vestacp open: /etc/named.conf: permission denied

This was the error I was getting after making a small change to named.conf on my newly installed Vesta control panel. When restarting named, I got this:

[root@vesta2 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2022-08-01 14:37:25 +06; 6s ago
Process: 3478 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=1/FAILURE)
Process: 3475 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Aug 01 14:37:25 vesta2.geospacehosting.com named[3480]: found 2 CPUs, using 2 worker threads
Aug 01 14:37:25 vesta2.geospacehosting.com named[3480]: using 1 UDP listener per interface
Aug 01 14:37:25 vesta2.geospacehosting.com named[3480]: using up to 21000 sockets
Aug 01 14:37:25 vesta2.geospacehosting.com named[3480]: loading configuration from '/etc/named.conf'
Aug 01 14:37:25 vesta2.geospacehosting.com named[3480]: open: /etc/named.conf: permission denied
Aug 01 14:37:25 vesta2.geospacehosting.com named[3480]: loading configuration: permission denied
Aug 01 14:37:25 vesta2.geospacehosting.com systemd[1]: named.service: control process exited, code=exited status=1
Aug 01 14:37:25 vesta2.geospacehosting.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Aug 01 14:37:25 vesta2.geospacehosting.com systemd[1]: Unit named.service entered failed state.
Aug 01 14:37:25 vesta2.geospacehosting.com systemd[1]: named.service failed.

Solution:

Note what the log actually says: the ExecStartPre syntax check (named-checkconf) passed because it ran with root privileges, while named itself is started with -u named and must be able to open /etc/named.conf as the unprivileged named user, inside its SELinux domain (named_t). "open: /etc/named.conf: permission denied" therefore comes from the file itself: either its SELinux label is no longer named_conf_t (typical after copying a file in from /root or over scp) or its mode does not let the named user read it. Check both with ls -Z /etc/named.conf and ls -l /etc/named.conf, then apply the two fixes.

Step-1: Restore the default SELinux context from the policy (-R recursive, -F force, -v show what changed):

restorecon -RFv /etc/named.conf

Step-2: Set a mode the named user can read (root-owned, world-readable):

chmod 644 /etc/named.conf

Then systemctl restart named.service. If it still fails, ausearch -m avc -ts recent shows the exact denial. If your named.conf embeds secrets (for example an rndc key), chown root:named and chmod 640 keeps it readable by named only.
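As an added diagnostic (not part of the original post), the following POSIX shell script checks the two things that produce this error, the DAC mode/ownership and the SELinux label, and prints the matching fix. It assumes GNU coreutils stat (Linux), a BIND service user called named, and that the targeted policy's label for /etc/named.conf is named_conf_t; the permission-bit logic is separated out so it can be exercised without touching real files.

```shell
#!/bin/sh
# Added example: diagnose why named (user "named") cannot open its config.
# Assumes GNU coreutils stat (Linux); SELinux checks run only if getenforce exists.

# readable_by_user MODE OWNER GROUP USER USERGROUP
# Pure permission-bit logic (MODE is octal as printed by stat %a, e.g. 640):
# returns 0 if USER, whose primary group is USERGROUP, may read the file under DAC.
readable_by_user() {
  mode=$1; owner=$2; group=$3; user=$4; ugroup=$5
  while [ ${#mode} -lt 4 ]; do mode=0$mode; done   # pad to 4 digits: suid/sgid/sticky, u, g, o
  u=$(printf '%s' "$mode" | cut -c2)   # owner digit
  g=$(printf '%s' "$mode" | cut -c3)   # group digit
  o=$(printf '%s' "$mode" | cut -c4)   # other digit
  if   [ "$owner" = "$user" ];   then [ $((u & 4)) -ne 0 ]
  elif [ "$group" = "$ugroup" ]; then [ $((g & 4)) -ne 0 ]
  else                                [ $((o & 4)) -ne 0 ]
  fi
}

# named_conf_check [PATH] [USER]: report DAC and SELinux state; 0 if both look fine.
named_conf_check() {
  f=${1:-/etc/named.conf}; user=${2:-named}; rc=0
  info=$(stat -c '%a %U %G' "$f") || return 1
  set -- $info                                   # $1=mode $2=owner $3=group
  ugroup=$(id -gn "$user" 2>/dev/null || echo "$user")
  if readable_by_user "$1" "$2" "$3" "$user" "$ugroup"; then
    echo "DAC ok: $f is mode $1, $2:$3, readable by $user"
  else
    echo "DAC problem: $f is mode $1, $2:$3, not readable by $user -> chmod 644 $f"; rc=1
  fi
  # A wrong label (e.g. admin_home_t on a file copied in from /root) is denied by
  # SELinux even when the mode is 644, so check the label separately.
  if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != Disabled ]; then
    ctx=$(stat -c '%C' "$f")                     # GNU stat: SELinux context of the file
    case $ctx in
      *named_conf_t*) echo "SELinux ok: $ctx" ;;
      *) echo "SELinux label $ctx, expected named_conf_t -> restorecon -RFv $f"; rc=1 ;;
    esac
  fi
  return $rc
}

# Usage: sh named_conf_check.sh --run [/etc/named.conf] [named]
if [ "${1:-}" = --run ]; then named_conf_check "$2" "$3"; fi
```

Run it as root on the Vesta host; each failing check names the command from the steps above that clears it.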

Build an openDNS recursive resolver DNS using Bind

It’s a small thing, but some people may find it useful to run a public DNS resolver the way Google runs 8.8.8.8. You can build a recursive resolver with BIND and serve the whole world (instead of only your own network users! 🙂 )

Install Bind

apt install bind9 bind9utils -y

It’s pretty simple: all you need is the bind package installed and some very basic configuration like the following.

nano /etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

nano /etc/bind/named.conf.options
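The excerpt stops before the options file, so here, as an added example rather than the post's own configuration, is a named.conf.options for a resolver that is deliberately open to everyone, written out by a small shell helper. An open recursive resolver is the classic reflector for DNS amplification attacks, so the example keeps the settings that limit the damage: BIND's response rate limiting (rate-limit), minimal-any, and allow-transfer { none; }. The Debian paths and the rate-limit numbers are assumptions and a starting point, not tuned values.

```shell
#!/bin/sh
# Added example: write a named.conf.options for a public (open) recursive resolver.
# Assumes the Debian/Ubuntu bind9 layout (/etc/bind, /var/cache/bind).
write_resolver_options() {   # write_resolver_options [PATH]
  out=${1:-/etc/bind/named.conf.options}
  cat > "$out" <<'EOF'
options {
    directory "/var/cache/bind";

    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };      // this line is what makes it a public resolver
    allow-transfer  { none; };     // never hand out zone data

    // Response Rate Limiting: caps identical answers per client /24 (IPv6 /56)
    // so the server is a poor amplification reflector. "slip 2" turns every
    // second dropped response into a truncated (TC) reply, so real clients
    // retry over TCP while spoofed UDP sources get nothing useful.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
    };
    minimal-any yes;               // RFC 8482 style short answers to ANY (BIND 9.11+)

    dnssec-validation auto;
    listen-on    { any; };
    listen-on-v6 { any; };
};
EOF
  # Syntax-check when BIND is installed; a no-op elsewhere.
  if command -v named-checkconf >/dev/null 2>&1; then named-checkconf "$out"; fi
}
```

After rndc reload, test from outside your own network with dig @your.public.ip example.com and watch the rate-limit log category for drops; if you see none under a flood test, the limits are too generous.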


DNS Slave Using Virtualmin

DNS Slave Auto-Configuration Quickstart

A quick guide to assist administrators who want to use Virtualmin’s automatic DNS slave configuration features. This allows for DNS server redundancy.

Introduction

Virtualmin can automatically manage any number of DNS slave servers for you. Once configured, it will create slave zones on other servers and configure them to automatically update when changes are made on your Virtualmin server. For this to work, you need Virtualmin on your primary server and Webmin (a free download) on your slave server(s). Henceforth, all references will refer to the primary server as the “Virtualmin server” and the DNS slave server as the “slave server”.

Getting Webmin for the Slave

If you don’t have Virtualmin installed on your slave server(s), you’ll need to install Webmin. Webmin is available for nearly every UNIX and Linux variant available, and is free to download and use.


DNS Forwarder and Transfer using Bind and Webmin

To point your BIND-based DNS server at the OpenDNS resolvers for external resolution, you need to modify named.conf.options and add the OpenDNS resolvers as forwarders. This can be done in two ways:

via the command line, Shell\SSH
via a GUI if you have Webmin installed on your BIND server

Shell\SSH Instructions

Attach directly to your server or ssh to it. From there, go into /etc/bind/. This is the default location, so you may need to change it based on your configuration.

From there you will need to edit named.conf.options with your favorite text editor.
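The excerpt ends before the edit itself, so here is the forwarding configuration as an added example (not the post's own file): a named.conf.options that sends every external lookup to OpenDNS and, unlike the open resolver above, only recurses for the local networks. The Debian path is an assumption; 208.67.222.222 and 208.67.220.220 are OpenDNS's published resolver addresses.

```shell
#!/bin/sh
# Added example: named.conf.options that forwards all external lookups to OpenDNS.
# Assumes the Debian /etc/bind layout.
write_forwarder_options() {   # write_forwarder_options [PATH]
  out=${1:-/etc/bind/named.conf.options}
  cat > "$out" <<'EOF'
options {
    directory "/var/cache/bind";

    forwarders {
        208.67.222.222;            // OpenDNS
        208.67.220.220;            // OpenDNS
    };
    forward only;                  // never fall back to iterative resolution ourselves

    recursion yes;
    // Recursion for our own networks only; without this the server is an open
    // forwarder that anyone on the Internet can use and abuse.
    allow-recursion { localhost; localnets; };
    // If this server is also authoritative for public zones, keep
    // allow-query { any; } and restrict only allow-recursion.
    allow-query     { localhost; localnets; };
    allow-transfer  { none; };
};
EOF
  if command -v named-checkconf >/dev/null 2>&1; then named-checkconf "$out"; fi
}
```

Reload with rndc reload and confirm the path with dig @127.0.0.1 example.com: the answer should arrive with the forwarder's, not the root servers', latency, and a query from an address outside localnets should be REFUSED.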


BIND ACL to restrict zone transfer by IP address

You need to define an ACL in /etc/named.conf or /etc/bind/named.conf.local. Let us say that IP addresses 1.2.3.4 and 1.2.3.5 are the only ones allowed to transfer your zones.

# vi named.conf or vi /etc/bind/named.conf.local

Here is a sample entry for the domain domain.org.bd (ns1 configuration):

acl trusted-servers {
    1.2.3.4;   // ns1
    1.2.3.5;   // ns2
};

zone "domain.org.bd" {
    type master;
    file "/var/lib/bind/domain.org.bd.hosts";
    also-notify { 1.2.3.5; };
    notify yes;
    allow-transfer { trusted-servers; };
};
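To confirm the ACL actually bites, request a transfer from an address inside and from one outside trusted-servers. The helper below is an added example, not from the post: it runs dig AXFR and classifies dig's output, which ends in ";; XFR size: ..." on success and prints "; Transfer failed." when the server refuses. The dig outputs in the accompanying checks are constructed. Bear in mind that an IP ACL trusts whoever presents that source address; signing transfers with a TSIG key (allow-transfer { key ns2-key; }) ties them to a shared secret instead.

```shell
#!/bin/sh
# Added example: verify allow-transfer from the client side.
# Assumes dig (bind9-dnsutils / bind-utils) is installed.

# classify_axfr DIG_OUTPUT -> allowed | refused | unknown
# dig prints ";; XFR size: N records ..." after a successful AXFR and
# "; Transfer failed." when the server refuses or drops the request.
classify_axfr() {
  case $1 in
    *"Transfer failed."*) echo refused ;;
    *"XFR size:"*)        echo allowed ;;
    *)                    echo unknown ;;   # timeout, no route, dig missing, ...
  esac
}

# check_axfr SERVER ZONE [SOURCE_IP]: run the transfer attempt and classify it.
# SOURCE_IP (dig -b) lets a multi-homed host test from a specific address.
check_axfr() {
  srv=$1; zone=$2; src=${3:+-b $3}
  classify_axfr "$(dig $src "@$srv" "$zone" AXFR +time=5 +tries=1 2>&1)"
}

# Expected against ns1 once the ACL above is loaded (rndc reload):
#   from 1.2.3.5:        check_axfr 1.2.3.4 domain.org.bd   -> allowed
#   from any other host: check_axfr 1.2.3.4 domain.org.bd   -> refused
```

Run named-checkconf -z before the reload; a typo in the acl name silently yields an empty list, which you only notice when the legitimate secondary's transfer is refused too.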


Publishing long DKIM (domain key) TXT records in bind9

If BIND rejects a TXT record because the data is too long, split the data into several quoted strings: each string in a TXT record may hold at most 255 characters, and BIND joins consecutive strings inside parentheses into one record. Also make sure the DKIM tag/value pairs are separated by semicolons, not commas. The record then looks like this:

a9d04665528b593d263a6e5256648c99._domainkey IN 1800 TXT (
    "k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz2/ZfhxSI/A"
    "bqgh0amM8ylrlosirWeKShUhq7fg12aYmRwOqq9hIzO0Fcz1BzfgHVu6HU++rC5"
    "QoUK0JQK/nk4jwkDgvG2di2ZYmAvEbY/VeiK1x/TG0p1Iczr2k6Bj0gEAb/YGD2"
    "YbwrwAi4bDXwoPsYuuNn9TB3jjyWKu/dvOsqhff1/4Wc+FkOi0ClvgrXiklN28X"
    "TLjyjSyU794ntIoegXxrfwcwkhfPMvuqcnhfIC0Z8L71M4WR4SoHyNHVfBtNlUv"
    "VNROiXlMxtxnNQvfViSwz6LC8bYIxeAba3hSXPTChKu3qZtfR0o3jFwEWAfLQdg"
    "Ixler0jMEoAyJmfQIDAQAB" )
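Splitting by hand is error-prone, so here is an added helper (not from the post) that cuts any string into quoted pieces of at most 255 bytes and wraps a DKIM public key into a complete TXT record. The selector name and TTL in the usage are assumptions; the record uses semicolon-separated tags with v=DKIM1 first, as RFC 6376 requires when the v tag is present. A 2048-bit RSA key encodes to about 392 base64 characters, so it always needs at least two strings.

```shell
#!/bin/sh
# Added example: build BIND TXT records whose data exceeds one 255-byte string.

# split_txt STRING [MAX] -> STRING as space-separated quoted pieces of at most MAX bytes.
# Base64 and DKIM tags contain no backslashes or quotes, which is what awk -v assumes.
split_txt() {
  awk -v s="$1" -v n="${2:-255}" 'BEGIN {
    out = ""
    for (i = 1; i <= length(s); i += n)
      out = out (i > 1 ? " " : "") "\"" substr(s, i, n) "\""
    print out
  }'
}

# dkim_txt_rr SELECTOR PUBKEY_B64 [TTL] -> one zone-file line for SELECTOR._domainkey
dkim_txt_rr() {
  sel=$1; key=$2; ttl=${3:-1800}
  data="v=DKIM1; k=rsa; p=$key"   # tags separated by ';' (RFC 6376); v must come first
  printf '%s._domainkey %s IN TXT ( %s )\n' "$sel" "$ttl" "$(split_txt "$data")"
}

# Usage (hypothetical selector and a truncated key shown for illustration):
#   dkim_txt_rr 2022aug MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...
#   dkim_txt_rr 2022aug "$(sed -e '1d;$d' dkim.pub.pem | tr -d '\n')" >> domain.org.bd.hosts
```

The pieces are emitted on one line, which BIND accepts just as well as the multi-line form above; named-checkzone on the zone file, then dig TXT 2022aug._domainkey.yourdomain +short, shows the strings rejoined.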



List all DNS records from a Nameserver using nslookup

Method-1)
How to list all records below some domain name.

Usually it's done from interactive nslookup mode, not from batch mode:

nslookup - your_dns_server
>set q=any
>ls -d domain.name

ls -d asks the server for a zone transfer (AXFR). Only the Windows nslookup implements it; the BIND nslookup shipped on Unix reports the command as not implemented, and dig @your_dns_server domain.name AXFR is the equivalent there. Listing may also be prohibited by the administrator (allow-transfer) or by a firewall, in which case you get empty output or a 'Transfer failed' error.

Method-2)
How to get all records of the domain name itself (not the names below it). On Windows:

nslookup -"set q=all" yourdomain.com

on Unix:

nslookup -q=any yourdomain.com

Many servers no longer answer ANY in full (RFC 8482 permits a minimal answer), so if you get a single record back, query the individual types instead.
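When both AXFR and ANY are refused, the remaining option is to ask for each record type separately. This added example (not from the post) does that with dig; it assumes dig is installed and lets the DIG variable point at another command so the logic can be exercised without a network. It finds the records at the name itself, not names below it, which is what only a zone transfer gives you.

```shell
#!/bin/sh
# Added example: enumerate a domain's records one type at a time, for servers
# that refuse AXFR and answer ANY minimally. Assumes dig is installed.
RRTYPES="SOA NS A AAAA MX TXT CNAME SRV CAA"

# query_type SERVER DOMAIN TYPE -> lines of "DOMAIN TYPE rdata" (nothing if no answer)
query_type() {
  ${DIG:-dig} "@$1" +short +time=3 +tries=1 "$2" "$3" 2>/dev/null |
    sed "s/^/$2 $3 /"
}

# list_records SERVER DOMAIN: walk RRTYPES in order
list_records() {
  for t in $RRTYPES; do query_type "$1" "$2" "$t"; done
}

# count_records SERVER DOMAIN -> number of records found across all types
count_records() { list_records "$1" "$2" | wc -l | tr -d ' '; }

# dig equivalents of the nslookup commands in the post:
#   dig @your_dns_server domain.name AXFR      # what 'ls -d' does (zone transfer)
#   dig @your_dns_server yourdomain.com ANY    # what 'set q=any' does
# Usage: list_records 8.8.8.8 example.com
```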