SOLVED Amazon Linux 2016.03 / cPanel DNSONLY / Bind Defaults

[oldchili]

Hello,

Installing cPanel DNSONLY on Amazon Linux 2016.03 is pretty straight forward, however there is an issue with BIND's default /etc/named.conf vanilla setup. Bind on Amazon Linux is installed as a caching only nameserver. This is an issue when creating your own public ns1. and ns2. nameservers.

You can see the following default configuration below which clearly states is for caching only nameserver:

include "/etc/rndc.key";

controls {
  inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

//
// named.conf
//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
  listen-on { any; }; /*      updated by cPanel*/
  listen-on-v6 port 53 { ::1; };
  directory   "/var/named";
  dump-file   "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-query     { localhost; };
  recursion yes;
  dnssec-enable yes;
  dnssec-validation yes;
  dnssec-lookaside auto;

  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";
  managed-keys-directory "/var/named/dynamic";

};

logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};

zone "." IN {
  type hint;
  file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Under the default installation your nameservers will REFUSE all DNS queries from the public...

To fix this you need change

allow-query { localhost; }

to

allow-query { any; }

in order to allow zones to be queried.

I belive cPanel should update Amazon Linux's bind configurations from fresh install otherwise installing out of the box when creating public nameservers is broken.

 

[UHLHosting]

Hello,

Installing cPanel DNSONLY on Amazon Linux 2016.03 is pretty straight forward, however there is an issue with BIND's default /etc/named.conf vanilla setup. Bind on Amazon Linux is installed as a caching only nameserver. This is an issue when creating your own public ns1. and ns2. nameservers.

You can see the following default configuration below which clearly states is for caching only nameserver:

include "/etc/rndc.key";

controls {
  inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

//
// named.conf
//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
  listen-on { any; }; /*      updated by cPanel*/
  listen-on-v6 port 53 { ::1; };
  directory   "/var/named";
  dump-file   "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-query     { localhost; };
  recursion yes;
  dnssec-enable yes;
  dnssec-validation yes;
  dnssec-lookaside auto;

  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";
  managed-keys-directory "/var/named/dynamic";

};

logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};

zone "." IN {
  type hint;
  file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Under the default installation your nameservers will REFUSE all DNS queries from the public...

To fix this you need change

allow-query { localhost; }

to

allow-query { any; }

in order to allow zones to be queried.

I belive cPanel should update Amazon Linux's bind configurations from fresh install otherwise installing out of the box when creating public nameservers is broken.

How did you enabled DNSSEC since is not supported in cpanel or?

 

[cPanelMichael]

Installing cPanel DNSONLY on Amazon Linux 2016.03

Hello,

Could you verify the steps you took to install Amazon Linux? Did you use the Amazon AMI offered by cPanel?

Thank you.

 

[kbisignani]

I was able to confirm this is still the case today - I was able to set up Amazon Linux AMI on an Amazon EC2 instance (I think a perfect and inexpensive option for something like cPanel DNSONLY). The installation went pretty smooth. But I ran in to the same issues that @oldchili did.

The fix worked, but don't forget that you also need to restart the DNS service on the DNSONLY machine in order to for the changes to take effect.

 

[oldchili]

Hello,

Could you verify the steps you took to install Amazon Linux? Did you use the Amazon AMI offered by cPanel?

Thank you.

No I did not user the Amazon Linux AMI offered by cPanel because it's rarely up to date. Kinda disappointing this platform seems to lag behind CentOS compatibility.

 

[cPanelMichael]

No I did not user the Amazon Linux AMI offered by cPanel because it's rarely up to date. Kinda disappointing this platform seems to lag behind CentOS compatibility.

Thank you for the valued feedback. There are plans to streamline updated images in the future. In the meantime, we recommend installing the older version of cPanel included with the official AMI offered by cPanel and then manually updating cPanel to the newer version.

Thank you.