Exchange of Secondary DNS service ?

Looking for someone interested in offering mutual secondary DNS service. Anyone interested ?

Vincèn

is this offer still valid ?

Sure it is :) Where are you based ? I’m in Europe here :)

Europe, too - how would you prefer this to be set up, via webmin DNS clustering or just a one-time bind setup ?

Well, Webmin DNS clustering would be better, as it would allow us to add domains in our respective Virtualmin and get them automatically duplicated as secondary on the other Virtualmin system, no ?
I’m not familiar with the one-time bind setup !!!

Okay, so if I am not mistaken, we only need to set up new restricted accounts just for DNS: http://doxfer.webmin.com/Webmin/ClusterWebminServers?sortcol=table;up=#Editing_the_user_or_group_ACL_fo

Maybe we can get 2-3 more people involved in this (mutual secondary DNS), no need for any additional IPs or workarounds …

In the meantime, I looked through this: http://www.frankb.us/dns/

And ended up adding these two:

http://www.buddyns.com/
https://puck.nether.net/dns/login

These took only 3 minutes to set up.

So anybody looking for secondary DNS should consider these.

If I recall correctly, I had asked about this quite a while ago already, and received the answer that a Webmin user that can act as a DNS Cluster Slave user needs the “Can accept RPC Calls” right.

I haven’t really tried this, but I think through RPC the user is basically a root user who can do anything. You might want to test that first, before there’s any surprises. And/or Eric or Jamie might shed some more light on this.

I was also concerned about this, but according to the webmin docs, this feature seems explicitly designed to be also used by non-privileged users, i.e. having a dedicated “DNS” user. Not sure if RPC really does require root access though.
On the other hand, it should be also possible to use SSH/pubkey authentication instead of Web RPC - i.e. having a separate “slavedns” group with privileged users that may be used for DNS clustering.

The whole “mutual secondary DNS” is a common thing obviously, and it would be great if people could offer their services via webmin (continent/country) to team up with folks who need another DNS.

I agree the RPC issue is a real concern ! Would be nice to get a feature in Virtualmin itself that would allow setting up such configurations without compromising the security of the server or needing too much trust between people exchanging DNS services ;)

It’s not a security risk so long as you restrict the IPs that are allowed to access the slave DNS webmin and you also set up a valid SSL cert so webmin and virtualmin can talk in private… unless the NSA is listening.

It’s a risk if you need root access in Webmin to allow ACL access, as if the remote server is compromised you compromise your own server :(

Why do you need root access in webmin to edit dns ? You don’t… you create a normal user that only has access to the BIND module and you restrict access to the dns user role. There is nothing risky in this.

Unhappily it’s not enough, you also need to allow RPC access to webmin to the remote webmin so virtualmin can automatically create the secondary DNS zone when you create a new domain on your account !

Thanks for the updates !

I haven’t yet tried it, but I would also prefer NOT going over HTTP/HTTPS for the RPC stuff and instead use SSH on a non-default port for this. I have yet to check the docs/forum (or code) to see if (and how) that could work though …

Currently, the webmin/server index panel reads “Link Type” and only seems to support HTTP/HTTPS-style RPC. On the other hand, virtualmin does have extensive CLI tools which should also be possible to run over SSH instead, as we know it also supports SSH for various things.

Maybe some of the webmin devs can briefly comment on this ?

thanks

Perhaps a feature to add in a next update of Virtualmin to allow secondary DNS communication easily between servers :)

People are overthinking this.

RPC isn’t root access… it only allows a particular user access to certain commands that root would have, and coupled with IP restrictions and SSL you’re safe.

It’s not brain surgery

okay, here’s what I’ve done so far, and it’s working nicely:

On the slave DNS server:

  1. go to webmin
  2. go to webmin/webmin users
  3. click "create a new webmin group"
  4. add a new secondary-dns group
  5. under "available modules" select "servers" and then "Bind DNS Server", save
  6. go back and edit the new group, go to "permissions for all modules" and enable "Can accept RPC calls"
  7. next, create a new webmin user, using the "secondary-dns" group we just created (member of group)
  8. check permissions again (RPC needed)
  9. edit "Security and limits options" add trusted IPs / hostnames there (only allow listed addresses)

On the master server:

  1. webmin/webmin server index
  2. register new server
  3. specify webmin hostname/port of the slave server
  4. enable SSL (needs to be enabled on the slave too)
  5. "Link type" via webmin (credentials as configured on the slave)
  6. enable fast RPC
  7. save & go back, to edit the new entry, and check the "status" line, which should read "Running Webmin ..."

Further details at:
http://doxfer.webmin.com/Webmin/WebminUsers

http://doxfer.webmin.com/Webmin/WebminServersIndex

http://doxfer.webmin.com/Webmin/ClusterWebminServers
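
To check the slave-side result of steps 1-9 above, the script below lists every account with the RPC right and flags any that has modules beyond the two selected in step 5 or no address restriction from step 9; it is an added example, not part of the original post or of Webmin. The file formats (`user: module ...` lines, an `rpc` key in a per-user ACL), the module names `servers` and `bind8`, the function names and all sample data are assumptions or constructed for illustration.

```python
# Added example: audit which Webmin users can accept RPC calls.
# ASSUMPTIONS: the webmin.acl line format ("user: module module ...") and a
# per-user global ACL with an "rpc" key; all sample data below is constructed.

# Module directory names assumed for "Webmin Servers Index" and "BIND DNS Server".
ALLOWED_MODULES = {"servers", "bind8"}

def parse_module_acl(text):
    """Parse 'user: mod1 mod2' lines into {user: set_of_modules}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, mods = line.split(":", 1)
        users[user.strip()] = set(mods.split())
    return users

def parse_kv(text):
    """Parse simple key=value lines into a dict."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def audit_rpc_users(module_acl, global_acls, ip_allow):
    """Return {user: [issues]} for every user with the RPC right enabled."""
    modules = parse_module_acl(module_acl)
    findings = {}
    for user, acl_text in global_acls.items():
        if parse_kv(acl_text).get("rpc") != "1":  # assumed: 1 = can accept RPC
            continue
        issues = []
        extra = modules.get(user, set()) - ALLOWED_MODULES
        if extra:
            issues.append("extra modules: " + ", ".join(sorted(extra)))
        if not ip_allow.get(user):  # step 9: only allow listed addresses
            issues.append("no IP restriction")
        findings[user] = issues
    return findings

# Constructed sample data (not taken from any real server).
SAMPLE_MODULE_ACL = "root: acl bind8 servers webmin\nsecdns: servers bind8\ndnspeer: servers bind8 cron\n"
SAMPLE_GLOBAL_ACLS = {"root": "rpc=0", "secdns": "rpc=1", "dnspeer": "rpc=1"}
SAMPLE_IP_ALLOW = {"secdns": ["192.0.2.10"], "dnspeer": []}

if __name__ == "__main__":
    for user, issues in audit_rpc_users(SAMPLE_MODULE_ACL, SAMPLE_GLOBAL_ACLS, SAMPLE_IP_ALLOW).items():
        print(user, "->", issues or "OK")
```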

Perfect !!

ya, it only took 2 minutes to set up actually - i.e. much less time than we spent here talking about it…
it would be even better if webmin could show the status line without having to edit the entry first :)

But a really awesome feature would be “pairing” of volunteers who are willing to offer mutual slave DNS - i.e. if people who need slave DNS could just browse a list of other volunteers and select them by location/domain.
The whole concept could be generalized and even provide redundancy for other features like mail (postfix) or httpd clustering - there are so many people in this community, why not leverage all that power and allow them to easily team up with each other to increase their redundancy and get rid of SPOFs

(it only just occurred to me that the whole could be fully automated by directly using the “cluster” feature in webmin using a little helper module)

In the meantime, it would be great if we could have a wiki page or sticky forum thread for people to offer mutual DNS.