This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.
is this offer still valid ?
Sure it is :) Where are you based ? I'm in Europe here :)
Europe, too - how would you prefer this to be set up, via webmin DNS clustering or just a one-time bind setup ?
Well, Webmin DNS clustering would be better as it would allow us to add domains in our respective Virtualmin and get them automatically duplicated as secondary on other Virtualmin system, no? I'm not familiar with the one-time bind setup !!!
Okay, so if I am not mistaken, we only need to set up new restricted accounts just for DNS: http://doxfer.webmin.com/Webmin/ClusterWebminServers?sortcol=table;up=#E...
Maybe we can get 2-3 more people involved in this (mutual secondary DNS), no need for any additional IPs or workarounds ...
In the meantime, I looked through this: http://www.frankb.us/dns/
And ended up adding these two:
http://www.buddyns.com/
https://puck.nether.net/dns/login
These took only 3 minutes to set up.
So anybody looking for secondary DNS should consider these.
If I recall correctly, I had asked about this quite a while ago already, and received the answer that a Webmin user that can act as a DNS Cluster Slave user needs the "Can accept RPC Calls" right.
I haven't really tried this, but I think through RPC the user is basically a root user who can do anything. You might want to test that first, before there's any surprises. And/or Eric or Jamie might shed some more light on this.
I was also concerned about this, but according to the webmin docs, this feature seems explicitly designed to be also used by non-privileged users, i.e. having a dedicated "DNS" user. Not sure if RPC really does require root access though. On the other hand, it should be also possible to use SSH/pubkey authentication instead of Web RPC - i.e. having a separate "slavedns" group with privileged users that may be used for DNS clustering.
The whole "mutual secondary DNS" is a common thing obviously, and it would be great if people could offer their services via webmin (continent/country) to team up with folks who need another DNS.
I agree the RPC issue is a real concern ! Would be nice to get a feature in Virtualmin itself that would allow to setup such configurations without compromising security of server or needing too much trust between people exchanging DNS services ;)
It's not a security risk so long as you restrict the IPs that are allowed to access the slave DNS webmin and you also set up a valid SSL cert so webmin and virtualmin can talk in private... unless the NSA is listening.
it's a risk if you need root access in Webmin to allow ACL access as if remote server is compromised you compromise your own server :(
Why do you need root access in webmin to edit dns ? You don't.. you create a normal user that only has access to the BIND module and you restrict access to the dns user role. There is nothing risky in this.
Unhappily it's not enough, you also need to allow RPC access to webmin to remote webmin so virtualmin can automatically create the secondary DNS zone when you create a new domain on your account !
Thanks for the updates !
I haven't yet tried it, but I would also prefer NOT going over HTTP/HTTPS for the RPC stuff and instead use SSH on a non-default port for this. I have yet to check the docs/forum (or code) to see if (and how) that could work though ...
Currently, the webmin/server index panel reads "Link Type" and only seems to support HTTP/HTTPS-style RPC. On the other hand, virtualmin does have extensive CLI tools which should be also possible to run over SSH instead, as we know it also supports SSH for various things.
Maybe some of the webmin devs can briefly comment on this ?
thanks
Perhaps a feature to add in a next update of Virtualmin to allow secondary DNS communication easily between servers :)
People are over thinking this.
RPC isn't root access... it only allows a particular user access to certain commands that root would have and coupled with IP restrictions and SSL you're safe.
It's not brain surgery
okay, here's what I've done so far, and it's working nicely:
On the Slave DNS server
On the master server:
Further details at: http://doxfer.webmin.com/Webmin/WebminUsers
http://doxfer.webmin.com/Webmin/WebminServersIndex
http://doxfer.webmin.com/Webmin/ClusterWebminServers
Perfect !!
ya, it only took 2 minutes to set up actually - i.e. much less time than we spent here talking about it... it would be even better if webmin could show the status line without having to edit the entry first :-)
But a really awesome feature would be "pairing" of volunteers who are willing to offer mutual slave DNS - i.e. if people who need slave DNS could just browse a list of other volunteers and select them by location/domain.
The whole concept could be generalized and even provide redundancy for other features like mail (postfix) or httpd clustering - there are so many people in this community, why not leverage all that power and allow them to easily team up with each other to increase their redundancy and get rid of SPOFs
(it only just occurred to me that the whole could be fully automated by directly using the "cluster" feature in webmin using a little helper module)
In the meantime, it would be great if we could have a wiki page or sticky forum thread for people to offer mutual DNS.
It's not feasible. There are plenty of free secondary dns services out there.
most I've seen, are pretty restricted actually - mutual DNS however would be a win/win for all parties involved, and would not need to be restricted in the same sense. Also, such a "give & take" arrangement would not need to be restricted to just bind/named (DNS) - it could involve other services that would benefit from redundancy, such as postfix or httpd clustering.
Fully agree with you Wocul on share capabilities between all Virtualmin users, it would be really great :) as your RPC solution is nice but it still gives remote site full access to your Bind configuration which is not very nice !
vincen please refrain from spreading false info about RPC -- it's rubbish and you're only causing panic for no reason. RPC IS NOT A SECURITY ISSUE
What you should test before doing this in production use is whether via RPC that new user can do more than those things you defined with local access rights.
It's sure possible that I'm mistaken, but I seem to recall that, when I asked those same questions a while ago, the Virtualmin team told me that via RPC, the local module access restrictions don't apply.
It'd be nice to see though if I'm wrong there and the restriction to the BIND module DOES apply also for RPC calls. I'd do the same for my DNS cluster slaves then! :)
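The settings the thread proposes for the slave (IP restriction, SSL, a dedicated user limited to the BIND module) can be checked from the slave's Webmin config files. The following is an added example, not part of any post; it assumes the usual `key=value` layout of `miniserv.conf` and the `user: modules` layout of `webmin.acl`, uses constructed file contents, and does not answer the open question of whether RPC bypasses module restrictions.

```python
# Added example: audit a Webmin slave's access settings from config text.
# Both file contents are constructed samples, not taken from the thread.
MINISERV_CONF = "port=10000\nssl=1\nallow=203.0.113.10\n"
WEBMIN_ACL = "root: acl bind8 servers webmin\nslavedns: bind8\n"

def parse_kv(text):
    """Parse key=value lines (assumed miniserv.conf layout)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_acl(text):
    """Parse 'user: module module ...' lines (assumed webmin.acl layout)."""
    acl = {}
    for line in text.splitlines():
        if ":" in line:
            user, modules = line.split(":", 1)
            acl[user.strip()] = set(modules.split())
    return acl

def audit(miniserv_text, acl_text, dns_user, master_ips):
    """Return a list of findings; an empty list means all checks passed."""
    conf, acl = parse_kv(miniserv_text), parse_acl(acl_text)
    findings = []
    if conf.get("ssl") != "1":
        findings.append("ssl is not enabled")
    allowed = set(conf.get("allow", "").split())
    extra = allowed - set(master_ips)
    if not allowed:
        findings.append("no allow= list: any address may connect")
    elif extra:
        findings.append("allow= includes non-master hosts: %s" % sorted(extra))
    modules = acl.get(dns_user)
    if modules is None:
        findings.append("user %s has no webmin.acl entry" % dns_user)
    elif modules != {"bind8"}:
        findings.append("user %s has modules beyond bind8: %s"
                        % (dns_user, sorted(modules - {"bind8"})))
    return findings

if __name__ == "__main__":
    print(audit(MINISERV_CONF, WEBMIN_ACL, "slavedns", ["203.0.113.10"]))
```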