Ns server for backup (NS2)

Hello. At the moment I have an ip from contabo on the server and I have an ns server (NS1). In order to have a second ns server for backup (NS2), what do I need to do? Should I ask for a second ip?

To be a real backup it has to be another server and IP otherwise it’s the same server. Most people using cPanel have 1 server, 1 IP and both ns1 and ns2 pointing to them.

You are right, we need to have a minimum of two name servers for backup and if they both point to the same server and same IP and same network then it rather defeats the purpose of having two.

It would be so nice if the Virtualmin community could come together and offer to host secondary name servers for each other.

Just an idea.

Edit: I don’t think there are any legal liabilities involved with this, at least in my own country - which looks upon us service providers as intermediary and in case of any problem with the content of a website, we co-operate with law enforcement and there are no further problems for us.

I’ve done that in the past but no one took me up on the offer

Since I only have one server and one IP in order to have DNS redundancy I use the name servers at my domain registrar (NameSilo). That doesn’t allow me to make custom ns names. I feel confident in their ability to run reliable DNS servers. My DNS always propagates in 15-30 min. For me it’s just easier.

If you use external DNS Virtualmin has to know it is not handling your DNS.

If you use external DNS go to System Settings > Features and Plugins > uncheck DNS domain

You can then go to DNS Records while on any server and get all the suggested records to put in your external DNS provider.

Having 2 nameservers will only make sense if you have redundancy for your websites as well.

If you only have 1 server for your websites and this goes down it is pointless having a secondary nameserver because the websites have gone down.

Not precisely true, especially for commercial sites. It is about what your browser returns. You really want to return some acknowledgment the site exists. No DNS makes it look like it is gone. Secondary allows your browser to complain the site is not responding.

1 Like

That is, if I understood correctly, I must have 2 servers to have an ns2 name server? In contabo I see dns settings, but I have not configured anything there.

Ideally you must have two name servers on two different servers which are on two different networks so that there is redundancy.

But if that is not possible then you could have the appearance of having redundancy by creating two subdomains, dns1 and dns2 pointing to the same single server, the same IP address and the same network.

Most domain registrars will accept such non-redundant name servers without fuss, but not all.

2 Likes
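A quick way to tell the two situations described above apart (real redundancy versus dns1/dns2 that resolve to the same box) is to check where the NS records actually point. The helper below is an added example, not Virtualmin code: it parses dig-style answer lines (the sample lines are constructed) and flags a zone whose nameservers share one address or one network. The /24 and /48 prefix lengths used as the "same network" heuristic are an assumption; adjust them to how your provider allocates addresses.

```python
"""Check whether a domain's advertised nameservers give real redundancy."""
import ipaddress
import re

# Matches answer lines such as: "ns1.example.com.  3600  IN  A  203.0.113.10"
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")


def parse_answers(lines):
    """Return ({zone: {ns hostnames}}, {hostname: {ip addresses}}) from dig-style lines."""
    ns_by_zone, addr_by_host = {}, {}
    for line in lines:
        m = _RR.match(line.strip())
        if not m:
            continue  # blank lines, comments and record types we do not need
        owner, _ttl, rtype, rdata = m.groups()
        owner = owner.lower().rstrip(".")
        if rtype == "NS":
            ns_by_zone.setdefault(owner, set()).add(rdata.lower().rstrip("."))
        else:
            addr_by_host.setdefault(owner, set()).add(ipaddress.ip_address(rdata))
    return ns_by_zone, addr_by_host


def redundancy_report(zone, ns_by_zone, addr_by_host, prefix_v4=24, prefix_v6=48):
    """Summarise the nameserver set for `zone` and list anything that defeats redundancy."""
    nameservers = sorted(ns_by_zone.get(zone, set()))
    addrs, unresolved = set(), []
    for ns in nameservers:
        ips = addr_by_host.get(ns)
        if ips:
            addrs |= ips
        else:
            unresolved.append(ns)
    # Collapse addresses to their network so ns1/ns2 on adjacent IPs are still caught.
    networks = set()
    for ip in addrs:
        plen = prefix_v4 if ip.version == 4 else prefix_v6
        networks.add(ipaddress.ip_network(f"{ip}/{plen}", strict=False))
    issues = []
    if len(nameservers) < 2:
        issues.append("fewer than two NS records")
    if unresolved:
        issues.append("nameserver without address: " + ", ".join(unresolved))
    if len(nameservers) >= 2 and len(addrs) < 2:
        issues.append("all nameservers share one IP address")
    elif len(addrs) >= 2 and len(networks) < 2:
        issues.append("all nameserver addresses are in one network")
    return {
        "nameservers": nameservers,
        "addresses": sorted(str(a) for a in addrs),
        "networks": sorted(str(n) for n in networks),
        "issues": issues,
    }


def check(lines, zone="example.com"):
    """Convenience wrapper: parse the lines and report on one zone."""
    ns_by_zone, addr_by_host = parse_answers(lines)
    return redundancy_report(zone, ns_by_zone, addr_by_host)


# Constructed sample answers (documentation-range addresses), one per situation.
SAME_SERVER = [
    "example.com.      86400  IN  NS  ns1.example.com.",
    "example.com.      86400  IN  NS  ns2.example.com.",
    "ns1.example.com.  3600   IN  A   203.0.113.10",
    "ns2.example.com.  3600   IN  A   203.0.113.10",
]
SAME_NETWORK = SAME_SERVER[:3] + ["ns2.example.com.  3600   IN  A   203.0.113.11"]
REDUNDANT = SAME_SERVER[:3] + ["ns2.example.com.  3600   IN  A   198.51.100.7"]
SINGLE_NS = SAME_SERVER[:1] + SAME_SERVER[2:3]

if __name__ == "__main__":
    for label, lines in [("same server", SAME_SERVER), ("same network", SAME_NETWORK),
                         ("redundant", REDUNDANT), ("single NS", SINGLE_NS)]:
        print(label, "->", check(lines)["issues"] or "ok")
```

In practice you would fill the input with the output of `dig NS example.com` followed by `dig A` / `dig AAAA` for each nameserver name; the report then shows whether a registrar that accepted two nameserver names actually got two independent servers.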

I like the spirit of this idea, but I can’t recommend it. DNS is literally the keys to the kingdom, and a secondary is an administrative concept, not a security feature. A secondary can be turned into a primary, and your records could be compromised by the person or company hosting it. You’re trusting not only good intentions on the part of anyone hosting your DNS but good security practices. If they’re compromised, you’re compromised.

With DNS, someone can send spam on behalf of your domain, because they could change SPF, DMARC, and DKIM. With DNS, they can get a TLS cert from Let’s Encrypt. With DNS, they can implement any MITM attack they want, in a way that is almost entirely undetectable; it’s based on a race (being the DNS server that gets queried first and responds first), but ~50% odds of a successful MITM is a big gaping hole. DNS is cached, so if they win the race once, a user’s entire session will likely go to the attacker, making it invisible to the user and to you. You could try to monitor it, but a clever/industrious attacker could probably detect that and serve you a custom view, so you’d need more infrastructure than what a DNS server would cost to evade their detection.

DNS is dangerous. Trusting it to your registrar is one thing (unless that registrar has a history of terrible security, as at least one major registrar has exhibited). Trusting it to something like Amazon Route 53 is also reasonable. They have security teams and full-time admins. Trusting it to a random person you only know from a forum is, unfortunately, not a reasonable choice for most people. A few bucks for another VM or a dollar a month per zone for Route 53 is a small price to pay for avoiding a very risky practice.

I’m not saying anyone here is untrustworthy; I think all the regulars here are pretty standup guys/gals/pals. But, security is hard.

1 Like
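The monitoring Joe mentions comes down to asking every listed nameserver the same questions and alerting when their answers differ from the zone you actually publish. The helper below is an added example, not Virtualmin or Joe's code: it takes a snapshot of each server's answers (the snapshots here are constructed) and lists every record set where a secondary disagrees with the primary, including records that exist on only one side. Collecting the snapshots by querying each server directly (for instance with `dig @ns2.example.com`) is assumed to happen outside this code.

```python
"""Report where authoritative nameservers disagree about the same zone."""


def compare_zone_views(primary, secondary):
    """Return [(name, rtype, primary_rdata, secondary_rdata)] for every record set that differs.

    Views are dicts keyed by (owner name, record type) with a set of rdata strings.
    An empty list means the secondary serves exactly what the primary serves.
    """
    diffs = []
    for key in sorted(set(primary) | set(secondary)):
        p = frozenset(primary.get(key, ()))
        s = frozenset(secondary.get(key, ()))
        if p != s:
            diffs.append((key[0], key[1], sorted(p), sorted(s)))
    return diffs


def audit(snapshots, primary_name):
    """Compare every other server's view against the primary's; return {server: diffs}."""
    primary = snapshots[primary_name]
    return {server: compare_zone_views(primary, view)
            for server, view in snapshots.items() if server != primary_name}


# Constructed snapshots. The primary is the zone as you published it.
PRIMARY = {
    ("example.com", "SOA"): {"ns1.example.com. hostmaster.example.com. 2024060101 3600 900 1209600 300"},
    ("example.com", "A"): {"203.0.113.10"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "TXT"): {'"v=spf1 a mx -all"'},
}
# A secondary that transferred the zone correctly answers identically.
HEALTHY_SECONDARY = {k: set(v) for k, v in PRIMARY.items()}
# A secondary that is stale or tampered with: older serial, an extra address, SPF gone.
DIVERGENT_SECONDARY = {
    ("example.com", "SOA"): {"ns1.example.com. hostmaster.example.com. 2024053001 3600 900 1209600 300"},
    ("example.com", "A"): {"203.0.113.10", "198.51.100.99"},
    ("example.com", "MX"): {"10 mail.example.com."},
}
SNAPSHOTS = {
    "ns1.example.com": PRIMARY,
    "ns2.example.com": HEALTHY_SECONDARY,
    "ns3.example.com": DIVERGENT_SECONDARY,
}


def check_all():
    """Audit the constructed snapshots against the primary."""
    return audit(SNAPSHOTS, "ns1.example.com")


if __name__ == "__main__":
    for server, diffs in check_all().items():
        print(server, "consistent" if not diffs else "")
        for name, rtype, ours, theirs in diffs:
            print(f"  {name} {rtype}: primary={ours} secondary={theirs}")
```

Run on a schedule from a host other than the nameservers themselves, a non-empty diff for any server is the signal to investigate; the SOA serial line also separates a secondary that merely fell behind on zone transfers from one that serves records you never published.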

Very true, Joe. In light of all this it’s best to let each admin host his own DNS or use the DNS of a third party such as the domain registrar.

But could we not have something ready to offer those who are newbies and need just a stop gap solution for DNS while they put Virtualmin through its paces?

Such a thing would be of great convenience to newbies.

I don’t know how to do that safely. If we implemented something, we couldn’t do it for free (it’s a pretty big investment of time and money to do it well). If volunteers do it, we’re getting newbies comfortable with something that they probably shouldn’t be comfortable with; even some experienced admins don’t realize all the security implications of outsourcing DNS. Every time my day job gets a new web design contractor, I have to give them the speech about why I won’t give them the ability to manage our DNS directly.

It’s one of the reasons we started adding cloud DNS APIs, and eventually a few more of those will probably trickle into Virtualmin GPL.

But, I think using your registrar’s DNS servers is no more difficult than setting up a secondary. I don’t think telling a newbie to set up a primary/secondary relationship is making it easier for them than just saying, “It’s fine to use your registrar’s DNS servers until you’re comfortable self-hosting. Just turn off the DNS Feature, and Virtualmin will show you suggested records to add to your registrar’s DNS servers.”

Yes.

Then perhaps this communication (or words to that effect) should be included in the post install wizard on the screen where name servers are being specified.

We have a wizard. Let’s use it to make it super easy for newbies to get their first few domains working with Virtualmin. A little bit of spoon-feeding the newbie admin in the wizard will have a positive impact on the adoption rate of Virtualmin, I am sure.

I think you can use their DNS free of charge.

1 Like

For normal people coming to Virtualmin and self hosting I would say, if you are hosting websites you might as well host the DNS, it is easy to set up and there are various guides out there.

Redundant nameservers can be useful if you are doing enterprise websites but other than that just use Virtualmin.

1 Like