How to Set Up Authoritative DNS Servers with Webmin
In previous tutorials, we explained how to set up authoritative DNS servers and edit DNS records from the command line. However, some folks prefer to use a web GUI to edit DNS records. This tutorial is going to show you how to set up authoritative DNS servers with Webmin, which is a free open-source web-based control panel, so you can edit DNS records with a web interface.
What’s An Authoritative DNS Server?
If you own a domain name and want your own DNS server to handle name resolution for your domain name instead of using your domain registrar’s DNS server, then you will need to set up an authoritative DNS server, which is also known as a name server.
An authoritative DNS server is used by domain name owners to store DNS records. It provides authoritative answers to DNS resolvers (like 8.8.8.8 or 1.1.1.1), which query DNS records on behalf of end-users on a PC, smartphone, or tablet.
Webmin uses BIND as the DNS server. BIND (Berkeley Internet Name Domain) is open-source, flexible, full-featured DNS software that is widely used on Unix/Linux because of its stability and high quality.
Prerequisites
This tutorial assumes you are a domain name owner and you want to use your own authoritative DNS server to store DNS records for your domain name. I registered my domain name at NameCheap because the price is low and they provide whois privacy protection free for life.
You also need two servers. One server is for the master DNS server and the other is for the slave DNS server. Ideally, the two servers should be located at different physical locations. If one DNS server is offline, the other DNS server can still respond to DNS queries for your domain name.
Each server needs at least 1GB RAM and here are the hosting providers that I recommend. I have used all of them.
- Vultr: Start at $2.5/month. Credit card required. You can create an account at Vultr via my referral link to get $50 free credit.
- DigitalOcean: Start at $5/month. No credit card is required. You can use Paypal. You can create an account at DigitalOcean via my referral link to get $100 free credit.
Once you have bought two servers, you need to install Webmin on the two servers.
Then follow the instructions below.
Master DNS Server Configuration
Pick one of the two servers as the master DNS server. We will name it ns1.example.com.
The master DNS server holds the master copy of the zone file. Changes of DNS records are made on this server. A domain can have one or more DNS zones. Each DNS zone has a zone file which contains every DNS record in that zone. For simplicity’s sake, this article assumes that you want to use a single DNS zone to manage all DNS records for one domain name.
Log into the Webmin dashboard of the master DNS server. Go to Servers -> BIND DNS Server and click Create master zone.
If you can’t find BIND DNS Server under the Servers menu, it means BIND isn’t installed yet. Go to the Un-used Modules menu and install BIND.
After clicking the Create master zone button, you need to enter the details of this zone.
- Leave the Zone type field set to Forward. A forward zone translates hostnames to IP addresses. A reverse zone translates IP addresses to hostnames.
- In the Domain name/Network field, enter the name of this zone such as your domain name (without any trailing dot).
- Leave the Records file field set to Automatic.
- In the Master server field, enter the full hostname of the master DNS server for this zone, such as ns1.example.com.
- In the Email address field, enter the address of the person responsible for this zone.
- Leave the other fields at their default settings.
Click the Create button at the bottom of the page. You will be taken to the Edit master zone page, where you can add DNS records to this zone.
Here are some DNS records you might want to add to your zone.
- NS (Name Server) record: specifies which servers are used to store DNS records and answer DNS queries for a domain name. There must be at least two NS records in a zone file.
- A (Address) record: Converts DNS names into IPv4 addresses.
- AAAA (Quad A) record: Converts DNS names into IPv6 addresses.
- MX (Mail Exchanger) record: specifies which hosts are responsible for email delivery for a domain name, i.e. the hostnames of your mail server.
- CNAME (Canonical Name) record: creates an alias for a DNS name.
- TXT (Text) record: holds text data such as SPF, DKIM and DMARC policies.
Below I will show you how to add each of these records.
NS Record
Click the Name Server box to edit NS records. By default, there’s only one NS record for a new zone. We need to add another NS record.
- In the Zone name field, enter your domain name.
- In the Name Server field, enter ns2.example.com. (note the trailing dot: the name server must be entered as a fully qualified name).
Click the Create button to create this record. Then click the Return to record types button to add other DNS records.
A Record
Click the Address box to create an A record.
You need to add at least two A records in your zone, one for ns1.example.com and one for ns2.example.com.
- In the Name field, enter the hostname of your master DNS server.
- In the Address field, enter the public IPv4 address of your master DNS server.
- Choose No for Update reverse?, because we don’t need to translate the IP address to a hostname.
Then click the Create button to create this record, and do the same for your slave DNS server. After creating A records for your name servers, you can add A records for your other hostnames, like www.example.com and example.com.
AAAA Record
If your server has a public IPv6 address, you can click the IPv6 Address box to create an AAAA record.
- In the Name field, enter a hostname.
- In the Address field, enter the public IPv6 address.
- Choose No for update reverse?, because we don’t need to translate the IP address to a hostname.
MX Record
Click the Mail Server box to create an MX record.
- In the Name field, enter the apex domain name, such as linuxbabe.org. An apex domain name is a domain name without a subdomain.
- In the Mail Server field, enter the hostname of your mail server, such as mail.linuxbabe.org.
- In the Priority field, enter 0. It can be any number between 0 and 65,535. A smaller number has higher priority than a larger number. It’s recommended that you set the value to 0, so this mail server will have the highest priority for receiving emails.
After creating the MX record, you also need to create an A record for mail.your-domain.com, so that it can be resolved to an IP address. If your server has a public IPv6 address, be sure to add an AAAA record as well.
CNAME record
A CNAME is used to create an alias for a DNS name. If you have multiple hostnames that point to the same IP address, you can create CNAME records for them, so that when the IP address of your server changes, you only need to change one A record.
Click the Name Alias box to create a CNAME record.
- In the Name field, enter the alias hostname you want to create.
- In the Real Name field, enter the existing hostname that the alias points to.
SPF Record
SPF (Sender Policy Framework) record is a type of TXT record. It specifies which hosts or IP addresses are allowed to send emails on behalf of a domain. You should allow only your own email server or your ISP’s server to send emails for your domain.
Click the Sender Permitted From box to create an SPF record.
- In the Name field, enter your apex domain name.
- Select Yes for Allow sending from domain’s MX hosts.
- You can also enter the IP address of your mail server in the Additional allowed sender IP addresses/networks field.
- Choose Discourage (~all) for Action for other senders.
DKIM Record
DKIM (DomainKeys Identified Mail) record is a type of TXT record. It allows your mail server to use a private key to add a signature to emails sent from your domain. Receiving SMTP servers verify the signature by using the corresponding public key, which is published in your DKIM record.
Click the Text box to create a DKIM record.
- In the Name field, enter the subdomain for your DKIM key, like dkim._domainkey.example.com.
- In the Message field, enter your DKIM public key. You need to delete all double quotes and line breaks in your DKIM public key.
DMARC Record
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. DMARC helps receiving email servers identify legitimate emails and prevents your domain name from being used in email spoofing.
To create a DMARC record, click the DMARC box. You only need to change two things in the DMARC record.
- Set the percentage to 100%.
- Enter an email address to receive aggregate feedback. (This email address should exist.)
The above DMARC record is a safe starting point. To see the full explanation of DMARC, please check the following article.
After creating the necessary DNS records, click the Check records button to check the syntax of your DNS zone. If there are syntax errors in the zone file, you need to fix them, or this zone won’t be loaded. Also, click the Apply Zone or Apply Configuration button in the upper-right corner to apply your changes.
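To make the result of the steps above concrete, here is an added example (not from the original article or from Webmin): a constructed zone file for example.com in the shape Webmin writes from the records described above, plus a small lint that checks the properties this tutorial relies on before you click Check records and Apply Zone: at least two NS records, an address record for every name server, an SPF record that does not end in +all, a DMARC policy and a DKIM public key. The addresses are documentation ranges (203.0.113.0/24, 2001:db8::/32) and the DKIM key is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original article or from Webmin: a constructed
# zone file for example.com plus a lint for the records the tutorial asks for.
# Addresses are documentation ranges and the DKIM key is a placeholder.

write_sample_zone() {
    # $1 = path to write, $2 = "good" (complete) or "bad" (ns2 glue missing, SPF +all)
    cat > "$1" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2024010101 ; serial, must increase on every change
        3600       ; refresh
        900        ; retry
        604800     ; expire
        300 )      ; negative-answer TTL
@               IN NS   ns1.example.com.
@               IN NS   ns2.example.com.
ns1             IN A    203.0.113.10
@               IN A    203.0.113.10
www             IN CNAME example.com.
@               IN MX   0 mail.example.com.
mail            IN A    203.0.113.10
mail            IN AAAA 2001:db8::10
dkim._domainkey IN TXT  "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"
_dmarc          IN TXT  "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example.com"
EOF
    if [ "$2" = "good" ]; then
        printf '%s\n' 'ns2             IN A    203.0.113.20' \
            '@               IN TXT  "v=spf1 mx ip4:203.0.113.10 ~all"' >> "$1"
    else
        printf '%s\n' '@               IN TXT  "v=spf1 mx +all"' >> "$1"
    fi
}

lint_zone() {
    # $1 = zone file, $2 = zone name without trailing dot. Returns 0 if every check passes.
    zone=$1; origin=$2; rc=0

    # At least two NS records, as the NS Record section requires
    ns_count=$(awk '$2=="IN" && $3=="NS" {n++} END {print n+0}' "$zone")
    if [ "$ns_count" -lt 2 ]; then
        echo "FAIL: only $ns_count NS record(s); a zone needs at least two"; rc=1
    fi

    # Every name server listed in an NS record needs its own A/AAAA record
    for host in $(awk '$2=="IN" && $3=="NS" {print $4}' "$zone"); do
        short=${host%."$origin".}
        if ! awk -v h="$short" -v f="$host" \
            '$2=="IN" && ($3=="A" || $3=="AAAA") && ($1==h || $1==f) {found=1} END {exit !found}' "$zone"; then
            echo "FAIL: name server $host has no A/AAAA record in the zone"; rc=1
        fi
    done

    # SPF must exist on the apex and end in ~all or -all; +all lets anyone send as the domain
    spf=$(grep -E '^@[[:space:]]+IN[[:space:]]+TXT[[:space:]]+"v=spf1' "$zone" || true)
    case "$spf" in
        *'~all"'|*'-all"') ;;
        *) echo "FAIL: SPF record missing or does not end in ~all/-all"; rc=1 ;;
    esac

    # DMARC record with a policy tag, and at least one DKIM selector with a public key
    grep -qE '^_dmarc[[:space:]]+IN[[:space:]]+TXT[[:space:]]+"v=DMARC1;.*p=' "$zone" \
        || { echo "FAIL: _dmarc TXT record missing or has no p= tag"; rc=1; }
    grep -qE '^[a-z0-9]+\._domainkey[[:space:]]+IN[[:space:]]+TXT[[:space:]]+"v=DKIM1;.*p=' "$zone" \
        || { echo "FAIL: no DKIM selector TXT record with a p= public key"; rc=1; }

    return $rc
}

# Usage: lint a complete zone and a deliberately broken one
good=$(mktemp); bad=$(mktemp)
write_sample_zone "$good" good
write_sample_zone "$bad" bad
lint_zone "$good" example.com && echo "complete zone: all checks passed"
if lint_zone "$bad" example.com; then echo "unexpected: broken zone passed"; else echo "broken zone rejected as expected"; fi
rm -f "$good" "$bad"
```

The lint is deliberately independent of BIND, so it can run on a copy of the zone file pulled from the master before Apply Zone; Webmin’s own Check records button still has the last word on syntax.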
Allow Zone Transfer From Slave DNS Server
Click the Edit Zone Options box on the Edit Master Zone page, then turn on Notify slaves of changes and enter the slave DNS server’s IP address in the Allow transfer from field. Also, enter 0.0.0.0/0 in the Allow queries from field so that the whole Internet is allowed to send DNS queries.
Save your changes. Then restart BIND9 on the master DNS server.
sudo systemctl restart bind9
or
sudo systemctl restart named
Also, you need to open TCP and UDP port 53 in the firewall. If you are using the Uncomplicated Firewall (UFW), run the following two commands.
sudo ufw allow 53/tcp
sudo ufw allow 53/udp
If you use Firewalld, then run the following two commands.
sudo firewall-cmd --permanent --add-port={53/udp,53/tcp}
sudo systemctl reload firewalld
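The Allow transfer from and Allow queries from settings above are Webmin’s front end for BIND’s allow-transfer and allow-query directives. As an added example (not from the original article or from Webmin), the block below writes the named.conf directives those settings map to twice, once with weak values and once as this tutorial recommends, and runs a small audit over each. The point to take away is that only the slave should be listed in Allow transfer from: allow-transfer { any; } lets any host download the whole zone, and an authoritative server should also have recursion turned off. The slave address 203.0.113.20 (a documentation range) and the zone file path are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article or from Webmin: named.conf
# directives equivalent to the Edit Zone Options settings, weak and hardened,
# plus an audit that flags the weak ones. Addresses and paths are constructed.

write_named_conf() {
    # $1 = output path, $2 = "weak" or "hardened"
    if [ "$2" = "hardened" ]; then
        cat > "$1" <<'EOF'
options {
    recursion no;                       // authoritative only: never resolve on behalf of strangers
    allow-query { any; };               // "Allow queries from" 0.0.0.0/0: the whole Internet may ask
    allow-transfer { none; };           // no zone transfers unless a zone opens them explicitly
};
zone "example.com" {
    type master;
    file "/var/lib/bind/example.com.hosts";
    notify yes;                         // "Notify slaves of changes"
    also-notify { 203.0.113.20; };
    allow-transfer { 203.0.113.20; };   // "Allow transfer from": the slave only
};
EOF
    else
        cat > "$1" <<'EOF'
options {
    recursion yes;                      // open resolver, abusable for reflection attacks
    allow-query { any; };
};
zone "example.com" {
    type master;
    file "/var/lib/bind/example.com.hosts";
    allow-transfer { any; };            // anyone on the Internet can download the whole zone
};
EOF
    fi
}

audit_named_conf() {
    # $1 = named.conf-style file. Prints one FINDING line per weak setting; returns 1 if any.
    conf=$1; rc=0
    body=$(sed 's#//.*##' "$conf")    # drop // comments so commented-out directives are ignored
    if printf '%s\n' "$body" | grep -qE 'allow-transfer[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
        echo "FINDING: allow-transfer { any; } lets any host download the zone"; rc=1
    fi
    if ! printf '%s\n' "$body" | grep -qE 'allow-transfer[[:space:]]*\{'; then
        echo "FINDING: no allow-transfer ACL at all; BIND has historically defaulted to any"; rc=1
    fi
    if printf '%s\n' "$body" | grep -qE 'recursion[[:space:]]+yes[[:space:]]*;'; then
        echo "FINDING: recursion yes on an authoritative server (open resolver)"; rc=1
    fi
    if ! printf '%s\n' "$body" | grep -qE '^[[:space:]]*notify[[:space:]]+yes[[:space:]]*;'; then
        echo "FINDING: notify is not yes; slaves only learn of changes at the SOA refresh interval"; rc=1
    fi
    return $rc
}

# Usage: audit both variants
weak=$(mktemp); hard=$(mktemp)
write_named_conf "$weak" weak
write_named_conf "$hard" hardened
echo "--- weak ---";     audit_named_conf "$weak" || true
echo "--- hardened ---"; audit_named_conf "$hard" && echo "no findings"
rm -f "$weak" "$hard"
```

On a real server the same audit can be pointed at the output of named-checkconf -p, which prints the effective configuration with all includes expanded.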
Slave DNS Server Configuration
Now we use the other server as the slave DNS server, which will be named ns2.example.com.
Log into the Webmin dashboard of the slave DNS server. Go to Servers -> BIND DNS Server and click Create slave zone.
If you can’t find BIND DNS Server under the Servers menu, it means BIND isn’t installed yet. Go to the Un-used Modules menu and install BIND.
After clicking the Create slave zone button, you need to enter the details of this zone.
- Leave the Zone type field set to Forward. A forward zone translates hostnames to IP addresses. A reverse zone translates IP addresses to hostnames.
- In the Domain name/Network field, enter the name of this zone such as your domain name (without any trailing dot).
- Leave the Records file field set to Automatic.
- In the Master server field, enter the IP address of the master DNS server for this zone.
- Leave the other fields at their default settings.
Click the Create button and the slave zone will be created. Next, click the Edit Zone Options box on the Edit Slave Zone page, then turn on Notify slaves of changes and enter the slave DNS server’s IP address in the Allow transfer from field. Also, enter 0.0.0.0/0 in the Allow queries from field so that the whole Internet is allowed to send DNS queries.
Save the changes. Then restart BIND9 on the slave DNS server.
sudo systemctl restart named
or
sudo systemctl restart bind9
Also, you need to open TCP and UDP port 53 in the firewall. If you are using the Uncomplicated Firewall (UFW), run the following two commands.
sudo ufw allow 53/tcp
sudo ufw allow 53/udp
If you use Firewalld, then run the following two commands.
sudo firewall-cmd --permanent --add-port={53/udp,53/tcp}
sudo systemctl reload firewalld
The zone file on the slave DNS server is loaded from a zone transfer, which is used to synchronize DNS record changes from the master DNS server to the slave DNS server. After BIND9 restarts, the zone transfer will start immediately. You can also manually start a zone transfer by clicking the Apply Zone or Apply Configuration button in the upper-right corner on the master DNS server.
Checking Zone Transfers
Check the BIND9 log with the following command.
sudo journalctl -eu named
or
sudo journalctl -eu bind9
You should see messages like the one below, which indicate that the zone transfer was successful.
named[31518]: transfer of 'example.com/IN' from 12.34.56.78#53: Transfer completed: 1 messages, 16 records, 886 bytes, 0.004 secs (221500 bytes/sec)
If you see the following error in the log, it’s probably because you didn’t restart BIND9.
bad zone transfer request: 'example.com/IN': non-authoritative zone (NOTAUTH)
More about Zone Transfer
The slave DNS server will contact the master again when the refresh time in the SOA record is reached, and if the serial number on the master is greater than that on the slave, a zone transfer will be initiated. There are two types of zone transfers:
- Full zone transfer (AXFR): The full copy of the zone file is transferred.
- Incremental zone transfer (IXFR): Only DNS records that are changed are transferred.
Both types of zone transfer use TCP port 53. By default, BIND on the slave DNS server will request an incremental zone transfer, and BIND on the master DNS server will only allow an incremental zone transfer when the zone is dynamic.
The zone transfer interval is a major factor of the propagation speed of DNS record changes. Instead of waiting for the slave DNS server to make contact, the BIND master will notify the slave when changes are made to the zone. This can considerably reduce the time to propagate zone changes to the Internet.
Reverse Zone
A reverse zone contains PTR records, which map an IP address to a DNS name. The PTR record is the counterpart of the A record, and it is often necessary for mail servers to pass spam filters. This record does not belong to your domain’s zone: you need to create the PTR record in your hosting provider’s control panel, or ask your ISP, so I’m not going to cover creating reverse zones in BIND.
Change NS Record and Create Glue Record
Now you need to go to your domain registrar’s website to change the NS record for your domain, so that the Internet knows you are now using your own DNS servers. Normally you use hostnames in the NS record, like ns1.example.com and ns2.example.com.
name server 1: ns1.example.com
name server 2: ns2.example.com
If you have a domain name example.com and you use subdomains of it for the authoritative DNS servers (ns1.example.com and ns2.example.com), then you also need to create glue records at your domain registrar, so the Internet can learn the IP addresses of your DNS servers. A glue record is an A record for ns1.example.com and ns2.example.com.
ns1.example.com IP-address-of-master-server
ns2.example.com IP-address-of-slave-server
The above information will be sent to a registry operator who runs TLD DNS servers via the Extensible Provisioning Protocol (EPP), so that TLD DNS servers know the hostnames and IP addresses of the authoritative DNS servers for your domain name. Depending on the domain registrar you use, your NS record might be propagated instantly, or it might take up to 24 hours to propagate. You can go to https://dnsmap.io to check if your new NS record is active.
I will show you how to do this at NameCheap.
If you bought a domain name at NameCheap, then log into your NameCheap account. Select the Domain List menu on the left sidebar, then click the Manage button on the far right.
Select Advanced DNS.
Scroll to the bottom of the page and you will find the Personal DNS Server section. Click the Add Nameserver button to add your own name servers, ns1.example.com and ns2.example.com. You need to enter the IP addresses of your name servers.
After adding your two name servers, click the search button to check if they are added successfully. If so, the glue records will appear at the bottom of this page.
Now click the Domain tab, and select your custom DNS servers.
After the NS record and glue records have propagated to the Internet, your DNS servers will respond to DNS queries for your domain name. You can check the query log with:
sudo journalctl -eu bind9
You can also use the dig utility to check the NS record of your domain name.
dig NS example.com
If the NS record and glue records have propagated to the Internet, you should see your name servers in the answer section. If you see the SERVFAIL error, it’s probably because you didn’t open UDP port 53 on your name servers.
Things to Know
- The term master DNS server only implies that this server stores the master copy of the zone file. It has no higher priority when it comes to DNS resolution.
- Always update the SOA serial number when you make changes to a zone file.
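The two rules about the serial number on this page, that the slave transfers only when the master’s serial is greater (More about Zone Transfer) and that the serial must be updated on every change (the second point above), are easy to get wrong by hand when Webmin is not the one editing the file. As an added example (not from the original article), the block below implements both: next_soa_serial produces the serial to write after an edit using the YYYYMMDDnn convention, and slave_needs_transfer decides whether a master serial counts as newer using RFC 1982 serial arithmetic, the comparison BIND actually performs, rather than a plain numeric comparison. The dates and serials used are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: SOA serial bumping and the
# serial comparison a slave performs before starting a zone transfer.
# All dates and serial values below are constructed.

next_soa_serial() {
    # $1 = serial currently in the zone, $2 = today's date as YYYYMMDD.
    # Prints the serial to use for this edit (YYYYMMDDnn convention).
    current=$1; today=$2
    base=$((today * 100))               # YYYYMMDD00 for today
    if [ "$current" -lt "$base" ]; then
        echo $((base + 1))              # first change today: YYYYMMDD01
    else
        echo $((current + 1))           # same-day change, or a serial already ahead of today:
    fi                                  # just increment; any increase is valid for BIND
}

slave_needs_transfer() {
    # $1 = serial the master advertises, $2 = serial the slave holds.
    # Returns 0 (true) when the master serial is "greater" in RFC 1982 terms,
    # which is exactly when the slave will start a zone transfer. Serials are
    # 32-bit, so the comparison wraps: 5 is newer than 4294967290.
    master=$1; slave=$2
    d=$(( (master - slave) % 4294967296 ))
    [ "$d" -lt 0 ] && d=$((d + 4294967296))    # normalise to 0 .. 2^32-1
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]   # ahead by less than 2^31
}

# Usage
echo "serial after an edit on 2024-01-02: $(next_soa_serial 2024010103 20240102)"   # 2024010201
if slave_needs_transfer 2024010201 2024010103; then echo "slave will transfer"; fi
if ! slave_needs_transfer 2024010103 2024010103; then echo "serials equal: no transfer"; fi
if slave_needs_transfer 5 4294967290; then echo "wrapped serial 5 is newer than 4294967290"; fi
```

If a serial is accidentally set far too high (for example a stray extra digit), the wrap-around in slave_needs_transfer is also what makes a smaller, corrected serial look older to the slaves; that is the case where the serial has to be walked back in two steps rather than simply reduced.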
Using Wildcard in BIND Zone File
If you want to point all subdomains to the same IP address, you can use a wildcard record. For example, the following line makes all your subdomains point to the IP address 1.2.3.4.
*.your-domain.com IN A 1.2.3.4
Wrapping Up
That’s it! I hope this tutorial helped you set up authoritative DNS server with Webmin. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂
Hi,
Thank you so much for the great topic.
Thank you, such a great article and well explained.
What about red font Xiao, is that error? Thank you..
Looks like it’s a syntax error.
Thank you for your tutorial. I successfully followed your tutorial except for the slave DNS part. Can we only have a master DNS?
Yes, you can.
Just one Master DNS server will do the job, but if for whatever reason it goes down, nobody will be able to resolve your domains.
A slave DNS server will act as a backup in this case.
Hello thank for the awesome detailed tutorial.
I have a question.
How do I get the DKIM record mentioned in this article?
Ubuntu: How to Set up SPF and DKIM with Postfix on Ubuntu Server
CentOS/RHEL: Set Up SPF and DKIM with Postfix on CentOS 8/RHEL 8 Mail Server
Hello sir.
I have a question.
If we input a public IP, don’t we need to create a reverse master zone?
Can you explain why we don’t need to create a reverse master zone?
Sorry, my English is bad.
I have an issue on my mail server. It always gives the error "don’t have rDNS". Does it make sense if I remove the reverse master zone?
Thanks in advance.
Hello, how can we export records to Excel?