
Setting up redundant MX and NS backups between 2 or more DTC panels

  • 1. Why should I have backup MX and NS?

One of the most important services is a failover MX server (an MX server is simply an SMTP server that receives mail for your hosts). Your web hosting service can be down, but you never, ever want your mail system to be down, and this is why most hosts set up a redundant or backup MX server.

When an SMTP server sends mail to another, it looks up the MX records of the domain it is sending mail for. That means it does a DNS query against the DTC panel it wants to deliver to. If that host is down, the mail is sent to the backup MX server instead, which is also why you need a backup NS server when you want MX failover: a backup MX is useless if nobody can resolve its record while the main server is down.

Also, make sure the backup server is not on the same network as the main server; otherwise you have server failover but not network failover (so your setup is half good, half bad). What is nice here is that if you have a friend running a server with DTC, you can ask to exchange backup NS/MX service with each other, as this is rather safe and secure.

  • 2. IP check, login and password: why and how?

This section concerns the field 'Allow those servers to list this server domain names for doing backup:'.

The backup server you set up needs to know the list of domains for which it will do the backup. This list is transferred over HTTPS. One thing most hosts do not want to do is reveal the list of customers they have to the world (for obvious reasons). That is why there are IP checks as well as logins and passwords.

The easy way is to use a single login/password on both sides (on the final server side and on the backup server side), so you cannot mix them up. In fact, in the latest version of DTC, you HAVE to set the IP checks on both sides with the same login and password, otherwise the updates will fail. As this is a password you will only use once, during setup, we suggest you generate it with DTC's password generator (the gear icon).

Once you have the login and password ready on both of your panels (the master and the slave), you have to enter the IP of the server. The IP to use is the 'main' IP of your server, more or less (say, the one on eth0). This is not necessarily the IP of the control panel itself, nor the IP of your NS1/NS2. It is the IP that PHP will make outgoing requests from, most of the time the first IP in the list when you run ifconfig. It could be a different IP, so check it.

  • 3. Editing your /etc/hosts

This step is not mandatory, but recommended.

One very common thing is to set up ns1/ns2 of the same domain on different servers. If you do that, remember that you have to put the IP of the other server in /etc/hosts (on both sides); otherwise there is no way for the script to download the list of domains to back up (it would need to download the list in order to be able to download the list). What it needs here is, say, 'dtc.backup.your-domain.com' on the 'dtc.main.your-domain.com' server, and 'dtc.main.your-domain.com' on the 'dtc.backup.your-domain.com' server. In other words, each server has to know the IP of the one it wishes to talk to. This should look something like this:

   root@GPLHost:testVPS>_ ~# cat /etc/hosts
   # Local loopback
   127.0.0.1       localhost.localdomain   localhost
   # My own IP
   1.2.3.4         testvps.gplhost.com
   # The IP of the control panel that will do backup MX.
   203.174.86.120  dtc.node6503.gplhost.com
   66.251.193.20   dtc.gplhost.com

In this case, we want the control panel to query dtc.gplhost.com and dtc.node6503.gplhost.com, which are the 2 control panels that will be doing the backup NS (ns1.gplhost.com and ns2.gplhost.com).

Doing this is safer, because the names still resolve even if DNS is down, which is needed when you want to do domain list transfers before the zones are actually loaded.

Repeat this operation on all your backup NS.

  • 4. Inserting URL for requesting updates to the backup server

Once IP checks and /etc/hosts are both set up, you can register each server on the other. On the "main" server, enter the URL of the backup one in the field 'Tell the following servers when a domain is added or removed:'.

Remember, this URL is the URL/address of each DTC panel. For example, you would enter something like "https://dtc.mydomain.com".

Also, if your backup server is running Postfix, you need to enter exactly the same URL under 'Tell the following servers when an email is added or removed:'. You do not need to do this if your server is running Qmail, as Qmail cannot check whether a user exists when acting as backup.

  • 5. Ask the backup server to act as backup NS and MX

On your backup server, in the field 'Act as backup mail server for the following servers:' enter 'https://dtc.main.your-domain.com', set the login and password, and click on save. Do the same for DNS. Of course, use the same login and password as you used when setting up the IP checks.

  • 6. Named Zonefiles configuration

You should take great care when setting this up. All fields have to be filled with the correct value, especially 'List here DNS server IPs allowed to do zone transfers'. If you don't, your backup NS server won't be able to do the zone file transfer. Remember that the zones are NOT transferred by DTC itself, only the list of domains. Zones are transferred by named, and that is why you need to tell named which servers are allowed to do transfers.

  • 7. Last words

What we showed here is a system using 2 servers. But you can play with many more servers and arrange the backups the way you want, with as many servers as you need. There is no restriction: it can go from any server to any server, with a virtually unlimited number of name servers and MX servers.

Also, after you have done the setup, we STRONGLY encourage you to test it. First go to 'Daemons configuration files generation', ask for generation of both the mail and the DNS files, and then have a look at the 'console output'. You can also cd to DTC_PATH/admin and run 'php cron.php' to see what is going on. Also, check your syslog after the cron has run: it will show all requests for zone file transfers and the zone transfers themselves. If you see named logging errors about transferring zone files, it might mean that you did not fill in the 'List here DNS server IPs allowed to do zone transfers' field.
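As an added example (not part of the original page and not DTC's own code), here is a small POSIX shell helper for the syslog check just described: it scans a log file for named's inbound zone-transfer messages and lists the zones whose transfer failed, together with the master and the reason, so that a REFUSED answer points you straight at the 'List here DNS server IPs allowed to do zone transfers' field on the master. The log lines are constructed samples in BIND 9's message format, and the field layout the sed expression relies on is an assumption about that format.

```shell
#!/bin/sh
# Added example, not from the DTC page: report failed inbound zone transfers
# from a syslog file. Sample lines below are constructed in BIND 9's format.

# Print "zone|master|reason" for each failed inbound transfer in log file $1.
# A REFUSED reason usually means the master's allow-transfer list (DTC's
# 'List here DNS server IPs allowed to do zone transfers') lacks this server.
failed_transfers() {
    sed -n "s/.*transfer of '\([^']*\)\/IN' from \([^ ]*\): failed \(.*\)\$/\1|\2|\3/p" "$1"
}

# Count completed inbound transfers in log file $1 (prints 0 when none).
completed_transfers() {
    grep -c "transfer of '.*: Transfer completed" "$1" || true
}

# Live check (needs network, so it is not exercised by the sample run):
# ask backup NS $1 for the SOA of zone $2; no answer means the slave zone
# is not loaded there yet.
backup_serves_zone() {
    [ -n "$(dig +short SOA "$2" @"$1")" ]
}

# Constructed syslog excerpt: one transfer refused, one completed.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct  5 23:40:01 backup named[2143]: zone example.com/IN: Transfer started.
Oct  5 23:40:01 backup named[2143]: transfer of 'example.com/IN' from 203.0.113.10#53: connected using 203.0.113.20#41922
Oct  5 23:40:01 backup named[2143]: transfer of 'example.com/IN' from 203.0.113.10#53: failed while receiving responses: REFUSED
Oct  5 23:40:02 backup named[2143]: transfer of 'example.net/IN' from 203.0.113.10#53: connected using 203.0.113.20#41923
Oct  5 23:40:02 backup named[2143]: zone example.net/IN: transferred serial 2010100501
Oct  5 23:40:02 backup named[2143]: transfer of 'example.net/IN' from 203.0.113.10#53: Transfer completed: 1 messages, 8 records, 212 bytes, 0.004 secs (53000 bytes/sec)
EOF

echo "completed transfers: $(completed_transfers "$SAMPLE_LOG")"
echo "failed transfers (zone|master|reason):"
failed_transfers "$SAMPLE_LOG"
```

On a real backup NS you would call `failed_transfers /var/log/syslog` right after the cron has run, and `backup_serves_zone dtc.backup.your-domain.com example.com` to confirm the zone is actually being served.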

When you have completed the setup, any domain you add will automatically be added on the backup server (no need to do anything). Also, the scripts will retry again and again until the messages are sent, so you do not need to worry about network outages (or anything else that takes your server down).

  • 8. Using a non-DTC backup NS

Since there are sometimes reasons not to run a full DTC instance on the secondary name server or secondary MX, you can automate this from the command line as follows.

Create the cron file to run every 5 (or 10) minutes:

  /etc/cron.d/slavezoneupdate

  */5 * * * * root (/usr/local/bin/updateslavezones.sh)

Create the script file itself, replacing DTCHOSTNAME, BACKUSERNAME and BACKUPPASSWORD:

  /usr/local/bin/updateslavezones.sh

  #!/bin/bash
  # Fetch the list of zones to slave from the DTC panel; DTC returns them as
  # ready-made named "zone" stanzas. --no-check-certificate disables TLS
  # certificate validation, so only keep it if the panel uses a self-signed
  # certificate and you accept that risk.
  /usr/bin/wget --no-check-certificate -O /tmp/slave_zones "https://DTCHOSTNAME/dtc/list_domains.php?login=BACKUSERNAME&pass=BACKUPPASSWORD&action=list_dns"

  # make sure you enable queries: add an allow-query after every "type slave;"
  /bin/sed -e 's/\(type slave;\)/\1\n\tallow-query { any; };/' /tmp/slave_zones > /tmp/named.slavezones.conf

  /bin/cp /etc/bind/named.slavezones.conf /etc/bind/named.slavezones.conf.bak
  FILESIZE=0
  FILESIZE=$(/usr/bin/stat -c%s "/tmp/named.slavezones.conf")
  # don't overwrite the working slavezones.conf if the generated one is zero bytes
  if [ "$FILESIZE" -gt 0 ]; then
	/bin/mv /tmp/named.slavezones.conf /etc/bind/named.slavezones.conf
	/usr/sbin/rndc reload
  fi
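As an added example, not the page's script and not part of DTC, here is a hardened version of the same job written as POSIX shell functions, so the risky steps can be checked before anything touches /etc/bind: the fetched list is validated (non-empty, one 'type slave;' per zone stanza, so an HTML error page never gets installed), the allow-query line is added with a sed expression that works on any sed, named-checkconf gets to parse the file before it goes live, the live file is replaced atomically, and the URL with its login and password is read from a root-only file via wget -i rather than passed on the command line where ps would show it. The file name /etc/dtc-slave.url and the stanza layout of the constructed sample are assumptions; the page only says that the output of list_domains.php contains 'type slave;' lines.

```shell
#!/bin/sh
# Added example, not the DTC page's script: a safer slave-zone updater split
# into functions. The sample zone list at the bottom is constructed; the real
# list comes from DTC's list_domains.php (see the page's script above).

# Fetch the zone list into file $2. The URL (with login and password) is read
# from the root-only file $1 via -i, so the credentials never appear on the
# command line or in ps output, and TLS verification stays on.
# Assumed location: /etc/dtc-slave.url, mode 0600, owned by root.
fetch_slave_zones() {
    wget -q -O "$2" -i "$1"
}

# Copy $1 to $2, adding allow-query after every "type slave;" so the backup
# NS answers queries for the slaved zones. The single-line form is portable
# to any sed (the page's \n\t version needs GNU sed).
add_allow_query() {
    sed -e 's/type slave;/type slave; allow-query { any; };/' "$1" > "$2"
}

# Sanity-check a generated zones file: non-empty, at least one zone stanza,
# and one "type slave;" per stanza. Rejects empty downloads and HTML error
# pages (e.g. a failed login) that would otherwise be installed.
check_slavezones() {
    [ -s "$1" ] || return 1
    zones=$(grep -c '^zone "' "$1" || true)
    slaves=$(grep -c 'type slave;' "$1" || true)
    [ "$zones" -gt 0 ] && [ "$zones" -eq "$slaves" ]
}

# Install validated file $1 as $2 and reload named. Keeps a .bak copy, lets
# named-checkconf parse the file first when it is available, and replaces
# the live file atomically. Needs root; not exercised by the sample run.
install_slavezones() {
    [ -f "$2" ] && cp -p "$2" "$2.bak"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1" || return 1
    fi
    cp "$1" "$2.new" && mv "$2.new" "$2" && rndc reload
}

# Production flow, run as root from cron on the backup NS:
#   RAW=$(mktemp); NEW=$(mktemp)
#   fetch_slave_zones /etc/dtc-slave.url "$RAW" \
#     && add_allow_query "$RAW" "$NEW" \
#     && check_slavezones "$NEW" \
#     && install_slavezones "$NEW" /etc/bind/named.slavezones.conf

# Constructed sample of what the fetched list looks like: two slave stanzas.
SAMPLE_ZONES=$(mktemp); OUT=$(mktemp)
trap 'rm -f "$SAMPLE_ZONES" "$OUT"' EXIT
cat > "$SAMPLE_ZONES" <<'EOF'
zone "example.com" {
    type slave;
    file "/var/cache/bind/example.com";
    masters { 203.0.113.10; };
};
zone "example.net" {
    type slave;
    file "/var/cache/bind/example.net";
    masters { 203.0.113.10; };
};
EOF

add_allow_query "$SAMPLE_ZONES" "$OUT"
if check_slavezones "$OUT"; then
    echo "generated file passes checks: $(grep -c '^zone "' "$OUT") slave zones"
else
    echo "generated file rejected, keeping the current named.slavezones.conf"
fi
```

The check on stanza count versus 'type slave;' count is what protects you from the failure mode the page's zero-byte test only half covers: a panel that answers with a login error page returns a non-empty file that would otherwise be moved into place and break named on reload.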



Page last modified on October 05, 2010, at 11:49 PM EST