
Thread: [SOLVED] How I fixed Zimbra with Split DNS

  1. #1 nosebreaker (Active Member, joined Aug 2010, 39 posts)

    [SOLVED] How I fixed Zimbra with Split DNS

    I know everyone links to the split DNS in the wiki, but it doesn't cover how to make it work if you already have DNS on your zimbra server and don't want to muck it up.

    It started when my primary server failed, and I thought my secondary worked. It didn't, and I couldn't figure out why. I logged into the webadmin, and found out that it was holding everything in the mail queue, and not delivering it. I then mucked through /opt/zimbra/log/ and found out it had something to the effect of:
    Cannot connect to backup.domain.com [PUBLIC_IP] port 7025

    So I tried, and sure enough I couldn't connect, since the firewall was blocking it. I tried to ping backup.domain.com and it returned the private IP, because that was in /etc/hosts. So I learned Zimbra ignores the hosts file (bad Zimbra). I then discovered my primary server's firewall allows inside hosts to contact the external IP, whereas Ciscos do not.

    So the solution lies with DNS, but the Wiki expects you to not have any DNS there now, and doesn't quite apply.

    I found this link:
    Two-in-one DNS server with BIND9 | HowtoForge - Linux Howtos and Tutorials

    For me, that worked. I had to create an internal zone file and an external one, and I used the $INCLUDE directive to pull all the other entries in so I don't have to maintain two duplicate files later. Internal hosts now get the 192.168.x.x IP, whereas external hosts get the public one. As soon as I fixed this, the mail queue flushed out and now I have mail coming into my backup server as if it were the primary (when the primary comes back I use imapsync to sync the mail over after I change DNS back).

    My named/bind daemon runs in a chroot jail, don't be confused by chroot in there if yours doesn't.

    My configs (edited to be nosebreaker.com for the domain and 1.2.3.4 for backup and 2.3.4.5 for primary instead of the real IPs):

    in /var/named/chroot/etc/named.conf after the options{}
    Code:
    acl internals {
        127.0.0.0/8;
        192.168.1.0/24;
    };

    // Clients matching "internals" land in this view and see the private address.
    view "internal" {
        match-clients { internals; };

        zone "nosebreaker.com." IN {
            type master;
            file "masters/nosebreaker.com.internal.db";
            allow-update { none; };
            // Without this the default (any) lets every inside host AXFR the
            // internal zone; list a secondary's private IP here if you have one.
            allow-transfer { none; };
        };
    };

    // external is not defined above, only internal is
    // Everyone else lands here. The stock zones (root hints, localhost and the
    // reverse zones) exist only in this view.
    view "external" {
        match-clients { any; };
        // Answer only for our own zones towards the outside; recursion for inside
        // clients stays in options{} (or the internal view) if you want it.
        recursion no;

        zone "." IN {
            type hint;
            file "named.root";
        };

        zone "localdomain." IN {
            type master;
            file "localdomain.zone";
            allow-update { none; };
        };

        zone "localhost." IN {
            type master;
            file "localhost.zone";
            allow-update { none; };
        };

        zone "0.0.127.in-addr.arpa." IN {
            type master;
            file "named.local";
            allow-update { none; };
        };

        zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." IN {
            type master;
            file "named.ip6.local";
            allow-update { none; };
        };

        zone "255.in-addr.arpa." IN {
            type master;
            file "named.broadcast";
            allow-update { none; };
        };

        zone "0.in-addr.arpa." IN {
            type master;
            file "named.zero";
            allow-update { none; };
        };

        zone "nosebreaker.com." IN {
            type master;
            file "masters/nosebreaker.com.external.db";
            allow-update { none; };
            allow-transfer { 2.3.4.5; }; // This is my primary dns server IP
        };
        // if you have other domains, put the zone entries here
    };
    For my actual zone files, there are 3:
    /var/named/chroot/var/named/masters/nosebreaker.com.db
    /var/named/chroot/var/named/masters/nosebreaker.com.internal.db
    /var/named/chroot/var/named/masters/nosebreaker.com.external.db

    Notice that I didn't reference the first; that is because it is included by the internal/external files.

    Code:
    $TTL 86400
    @               IN      SOA     nosebreaker.com. root.nosebreaker.com.      (
                                    2010112400      ; Serial (YYYYMMDD##)
                                    28800           ; Refresh (8 hours)
                                    7200            ; Retry (2 hours)
                                    604800          ; Expire (1 week)
                                    86400 )         ; Min TTL (1 day)
                            NS      ns1.nosebreaker.com.
                            NS      ns2.nosebreaker.com.
                            MX      10 mail.nosebreaker.com.
                            TXT     "My OpenSPF record goes here, you should too"
    ; The apex A record is deliberately NOT here: the internal/external files set
    ; it, and a second copy here would make the apex answer with two addresses.
    localhost               A       127.0.0.1
    ns1                     A       2.3.4.5
    ns2                     A       1.2.3.4

    mail                    A       2.3.4.5
    primaryserver           A       2.3.4.5
    ; do NOT put backupserver here, it is linked in via split dns!

    ; This line lets anything.nosebreaker.com route to 2.3.4.5
    *                       A       2.3.4.5   ; GLOBALOK

    Finally, the important internal vs external IP address:
    nosebreaker.com.internal.db
    Code:
    $INCLUDE "/var/named/masters/nosebreaker.com.db"
    @               IN      A       2.3.4.5
    backupserver            A       192.168.1.1
    BTW, notice the path is NOT the full path: this is in a chroot jail, so it doesn't see above the chroot. Here is nosebreaker.com.external.db:
    Code:
    $INCLUDE "/var/named/masters/nosebreaker.com.db"
    @               IN      A       2.3.4.5
    backupserver            A       1.2.3.4
    Last edited by nosebreaker; 11-24-2010 at 12:54 PM. Reason: Fixed IP's to be consistent
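An added example, not part of the post and not Zimbra's or BIND's code: an offline lint for the layout described in post #1 (a shared base file that an internal and an external overlay pull in with $INCLUDE, one overlay per view). The file contents, paths and addresses embedded in it are constructed stand-ins that follow the post's placeholders, and `load_zone` and `split_dns_report` are this example's own names. It flags the three things this kind of setup most often gets wrong: a private address published in the external view, a name present in only one view, and a name defined both in the base file and in an overlay (which makes that view answer with both addresses, the way a leftover apex A record in the base file would).

```python
"""Offline lint for a split-horizon BIND layout: a shared base zone file that
an internal and an external overlay pull in with $INCLUDE, one overlay per
view. Added example; not Zimbra's or the post author's code."""
import ipaddress
import re

# Constructed stand-in for the chroot filesystem (path -> file text). Layout
# and placeholder addresses follow the post (2.3.4.5 primary, 1.2.3.4 backup,
# 192.168.1.1 the backup's private address); the text is not copied from it.
ZONE_FILES = {
    "/var/named/masters/nosebreaker.com.db": """\
$TTL 86400
@           IN  SOA ns1.nosebreaker.com. root.nosebreaker.com. (
                2010112400  ; serial
                28800 7200 604800 86400 )
            NS  ns1.nosebreaker.com.
            NS  ns2.nosebreaker.com.
            MX  10 mail.nosebreaker.com.
localhost   A   127.0.0.1
ns1         A   2.3.4.5
ns2         A   1.2.3.4
mail        A   2.3.4.5
*           A   2.3.4.5
""",
    "/var/named/masters/nosebreaker.com.internal.db": """\
$INCLUDE "/var/named/masters/nosebreaker.com.db"
@               IN  A   2.3.4.5
backupserver        A   192.168.1.1
""",
    "/var/named/masters/nosebreaker.com.external.db": """\
$INCLUDE "/var/named/masters/nosebreaker.com.db"
@               IN  A   2.3.4.5
backupserver        A   1.2.3.4
""",
}


def load_zone(path, origin, files=ZONE_FILES):
    """Parse one master file into {owner: {rrtype: [(rdata, source_path)]}},
    following $INCLUDE (file argument only) and $ORIGIN. Covers the syntax the
    post's files use: ';' comments, blank owner = previous owner, optional
    class/TTL, and a parenthesised multi-line SOA. A ';' inside a quoted TXT
    string is not special-cased."""
    records = {}
    if not origin.endswith("."):
        origin += "."
    # Strip comments per line, then fold a parenthesised record onto one line.
    stripped = "\n".join(ln.split(";", 1)[0].rstrip() for ln in files[path].splitlines())
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0).split()), stripped)
    last_owner = origin
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("$"):
            parts = line.split()
            directive = parts[0].upper()
            arg = parts[1].strip('"') if len(parts) > 1 else ""
            if directive == "$INCLUDE":  # merge the included file's records
                for owner, rrs in load_zone(arg, origin, files).items():
                    for rtype, rdatas in rrs.items():
                        records.setdefault(owner, {}).setdefault(rtype, []).extend(rdatas)
            elif directive == "$ORIGIN":
                origin = arg if arg.endswith(".") else f"{arg}.{origin}"
            continue  # $TTL does not affect the checks below
        fields = line.split()
        owner = last_owner if line[0].isspace() else fields.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        last_owner = owner
        # Optional class and TTL may precede the type in either order.
        while fields and (fields[0].upper() in ("IN", "CH") or fields[0].isdigit()):
            fields.pop(0)
        rtype = fields.pop(0).upper()
        records.setdefault(owner, {}).setdefault(rtype, []).append((" ".join(fields), path))
    return records


def split_dns_report(origin, internal_path, external_path, files=ZONE_FILES):
    """Load both views' zones and return the three mistakes a split-DNS layout
    most often hides. Every list is empty when the layout is clean."""
    internal = load_zone(internal_path, origin, files)
    external = load_zone(external_path, origin, files)
    findings = {"leaks": [], "asymmetric": [], "overlay_clash": []}
    # 1. Private (RFC 1918 / ULA) addresses must never appear in the external
    #    view; the conventional localhost -> loopback entry is allowed through.
    for owner, rrs in external.items():
        for rtype in ("A", "AAAA"):
            for rdata, _ in rrs.get(rtype, []):
                ip = ipaddress.ip_address(rdata)
                if ip.is_private and not ip.is_loopback:
                    findings["leaks"].append((owner, rdata))
    # 2. Both views should publish the same set of names; a name in only one
    #    view is a typo, a forgotten overlay line, or an unintended disclosure.
    findings["asymmetric"] = sorted(set(internal) ^ set(external))
    # 3. A name with an A record in both the shared base file and an overlay
    #    answers with both addresses in that view, defeating the overlay.
    for view_path, zone in ((internal_path, internal), (external_path, external)):
        for owner, rrs in zone.items():
            sources = {src for _, src in rrs.get("A", [])}
            if view_path in sources and len(sources) > 1:
                findings["overlay_clash"].append((view_path, owner))
    return findings


if __name__ == "__main__":
    base = "/var/named/masters/nosebreaker.com"
    for kind, items in split_dns_report("nosebreaker.com", base + ".internal.db",
                                        base + ".external.db").items():
        print(f"{kind}: {items or 'none'}")
```

Before reloading named, also let BIND check the files with the chroot applied so the chroot-relative $INCLUDE path resolves: `named-checkconf -t /var/named/chroot /etc/named.conf`, then `named-checkzone -t /var/named/chroot nosebreaker.com /var/named/masters/nosebreaker.com.internal.db` and the same for the external file. Finally confirm the split from both sides with `dig @<server> backupserver.nosebreaker.com A` from an inside host and from an outside host; the two answers should differ exactly as the two overlay files say.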

  2. #2 skenkin (Active Member, joined May 2008, 45 posts)

    Excellent, thank you.

    This should probably be converted to wiki. I wasn't aware of that feature in bind9

    The link had the basics that you didn't have room to cover.
    Very good all round.
