{"id":8388,"date":"2025-10-15T01:28:58","date_gmt":"2025-10-14T23:28:58","guid":{"rendered":"https:\/\/www.lrob.fr\/?page_id=8388"},"modified":"2025-10-15T12:30:17","modified_gmt":"2025-10-15T10:30:17","slug":"deploy-secondary-slave-dns-servers-for-plesk","status":"publish","type":"page","link":"https:\/\/www.lrob.fr\/en\/doc\/documentation-serveurs-plesk-infogeres\/deployer-des-serveurs-dns-secondaires-slave-dns-pour-plesk\/","title":{"rendered":"Deploying slave DNS servers for Plesk"},"content":{"rendered":"

The aim is to set up one or more secondary (Slavic) DNS servers, automatically synchronized with a Plesk<\/strong> master DNS.
This architecture improves resilience<\/strong>the DNS propagation speed<\/strong>the simplicity<\/strong>and the overall reliability<\/strong> of your hosting infrastructure.<\/p>\n\n\n\n

This procedure is applied when you subscribe to the DNS slave management option via theLRob outsourcing offer<\/a>. It will give you all the prerequisites and explain the procedure and system in place in this context.<\/p>\n\n\n\n

Prerequisites<\/h2>\n\n\n\n

Hardware and architecture<\/h3>\n\n\n\n
    \n
  • A VPS 1 to 2 vCores<\/strong> and 1 to 2 GB RAM<\/strong> are more than enough (excluding massive traffic: >1M requests\/hour).<\/li>\n\n\n\n
  • 2 to 3 servers slave DNS<\/strong> are recommended for redundancy.<\/li>\n\n\n\n
  • Compatible ARM64<\/strong> or x86_64<\/strong>.<\/li>\n\n\n\n
  • Recommended system : Debian<\/strong> - stable, lightweight, widely supported.<\/li>\n\n\n\n
  • Each slave server must be :\n
      \n
    • Hosted on a network \/ separate supplier<\/strong> (different subnet).<\/li>\n\n\n\n
    • Accessible in IPv4 and IPv6<\/strong>each with its own Dedicated IP<\/strong>.<\/li>\n\n\n\n
    • With a hostname<\/strong> unique and correct.<\/li>\n\n\n\n
    • With a rDNS (reverse DNS)<\/strong> corresponding to its hostname.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n

      Naming and domain<\/h3>\n\n\n\n
        \n
      • Dedicate a infrastructure sector<\/strong> for your DNS servers, for example :
        example.net<\/code><\/li>\n\n\n\n
      • Declare the glue records<\/strong> IPv4 and IPv6 with your domain registry<\/strong> :
        Example: ns1.example.net<\/code>, ns2.example.net<\/code>, ns3.example.net<\/code><\/li>\n\n\n\n
      • Define these glue records as DNS servers for your domain.<\/li>\n<\/ul>\n\n\n\n

        These records are essential for DNS resolvers to be able to reach your servers directly.<\/p>\n\n\n\n

        Installation on the DNS slave server<\/h2>\n\n\n\n

        Installation example for Debian 12<\/strong>.<\/p>\n\n\n\n

        1. Installing Bind9<\/h3>\n\n\n\n

        In root :<\/p>\n\n\n\n

        apt update && apt upgrade\napt install bind9 bind9-utils bind9-doc<\/code><\/pre>\n\n\n\n
        2. Configuration named (BIND9)<\/h3>\n\n\n\n
        Let's edit the first configuration file:<\/p>\n\n\n\n
        nano \/etc\/bind\/named.conf.options<\/code><\/code><\/pre>\n\n\n\n
        options {\n    directory \"\/var\/cache\/bind\";\n\n    listen-on { any; };\n    listen-on-v6 { any; };\n\n    dnssec-validation auto; \/\/ default config\n    recursion no; \/\/ no resolver function\n    allow-query { any; }; \/\/ allow public DNS queries\n    allow-transfer { none; }; \/\/ no zone transfers to others\n    allow-new-zones yes; \/\/ required for rndc addzone\n    auth-nxdomain no; \/\/ RFC1035 compliance\n    version \"none\"; \/\/ hide version info\n};<\/code><\/pre>\n\n\n\n
        3. Control configuration rndc<\/code><\/h3>\n\n\n\n
        The rndc protocol is used to authorize control access to DNS slaves.<\/p>\n\n\n\n
        Edit the second configuration file :<\/p>\n\n\n\n
        nano \/etc\/bind\/named.conf.local<\/code><\/pre>\n\n\n\n
        Authorize the IPs of your DNS master (Plesk server) here:<\/p>\n\n\n\n
        controls {\n    inet * port 953 allow { IPv4_PLESK; IPv6_Plesk ; 127.0.0.1; };\n};<\/code><\/pre>\n\n\n\n
        4. Raise the key rndc<\/code><\/h3>\n\n\n\n
        The key is stored in \/etc\/bind\/rndc.key<\/code>.<\/p>\n\n\n\n
        Display and write down the key, which you'll need for Plesk configuration.<\/p>\n\n\n\n
        cat \/etc\/bind\/rndc.key<\/code><\/pre>\n\n\n\n
        key \"rndc-key\" {\n        algorithm hmac-md5;\n        secret \"xxxxxxxxxxxxxxxxxxxxxxxxx==\";\n};<\/code><\/pre>\n\n\n\n
        5. Restart BIND (named)<\/h3>\n\n\n\n
        Restart the service to apply the config. Let's also check that everything is working normally.<\/p>\n\n\n\n
        systemctl restart named\nrndc status<\/code><\/pre>\n\n\n\n
        Repeat this operation for each DNS slave.<\/p>\n\n\n\n
        Plesk configuration (master server)<\/h2>\n\n\n\n
        1. Install extension Slave DNS Manager<\/strong><\/h3>\n\n\n\n
        In the Plesk interface :
        Extensions \u2192 Catalog \u2192 Slave DNS Manager \u2192 Install<\/strong><\/p>\n\n\n\n
        2. Add your Slavic servers<\/h3>\n\n\n\n
        Open Tools & Settings \u2192 Extensions \u2192 Slave DNS Manager \u2192 Settings<\/strong><\/p>\n\n\n\n
        Add each slave server with :<\/p>\n\n\n\n
          \n
        • IP address<\/strong> Master IPv4 (Plesk server)<\/li>\n\n\n\n
        • IP address<\/strong> IPv4 slave server<\/li>\n\n\n\n
        • Port<\/strong> (RNDC): 953<\/li>\n\n\n\n
        • Algorithm<\/strong> : hmac-sha256<\/li>\n\n\n\n
        • Secret key<\/strong> the one recovered in \/etc\/bind\/rndc.key<\/code><\/li>\n\n\n\n
        • Server name<\/strong> (optional) : ns1.example.net<\/code><\/li>\n<\/ul>\n\n\n\n
          The extension will automatically create a local configuration for rndc<\/code>.<\/p>\n\n\n\n
          3. Refresh and resync<\/h3>\n\n\n\n
          On the Plesk DNS Slave management home page :<\/p>\n\n\n\n
            \n
          • Click on Refresh<\/strong><\/li>\n\n\n\n
          • Then click on Resynchronize<\/strong><\/li>\n<\/ul>\n\n\n\n
            If everything is green: then the configuration is probably good.<\/p>\n\n\n\n
            How it works<\/h2>\n\n\n\n
            As soon as a DNS zone is :<\/p>\n\n\n\n
              \n
            • created,<\/li>\n\n\n\n
            • modified,<\/li>\n\n\n\n
            • or deleted<\/li>\n<\/ul>\n\n\n\n
              on the Plesk server, the Slave DNS Manager automatically sends the following commands to each slave server:<\/p>\n\n\n\n
              Action<\/th>Order executed<\/th><\/tr><\/thead>
              Creation<\/td>\/usr\/sbin\/rndc -c slave.config addzone example.com '{ type slave; file \"\/var\/lib\/bind\/example.com\"; masters { ; }; };'<\/code><\/td><\/tr>
              Update<\/td>\/usr\/sbin\/rndc -c slave.config refresh example.com<\/code><\/td><\/tr>
              Delete<\/td>\/usr\/sbin\/rndc -c slave.config delzone example.com<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
              \ud83e\uddf1 Structure of a default DNS zone<\/h2>\n\n\n\n
              When a new domain is created on the server, Plesk<\/strong> automatically generates a DNS zone from a default template.
              This model can (and must) be adapted to your hosting infrastructure to ensure consistency, security and smooth running of services.<\/p>\n\n\n\n
              At LRob<\/strong>The default DNS zone contains all records essential for web, e-mail and domain security:<\/p>\n\n\n\n
              Recording<\/th>Type<\/th>Value \/ Example<\/th>Description<\/th><\/tr><\/thead>
              .<\/code><\/td>A<\/strong><\/td><ip><\/code><\/td>Main IPv4 address of the site<\/td><\/tr>
              .<\/code><\/td>AAAA<\/strong><\/td><ipv6><\/code><\/td>Main IPv6 address of the site<\/td><\/tr>
              .<\/code><\/td>MX (10)<\/strong><\/td>mail..<\/code><\/td>Domain mail server<\/td><\/tr>
              .<\/code><\/td>TXT<\/strong><\/td>v=spf1 +mx include:_spf.lrob.net -all<\/code><\/td>SPF policy authorizing shipments via LRob<\/td><\/tr>
              .<\/code><\/td>NS<\/strong><\/td>.<\/code><\/td>DNS master server (Plesk)<\/td><\/tr>
              .<\/code><\/td>CAA (issuewild)<\/strong><\/td>letsencrypt.org<\/code><\/td>Allow Let's Encrypt to issue certificates<\/td><\/tr>
              .<\/code><\/td>TXT<\/strong><\/td>Hosted by www.lrob.fr | WordPress Security Expert<\/td>WordPress Security Expert`<\/td><\/tr>
              .<\/code><\/td>NS<\/strong><\/td>ns1.lrob.net.<\/code><\/td>Secondary DNS server n\u00b01<\/td><\/tr>
              .<\/code><\/td>NS<\/strong><\/td>ns2.lrob.net.<\/code><\/td>Secondary DNS server n\u00b02<\/td><\/tr>
              .<\/code><\/td>NS<\/strong><\/td>ns3.lrob.net.<\/code><\/td>Secondary DNS server no. 3<\/td><\/tr>
              _dmarc..<\/code><\/td>TXT<\/strong><\/td>v=DMARC1; p=reject; sp=reject; aspf=s; rua=mailto:dmarcreport@lrob.fr; ruf=mailto:dmarcreport@lrob.fr; rf=afrf; pct=100; ri=172800<\/code><\/td>Strict DMARC policy for e-mail authentication<\/td><\/tr>
              ftp..<\/code><\/td>CNAME<\/strong><\/td>.<\/code><\/td>Alias for FTP<\/td><\/tr>
              mail..<\/code><\/td>A \/ AAAA<\/strong><\/td><ip><\/code> \/ <ipv6><\/code><\/td>Mail server pointing to main host<\/td><\/tr>
              webmail..<\/code><\/td>CNAME<\/strong><\/td>mail..<\/code><\/td>Alias for webmail access<\/td><\/tr>
              www..<\/code><\/td>CNAME<\/strong><\/td>.<\/code><\/td>Alias for the main site<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
              Remarks<\/h3>\n\n\n\n
                \n
              • This configuration guarantees SPF + DMARC compliance<\/strong>the DNS redundancy<\/strong>and compatibility Let's Encrypt<\/strong> thanks to registration CAA<\/code>.<\/li>\n\n\n\n
              • Registration TXT<\/code> \"Hosted by LRob\" adds a touch of identification and transparency.<\/li>\n\n\n\n
              • The servers NS<\/code> must point to your declared secondary DNS servers (including glue records).<\/li>\n<\/ul>\n\n\n\n
                \ud83d\udd0d Testing and validation<\/h2>\n\n\n\n
                Check external resolution<\/h3>\n\n\n\n
                From any station:<\/p>\n\n\n\n
                dig @ns1.example.net example.com\ndig @ns2.example.net example.com<\/code><\/pre>","protected":false},"excerpt":{"rendered":"
                L’objectif est de mettre en place un ou plusieurs serveurs DNS secondaires (slaves) synchronis\u00e9s automatiquement avec un serveur Plesk principal (master DNS).Cette architecture am\u00e9liore la r\u00e9silience, la rapidit\u00e9 de propagation DNS, la simplicit\u00e9, et la fiabilit\u00e9 globale de votre infrastructure d\u2019h\u00e9bergement. Cette proc\u00e9dure est appliqu\u00e9e lors de la souscription \u00e0 l’option de management des slave […]<\/p>\n","protected":false},"author":1,"featured_media":926,"parent":8337,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-8388","page","type-page","status-publish","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages\/8388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/comments?post=8388"}],"version-history":[{"count":8,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages\/8388\/revisions"}],"predecessor-version":[{"id":8400,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages\/8388\/revisions\/8400"}],"up":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages\/8337"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media\/926"}],"wp:attachment":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media?parent=8388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}