So as I move along in getting Virtualmin set up, I’ve moved on to setting up DNS to replace the cPanel managed DNS I’ve been using. So I could have two separate name servers, I took two VPSes I’d already spun up for other purposes, installed Webmin on them, installed BIND on them and went to add them to the Webmin server index on the main server. I’m stuck on two parts of how to configure this – though it does seem to be functioning.
First, adding the servers to the server index seems to add a plaintext copy of the root password for those servers in the files within /etc/webmin/servers. This sounds like a most nightmarish of security arrangements – I never keep my root passwords in plaintext anywhere, for the obvious reasons. Is there an alternative, such as using pre-shared key authentication or something?
Second, am I supposed to likewise add the main server to the server indexes of those other servers? Each has its own domains, so are those supposed to be configured locally on those servers and then synchronized back to the “main server”?
Never noticed the passwords in the config files… good catch. That said, I only give SSH access to myself; everyone else has to use the Webmin interface, and most don’t use the terminal for anything as they don’t understand the principles.
After you have added server1 to server2 (and vice versa) via Webmin → Servers → Bind DNS Servers → Cluster Slave Servers with the following set
As you can see, some are master (local to this server) and some are slaves; you will find, logging into the other server and looking at BIND, the conditions are reversed: slaves become masters and masters become slaves.
Once set up, I very rarely look at the BIND module, as Virtualmin does it for you.
It can be any Webmin user, so you could make a Webmin user specifically for this that does not have a system user. Webmin access is still powerful, but that limits it somewhat. I think you could even make it a user that only has access to the BIND module (though the API has root-like access always, it would raise the bar on the type of attack that could work, and you could firewall the secondary server off so only the primary can access Webmin).
We’ve discussed the problem of password auth, and the API being somewhat unlimited, and it’s on the todo list, but it’s a pretty big set of changes to remedy the problem. But, there are many ways to mitigate it to the point of being a non-issue.
As long as your secondary is just a DNS server, you can limit the surface area for attack to basically zero.
You should probably not use root for this in the first place. Create a dedicated user, or set up SSH authentication keys between the systems, and no passwords would be required (SSH keys for dedicated users as well, not root).
In general, you should never use root for anything and always use an isolated account with limited permission only related to the function they need to perform.
SSH authentication doesn’t provide access to Webmin, which is what OP is setting up (Webmin allows automatically creating zones on a secondary BIND DNS server when they’re created on the primary, which is the one part of having a secondary DNS server that isn’t already covered by BIND itself…one could use ssh to create those zones, of course, but that’s not what’s happening).
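
An audit sketch for the concern raised in this thread, added here as an example and not taken from any post or from Webmin itself: it flags server-index entries that store a password, log in as root, skip SSL, or are readable beyond the file owner. The `*.serv` file naming and the `user`, `pass` and `ssl` keys are assumptions about the file layout, and the hosts, the `dnssync` account and the secret are constructed sample data.

```python
import os
import tempfile

def parse_serv(path):
    """Parse a key=value file into a dict (format assumed for *.serv files)."""
    entry = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip()
    return entry

def audit_servers_dir(directory):
    """Return {filename: [findings]}; the stored secret itself is never echoed."""
    report = {}
    for name in sorted(n for n in os.listdir(directory) if n.endswith(".serv")):
        path = os.path.join(directory, name)
        entry = parse_serv(path)
        findings = []
        if entry.get("pass"):                 # credential kept in cleartext
            findings.append("stored-password")
        if entry.get("user") == "root":       # should be a dedicated Webmin user
            findings.append("root-login")
        if entry.get("ssl", "0") != "1":      # assumed flag for HTTPS to the peer
            findings.append("no-ssl")
        if os.stat(path).st_mode & 0o077:     # any group/other permission bit set
            findings.append("group-or-world-accessible")
        report[name] = findings
    return report

def build_sample(directory):
    """Write two constructed sample entries (not real data)."""
    samples = {
        "1001.serv": ("host=ns1.example.com\nport=10000\nssl=0\nuser=root\npass=CONSTRUCTED\n", 0o644),
        "1002.serv": ("host=ns2.example.com\nport=10000\nssl=1\nuser=dnssync\npass=CONSTRUCTED\n", 0o600),
    }
    for name, (body, mode) in samples.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(os.path.join(directory, name), mode)

if __name__ == "__main__":
    # Point audit_servers_dir at /etc/webmin/servers on a real host (run as root).
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, findings in audit_servers_dir(tmp).items():
            print(name, ", ".join(findings) or "ok")
```

A dedicated, non-root Webmin account still shows up as `stored-password`, which matches the thread: the password remains on disk, so the mitigation is limiting what that account and that network path can reach.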