Nameserver

Nameserver configuration on the UTM

Last adaptation to the version: 14.1.0 (08.2025)

New:

If there is a Cloud Shield configuration via the USC, no DNS forwarding can be configured locally

DNS Forwarding possible with DNS over TLS (DoT)
Individual domains can be excluded from the DNSSEC-Verification
The EDNS-option is removed in favor of the option to ignore domains during DNSSEC verification
Client names can be resolved if the host is in a DHCP-Pool with domain names
The mDNS-Repeater is no longer configured in the name server but has receives its own own Menu
The setting Use the provider's DNS server is now configured in the DNS-Forwarding

Last updated:

Updated hints for PTR-RR

notempty

This article refers to a Beta version

v14.0 v12.6.1 v12.2.2 v11.6

Introduction

The nameserver of the UTM offers:

Forward zones: Name resolution (FQDN) in IP addresses
Reverse zones: IP addresses into FQDN)
Relay zones: Forwarding of queries belonging to a specific domain
DNS Forwarding: Forwarding of all DNS queries

To use the nameserver, a rule must exist in the packet filter with the respective network as the source and the destination

xy-Interface.
As a service, at least

dns must be allowed (Port 53 for TCP and UDP).
However, it is generally recommended to use the service group

proxy. This opens additional ports for services such as the transparent proxy, webcache, or a ping.

Prerequisites

Set Firewall as Namesever

Server settings UTMuser@firewall.name.fqdnNetwork Nameserver IP The first step is to define the UTM itself as the nameserver of the firewall.

Configuration under Network Server settings Area Server settings section
DNS Server
Field Primary nameserver set the IP to 127.0.0.1 (localhost) as IP.
Save with

If no nameserver is stored, DNS queries are resolved via the root DNS servers and the DNS servers stored there for the top-level domains

Forward-Zone

A forward zone is used to convert domain names into IP addresses.
This implementation is possible in both IPv4 (A) and IPv6 (AAAA). The following setup example shows the creation of an A-RR for a public domain.
If the DNS of the firewall is used for resolution, a private IP from the internal network should be returned.

This setting is required, among other things, if a domain whose public IP is that of the firewall is accessed from the internal network.
Without this entry, a complicated port forwarding would be required, but this way the request can be sent directly to the server without any detours.
Setup under Applications Nameserver Area Zones button Add forward zone.

notempty

If a NAT router is available, a forward zone must be set up.

Create A-RR

Step 1

Zone name: webserver.anyideas.de
Domain that is managed by an internal DNS server

Step 2

Nameserver Hostname: localhost
The UTM itself serves as the nameserver

Step 3

IP address:

The IP address is only required if the nameserver is located in the zone that is currently being created and is not the localhost, i.e. the UTM itself

Complete the wizard with the Done button

Caption Value Description Nameserver UTMuser@firewall.name.fqdnApplication Zones overview

Edit The zone can be edited by clicking on the wrench

Settings

Type: Normal Setting for Forward-Zones Edit zone UTMuser@firewall.name.fqdnApplicationNameserver Edit zone

Update: 10000 Seconds Frequency with which the entry is updated

Retry: 1800 Seconds Repeat update in case of failure

Expires: 3600000 Seconds Expiry period of the entry (starts again after successful update)

Minimum: 3600 Seconds

Entries

Type NS localhost. There is already an NS entry (with a period at the end!)

Edit Opens the record entry for editing

Delete Deletes the record entry

Add entry Add another record entry

Name: webserver.anyideas.de. Desired domain name
A dot "." is appended to the domain (=Top-Level) Add entry UTMuser@firewall.name.fqdnApplicationNameserverEdit zone Add entry

Type: A Select A-Record entry

Type	Description
NS	An NS record (or NS-RR: Name Server Resource Record) is a data record of a DNS server and can fulfill two different functions: It defines which name servers are officially responsible for this zone It links zones to form a zone tree (delegation). Each zone file must contain at least one NS-RR that specifies which name server is authoritative for this zone. If, for example, the firewall itself is responsible, "localhost" must be selected/entered here.
A	An A-RR (A Resource Record) is used to assign an IPv4 address to a DNS name.
AAAA	An AAAA resource record ("quad-A") is used to assign an IPv6 address to a DNS name. This is the IPv6 equivalent of the A resource record.
TXT	A TXT resource record can be used to store a freely definable text in a DNS zone. TXT records can be used for tunnelling via DNS, among other things.
PTR	PTR resource records assign one or more host names to a given IP address in the Domain Name System. In a way, they are the counterpart to the classic assignment of one or more IP address(es) to a given host name via A or AAAA resource record. PTR Resource Records are a central element of the Reverse DNS. They are usually used exclusively in the in-addr.arpa zone (for the reverse lookup of IPv4 addresses), in the ip6.arpa zone (for the reverse lookup of IPv6 addresses)[1] and in other zones for hostnames to which a CNAME resource record from one of the aforementioned zones points.
MX	The MX Resource Record (MX-RR) of a domain is an entry in the Domain Name System that relates exclusively to the e-mail (SMTP) service. An MX record specifies the Fully Qualified Domain Name (FQDN) under which the mail server for a domain or subdomain can be reached. It is common to define several MX records with different priorities for a domain, so that if one mail server fails, another can receive the emails. This increases the probability that a mail can still be delivered to the recipient domain.
CNAME	A CNAME Resource Record (CNAME RR) is used in the Domain Name System to assign an additional name to a domain. The abbreviation "CNAME" stands for canonical name (canonical = recognized, meaning the primary, quasi real name). In the simplest case, the name of a CNAME resource record refers to the name of an A resource record and/or an AAAA resource record. The names of these resource records refer to an IP address. When changing an IP address, only a single resource record needs to be changed for several names. An NS Resource Record, MX Resource Record or PTR Resource Record must not refer to a CNAME Resource Record. Conversely, a PTR resource record may only be accessible via a CNAME resource record. The name of a CNAME resource record may not be used as the name of other resource records, as it is representative of all resource records of the target.

Value: 192.168.222.2 IP of the server to which the domain should point

Closes the dialog for the DNS record

Closes the dialog for editing the zone

Test A-RR

Testen des angelegten A-RR über die Tool-Leiste mit Netzwerkwerkzeuge Bereich Host

Settings

Query type A Query type of the created DNS record

Hostname: webserver.anyideas.de Web server address as entered in the record entry under Name (with or without the final dot)

Nameserver: 127.0.0.1 Localhost address of the UTM

Response

If everything has been set up correctly, the domain is resolved to the correct IP address in the lower window.

Alternative testing using a nslookup webserver.anyideas.de from a computer in the UTM network

Reverse-Zone

Reverse DNS lookup (rDNS) refers to a DNS query in which the name is to be determined for an IP address

Only PTR resource records are permitted as RR types
A PTR-RR has an IP address as the request basis and a name as the result - in contrast to the A Resource Record, where a name represents the request and an IP address the result.

An rDNS lookup is often used in connection with spam filters.
Many spam mails are sent from fake domains.
The recipient can use a reverse resolution of the IP to determine whether the domain really belongs to the incoming IP; if this is not the case, the mail is rejected.

Create PTR-RR

A PTR record (Pointer Record) assigns a domain name to an IP address and is required for reverse DNS queries. The in-addr.arpa domain organizes IP addresses in reverse order (e.g., 1.2.0.192.in-addr.arpa for the IP 192.0.2.1) to enable efficient resolution.

Create reverse zone:
1. Navigate to Applications → Nameserver in the navigation bar.
2. Select Add Reverse Zone from the dropdown menu.
3. In Step 1, enter the subnet (e.g., 192.0.2.0/24).
4. In Step 2, enter localhost under Nameserver and click Finish.

(The zone name is generated automatically, e.g., 2.0.192.in-addr.arpa.)

Configure PTR record:
1. Edit the newly created zone by clicking the wrench icon.
2. In the dialog, click Add Entry.
3. Name field: Enter the last number of the IP address (e.g., 1 for 192.0.2.1).
4. Type: Select PTR.
5. Value field: Enter the target domain (e.g., example.com.).

(The dot at the end of the domain is required.)

1. Confirm by clicking Add and then Save.

Note: For other subnets (e.g., /16), adjust the levels of the in-addr.arpa domain accordingly.

Application Nameserver Area Zones button Add reverse zone

Step 1

The desired subnet in which the IP address for the desired domain is located

Step 2

Nameserver is the localhost, i.e. the UTM itself
Complete the wizard with the Done button

The newly created entry Edit and Add entry

Caption Value Description Add entry UTMuser@firewall.name.fqdnApplicationNameserverEdit zone Add PTR-RR entry

Name: 60 The last number block of the host IP that belongs to the desired domain (in the example 60)

Type: PTR PTR (Pointer)-Record

Type	Description
NS	An NS record (or NS-RR: Name Server Resource Record) is a data record of a DNS server and can fulfill two different functions: It defines which name servers are officially responsible for this zone It links zones to form a zone tree (delegation). Each zone file must contain at least one NS-RR that specifies which name server is authoritative for this zone. If, for example, the firewall itself is responsible, "localhost" must be selected/entered here.
A	An A-RR (A Resource Record) is used to assign an IPv4 address to a DNS name.
AAAA	An AAAA resource record ("quad-A") is used to assign an IPv6 address to a DNS name. This is the IPv6 equivalent of the A resource record.
TXT	A TXT resource record can be used to store a freely definable text in a DNS zone. TXT records can be used for tunnelling via DNS, among other things.
PTR	PTR resource records assign one or more host names to a given IP address in the Domain Name System. In a way, they are the counterpart to the classic assignment of one or more IP address(es) to a given host name via A or AAAA resource record. PTR Resource Records are a central element of the Reverse DNS. They are usually used exclusively in the in-addr.arpa zone (for the reverse lookup of IPv4 addresses), in the ip6.arpa zone (for the reverse lookup of IPv6 addresses)[1] and in other zones for hostnames to which a CNAME resource record from one of the aforementioned zones points.
MX	The MX Resource Record (MX-RR) of a domain is an entry in the Domain Name System that relates exclusively to the e-mail (SMTP) service. An MX record specifies the Fully Qualified Domain Name (FQDN) under which the mail server for a domain or subdomain can be reached. It is common to define several MX records with different priorities for a domain, so that if one mail server fails, another can receive the emails. This increases the probability that a mail can still be delivered to the recipient domain.
CNAME	A CNAME Resource Record (CNAME RR) is used in the Domain Name System to assign an additional name to a domain. The abbreviation "CNAME" stands for canonical name (canonical = recognized, meaning the primary, quasi real name). In the simplest case, the name of a CNAME resource record refers to the name of an A resource record and/or an AAAA resource record. The names of these resource records refer to an IP address. When changing an IP address, only a single resource record needs to be changed for several names. An NS Resource Record, MX Resource Record or PTR Resource Record must not refer to a CNAME Resource Record. Conversely, a PTR resource record may only be accessible via a CNAME resource record. The name of a CNAME resource record may not be used as the name of other resource records, as it is representative of all resource records of the target.

Value: mail.anyideas.de. The domain to which the IP address should point
A dot "." is appended to the domain (=Top-Level)

Closes the dialog for the DNS record

Closes the dialog for editing the zone

The creation of the PTR-RR is now complete and the firewall will change the IP to the desired domain on request!

Test PTR-RR

Testen des angelegten PTR-RR über die Tool-Leiste mit Netzwerkwerkzeuge Bereich Host

Settings

Query type PTR Query type of the created DNS record

Hostname: 192.168.222.60 IP address of the desired server

Nameserver: 127.0.0.1 Localhost address of the UTM

Response

In the lower window, if everything has been set up correctly, the IP address is resolved to the correct domain.

Alternatively by a nslookup 192.168.222.60 from a computer in the UTM network

Relay-Zone

A relay zone is responsible for forwarding requests that belong to a specific domain.
Application example:

The firewall is used as a nameserver by all clients in the internal network
In addition, a nameserver is integrated in the internal network which is responsible for the internal domain administration (anyideas.local)
If a client now wants to resolve an internal name (e.g.: uma.anyideas.local), this DNS request is sent to the firewall
By forwarding all queries to anyideas.local to the internal nameserver, they can be resolved by the latter without any problems

Requests that do not belong to the internal domain are still resolved by the firewall itself

Create Relay

Area Zones button Add Relay-Zone

Caption Value Description Add Relay-Zone UTMuser@firewall.name.fqdnApplicationNameserver

Zone name: anyideas.local Domain that is managed by an internal DNS server

Type Relay Zone type is Relay

Server
Add server

IP address: 192.168.222.5 IP address (IPv4 or IPv6) of the internal DNS server Add server UTMuser@firewall.name.fqdnApplicationNameserverAdd Relay-Zone

Port: 53 Default: 53 for DNS queries

Saves the information and closes the dialog

Nameserver UTMuser@firewall.name.fqdnApplication Nameserver with relay zones for IPv4 and IPv6

DNS Forwarding

A DNS forwarding is used to forward all DNS requests made to the firewall's name server to another IP.

Cloud Shield Cloud Shield notempty New as of v14.1.0
If a Cloud Shield configuration is available via the USP (Unified Security Portal), a ‘’'configuration of ‘'DNS Forwarding’ on the UTM itself is not possible' The settings from the USP are displayed, but can only be changed here https://portal.securepoint.cloud Unified Security Console UTM Profile / Select profile Tab Cloud Shield Options Activate Cloud Shield or /li> Option Allow Fallback DNS activate or deactivate The section on the UTM is deactivated			Nameserver UTMuser@firewall.name.fqdnApplication 42 Cloud Shield configuration available in the USP

DNS Forwarding
Add DNS Forwarding Add DNS Forwarding Menu Applications Nameserver Area DNS Forwarding button + Add DNS Forwarding
Caption	Value	Description	Add DNS Forwarding UTMuser@firewall.name.fqdnApplicationNameserver Creating a DNS Forwarding
Type:	DNSDoT	DNS: classic unencrypted DNS-resolution
IP address:	203.0.113.113	IP address of a DNS server to which the DNS requests should be forwarded.

notempty New as of v14.0
Type:	DNSDoT	DoT: DNS over TLS DNS queries are encrypted with TLS	Add DNS Forwarding UTMuser@firewall.name.fqdnApplicationNameserver DNS over TLS notempty New as of v14.0
IP address:	1.1.1.1 Example value	IP address of a DNS server to which the DNS requests should be forwarded.
Hostname	cloudflare-dns.com Example value	The hostname is required fot thr verification of the TLS certificate
		Saves the entry

Provider-DNS Provider-DNS
Use the provider's DNS server	Off	When On is activated, the DNS server of the internet provider is used	Nameserver UTMuser@firewall.name.fqdnApplication
If a TLS-Forwarder (DoT) is configured, DNS Forwarder will not be used			Nameserver UTMuser@firewall.name.fqdnApplication

Domain forwarding through a VPN tunnel

Sometimes it is necessary to forward internal domain requests to a remote name server located in a VPN.

It should be noted here that, by default, all direct requests addressed to external name servers are sent from the firewall with the external IP. However, a public IP is not routed into a VPN tunnel.

Set the name server of the firewall

Caption	Value	Description	Server settings UTMuser@firewall.name.fqdnNetwork Name server IP
Check name server before local cache:	Yes	Should be enabled
Primary name server:	127.0.0.1	The IP of the UTM itself (localhost=127.0.0.1)
Secondary name server:		Can remain empty or designate another DNS in the VPN
		Saves the entry

Create relay

notempty

For this example, an IPSec connection was used. For SSL-VPN, the setup is done in the same way.

Menu Applications Name server Area Zones button + Add Relay-Zone.

Caption	Value	Description	Add relay zone UTMuser@firewall.name.fqdnApplicationNameserver Creating the relay zone
Zone name:	relay.test.local	Zone name of the desired domain
Type::	Relay	Select this type
IP address:	192.168.8.5	Click on Add server and in the IP address field the address of the remote name server is entered Edit the entry trash Delete the entry
		Saves the entry

Create network object

Menu Firewall Network Objects button + Add Object. A network object must be created for the IPSec network.

Caption	Value	Description	Add Network Objects UTMuser@firewall.name.fqdnFirewallNetwork object Network object
Name:	IPSec-Network	Choose unique name
Type::	VPN network	Select this type
Address:	192.168.8.0/24	The IP address corresponds to that of the IPSec network
Zone:	vpn-ipsec	Suitable zone must be selected
		Saves the entry

Add Rule

In the last step, a firewall rule with a Hide NAT must be created. This causes the DNS forwarding to also go into the tunnel, and not directly into the Internet.
Menu Firewall Packetfilter button + Add Rule.

Caption	Value	Add Rule UTMuser@firewall.name.fqdnFirewallPacketfilter
Aktive:	On
Source:	external-interface
Destination:	IPSec-Netzwerk
Service:	domain-udp
[-] NAT
Type::	HIDENAT
Network object:	internal-interface
	Saves the rule and closes the dialogue. The rules must then be updated.

Safe Search with external DHCP server

If an external DHCP server is used, the active web filter Safe Search often does not work for search engines, especially Google, when searching for images.
In order for this web filter to take effect there as well, the following forward zones must be set up for all ccTLDs (see https://www.google.com/supported_domains : www.google.de, www.google.ch, ...).
Menu Applications Nameserver button + Add Forward Zone.

Caption	Value	Zone bearbeiten UTMuser@firewall.name.fqdnApplicationNameserver The forward zone set up for www.google.com
Zone name:	www.google.com
Name server hostname:	localhost
Name server IP address:
In the Name server window, click in the www.google.de zone. In the Edit Zone window click Add entry.
Name:	www.google.com
Type::	A
Value:	216.239.38.120
Save and click again on Add entry.
Name:	www.google.com
Type::	AAAA
Value:	2001:4860:4802:32::78
	Saves the entry

DNA rebinding attack and prevention

This type of attack attempts to gain access to internal resources using falsified DNS responses.

The attacker needs nothing more than a domain with malicious code and a name server that answers all DNS queries for the attacker site.

The attack is carried out in several steps:
1. the victim is lured to a prepared website whose IP address is only marked as valid for a few seconds.
2. Malicious code is loaded on the website, which starts a new call after the IP address has expired,
3. but which now uses a modified, proprietary DNS server to display an address from the victim's local network as the destination
4. The attacker now has access to the host with the internal IP through his malicious code (e.g. Java script)

DNS rebinding prevention prevents internal IP addresses from the local network from being issued in response to a DNS query.

Configuration

DNS Rebinding Prevention is configured under Applications Nameserver Area DNS Rebinding Prevention.

Caption	Value	Description	Nameserver UTMuser@firewall.name.fqdnApplications DNS Rebinding Prevention tab
DNS Rebinding Prevention:	On default	Activates DNS rebinding prevention
Mode:	Automatic	In the factory settings, all private IP addresses (class A, B and C) are blocked. The corresponding private IPv6 addresses and the unique local unicast address are also protected in automatic mode.
Mode:	Custom	The addresses can be set manually.
Protected addresses:		All addresses that are protected by the prevention are displayed here.
		Saves the settings
Protected aliases
The DNS entries already configured are activated as protected aliases by default. Only zones for which a relay is configured are displayed. notempty As of v14.0.1 If the aliases already configured in the Zones tab are to be excluded from protection, they can be deactivated. Off

mDNS-Repeater

notempty

The menu access has been moved

to

and therefore, the Wiki Eintrag as well.

General Settings
General settings are made under Applications Nameserver Area General.
Caption	Value	Description	Nameserver UTMuser@firewall.name.fqdnAnwendungen Tab General
DNSSEC validation in resolver:	Off	notempty Caution! If DNSSEC Validation is enabled alongside Forward-Zones, it must be ensured that the domains corresponding to the forward zones can be validated within the global DNS or that they are added to the ignore domains list below. Replies corresponding to not globally registered domains are refused and lead to SERVFAIL replies for the domain in question. When this function is activated, all DNS entries are resolved with DNSSEC without exception. This would also attempt a validation in the DNS hierarchy for only local addresses. However, due to the lack of uniqueness of the local address, it cannot be registered with higher-level DNS servers. An error message appears, the address is not resolved and the zone is therefore not accessible (using DNS). This applies, for example, to .local domains! Further information on the implementation of DNSSEC can be found here.
Allow DNS queries only from routed and VPN networks:	On Default	By default, only DNS queries from the following sources are answered: localhost local networks Networks that are routed via another gateway but do not contain a default route (or shared default route) VPN transfer networks or Roadwarrior address pools
Allow DNS queries only from routed and VPN networks:	Off	If DNS queries are to be answered from other external networks as well, this option must be disabled
Ignore Domains during DNSSEC Verificationnotempty New as of v14.0		Domains that should not be validated with DNSSEC
Resolve DHCP Domain names: notempty New as of v14.0	anyideas.local (Pool: Local-Pool1	If a domain is specified in the DHCP pool configuration Unter Network Network Configuration Area DHCP-Pools button section Einstellungen these domains are selectable here. When a domain is selected, the DHCP hosts can be resolved either by the assigned name of the static lease or, if none is defined, by the client name with which the client registers with the DHCP server.
Resolve DHCP Domain names: notempty New as of v14.0	The domain is always redirected. For example, if the domain .de is configured for your DHCP pool, you will no longer be able to resolve .de domains on the internet.

Disable EDNS for the following servers notempty New as of v14.0 notempty Update v14.0.1	The EDNS option is omitted in favor of the option Ignore domains during DNSSEC verification If EDNS was configured in a previous version, a warning will be displayed after login. Inhalte in der extc-Variablen EDNS_SERVERS_OFF Clicking the button Yes will open the nameserver dialog, where values for Ignore domains during DNSSEC verification can be set. Inhalte in der extc-Variablen EDNS_SKIP_DOMAINS Don't forget to save! If the warning is dismissed (Schaltfläche No), it will be ignored for the time being. However, the message will appear again at the next login. The old values are temporarily entered under Ignore domains in DNSSEC verification, but they are marked as invalid and need to be changed		Dialog at login after an update Nameserver UTMuser@firewall.name.fqdnApplications Example of invalid IP addresses from previous configuration
Use DNS server specified by the provider: This setting is applied in the section DNS-Forwarding

Introduction

Prerequisites

Set Firewall as Namesever

Forward-Zone

Create A-RR

Test A-RR

Reverse-Zone

Create PTR-RR

Test PTR-RR

Relay-Zone

Create Relay

DNS Forwarding

Cloud Shield

Add DNS Forwarding

Provider-DNS

Domain forwarding through a VPN tunnel

Set the name server of the firewall

Create relay

Create network object

Add Rule

Safe Search with external DHCP server

DNA rebinding attack and prevention

Configuration

mDNS-Repeater

General Settings