From 544f06b10042d7ce9a57e847b43c09f6e85f0891 Mon Sep 17 00:00:00 2001
From: "github@kiekerjan.isdronken.nl"
Date: Wed, 19 May 2021 22:48:21 +0200
Subject: [PATCH] document DNS mods and make DNS options configurable per domain

---
 README.md | 6 +++++-
 management/dns_update.py | 39 +++++++++++++++++++++++++++------------
 2 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 7c36a665..36bbd09b 100644
--- a/README.md
+++ b/README.md
@@ -16,10 +16,14 @@ Functionality changes and additions
 * Add fail2ban filters for web scanners and badbots
 * Add xapian full text searching to dovecot (from https://github.com/grosjo/fts-xapian)
 * Add rkhunter and chkrootkit
-* Configure domain names for which only www will be hosted. Edit /etc/miabwwwdomains.conf to configure.
+* Configure domain names for which only www will be hosted. Edit /etc/miabwwwdomains.conf to configure. DNS entries are not handled by this box!
 * Add some munin plugins
 * Update nextcloud to 20.0.8
 * Update roundcube carddav plugin to 4.1.1
+* Use shorter TTL values in the DNS server. To be used before moving e.g. DNS provider. Shortening TTL values will propagate changes faster. For reference, default TTL is 1 day, short TTL is 5 minutes. To use, edit file /etc/forceshortdnsttl and add a line for each domain for which shorter TTLs should be used. To use short TTLs for all known domains, add "forceshortdnsttl"
+* Use the box as a Hidden Master in the DNS system Thus only the secondary DNS servers are used as public DNS servers. To use, edit file /etc/usehiddenmasterdns and add a line for each domain for which Hidden Master should be used. To use Hidden Master for all known domains, add "usehiddenmasterdns". At least two secondary servers should be set in the Custom DNS administration page.
 Bug fixes
 * Munin routes are ignored for Multi Factor Authentication [see github issue](https://github.com/mail-in-a-box/mailinabox/issues/1865)
diff --git a/management/dns_update.py b/management/dns_update.py
index 381af718..49752516 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -150,7 +150,13 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 	secondary_ns_list = get_secondary_dns(additional_records, mode="NS")
 	# Need at least two nameservers in the secondary dns list
-	useHiddenMaster = os.path.exists("/etc/usehiddenmasterdns") and len(secondary_ns_list) > 1
+	useHiddenMaster = false
+	if os.path.exists("/etc/usehiddenmasterdns") and len(secondary_ns_list) > 1:
+		with open("/etc/usehiddenmasterdns") as f:
+			for line in f:
+				if line == domain or line == "usehiddenmasterdns":
+					useHiddenMaster = true
+					break
 	if not useHiddenMaster:
 		# Obligatory definition of ns1.PRIMARY_HOSTNAME.
@@ -162,7 +168,6 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 	for secondary_ns in secondary_ns_list:
 		records.append((None, "NS", secondary_ns+'.', False))
-	# In PRIMARY_HOSTNAME...
 	if domain == env["PRIMARY_HOSTNAME"]:
 		# Define ns1 and ns2.
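Review bot: `useHiddenMaster = false` and `useHiddenMaster = true` in the first hunk are not Python booleans — `false` and `true` are undefined names, and because the first assignment runs unconditionally every call to build_zone() will raise NameError, breaking zone generation for all domains rather than only hidden-master ones. They must read `useHiddenMaster = False` and `useHiddenMaster = True`. Independently, `for line in f` yields each line with its trailing newline, so `line == domain` and `line == "usehiddenmasterdns"` can only match a final line that lacks a newline, which means the new per-domain configuration silently never takes effect for most files. Strip before comparing, e.g. `if line.strip() in (domain, "usehiddenmasterdns"):`, which also ignores blank lines. build_zone's body continues outside the hunk.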
@@ -509,22 +514,32 @@ $TTL {defttl} ; default time to live
 	p_expire = "14d"
 	p_negttl = "12h"
-	primary_dns = "ns1." + env["PRIMARY_HOSTNAME"]
-
 	# Shorten dns ttl if file exists. Use before moving domains, changing secondary dns servers etc
 	if os.path.exists("/etc/forceshortdnsttl"):
-		p_defttl = "5m"
-		p_refresh = "30m"
-		p_retry = "5m"
-		p_expire = "1d"
-		p_negttl = "5m"
+		with open("/etc/forceshortdnsttl") as f:
+			for line in f:
+				if line == domain or line == "forceshortdnsttl":
+					# Override the ttl values
+					p_defttl = "5m"
+					p_refresh = "30m"
+					p_retry = "5m"
+					p_expire = "1d"
+					p_negttl = "5m"
+					break
+	primary_dns = "ns1." + env["PRIMARY_HOSTNAME"]
+
+	# Obtain the secondary nameserver list
 	additional_records = list(get_custom_dns_config(env))
 	secondary_ns_list = get_secondary_dns(additional_records, mode="NS")
-	useHiddenMaster = os.path.exists("/etc/usehiddenmasterdns") and len(secondary_ns_list) > 1
-	if useHiddenMaster:
-		primary_dns = secondary_ns_list[0]
+	# Using hidden master for a domain if it is configured
+	if os.path.exists("/etc/usehiddenmasterdns") and len(secondary_ns_list) > 1:
+		with open("/etc/usehiddenmasterdns") as f:
+			for line in f:
+				if line == domain or line == "usehiddenmasterdns":
+					primary_dns = secondary_ns_list[0]
+					break
 	# Replace replacement strings.
 	zone = zone.format(domain=domain, primary_dns=primary_dns, primary_domain=env["PRIMARY_HOSTNAME"], defttl=p_defttl,
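Review bot: Both new loops compare a raw file line against the domain, but lines from `for line in f` keep their trailing newline, so `line == domain`, `line == "forceshortdnsttl"` and `line == "usehiddenmasterdns"` match only a last line without a newline; the short-TTL override and the SOA hidden-master MNAME therefore silently stay at their defaults for almost every configuration file, and the two halves of the feature (this hunk and build_zone) can disagree when only one file happens to end without a newline. The same lookup is now written three times, so the fix belongs in one helper that strips each line and treats a missing file as "not listed", with both call sites using it as sketched below. The enclosing function starts before the hunk and the `zone.format(...)` call continues past it.
```python
def domain_in_config_file(path, domain, keyword):
	"""Return True if `path` lists `domain` (one name per line, surrounding
	whitespace ignored) or the catch-all `keyword`; a missing file is False."""
	if not os.path.exists(path):
		return False
	with open(path) as f:
		return any(line.strip() in (domain, keyword) for line in f)

	# … unchanged: p_defttl … p_negttl defaults …
	if domain_in_config_file("/etc/forceshortdnsttl", domain, "forceshortdnsttl"):
		p_defttl = "5m"
		# … unchanged: remaining short-TTL overrides …
	primary_dns = "ns1." + env["PRIMARY_HOSTNAME"]
	# … unchanged: additional_records / secondary_ns_list lookup …
	if len(secondary_ns_list) > 1 and domain_in_config_file("/etc/usehiddenmasterdns", domain, "usehiddenmasterdns"):
		primary_dns = secondary_ns_list[0]
```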