UTM/APP/Nameserver-Zonen

Last adaptation to the version: 12.6.0

New:

Updated to Redesign of the webinterface

Last updated:

Updated hints for PTR-RR

notempty

This article refers to a Beta version

11.7 11.6.11

Introduction

The nameserver of the UTM offers:

Forward zones: Name resolution (FQDN) in IP addresses
Reverse zones: IP addresses into FQDN)
Relay zones: Forwarding of queries belonging to a specific domain
DNS Forwarding: Forwarding of all DNS queries

To use the nameserver, a rule must exist in the packet filter with the respective network as the source and the destination

xy-Interface.
As a service, at least

dns must be allowed (Port 53 for TCP and UDP).
However, it is generally recommended to use the service group

proxy. This opens additional ports for services such as the transparent proxy, webcache, or a ping.

Prerequisites

Set Firewall as Namesever

Server settings UTMuser@firewall.name.fqdnNetwork Nameserver IP The first step is to define the UTM itself as the nameserver of the firewall.

Configuration under Network Server settings Area Server settings section
DNS Server
Field Primary nameserver set the IP to 127.0.0.1 (localhost) as IP.
Save with

If no nameserver is stored, DNS queries are resolved via the root DNS servers and the DNS servers stored there for the top-level domains

Forward-Zone

A forward zone is used to convert domain names into IP addresses.
This implementation is possible in both IPv4 (A) and IPv6 (AAAA). The following setup example shows the creation of an A-RR for a public domain.
If the DNS of the firewall is used for resolution, a private IP from the internal network should be returned.

This setting is required, among other things, if a domain whose public IP is that of the firewall is accessed from the internal network.
Without this entry, a complicated port forwarding would be required, but this way the request can be sent directly to the server without any detours.
Setup under Applications Nameserver Area Zones button Add forward zone.

notempty

If a NAT router is available, a forward zone must be set up.

Create A-RR

Step 1

Zone name: webserver.anyideas.de
Domain that is managed by an internal DNS server

Step 2

Nameserver Hostname: localhost
The UTM itself serves as the nameserver

Step 3

IP address:

The IP address is only required if the nameserver is located in the zone that is currently being created and is not the localhost, i.e. the UTM itself

Complete the wizard with the Done button

Caption Value Description Nameserver UTMuser@firewall.name.fqdnApplication Zones overview

Edit The zone can be edited by clicking on the wrench

Settings

Type: Normal Setting for Forward-Zones Edit zone UTMuser@firewall.name.fqdnApplicationNameserver Edit zone

Update: 10000 Seconds Frequency with which the entry is updated

Retry: 1800 Seconds Repeat update in case of failure

Expires: 3600000 Seconds Expiry period of the entry (starts again after successful update)

Minimum: 3600 Seconds

Entries

Type NS localhost. There is already an NS entry (with a period at the end!)

Edit Opens the record entry for editing

Delete Deletes the record entry

Add entry Add another record entry

Name: webserver.anyideas.de. Desired domain name
A dot "." is appended to the domain (=Top-Level) Add entry UTMuser@firewall.name.fqdnApplicationNameserverEdit zone Add entry

Type: A Select A-Record entry

Type	Description
NS	An NS record (or NS-RR: Name Server Resource Record) is a data record of a DNS server and can fulfill two different functions: It defines which name servers are officially responsible for this zone It links zones to form a zone tree (delegation). Each zone file must contain at least one NS-RR that specifies which name server is authoritative for this zone. If, for example, the firewall itself is responsible, "localhost" must be selected/entered here.
A	An A-RR (A Resource Record) is used to assign an IPv4 address to a DNS name.
AAAA	An AAAA resource record ("quad-A") is used to assign an IPv6 address to a DNS name. This is the IPv6 equivalent of the A resource record.
TXT	A TXT resource record can be used to store a freely definable text in a DNS zone. TXT records can be used for tunnelling via DNS, among other things.
PTR	PTR resource records assign one or more host names to a given IP address in the Domain Name System. In a way, they are the counterpart to the classic assignment of one or more IP address(es) to a given host name via A or AAAA resource record. PTR Resource Records are a central element of the Reverse DNS. They are usually used exclusively in the in-addr.arpa zone (for the reverse lookup of IPv4 addresses), in the ip6.arpa zone (for the reverse lookup of IPv6 addresses)[1] and in other zones for hostnames to which a CNAME resource record from one of the aforementioned zones points.
MX	The MX Resource Record (MX-RR) of a domain is an entry in the Domain Name System that relates exclusively to the e-mail (SMTP) service. An MX record specifies the Fully Qualified Domain Name (FQDN) under which the mail server for a domain or subdomain can be reached. It is common to define several MX records with different priorities for a domain, so that if one mail server fails, another can receive the emails. This increases the probability that a mail can still be delivered to the recipient domain.
CNAME	A CNAME Resource Record (CNAME RR) is used in the Domain Name System to assign an additional name to a domain. The abbreviation "CNAME" stands for canonical name (canonical = recognized, meaning the primary, quasi real name). In the simplest case, the name of a CNAME resource record refers to the name of an A resource record and/or an AAAA resource record. The names of these resource records refer to an IP address. When changing an IP address, only a single resource record needs to be changed for several names. An NS Resource Record, MX Resource Record or PTR Resource Record must not refer to a CNAME Resource Record. Conversely, a PTR resource record may only be accessible via a CNAME resource record. The name of a CNAME resource record may not be used as the name of other resource records, as it is representative of all resource records of the target.

Value: 192.168.222.2 IP of the server to which the domain should point

Closes the dialog for the DNS record

Closes the dialog for editing the zone

Test A-RR

Testen des angelegten A-RR über die Tool-Leiste mit Netzwerkwerkzeuge Bereich Host

Settings

Query type A Query type of the created DNS record

Hostname: webserver.anyideas.de Web server address as entered in the record entry under Name (with or without the final dot)

Nameserver: 127.0.0.1 Localhost address of the UTM

Response

If everything has been set up correctly, the domain is resolved to the correct IP address in the lower window.

Alternative testing using a nslookup webserver.anyideas.de from a computer in the UTM network

Reverse-Zone

Reverse DNS lookup (rDNS) refers to a DNS query in which the name is to be determined for an IP address

Only PTR resource records are permitted as RR types
A PTR-RR has an IP address as the request basis and a name as the result - in contrast to the A Resource Record, where a name represents the request and an IP address the result.

An rDNS lookup is often used in connection with spam filters.
Many spam mails are sent from fake domains.
The recipient can use a reverse resolution of the IP to determine whether the domain really belongs to the incoming IP; if this is not the case, the mail is rejected.

Create PTR-RR

A PTR record (Pointer Record) assigns a domain name to an IP address and is required for reverse DNS queries. The in-addr.arpa domain organizes IP addresses in reverse order (e.g., 1.2.0.192.in-addr.arpa for the IP 192.0.2.1) to enable efficient resolution.

Create reverse zone:
1. Navigate to Applications → Nameserver in the navigation bar.
2. Select Add Reverse Zone from the dropdown menu.
3. In Step 1, enter the subnet (e.g., 192.0.2.0/24).
4. In Step 2, enter localhost under Nameserver and click Finish.

(The zone name is generated automatically, e.g., 2.0.192.in-addr.arpa.)

Configure PTR record:
1. Edit the newly created zone by clicking the wrench icon.
2. In the dialog, click Add Entry.
3. Name field: Enter the last number of the IP address (e.g., 1 for 192.0.2.1).
4. Type: Select PTR.
5. Value field: Enter the target domain (e.g., example.com.).

(The dot at the end of the domain is required.)

1. Confirm by clicking Add and then Save.

Note: For other subnets (e.g., /16), adjust the levels of the in-addr.arpa domain accordingly.

Application Nameserver Area Zones button Add reverse zone

Step 1

The desired subnet in which the IP address for the desired domain is located

Step 2

Nameserver is the localhost, i.e. the UTM itself
Complete the wizard with the Done button

The newly created entry Edit and Add entry

Caption Value Description Add entry UTMuser@firewall.name.fqdnApplicationNameserverEdit zone Add PTR-RR entry

Name: 60 The last number block of the host IP that belongs to the desired domain (in the example 60)

Type: PTR PTR (Pointer)-Record

Type	Description
NS	An NS record (or NS-RR: Name Server Resource Record) is a data record of a DNS server and can fulfill two different functions: It defines which name servers are officially responsible for this zone It links zones to form a zone tree (delegation). Each zone file must contain at least one NS-RR that specifies which name server is authoritative for this zone. If, for example, the firewall itself is responsible, "localhost" must be selected/entered here.
A	An A-RR (A Resource Record) is used to assign an IPv4 address to a DNS name.
AAAA	An AAAA resource record ("quad-A") is used to assign an IPv6 address to a DNS name. This is the IPv6 equivalent of the A resource record.
TXT	A TXT resource record can be used to store a freely definable text in a DNS zone. TXT records can be used for tunnelling via DNS, among other things.
PTR	PTR resource records assign one or more host names to a given IP address in the Domain Name System. In a way, they are the counterpart to the classic assignment of one or more IP address(es) to a given host name via A or AAAA resource record. PTR Resource Records are a central element of the Reverse DNS. They are usually used exclusively in the in-addr.arpa zone (for the reverse lookup of IPv4 addresses), in the ip6.arpa zone (for the reverse lookup of IPv6 addresses)[1] and in other zones for hostnames to which a CNAME resource record from one of the aforementioned zones points.
MX	The MX Resource Record (MX-RR) of a domain is an entry in the Domain Name System that relates exclusively to the e-mail (SMTP) service. An MX record specifies the Fully Qualified Domain Name (FQDN) under which the mail server for a domain or subdomain can be reached. It is common to define several MX records with different priorities for a domain, so that if one mail server fails, another can receive the emails. This increases the probability that a mail can still be delivered to the recipient domain.
CNAME	A CNAME Resource Record (CNAME RR) is used in the Domain Name System to assign an additional name to a domain. The abbreviation "CNAME" stands for canonical name (canonical = recognized, meaning the primary, quasi real name). In the simplest case, the name of a CNAME resource record refers to the name of an A resource record and/or an AAAA resource record. The names of these resource records refer to an IP address. When changing an IP address, only a single resource record needs to be changed for several names. An NS Resource Record, MX Resource Record or PTR Resource Record must not refer to a CNAME Resource Record. Conversely, a PTR resource record may only be accessible via a CNAME resource record. The name of a CNAME resource record may not be used as the name of other resource records, as it is representative of all resource records of the target.

Value: mail.anyideas.de. The domain to which the IP address should point
A dot "." is appended to the domain (=Top-Level)

Closes the dialog for the DNS record

Closes the dialog for editing the zone

The creation of the PTR-RR is now complete and the firewall will change the IP to the desired domain on request!

Test PTR-RR

Testen des angelegten PTR-RR über die Tool-Leiste mit Netzwerkwerkzeuge Bereich Host

Settings

Query type PTR Query type of the created DNS record

Hostname: 192.168.222.60 IP address of the desired server

Nameserver: 127.0.0.1 Localhost address of the UTM

Response

In the lower window, if everything has been set up correctly, the IP address is resolved to the correct domain.

Alternatively by a nslookup 192.168.222.60 from a computer in the UTM network

Relay-Zone

A relay zone is responsible for forwarding requests that belong to a specific domain.
Application example:

The firewall is used as a nameserver by all clients in the internal network
In addition, a nameserver is integrated in the internal network which is responsible for the internal domain administration (anyideas.local)
If a client now wants to resolve an internal name (e.g.: uma.anyideas.local), this DNS request is sent to the firewall
By forwarding all queries to anyideas.local to the internal nameserver, they can be resolved by the latter without any problems

Requests that do not belong to the internal domain are still resolved by the firewall itself

Create Relay

Area Zones button Add Relay-Zone

Caption Value Description Add Relay-Zone UTMuser@firewall.name.fqdnApplicationNameserver

Zone name: anyideas.local Domain that is managed by an internal DNS server

Type Relay Zone type is Relay

Server
Add server

IP address: 192.168.222.5 IP address (IPv4 or IPv6) of the internal DNS server Add server UTMuser@firewall.name.fqdnApplicationNameserverAdd Relay-Zone

Port: 53 Default: 53 for DNS queries

Saves the information and closes the dialog

Nameserver UTMuser@firewall.name.fqdnApplication Nameserver with relay zones for IPv4 and IPv6