Jump to:navigation, search
Wiki

UTM/APP/Nameserver-Zonen

From Securepoint Wiki






























De.png
En.png
Fr.png









Last adaptation to the version: 12.6.0

New:
  • Updated to Redesign of the webinterface
notempty
This article refers to a Resellerpreview
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 Application Nameserver



















| Expiry period of the entry (starts again after successful update}} }}






































Introduction

The nameserver of the UTM offers:

  • Forward zones: Name resolution (FQDN) in IP addresses
  • Reverse zones: IP addresses into FQDN)
  • Relay zones: Forwarding of queries belonging to a specific domain
  • DNS Forwarding: Forwarding of all DNS queries

 To use the nameserver, a rule must exist in the packet filter with the respective network as the source and the destination Interface.svg xy-Interface.
As a service, at least Service-group.svg dns must be allowed (Port 53 for TCP and UDP).
However, it is generally recommended to use the service group Service-group.svg proxy. This opens additional ports for services such as the transparent proxy, webcache, or a ping.


Prerequisites







Set Firewall as Namesever

Server settings UTMuser@firewall.name.fqdnNetwork UTM v12.6 Nameserver Servereinstellungen-en.pngNameserver IP The first step is to define the UTM itself as the nameserver of the firewall.

  1. Configuration under Network Server settings  Area Server settings section
    DNS Server
  2. Field Primary nameserver set the IP to 127.0.0.1 (localhost) as IP.
  3. Save with
  • If no nameserver is stored, DNS queries are resolved via the root DNS servers and the DNS servers stored there for the top-level domains



    • Forward-Zone

    A forward zone is used to convert domain names into IP addresses.
    This implementation is possible in both IPv4 (A) and IPv6 (AAAA). The following setup example shows the creation of an A-RR for a public domain.
    If the DNS of the firewall is used for resolution, a private IP from the internal network should be returned.

    This setting is required, among other things, if a domain whose public IP is that of the firewall is accessed from the internal network.
    Without this entry, a complicated port forwarding would be required, but this way the request can be sent directly to the server without any detours.
    Setup under Applications Nameserver  Area Zones Button Add forward zone.

    notempty
    If a NAT router is available, a forward zone must be set up.


    Create A-RR

    Add Forward-Zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Forwardzone Schritt 1-en.png
    Step 1
    Zone name: webserver.anyideas.de
    Domain that is managed by an internal DNS server
    Add Forward-Zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Forwardzone Schritt 2-en.png
    Step 2
    Nameserver Hostname: localhost
    The UTM itself serves as the nameserver
    Add Forward-Zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Forwardzone Schritt 3-en.png
    Step 3
    IP address:    
  • The IP address is only required if the nameserver is located in the zone that is currently being created and is not the localhost, i.e. the UTM itself
    • Complete the wizard with the Done button














    Caption Value Description Nameserver UTMuser@firewall.name.fqdnApplication UTM v12.6 Nameserver Zone bearbeiten-en.pngZones overview
    Edit The zone can be edited by clicking on the wrench
    Settings
    Type: Normal Setting for Forward-Zones Edit zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Forwardzone-en.pngEdit zone
    Update: 10000Link= Seconds Frequency with which the entry is updated
    Retry: 1800Link= Seconds Repeat update in case of failure
    Expires: 3600000Link= Seconds Ablauffrist des Eintrags (beginnt nach erfolgreicher Aktualisierung erneut
    Minimum: 3600Link= Seconds
    Entries
    Type NS localhost. There is already an NS entry (with a period at the end!)
    Edit Opens the record entry for editing
    Delete Deletes the record entry
    Add entry Add another record entry
    Name: webserver.anyideas.de. Desired domain name
  • A dot "." is appended to the domain (=Top-Level)
    		•  Add entry UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Record hinzufügen-en.pngAdd entry
    Type: A Select A-Record entry

































    Type Description
    NS An NS record (or NS-RR: Name Server Resource Record) is a data record of a DNS server and can fulfill two different functions:
    • It defines which name servers are officially responsible for this zone
    • It links zones to form a zone tree (delegation).

    Each zone file must contain at least one NS-RR that specifies which name server is authoritative for this zone.
    If, for example, the firewall itself is responsible, "localhost" must be selected/entered here.

    A An A-RR (A Resource Record) is used to assign an IPv4 address to a DNS name.
    AAAA An AAAA resource record ("quad-A") is used to assign an IPv6 address to a DNS name.
    This is the IPv6 equivalent of the A resource record.
    TXT A TXT resource record can be used to store a freely definable text in a DNS zone.
    TXT records can be used for tunnelling via DNS, among other things.
    PTR PTR resource records assign one or more host names to a given IP address in the Domain Name System. In a way, they are the counterpart to the classic assignment of one or more IP address(es) to a given host name via A or AAAA resource record.

    PTR Resource Records are a central element of the Reverse DNS. They are usually used exclusively

    • in the in-addr.arpa zone (for the reverse lookup of IPv4 addresses),
    • in the ip6.arpa zone (for the reverse lookup of IPv6 addresses)[1] and
    • in other zones for hostnames to which a CNAME resource record from one of the aforementioned zones points.
    MX The MX Resource Record (MX-RR) of a domain is an entry in the Domain Name System that relates exclusively to the e-mail (SMTP) service.

    An MX record specifies the Fully Qualified Domain Name (FQDN) under which the mail server for a domain or subdomain can be reached. It is common to define several MX records with different priorities for a domain, so that if one mail server fails, another can receive the emails. This increases the probability that a mail can still be delivered to the recipient domain.

    CNAME A CNAME Resource Record (CNAME RR) is used in the Domain Name System to assign an additional name to a domain. The abbreviation "CNAME" stands for canonical name (canonical = recognized, meaning the primary, quasi real name).

    In the simplest case, the name of a CNAME resource record refers to the name of an A resource record and/or an AAAA resource record. The names of these resource records refer to an IP address. When changing an IP address, only a single resource record needs to be changed for several names. An NS Resource Record, MX Resource Record or PTR Resource Record must not refer to a CNAME Resource Record. Conversely, a PTR resource record may only be accessible via a CNAME resource record. The name of a CNAME resource record may not be used as the name of other resource records, as it is representative of all resource records of the target.

    Value: 192.168.222.2 IP of the server to which the domain should point
    		Closes the dialog for the DNS record
    		Closes the dialog for editing the zone

    Test A-RR

    Test the created A-RR under: Network Network Tools  Area Host
    Settings
    		Network tools UTMuser@firewall.name.fqdnNetwork UTM v12.6 Nameserver A-RR testen-en.png
    Query type A Query type of the created DNS record
    Hostname: webserver.anyideas.de Web server address as entered in the record entry under Name (with or without the final dot)
    Nameserver: 127.0.0.1 Localhost address of the UTM

    Response

    If everything has been set up correctly, the domain is resolved to the correct IP address in the lower window.

    Alternative testing using a nslookup webserver.anyideas.de from a computer in the UTM network

    Reverse-Zone

    • Reverse DNS lookup (rDNS) refers to a DNS query in which the name is to be determined for an IP address
  • Only PTR resource records are permitted as RR types
    A PTR-RR has an IP address as the request basis and a name as the result - in contrast to the A Resource Record, where a name represents the request and an IP address the result.
    • An rDNS lookup is often used in connection with spam filters.
      Many spam mails are sent from fake domains.
      The recipient can use a reverse resolution of the IP to determine whether the domain really belongs to the incoming IP; if this is not the case, the mail is rejected.

    Create PTR-RR

    The next step is to create the PTR-RR.

    Here is a brief description to help you understand:

    As it would be extremely time-consuming to search the entire domain tree for the desired IPv4 address for an inverse request, a separate domain was created for inverse access, the in-addr.arpa domain. There are only three subdomain levels below this domain, so that a maximum of three steps are required to resolve an IPv4 address.

    The direct subdomains of in-addr.arpa have a number between 0 and 255 as a label and represent the first component of an IPv4 address. (Example: 64.in-addr.arpa or 192.in-addr.arpa for 64.x.y.z or 192.x.y.z respectively).

    The next level in the tree represents the second component of an IPv4 address (example: 27.64.in-addr.arpa. contains the IPv4 addresses 64.27.x.y) and the lowest level finally the third component (example: 125.27.64.in-addr.arpa contains all known IPv4 addresses of the network 64.27.125.0/24 - e.g. 64.27.125.60).

    As can be seen from the examples, a reverse name contains the IP address components in reverse order. This structure makes it possible to refine the reverse address space in several steps. In our following setup example, we will work with the last address space (/24).

    1. Go to Applications in the navigation bar and click on Nameserver in the drop-down menu.
    2. Click on the Add reverse zone button in the dialogue that appears.
    3. In step 1, enter the desired subnet in which the IP address for the desired domain is located.
    4. Enter ‘localhost’ under Nameserver in Step 2 and click on Done.


    The zone name is created automatically as described in the example above.

    1. Edit the created zone by clicking on the spanner.
    2. Klicken Sie im erscheinenden Dialog auf den Button Eintrag hinzufügen.
    3. Tragen Sie in das Feld "Name", die letzte Zahl der Host-IP ein, die zu der gewünschten Domain gehört (In unserem Beispiel die "60".)
    4. Als Typ wählen Sie "PTR".
    5. In the Value field, enter the domain to which the IP address should point. A dot ‘.’ is appended to the domain!
    6. Click on Add.
    7. Click on save

    Application Nameserver  Area Zones Button Add reverse zone

    Add reverse zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Reverszone Schritt 1.png
    Step 1
    The desired subnet in which the IP address for the desired domain is located
    Add reverse zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Reverszone Schritt 2.png
    Step 2
    Nameserver is the localhost, i.e. the UTM itself
    Complete the wizard with the Done button













    The newly created entry Edit and Add entry
    Caption Value Description Add entry UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver PTR anlegen.pngAdd PTR-RR entry
    Name: 60 The last number block of the host IP that belongs to the desired domain (in the example 60)
    Type: PTR PTR (Pointer)-Record

































    Type Description
    NS An NS record (or NS-RR: Name Server Resource Record) is a data record of a DNS server and can fulfill two different functions:
    • It defines which name servers are officially responsible for this zone
    • It links zones to form a zone tree (delegation).

    Each zone file must contain at least one NS-RR that specifies which name server is authoritative for this zone.
    If, for example, the firewall itself is responsible, "localhost" must be selected/entered here.

    A An A-RR (A Resource Record) is used to assign an IPv4 address to a DNS name.
    AAAA An AAAA resource record ("quad-A") is used to assign an IPv6 address to a DNS name.
    This is the IPv6 equivalent of the A resource record.
    TXT A TXT resource record can be used to store a freely definable text in a DNS zone.
    TXT records can be used for tunnelling via DNS, among other things.
    PTR PTR resource records assign one or more host names to a given IP address in the Domain Name System. In a way, they are the counterpart to the classic assignment of one or more IP address(es) to a given host name via A or AAAA resource record.

    PTR Resource Records are a central element of the Reverse DNS. They are usually used exclusively

    • in the in-addr.arpa zone (for the reverse lookup of IPv4 addresses),
    • in the ip6.arpa zone (for the reverse lookup of IPv6 addresses)[1] and
    • in other zones for hostnames to which a CNAME resource record from one of the aforementioned zones points.
    MX The MX Resource Record (MX-RR) of a domain is an entry in the Domain Name System that relates exclusively to the e-mail (SMTP) service.

    An MX record specifies the Fully Qualified Domain Name (FQDN) under which the mail server for a domain or subdomain can be reached. It is common to define several MX records with different priorities for a domain, so that if one mail server fails, another can receive the emails. This increases the probability that a mail can still be delivered to the recipient domain.

    CNAME A CNAME Resource Record (CNAME RR) is used in the Domain Name System to assign an additional name to a domain. The abbreviation "CNAME" stands for canonical name (canonical = recognized, meaning the primary, quasi real name).

    In the simplest case, the name of a CNAME resource record refers to the name of an A resource record and/or an AAAA resource record. The names of these resource records refer to an IP address. When changing an IP address, only a single resource record needs to be changed for several names. An NS Resource Record, MX Resource Record or PTR Resource Record must not refer to a CNAME Resource Record. Conversely, a PTR resource record may only be accessible via a CNAME resource record. The name of a CNAME resource record may not be used as the name of other resource records, as it is representative of all resource records of the target.

    Value: mail.anyideas.de. The domain to which the IP address should point
  • A dot "." is appended to the domain (=Top-Level)
    		•  Closes the dialog for the DNS record
    		Closes the dialog for editing the zone
    The creation of the PTR-RR is now complete and the firewall will change the IP to the desired domain on request!

    Test PTR-RR

    Test the created PTR-RR under: Network Network Tools  Area Host
    Settings
    		Network tools UTMuser@firewall.name.fqdnNetwork UTM v12.6 Nameserver PTR testen.png
    Query type PTR Query type of the created DNS record
    Hostname: 192.168.222.60 IP address of the desired server
    Nameserver: 127.0.0.1 Localhost address of the UTM

    Response
    In the lower window, if everything has been set up correctly, the IP address is resolved to the correct domain.

    Alternatively by a nslookup 192.168.222.60 from a computer in the UTM network

    Relay-Zone

    A relay zone is responsible for forwarding requests that belong to a specific domain.
    Application example:

    • The firewall is used as a nameserver by all clients in the internal network
    • In addition, a nameserver is integrated in the internal network which is responsible for the internal domain administration (anyideas.local)
    • If a client now wants to resolve an internal name (e.g.: uma.anyideas.local), this DNS request is sent to the firewall
    • By forwarding all queries to anyideas.local to the internal nameserver, they can be resolved by the latter without any problems
  • Requests that do not belong to the internal domain are still resolved by the firewall itself


    • Create Relay

    Application Nameserver  Area Zones Button Add Relay-Zone
    Caption Value Description Add Relay-Zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Relayzone hinzufuegen.png
    Zone name: anyideas.local Domain that is managed by an internal DNS server
    Type Relay Zone type is Relay
    Server
    Add server
    IP address: 192.168.222.5 IP address (IPv4 or IPv6) of the internal DNS server Add server UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Relayzone Server hinzufuegen.png
    Port: 53Link= Default: 53 for DNS queries
    		Saves the information and closes the dialog
    Nameserver UTMuser@firewall.name.fqdnApplication UTM v12.6 Nameserver Relayzone.pngNameserver with relay zones for IPv4 and IPv6
    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/APP/Nameserver-Zonen&oldid=94829"