Jump to:navigation, search
Wiki

Nameserver

From Securepoint Wiki





































De.png
En.png
Fr.png









Nameserver configuration on the UTM

Last adaptation to the version: 14.0.0

New:
notempty
This article refers to a Resellerpreview
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 Application Nameserver




















| Expiry period of the entry (starts again after successful update}} }}






































Introduction

The nameserver of the UTM offers:

  • Forward zones: Name resolution (FQDN) in IP addresses
  • Reverse zones: IP addresses into FQDN)
  • Relay zones: Forwarding of queries belonging to a specific domain
  • DNS Forwarding: Forwarding of all DNS queries

 To use the nameserver, a rule must exist in the packet filter with the respective network as the source and the destination Interface.svg xy-Interface.
As a service, at least Service-group.svg dns must be allowed (Port 53 for TCP and UDP).
However, it is generally recommended to use the service group Service-group.svg proxy. This opens additional ports for services such as the transparent proxy, webcache, or a ping.


Prerequisites







Set Firewall as Namesever

Server settings UTMuser@firewall.name.fqdnNetwork UTM v12.6 Nameserver Servereinstellungen-en.pngNameserver IP The first step is to define the UTM itself as the nameserver of the firewall.

  1. Configuration under Network Server settings  Area Server settings section
    DNS Server
  2. Field Primary nameserver set the IP to 127.0.0.1 (localhost) as IP.
  3. Save with
  • If no nameserver is stored, DNS queries are resolved via the root DNS servers and the DNS servers stored there for the top-level domains



    • Forward-Zone

    A forward zone is used to convert domain names into IP addresses.
    This implementation is possible in both IPv4 (A) and IPv6 (AAAA). The following setup example shows the creation of an A-RR for a public domain.
    If the DNS of the firewall is used for resolution, a private IP from the internal network should be returned.

    This setting is required, among other things, if a domain whose public IP is that of the firewall is accessed from the internal network.
    Without this entry, a complicated port forwarding would be required, but this way the request can be sent directly to the server without any detours.
    Setup under Applications Nameserver  Area Zones Button Add forward zone.

    notempty
    If a NAT router is available, a forward zone must be set up.


    Create A-RR

    Add Forward-Zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Forwardzone Schritt 1-en.png
    Step 1
    Zone name: webserver.anyideas.de
    Domain that is managed by an internal DNS server
    Add Forward-Zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Forwardzone Schritt 2-en.png
    Step 2
    Nameserver Hostname: localhost
    The UTM itself serves as the nameserver
    Add Forward-Zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Forwardzone Schritt 3-en.png
    Step 3
    IP address:    
  • The IP address is only required if the nameserver is located in the zone that is currently being created and is not the localhost, i.e. the UTM itself
    • Complete the wizard with the Done button














    Caption Value Description Nameserver UTMuser@firewall.name.fqdnApplication UTM v12.6 Nameserver Zone bearbeiten-en.pngZones overview
    Edit The zone can be edited by clicking on the wrench
    Settings
    Type: Normal Setting for Forward-Zones Edit zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Forwardzone-en.pngEdit zone
    Update: 10000Link= Seconds Frequency with which the entry is updated
    Retry: 1800Link= Seconds Repeat update in case of failure
    Expires: 3600000Link= Seconds Ablauffrist des Eintrags (beginnt nach erfolgreicher Aktualisierung erneut
    Minimum: 3600Link= Seconds
    Entries
    Type NS localhost. There is already an NS entry (with a period at the end!)
    Edit Opens the record entry for editing
    Delete Deletes the record entry
    Add entry Add another record entry
    Name: webserver.anyideas.de. Desired domain name
  • A dot "." is appended to the domain (=Top-Level)
    		•  Add entry UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Record hinzufügen-en.pngAdd entry
    Type: A Select A-Record entry

































    Type Description
    NS An NS record (or NS-RR: Name Server Resource Record) is a data record of a DNS server and can fulfill two different functions:
    • It defines which name servers are officially responsible for this zone
    • It links zones to form a zone tree (delegation).

    Each zone file must contain at least one NS-RR that specifies which name server is authoritative for this zone.
    If, for example, the firewall itself is responsible, "localhost" must be selected/entered here.

    A An A-RR (A Resource Record) is used to assign an IPv4 address to a DNS name.
    AAAA An AAAA resource record ("quad-A") is used to assign an IPv6 address to a DNS name.
    This is the IPv6 equivalent of the A resource record.
    TXT A TXT resource record can be used to store a freely definable text in a DNS zone.
    TXT records can be used for tunnelling via DNS, among other things.
    PTR PTR resource records assign one or more host names to a given IP address in the Domain Name System. In a way, they are the counterpart to the classic assignment of one or more IP address(es) to a given host name via A or AAAA resource record.

    PTR Resource Records are a central element of the Reverse DNS. They are usually used exclusively

    • in the in-addr.arpa zone (for the reverse lookup of IPv4 addresses),
    • in the ip6.arpa zone (for the reverse lookup of IPv6 addresses)[1] and
    • in other zones for hostnames to which a CNAME resource record from one of the aforementioned zones points.
    MX The MX Resource Record (MX-RR) of a domain is an entry in the Domain Name System that relates exclusively to the e-mail (SMTP) service.

    An MX record specifies the Fully Qualified Domain Name (FQDN) under which the mail server for a domain or subdomain can be reached. It is common to define several MX records with different priorities for a domain, so that if one mail server fails, another can receive the emails. This increases the probability that a mail can still be delivered to the recipient domain.

    CNAME A CNAME Resource Record (CNAME RR) is used in the Domain Name System to assign an additional name to a domain. The abbreviation "CNAME" stands for canonical name (canonical = recognized, meaning the primary, quasi real name).

    In the simplest case, the name of a CNAME resource record refers to the name of an A resource record and/or an AAAA resource record. The names of these resource records refer to an IP address. When changing an IP address, only a single resource record needs to be changed for several names. An NS Resource Record, MX Resource Record or PTR Resource Record must not refer to a CNAME Resource Record. Conversely, a PTR resource record may only be accessible via a CNAME resource record. The name of a CNAME resource record may not be used as the name of other resource records, as it is representative of all resource records of the target.

    Value: 192.168.222.2 IP of the server to which the domain should point
    		Closes the dialog for the DNS record
    		Closes the dialog for editing the zone

    Test A-RR

    Test the created A-RR under: Network Network Tools  Area Host
    Settings
    		Network tools UTMuser@firewall.name.fqdnNetwork UTM v12.6 Nameserver A-RR testen-en.png
    Query type A Query type of the created DNS record
    Hostname: webserver.anyideas.de Web server address as entered in the record entry under Name (with or without the final dot)
    Nameserver: 127.0.0.1 Localhost address of the UTM

    Response

    If everything has been set up correctly, the domain is resolved to the correct IP address in the lower window.

    Alternative testing using a nslookup webserver.anyideas.de from a computer in the UTM network

    Reverse-Zone

    • Reverse DNS lookup (rDNS) refers to a DNS query in which the name is to be determined for an IP address
  • Only PTR resource records are permitted as RR types
    A PTR-RR has an IP address as the request basis and a name as the result - in contrast to the A Resource Record, where a name represents the request and an IP address the result.
    • An rDNS lookup is often used in connection with spam filters.
      Many spam mails are sent from fake domains.
      The recipient can use a reverse resolution of the IP to determine whether the domain really belongs to the incoming IP; if this is not the case, the mail is rejected.

    Create PTR-RR

    The next step is to create the PTR-RR.

    Here is a brief description to help you understand:

    As it would be extremely time-consuming to search the entire domain tree for the desired IPv4 address for an inverse request, a separate domain was created for inverse access, the in-addr.arpa domain. There are only three subdomain levels below this domain, so that a maximum of three steps are required to resolve an IPv4 address.

    The direct subdomains of in-addr.arpa have a number between 0 and 255 as a label and represent the first component of an IPv4 address. (Example: 64.in-addr.arpa or 192.in-addr.arpa for 64.x.y.z or 192.x.y.z respectively).

    The next level in the tree represents the second component of an IPv4 address (example: 27.64.in-addr.arpa. contains the IPv4 addresses 64.27.x.y) and the lowest level finally the third component (example: 125.27.64.in-addr.arpa contains all known IPv4 addresses of the network 64.27.125.0/24 - e.g. 64.27.125.60).

    As can be seen from the examples, a reverse name contains the IP address components in reverse order. This structure makes it possible to refine the reverse address space in several steps. In our following setup example, we will work with the last address space (/24).

    1. Go to Applications in the navigation bar and click on Nameserver in the drop-down menu.
    2. Click on the Add reverse zone button in the dialogue that appears.
    3. In step 1, enter the desired subnet in which the IP address for the desired domain is located.
    4. Enter ‘localhost’ under Nameserver in Step 2 and click on Done.


    The zone name is created automatically as described in the example above.

    1. Edit the created zone by clicking on the spanner.
    2. Klicken Sie im erscheinenden Dialog auf den Button Eintrag hinzufügen.
    3. Tragen Sie in das Feld "Name", die letzte Zahl der Host-IP ein, die zu der gewünschten Domain gehört (In unserem Beispiel die "60".)
    4. Als Typ wählen Sie "PTR".
    5. In the Value field, enter the domain to which the IP address should point. A dot ‘.’ is appended to the domain!
    6. Click on Add.
    7. Click on save

    Application Nameserver  Area Zones Button Add reverse zone

    Add reverse zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Reverszone Schritt 1.png
    Step 1
    The desired subnet in which the IP address for the desired domain is located
    Add reverse zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Reverszone Schritt 2.png
    Step 2
    Nameserver is the localhost, i.e. the UTM itself
    Complete the wizard with the Done button













    The newly created entry Edit and Add entry
    Caption Value Description Add entry UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver PTR anlegen.pngAdd PTR-RR entry
    Name: 60 The last number block of the host IP that belongs to the desired domain (in the example 60)
    Type: PTR PTR (Pointer)-Record

































    Type Description
    NS An NS record (or NS-RR: Name Server Resource Record) is a data record of a DNS server and can fulfill two different functions:
    • It defines which name servers are officially responsible for this zone
    • It links zones to form a zone tree (delegation).

    Each zone file must contain at least one NS-RR that specifies which name server is authoritative for this zone.
    If, for example, the firewall itself is responsible, "localhost" must be selected/entered here.

    A An A-RR (A Resource Record) is used to assign an IPv4 address to a DNS name.
    AAAA An AAAA resource record ("quad-A") is used to assign an IPv6 address to a DNS name.
    This is the IPv6 equivalent of the A resource record.
    TXT A TXT resource record can be used to store a freely definable text in a DNS zone.
    TXT records can be used for tunnelling via DNS, among other things.
    PTR PTR resource records assign one or more host names to a given IP address in the Domain Name System. In a way, they are the counterpart to the classic assignment of one or more IP address(es) to a given host name via A or AAAA resource record.

    PTR Resource Records are a central element of the Reverse DNS. They are usually used exclusively

    • in the in-addr.arpa zone (for the reverse lookup of IPv4 addresses),
    • in the ip6.arpa zone (for the reverse lookup of IPv6 addresses)[1] and
    • in other zones for hostnames to which a CNAME resource record from one of the aforementioned zones points.
    MX The MX Resource Record (MX-RR) of a domain is an entry in the Domain Name System that relates exclusively to the e-mail (SMTP) service.

    An MX record specifies the Fully Qualified Domain Name (FQDN) under which the mail server for a domain or subdomain can be reached. It is common to define several MX records with different priorities for a domain, so that if one mail server fails, another can receive the emails. This increases the probability that a mail can still be delivered to the recipient domain.

    CNAME A CNAME Resource Record (CNAME RR) is used in the Domain Name System to assign an additional name to a domain. The abbreviation "CNAME" stands for canonical name (canonical = recognized, meaning the primary, quasi real name).

    In the simplest case, the name of a CNAME resource record refers to the name of an A resource record and/or an AAAA resource record. The names of these resource records refer to an IP address. When changing an IP address, only a single resource record needs to be changed for several names. An NS Resource Record, MX Resource Record or PTR Resource Record must not refer to a CNAME Resource Record. Conversely, a PTR resource record may only be accessible via a CNAME resource record. The name of a CNAME resource record may not be used as the name of other resource records, as it is representative of all resource records of the target.

    Value: mail.anyideas.de. The domain to which the IP address should point
  • A dot "." is appended to the domain (=Top-Level)
    		•  Closes the dialog for the DNS record
    		Closes the dialog for editing the zone
    The creation of the PTR-RR is now complete and the firewall will change the IP to the desired domain on request!

    Test PTR-RR

    Test the created PTR-RR under: Network Network Tools  Area Host
    Settings
    		Network tools UTMuser@firewall.name.fqdnNetwork UTM v12.6 Nameserver PTR testen.png
    Query type PTR Query type of the created DNS record
    Hostname: 192.168.222.60 IP address of the desired server
    Nameserver: 127.0.0.1 Localhost address of the UTM

    Response
    In the lower window, if everything has been set up correctly, the IP address is resolved to the correct domain.

    Alternatively by a nslookup 192.168.222.60 from a computer in the UTM network

    Relay-Zone

    A relay zone is responsible for forwarding requests that belong to a specific domain.
    Application example:

    • The firewall is used as a nameserver by all clients in the internal network
    • In addition, a nameserver is integrated in the internal network which is responsible for the internal domain administration (anyideas.local)
    • If a client now wants to resolve an internal name (e.g.: uma.anyideas.local), this DNS request is sent to the firewall
    • By forwarding all queries to anyideas.local to the internal nameserver, they can be resolved by the latter without any problems
  • Requests that do not belong to the internal domain are still resolved by the firewall itself


    • Create Relay

    Application Nameserver  Area Zones Button Add Relay-Zone
    Caption Value Description Add Relay-Zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Relayzone hinzufuegen.png
    Zone name: anyideas.local Domain that is managed by an internal DNS server
    Type Relay Zone type is Relay
    Server
    Add server
    IP address: 192.168.222.5 IP address (IPv4 or IPv6) of the internal DNS server Add server UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Relayzone Server hinzufuegen.png
    Port: 53Link= Default: 53 for DNS queries
    		Saves the information and closes the dialog
    Nameserver UTMuser@firewall.name.fqdnApplication UTM v12.6 Nameserver Relayzone.pngNameserver with relay zones for IPv4 and IPv6






































    {{var | Nameserver der Firewall festlegen--desc

    | Menü Network Appliance Settings  Area Servereinstellungen Abschnitt {{b|
    DNS-Server
    . | Menu Network Server Settings  Area Server Settings section
    DNS-Server
    .







































    DNS Forwarding

    DNS Forwarding

    A DNS forwarding is used to forward all DNS requests made to the firewall's name server to another IP.


    Add DNS Forwarding

    Add DNS Forwarding

    Menu Applications Nameserver  Area DNS Forwarding Button + Add DNS Forwarding

    Caption Value Description Add DNS Forwarding UTMuser@firewall.name.fqdnApplicationNameserver UTM v14.0 Anwendungen Nameserver DNS Forwarding hinzufügen DNS-en.pngCreating a DNS Forwarding
    Type: DNSDoT DNS: classic unencrypted DNS-resolution
    IP address: 203.0.113.113 IP address of a DNS server to which the DNS requests should be forwarded.
    notempty
    New as of v14.0
    Type: DNSDoT DoT: DNS over TLS DNS queries are encrypted with TLS Add DNS Forwarding UTMuser@firewall.name.fqdnApplicationNameserver UTM v14.0 Anwendungen Nameserver DNS Forwarding hinzufügen DoT-en.png DNS over TLS notempty
    New as of v14.0
    IP address: 1.1.1.1
    Example value    		 IP address of a DNS server to which the DNS requests should be forwarded.
    Hostname cloudflare-dns.com
    Example value    		 The hostname is required fot thr verification of the TLS certificate
    		Saves the entry

    Provider-DNS

    Provider-DNS
    Use the provider's DNS server Off When On is activated, the DNS server of the internet provider is used Nameserver UTMuser@firewall.name.fqdnApplication UTM v14.0 Nameserver DNS Forwarding Provider-DNS.png

    In previous versions, this option was located in the General Settings

  • If a TLS-Forwarder (DoT) is configured, DNS Forwarder will not be used

    • Domain forwarding through a VPN tunnel

    Sometimes it is necessary to forward internal domain requests to a remote name server located in a VPN.

    It should be noted here that, by default, all direct requests addressed to external name servers are sent from the firewall with the external IP. However, a public IP is not routed into a VPN tunnel.


    Set the name server of the firewall

    Caption Value Description Server settings UTMuser@firewall.name.fqdnNetwork UTM v12.6.0 Netzwerk Servereinstellungen DNS Server-en.pngName server IP
    Check name server before local cache: Yes Should be enabled
    Primary name server: 127.0.0.1 The IP of the UTM itself (localhost=127.0.0.1)
    Secondary name server:     Can remain empty or designate another DNS in the VPN
    		Saves the entry


    Create relay

    notempty
    For this example, an IPSec connection was used. For SSL-VPN, the setup is done in the same way.

    Menü Menu Applications Name server  Area Zones Button + Add Relay-Zone.

    Caption Value Description Add relay zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6.0 Anwendungen Nameserver Relay Zone hinzufügen-en.pngCreating the relay zone
    Zone name: relay.test.local Zone name of the desired domain
    Type:: Relay Select this type
    IP address: 192.168.8.5 Click on Add server and in the IP address field the address of the remote name server is entered


    Edit the entry
    trash Delete the entry

    		Saves the entry


    Create network object

    Menu Firewall Network Objects  Button + Add Object. A network object must be created for the IPSec network.

    Caption Value Description Add Network Objects UTMuser@firewall.name.fqdnFirewallNetwork object UTM v12.6.0 Netzwerkobjekt DNS Forwarding-en.pngNetwork object
    Name: IPSec-Network Choose unique name
    Type:: VPN network Select this type
    Address: 192.168.8.0/24 The IP address corresponds to that of the IPSec network
    Zone: vpn-ipsec Suitable zone must be selected
    		Saves the entry


    Add Rule

    In the last step, a firewall rule with a Hide NAT must be created. This causes the DNS forwarding to also go into the tunnel, and not directly into the Internet.
    Menu Firewall Packetfilter  Button + Add Rule.

    Caption Value Add Rule UTMuser@firewall.name.fqdnFirewallPacketfilter UTM v12.6.0 Paketfilterregel DNS Forwarding-en.png
    Aktive: On
    Source: Interface.svg external-interface
    Destination: Vpn-network.svg IPSec-Netzwerk
    Service: Udp.svg domain-udp

    [-] NAT
    Type:: HIDENAT
    Network object: Interface.svg internal-interface
    		Saves the rule and closes the dialogue. The rules must then be updated.


    Safe Search with external DHCP server

    If an external DHCP server is used, the active web filter Safe Search often does not work for search engines, especially Google, when searching for images.
    In order for this web filter to take effect there as well, the following forward zones must be set up for all ccTLDs (see https://www.google.com/supported_domains : www.google.de, www.google.ch, ...).
    Menu Applications Nameserver  Button + Add Forward Zone.

    Caption Value Zone bearbeiten UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6.0 Anwendungen Nameserver Zone bearbeiten-en.pngThe forward zone set up for www.google.com
    Zone name: www.google.com
    Name server hostname: localhost
    Name server IP address:    
    In the Name server window, click in the www.google.de zone.
    In the Edit Zone window click Add entry.
    Name: www.google.com
    Type:: A
    Value: 216.239.38.120
    Save and click again on Add entry.
    Name: www.google.com
    Type:: AAAA
    Value: 2001:4860:4802:32::78
    		Saves the entry
















    DNA rebinding attack and prevention

    This type of attack attempts to gain access to internal resources using falsified DNS responses.

    The attacker needs nothing more than a domain with malicious code and a name server that answers all DNS queries for the attacker site.

    The attack is carried out in several steps:
    1. the victim is lured to a prepared website whose IP address is only marked as valid for a few seconds.
    2. Malicious code is loaded on the website, which starts a new call after the IP address has expired,
    3. but which now uses a modified, proprietary DNS server to display an address from the victim's local network as the destination
    4. The attacker now has access to the host with the internal IP through his malicious code (e.g. Java script)

    DNS rebinding prevention prevents internal IP addresses from the local network from being issued in response to a DNS query.



    Configuration

    DNS Rebinding Prevention is configured under Applications Nameserver  Area DNS Rebinding Prevention.

    Caption Value Description Nameserver UTMuser@firewall.name.fqdnApplications UTM v14.0.1 Namesever DNS Rebinding Prevention-en.pngDNS Rebinding Prevention tab
    DNS Rebinding Prevention: On
    default    		 Activates DNS rebinding prevention
    Mode: Automatic In the factory settings, all private IP addresses (class A, B and C) are blocked.
    The corresponding private IPv6 addresses and the unique local unicast address are also protected in automatic mode.
    Custom The addresses can be set manually.
    Protected addresses:     All addresses that are protected by the prevention are displayed here.
    		Saves the settings
    Protected aliases
    The DNS entries already configured are activated as protected aliases by default.
    Only zones for which a relay is configured are displayed. notempty
    As of v14.0.1

    If the aliases already configured in the Zones tab are to be excluded from protection, they can be deactivated. Off

    mDNS-Repeater

    mDNS-Repeater
    notempty
    The menu access has been moved
    to Applications MDNS-Repeater
       and therefore, the Wiki Eintrag as well.























    General Settings

    General settings are made under Applications Nameserver  Area General.
    Caption Value Description Nameserver UTMuser@firewall.name.fqdnAnwendungen UTM v14.0 Anwendungen Nameserver Einstellungen-en.pngTab General
    DNSSEC validation in resolver: Off notempty
    Caution!
    If DNSSEC Validation is enabled alongside Forward-Zones, it must be ensured that the domains corresponding to the forward zones can be validated within the global DNS or that they are added to the ignore domains list below. Replies corresponding to not globally registered domains are refused and lead to SERVFAIL replies for the domain in question.

    When this function is activated, all DNS entries are resolved with DNSSEC without exception. This would also attempt a validation in the DNS hierarchy for only local addresses. However, due to the lack of uniqueness of the local address, it cannot be registered with higher-level DNS servers. An error message appears, the address is not resolved and the zone is therefore not accessible (using DNS).
    This applies, for example, to .local domains!
    Further information on the implementation of DNSSEC can be found here.
    Allow DNS queries only from routed and VPN networks: On
    Default    		 By default, only DNS queries from the following sources are answered:
    • localhost
    • local networks
    • Networks that are routed via another gateway but do not contain a default route (or shared default route)
    • VPN transfer networks or Roadwarrior address pools
    Off If DNS queries are to be answered from other external networks as well, this option must be disabled
    Domains bei DNSSEC-Überprüfung ignorierennotempty
    New as of v14.0
    		     Domains, die nicht mit DNSSEC validiert werden sollen
    DHCP Domainnamen auflösen: notempty
    New as of v14.0
    		 anyideas.local (Pool: Local-Pool1 Wird in den DHCP-Pool Konfigurationen ein Domainname angegeben, sind diese Domains hier auswählbar. Wird eine Domain ausgewählt, sind die DHCP-Hosts entweder über den vergebenen Namen des statischen Leases, oder, wenn keines definiert ist, über den Clientnamen mit dem sich der Client beim DHCP Server meldet, auflösbar.
  • Die Domain wird immer umgelenkt. konfiguriert man bspw. für seinen DHCP-Pool die Domain .de, wird man keine .de Domains mehr im Internet auflösen können
    • Disable EDNS for the following servers notempty
    New as of v14.0
     notempty
    Update v14.0.1
    		 Die EDNS-Option entfällt zu Gunsten der Option Domains bei DNSSEC-Überprüfung ignorieren
    • Sollte EDNS in einer vorhergehenden Version konfiguriert worden sein, wird nach dem Login eine Warnung angezeigt.
      Inhalte in der extc-Variablen EDNS_SERVERS_OFF
    • Mit Klick auf die Schaltfläche Ja wird der Nameserverdialog geöffnet und es lassen sich Werte für Domains bei DNSSEC-Überprüfung ignorieren setzen.
      Inhalte in der extc-Variablen EDNS_SKIP_DOMAINS

      Speichern nicht vergessen!
    • Lehnt man die Warnung ab (Schaltfläche Nein), wird diese fürs erste ignoriert.

    Beim nächsten Login taucht auch die Nachricht allerdings erneut auf

  • Die Werte alten Werte sind vorübergehend bei Domains bei DNSSEC-Überprüfung ignorieren eingetragen, werden jedoch als ungültig markiert und müssen geändert werden.
    		•  UTM v14.0 Login EDNS Warnung.png
    Dialog beim Login nach einem Update
    Nameserver UTMuser@firewall.name.fqdnAnwendungen UTM v14.0.1 Nameserver Allgemein Ungültige IPs Beispiel-en.pngBeispiel für ungültige IP Adressen, aus vorheriger Konfiguration
    Use DNS server specified by the provider: Diese Einstellung wird im Abschnitt DNS-Forwarding vorgenommen
    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/APP/Nameserver&oldid=94827"