DNS Infrastructure
Comprehensive documentation of MDHosting Ltd's DNS infrastructure, zone management procedures, and PowerDNS migration planning.
Overview
MDHosting operates authoritative DNS servers providing name resolution services for all hosted domains. DNS is a critical component of the infrastructure, handling domain-to-IP mapping for websites and email services.
Current DNS Infrastructure:
- Nameservers: ns1.mdhosting.co.uk, ns2.mdhosting.co.uk
- DNS Software: cPanel DNS (BIND-based)
- Servers: CX22 instances at Hetzner Germany
- Architecture: Master-Slave configuration
- Managed Zones: ~30 client domains + MDHosting infrastructure
- Future Platform: PowerDNS (migration planned with ApisCP)

Key Features:
- Redundancy: Dual nameserver setup for high availability
- Geographic Distribution: Both servers in Hetzner Germany (same datacenter)
- Automated Management: Zone creation via cPanel/WHM integration
- DNSSEC Ready: PowerDNS migration will enable DNSSEC support
Current DNS Architecture
DNS Server Configuration
```mermaid
graph TB
    subgraph "Current DNS Infrastructure - cPanel/BIND"
        NS1[ns1.mdhosting.co.uk<br/>CX22 - Primary DNS<br/>4GB RAM, 2 vCPU<br/>Hetzner Germany]
        NS2[ns2.mdhosting.co.uk<br/>CX22 - Secondary DNS<br/>4GB RAM, 2 vCPU<br/>Hetzner Germany]
        EU1[eu1.cp<br/>CPX31 Hosting Server<br/>Zone Master Source]
    end
    subgraph "DNS Clients"
        CLIENT[Client Resolvers<br/>Worldwide]
    end
    CLIENT -->|Query ns1| NS1
    CLIENT -->|Query ns2| NS2
    EU1 -.->|cPanel DNS Cluster| NS1
    EU1 -.->|cPanel DNS Cluster| NS2
    NS1 <-->|Synchronisation| NS2
    classDef dns fill:#3498db,stroke:#2c3e50,stroke-width:2px,color:#fff
    classDef source fill:#f39c12,stroke:#2c3e50,stroke-width:2px,color:#fff
    classDef client fill:#95a5a6,stroke:#2c3e50,stroke-width:2px,color:#fff
    class NS1,NS2 dns
    class EU1 source
    class CLIENT client
```
DNS Query Distribution:
- Most resolvers query ns1 (primary)
- ns2 provides fallback and load distribution
- Both nameservers serve identical zone data
DNS Server Specifications
ns1.mdhosting.co.uk:
- Server Type: Hetzner CX22
- Location: Hetzner Germany
- CPU: 2 vCPU (AMD EPYC)
- RAM: 4 GB
- Storage: 40 GB NVMe SSD
- Bandwidth: 20 TB/month
- IPv4: [NS1_IP_ADDRESS]
- Operating System: AlmaLinux 8
- DNS Software: cPanel DNS (BIND)
- Cost: £5.50/month (€6.30)

ns2.mdhosting.co.uk:
- Server Type: Hetzner CX22
- Location: Hetzner Germany
- CPU: 2 vCPU (AMD EPYC)
- RAM: 4 GB
- Storage: 40 GB NVMe SSD
- Bandwidth: 20 TB/month
- IPv4: [NS2_IP_ADDRESS]
- Operating System: AlmaLinux 8
- DNS Software: cPanel DNS (BIND)
- Cost: £5.50/month (€6.30)
Combined DNS Infrastructure Cost: £11/month (€12.60)
cPanel DNS Cluster Configuration
DNS Cluster Overview:
- Master: eu1.cp (hosting server)
- Slaves: ns1, ns2 (dedicated DNS servers)
- Synchronisation Method: cPanel DNS Cluster (via HTTPS API)
- Update Propagation: Near-instant (within seconds)

How it Works:
1. DNS zone created/modified on eu1.cp (via cPanel/WHM)
2. cPanel DNS cluster automatically pushes the update to ns1 and ns2
3. Changes take effect immediately on both nameservers
4. Client resolvers honour TTL for cache expiry

Configuration Path (WHM):
- WHM → Clusters → DNS Cluster
- Configured nodes: ns1.mdhosting.co.uk, ns2.mdhosting.co.uk
- Authentication: cPanel API tokens
- Synchronisation: Automatic
DNS Zone Structure
Standard Zone Configuration (Example: clientdomain.com):
```zone
$TTL 14400
@ IN SOA ns1.mdhosting.co.uk. admin.mdhosting.co.uk. (
    2026010901 ; Serial (YYYYMMDDNN)
    86400      ; Refresh (24 hours)
    7200       ; Retry (2 hours)
    3600000    ; Expire (1000 hours)
    86400 )    ; Minimum TTL (24 hours)

; Nameserver Records
@ IN NS ns1.mdhosting.co.uk.
@ IN NS ns2.mdhosting.co.uk.

; A Records
@    IN A [EU1_IP_ADDRESS]
www  IN A [EU1_IP_ADDRESS]
mail IN A [EU1_IP_ADDRESS]
ftp  IN A [EU1_IP_ADDRESS]

; CNAME Records
webmail IN CNAME clientdomain.com.
cpanel  IN CNAME clientdomain.com.

; MX Records
@ IN MX 0 mail.clientdomain.com.

; TXT Records (SPF, DKIM, DMARC)
@ IN TXT "v=spf1 a mx ip4:[EU1_IP_ADDRESS] ~all"
default._domainkey IN TXT "v=DKIM1; k=rsa; p=[DKIM_PUBLIC_KEY]"
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:admin@clientdomain.com"
```
Common Record Types:
- SOA: Start of Authority (zone metadata)
- NS: Nameserver records (ns1, ns2)
- A: IPv4 address records
- AAAA: IPv6 address records (future)
- CNAME: Canonical name aliases
- MX: Mail exchange records
- TXT: Text records (SPF, DKIM, DMARC, verification)
- SRV: Service records (rarely used)
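The following is an added example, not part of MDHosting's documentation or of cPanel's tooling: a small Python parser for zone files in the template shown above, with a lint pass that checks the apex NS set against ns1/ns2, the YYYYMMDDNN serial format, that every in-zone MX target has an address record, and that SPF and DMARC TXT records are present. It also computes the next YYYYMMDDNN serial, the convention described later under DNS Best Practices. The sample zone, the 192.0.2.10 address (a documentation address standing in for [EU1_IP_ADDRESS]) and the expected nameserver set are assumptions constructed for the example; to lint real data, run it over a zone exported from WHM (DNS Functions → Edit DNS Zone).

```python
import re
from collections import namedtuple
from datetime import date

# Constructed sample in the page's template format; 192.0.2.10 is a
# documentation address standing in for [EU1_IP_ADDRESS].
SAMPLE_ZONE = """\
$TTL 14400
@ IN SOA ns1.mdhosting.co.uk. admin.mdhosting.co.uk. (
    2026010901 ; Serial (YYYYMMDDNN)
    86400      ; Refresh
    7200       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum TTL
@       IN NS    ns1.mdhosting.co.uk.
@       IN NS    ns2.mdhosting.co.uk.
@       IN A     192.0.2.10
mail    IN A     192.0.2.10
@       IN MX    0 mail.clientdomain.com.
@       IN TXT   "v=spf1 a mx ip4:192.0.2.10 ~all"
_dmarc  IN TXT   "v=DMARC1; p=none; rua=mailto:admin@clientdomain.com"
"""
EXPECTED_NS = {"ns1.mdhosting.co.uk.", "ns2.mdhosting.co.uk."}   # assumed NS set
TOKEN_RE = re.compile(r'"[^"]*"|\S+')      # keeps quoted TXT strings whole
COMMENT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')   # ';' outside quotes
Record = namedtuple("Record", "name ttl rtype rdata")  # name is FQDN with dot


def parse_zone(text, origin):
    """Covers what cPanel writes: $TTL, '@', relative names, a blank owner
    (repeat previous), ';' comments and the parenthesised multi-line SOA."""
    origin = origin.rstrip(".") + "."
    default_ttl, last_name, records = 3600, origin, []
    logical, buf, depth, indented = [], [], 0, False
    for raw in text.splitlines():          # fold '(' ... ')' continuations
        line = COMMENT_RE.split(raw, maxsplit=1)[0]
        if not buf:
            indented = raw[:1] in (" ", "\t")
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined, buf = " ".join(buf).strip(), []
            if joined:
                logical.append((indented, joined))
    for indented, line in logical:
        tokens = TOKEN_RE.findall(line)
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if not indented:                   # an indented line reuses the last owner
            owner = tokens.pop(0)
            last_name = origin if owner == "@" else (
                owner if owner.endswith(".") else f"{owner}.{origin}")
        ttl = default_ttl
        while tokens[0] == "IN" or tokens[0].isdigit():   # optional class / TTL
            tok = tokens.pop(0)
            if tok != "IN":
                ttl = int(tok)
        records.append(Record(last_name, ttl, tokens[0], " ".join(tokens[1:])))
    return records


def check_serial(serial):
    """True if the serial is YYYYMMDDNN with a real calendar date."""
    m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})\d{2}", serial)
    try:
        return bool(m) and bool(date(*map(int, m.groups())))
    except ValueError:                     # e.g. month 13 or day 32
        return False


def next_serial(current, today):
    """Next YYYYMMDDNN serial: today with NN=01, or NN+1 if the zone already
    changed today, so the value never moves backwards."""
    base = int(today.strftime("%Y%m%d")) * 100
    return base + 1 if current < base else current + 1


def lint_zone(records, origin):
    """Findings against the MDHosting template; an empty list means OK."""
    origin = origin.rstrip(".") + "."
    findings, soa = [], [r for r in records if r.rtype == "SOA" and r.name == origin]
    if len(soa) != 1:
        findings.append("zone needs exactly one apex SOA")
    elif not check_serial(soa[0].rdata.split()[2]):
        findings.append(f"SOA serial {soa[0].rdata.split()[2]} is not YYYYMMDDNN")
    ns = {r.rdata for r in records if r.rtype == "NS" and r.name == origin}
    if ns != EXPECTED_NS:
        findings.append(f"apex NS set {sorted(ns)} != {sorted(EXPECTED_NS)}")
    addressed = {r.name for r in records if r.rtype in ("A", "AAAA")}
    for r in records:
        if r.rtype == "MX":
            target = r.rdata.split()[1]
            if target.endswith("." + origin) and target not in addressed:
                findings.append(f"MX target {target} has no A/AAAA record in zone")
    apex_txt = [r.rdata for r in records if r.rtype == "TXT" and r.name == origin]
    if not any(t.startswith('"v=spf1') for t in apex_txt):
        findings.append("no SPF record at apex")
    if not any(r.rtype == "TXT" and r.name == "_dmarc." + origin for r in records):
        findings.append("no _dmarc TXT record")
    return findings
```

`lint_zone(parse_zone(open(path).read(), "clientdomain.com"), "clientdomain.com")` returns an empty list for a zone that matches the template; each finding is one sentence naming the record at fault, which makes the check easy to run over all ~30 zones in a loop.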
DNS Management Procedures
Creating a New DNS Zone
Via WHM (Automatic with Account Creation):
When creating a new cPanel account, DNS zone is created automatically with default records.
- Log in to WHM at https://eu1.mdhosting.co.uk:2087
- Navigate to Account Functions → Create a New Account
- Enter domain name (e.g., newdomain.com)
- Complete account creation
- DNS zone automatically:
  - Created on eu1.cp
  - Synced to ns1 and ns2
  - Populated with default records (A, MX, TXT)
Manual DNS Zone Creation:
- Log in to WHM
- Navigate to DNS Functions → Add a DNS Zone
- Enter domain name: newdomain.com
- Enter IP address: [EU1_IP_ADDRESS]
- Click Add Zone
- Zone syncs automatically to ns1 and ns2
Editing DNS Records
Via cPanel (Client Access):
- Log in to cPanel (account holder)
- Navigate to Domains → Zone Editor
- Select domain to edit
- Add Record:
  - Click Add Record (A, CNAME, MX, TXT)
  - Enter record details
  - Click Add Record
- Edit Record:
  - Click Edit next to existing record
  - Modify values
  - Click Edit Record
- Delete Record:
  - Click Delete next to record
  - Confirm deletion
Via WHM (Administrator Access):
- Log in to WHM
- Navigate to DNS Functions → Edit DNS Zone
- Select domain from dropdown
- Edit zone file directly or use graphical editor
- Save changes
- Changes sync automatically to ns1 and ns2
Important DNS Records to Configure:
SPF Record (Email Authentication):
DKIM Record (Email Signing):
- Enable via cPanel → Email → Email Deliverability
- DKIM record automatically added to DNS zone
- Verify DNS propagation after enabling
DMARC Record (Email Policy):
DNS Propagation
Propagation Timeline:
- Zone Creation: Immediate on ns1/ns2
- Record Updates: Immediate on ns1/ns2
- Client Cache Expiry: Varies by TTL (typically 4-24 hours)
- Global Propagation: 4-48 hours (depends on resolver TTL caching)
Checking DNS Propagation:
Via Command Line:
```bash
# Query ns1 directly
dig @ns1.mdhosting.co.uk clientdomain.com A

# Query ns2 directly
dig @ns2.mdhosting.co.uk clientdomain.com A

# Query public resolvers
dig @8.8.8.8 clientdomain.com A
dig @1.1.1.1 clientdomain.com A

# Check MX records
dig clientdomain.com MX +short

# Check TXT records (SPF)
dig clientdomain.com TXT +short

# Check nameservers
dig clientdomain.com NS +short
```
Via Online Tools:
- WhatIsMyDNS.net - Global DNS propagation checker
- DNSChecker.org - Multi-location DNS checker
- MXToolbox.com - MX and email DNS verification

Common Propagation Issues:
1. Old DNS cached: Wait for TTL expiry
2. Nameservers not updated at registrar: Update NS records at domain registrar
3. Zone not syncing: Check cPanel DNS cluster status in WHM
4. Typo in records: Verify record syntax
DNS Zone Transfers (AXFR/IXFR)
Current Configuration:
- Zone Transfer Method: cPanel DNS cluster (proprietary, HTTPS-based)
- AXFR Support: Not exposed publicly (security)
- IXFR Support: Not used in current setup

Future with PowerDNS:
- AXFR: Full zone transfer from master to slaves
- IXFR: Incremental zone transfer (only changed records)
- TSIG: Transaction signatures for secure transfers
- NOTIFY: Automatic slave notification on zone changes
DNSSEC Support
Current Status: Not Implemented
- cPanel DNS does not have production-ready DNSSEC support
- Requires manual BIND configuration (high complexity)
- Not practical for multi-domain environment

Future with PowerDNS:
- Native DNSSEC support
- Automated key management
- Key signing key (KSK) and zone signing key (ZSK) generation
- DS record management for registrar updates
- Automatic key rotation

DNSSEC Benefits:
- Protection against DNS cache poisoning
- Verification of DNS response authenticity
- Enhanced security for email (DANE)
- Increased client trust

Implementation Timeline:
- Phase 1 (Q2 2026): PowerDNS migration
- Phase 2 (Q3 2026): DNSSEC enablement for MDHosting domains
- Phase 3 (Q4 2026): DNSSEC enablement for client domains (optional)
DNS Monitoring and Troubleshooting
Monitoring DNS Health
Daily Checks:
```bash
# Check DNS service status on ns1
ssh ns1.mdhosting.co.uk
systemctl status named

# Check DNS service status on ns2
ssh ns2.mdhosting.co.uk
systemctl status named

# Query sample domains
dig @ns1.mdhosting.co.uk mdhosting.co.uk A
dig @ns2.mdhosting.co.uk mdhosting.co.uk A

# Check DNS query statistics
rndc stats
tail -n 50 /var/named/data/named_stats.txt
```
WHM DNS Cluster Monitoring:
1. Log in to WHM on eu1.cp
2. Navigate to Clusters → DNS Cluster
3. Verify both ns1 and ns2 show "Synchronized"
4. Check for sync errors or warnings

DNS Query Monitoring:
- Monitor query volume via BIND statistics
- Alert on query rate spikes (potential DDoS)
- Monitor for SERVFAIL responses
- Track zone transfer success/failure
Common DNS Issues
Issue 1: DNS Not Resolving
Symptoms:
- Domain not resolving to IP address
- "Server not found" errors
- Email delivery failures
Troubleshooting:
```bash
# Check if nameservers respond
dig @ns1.mdhosting.co.uk clientdomain.com A
dig @ns2.mdhosting.co.uk clientdomain.com A

# Check nameserver delegation
dig clientdomain.com NS +trace

# Check if zone exists
ssh ns1.mdhosting.co.uk
named-checkzone clientdomain.com /var/named/clientdomain.com.db
```
Resolution:
1. Verify zone exists on ns1/ns2
2. Check nameservers set correctly at registrar
3. Verify DNS sync from cPanel cluster
4. Check for zone file syntax errors
Issue 2: DNS Changes Not Propagating
Symptoms:
- DNS changes made but not visible
- Old IP addresses still resolving
Troubleshooting:
```bash
# Query authoritative nameservers directly
dig @ns1.mdhosting.co.uk clientdomain.com A
dig @ns2.mdhosting.co.uk clientdomain.com A

# Check public resolvers (cached)
dig @8.8.8.8 clientdomain.com A

# Check TTL
dig clientdomain.com A | grep "^clientdomain.com" | awk '{print $2}'
```
Resolution:
1. Verify changes saved in cPanel/WHM
2. Check cPanel DNS cluster sync status
3. Wait for TTL expiry (typically 4 hours)
4. Flush local DNS cache on client machine
5. Use online DNS checkers to monitor propagation
Issue 3: Email Not Being Received (MX Records)
Symptoms:
- Email bounce messages
- "No MX record found" errors
Troubleshooting:
```bash
# Check MX records
dig clientdomain.com MX +short

# Verify mail server resolves
dig mail.clientdomain.com A +short

# Test SMTP connectivity
telnet mail.clientdomain.com 25
```
Resolution:
1. Verify MX record exists and points correctly
2. Ensure mail.clientdomain.com A record exists
3. Check SPF record includes mail server
4. Verify firewall allows port 25
5. Test email delivery from external service
Issue 4: DNS Server Down
Symptoms:
- All domains not resolving
- DNS service not responding
- High query failure rate
Immediate Actions:
```bash
# SSH to affected server
ssh ns1.mdhosting.co.uk

# Check DNS service
systemctl status named

# Restart if needed
systemctl restart named

# Check logs for errors
journalctl -u named -n 100 --no-pager

# Verify listening on port 53
ss -tulpn | grep :53
```
Escalation:
- If restart fails, check disk space and memory
- Review BIND error logs
- Check for firewall blocks (CSF)
- Failover relies on ns2 (redundancy)
- Contact Hetzner if hardware issue
DNS Performance Optimization
Current Performance:
- Query Response Time: under 20 ms (local queries)
- Query Response Time: 50-150 ms (international queries)
- Uptime: 99.9%+ target
Optimization Strategies:
1. TTL Tuning:
   - Standard TTL: 14400 seconds (4 hours)
   - Lower TTL before DNS changes: 300 seconds (5 minutes)
   - Increase TTL for stable zones: 86400 seconds (24 hours)
2. Query Rate Limiting:
3. Caching:
   - Recursive queries disabled (authoritative only)
   - No caching required on authoritative servers
4. Geographic Distribution:
   - Current: Both servers in Germany
   - Future consideration: Add anycast DNS or third location (UK/US)
PowerDNS Migration Planning
Migration Overview
- Current Platform: cPanel DNS (BIND-based)
- Target Platform: PowerDNS Authoritative Server
- Migration Timeline: Q2 2026 (aligned with ApisCP migration)
- Estimated Duration: 2-3 weeks
- Risk Level: Medium (comprehensive testing planned)
Why PowerDNS?
Advantages over cPanel DNS:
- Native ApisCP Integration: Seamless control panel integration
- DNSSEC Support: Production-ready DNSSEC implementation
- API-Driven: RESTful API for automation
- Modern Features: IXFR, NOTIFY, TSIG, DANE
- Better Performance: Optimized for high query volumes
- No Licensing Dependency: Eliminates cPanel DNS requirement
- Hidden Master Support: Enhanced security architecture

Technical Improvements:
- SQL backend (MySQL/MariaDB) for zone storage
- Incremental zone transfers (IXFR) reduce bandwidth
- TSIG authentication for secure zone transfers
- Native DNSSEC key management and signing
- Better logging and monitoring capabilities
Planned PowerDNS Architecture
```mermaid
graph TB
    subgraph "Future PowerDNS Infrastructure (Q2 2026)"
        HM[Hidden Master<br/>PowerDNS Authoritative<br/>ApisCP-Integrated<br/>Not Public]
        NS1P[ns1.mdhosting.co.uk<br/>PowerDNS Authoritative<br/>Public Slave<br/>CX22 Server]
        NS2P[ns2.mdhosting.co.uk<br/>PowerDNS Authoritative<br/>Public Slave<br/>CX22 Server]
    end
    subgraph "Management"
        APISCP[ApisCP Control Panel<br/>PowerDNS API Integration]
    end
    subgraph "Clients"
        CLIENT[DNS Resolvers<br/>Worldwide]
    end
    APISCP -->|Zone Management<br/>PowerDNS API| HM
    HM -->|AXFR/IXFR + NOTIFY<br/>TSIG Authenticated| NS1P
    HM -->|AXFR/IXFR + NOTIFY<br/>TSIG Authenticated| NS2P
    CLIENT -->|DNS Queries| NS1P
    CLIENT -->|DNS Queries| NS2P
    NS1P -.->|NOTIFY| HM
    NS2P -.->|NOTIFY| HM
    classDef master fill:#e74c3c,stroke:#2c3e50,stroke-width:2px,color:#fff
    classDef slave fill:#3498db,stroke:#2c3e50,stroke-width:2px,color:#fff
    classDef mgmt fill:#8e44ad,stroke:#2c3e50,stroke-width:2px,color:#fff
    classDef client fill:#95a5a6,stroke:#2c3e50,stroke-width:2px,color:#fff
    class HM master
    class NS1P,NS2P slave
    class APISCP mgmt
    class CLIENT client
```
Hidden Master Architecture:
- Hidden Master: Not listed in public NS records
- Public Slaves: ns1 and ns2 serve queries
- Security: Hidden master not exposed to internet attacks
- Flexibility: Change master location without client impact
Migration Phases
Phase 1: Hidden Master Deployment (Week 1)
- Deploy PowerDNS on Hidden Master:
- Configure PowerDNS Master:
- ApisCP PowerDNS Integration:
  - Configure ApisCP DNS module for PowerDNS
  - Set API endpoint and authentication
  - Test zone creation and updates
Phase 2: Slave Server Configuration (Week 1-2)
- Install PowerDNS on ns1 and ns2:
- Configure PowerDNS Slaves:
- Configure TSIG Keys for Secure Transfers:
- Configure Zone Transfer ACLs:
  - Allow zone transfers only from hidden master IP
  - Require TSIG authentication
  - Block all other transfer attempts
Phase 3: Zone Migration (Week 2)
- Export Zones from cPanel:
- Import Zones to PowerDNS:
- Verify Zone Data:
- Test Zone Transfers:
Phase 4: Parallel Operation (Week 2-3)
- Run Dual DNS (cPanel + PowerDNS):
  - cPanel DNS remains authoritative (ns1/ns2 still using BIND)
  - PowerDNS operates in parallel (different test domains)
  - Monitor both systems for comparison
- Testing Checklist:
  - All zones present in PowerDNS
  - Records match cPanel DNS exactly
  - Zone transfers working (master → slaves)
  - NOTIFY triggers immediate slave updates
  - ApisCP zone management functional
  - TTL values preserved
  - SOA serial numbers incrementing correctly
  - TSIG authentication working
- Performance Testing:
  - Query response time comparison
  - Zone transfer speed (AXFR vs IXFR)
  - Load testing (simulate high query rate)
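As an added example for the testing checklist above (and for the automated zone comparison scripts listed under Migration Risks), not MDHosting's own tooling: a Python comparison of two record sets of one zone, each given as `owner TTL IN TYPE rdata` lines, the shape `dig @server zone AXFR` prints when run from a host the cluster permits transfers to. Records are compared per owner and type, TTL values are checked separately, and an advanced SOA serial on the new side is reported without blocking cutover. The two exports are constructed samples with three deliberate defects (serial bumped, `www` TTL changed, MX record lost); 192.0.2.10 is a documentation address. Because owner names and hostnames are normalised, the same function answers the earlier propagation question of whether ns1 and ns2 serve identical data when fed each server's answers.

```python
import re
from collections import defaultdict

TOKEN_RE = re.compile(r'"[^"]*"|\S+')                  # keep quoted TXT whole
HOSTNAME_TYPES = {"NS", "CNAME", "MX", "SOA", "PTR", "SRV"}  # rdata holds names

# Constructed: what `dig @ns1.mdhosting.co.uk clientdomain.com AXFR` could
# return from the cPanel/BIND cluster (192.0.2.10 is a documentation address).
CPANEL_EXPORT = """\
clientdomain.com.      14400 IN SOA  ns1.mdhosting.co.uk. admin.mdhosting.co.uk. 2026010901 86400 7200 3600000 86400
clientdomain.com.      14400 IN NS   ns1.mdhosting.co.uk.
clientdomain.com.      14400 IN NS   ns2.mdhosting.co.uk.
clientdomain.com.      14400 IN A    192.0.2.10
www.clientdomain.com.  14400 IN A    192.0.2.10
mail.clientdomain.com. 14400 IN A    192.0.2.10
clientdomain.com.      14400 IN MX   0 mail.clientdomain.com.
clientdomain.com.      14400 IN TXT  "v=spf1 a mx ip4:192.0.2.10 ~all"
"""
# Constructed: the same zone listed from the PowerDNS side after import, with
# three deliberate defects: serial bumped, www TTL changed, MX record lost.
PDNS_EXPORT = """\
clientdomain.com. 14400 IN SOA ns1.mdhosting.co.uk admin.mdhosting.co.uk 2026010902 86400 7200 3600000 86400
clientdomain.com. 14400 IN NS ns1.mdhosting.co.uk
clientdomain.com. 14400 IN NS ns2.mdhosting.co.uk
clientdomain.com. 14400 IN A 192.0.2.10
WWW.clientdomain.com. 3600 IN A 192.0.2.10
mail.clientdomain.com. 14400 IN A 192.0.2.10
clientdomain.com. 14400 IN TXT "v=spf1 a mx ip4:192.0.2.10 ~all"
"""


def load_rrsets(text):
    """Return {(owner, type): {rdata: ttl}} from 'owner TTL IN TYPE rdata' lines.
    Owner names and hostnames inside rdata are normalised (lowercase, no
    trailing dot) so exports from different tools compare equal."""
    rrsets = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, ttl, _cls, rtype, *rdata = TOKEN_RE.findall(line)
        if rtype in HOSTNAME_TYPES:
            rdata = [t.lower().rstrip(".") for t in rdata]
        rrsets[(owner.lower().rstrip("."), rtype)][" ".join(rdata)] = int(ttl)
    return dict(rrsets)


def compare_rrsets(old, new):
    """Diff two rrset maps. A changed serial on the new side is expected and
    reported on its own; everything else is a blocker for cutover."""
    report = {"missing": [], "extra": [], "ttl": [], "soa": []}
    for key in sorted(set(old) | set(new)):
        owner, rtype = key
        a, b = old.get(key, {}), new.get(key, {})
        if rtype == "SOA" and a and b:          # SOA rdata compared field-wise
            (ra, ta), (rb, tb) = next(iter(a.items())), next(iter(b.items()))
            fa, fb = ra.split(), rb.split()
            if fa[2] != fb[2]:
                report["soa"].append(f"{owner} serial {fa[2]} -> {fb[2]}")
            if fa[:2] + fa[3:] != fb[:2] + fb[3:]:
                report["missing"].append(f"{owner} SOA fields changed: {ra} -> {rb}")
            if ta != tb:
                report["ttl"].append(f"{owner} SOA: {ta} -> {tb}")
            continue
        for rdata in sorted(a.keys() - b.keys()):
            report["missing"].append(f"{owner} {rtype} {rdata}")
        for rdata in sorted(b.keys() - a.keys()):
            report["extra"].append(f"{owner} {rtype} {rdata}")
        for rdata in sorted(a.keys() & b.keys()):
            if a[rdata] != b[rdata]:
                report["ttl"].append(f"{owner} {rtype} {rdata}: {a[rdata]} -> {b[rdata]}")
    return report


def cutover_ready(report):
    """True only when both sides match apart from an advanced SOA serial."""
    return not (report["missing"] or report["extra"] or report["ttl"])


if __name__ == "__main__":
    rep = compare_rrsets(load_rrsets(CPANEL_EXPORT), load_rrsets(PDNS_EXPORT))
    for kind, items in rep.items():
        for item in items:
            print(f"{kind:8} {item}")
    print("cutover ready:", cutover_ready(rep))
```

Run once per zone during the parallel phase and again immediately before cutover; the `soa` entries are expected to be non-empty after any edit on the new side, while `missing`, `extra` and `ttl` must all be empty before the registrar delegation is left pointing at the PowerDNS-served ns1/ns2.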
Phase 5: Cutover (Week 3)
- Final Preparation:
  - Lower TTL on all zones (4 hours → 5 minutes)
  - Wait 24 hours for cache expiry
  - Schedule maintenance window
- Cutover Steps:
- Verification:
  - Query all critical domains
  - Check email delivery (MX records)
  - Monitor query logs for errors
  - Check cPanel/ApisCP zone management
- Rollback Plan (if needed):
- Post-Cutover:
  - Monitor for 48-72 hours
  - Restore TTL to normal (5 minutes → 4 hours)
  - Decommission cPanel DNS cluster
  - Update internal documentation
Phase 6: DNSSEC Enablement (Future - Q3 2026)
- Enable DNSSEC for MDHosting Domains:
- Update Registrar DS Records:
  - Log in to domain registrar (internet.bs)
  - Add DS records from PowerDNS
  - Wait for DS propagation (24-48 hours)
- Verify DNSSEC:
- Client Domain DNSSEC (Optional):
  - Offer DNSSEC as premium feature
  - Client requests DNSSEC enablement
  - Provide DS records for their registrar
  - Enable monitoring for DNSSEC validation failures
Migration Risks and Mitigation
Risk 1: DNS Resolution Failures
- Likelihood: Low
- Impact: High (complete service outage)
- Mitigation:
  - Comprehensive pre-cutover testing
  - Parallel operation phase (validate before cutover)
  - Immediate rollback plan prepared
  - Maintenance window during low-traffic period

Risk 2: Zone Data Loss/Corruption
- Likelihood: Low
- Impact: High
- Mitigation:
  - Multiple backups of zone files before migration
  - Automated zone comparison scripts
  - Manual verification of critical domains
  - Retain cPanel DNS configuration for 30 days post-migration

Risk 3: Email Delivery Disruption
- Likelihood: Medium
- Impact: Medium
- Mitigation:
  - Verify MX records in PowerDNS match cPanel
  - Test email send/receive before cutover
  - Monitor email queue during/after migration
  - Lower TTL before cutover to reduce cache issues

Risk 4: Performance Degradation
- Likelihood: Low
- Impact: Medium
- Mitigation:
  - Performance testing during parallel phase
  - Monitor query response times
  - Tune PowerDNS configuration if needed
  - CX22 servers adequate for query volume

Risk 5: Client Management Interface Issues
- Likelihood: Medium
- Impact: Medium
- Mitigation:
  - Test ApisCP DNS management thoroughly
  - Document new procedures for clients
  - Provide fallback WHM access if needed
  - Staff training on PowerDNS/ApisCP integration
Post-Migration Benefits
Operational Improvements:
- Reduced cPanel licensing dependency (DNS decoupled)
- Modern API for automation and integration
- Better monitoring and logging capabilities
- DNSSEC support for enhanced security

Security Improvements:
- Hidden master architecture (reduced attack surface)
- TSIG authentication for zone transfers
- DNSSEC protection against cache poisoning
- Better access control and audit logging

Cost Benefits:
- No additional costs (same CX22 servers)
- Potential savings from reduced cPanel license tier
- Reduced operational overhead (simpler architecture)

Performance Benefits:
- Faster zone transfers (IXFR vs AXFR)
- Optimized query handling
- Better support for high query volumes
- Lower latency with tuned configuration
DNS Best Practices
Zone Management
1. Always Use TTL Wisely:
   - Stable Records: 86400 seconds (24 hours)
   - Standard Records: 14400 seconds (4 hours)
   - Pre-Change: 300 seconds (5 minutes), set 24 hours before planned change
2. Maintain SOA Serial Numbers:
   - Always increment when making changes
   - Use YYYYMMDDNN format (e.g., 2026010901)
   - Automated in cPanel/PowerDNS
3. Verify Changes:
   - Query authoritative nameservers directly after changes
   - Use online propagation checkers
   - Test from multiple locations
4. Backup Zones:
   - Export zones monthly
   - Store backups securely
   - Test restore procedures quarterly
Email DNS Configuration
Essential Email Records:
1. MX Record:
2. SPF Record:
3. DKIM Record:
4. DMARC Record:
Testing Email DNS:
```bash
# Check MX records
dig cl� hmm
```
Security Best Practices
1. Restrict Zone Transfers: - Only allow zone transfers to known slaves - Use TSIG authentication (PowerDNS) - Monitor zone transfer attempts - Block unauthorized AXFR queries
2. Rate Limiting: - Implement query rate limiting to prevent abuse - Monitor for DDoS attacks (high query volume) - Use Fail2Ban for repeated abusive queries
3. Regular Audits: - Review DNS logs weekly - Check for unauthorized zone modifications - Monitor for suspicious query patterns - Verify nameserver delegation at registrars
4. Access Control: - Limit WHM/ApisCP access to authorized staff - Use API tokens instead of root passwords - Enable two-factor authentication - Audit API access logs
Additional Resources
Internal Documentation: - Network Architecture - Complete network diagrams and DNS flow - Client Onboarding - DNS configuration for new clients - ApisCP Migration - PowerDNS migration details - Server Maintenance - DNS server maintenance procedures
External Resources: - PowerDNS Documentation - Official PowerDNS guides - BIND Documentation - Current DNS software (cPanel DNS) - DNSSEC Guide - DNSSEC implementation guide - DNS RFC 1035 - DNS specification
DNS Tools: - dig - DNS query tool - nslookup - DNS lookup utility - WhatIsMyDNS.net - Global DNS propagation checker - DNSChecker.org - Multi-location DNS verification - MXToolbox.com - Email DNS diagnostics
WHM/cPanel: - WHM DNS Functions - DNS zone management - cPanel Zone Editor - Client DNS management
Last updated: January 2026