Setting up your own dedicated DNS server gives you more performance, stability, and security for your domains’ DNS infrastructure. cPanel DNS Only is free and a good option for running an authoritative DNS server on Linux.
This guide will walk you through installing and configuring cPanel DNS Only on Linux. We’ll cover:
- The benefits of using DNS Only
- Detailed requirements and prerequisites
- Step-by-step installation on Ubuntu or AlmaLinux
- Post-install configuration
- Securing your DNS server
- Enabling DNSSEC
- Integrating with DNS clusters
- Troubleshooting common problems
By the end, you’ll have extensive knowledge for deploying DNS Only on Linux. Let’s get started!
Why Use cPanel DNS Only?
Before we dive into the installation, let’s discuss why you may want to use cPanel DNS Only for your authoritative DNS:
Lightweight and Fast
DNS Only includes only the DNS services and management tools without all the extra components in cPanel. This optimized codebase makes it quick and lightweight.
Easy DNS Management
- User-friendly web interface for managing DNS zones, records, and settings easily.
Advanced DNS Features
- Supports modern DNS features such as DNSSEC for security and anycast for performance.
Integrates with cPanel
- Can join clusters with cPanel WHM servers and synchronize DNS zones.
Actively Developed
- cPanel has a long history of actively maintaining their software with frequent updates.
PowerDNS or BIND
- Can choose between PowerDNS or BIND as the DNS server backend.
By leveraging DNS Only for your authoritative DNS, you can take back control over this critical infrastructure for your domains and build a faster, more robust DNS system.
Now let’s go over the requirements and prerequisites.
DNS Only Requirements and Prerequisites
Before installing cPanel DNS Only, you need a Linux server that meets these requirements:
Supported Linux Distribution
- Ubuntu 20.04 LTS – The latest Ubuntu LTS release is recommended.
- AlmaLinux 8 – The community fork of RHEL 8.
Older outdated distributions are not recommended.
Fresh Minimal Install
Start with a fresh minimal install of your Linux distribution, without any existing configuration or software. DNS Only should be the only application installed.
Root Access
You must have root level SSH access to install and configure the software.
Assign FQDN
Set your server’s hostname to a proper FQDN like ns1.example.com instead of a short name. Edit /etc/hostname and update it to your desired FQDN hostname.
Open Firewall Ports
The following TCP ports must be opened in your Linux firewall:
- 53 – Standard DNS queries
- 953 – DNS over TLS encrypted queries
- 2087 – DNS Only web interface
- 80/443 – If integrating with cPanel server
On Ubuntu, use UFW to open the ports (port 53 without a protocol opens both TCP and UDP, which DNS needs; UFW requires a protocol when several ports are listed):
$ ufw allow 53
$ ufw allow 953/tcp
$ ufw allow 2087/tcp
$ ufw allow 80,443/tcp
On AlmaLinux, use Firewalld (the built-in dns service opens port 53 on both TCP and UDP; the brace expansion adds one --add-port option per port):
$ firewall-cmd --permanent --add-service=dns
$ firewall-cmd --permanent --add-port={953,2087,80,443}/tcp
$ firewall-cmd --reload
Meet Minimum System Resources
The server should have at least:
- 2 GB RAM
- 2 CPU cores
- 10 GB storage space
For production use, 4+ cores, 8 GB+ RAM, and RAID-10 HDDs or SSDs are recommended.
Resolvable Hostname
Ensure your server’s hostname is resolvable, either via local DNS or an /etc/hosts entry pointing it to a local IP address.
Test resolving it from the server itself (a few packets are enough; without -c, ping runs until interrupted):
$ ping -c 3 $(hostname)
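The hostname, /etc/hosts and resource requirements above can be checked in one go before running the installer. The script below is an example written for this guide, not part of cPanel DNS Only: the parsing functions take the hostname, hosts file and meminfo file as arguments so they can be exercised on constructed input, and the --run mode applies the same checks to the live host.

```shell
#!/bin/sh
# Pre-flight check for the DNS Only prerequisites (example script written for this
# guide, not part of cPanel DNS Only). Run on the server as root: sh preflight.sh --run

# is_fqdn NAME -> 0 when NAME is a fully qualified hostname such as ns1.example.com
# (at least one dot, valid label characters); 1 for a short name such as "ns1".
is_fqdn() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
    grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# hosts_entry_ip HOSTSFILE NAME -> prints the address HOSTSFILE maps NAME to
# (comments and blank lines skipped); returns 1 and prints nothing without an entry.
hosts_entry_ip() {
  awk -v n="$2" '
    /^[[:space:]]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == n) { print $1; found = 1; exit } }
    END { exit !found }' "$1"
}

# mem_total_mb MEMINFO -> MemTotal from a /proc/meminfo-style file, in MB.
mem_total_mb() {
  awk '/^MemTotal:/ { printf "%d\n", $2 / 1024; exit }' "$1"
}

# check_resources MEMINFO NCPU -> 0 when the box meets the guide's minimum of
# 2 GB RAM and 2 cores. The RAM threshold is 1900 MB rather than 2048 because the
# kernel reserves part of a 2 GB machine's memory before it shows up in MemTotal.
check_resources() {
  [ "$(mem_total_mb "$1")" -ge 1900 ] && [ "$2" -ge 2 ]
}

# preflight -> runs every check against the live host, prints PASS/FAIL per item
# and returns 1 if anything failed.
preflight() {
  rc=0
  host=$(hostname -f 2>/dev/null || hostname)
  if is_fqdn "$host"; then echo "PASS hostname is an FQDN: $host"
  else echo "FAIL hostname '$host' is not an FQDN; set one in /etc/hostname"; rc=1; fi
  if ip=$(hosts_entry_ip /etc/hosts "$host"); then echo "PASS /etc/hosts maps $host to $ip"
  else echo "FAIL no /etc/hosts entry for $host"; rc=1; fi
  if ping -c 1 -W 2 "$host" >/dev/null 2>&1; then echo "PASS $host resolves and answers ping"
  else echo "FAIL cannot ping $host from the server itself"; rc=1; fi
  if check_resources /proc/meminfo "$(nproc)"; then echo "PASS meets the 2 GB RAM / 2 core minimum"
  else echo "FAIL below the 2 GB RAM / 2 CPU core minimum"; rc=1; fi
  return $rc
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

A FAIL on the hostname or hosts-file line is worth fixing before the installer runs, since the installer and the web interface certificate both take the hostname from the system.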
Access to cPanel Repositories
Your server must be able to reach cPanel’s repositories directly or through a local mirror in order to install the software.
That covers the key requirements and prerequisites. Next we’ll go through the installation process.
Step-by-Step Guide to Installation
With your Linux server ready, let’s go through the installation process step-by-step:
Download Installation Script
First, SSH to your server as root and change to the /home directory:
$ cd /home
Next, use curl to download the latest cPanel DNS Only installation script:
$ curl -o latest-dnsonly -L https://securedownloads.cpanel.net/latest-dnsonly
This will save the script to latest-dnsonly
in your current working directory.
Make Script Executable
We need to make the script executable before running it:
$ chmod +x latest-dnsonly
Run Installer Script
Now execute the script to begin the installation process:
$ ./latest-dnsonly
This will start the interactive installer that installs PowerDNS, configures it for DNS Only mode, installs the web interface, and performs other setup steps.
Accept License Agreement
During the installation, you will be prompted to accept the cPanel license agreement. This is mandatory, so accept it to continue.
The rest of the installation will proceed automatically. It usually takes around 5-10 minutes depending on your server’s Internet connection speed.
Once finished, DNS Only will be installed but we need to complete the initial configuration next.
Post-Installation Configuration
After installation, there are some important post-install steps to perform for initial configuration:
Update Hostname
Even though we set the hostname earlier, confirm that /etc/hostname contains the server’s FQDN and nothing else:
$ vim /etc/hostname
ns1.example.com
Define Hostname in /etc/hosts
Next, make sure your server’s hostname is defined in /etc/hosts mapping to 127.0.0.1:
127.0.0.1 localhost ns1.example.com
This allows properly resolving the hostname locally.
Reboot Server
With the hostname configured, reboot your server for the changes to take effect:
$ reboot
Verify Web Interface Access
Once your server has rebooted, test that you can access the DNS Only web interface at:
https://your_server_fqdn:2087
For example:
https://ns1.example.com:2087
Accept the SSL certificate warning and enter your admin username and password.
Remove Default Test Zone
A default test zone called “localhost.localdomain” is created during installation. This sample zone should be removed:
- In the DNS Only interface, go to Configure -> Zones
- Find the localhost.localdomain zone and delete it.
This completes post-installation configuration! Next we’ll discuss securing your DNS Only server.
Securing Your DNS Only Server
Since DNS is a critical infrastructure component, it’s important to follow security best practices for your DNS Only server:
Use a Dedicated Server
Don’t install additional software beyond DNS Only. This server should be 100% dedicated to DNS services.
Disable Root SSH Login
Prevent direct root SSH logins by setting PermitRootLogin no in your SSH daemon config.
Use SSH Keys Over Passwords
For any SSH access, use key-based authentication instead of passwords.
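The two sshd settings just described are easy to get wrong in a config file that has been edited several times, because sshd keeps the first value it reads for a keyword rather than the last. The audit script below is an example written for this guide (not cPanel code); it checks a given sshd_config for PermitRootLogin no and PasswordAuthentication no and reports what the daemon will actually use.

```shell
#!/bin/sh
# Audit of the two sshd_config settings recommended above (example written for this
# guide, not cPanel code). Two caveats it encodes: sshd uses the FIRST value it reads
# for a keyword, so a later "PermitRootLogin no" does not override an earlier "yes";
# and values inside "Match" blocks are conditional, so scanning stops at the first Match.
# It does not follow "Include" lines; "sshd -T" on the host shows the compiled result.

# sshd_setting FILE KEYWORD -> prints the effective global value of KEYWORD
# (keyword match is case-insensitive, comments ignored) or "unset" if absent.
sshd_setting() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print $2; found = 1; exit }
    END { if (!found) print "unset" }' "$1"
}

# audit_sshd FILE -> 0 when PermitRootLogin and PasswordAuthentication are both "no".
# An unset keyword fails too: OpenSSH defaults to PermitRootLogin prohibit-password
# and PasswordAuthentication yes, neither of which is what the guide asks for.
audit_sshd() {
  rc=0
  for key in PermitRootLogin PasswordAuthentication; do
    val=$(sshd_setting "$1" "$key" | tr 'A-Z' 'a-z')
    if [ "$val" = no ]; then echo "OK   $key no"
    else echo "WARN $key is '$val' (expected: no)"; rc=1; fi
  done
  return $rc
}

# Usage: sh sshd-audit.sh --audit [/etc/ssh/sshd_config]
if [ "${1:-}" = "--audit" ]; then audit_sshd "${2:-/etc/ssh/sshd_config}"; fi
```

Ubuntu 20.04 ships an Include line for /etc/ssh/sshd_config.d/*.conf at the top of sshd_config, and values from those files are read first; after editing, confirm with sshd -T | grep -Ei 'permitrootlogin|passwordauthentication', which prints the settings sshd has actually compiled, and only then restart the daemon.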
Follow OS Security Recommendations
Refer to your Linux distribution’s security guides for additional ways to harden the OS.
Install a Host Firewall
Consider installing CSF, Firewalld, or UFW to lock down access. Allow only required ports.
Regular Updates
Apply security patches by regularly updating DNS Only, PowerDNS, and the OS packages.
Monitor for Anomalies
Use monitoring tools like Fail2ban to alert on abnormal activity like brute force attacks.
Following security best practices ensures your DNS infrastructure stays safe and secure.
Now let’s look at enabling DNSSEC.
Setting Up DNSSEC
DNSSEC provides additional security for your DNS data through cryptographic signing of records.
Here is how to enable DNSSEC for a domain with DNS Only:
- In the web UI, go to Configure -> Zones
- Select the domain zone you want to activate DNSSEC for
- Go to the DNSSEC section and click “Enable DNSSEC”
- Follow the steps to generate and activate a new DNSSEC key
Once enabled, the parent domain (e.g. .com) will also need to have DNSSEC active and publish a DS record for your zone. This allows end-to-end validation.
See the cPanel DNSSEC documentation for more details on configuring it.
Integrating with a DNS Cluster
For redundancy, you can join your DNS Only server to an existing cPanel WHM cluster. This synchronizes zones between the servers.
To enable cluster synchronization:
- On your cPanel WHM server, install a Cluster Sync license
- Go to Home >> Clustering Services >> Manage Sync Cluster
- Click “Add server to cluster” and input your DNS Only server’s IP
- Copy the /etc/dns_cluster.conf auth key from WHM to your DNS Only server
Once joined, DNS zones in WHM will automatically sync to your DNS Only server. See the cPanel clustering docs for more details.
Troubleshooting Common Problems
Here are some tips for resolving common issues with DNS Only:
Can’t access web interface:
- Verify you are connecting to the correct hostname and port 2087
- Check firewall allows port 2087
- Try restarting the cpsrvd service
Zone changes not working:
- Increment the DNS zone serial when editing
- Flush DNS cache on clients and test again
- Restart PowerDNS service to load new zone data
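Secondaries and cluster peers only pick up a zone when its SOA serial increases, so a serial that was not bumped is the usual reason an edit "does not show up". The helpers below are an example written for this guide, not cPanel code: next_serial applies the YYYYMMDDnn convention including its edge cases (a day with more than 99 edits, or a serial already ahead of today's date), and check_sync compares the serial each nameserver answers for a zone, which is also the quickest way to see whether a cluster member is stale.

```shell
#!/bin/sh
# Helpers for the zone-serial and cluster-sync tips above (example written for this
# guide, not cPanel code). Secondaries and cluster peers only pick up a zone when its
# SOA serial increases, so an edit without a serial bump is the classic "my change
# does not show up" cause. Uses the YYYYMMDDnn serial convention.

# next_serial CURRENT [YYYYMMDD] -> the serial to publish after an edit. A new day
# starts at <today>00; otherwise (same day, or a serial already ahead of today, or
# nn already at 99) the serial is simply incremented so it always moves forward.
next_serial() {
  cur=$1
  today=${2:-$(date -u +%Y%m%d)}
  if [ $((cur / 100)) -lt "$today" ]; then
    echo "${today}00"
  else
    echo $((cur + 1))
  fi
}

# soa_serial ZONE SERVER -> serial from the SOA that SERVER answers for ZONE
# (third field of "dig +short SOA"); empty when the server does not answer.
soa_serial() {
  dig +short SOA "$1" "@$2" 2>/dev/null | awk '{ print $3 }'
}

# all_equal VALUE... -> 0 when every argument is identical.
all_equal() {
  first=$1
  for v in "$@"; do [ "$v" = "$first" ] || return 1; done
}

# check_sync ZONE SERVER... -> prints each server's serial and returns 0 only when
# they all agree; a stale cluster member shows up as a lower (or missing) serial.
check_sync() {
  zone=$1; shift
  serials=""
  for s in "$@"; do
    v=$(soa_serial "$zone" "$s")
    echo "$s: ${v:-NO ANSWER}"
    serials="$serials ${v:-none}"
  done
  case $serials in *none*) return 1 ;; esac
  all_equal $serials
}

# Usage: sh zone-serial.sh example.com ns1.example.com ns2.example.com
if [ $# -ge 2 ]; then check_sync "$@"; fi
```

After a forced push from WHM, check_sync should print the same serial for the WHM server and every DNS Only member; a member that still shows the old serial is the one to look at in /var/log/cpdnsrsync.log.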
DNSSEC validation failures:
- Ensure DS record is published at registrar
- Verify parent zone (.com, .net) has DNSSEC active
- Use dig to check DNSKEY and DS records are available
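The DS record the parent publishes has to be derived from the DNSKEY your zone actually serves; if the key was regenerated or the wrong key was handed to the registrar, validating resolvers return SERVFAIL for the whole zone. The script below, an example written for this guide rather than cPanel code, serves both the DNSSEC setup section and the troubleshooting list above: it recomputes the DS (key tag plus SHA-256 digest, digest type 2) from the DNSKEY fields as dig prints them and compares it with the DS the parent returns. The DNSKEY used in the test is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Recompute the DS record for a DNSKEY and compare it with the DS the parent zone
# publishes (example written for this guide, not cPanel code). Input is the DNSKEY
# RDATA as dig prints it: FLAGS PROTOCOL ALGORITHM BASE64-KEY. Requires coreutils
# (base64, od, sha256sum, mktemp). Digest type 2 (SHA-256) is assumed throughout.
set -u

# name_to_wire NAME -> canonical wire-format owner name (lowercase, length-prefixed
# labels, terminating root label) as raw bytes on stdout, per RFC 4034.
name_to_wire() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); name=${name%.}
  oldifs=$IFS; IFS='.'
  for label in $name; do
    printf "\\$(printf '%03o' "${#label}")"   # one length octet
    printf '%s' "$label"
  done
  IFS=$oldifs
  printf '\000'                               # root label
}

# dnskey_rdata FLAGS PROTO ALG BASE64KEY -> DNSKEY RDATA as raw bytes:
# 2-byte flags, 1-byte protocol, 1-byte algorithm, decoded public key.
dnskey_rdata() {
  printf "\\$(printf '%03o' $(($1 / 256)))\\$(printf '%03o' $(($1 % 256)))"
  printf "\\$(printf '%03o' "$2")\\$(printf '%03o' "$3")"
  printf '%s' "$4" | tr -d ' \n' | base64 -d
}

# keytag RDATAFILE -> key tag of the DNSKEY RDATA in RDATAFILE (RFC 4034 Appendix B):
# sum even-offset bytes shifted left by 8 and odd-offset bytes as-is, fold the carry.
keytag() {
  ac=0; i=0
  for b in $(od -An -tu1 -v "$1"); do
    if [ $((i % 2)) -eq 0 ]; then ac=$((ac + b * 256)); else ac=$((ac + b)); fi
    i=$((i + 1))
  done
  ac=$((ac + ((ac >> 16) & 65535)))
  echo $((ac & 65535))
}

# compute_ds OWNER FLAGS PROTO ALG BASE64KEY -> prints "owner. IN DS keytag alg 2 digest"
# where digest = SHA-256(wire owner name || DNSKEY RDATA).
compute_ds() {
  owner=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); owner=${owner%.}
  tmp=$(mktemp)
  dnskey_rdata "$2" "$3" "$4" "$5" > "$tmp"
  digest=$( { name_to_wire "$owner"; cat "$tmp"; } | sha256sum | cut -d' ' -f1 )
  tag=$(keytag "$tmp")
  rm -f "$tmp"
  printf '%s. IN DS %s %s 2 %s\n' "$owner" "$tag" "$4" "$digest"
}

# ds_matches "KEYTAG ALG DIGESTTYPE DIGEST" OWNER FLAGS PROTO ALG BASE64KEY -> 0 when the
# published DS RDATA (dig splits the digest with a space; case is ignored) equals the
# recomputed DS. A mismatch means the parent is vouching for a key this zone does not use.
ds_matches() {
  published=$1; shift
  have=$(compute_ds "$@" | cut -d' ' -f4-)
  set -- $published
  kt=$1; alg=$2; dt=$3; shift 3
  want="$kt $alg $dt $(printf '%s' "$*" | tr -d ' ' | tr 'A-Z' 'a-z')"
  [ "$want" = "$have" ]
}

# Usage: sh ds-check.sh example.com 257 3 13 '<base64 key from: dig DNSKEY example.com>'
if [ $# -eq 5 ]; then compute_ds "$@"; fi
```

Take the DNSKEY line with flags 257 (the key-signing key) from dig DNSKEY example.com @ns1.example.com, pass its four RDATA fields to compute_ds, and compare the output with dig DS example.com (which is answered by the parent's servers); if the key tags differ, the registrar still holds a DS for an old key.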
Cluster synchronization failures:
- Confirm /etc/dns_cluster.conf has auth key from WHM
- Check firewall allows traffic on port 40000 for clustering
- Look for errors in /var/log/cpdnsrsync.log
- Force push zones from WHM to sync changes
This covers the most common troubleshooting steps. See the cPanel docs for additional debugging tips.
Conclusion
In this guide, we covered the benefits of using cPanel DNS Only for authoritative DNS, outlined the installation requirements and prerequisites, and provided step-by-step installation instructions for Ubuntu and AlmaLinux. We then discussed post-install configuration such as setting an admin password and hostname, explained the security considerations for hardening your DNS server, detailed how to enable DNSSEC, and described integrating DNS Only into an existing DNS cluster, followed by troubleshooting tips for common issues. By now you should have the knowledge needed to get a full-featured DNS Only server up and running on Linux and take your domains’ DNS infrastructure to the next level. Let me know in the comments if you have any other questions.