Is BIND supposed to copy its config to slave DNS servers? #848

Open
neosonic2 opened this issue Jul 1, 2024 · 5 comments

Comments

@neosonic2 (Author)

Hello,

I'm not sure if I've found a potential bug, intended behavior, or just something messed up on my system, but either way I figured it's worth a report.

I'm running Virtualmin 7.10.0 Pro on an Ubuntu 22.04 system that has three configured DNS slave servers by way of the Cluster Slave Servers feature. DNS zones for my virtual servers get copied to these slaves just fine, but apparently so does the contents of global BIND configuration files.

For example, rather than putting allow-transfer and also-notify blocks in each zone definition block inside /etc/bind/named.conf.local, I manually added them to /etc/bind/named.conf.options and instructed Virtualmin (through the server template) not to add them automatically.

After adding a virtual server's DNS zone to my slaves, I noticed these blocks were in the /etc/bind/named.conf.options file on the slaves - in fact the entire file had the same contents as the one on the master, and also had the same modification date, ownership and permissions on the filesystem as well:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };

    // Define the list of slave servers
    allow-transfer { 192.168.148.115; 192.168.147.181; 192.168.148.185; };
    also-notify { 192.168.148.115; 192.168.147.181; 192.168.148.185; };
    notify yes;
};

I've been able to reproduce this consistently by blowing away BIND on the slaves using apt purge, clearing out /etc/bind and /var/lib/bind, reinstalling BIND, and then telling Virtualmin to re-add all slaves, at which time the contents of files like /etc/bind/named.conf.options appear on each slave again.

Is this expected behavior?

@neosonic2 neosonic2 changed the title Should BIND copy its config to slave DNS servers? Does BIND copy its config to slave DNS servers? Jul 1, 2024
@neosonic2 neosonic2 changed the title Does BIND copy its config to slave DNS servers? Is BIND supposed to copy its config to slave DNS servers? Jul 1, 2024
@iliajie (Collaborator)

iliajie commented Jul 1, 2024

Hello,

Thanks for the heads up! It does seem like a bug.

Though Jamie fixed a few bugs related to DNS, let's wait for his reply to see if it was already addressed for the upcoming Virtualmin 7.20.0.

@jcameron (Collaborator)

jcameron commented Jul 2, 2024

Also, check that you haven't added the master system as a slave of itself.

@neosonic2 (Author)

As far as I know the master system isn't a slave of itself. Whenever I add a new virtual server and corresponding DNS zone or update an existing one, Virtualmin says it's updating the zone on slave servers and only lists my three slaves rather than also listing the master.

This issue occurred again yesterday though, and this time, in addition to the BIND options file being duplicated, /etc/webmin/miniserv.conf was duplicated as well. I figured this out because I have two-factor authentication set up on my Virtualmin server (the master DNS server), but do not have it set up on the three Webmin servers (the DNS slaves that do not run Virtualmin). Yet when I tried to log into one of them I noticed a two-factor token field present on the login screen, and "twofactor_provider=totp" present in miniserv.conf.

@jcameron (Collaborator)

jcameron commented Jul 3, 2024

That is very unusual! I don't think we have any facility for duplicating the miniserv.conf file to another system, even via a mis-configuration.

Was the entire file copied across verbatim?

@neosonic2 (Author)

I believe it was, though I didn't look at it extremely closely to know for sure. I noticed though it was the same size and even had the same last modified date and permissions as the file on the master server. So did /etc/bind/named.conf.options.

I've since reinstalled Webmin completely but I think the files will get copied again relatively soon. I'm moving all of my virtual servers over to LDAP which requires me to delete and restore them so Virtualmin will create the user accounts in the LDAP database, and so far I've done this in batches to more easily catch errors (i.e. Virtualmin likes to throw a "broken pipe" from postfix/postfix-lib.pl while creating mail aliases every few runs).

So far, the file duplication problem has popped up after every few deletions/restores of virtual servers, though I haven't noticed any pattern or anything else that stands out to let me know exactly what triggers it. I've got more than 20 left though so it's bound to come up again very soon.
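An added example, not part of this issue thread or of Virtualmin/Webmin, that turns the two checks discussed above into a script: it fingerprints a config file (sha256 plus mtime, the two properties the reporter saw matching on master and slave) so a slave can be flagged as holding a verbatim copy of the master's file, and it inspects the allow-transfer / also-notify lists in named.conf.options for one of the host's own IPs (jcameron's "master as a slave of itself" hint). It assumes GNU coreutils (sha256sum, stat -c); the function names and the way fingerprints are carried between hosts are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue or Virtualmin): detect global-config
# duplication on a DNS slave and a master that lists itself as a slave.
# Assumes GNU coreutils (sha256sum, stat -c %Y). Fingerprints taken on the
# master are passed to the slave out of band as plain strings.

# Print "sha256 mtime path" for a file; this is what gets compared across hosts.
fingerprint_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing - $f"; return 1; }
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    mtime=$(stat -c %Y "$f")
    echo "$sum $mtime $f"
}

# Compare the master's and the slave's fingerprint for the same file.
# Returns 0 when hash AND modification time match exactly, i.e. the slave
# holds a byte-for-byte copy with the master's timestamp, which is the
# symptom reported above for named.conf.options and miniserv.conf.
is_verbatim_copy() {
    master_fp="$1"; slave_fp="$2"
    m_sum=${master_fp%% *}; m_rest=${master_fp#* }; m_mtime=${m_rest%% *}
    s_sum=${slave_fp%% *};  s_rest=${slave_fp#* };  s_mtime=${s_rest%% *}
    [ "$m_sum" = "$s_sum" ] && [ "$m_mtime" = "$s_mtime" ]
}

# Collect the addresses inside allow-transfer { ... } and also-notify { ... }
# in a named.conf.options file and print any that equal one of this host's
# own IPs (given as extra arguments). Returns 0 if at least one matched,
# meaning the master would treat itself as a slave; 1 otherwise.
self_listed_as_slave() {
    conf="$1"; shift
    listed=$(grep -E '^[[:space:]]*(allow-transfer|also-notify)[[:space:]]*\{' "$conf" \
             | sed 's/.*{//; s/}.*//' | tr ';' '\n' | tr -d ' \t')
    found=1
    for ip in "$@"; do
        if printf '%s\n' "$listed" | grep -qxF "$ip"; then
            echo "$ip"
            found=0
        fi
    done
    return $found
}
```

On a slave, run fingerprint_file against /etc/bind/named.conf.options and /etc/webmin/miniserv.conf and feed the lines to is_verbatim_copy together with the master's; on the master, run self_listed_as_slave with the addresses from `hostname -I`.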
