DNS cluster and upgrading DNS Only servers
I've read the cPanel documentation about DNS clustering. It is still a mystery to me. Our DNS cluster is working. I find the documentation poorly written, not beginner friendly and confusing. As is most of the cPanel documentation.
I've got a setup:
DNS ONLY servers:
- ns1.domain.tld
- ns2.domain.tld
Hosting servers:
- hosting1.domain.tld
- hosting2.domain.tld
- hosting3.domain.tld
- etc.
- maybe in the future there is hosting10.domain.tld, who knows.
These are all existing servers. Currently all the hosting-servers have DNS clustering enabled, using API tokens and using the "write-only" role. All the hosting-servers have the two DNS Only servers set up this way in the cluster.
I guess this setup is called "direct links" by the documentation. All the hosting-servers have DNS services (pdns or bind) disabled. The hosting-servers use only the cluster DNS.
Question 1:
Is the "write-only" role correct choice at this setup?
The role has been a problem for us a couple of times when an admin created an account and the domain was already used in the cluster. Not a huge problem.
Question 2:
Can I change the role on the fly? Is the "synchronize changes" or "standalone" option a better one? I don't really understand the meaning of these roles. The descriptions are so confusing and really don't say anything.
Question 3:
I'm wondering how the "synchronize changes" role would work, because there is no DNS service on the hosting-servers at all. What does it synchronize back when there is no DNS service? Have I made a mistake by disabling the DNS services on the hosting-servers?
Question 4:
What would "standalone" role do in this setup? Would my hosting-servers break up?
Question 5:
There are no DNS cluster settings made on the DNS Only servers. I mean ns1.domain.tld and ns2.domain.tld have clustering disabled. Is this a correct setup?
Question 6:
This is the big one. Both of the DNS Only servers have CentOS 7 (soon EOL) and I have to upgrade them both. I have to replace CentOS 7 with AlmaLinux 9, re-installing both DNS servers from scratch. I have no clue how to do that without messing up all the zones and the whole cluster.
I expect downtime of course, but how do I upgrade the DNS Only servers without breaking the whole cluster? Can I, or should I, copy all the zones manually from the old DNS servers to the new ones? Please advise.
Question 7:
The setting "setup reverse trust relationship" is a complete mystery to me. Please explain what it does and why it's recommended. The setting is grayed out (disabled or read-only, I can't enable it) in my DNS cluster settings. Should I enable this setting in the hosting-servers' cluster settings? And how do I enable it?
Thank you.
-
Hey there! I'll go through and answer these in order to make sure I don't miss anything.
Question 1:
That is the correct mode, yes. If you use the sync option, you'll end up with all the DNS zones on all the machines, leading to confusion. It's normal that the domain has to be removed from all servers in the cluster before it can be created/recreated.
Question 2:
Yes, they can be changed at any time without needing to make any other changes. I'm hoping the details I included in step 1 help clarify this.
Question 3:
I think we've covered this one now, but let me know if you need more details. Even though the DNS service is disabled on the web hosts, you still have zone files created in /var/named which can be activated at any time.
Question 4:
Additional details about the roles and their descriptions can be found here:
https://support.cpanel.net/hc/en-us/articles/8183166768279-What-are-the-different-DNS-Cluster-roles-
In short, if things are working with multiple machines, you're good, and don't want to make any changes.
Question 5:
I don't understand this question - can you get me more details?
Question 6:
In a DNS Cluster, you don't need to worry about updating or migrating data. You would just add new DNS servers to the cluster, and then shut down the old ones whenever you're ready. This could mean that you are using ns3 and ns4.yourdomain.com instead of ns1 and ns2, which is completely fine.
Question 7:
If the cluster is working properly, the reverse trust has likely already been configured. This trust just allows the servers to talk to one another with a key.
-
Question 6:
You can also keep using ns1 & ns2.
Create a new DNSONLY server, set ns1 to point to its IP address (remember to change the IP at the registrar also), remove the old ns1 from the cluster and add the new ns1 to the cluster.
Then the same with ns2.
-
Thank you for the reply.
Question 5:
I mean when I log in to WHM on ns1 or ns2 (the DNS Only servers, our DNS servers) and check the DNS cluster settings on those servers, the DNS cluster options are disabled. I'm asking this because I'm pretty confused about how the DNS cluster works.
Question 6:
I can't just replace the domain's DNS servers with new ones? Can I? How would that work? I mean if I make new ns3 and ns4 servers and then close the old ns1 and ns2. How come the domains would still work if their DNS servers are shut down? The domain Whois information says the DNS servers are ns1 and ns2. As far as I understand that would make all domains unreachable or they would give a DNS error. I think I have to replace/upgrade the ns1 and ns2 servers. The DNS server names can't change. If the server names change then I have to change to the new names for every domain we have. Or am I missing something?
Question 7:
I haven't configured any reverse trusts as far as I know. I have only created API tokens on ns1 and ns2. The hosting servers use those API tokens.
-
5 - Thanks for the clarification. That's normal since they are all being controlled on the webserver side of things.
6 - You totally can :D. You would just add them to the cluster the same way you did with ns1 and ns2. The DNS zones would then get copied over to the new machines. Then you'd want to update the DNS at the nameserver to remove ns1 and ns2 for the domains and then you're working live off ns3 and ns4. But you're correct, this would require changing data at the registrar for every domain.
7 - If the API tokens are working, that's fine. You may have configured this cluster before we had that reverse trust option, but there's no need to change that now.
-
Another option would be to create the new DNS servers, and then just update the IP address at the registrar for the nameservers themselves, so you don't need to edit every domain manually.
-
It seems like you have a comprehensive set of questions regarding your cPanel DNS clustering setup. Let's break them down:
### Question 1:
Is the "write-only" role the correct choice?
- **Answer:** Yes, in the context of your setup, the "write-only" role is appropriate. This role allows the hosting servers to make changes, but they won't receive zone transfers, preventing conflicts.
### Question 2:
Can I change the role on the fly?
- **Answer:** Changing the role dynamically can be complex. It is recommended to make such changes during a maintenance window. The "synchronize changes" option ensures changes made locally on hosting servers are pushed to the cluster.
### Question 3:
How does the "synchronize changes" role work without DNS services on hosting servers?
- **Answer:** In this context, it means changes made to DNS zones on hosting servers are pushed to the DNS cluster. If DNS services are entirely disabled on hosting servers, consider the "standalone" role instead.
### Question 4:
What would the "standalone" role do in this setup?
- **Answer:** The "standalone" role is for servers that aren't part of a cluster. Changing roles may require reconfiguration, so test this carefully in a controlled environment to ensure it doesn't disrupt your setup.
### Question 5:
Is it correct that DNS clustering settings are disabled on DNS Only servers?
- **Answer:** Yes, that's correct. DNS Only servers don't need DNS clustering settings because they operate as a cluster.
### Question 6:
How to upgrade DNS Only servers without breaking the cluster?
- **Answer:** Before upgrading, take full backups of DNS zones. Install the new servers, configure cPanel DNS clustering, and copy zones. Transition DNS traffic gradually, monitor for discrepancies, and finalize the switch.
### Question 7:
What does "setup reverse trust relationship" do, and why is it recommended?
- **Answer:** This establishes a trust relationship between DNS servers for secure zone transfers. It's recommended for better security. If it's disabled on your DNS cluster settings, ensure that DNS Only servers trust the hosting servers by allowing zone transfers in their configurations.
I hope you get an answer to your question, as this issue happened to me last time with my game website, and thanks, I solved it.
-
Question 6:
The name and the server IP address need to be the same for the new replacement server. Everything needs to be the same after the upgrade is done, for both DNS servers ns1 and ns2. So what is the upgrade path if that is a requirement? I hope you understand what I mean.
Question 7:
The plan is to replace the ns1 and ns2 servers (DNS Only servers). So the reverse trust option is there today. I'm pretty sure I need to create the cluster again and generate new API keys for every hosting-server as well. I need to understand what that reverse trust means and where or how I configure it.
-
Thank you Benjamin Boss for the answer.
Question 6:
Is there a tool in WHM which would make sure the zones are working and the zones are OK? Is there a way to check and be sure the zones are up to date after the transition? I'm expecting some downtime because of maintenance and that is OK. That means the customers can't make any changes to their zones during the maintenance. Everything should be fine when I back up all the zones and copy the zones to a new server. But if there is a way to check, that would be nice.
More questions.
Question 8:
What if something goes wrong and some domain is missing or the zone is not up to date? Is there a command to re-write the zone for a domain?
Question 9:
Is there a command to sync all the zones? My cluster role is "write-only", so is there a way to "write-only" all the zones and be sure the new DNS servers have the latest zones?
-
6 - No, there's no such tool. Standard DNS checking tools (dig, whois) would be enough to confirm this.
8 - Yes. You can manually run the "/scripts/dnscluster" command to sync all zones or just certain ones. Run it with no additional options to see all the available tools.
9 - See above, but this sync would happen immediately when a new server is added to the cluster, so it shouldn't be necessary.
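The answer above points at dig as the way to confirm that a newly built DNS Only server serves the same zone data as the old one before the old server is removed from the cluster. The following script is an added example, not code from this thread or from cPanel: it snapshots a zone from two nameservers with `dig +noall +answer`, parses the one-record-per-line output, and reports records missing on the new server plus any SOA serial that went backwards (a sign the new copy is stale). The host names ns1.domain.tld / ns3.domain.tld, the zone example.tld and the sample dig answers are constructed for the example so it runs offline; only `snapshot_zone` touches the network.

```python
"""Verify a zone on a new DNS Only server against the old one before cutover.

Added example, not code from the cPanel thread or from cPanel itself.
It works on the one-record-per-line output of `dig +noall +answer`
(owner TTL class type rdata). Host names, the zone and the sample answers
below are constructed so that the comparison can be run offline.
"""
import subprocess

# Record types compared for each zone. They are queried one by one because
# many servers refuse ANY queries or answer them only partially.
CHECK_TYPES = ("SOA", "NS", "A", "AAAA", "MX", "TXT", "CNAME")


def build_dig_commands(zone, nameserver, types=CHECK_TYPES):
    """Return the dig invocations that snapshot one zone from one server."""
    return [["dig", f"@{nameserver}", zone, rtype, "+noall", "+answer"]
            for rtype in types]


def snapshot_zone(zone, nameserver):
    """Run the dig commands (needs network and the dig binary) and return
    the concatenated answer sections as text."""
    chunks = []
    for cmd in build_dig_commands(zone, nameserver):
        result = subprocess.run(cmd, capture_output=True, text=True, check=False)
        chunks.append(result.stdout)
    return "\n".join(chunks)


def parse_answer(text):
    """Parse dig answer lines into a set of (owner, type, rdata) tuples.

    TTLs are dropped on purpose: a freshly synced copy of a zone may serve
    different TTLs, but owner names and record data must match exactly."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        records.add((owner.lower().rstrip("."), rtype.upper(), " ".join(rdata.split())))
    return records


def soa_serial(records):
    """Return the SOA serial from a parsed record set, or None if absent."""
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            # SOA rdata: mname rname serial refresh retry expire minimum
            return int(rdata.split()[2])
    return None


def compare_zone(old_text, new_text):
    """Diff the zone as served by the old server against the new server."""
    old, new = parse_answer(old_text), parse_answer(new_text)
    # SOA is compared through its serial, not as a literal record.
    old_data = {r for r in old if r[1] != "SOA"}
    new_data = {r for r in new if r[1] != "SOA"}
    old_serial, new_serial = soa_serial(old), soa_serial(new)
    regressed = (old_serial is not None and new_serial is not None
                 and new_serial < old_serial)
    missing = sorted(old_data - new_data)
    return {
        "missing_on_new": missing,
        "extra_on_new": sorted(new_data - old_data),
        "old_serial": old_serial,
        "new_serial": new_serial,
        "serial_regressed": regressed,
        # Extra records are reported but not fatal; missing ones are.
        "ok": not missing and not regressed,
    }


# Constructed sample answers: what dig would return from the old ns1 and a
# newly built ns3 for the zone example.tld. The new copy has a bumped serial,
# a changed TTL (harmless) and is missing the A record for the mail host.
OLD_NS1_ANSWER = """\
example.tld.\t86400\tIN\tSOA\tns1.domain.tld. hostmaster.domain.tld. 2024050101 3600 1800 1209600 86400
example.tld.\t86400\tIN\tNS\tns1.domain.tld.
example.tld.\t86400\tIN\tNS\tns2.domain.tld.
example.tld.\t14400\tIN\tA\t192.0.2.10
mail.example.tld.\t14400\tIN\tA\t192.0.2.11
example.tld.\t14400\tIN\tMX\t0 mail.example.tld.
example.tld.\t14400\tIN\tTXT\t"v=spf1 +a +mx ~all"
"""

NEW_NS3_ANSWER = """\
example.tld.\t86400\tIN\tSOA\tns1.domain.tld. hostmaster.domain.tld. 2024050102 3600 1800 1209600 86400
example.tld.\t86400\tIN\tNS\tns1.domain.tld.
example.tld.\t86400\tIN\tNS\tns2.domain.tld.
example.tld.\t3600\tIN\tA\t192.0.2.10
example.tld.\t14400\tIN\tMX\t0 mail.example.tld.
example.tld.\t14400\tIN\tTXT\t"v=spf1 +a +mx ~all"
"""


if __name__ == "__main__":
    # Offline demo on the constructed samples; with network access you would
    # pass snapshot_zone(zone, "ns1.domain.tld") and snapshot_zone(zone, "ns3.domain.tld").
    report = compare_zone(OLD_NS1_ANSWER, NEW_NS3_ANSWER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it once per zone (the zone names come from /var/named on a hosting server, as mentioned above) with the old and new nameserver as arguments to `snapshot_zone`; a zone whose report has `ok` false is one to re-sync with `/scripts/dnscluster` before the old server is shut down. Comparing record data rather than raw dig output is deliberate: TTLs and record order often differ between two correctly synced servers, and only a missing or changed record is a real problem.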