A Step-by-Step Guide to install cPanel DNS Only on Linux
Setting up your own dedicated DNS server provides increased performance, stability, and security for your domains’ DNS infrastructure. cPanel DNS Only is free and a great option for running an authoritative DNS server on Linux.
This guide will walk you through installing and configuring cPanel DNS Only on Linux. We’ll cover:
- Why Use cPanel DNS Only?
- DNS Only Requirements and Prerequisites
- Step-by-Step Guide to Installation
- Post-Installation Configuration
- Securing Your DNS Only Server
- Setting Up DNSSEC
- Integrating with a DNS Cluster
- Troubleshooting Common Problems
By the end, you’ll have extensive knowledge for deploying DNS Only on Linux. Let’s get started!
Why Use cPanel DNS Only?
Before we dive into the installation, let’s discuss why you may want to use cPanel DNS Only for your authoritative DNS:
Lightweight and Fast
DNS Only includes only the DNS services and management tools without all the extra components in cPanel. This optimized codebase makes it quick and lightweight.
Easy DNS Management
- Web interface for managing DNS zones and records
- API access for automation
- DNS zone templates
Advanced DNS Features
- DNSSEC support
- Clustering support
- IPv6 support
- Zone editor with advanced options
Integrates with cPanel
- Seamless integration with cPanel/WHM servers
- Centralized management of DNS for multiple servers
Actively Developed
- Regular updates and security patches
- Continuous improvements to features and performance
PowerDNS or BIND
- Choose between PowerDNS or BIND as the DNS server
By leveraging DNS Only for your authoritative DNS, you can take back control over this critical infrastructure for your domains and build a faster, more robust DNS system.
Now let’s go over the requirements and prerequisites.
DNS Only Requirements and Prerequisites
Before installing cPanel DNS Only, you need a Linux server that meets these requirements:
Supported Linux Distribution
- AlmaLinux 8 or newer
- Red Hat Enterprise Linux (RHEL) 8 or newer
- CentOS 7 or 8 (End of Life)
- CloudLinux 7 or 8
- Ubuntu 20.04 LTS or newer
Older outdated distributions are not recommended.
Fresh Minimal Install
Start with a fresh minimal install of your Linux distribution, without any existing configuration or software. DNS Only should be the only application installed.
Root Access
You must have root level SSH access to install and configure the software.
Assign FQDN
Set your server’s hostname to be a proper FQDN like ns1.example.com instead of a short name. Edit /etc/hostname and update it to your desired FQDN hostname.
Open Firewall Ports
The following ports must be opened in your Linux firewall:
- 53 (DNS, both TCP and UDP)
- 953 (rndc)
- 2087 (cPanel DNSAdmin)
- 80/443 (web interface)
Port 953 (rndc) only needs to be reachable from localhost and any cluster peers; do not expose it to the whole Internet.
On Ubuntu, use UFW to open the ports (ufw opens both TCP and UDP when no protocol is given):
$ ufw allow 53
$ ufw allow 953/tcp
$ ufw allow 2087/tcp
$ ufw allow 80/tcp
$ ufw allow 443/tcp
On AlmaLinux, use Firewalld:
$ firewall-cmd --permanent --add-port=53/tcp --add-port=53/udp
$ firewall-cmd --permanent --add-port=953/tcp --add-port=2087/tcp
$ firewall-cmd --permanent --add-port=80/tcp --add-port=443/tcp
$ firewall-cmd --reload
Meet Minimum System Resources
The server should have at least:
- 1 GHz CPU
- 1 GB RAM
- 20 GB Disk Space
For production use, 4+ cores, 8GB+ RAM, and RAID-10 HDDs or SSDs are recommended.
Resolvable Hostname
Ensure your server’s hostname is resolvable either via local DNS or an /etc/hosts entry pointing it to a local IP address.
Test resolving it from the server itself (a few packets are enough; without -c, ping runs until interrupted):
$ ping -c 3 $(hostname -f)
Access to cPanel Repositories
Your server must be able to reach cPanel’s repositories directly or through a local mirror in order to install the software.
That covers the key requirements and prerequisites. Next we’ll go through the installation process.
Step-by-Step Guide to Installation
With your Linux server ready, let’s go through the installation process step-by-step:
Download Installation Script
First, SSH to your server as root and change to the /home directory:
$ cd /home
Next, use curl to download the latest cPanel DNS Only installation script:
$ curl -o latest-dnsonly -L https://securedownloads.cpanel.net/latest-dnsonly
This will save the script to latest-dnsonly in your current working directory.
Make Script Executable
We need to make the script executable before running it:
$ chmod +x latest-dnsonly
Run Installer Script
Now execute the script to begin the installation process:
$ ./latest-dnsonly
This will start the interactive installer that installs PowerDNS, configures it for DNS Only mode, installs the web interface, and performs other setup steps.
Accept License Agreement
During the installation, you will be prompted to accept the cPanel license agreement. This is mandatory, so accept it to continue.
The rest of the installation will proceed automatically. It usually takes around 5-10 minutes depending on your server’s Internet connection speed.
Once finished, DNS Only will be installed but we need to complete the initial configuration next.
Post-Installation Configuration
After installation, there are some important post-install steps to perform for initial configuration:
Update Hostname
Even though we already set the hostname earlier, let’s update it again in /etc/hostname to ensure it matches the server’s FQDN:
$ vim /etc/hostname
ns1.example.com
Define Hostname in /etc/hosts
Next, make sure your server’s hostname is defined in /etc/hosts mapping to 127.0.0.1:
127.0.0.1 localhost ns1.example.com
This allows properly resolving the hostname locally.
Reboot Server
With the hostname configured, reboot your server for the changes to take effect:
$ reboot
Verify Web Interface Access
Once your server has rebooted, test that you can access the DNS Only web interface at:
https://your_server_fqdn:2087
For example:
https://ns1.example.com:2087
Accept the SSL certificate warning and enter your admin username and password.
Remove Default Test Zone
A default test zone called “localhost.localdomain” is created during installation. This sample zone should be removed:
- Log into the cPanel DNS Only web interface.
- Navigate to "DNS Functions" -> "Edit DNS Zone".
- Select the "localhost.localdomain" zone.
- Click "Delete".
This completes post-installation configuration! Next we’ll discuss securing your DNS Only server.
Securing Your DNS Only Server
Since DNS is a critical infrastructure component, it’s important to follow security best practices for your DNS Only server:
Use a Dedicated Server
Don’t install additional software beyond DNS Only. This server should be 100% dedicated to DNS services.
Disable Root SSH Login
Prevent direct root SSH logins by setting PermitRootLogin no in your SSH daemon config.
Use SSH Keys Over Passwords
For any SSH access, use key-based authentication instead of passwords.
Follow OS Security Recommendations
Refer to your Linux distribution’s security guides for additional ways to harden the OS.
Install a Host Firewall
Consider installing CSF, Firewalld, or UFW to lock down access. Allow only required ports.
Regular Updates
Apply security patches by regularly updating DNS Only, PowerDNS, and the OS packages.
Monitor for Anomalies
Use monitoring tools like Fail2ban to alert on abnormal activity like brute force attacks.
Following security best practices ensures your DNS infrastructure stays safe and secure.
Now let’s look at enabling DNSSEC.
Setting Up DNSSEC
DNSSEC provides additional security for your DNS data through cryptographic signing of records.
Here is how to enable DNSSEC for a domain with DNS Only:
- Log into the cPanel DNS Only web interface.
- Navigate to "DNS Functions" -> "DNSSEC".
- Select the domain you want to enable DNSSEC for.
- Click "Enable DNSSEC".
- Follow the instructions to publish the DS record with your domain registrar.
Once enabled, the parent domain (e.g. .com) will also need to have DNSSEC active and publish a DS record for your zone. This allows end-to-end validation.
See the cPanel DNSSEC documentation for more details on configuring it.
Integrating with a DNS Cluster
For redundancy, you can join your DNS Only server to an existing cPanel WHM cluster. This synchronizes zones between the servers.
To enable cluster synchronization:
- Log into WHM on your primary cPanel server.
- Navigate to "Clusters" -> "DNS Cluster".
- Add the DNS Only server to the cluster by entering its IP address and root password.
Once joined, DNS zones in WHM will automatically sync to your DNS Only server. See the cPanel clustering docs for more details.
Troubleshooting Common Problems
Here are some tips for resolving common issues with DNS Only:
Can’t access web interface:
- Verify that the DNS Only service is running.
- Check your firewall rules to ensure ports 2087, 80, and 443 are open.
- Make sure your server’s hostname is resolvable.
Zone changes not working:
- Ensure the DNS service is running.
- Check for errors in the DNS server logs.
- Verify that DNS zone files are properly configured.
DNSSEC validation failures:
- Make sure DNSSEC is enabled for both the domain and the parent zone.
- Verify that the DS record is published correctly with your domain registrar.
- Check the DNSSEC chain of trust.
Cluster synchronization failures:
- Verify that the DNS cluster is properly configured in WHM.
- Check the connection between the DNS Only server and the WHM server.
- Examine the DNS cluster logs for errors.
This covers the most common troubleshooting steps. See the cPanel docs for additional debugging tips.
Conclusion
In this comprehensive guide, we covered the benefits of using cPanel DNS Only for authoritative DNS, outlined the installation requirements and prerequisites, provided step-by-step installation instructions for Ubuntu and AlmaLinux, discussed post-install configuration like setting an admin password and hostname, explained important security considerations for hardening your DNS server, detailed how to enable advanced DNSSEC functionality, and described integrating DNS Only into an existing DNS cluster. Additionally, troubleshooting tips were provided for common issues. By now you should have all the knowledge needed to get a full-featured DNS Only server up and running on Linux, ready to start taking your domains’ DNS infrastructure to the next level! Let me know in the comments if you have any other questions.
Alternative Solutions for DNS Management
While cPanel DNS Only offers a convenient solution for managing DNS, several alternatives cater to different needs and preferences. Here are two such alternatives:
1. Using a Managed DNS Provider (e.g., Cloudflare, AWS Route 53, Google Cloud DNS)
Explanation: Managed DNS providers offer robust, scalable, and highly available DNS infrastructure as a service. Instead of hosting your own DNS servers, you delegate your domain’s DNS management to the provider. These providers typically offer advanced features such as DNSSEC, DDoS protection, traffic management, and global distribution networks, all managed through a user-friendly interface or API.
Benefits:
- High Availability and Redundancy: Managed DNS providers operate globally distributed networks of DNS servers, ensuring high availability and resilience against outages.
- Scalability: They can handle massive DNS query volumes without performance degradation.
- Security: Built-in DDoS protection and DNSSEC features protect against common DNS attacks.
- Advanced Features: Traffic management features like geo-routing and load balancing enhance performance and user experience.
- Simplified Management: The provider handles server maintenance, updates, and security patches, freeing up your resources.
Implementation:
The implementation typically involves creating an account with the provider, adding your domain, and updating your domain’s name servers at your registrar to point to the provider’s name servers. The specific steps vary depending on the provider.
Example (using Cloudflare):
- Create a Cloudflare account and add your domain.
- Cloudflare will scan your existing DNS records. Review and confirm the records.
- Cloudflare will provide new name servers (e.g., ella.ns.cloudflare.com, john.ns.cloudflare.com).
- Update your domain’s name servers at your domain registrar with the name servers provided by Cloudflare.
No specific code is required, as the configuration is done through Cloudflare’s web interface.
2. Setting up BIND9 Manually
Explanation: BIND9 (Berkeley Internet Name Domain) is one of the most widely used open-source DNS servers. Setting up BIND9 manually on a Linux server gives you full control over the DNS configuration, but it requires more technical expertise than using cPanel DNS Only.
Benefits:
- Full Control: You have complete control over the DNS server configuration and can customize it to your specific needs.
- Cost-Effective: BIND9 is free and open-source software.
- Flexibility: You can integrate BIND9 with other systems and automate tasks using scripts.
Implementation:
The implementation involves installing BIND9 on a Linux server, configuring the DNS zone files, and setting up the necessary network settings.
Example (on Debian/Ubuntu):
- Install BIND9:
sudo apt update
sudo apt install bind9 bind9utils bind9-doc dnsutils
- Configure BIND9:
Edit the /etc/bind/named.conf.options file to set up forwarding and DNSSEC validation.
options {
    directory "/var/cache/bind";
    // Forwarders are only used for recursive lookups. On an Internet-facing
    // authoritative server, also set "recursion no;" so it is not an open resolver.
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
- Configure Local Zone (e.g., example.com):
Declare the zones for your domain in /etc/bind/named.conf.local.
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
};
zone "0.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.168.0";
};
- Create Zone Files:
Create the forward zone file /etc/bind/zones/db.example.com.
$TTL 86400
@       IN  SOA ns1.example.com. admin.example.com. (
            2024010101 ; Serial
            3600       ; Refresh
            1800       ; Retry
            604800     ; Expire
            86400 )    ; Minimum TTL
; Name Server Records
@       IN  NS  ns1.example.com.
; A Records
@       IN  A   192.168.0.10
ns1     IN  A   192.168.0.10
www     IN  A   192.168.0.10
; MX Records
@       IN  MX  10 mail.example.com.
mail    IN  A   192.168.0.11
Create the reverse zone file /etc/bind/zones/db.192.168.0.
$TTL 86400
@       IN  SOA ns1.example.com. admin.example.com. (
            2024010101 ; Serial
            3600       ; Refresh
            1800       ; Retry
            604800     ; Expire
            86400 )    ; Minimum TTL
; Name Server Records
@       IN  NS  ns1.example.com.
; PTR Records
10      IN  PTR example.com.
10      IN  PTR ns1.example.com.
10      IN  PTR www.example.com.
- Check and Restart BIND9:
sudo named-checkconf
sudo named-checkzone example.com /etc/bind/zones/db.example.com
sudo named-checkzone 0.168.192.in-addr.arpa /etc/bind/zones/db.192.168.0
sudo systemctl restart bind9
- Update Name Servers at Registrar:
Update the domain’s name servers at your registrar to point to your BIND9 server (e.g., ns1.example.com).
These alternative solutions offer different trade-offs in terms of ease of use, cost, and control. Choosing the right solution depends on your specific requirements and technical expertise.