
Set up a Secondary Zone with STACKIT DNS

In this tutorial you will learn how to set up a secondary zone within the STACKIT DNS anycast network.

By following this guide you will set up a STACKIT server instance running Ubuntu Linux with a bind9 DNS server acting as a hidden primary. Access from the internet is denied by security groups; only the STACKIT DNS anycast name servers are allowed to query the node and to transfer zones via AXFR. With this setup you manage your zones on the hidden primary while they are distributed globally and shielded by the STACKIT DNS anycast servers at the same time.

For the purpose of this guide, create a server instance with the latest Ubuntu image. A small boot volume of 5-10 GB and a small flavor are sufficient. Upload your SSH public key and attach a public IP to the instance. Make sure you can reach the instance from your SSH client by allowing access to TCP port 22 from your client IP only.

For further information see Creating a new STACKIT Server instance.

Use the following commands to install bind9 for the DNS primary:

Terminal window
sudo apt update -y
sudo apt install -y bind9 bind9utils

Enable extended logging and configure the primary zone as master. We use myzone.test. for the purpose of this tutorial. Configure explicit notifies to the STACKIT anycast name server and allow dynamic zone updates from localhost only. Note that this zone statement does not restrict zone transfers with allow-transfer; in this setup the security group is what keeps everyone except the anycast server from pulling the zone. For defense in depth you can additionally limit allow-transfer in the zone statement to the same address. Replace the contents of /etc/bind/named.conf.local (it is included by /etc/bind/named.conf on Ubuntu) with the following:

logging {
    // send transfer, notify and general messages to syslog so journalctl shows them
    category xfer-out     { default_syslog; };
    category xfer-in      { default_syslog; };
    category notify       { default_syslog; };
    category lame-servers { default_syslog; };
    category general      { default_syslog; };
    category default      { default_syslog; };
};

zone "myzone.test" IN {
    type master;
    file "/var/cache/bind/myzone.test.db";
    // notify only the address listed in also-notify, not the NS set of the zone
    notify explicit;
    also-notify { 83.136.34.51; };
    // dynamic updates (nsupdate) are accepted from the local host only
    allow-update { 127.0.0.1; };
};

Create the initial content of your primary zone in the file /var/cache/bind/myzone.test.db:

; Zone file for myzone.test.
;
; The full zone file
;
$ORIGIN myzone.test.
$TTL 3600
; SOA: primary name, hostmaster mailbox, serial, refresh, retry, expire, negative-cache TTL
@       3600 IN SOA   myzone.test. hostmaster.myzone.test. 2023051000 7200 3600 1209600 30
@       3600 IN NS    ns1.stackit.cloud.
@       3600 IN NS    ns2.stackit.zone.
; placeholder records; replace the loopback addresses with your real hosts
www          IN A     127.0.0.1
www          IN AAAA  ::1

Check the configuration, reload bind9 and verify that your zone is being served. named-checkconf validates only named.conf; named-checkzone myzone.test /var/cache/bind/myzone.test.db checks the zone file itself and is worth running before the reload:

Terminal window
sudo named-checkconf
sudo systemctl reload named
dig +short myzone.test. SOA @127.0.0.1

You should get:

myzone.test. hostmaster.myzone.test. 2023051000 7200 3600 1209600 30

And do a second test:

Terminal window
dig +short www.myzone.test. @127.0.0.1

You should get:

127.0.0.1

To let the STACKIT DNS anycast server transfer the zone from your primary, allow DNS queries and zone transfers from that address only (AXFR runs over TCP; SOA queries and notify responses use UDP):

  • Add a security group rule allowing TCP ingress on port 53 from 83.136.34.51
  • Add a security group rule allowing UDP ingress on port 53 from 83.136.34.51

Create a new secondary zone in the STACKIT Portal and enter the public IP of your instance as the primary DNS server. For more information see Manage DNS Zones.

You can verify the initial zone transfer in the logs of your primary:

Terminal window
journalctl --unit named --follow

There you should see two lines similar to these:

May 16 12:08:06 primary named[2172]: client @0x7f780c1d1208 83.136.34...#51029 (myzone.test): transfer of 'myzone.test/IN': AXFR started (serial 2023051000)
May 16 12:08:06 primary named[2172]: client @0x7f780c1d1208 83.136.34...#51029 (myzone.test): transfer of 'myzone.test/IN': AXFR ended: 1 messages, 6 records, 213 bytes, 0.004 secs (53250 bytes/sec) (serial 2023051000)
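The two lines above are also where an unauthorized zone transfer would show up, so they are worth watching. The following script is an added example and not part of the STACKIT tutorial: it reads named's journal output and flags every completed AXFR whose client is not on an allowlist that you set to the address(es) your security group admits. The sample log lines embedded in it are constructed to match the format shown above; 198.51.100.23 is a hypothetical unauthorized client.

```shell
#!/bin/sh
# Added example (not from the STACKIT tutorial): audit named's log for zone
# transfers and flag any completed AXFR to a client that is not on the allowlist.
# Set this to the address(es) your security group admits for port 53.
ALLOWED_XFR_CLIENTS="83.136.34.51"

# audit_axfr: reads named log lines on stdin and prints one line per completed
# AXFR, "OK <client> <serial>" or "ALERT <client> <serial>".
# Exit status 1 if at least one ALERT was printed, 0 otherwise.
audit_axfr() {
    awk -v allowed="$ALLOWED_XFR_CLIENTS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            bad = 0
        }
        /transfer of .*AXFR ended/ {
            # the field two after "client" is <ip>#<port>
            client = "?"
            for (i = 1; i < NF - 1; i++)
                if ($i == "client") { split($(i + 2), cp, "#"); client = cp[1] }
            # the serial is the last "(serial NNN)" group on the line
            serial = $0
            sub(/.*\(serial /, "", serial)
            sub(/\).*/, "", serial)
            if (client in ok) {
                print "OK", client, serial
            } else {
                print "ALERT", client, serial
                bad = 1
            }
        }
        END { exit bad }'
}

# sample_log: constructed lines in the format named writes (seen via journalctl).
# The first transfer goes to the allowed anycast address, the second to a
# hypothetical client that the security group should have blocked.
sample_log() {
cat <<'EOF'
May 16 12:08:06 primary named[2172]: client @0x7f780c1d1208 83.136.34.51#51029 (myzone.test): transfer of 'myzone.test/IN': AXFR started (serial 2023051000)
May 16 12:08:06 primary named[2172]: client @0x7f780c1d1208 83.136.34.51#51029 (myzone.test): transfer of 'myzone.test/IN': AXFR ended: 1 messages, 6 records, 213 bytes, 0.004 secs (53250 bytes/sec) (serial 2023051000)
May 16 12:31:44 primary named[2172]: client @0x7f780c1d9ab0 198.51.100.23#40211 (myzone.test): transfer of 'myzone.test/IN': AXFR started (serial 2023051000)
May 16 12:31:44 primary named[2172]: client @0x7f780c1d9ab0 198.51.100.23#40211 (myzone.test): transfer of 'myzone.test/IN': AXFR ended: 1 messages, 6 records, 213 bytes, 0.003 secs (71000 bytes/sec) (serial 2023051000)
EOF
}

# Usage:  journalctl --unit named --no-pager | sh axfr-audit.sh stdin
#         sh axfr-audit.sh demo      (runs against the constructed sample)
case "${1:-}" in
    stdin) audit_axfr ;;
    demo)  sample_log | audit_axfr ;;
esac
```

A non-zero exit status means at least one transfer went to an address outside the allowlist, which would indicate a gap in the security group rules rather than a bind9 problem, since bind9 itself does not restrict transfers in this configuration.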

Now your zone can be resolved globally from the STACKIT DNS anycast network, while direct access to your primary remains blocked. Check from any other internet-facing host that is not covered by the security group rules, for example your workstation (it is admitted on port 22 only):

Terminal window
dig +short myzone.test. SOA @ns1.stackit.cloud.

You should get the following output:

myzone.test. hostmaster.myzone.test. 2023051000 7200 3600 1209600 30

Terminal window
dig +short www.myzone.test. @ns1.stackit.cloud.

You should get the following output:

127.0.0.1

Terminal window
dig +short myzone.test. SOA @<your-public-primary-ip>

You should get the following output:

;; connection timed out; no servers could be reached

Terminal window
dig +short www.myzone.test. @<your-public-primary-ip>

You should get the following output:

;; connection timed out; no servers could be reached

Let's add the record www2.myzone.test. to the zone at your primary with a dynamic update and verify that it resolves locally. Once a zone receives dynamic updates, bind9 records the changes in a journal (myzone.test.db.jnl next to the zone file) and rewrites the zone file itself later; from now on do not edit the zone file by hand unless you run rndc freeze myzone.test first and rndc thaw myzone.test afterwards, otherwise the journal and the file diverge.

Terminal window
nsupdate
> server 127.0.0.1
> zone myzone.test.
> update add www2.myzone.test. 600 IN A 192.0.2.1
> send
> quit
dig +short www2.myzone.test. @127.0.0.1

You should get the following output:

192.0.2.1

Note that bind9 sends notifies for the updated zone, after which the STACKIT DNS network transfers the zone again:

Terminal window
journalctl --unit named --follow

There you should see three lines similar to these:

May 16 12:10:17 rc0-primary-docs named[2496]: zone myzone.test/IN: sending notifies (serial 2023051002)
May 16 12:10:17 rc0-primary-docs named[2496]: client @0x7f8f880a9508 83.136.34.30#36005 (myzone.test): transfer of 'myzone.test/IN': AXFR started (serial 2023051002)
May 16 12:10:17 rc0-primary-docs named[2496]: client @0x7f8f880a9508 83.136.34.30#36005 (myzone.test): transfer of 'myzone.test/IN': AXFR ended: 1 messages, 8 records, 250 bytes, 0.001 secs (250000 bytes/sec) (serial 2023051002)

Now the new record can also be resolved globally from the STACKIT DNS anycast network:

Terminal window
dig +short www2.myzone.test. @ns1.stackit.cloud.

You will get the following output:

192.0.2.1
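The reachability checks earlier (the anycast servers answer, the primary's public IP does not) and the propagation check after an update are easy to script. The following is an added example and not part of the STACKIT tutorial: it confirms from an outside vantage point that the primary stays hidden and polls the anycast servers until they serve at least the expected serial, comparing serials with RFC 1982 serial arithmetic so that a wrapped serial still compares correctly. The dig invocation is taken from a DIG variable so that the constructed fake_dig stand-in can exercise the logic offline; the lagging answer attributed to ns2.stackit.zone and the timeout for every other address are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the STACKIT tutorial): check, from outside, that the
# hidden primary does not answer and that the anycast name servers have picked
# up the latest serial. The query command comes from $DIG so the logic can be
# exercised offline with the constructed fake_dig below.
DIG=${DIG:-dig}

# soa_serial ZONE SERVER: prints the SOA serial the server returns, or "none"
# when there is no usable answer (timeout, refused, NXDOMAIN).
soa_serial() {
    $DIG +short +time=2 +tries=1 "$1" SOA "@$2" |
        awk 'NF == 7 && $3 ~ /^[0-9]+$/ { print $3; found = 1 }
             END { if (!found) print "none" }'
}

# primary_hidden ZONE PUBLIC_IP: succeeds when the primary's public address does
# NOT answer. Run it from a host the security group does not admit on port 53.
primary_hidden() {
    [ "$(soa_serial "$1" "$2")" = none ]
}

# serial_ge A B: succeeds when serial A is at or past serial B under RFC 1982
# serial-number arithmetic (modulo 2^32). Needs 64-bit shell arithmetic, which
# dash and bash provide.
serial_ge() {
    d=$(( ($1 - $2) % 4294967296 ))
    if [ "$d" -lt 0 ]; then d=$(( d + 4294967296 )); fi
    [ "$d" -lt 2147483648 ]
}

# check_propagation ZONE EXPECTED SERVER...: prints one line per server and
# fails if any server is still behind EXPECTED.
check_propagation() {
    zone=$1; want=$2; shift 2
    lag=0
    for ns in "$@"; do
        got=$(soa_serial "$zone" "$ns")
        if [ "$got" != none ] && serial_ge "$got" "$want"; then
            echo "in-sync $ns serial=$got"
        else
            echo "LAGGING $ns serial=$got expected>=$want"
            lag=1
        fi
    done
    return $lag
}

# wait_propagation TIMEOUT ZONE EXPECTED SERVER...: polls every 5 s until every
# server is in sync or TIMEOUT seconds have passed, then prints the final state.
wait_propagation() {
    deadline=$(( $(date +%s) + $1 )); shift
    while :; do
        if check_propagation "$@" >/dev/null; then break; fi
        if [ "$(date +%s)" -ge "$deadline" ]; then break; fi
        sleep 5
    done
    check_propagation "$@"
}

# fake_dig: offline stand-in for dig with constructed answers. The hidden
# primary (127.0.0.1) and ns1 serve the updated serial, ns2 is made to lag, and
# any other address times out, as the primary's public IP should from outside.
fake_dig() {
    # called as: +short +time=2 +tries=1 ZONE SOA @SERVER
    case "$6" in
        @127.0.0.1|@ns1.stackit.cloud)
            echo "myzone.test. hostmaster.myzone.test. 2023051002 7200 3600 1209600 30" ;;
        @ns2.stackit.zone)
            echo "myzone.test. hostmaster.myzone.test. 2023051000 7200 3600 1209600 30" ;;
        *)
            echo ";; connection timed out; no servers could be reached" ;;
    esac
}

# Usage (live):    sh propagation-check.sh myzone.test 2023051002 ns1.stackit.cloud ns2.stackit.zone
# Usage (offline): DIG=fake_dig sh propagation-check.sh myzone.test 2023051002 ns1.stackit.cloud ns2.stackit.zone
if [ $# -ge 3 ]; then
    check_propagation "$@"
fi
```

After the nsupdate above you would call wait_propagation with the serial bind9 logged in its "sending notifies" line, and primary_hidden with your instance's public IP; the latter is only meaningful from a host outside the security group's allowed sources, which is also why the tutorial runs its timeout checks from a separate internet-facing host.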