I know everyone links to the split DNS in the wiki, but it doesn't cover how to make it work if you already have DNS on your zimbra server and don't want to muck it up.
It started when my primary server failed, and I thought my secondary worked. It didn't, and I couldn't figure out why. I logged into the webadmin, and found out that it was holding everything in the mail queue, and not delivering it. I then mucked through /opt/zimbra/log/ and found out it had something to the effect of:
Cannot connect to backup.domain.com [PUBLIC_IP] port 7025
So I tried, and sure enough I couldn't connect, since the firewall was blocking it. I tried to ping backup.domain.com and it returned the private IP, because that was in /etc/hosts. Thus I learned Zimbra ignores the hosts file (bad Zimbra). I then discovered my primary server's firewall allows inside hosts to contact the external IP, whereas Cisco's do not.
So the solution lies with DNS, but the Wiki assumes you have no DNS on the box already, so it doesn't quite apply.
I found this link:
Two-in-one DNS server with BIND9 | HowtoForge - Linux Howtos and Tutorials
For me, that worked. I had to create an internal zone file and an external one, and I used the $include directive to pull all the other entries in so I don't have to maintain 2 duplicate files later. Internal hosts now get the 192.168.x.x IP, whereas external hosts get the public one. As soon as I fixed this, the mail queue flushed out and now I have mail coming into my backup server as if it were the primary (when the primary comes back I use imapsync to sync the mail over after I change DNS back).
My named/bind daemon runs in a chroot jail; don't be confused by the chroot in the paths below if yours doesn't.
My configs (edited to use nosebreaker.com for the domain, 1.2.3.4 for the backup and 2.3.4.5 for the primary instead of the real IPs):
In /var/named/chroot/etc/named.conf, after the options {} block:
Code:
acl internals {
    127.0.0.0/8;
    192.168.1.0/24;
};

view "internal" {
    match-clients { internals; };
    zone "nosebreaker.com." IN {
        type master;
        file "masters/nosebreaker.com.internal.db";
        allow-update { none; };
    };
};

// external is not defined above, only internal is
view "external" {
    match-clients { any; };
    zone "." IN {
        type hint;
        file "named.root";
    };
    zone "localdomain." IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
    };
    zone "localhost." IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa." IN {
        type master;
        file "named.local";
        allow-update { none; };
    };
    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
    };
    zone "255.in-addr.arpa." IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
    };
    zone "0.in-addr.arpa." IN {
        type master;
        file "named.zero";
        allow-update { none; };
    };
    zone "nosebreaker.com." IN {
        type master;
        file "masters/nosebreaker.com.external.db";
        allow-update { none; };
        allow-transfer { 2.3.4.5; }; // This is my primary dns server IP
    };
    // if you have other domains, put the zone entries here
};
For my actual zone files, there are 3:
/var/named/chroot/var/named/masters/nosebreaker.com.db
/var/named/chroot/var/named/masters/nosebreaker.com.internal.db
/var/named/chroot/var/named/masters/nosebreaker.com.external.db
Notice that I didn't reference the first one in named.conf; that is because it is $included from the internal and external files.
Code:
$TTL 86400
@       IN SOA  nosebreaker.com. root.nosebreaker.com. (
                2010112400  ; Serial (YYYYMMDD##)
                28800       ; Refresh (8 hours)
                7200        ; Retry (2 hours)
                604800      ; Expire (1 week)
                86400 )     ; Min TTL (1 day)
        NS      ns1.nosebreaker.com.
        NS      ns2.nosebreaker.com.
        MX 10   mail.nosebreaker.com.
        TXT     "My OpenSPF record goes here, you should too"
        A       173.166.71.42
localhost       A   127.0.0.1
ns1             A   2.3.4.5
ns2             A   1.2.3.4
mail            A   2.3.4.5
primaryserver   A   2.3.4.5
; do NOT put backupserver here, it is linked in via split dns!
; This line lets anything.nosebreaker.com route to 2.3.4.5
*               A   2.3.4.5 ; GLOBALOK
Finally, the two files that carry the important internal vs external IP address difference. First nosebreaker.com.internal.db:
Code:
$include "/var/named/masters/nosebreaker.com.db"
@ IN A 2.3.4.5
backupserver A 192.168.1.1
BTW, notice the path is NOT the full path on the host: named is in a chroot jail, so it cannot see above the chroot. Here is nosebreaker.com.external.db:
Code:
$include "/var/named/masters/nosebreaker.com.db"
@ IN A 2.3.4.5
backupserver A 1.2.3.4
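As an added example (not from the post), a small Python check that expands the $INCLUDE chain the way the three files above are laid out, then reports which names answer differently per view and which names are defined both in the shared file and again in a view file (the "do NOT put backupserver here" caveat; such a name silently ends up with two addresses in the view that should only see the private one). The parser is deliberately minimal (A records, $INCLUDE, ';' comments, the multi-line SOA), and the sample zone text, paths and IPs are constructed.

```python
"""Lint for split-horizon BIND zone files sharing one base file via $INCLUDE (simplified parser)."""
from collections import defaultdict
# Constructed sample in the post's layout; $INCLUDE paths are looked up here, not on disk.
FILES = {
    "/var/named/masters/nosebreaker.com.db": """\
$TTL 86400
@   IN SOA nosebreaker.com. root.nosebreaker.com. (
        2010112400 28800 7200 604800 86400 )
backupserver A 1.2.3.4   ; wrong place: this name is view-specific
""",
    "internal": '$INCLUDE "/var/named/masters/nosebreaker.com.db"\n'
                "@   IN A 2.3.4.5\nbackupserver A 192.168.1.1\n",
    "external": '$INCLUDE "/var/named/masters/nosebreaker.com.db"\n'
                "@   IN A 2.3.4.5\nbackupserver A 1.2.3.4\n",
}

def expand(text, files, inc=False):
    """Yield (from_include, indented, tokens); $INCLUDE expanded inline, comments/$TTL dropped."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        toks = line.split()
        if toks and toks[0].upper() == "$INCLUDE":
            yield from expand(files[toks[1].strip('"')], files, True)
        elif toks and not toks[0].startswith("$"):
            yield inc, line[0].isspace(), toks

def a_records(text, files):
    """Map owner -> {(ip, from_include)} for every A record in the expanded zone."""
    recs, owner = defaultdict(set), "@"
    for inc, indented, toks in expand(text, files):
        if not indented:                           # explicit owner name
            owner, toks = toks[0], toks[1:]
        while toks and (toks[0] == "IN" or toks[0].isdigit()):
            toks.pop(0)                            # optional class / TTL, SOA numbers
        if len(toks) >= 2 and toks[0] == "A":
            recs[owner].add((toks[1], inc))
    return recs

def lint(files, views):
    """Return (names whose A set differs between views, names both the shared file and a view file define)."""
    per_view, clashes = defaultdict(dict), defaultdict(list)
    for v in views:
        for owner, rr in a_records(files[v], files).items():
            per_view[owner][v] = {ip for ip, _ in rr}
            if any(i for _, i in rr) and not all(i for _, i in rr):
                clashes[owner].append(v)           # shared file AND view file define it
    split = {n: a for n, a in per_view.items()
             if len({frozenset(s) for s in a.values()}) > 1}
    return split, dict(clashes)
```

Run it against your real files by replacing the FILES dict with a loader that reads the chroot-relative paths; the second return value should be empty once every view-specific name lives only in the view files.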