DNS cluster arch
Hi,
We have 6 independent whm/cpanel installations in one datacenter and we would like to have the DNS service of all the domain accounts hosted clustered between them and to other cpanel dnsonly offsite (to fulfill the "different autonomous systems" condition of two of the name servers for all the domains). We would like all of them to be DNSSEC compliant, but now this is a secondary objective.
We have some questions about the architecture and steps we have to follow:
- About the arch:
-- The 7 cpanels dns should be on the same cluster? Or should the clustering be made two by two on a per domain or group of domains basis (always having the offsite DNSonly as a member of any of the clusters)?
-- Does the existence of all of the "domain accounts" in each cpanel consume licenses on each cpanel? It shouldn't!!
-- About the role of all DNS servers on each domain, is there any dependence on which of them could have "write permissions" on each zone? This is a point that we don't really mind, as we will only edit zones on the cPanel that hosts (web and mail) the account, which could be the "primary nameserver" of the concrete domain. We wouldn't mind if the rest of the cPanels couldn't edit other servers' accounts' zones.
-- About compatibility with functionalities like AutoSSL with Let's Encrypt, we don't see any problem with this deployment, as the "primary nameserver" would be the only one to create the necessary entries...
-- About the guide on clustering DNS (Guide to DNS Cluster Configurations | cPanel & WHM Documentation), we don't quite understand some of the terms explained there that seem to condition the arch to choose...
--- What does "direct link" mean between webserver and "dns server"?
--- Why does it say that a "webserver sends directly DNS information to DNS servers" and "the web server syncs the primary nameserver"? Web service and DNS service are completely different services that don't exchange information, even if normally you invoke one after another...
- About DNSSEC, we will switch to PowerDNS on all the cpanels and see how to configure everything after we see the implications of enabling DNSSEC (have to read more about the standards)...
With all this, we understand that we should:
- switch to powerDNS on the 7 cPanels
- enable dns clustering on all of them
- create 6 "reverse trust relationship" on all of the cpanels, so everyone has a bidirectional relationship with any of the other cpanels (set all of the API tokens)
- manage any of the DNS zones from the primary nameservers
- publish for each domain at the registrar a pair of the names of these 7 cPanels as the NS records, always the one offsite and the primary for the domain at the very least
Is this ok? Are we wrong in any of the points?
Thanks in advance!!
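The last two steps of the plan above (zones edited only on the primary, and the registrar NS set always containing that primary plus the offsite DNSONLY in another autonomous system) are easy to get wrong silently. Below is an added consistency check, not cPanel's code and not from the original post, over constructed data: hostnames, AS numbers and SOA serials are all assumed values standing in for what `dig` would return from each cluster member.

```python
"""Consistency check for a cPanel-style DNS cluster (constructed data, not cPanel's own code)."""
from dataclasses import dataclass, field

# Constructed inventory: nameserver hostname -> autonomous system number.
# The six in-house servers share one AS; the offsite DNSONLY sits in another.
NS_ASN = {
    "ns1.example.net": 64500, "ns2.example.net": 64500, "ns3.example.net": 64500,
    "ns4.example.net": 64500, "ns5.example.net": 64500, "ns6.example.net": 64500,
    "ns-offsite.example.org": 64501,
}

@dataclass
class ZoneView:
    """What each cluster member answers for one zone (constructed, as dig would show)."""
    domain: str
    primary: str                  # cPanel server hosting the account (the only zone editor)
    delegated_ns: set             # NS set published at the registrar
    soa_serial: dict = field(default_factory=dict)  # server -> SOA serial it serves

def check_zone(view: ZoneView, offsite: str) -> list:
    """Return human-readable findings; an empty list means the zone matches the plan."""
    findings = []
    if view.primary not in view.delegated_ns:
        findings.append("primary nameserver not in delegated NS set")
    if offsite not in view.delegated_ns:
        findings.append("offsite DNSONLY not in delegated NS set")
    asns = {NS_ASN[ns] for ns in view.delegated_ns if ns in NS_ASN}
    if len(asns) < 2:
        findings.append("delegated NS set spans a single autonomous system")
    # A secondary serving an older serial means cluster sync from the primary is lagging.
    primary_serial = view.soa_serial.get(view.primary)
    for server, serial in view.soa_serial.items():
        if serial != primary_serial:
            findings.append(f"{server} serves serial {serial}, primary has {primary_serial}")
    for ns in view.delegated_ns:
        if ns not in view.soa_serial:
            findings.append(f"{ns} is delegated but does not serve the zone")
    return findings

def demo() -> dict:
    """Two constructed zones: one configured as planned, one with typical mistakes."""
    good = ZoneView("good.example", "ns1.example.net", {"ns1.example.net", "ns-offsite.example.org"},
                    {"ns1.example.net": 2024010101, "ns-offsite.example.org": 2024010101})
    bad = ZoneView("bad.example", "ns3.example.net", {"ns3.example.net", "ns4.example.net"},
                   {"ns3.example.net": 2024010105, "ns4.example.net": 2024010103})
    return {z.domain: check_zone(z, "ns-offsite.example.org") for z in (good, bad)}

if __name__ == "__main__":
    for domain, findings in demo().items():
        print(domain, findings or "OK")
```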
1. The 7 servers can be part of the same cluster.
2. cPanel bills after the accounts hosted on the server and not per DNS entry.
3. For DNS roles and explanations have a look at DNS Cluster | cPanel & WHM Documentation under "DNS Role".
4. With proper setup and DNS roles SSLs shouldn't be a problem.
5. Direct link means that you should NOT link multiple servers together like: web server 1 to web server 2 to DNS only server for example, but directly (web server 1 to DNS only server).
6. On the web server you host the accounts, so if you add a new account/terminate an account etc. it will initiate DNS changes, so there is a connection between the web server (where you host the accounts) and for example the DNS only server.
I hope I could clarify the questions a bit.
Let us know if you have any further questions beyond @andrew.n's response