SOLVED Can I benefit from one DNSOnly or do I need two?

ronaldst

Well-Known Member
Feb 22, 2016
85
16
8
Norway
cPanel Access Level
Root Administrator
I have a small VPS in another datacenter, and consider running DNS Only on it. I have read up a little on the DNS cluster configuration, and it seems that any logical setup requires two DNS Only servers. I'm having a hard time wrapping my head around this; DNS is probably my weakest area of expertise.

I got two dedicated servers with their own nameservers running. My current setup:
server1.domain.com (running ns5.domain.com, ns6.domain.com)
server2.domain.com (running ns7.domain.com, ns8.domain.com)

vps1.domain.com (dnsonly, ns1.domain.com, ns2.domain.com)

Is there any benefit of running this kind of setup and how would it best be configured?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
Hello,

There's still a benefit from using DNS clustering with a single DNSOnly server. It adds redundancy in the event the web server fails because the name server is hosted outside of the primary web server. You would enable clustering and then configure NS5, NS6, NS7, and NS8 to IP addresses associated with the DNSOnly server.

Guide to DNS Cluster Configurations - cPanel Knowledge Base - cPanel Documentation

Thank you.
 

ronaldst

I apologize for my clumsiness on this one. How exactly is this done?

If I understand this correctly I am to enable clustering ("DNS Cluster" in WHM) on server1.domain.com and server2.domain.com, and on vps1.domain.com.

This leaves me with the option "Add a new server to the cluster", where I am prompted to enter "Remote cPanel & WHM DNS host", "Remote server username" and "Remote server API token or access hash". Once I type in a host, I am also given a "Generate API Token" option, so I assume this is the way to go.

These things aren't explained in the documentation, and as I said before, understanding how the DNS cluster and configurations are set is something I'm not grasping at the moment.
 

cPanelMichael

Hello,

You actually only need to configure clustering on the two web servers using the "WHM >> DNS Cluster" option. Use this option via WHM on each web server to add the DNSONLY server. You can choose "Synchronize" or "Write-Only" as the DNS role when doing this:

Synchronize: This method synchronizes records between the local server and the remote server.
Write-only: This method pushes the local server's records to write to the remote server, but does not query records from the remote server to write to the local server.
If you use "Synchronize" instead of "Write-Only" as the DNS roles, then it will prevent the creation of a DNS zone on any hosting server in the cluster if it already exists (e.g. Customer on Web Server 1 can't create addondomain123.tld if a customer on Web Server 2 has already created addondomain123.tld).

Also, remember to enable "Setup Reverse Trust Relationship" for the DNSONLY server you add when configuring clustering using the "WHM >> DNS Cluster" option on the web servers. If you select this option, you will not need to log in to WHM's DNS Cluster interface on the remote DNSONLY server.

As far as the authentication credentials, that's explained on the following document:

DNS Cluster - Version 70 Documentation - cPanel Documentation

Let us know if you have any additional questions.

Thank you.
 

ronaldst

That makes things a lot clearer, thank you.

Once this is set, do I assume correctly if my server domain should point from my registrar (godaddy) to ns1/ns2 on vps1?

Am I correct to keep running ns6/7 on server1, and ns7/8 on server2?

Do I change the nameservers in WHM on server1 to use ns1/ns2/ns6, and server2 to use ns1/ns2/ns8? Or do I keep them as is once the cluster is set up?
 

cPanelMichael

Hello,

The most common approach would be to create two name servers at the domain registrar. EX:

ns1.domain.tld - DNS-Only IP Address
ns2.domain.tld - DNS-Only IP Address

Then, set ns1.domain.tld and ns2.domain.tld as your default name servers for both hosting servers in "WHM >> Basic WebHost Manager Setup". Once you do this, you would change the name servers for each domain name at their domain registrars so they use "ns1.domain.tld" and "ns2.domain.tld". This way, if you ever want to transfer an account from one hosting server to another, the customer does not have to alter their name servers.

That said, as long as the existing name servers are setup at the domain registrar to point to the DNS-Only IP addresses, you can continue using the existing name servers (e.g. NS6/NS7) without issue. EX:

ns1.domain.tld - DNS-Only IP 10.1.1.2
ns2.domain.tld - DNS-Only IP 10.1.1.3
ns6.domain.tld - DNS-Only IP 10.1.1.2
ns7.domain.tld - DNS-Only IP 10.1.1.3

It's acceptable to use the same IP address for multiple name servers at the registrar.

Thank you.
 

ronaldst

Thank you, appreciate the detailed guidance on this.

I have set everything up on server1.domain.com and vps1.domain.com (dnsonly) for testing. Things seem to be working fine, I do however have issues on the main domain now, and a few questions still. Let me explain.

First off, I've enabled DNS Cluster on vps1.domain.com, and I've created API Tokens on the vps1.domain.com (dnsonly) with the privileges "Account Information, DNS, Clustering" (recursive, all options in those categories).

On server1.domain.com I've added ns1.domain.com and ns2.domain.com in the DNS Cluster configuration. I've chosen "Setup Reverse Trust Relationship" and enabled "Debug mode". I've chosen "Write Only" for DNS Role.

I have not done anything on the DNS Only server other than that. Have not linked any API Tokens located on server1.domain.com.

I've changed nameservers at the registrar to ns1.domain.com and ns2.domain.com on the main domain (domain.com). I've also "Edited DNS Zone" on domains bound to accounts on server1.domain.com (example.account1.com, example.account2.com and so on) to use ns1.domain.com and ns2.domain.com.

The result is good, the domain server2.domain.com, server3.domain.com, and the account domains are resolving, email is working and so on.

However, my main domain is not resolving. I have an account on server1.domain.com where the server domain's website is hosted from (www.domain.com, shared IP to server1.domain.com), and this is not resolving. I am thinking I have missed something, but I am not able to figure out what.

I've edited the nameservers in "Edit DNS Zone" for www.domain.com to use ns6.domain.com and ns7.domain.com (which still runs and points to server1.domain.com dns server), and it is now working.

Is this normal behaviour or have I missed something?

Thanks again.
 

cPanelMichael

> On server1.domain.com I've added ns1.domain.com and ns2.domain.com in the DNS Cluster configuration. I've chosen "Setup Reverse Trust Relationship" and enabled "Debug mode". I've chosen "Write Only" for DNS Role.

To clarify, did you add two servers to the cluster? You should have only added the single DNS-Only server here since both NS1 and NS2 point to the DNS-Only server.

> I've edited the nameservers in "Edit DNS Zone" for www.domain.com to use ns6.domain.com and ns7.domain.com (which still runs and points to server1.domain.com dns server), and it is now working.

Generally, there's no separate DNS zone for the "www" subdomain. Instead, "www" is simply an alias and exists as a record in the DNS zone of the parent domain (e.g. domain.com). Were you just using "www" as an example? If so, then it's possible that updating the zone is what solved the issue as opposed to changing the name servers in the zone. For instance, if you change the name servers back to NS1 and NS2 in the zone, does the issue occur again?

Thank you.
 

ronaldst

> To clarify, did you add two servers to the cluster? You should have only added the single DNS-Only server here since both NS1 and NS2 point to the DNS-Only server.

That does make sense now, I should have realized. I have removed ns2.domain.com from the Cluster.

> Generally, there's no separate DNS zone for the "www" subdomain. Instead, "www" is simply an alias and exists as a record in the DNS zone of the parent domain (e.g. domain.com). Were you just using "www" as an example? If so, then it's possible that updating the zone is what solved the issue as opposed to changing the name servers in the zone. For instance, if you change the name servers back to NS1 and NS2 in the zone, does the issue occur again?

It was only an example. I was referring to domain.com. I have changed the zone back to ns1/ns2 and it does seem to be working as intended now.

I tested domain.com in Pingdom's DNS check tool, and some errors show up.
Delegation
Name servers listed at parent: ns1.domain.com,ns2.domain.com
Name servers listed at child: ns7.domain.com,ns8.domain.com
Superfluous name server listed at parent: ns1.domain.com
Superfluous name server listed at parent: ns2.domain.com
Total parent/child glue mismatch.

Additional name server listed at child: ns7.domain.com
Additional name server listed at child: ns8.domain.com
No IPv6 name servers found.
Parent glue for domain.com found: ns1.domain.com (ip.ip.ip.213)
Parent glue for domain.com found: ns2.domain.com (ip.ip.ip.214)
Checking glue for ns1.domain.com (ip.ip.ip.213).
Child glue for domain.com found: ns1.domain.com (ip.ip.ip.213)
Checking glue for ns2.domain.com (ip.ip.ip.214).
Child glue for domain.com found: ns2.domain.com (ip.ip.ip.214)
Parent glue for domain.com found: ns1.domain.com (ip.ip.ip.213)
Parent glue for domain.com found: ns2.domain.com (ip.ip.ip.214)

At this point I have not done anything with ns7/ns8. These are running on their separate IPs and have zones listed on server1. Are you able to shed any light on this?

Thanks again!
 

cPanelMichael

Hello,

I'm glad to see the DNS is propagating well now. The warning messages from that online checker appear because the DNS zone for that domain name uses NS7/NS8 instead of NS1/NS2. You can update the name servers for this domain name at the domain registrar or in its DNS zone to ensure they match. That said, those are just warning messages and shouldn't actually affect DNS propagation unless the IP addresses were different.

Thank you.
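
The parent/child comparison behind those checker warnings, as an added example that is not part of the original thread or of cPanel's tooling: it compares the NS set delegated at the parent with the NS set in the zone itself, and separates a name-only mismatch from one where the addresses differ. The record text is constructed sample data with documentation-range addresses, and it assumes in-zone name servers whose A records are present on both sides.

```python
# Added example. All records below are constructed sample data using
# documentation-range addresses; they are not taken from the thread.
PARENT_REFERRAL = """\
domain.com.     172800 IN NS ns1.domain.com.
domain.com.     172800 IN NS ns2.domain.com.
ns1.domain.com. 172800 IN A  192.0.2.213
ns2.domain.com. 172800 IN A  192.0.2.214
"""
CHILD_ZONE = """\
domain.com.     86400 IN NS ns7.domain.com.
domain.com.     86400 IN NS ns8.domain.com.
ns7.domain.com. 14400 IN A  192.0.2.213
ns8.domain.com. 14400 IN A  192.0.2.214
"""


def parse_records(text, zone):
    """Return (NS names for `zone`, {host: set of A addresses})."""
    zone = zone.lower().rstrip(".") + "."
    ns_names, addresses = set(), {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN":
            continue  # skip blanks, comments and anything malformed
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4]
        if rtype == "NS" and owner == zone:
            ns_names.add(rdata.lower())
        elif rtype == "A":
            addresses.setdefault(owner, set()).add(rdata)
    return ns_names, addresses


def check_delegation(parent_text, child_text, zone):
    """Compare the NS set the parent delegates to with the zone's own NS set."""
    p_ns, p_addr = parse_records(parent_text, zone)
    c_ns, c_addr = parse_records(child_text, zone)
    p_ips = set().union(*(p_addr.get(n, set()) for n in p_ns))
    c_ips = set().union(*(c_addr.get(n, set()) for n in c_ns))
    if p_ns == c_ns and p_ips == c_ips:
        verdict = "consistent"
    elif p_ips == c_ips:
        verdict = "names differ, same servers (warning only)"
    else:
        verdict = "addresses differ (fix before relying on it)"
    return {"only_at_parent": sorted(p_ns - c_ns),
            "only_at_child": sorted(c_ns - p_ns),
            "verdict": verdict}


if __name__ == "__main__":
    print(check_delegation(PARENT_REFERRAL, CHILD_ZONE, "domain.com"))
```
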
 