Ignorance regarding Name Servers

Hi everyone!

My set-up works, but I don’t understand Name Servers … and it would be really cool if someone can enlighten me.

As far as I understand:

System Hostname = “Irrelevant name” we give our “machine”
Primary Nameserver = It has to be resolvable and contains a subdomain like for example “ns1” and a domain name I own, otherwise my sites will never be online.
Virtual Servers = My websites and are linked to the domain names I own

But what are Primary and Secondary Nameservers on Virtualmin and what is their function?

Why do they have to contain a domain name I own?

Are they some sort of 5th-level DNS server?

Thanks in advance :peace_symbol::heart:

My hostname for the Virtualmin server is vps01.indiax.com and the name servers I use are dns1.indiax.com and dns2.indiax.com. I use my domain registrar’s control panel to point vps01, dns1 and dns2 to the ip address of the server on which I have installed Virtualmin.

In Virtualmin on vps01.indiax.com I create a virtual server named vps01.indiax.com (but disable mail) and use it as the default website for the server. I apply for SSL certificates using Let’s Encrypt and then use the ‘Copy to Webmin’ and associated buttons to apply the SSL certificate of vps01 to Postfix, Dovecot etc.

One little trick that you could use @Centaro is to configure your domain registrar’s control panel to point the NS record of your domain to the name servers you have in Virtualmin. This will let you create subdomains under your hostname as virtual servers in Virtualmin without needing you to manually update your domain registrar’s control panel. Dig vps07.indiax.com to see how this works.

Hi @Calport! Thanks for your answer, but I am looking for an explanatory answer to my questions, not a step-by-step guide. The services I need are up and running. Thanks though =)

Very well, I shall try again. May I illustrate my answers and comments with examples and additional info in the interest of completeness as well as to assist others who might find this thread and need more info than you do, @Centaro?

Nameservers in Virtualmin enable you and your clients the convenience of having the entire set of DNS records created and configured correctly and automatically for the domains which are hosted on the Virtualmin server. To avail of this convenience, all that you or your client has to do is point the hosted domain’s DNS records to those specified in Virtualmin.

For example, if the Virtualmin hostname is vps01.indiax.com, the nameservers created for it are dns1.indiax.com and dns2.indiax.com and one of the domains hosted on that server is hosted.com, then all that you or your client has to do is point hosted.com’s nameserver records to dns1… and dns2… for all the DNS records for that domain, such as A records for the IP address, TXT records for SPF, DKIM etc., to be correctly configured and managed automatically by Virtualmin. In this context, and in answer to your question @Centaro, the function of Virtualmin’s nameservers is to keep current and serve to the rest of the net the authoritative DNS records for the domains which are hosted on the Virtualmin server.

When installing Virtualmin you must specify a set of DNS servers to use BIND (and subsequently DKIM and other goodies which depend on BIND) and the easiest / quickest way to do this is to use one of your own domains / subdomains.

I would like to point out that many people set up name servers in Virtualmin at the time of installation but do not use them, preferring to use a third party DNS service with the domains that they host under Virtualmin. Such services could be free or paid and the paid ones offer advantages which are not available via Virtualmin. When a third party DNS service is used, Virtualmin nevertheless maintains its own set of DNS records for the domains which are hosted on the server and may even use the service for its own internal functions.

I must also add that primary and secondary nameservers are supposed to be on separate networks for redundancy, however in Virtualmin both can be and often are on the same server, a little hack for compliance with the purist / legacy systems on the net.

In conclusion, if you do not know much about nameservers then the best thing for you to do would be to go along with the default workflow when installing Virtualmin and then point the nameservers of the domains that you wish to host to the nameservers that you have specified at the time of installing Virtualmin.

They are the name servers you plan to host your domains on. If you don’t want to have Virtualmin manage your name servers, don’t put anything in the additional name servers field. But, be aware you’re making quite a bit of extra work for yourself if you don’t let Virtualmin manage DNS (but Virtualmin doesn’t care).

They don’t. But if you don’t plan to host your own DNS, you shouldn’t put anything in the additional name servers. If you are hosting your own DNS, then the additional name servers should obviously be servers you control, but there is no requirement that you own the domains they’re on (though I can’t imagine that’s a common scenario).

Ok, but they have to point to an actual domain name as in “domain.com” and they have to create a subdomain, where BIND stores the DNS records.

Is that correct, guys? @Joe @calport

Ok, I am running BIND on my sites and dig shows the authoritative DNS is my name server. So the DNS records I create on my registrar are pointing to the DNS records I have on my nameserver.

Is that right?

Thanks again guys. Loved the answers … and @Joe’s answer was the same as in his YouTube video word by word. You are reading it off the script!! :laughing:

I think you’re misunderstanding what that field does (I assume we’re talking about additional name servers field in the setup wizard). It does not cause any records to be created on those additional servers, it just adds them as NS records to the zones Virtualmin creates.

If you want records to be created automatically on those additional servers, you need to set up Webmin and BIND DNS Slave configuration on the additional servers. DNS Slave Auto-configuration – Virtualmin

Or, if you have many Virtualmin servers, Cloudmin Professional has a Services feature for DNS that does a bit of it automatically.

Those NS records could point to a server you don’t manage, if you wanted to have Virtualmin manage DNS locally, and you also planned to duplicate those records to the other servers (somehow other than making a BIND slave configuration).

Worth noting, because you need to have two DNS servers to make registrars happy, some people give their one Virtualmin server two IPs and two names and the second name gets put in the additional name servers field (and is the second NS record). But, that’s not really recommended, it’s best to have two real DNS servers and set up the second as a slave.

I’d recommend you read up on DNS. Our docs in the Webmin wiki are a reasonable start. BIND DNS Server | Webmin

I am actually trying to understand the Primary Nameserver first … I left Secondary Nameservers 'cause I assumed they might be slaves to the Primary Nameserver which would be a master? … Like automatic copies of the Primary Nameserver or copies you have to set up.

But what is a name server?

The last attempt at trying to understand the concept is that … name servers are synonymous with authoritative name servers and are the bottom of the DNS tree. And resolvers (ISPs) communicate with them to retrieve their DNS records.

So the Primary Nameserver we create upon installing Virtualmin creates, stores and manages all of these DNS records through BIND?

But I still don’t understand why the machine can have any name … the primary name server has to have an actual domain name and an arbitrary subdomain.

Like my host name can be “fake.whatever.tld” and my primary name server has to be “ns1.domain-I-actually-bought.tld” …

because a primary name server won’t work if I give it “thisis.alsofake.tld”. I have tried it.

I will read the Webmin documentation though. Thanks for the hint. I think what threw me off the most is the fact that people call them different names … like “Authoritative Name Servers”, “Name Servers”, and then on Virtualmin we go for “Nameservers” …

I found this to be the most confusing part of the process … it is via Virtualmin that I am starting to deepen my knowledge and expand my skillset, but that little detail threw me a bit off. Have you considered using “Primary Name Server” or “Primary Authoritative Name Server” instead? I think that blank space would improve the UI a bit … especially for noobs like me :laughing: :heart: :peace_symbol:

Just a suggestion though. I love your work and I am as thankful as can be. Thanks to the whole VMin team <3

Now … let’s read a bit of documentation =)

To people who understand DNS, please forgive me as I make some generalisations…

BIND is software that is commonly used for name servers. It can be configured quite flexibly which is why you see it used so often. The principles I explain below are not limited to BIND, but can be used with almost any name server software worth your time.

Authoritative Name Server has a specific meaning. It means the name server holds the master records for a domain (as opposed to them having been cached somewhere by a Recursive Name Server). If you want the exact, up-to-date record, you ask the authoritative name server. These are also either primary or secondary name servers, by the way.

A Recursive Name Server is a name server that goes out and fetches records for you. Your computer will have been configured to use name servers (either statically or via DHCP) so that you can resolve names on the internet. Those servers will be configured to allow recursive queries. When your computer needs to find the IP address of a site you want to visit, it asks the name server to find the record, and it does that by asking other servers in a specific order until it finds the record and sends it back to your computer.

Authoritative name servers for your domain are what you would tell your domain registrar about when you delegate (tell the registrar where your name servers are) your domain.

Name servers are usually either authoritative, recursive, or both. They don’t have to be primary or secondary (but they may be), as those terms have other meanings.

A primary name server is the one that holds the copy of the domain records (usually referred to as a zone file) that gets edited when changes are made. Secondary name servers receive a copy of this file after changes were made on the primary name server. Every zone has only one primary name server, but can have many secondary name servers. As Joe mentioned, best practice requires your zone files to be on two servers, so in practice you will always have one primary name server, and should also have a secondary name server.

How does that relate to Virtualmin?

Assuming a vanilla installation, when you create new virtual servers Virtualmin creates a zone file for that domain. When that happens, your Virtualmin server is the primary name server for that zone. It is possible you may have more than one Virtualmin server. Each would be the primary name server for the zones they create. It is possible to configure Virtualmin/Webmin to be a secondary name server for the others. That is, a name server can be both primary and secondary at the same time.

There is much, much more that could be explained, but it may be worth checking out some sites dedicated to that.

As Joe mentioned, it is possible you might want to have other servers handle your DNS rather than Virtualmin. That is up to you but as said, it is more work for you.

2 Likes

Thanks @noisemarine!

So … ISPs have, I assume, primary and secondary recursive name servers (also called resolvers?) that cache the most demanded DNS records in an area for quick access … and my Virtualmin server is acting, I guess, as a primary authoritative name server.

I am reading documentation and I got to read /etc/named.conf where it says

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;

This gives me the impression that a name server cannot be both? But I assume you are right and there is a work-around … not that I need to know about setting it up, because I think all I need is an authoritative name server so my websites can be found online … which they are even if my BIND server has recursion enabled?

But then again … I only have a primary name server and I haven’t told my registrar about my primary name server because they want two name servers … I guess a primary and a secondary name server … so I have a feeling I am actually using my registrar’s name servers as authoritative name servers by default and that is why it makes sense that my BIND server is set to recursive?

:man_facepalming: Am I dumb or is this really complicated? :laughing:

Small typo in the documentation … “This form is only shown if Webmin detects that the configuration file named.conf does not exist, or if the zone files directory that is specifies is non-existent.”

is should be it … or maybe specifies should be specified?

Tryna give a bit back even if it is not much. Also … the pictures are a little bit out of date, but the new interface for the Existing DNS Zones is way better now :wink: :+1:

Kind of. There’s reasons for configuring things certain ways.

When you publish your zone on authoritative servers, and assuming you have told the registrar about them, you are essentially inviting everybody on the internet to connect to your server and ask about records they may contain, such as where to find your web and email servers. Generally speaking, you want this.

On the other hand, a recursive name server will not only go and get the record you want if it is not authoritative for it, it will often cache the result. This means it doesn’t have to go through the whole process every time you want to visit your favourite sites as it will just tell you the record it has remembered. This speeds things up and reduces unnecessary network traffic. Eventually the cached records expire and it looks them up again the next time it’s asked. You can control how long other recursive servers cache your zone records using the TTL (Time To Live) value in your DNS record entries, by the way. Anyway, it can be possible for bad actors to cause a recursive server to cache a fake record (known as cache poisoning). That might cause unsuspecting users to end up at a faked website where further bad things could happen. You do NOT want this. Publicly accessible recursive name servers are generally considered to be a bad thing. So, admins will usually lock down who has access to the recursive function on a name server, or just disable it when it isn’t needed.

Examples of both authoritative and recursive servers:

  • Your own Virtualmin instance. It is authoritative for the zones you create, allowing everyone to request information about records in the zone files. It is recursive for the other services that run on the server (i.e. email).
  • I run a Raspberry Pi on my home network. I have some internal zones (authoritative) and it does lookups for devices on my LAN (recursive). In this instance, even though it is a primary name server, I don’t have a secondary name server because I’m not making the records publicly available (no registrars griping at me).

Examples of recursive only name servers are Google (8.8.4.4 and 8.8.8.8), and most likely the internet modem/router at your house.

Like I said, there can be a lot involved. There are entire books that have been written on the subject. Good luck with your web hosting journey. Being curious is a good trait. :+1:

Ok … so I cannot run mail services without being somewhat partially recursive and that is why my /etc/named.conf has recursion turned on?

I haven’t yet had a look at Postfix … but I am sure I wouldn’t like to contribute to an insecure network.

Virtualmin configures BIND to only be recursive for localnets (or maybe localhost) during installation. If you’re seeing other behavior that would be a bug in the installation process and we’d like to know about it.

The default BIND configuration in Virtualmin is to be both recursive (for local) and authoritative (for domains it hosts).

1 Like

Hi @Joe

Like I said … my named.conf has recursion enabled by default.

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;

It also says it is the “caching only nameserver” version of the file.

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).

So … that’s in place I guess! No bugs!

But it also has the links to my domains’ master zones? Does that make it authoritative for domains? I think so … but I could be wrong. Is having those links the criteria for it being authoritative for those domains? They are master zones …

Keep reading. All will be revealed by the rest of the config file. :wink:

That’s where the file ends! I’ve been reading it for 3 days … maybe 7 times … it is pretty short and I don’t think I can tell you much more about the authoritative configuration … :laughing:

allow-recursion { localnets; 127.0.0.1; };

The master zones for my domains go

allow-transfer { localnets; 127.0.0.1; };

instead, and that I think is by default.
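As an added example (not from anyone in this thread or from the Virtualmin project), a small Python checker that reads a constructed named.conf modelled on the excerpts quoted above and reports the two things being discussed: whether the recursive function is restricted to local networks (as Joe describes) or open to the whole internet (the amplification and cache-poisoning risk the Red Hat comment warns about), and which zones the server is authoritative for (master/slave zones count, the root hint zone does not). Zone names, file paths and the 192.0.2.10 primary are constructed sample values.

```python
import re
# Constructed named.conf sample modelled on the excerpts quoted in this thread: recursion
# enabled but restricted to local networks, a root hint zone, and the zones the server hosts.
SAMPLE_NAMED_CONF = """
// caching only nameserver (as a localhost DNS resolver only) -- plus hosted zones
options {
    recursion yes;
    allow-recursion { localnets; 127.0.0.1; };
    allow-transfer { localnets; 127.0.0.1; };
};
zone "." IN { type hint; file "named.ca"; };
zone "hosted.example" { type master; file "/var/named/hosted.example.hosts"; };
zone "other.example" { type slave; masters { 192.0.2.10; }; file "slaves/other.hosts"; };
"""
AUTHORITATIVE_TYPES = {"master", "primary", "slave", "secondary"}
OPEN_ACLS = {"any", "0.0.0.0/0", "::/0"}

def _strip_comments(text):
    """Drop /* */, // and # comments so braces inside them are not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def _block(text, header_re):
    """Return the brace-matched body of the first block whose header matches header_re."""
    m = re.search(header_re + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return None

def recursion_posture(conf):
    """Classify how the options block exposes the recursive (resolver) function."""
    opts = _block(_strip_comments(conf), r"\boptions") or ""
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    if rec and rec.group(1) == "no":
        return "authoritative-only"          # resolver function disabled (BIND defaults to yes)
    acl = _block(opts, r"\ballow-recursion")
    if acl is None:
        return "recursion-no-explicit-acl"   # BIND's built-in default applies; review it
    if {t.strip() for t in acl.split(";")} & OPEN_ACLS:
        return "open-resolver"               # anyone may recurse: amplification/poisoning risk
    return "restricted-recursion"            # e.g. localnets; 127.0.0.1 as in the thread's file

def zone_roles(conf):
    """Map each zone to its type; master/slave zones are answered authoritatively, hints are not."""
    conf, roles = _strip_comments(conf), {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        body = _block(conf[m.start():], r'zone\s+"[^"]+"(?:\s+IN)?') or ""
        t = re.search(r"\btype\s+(\w+)\s*;", body)
        roles[m.group(1)] = t.group(1) if t else "unknown"
    return roles

def authoritative_for(conf):
    """Names this server answers authoritatively for, whatever its recursion setting."""
    return sorted(z for z, t in zone_roles(conf).items() if t in AUTHORITATIVE_TYPES)
```

Run it against the sample and it reports restricted recursion together with the two hosted zones, which is exactly the "recursive for local, authoritative for what it hosts" posture described earlier in the thread.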

Just a question. Why is it more work to use an external DNS? I don’t use BIND at all. DNS is handled by Cloudflare and it’s very convenient and totally free.

Instead of using Cloudflare or similar third party DNS to manage your domain records, if you use the default DNS server which is installed with Virtualmin, you will never have to manually set or update DNS records again for any of the domains that are hosted on the Virtualmin server.

This can save you a lot of time and effort. It can let you automate a lot of things. All you have to do to use the DNS servers of Virtualmin is point the NS record of the domain to it and then Virtualmin takes care of everything else.