virtualmin check-config Incorrectly Reports Primary DNS Server Does Not Resolve IP Address #1030

Open
MSSEsq opened this issue Mar 19, 2025 · 14 comments

Comments

@MSSEsq

MSSEsq commented Mar 19, 2025

System Information:
Webmin version 2.303

Virtualmin version 7.30.7

FreeBSD 14.2-RELEASE-p2 on amd64

Running “virtualmin check-config” in a Unix command shell or opening the “Re-Check Configuration” Virtualmin page incorrectly reports:

BIND DNS server is installed, however, the default primary DNS server ns1.mail.ourdomain.tld does not resolve to an IP address

Running nslookup ns1.mail.ourdomain.tld from the Webmin Terminal Module (using the actual URL) returns the correct IPv4 and IPv6 addresses of our primary DNS server.

@jcameron
Collaborator

What output do you get if you run host ns1.mail.ourdomain.tld from the CLI?

@MSSEsq
Author

MSSEsq commented Mar 19, 2025

> What output do you get if you run host ns1.mail.ourdomain.tld from the CLI?

The host command returns the correct IPv4 and IPv6 addresses of our primary DNS server the same as the nslookup command does.

webmin pushed a commit that referenced this issue Mar 19, 2025
@jcameron
Collaborator

Ok I see the real issue now - the error message in Virtualmin is wrong! What it should really say is that the IP that ns1.mail.ourdomain.tld resolves to isn't one of the IPs active on your system.

Is that correct?

@MSSEsq
Author

MSSEsq commented Mar 19, 2025

The answer to your question depends upon what you mean by “the IP that ns1.mail.ourdomain.tld resolves to isn't one of the IPs active on your system.” BIND should be storing the resolved IP addresses of our three authoritative DNS servers locally for the Time To Live (TTL). Our primary DNS server runs on a remote Mail-in-a-Box instance, and our secondary and tertiary DNS servers functioning as slaves to that primary run as NSD on the local system. BIND supports Postfix by providing local IP address resolution for all mail relay servers. I can find no reason why check-config is reporting that the URL of our primary DNS server does not resolve to an IP address. The IP address that our primary DNS server resolves to is not local, but that is not a problem.

@jcameron
Collaborator

So are you planning to host DNS zones on your Virtualmin system, or will they be entirely remote and managed manually?

@MSSEsq
Author

MSSEsq commented Mar 19, 2025

> So are you planning to host DNS zones on your Virtualmin system, or will they be entirely remote and managed manually?

Yes, DNS zones are hosted on the Virtualmin system, but only as slave zones automatically managed by secure communications between NSD running on our Mail-in-a-Box server, which is primary, and NSD running on the Virtualmin system, which is secondary and tertiary. Bind only runs as a recursive DNS server in support of Postfix. Only NSD responds to DNS requests authoritatively for the hosted domains.

@MSSEsq
Author

MSSEsq commented Mar 19, 2025

As an aside, a new Webmin Module for managing NSD would be a nice enhancement, if someone is looking for a new development project.

@jcameron
Collaborator

So if you're not running BIND on the Virtualmin system, the best option would be to disable it on the Features and Plugins page.

@MSSEsq
Author

MSSEsq commented Mar 20, 2025

BIND is running on the Virtualmin system. Bind runs as a recursive DNS server only. This supports Postfix. BIND is not authoritative for any domain. The authoritative DNS server on the Virtualmin system is NSD. That enables NSD master to NSD slave communication to reliably keep the NSD zone files on the Virtualmin system synchronized with the primary DNS server running on our Mail-in-a-Box server.

@jcameron
Collaborator

Right, BIND is running but you're not hosting primary DNS zones locally. Hence for your setup, I think it would be simpler to turn off DNS on the Features and Plugins page.

@MSSEsq
Author

MSSEsq commented Mar 20, 2025

I can ignore the message, but it does seem to be reporting a configuration problem. I suggest changing the message to:

BIND DNS server is installed. The default primary DNS server ns1.mail.ourdomain.tld does not resolve to an IP address of a network interface on this system.

This revised message would be less confusing and more informative.

@jcameron
Collaborator

Well I think it would be a real error if you were hosting master zones locally on BIND, as it would indicate that the hostname in the NS record doesn't resolve to your machine, and thus DNS lookups would fail.

@MSSEsq
Author

MSSEsq commented Mar 21, 2025

> Well I think it would be a real error if you were hosting master zones locally on BIND, as it would indicate that the hostname in the NS record doesn't resolve to your machine, and thus DNS lookups would fail.

Yes, that was what I intended the language that I suggested to convey, presuming that the URL should resolve to a local IP address. If I have understood your earlier comments well, then the message appears when the default primary DNS server URL does not resolve to an IP address of a local network interface. The original message reports that the URL does not resolve to an IP address, which was factually incorrect in our circumstance. It would be reasonable and appropriate to extend the message to provide more information when the primary DNS server URL does not resolve to an IP address of a local network interface:

BIND DNS server is installed. The default primary DNS server ns1.mail.ourdomain.tld does not resolve to an IP address of a network interface on this system. If the BIND DNS server will be used as a primary authoritative DNS server for Internet domains hosted by this system, then the addresses of the Registered Name Servers should be updated to the correct URLs and IP addresses in the records maintained by the Internet Domain Registrar.

Users who manage DNS servers should be able to understand this message, and should know whether or not the local system is intended to host a registered or authoritative name server.

webmin pushed a commit that referenced this issue Mar 21, 2025
@jcameron
Collaborator

OK I will change the error message to be clearer that it's expecting the IP to be one of the interfaces on your system, but I won't make it too wordy.
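
The distinction this thread settles on, a name that does not resolve at all versus a name that resolves to an address not configured on this host, shown as an added Python example. It is not Virtualmin's code; the `ifconfig` text, the DNS answers, `ns2.ourdomain.tld` and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed FreeBSD-style `ifconfig` output (documentation address ranges only).
SAMPLE_IFCONFIG = """\
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
\tinet6 fe80::1%em0 prefixlen 64 scopeid 0x1
\tinet6 2001:db8::10 prefixlen 64
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""

# Constructed DNS answers; ns2.ourdomain.tld is a hypothetical local name server.
CONSTRUCTED_DNS = {
    "ns1.mail.ourdomain.tld": ["198.51.100.53", "2001:db8:ffff::53"],
    "ns2.ourdomain.tld": ["192.0.2.10"],
}

def fake_resolve(name):
    """Offline stand-in for a resolver: address strings, or [] on failure."""
    return CONSTRUCTED_DNS.get(name, [])

def local_addresses(ifconfig_text):
    """Collect every inet/inet6 address configured on an interface."""
    addrs = set()
    for m in re.finditer(r"^[ \t]+inet6?[ \t]+(\S+)", ifconfig_text, re.MULTILINE):
        # Drop the IPv6 zone suffix (e.g. %em0) before parsing.
        addrs.add(ipaddress.ip_address(m.group(1).split("%")[0]))
    return addrs

def check_primary_ns(hostname, resolve, ifconfig_text):
    """Return (status, message), keeping the two failure causes distinct."""
    resolved = {ipaddress.ip_address(a) for a in resolve(hostname)}
    if not resolved:
        return "unresolved", f"{hostname} does not resolve to an IP address"
    if resolved & local_addresses(ifconfig_text):
        return "ok", f"{hostname} resolves to an address on this system"
    return "not_local", (
        f"{hostname} resolves to {sorted(map(str, resolved))}, "
        "none of which is configured on a local interface"
    )

if __name__ == "__main__":
    for name in ("ns1.mail.ourdomain.tld", "ns2.ourdomain.tld", "missing.ourdomain.tld"):
        print(check_primary_ns(name, fake_resolve, SAMPLE_IFCONFIG))
```

On a live host, `resolve` could wrap `socket.getaddrinfo` and the interface text could come from running `ifconfig`.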
