External DNS. Do you (currently want or have to) use it?

For the test and purpose you’re describing you do not need the External DNS feature. As you describe it, you only need to list the IPs puck.nether.net provides you as their DNS servers as secondary name servers on the Custom DNS page in MiaB. Doing that will cause NSD (MiaB’s name server) to notify them all when there is any change and they will in turn request a transfer from your server. That’s all automated and catered for in the normal flow of things related to DNS.

Some DNS providers give you a list of name server names to publish in addition to your own and also a list of IP’s to notify and allow transfers to. You’re suppose to specify all of them on your Custom DNS page as additional servers. Those with names you specify by name (MiaB will resolve their IPs and do the honours, but the names will be added to the zone file as additional name servers) and additional IP specified by your DNS provider goes onto the list using the xfr: notation which results in the IP getting notifications and being allowed to ask for transfers, but not getting listed as a name server. The DNS protocols and conventions makes full provision for primary and secondary servers, the mechanisms to validate who’s allowed to request aone transfers and what triggers those transfers. So even though you’re using a secondary DNS service that is external to MiaB, none of what you set up on the Custom DNS page involves what MiaB calls External DNS.

The MiaB term External DNS is a slightly different story primarily for when your hosting environment makes it impossible or undesirable to expoe MiaB as your primary name server because it isn’t reachable on TCP/UDP port 53 from the Internet. In that case you are instructed to manually take the zone file MiaB produced and feed that to a public DNS provider who then serves as master for your zone.

That’'s the important distinction. While MiaB is reachable (at least most of the time) for DNS queries and you’re happy or it to serve as master server for your zones any other servers you may elect to involve are simply secondary servers and there is no External DNS involved. The moment MiaB is no longer master for your zone `(i.e. the active SOA record you get when querying the zone from the internet does not specify ns1.box.yourdomain.tld as master for the domain and ns1.box adn ns2.box is not listed as NS records for the domain) then you’re having an External DNS situation.

I’ve noticed that some MiaB users that are using External DNS didn’t really notice that when they give the zone file to their external DNS provider, that provider will not allow you to specify your own SOA and NS records for the domain (or simply ignore those in the zone file) because they would specify their own. By implication, when you’re using External DNS, i.e. when you’ve downloaded zone files and/or transferred the records onthe External DNS page one-by-one to another DNS provider, then as far as MiaB is concerned it is happily carrying on as if it is the master for the zones except that nobody seems to be quering it on TCP/UDP port 53.

Like I said, that is quite a different scenario to what you’re describing as what and why you’re testing External DNS. At the moment it seems there are far fewer people having any trouble with manual External DNS than I though might be the case because MiaB never or rarely changes the DNS records it produces for any new zone. Largely, when you’ve set up a zone in MiaB, taken the downloaded zone file to your DNS provider, you don;t have to think about it again. Not until you introduce a new domain or make changes to the Custom DNS records that are also included in your zone.

For your casse, which is simply adding additional DNS servers as one or more secondaries, I cannot predict what improvement you can expect as a result in terms of failover and performance as per your reasoning. I’d be surprised if it’s substantial because your own server remains in the mix so will get its fair share of queries to respond to (actually double it’s fair share because by default it is listed twice as nameserver, as ns1.box.yourdomain.tld and ns2.box.yourdomain.tld) so any addditional servers will impove things statistically from there but won’t change the uptime of your box. So if your box is down it can’t accept email anyway. The good news is that the email protocols are patient and will retry many times before even reporting a problem. When your MiaB server is also involved in resolving other names to IP addresses served through load balancers to highly available clusters of machines it quickly becomes a SPoF in access to that web site and neither browsers nor apps nor the people who you them online can be mistaken for patient. MiaB is designed to serve mail purposes exclusively. When your use case involves a web site which outlives the box MiaB is running on you have to accept that you no longer fit within the target audience for MiaB and have to arrange for your own alternatives. I chose to do that by keeping MiaB believing it’s the master of my DNS domains but implementing an out of band mechanism to automate the changes I make in MiaB with regards to Custom DNS records. For me that’s the best of both worlds and at the moment it seems that I am the only one with that use case.

Thanks for your long response to my original description. I have been using MIAB for around 6 years and the recommended Ubuntu version was 18.04 by then. It has been hosting my email service, including storage and activities since then. It counts as part of my efforts on decentralization from public cloud services, and has been working so nicely that I cannot think of an alternative to it, so far and maybe always.

Besides email service I also use MIAB as my DNS server providing it offers such functionality. I have hundreds of all types of DNS records for Custom DNS. But for External DNS, before reading your response I guess I don’t have a comprehensive idea on it. By the way, only after reading it I notice I did not use External DNS but just used the secondary DNS inside Custom DNS. Sorry for any confusion caused.

Which secondary DNS are you using? I use buddydns for free and they have secondary servers all over the world. This is a simple solution and there is no need to download zone files or replicating the entries one by one as in the case of External DNS.

[quote=“gaobo, post:20, topic:11924”]
puck.nether.net.
[/quote] so far so good. I have not tried BuddyDNS.

In case I didn’t make it clear enough. While everyone’s happy for the MiaB server to visibly act as the master for your zones you don’t have to touch the External DNS page - the automatic updates that happens between master and slave DNS servers works perfect and requires almost no setup other than enlisting the services of some provider to serve as secondaries for you. The config is done on the Custom DNS page under “Using a seondary name server” and that’s usually that.

External DNS only gets involved if it’s impossible or undesirable for your MiaB server to be advertised as the authoritative name server for your domain / zone. In that case getting the records from MiaB to the external provider is your own responsibility and in most cases, even if you’re not fully aware of it, going that route overwrites your SOA and NS records with what your External DNS provider requires in there.

For the sake of completeness, I found it essential for my situation to use External DNS but I didn’t like having to manually take records to my DNS provider each time I change something in DNS which I do rather more often than most because of the web services I develop and which uses the same email servers for verification emails, password resets etc. For myself I automated it so any changes made to the MiaB controlled DNS entries gets pushed through to my External DNS provider without any delay or human error. So far I’m a lone ranger as far as that type of need goes, so though my offer stands to share it with other would-be users it does not look likely that there’ll be any takers.

I use AWS R53 for my DNS needs. Only because I have a CloudFront distribution using a subdomain and, when it was configured in AWS, I was unable to receive mail on that subdomain. It was like AWS took over the DNS of that subdomain and ignored the MX record that was setup in MiaB. Once I moved it to R53 everything has been fine.

I’m using DNSSEC as well, but R53 doesn’t support some record types that MiaB has… can’t recall which record off the top of my head. SSHFP and TLSA… had to look.

That is an interesting scenario, thanks for sharing it. I’m not 100% sure though whether or not you’re using External DNS or not. If you are, it’s probably why the MX record MiaB set up didn’t survive, but it could be many others things as well.

If you do use External DNS I must admit to finding it quite intriguing that you’re using DNSSEC as well. AWS Route53 has their own ideas about DNSSEC which is differs quite a bit from the assumptions MiaB makes about it. To use theirs, you need to buy rotating keys from them as well and then some DNS monitoring to make sure you know if and when it breaks. Kudos if you can afford and managed to set that up all tightly enough for your needs. I’m web-centric so even a small chance of DNS outages has such high impact for me that I have to consider it too high overall risk.

It’s also possible that you’re not actually using External DNS, or rather, that you could accomplish what you needed to by using Route53 as secondary server and having MiaB update them through the tried and tested DNS means. In that case using DNSSEC means you’re not really dependent on Route53’s approach to DNSSEC and MiaB is resigning your records often enough at least for email purposes.

Let me know if you could if you’re using Route53 as actual External DNS or as secondary DNS.

P.S.
About:

I’m assuming you meant to write …when it was configured in CloudFront…

Yes. The nameservers for the domains point to AWS and I imported records from MiaB using the export tool.

Honestly, it’s hard for me to remember exactly, but I believe had to setup a hosted zone for the domain in r53 anyway because I wanted AWS to manage TLS for the subdomain I wanted to use. Once I noticed that email sent to blah@user.domain.com no longer worked (even with an MX record in r53 pointing back to MiaB), I just relinquished all control to r53 for the domain.

My aws bill is $5 and change/mo with 5 hosted zones, a couple S3/CloudFront distros and the s3 bucket being used for MiaB backups.

My risk appetite is pretty high for a personal SMTP/IMAP server. I don’t need five nines of uptime.

That’s perfect. Mail is patient and forgiving. The web and its users are not.

Must’ve been frustrating, if not scary, but I don’t get how giving Route53 full control of the domain end up solving the problem? Were there multiple MX records for user.domain.com perhaps with long TTL values that hadn’t expired yet floating around the DNS servers of the world perhaps? Can’t imagine anything else causing that and if it was that, it wasn’t so much giving Route53 all control that solved it but the fact that the incorrect MX records eventually expired. Route53 does use an array of out-of-band techniques to push through zone updates faster than normal DNS can achieve but there’s a massive gotcha attached - they don’t use date-based SOA serial numbers. They start each zone at 1 and increase by one every time an update is made. Their out-of-band mechanisms deal with it, but it’s not guaranteed to be pervasive immediately all the time. It’s quite possible for the updates happening at the data-based serial to have lingered a lot longer than intended because inthe standard DNS protocol it is inredibly hard to recover a serial number that you accidently set too high.

Anyhow, thanks for sharing your experiences. It sounds like your DNS zones eventually reached the “set-and-forget” state. Therefore you’re likely not going to beneft from having External DNS where the updates are automatically taken from MiaB and adapted to what the DNS provider needs.

This topic was automatically closed after 61 days. New replies are no longer allowed.