A Step-by-Step Guide to Installing cPanel DNS Only on Linux


Setting up your own dedicated DNS server provides increased performance, stability, and security for your domains’ DNS infrastructure. cPanel DNS Only is free and a great option for running an authoritative DNS server on Linux.

This guide will walk you through installing and configuring cPanel DNS Only on Linux. We’ll cover:

  • The benefits of using DNS Only
  • Detailed requirements and prerequisites
  • Step-by-step installation on Ubuntu or AlmaLinux
  • Post-install configuration
  • Securing your DNS server
  • Enabling DNSSEC
  • Integrating with DNS clusters
  • Troubleshooting common problems

By the end, you’ll have extensive knowledge for deploying DNS Only on Linux. Let’s get started!

Why Use cPanel DNS Only?

Before we dive into the installation, let’s discuss why you may want to use cPanel DNS Only for your authoritative DNS:

Lightweight and Fast

DNS Only includes only the DNS services and management tools without all the extra components in cPanel. This optimized codebase makes it quick and lightweight.

Easy DNS Management

  • User-friendly web interface for managing DNS zones, records, and settings easily.

Advanced DNS Features

  • Supports modern DNS features such as DNSSEC for security and anycast for performance.

Integrates with cPanel

  • Can join clusters with cPanel WHM servers and synchronize DNS zones.

Actively Developed

  • cPanel has a long history of actively maintaining their software with frequent updates.

PowerDNS or BIND

  • Can choose between PowerDNS or BIND as the DNS server backend.

By leveraging DNS Only for your authoritative DNS, you can take back control over this critical infrastructure for your domains and build a faster, more robust DNS system.

Now let’s go over the requirements and prerequisites.

DNS Only Requirements and Prerequisites

Before installing cPanel DNS Only, you need a Linux server that meets these requirements:

Supported Linux Distribution

  • Ubuntu 20.04 LTS – The latest Ubuntu LTS release is recommended.
  • AlmaLinux 8 – The community fork of RHEL 8.

Older outdated distributions are not recommended.

Fresh Minimal Install

Start with a fresh minimal install of your Linux distribution, without any existing configuration or software. DNS Only should be the only application installed.

Root Access

You must have root level SSH access to install and configure the software.

Assign FQDN

Set your server’s hostname to be a proper FQDN like ns1.example.com instead of a short name.

Edit /etc/hostname and update it to your desired FQDN hostname.

Open Firewall Ports

The following TCP ports must be opened in your Linux firewall:

  • 53 – Standard DNS queries
  • 953 – DNS over TLS encrypted queries
  • 2087 – DNS Only web interface
  • 80/443 – If integrating with cPanel server

On Ubuntu, use UFW to open the ports:

$ ufw allow 53
$ ufw allow 953
$ ufw allow 2087
$ ufw allow 80/tcp
$ ufw allow 443/tcp

On AlmaLinux, use Firewalld:

$ firewall-cmd --permanent --add-port=53/tcp --add-port=53/udp
$ firewall-cmd --permanent --add-port=953/tcp --add-port=2087/tcp
$ firewall-cmd --reload

Meet Minimum System Resources

The server should have at least:

  • 2 GB RAM
  • 2 CPU cores
  • 10 GB storage space

For production use, 4+ cores, 8GB+ RAM, and RAID-10 HDDs or SSDs are recommended.

Resolvable Hostname

Ensure your server’s hostname is resolvable either via local DNS or an /etc/hosts entry pointing it to a local IP address.

Test resolving it from the server itself:

$ ping $(hostname)

Access to cPanel Repositories

Your server must be able to reach cPanel’s repositories directly or through a local mirror in order to install the software.

That covers the key requirements and prerequisites. Next we’ll go through the installation process.

Step-by-Step Guide to Installation

With your Linux server ready, let’s go through the installation process step-by-step:

Download Installation Script

First, SSH to your server as root and change to the /home directory:

$ cd /home

Next, use curl to download the latest cPanel DNS Only installation script:

$ curl -o latest-dnsonly -L https://securedownloads.cpanel.net/latest-dnsonly

This will save the script to latest-dnsonly in your current working directory.

Make Script Executable

We need to make the script executable before running it:

$ chmod +x latest-dnsonly

Run Installer Script

Now execute the script to begin the installation process:

$ ./latest-dnsonly

This will start the interactive installer that installs PowerDNS, configures it for DNS Only mode, installs the web interface, and performs other setup steps.

Accept License Agreement

During the installation, you will be prompted to accept the cPanel license agreement. This is mandatory, so accept it to continue.

The rest of the installation will proceed automatically. It usually takes around 5-10 minutes depending on your server’s Internet connection speed.

Once finished, DNS Only will be installed but we need to complete the initial configuration next.

Post-Installation Configuration

After installation, there are some important post-install steps to perform for initial configuration:

Update Hostname

Even though we already set the hostname earlier, let’s update it again in /etc/hostname to ensure it matches the server’s FQDN:

$ vim /etc/hostname
ns1.example.com

Define Hostname in /etc/hosts

Next, make sure your server’s hostname is defined in /etc/hosts mapping to 127.0.0.1:

127.0.0.1   localhost ns1.example.com

This allows properly resolving the hostname locally.

Reboot Server

With the hostname configured, reboot your server for the changes to take effect:

$ reboot

Verify Web Interface Access

Once your server has rebooted, test that you can access the DNS Only web interface at:

https://your_server_fqdn:2087

For example:

https://ns1.example.com:2087

Accept the SSL certificate warning and enter your admin username and password.

Remove Default Test Zone

A default test zone called “localhost.localdomain” is created during installation. This sample zone should be removed:

  1. In the DNS Only interface, go to Configure -> Zones
  2. Find the localhost.localdomain zone and delete it.

This completes post-installation configuration! Next we’ll discuss securing your DNS Only server.

Securing Your DNS Only Server

Since DNS is a critical infrastructure component, it’s important to follow security best practices for your DNS Only server:

Use a Dedicated Server

Don’t install additional software beyond DNS Only. This server should be 100% dedicated to DNS services.

Disable Root SSH Login

Prevent direct root SSH logins by setting PermitRootLogin no in your SSH daemon config.

Use SSH Keys Over Passwords

For any SSH access, use key-based authentication instead of passwords.
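The two SSH settings above can be checked with a short script. This is an added example, not part of the original guide or of cPanel's tooling; the function names and the sample config are constructed for illustration. It reads only the global section of an sshd_config-style file and relies on sshd using the first value it reads for each keyword.

```shell
#!/bin/sh
# Added example: check PermitRootLogin and PasswordAuthentication in an sshd_config-style file.
# sshd keeps the FIRST value it reads for a keyword, so a later duplicate never takes effect.

# sshd_setting FILE KEYWORD -> prints the effective global value, or nothing if unset
sshd_setting() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
        tolower($1) == "match" { exit }             # Match blocks are conditional: stop
        tolower($1) == want { print $2; exit }      # keywords are case-insensitive
    ' "$1"
}

# audit_sshd FILE -> prints findings; returns 0 only if both settings are "no"
audit_sshd() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_setting "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "OK   $kw no"
        else
            echo "FAIL $kw ${val:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample config: the second PermitRootLogin line is ignored by sshd.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd "$sample" || echo "hardening incomplete"
rm -f "$sample"
```

On a live server, `sshd -T` prints the effective configuration, including defaults and Include files, which this file-level check does not resolve.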

Follow OS Security Recommendations

Refer to your Linux distribution’s security guides for additional ways to harden the OS.

Install a Host Firewall

Consider installing CSF, Firewalld, or UFW to lock down access. Allow only required ports.

Regular Updates

Apply security patches by regularly updating DNS Only, PowerDNS, and the OS packages.

Monitor for Anomalies

Use monitoring tools like Fail2ban to alert on abnormal activity like brute force attacks.

Following security best practices ensures your DNS infrastructure stays safe and secure.

Now let’s look at enabling DNSSEC.

Setting Up DNSSEC

DNSSEC provides additional security for your DNS data through cryptographic signing of records.

Here is how to enable DNSSEC for a domain with DNS Only:

  1. In the web UI, go to Configure -> Zones
  2. Select the domain zone you want to activate DNSSEC for
  3. Go to the DNSSEC section and click “Enable DNSSEC”
  4. Follow the steps to generate and activate a new DNSSEC key

Once enabled, the parent domain (e.g. .com) will also need to have DNSSEC active and publish a DS record. This allows end-to-end validation.

See the cPanel DNSSEC documentation for more details on configuring it.

Integrating with a DNS Cluster

For redundancy, you can join your DNS Only server to an existing cPanel WHM cluster. This synchronizes zones between the servers.

To enable cluster synchronization:

  1. On your cPanel WHM server, install a Cluster Sync license
  2. Go to Home >> Clustering Services >> Manage Sync Cluster
  3. Click “Add server to cluster” and input your DNS Only server’s IP
  4. Copy the /etc/dns_cluster.conf auth key from WHM to your DNS Only server

Once joined, DNS zones in WHM will automatically sync to your DNS Only server. See the cPanel clustering docs for more details.

Troubleshooting Common Problems

Here are some tips for resolving common issues with DNS Only:

Can’t access web interface:

  • Verify connecting to correct hostname and port 2087
  • Check firewall allows port 2087
  • Try restarting the cpsrvd service

Zone changes not working:

  • Increment the DNS zone serial when editing
  • Flush DNS cache on clients and test again
  • Restart PowerDNS service to load new zone data

DNSSEC validation failures:

  • Ensure DS record is published at registrar
  • Verify parent zone (.com, .net) has DNSSEC active
  • Use dig to check DNSKEY and DS records are available
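One way to carry out the dig check above is to confirm that every DS record at the parent points at a DNSKEY the zone actually publishes. This is an added example, not from the original guide or cPanel; the function names and toy records are constructed, and it assumes GNU `base64` and input in the `dig +short` layout.

```shell
#!/bin/sh
# Added example: pair DS records with DNSKEY records by key tag (RFC 4034, Appendix B).
# A match on key tag and algorithm is necessary but not sufficient: the DS digest
# must also match, which a validating resolver checks.

# keytag FLAGS PROTOCOL ALGORITHM BASE64_KEY -> prints the 16-bit key tag
keytag() {
    printf '%s' "$4" | base64 -d | od -An -v -tu1 |
    awk -v f="$1" -v p="$2" -v a="$3" '
        BEGIN { ac = f + p * 256 + a; i = 0 }   # the four RDATA header bytes
        { for (n = 1; n <= NF; n++) ac += ((i++ % 2 == 0) ? $n * 256 : $n) }
        END { ac += int(ac / 65536) % 65536; print ac % 65536 }'
}

# check_ds DNSKEY_LINES DS_LINES -> one verdict per DS; returns 1 if any DS is unmatched.
# Inputs use the `dig +short` layout: "flags proto alg key..." / "keytag alg type digest".
check_ds() {
    tags=$(printf '%s\n' "$1" | while read -r flags proto alg key; do
        [ -n "$key" ] || continue
        key=$(printf '%s' "$key" | tr -d ' ')     # dig splits long keys with spaces
        echo "$(keytag "$flags" "$proto" "$alg" "$key") $alg"
    done)
    rc=0
    while read -r tag alg rest; do
        [ -n "$tag" ] || continue
        if printf '%s\n' "$tags" | grep -q "^$tag $alg\$"; then
            echo "DS $tag: key tag and algorithm match a published DNSKEY"
        else
            echo "DS $tag: no published DNSKEY has this key tag and algorithm"
            rc=1
        fi
    done <<EOF
$2
EOF
    return "$rc"
}

# Constructed toy records: real keys are far longer and the digests are placeholders.
keys='257 3 13 AQID
256 3 13 BAUG'
ds='2064 13 2 CONSTRUCTED-DIGEST
40000 13 2 CONSTRUCTED-DIGEST'
check_ds "$keys" "$ds" || echo "at least one DS record has no matching DNSKEY"
```

Against a live zone, the two arguments would be the output of `dig +short DNSKEY example.com` and `dig +short DS example.com`.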

Cluster synchronization failures:

  • Confirm /etc/dns_cluster.conf has auth key from WHM
  • Check firewall allows traffic on port 40000 for clustering
  • Look for errors in /var/log/cpdnsrsync.log
  • Force push zones from WHM to sync changes

This covers the most common troubleshooting steps. See the cPanel docs for additional debugging tips.

Conclusion

In this comprehensive guide, we covered the benefits of using cPanel DNS Only for authoritative DNS, outlined the installation requirements and prerequisites, provided step-by-step installation instructions for Ubuntu and AlmaLinux, discussed post-install configuration like setting an admin password and hostname, explained important security considerations for hardening your DNS server, detailed how to enable advanced DNSSEC functionality, and described integrating DNS Only into an existing DNS cluster. Additionally, troubleshooting tips were provided for common issues. By now you should have all the knowledge needed to get a full-featured DNS Only server up and running on Linux, ready to start taking your domains’ DNS infrastructure to the next level! Let me know in the comments if you have any other questions.
