about having it in a VM, it's a rather low resource box that did not really benefit from having dedicated hardware so I virtualized it when I set up my VM environment. Unfortunately I kinda overlooked the whole thing where the hardware still needs DNS to be alive when booting up, e.g. to mount the stores (by name), so I will end up needing it on hardware in addition to the VM. I could just move it completely to hardware but I figure I should have two anyway. I have a physical server that handles my home automation stuff so I'll just throw it on there to act as backup.

Not sure what you mean about your last sentence. What is ISC?

Keruskerfuerst 05-31-2016 02:56 AM

I would use a single computer for that purpose.
And not a VM.

How many computers have to be fed with the DNS information?

Elizine 05-31-2016 06:34 AM

Is your existing DNS AD-integrated? If so, and if the new server is a non-domain controller, you will need to configure a secondary zone on the 2nd server, and configure the 1st DNS server (the DC) to allow zone transfers to the IP address of the new server. You will then need to configure your client computers to use the DC as their preferred DNS server and the member server as the alternate DNS server.

lazydog 05-31-2016 10:40 AM

If you are using bind then simply set up one as root and the other as slave. The root will update the slave as needed provided your setup is correct.

Habitual 05-31-2016 10:51 AM

I've been known to rsync from Master to slave and turn it on with "minimal" edits.

Sorry, solely Secondary Zones, so no mirroring.

Red Squirrel 05-31-2016 06:33 PM

No AD, this is strictly a Linux environment. The problem with setting one as slave is you still have to configure each individual zone too, unless there's a way to tell it to be a full mirror? The tutorials I found seem to indicate you still have to set up each zone on both servers. It kinda defeats the purpose if I have to do the work twice every time I add/delete a zone. I have maybe 30 or so zones.

I'm aiming towards the rsync route and just having them both run as regular servers, just wondering if there's any reason not to do it that way.

wpeckham 05-31-2016 09:28 PM

Keep it simple
I have used OpenVZ on two servers (hardware) each with a guest. The primary was set up first, then the secondary created by making a 'clone' of the primary. The clone was then migrated to the other OpenVZ server and configured as secondary, and the permissions set in the primary to allow it to replicate out to the secondary. From then on they stayed in sync for YEARS.

In server space, we would make certain that the two physical machines were in different racks. We kept an off-site backup of the primary and a continuity document detailing certain configuration data about each and the restore path in case of partial or total failure.

I see no reason why the same basic plan would not work with nearly any kind of virtualization. Use as much or as little of the plan as you need for your purpose.

Doug G 05-31-2016 10:21 PM

One more thought, using rsync to copy zone files wouldn't work if you configure bind to use a database for storage.

Red Squirrel 11-06-2016 12:43 AM

I ended up just using rsync, and it turned out to be fairly straightforward. Basically I copy over the zones.conf file (a file I created myself just to organize all the zone declarations in a single file) and the zones folder, which all the actual zones are in.

So the script copies those two files, then executes a script on the secondary to chown them as named because the operation will make them owned as root (WHY Linux does not have permission inheritance is beyond me, but that is a whole other story) and then restarts the named service. I have it set up to do this once a day.

I do find it odd that there is not something built into the DNS specification to do this though, as the existing zone transfer mechanisms are kinda useless given you still have to set it up on a per zone basis. The whole idea is that you should only need to do edits on the primary box and it replicates.

Either way got it working nicely now, as far as I can tell. I started adding the secondary DNS to most of my servers. Any ones I missed I can do later on as required. Primary DNS is the VM, secondary is the hardware box.

Now I don't have to worry about my file or VM server going down again. That sucked. :P

MadeInGermany 11-07-2016 07:56 PM

The rsync running as root should also copy the owner/permission.
I.e. if the original owner is named then the copied file gets owner named if you have the rsync -a option. See "man rsync".
I wonder if the role in the copied config should be changed from master(primary) to slave(secondary).
The zone files are copied automatically if the slave knows the master and vice versa. But you need a script to make these changes.
You are right, Bind 9 does not have a full builtin administration. Either you create your own scripts or you buy a commercial solution (that also comes with an admin gui or Web interface and an import/export API and ...).
The risk with DNS on a VM guest is if the VM host depends on its DNS service.
Having a copy on a HW server, and having it in each resolv.conf eliminates the risk.

Red Squirrel 11-08-2016 04:48 PM

Actually I was thinking that too, is there a master/slave designation I need to add somewhere? What setting do I put for that and where do I put it? The way I did it, the actual named.conf file does not get copied as the zones are in an include file, so it would not be too hard to change a setting in named.conf and have it stay the same.
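An added example (not code from anyone in this thread) for the master/slave question above: it takes the zones.conf that gets rsynced over and rewrites it in two ways, one copy for the secondary where every master zone becomes a slave of the primary, and one for the primary that allows zone transfers to the secondary only. The sample zones.conf, the IP addresses and the `slaves` directory are assumptions.

```python
import re

# Constructed sample of the primary's zones.conf (the include file rsynced over).
PRIMARY_ZONES_CONF = """\
zone "home.lan" {
    type master;
    file "zones/home.lan.zone";
};
zone "10.168.192.in-addr.arpa" {
    type master;
    file "zones/10.168.192.rev";
};
"""

ZONE_OPEN = re.compile(r'zone\s+"([^"]+)"\s*\{')

def rewrite_zones(conf, transform):
    """Replace each zone block with transform(name, body), matching braces so
    nested blocks like allow-transfer { ...; }; inside a zone are handled."""
    out, i = [], 0
    while (m := ZONE_OPEN.search(conf, i)):
        depth, j = 1, m.end()
        while depth and j < len(conf):
            depth += (conf[j] == "{") - (conf[j] == "}")
            j += 1
        if depth:
            raise ValueError(f'unbalanced braces in zone "{m.group(1)}"')
        out.append(conf[i:m.start()] + transform(m.group(1), conf[m.end():j - 1]))
        i = j + 1 if conf[j:j + 1] == ";" else j
    return "".join(out) + conf[i:]

def as_secondary(primary_ip, zone_dir="slaves"):
    """Secondary's copy: master -> slave pulling from primary_ip; named writes
    the transferred zone file itself, so it lives in a dir named can write."""
    def t(name, body):
        if "type master;" not in body:  # hint/forward zones stay as they are
            return f'zone "{name}" {{{body}}};'
        return (f'zone "{name}" {{\n    type slave;\n    masters {{ {primary_ip}; }};\n'
                f'    file "{zone_dir}/{name.replace("/", "_")}";\n}};')
    return t

def with_transfer(secondary_ip):
    """Primary's copy: allow AXFR of each master zone to the secondary only."""
    def t(name, body):
        if "type master;" in body and "allow-transfer" not in body:
            body = body.replace("type master;",
                                f"type master;\n    allow-transfer {{ {secondary_ip}; }};")
        return f'zone "{name}" {{{body}}};'
    return t
```

With this, only the primary's zones.conf is ever edited by hand: the `with_transfer` form is what the primary loads, and the `as_secondary` output replaces the plain copy on the secondary, with the `slaves` directory writable by the named user.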

Red Squirrel 10-30-2017 07:23 PM

Ok so this did not work so well. I had another incident that involved the primary DNS going down, and half of the clients were not failing over properly. They were still trying to do name resolution using the primary which was down. It was very sporadic, as sometimes it did work.

So it seems doing it with rsync the way I'm doing it is not right as it does not fail over like it should. Is there any other way to set up a redundant DNS without having to configure zone transfers for every single zone? I just want the secondary DNS to be an exact mirror of the other, and for clients to fail over properly to that one if the primary goes down.

Failing that, I'm thinking of setting up two Raspberry Pis that have the same IP address, then if the first one goes down, the other one would just bring its interface online. I could use a USB dongle to have a separate interface that is always online for management purposes. Basically they would just monitor each other. If the B side detects that the A side is not working it flips the A side interface off and B side interface on. A would monitor B and do the same if B goes down. Essentially they would be a mirror but only one runs at once. Think this would work? That way I only need to configure 1 DNS IP on clients and they probably won't know the difference if the A or B side is online, correct? Right now I have two DNS IPs in the clients but if the first one fails it still tries it anyway and waiting for timeouts causes massive network slowdowns.

wpeckham 10-30-2017 08:00 PM

For that kind of failover to work seamlessly, and not add a resolution delay, the secondary has to be able to take over the IP address of the primary. I have used virtual networking and some HA scripts for this kind of thing in the past. There may be a "canned" solution, but I am not aware of one.
