Jump to:navigation, search
Wiki

Nameserver

From Securepoint Wiki





notempty Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!
notempty Der Artikel für die neueste Version steht hier

notempty Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Beta-Version bezieht











































Nameserver configuration on the UTM

Last adaptation to the version: 12.6.1

New:
  • Layout adjustment and port note for the mDNS-Repeater
  • Updated to Redesign of the webinterface

notemptyThis article refers to a Beta version

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 Application Nameserver


In dieser Seite werden die Variablen für unterschiedliche Sprachen definiert.
Diese Seite wird auf folgenden Seiten eingebunden

























































Introduction

The nameserver of the UTM offers:

  • Forward zones: Name resolution (FQDN) in IP addresses
  • Reverse zones: IP addresses into FQDN)
  • Relay zones: Forwarding of queries belonging to a specific domain
  • DNS Forwarding: Forwarding of all DNS queries


To use the nameserver, a rule must exist in the packet filter with the respective network as the source and the destination  xy-Interface.
As a service, at least  dns must be allowed (Port 53 for TCP and UDP).
However, it is generally recommended to use the service group  proxy. This opens additional ports for services such as the transparent proxy, webcache, or a ping.


Prerequisites

In dieser Seite werden die Variablen für unterschiedliche Sprachen definiert.
Diese Seite wird auf folgenden Seiten eingebunden







Set Firewall as Namesever

Server settings UTMuser@firewall.name.fqdnNetwork Nameserver IP The first step is to define the UTM itself as the nameserver of the firewall.

  1. Configuration under Network Server settings  Area Server settings section
    DNS Server
  2. Field Primary nameserver set the IP to 127.0.0.1 (localhost) as IP.
  3. Save with
  • If no nameserver is stored, DNS queries are resolved via the root DNS servers and the DNS servers stored there for the top-level domains



    • Forward-Zone

    A forward zone is used to convert domain names into IP addresses.
    This implementation is possible in both IPv4 (A) and IPv6 (AAAA). The following setup example shows the creation of an A-RR for a public domain.
    If the DNS of the firewall is used for resolution, a private IP from the internal network should be returned.

    This setting is required, among other things, if a domain whose public IP is that of the firewall is accessed from the internal network.
    Without this entry, a complicated port forwarding would be required, but this way the request can be sent directly to the server without any detours.
    Setup under Applications Nameserver  Area Zones button Add forward zone. notemptyIf a NAT router is available, a forward zone must be set up.


    Create A-RR













    Add Forward-Zone UTMuser@firewall.name.fqdnApplicationNameserver
    Step 1
    Zone name: webserver.anyideas.de
    Domain that is managed by an internal DNS server
    Add Forward-Zone UTMuser@firewall.name.fqdnApplicationNameserver
    Step 2
    Nameserver Hostname: localhost
    The UTM itself serves as the nameserver
    Add Forward-Zone UTMuser@firewall.name.fqdnApplicationNameserver
    Step 3
    IP address:    
  • The IP address is only required if the nameserver is located in the zone that is currently being created and is not the localhost, i.e. the UTM itself
    • Complete the wizard with the Done button


    Caption Value Description Nameserver UTMuser@firewall.name.fqdnApplication Zones overview
    Edit The zone can be edited by clicking on the wrench
    Settings
    Type: Normal Setting for Forward-Zones Edit zone UTMuser@firewall.name.fqdnApplicationNameserver Edit zone
    Update: 10000 Seconds Frequency with which the entry is updated
    Retry: 1800 Seconds Repeat update in case of failure
    Expires: 3600000 Seconds Expiry period of the entry (starts again after successful update)
    Minimum: 3600 Seconds
    Entries
    Type NS localhost. There is already an NS entry (with a period at the end!)
    Edit Opens the record entry for editing
    Delete Deletes the record entry
    Add entry Add another record entry
    Name: webserver.anyideas.de. Desired domain name
  • A dot "." is appended to the domain (=Top-Level)
    		•  Add entry UTMuser@firewall.name.fqdnApplicationNameserverEdit zone Add entry
    Type: A Select A-Record entry


































    Type Description
    NS An NS record (or NS-RR: Name Server Resource Record) is a data record of a DNS server and can fulfill two different functions:
    • It defines which name servers are officially responsible for this zone
    • It links zones to form a zone tree (delegation).

    Each zone file must contain at least one NS-RR that specifies which name server is authoritative for this zone.
    If, for example, the firewall itself is responsible, "localhost" must be selected/entered here.

    A An A-RR (A Resource Record) is used to assign an IPv4 address to a DNS name.
    AAAA An AAAA resource record ("quad-A") is used to assign an IPv6 address to a DNS name.
    This is the IPv6 equivalent of the A resource record.
    TXT A TXT resource record can be used to store a freely definable text in a DNS zone.
    TXT records can be used for tunnelling via DNS, among other things.
    PTR PTR resource records assign one or more host names to a given IP address in the Domain Name System. In a way, they are the counterpart to the classic assignment of one or more IP address(es) to a given host name via A or AAAA resource record.

    PTR Resource Records are a central element of the Reverse DNS. They are usually used exclusively

    • in the in-addr.arpa zone (for the reverse lookup of IPv4 addresses),
    • in the ip6.arpa zone (for the reverse lookup of IPv6 addresses)[1] and
    • in other zones for hostnames to which a CNAME resource record from one of the aforementioned zones points.
    MX The MX Resource Record (MX-RR) of a domain is an entry in the Domain Name System that relates exclusively to the e-mail (SMTP) service.

    An MX record specifies the Fully Qualified Domain Name (FQDN) under which the mail server for a domain or subdomain can be reached. It is common to define several MX records with different priorities for a domain, so that if one mail server fails, another can receive the emails. This increases the probability that a mail can still be delivered to the recipient domain.

    CNAME A CNAME Resource Record (CNAME RR) is used in the Domain Name System to assign an additional name to a domain. The abbreviation "CNAME" stands for canonical name (canonical = recognized, meaning the primary, quasi real name).

    In the simplest case, the name of a CNAME resource record refers to the name of an A resource record and/or an AAAA resource record. The names of these resource records refer to an IP address. When changing an IP address, only a single resource record needs to be changed for several names. An NS Resource Record, MX Resource Record or PTR Resource Record must not refer to a CNAME Resource Record. Conversely, a PTR resource record may only be accessible via a CNAME resource record. The name of a CNAME resource record may not be used as the name of other resource records, as it is representative of all resource records of the target.

    Value: 192.168.222.2 IP of the server to which the domain should point
    Closes the dialog for the DNS record
    Closes the dialog for editing the zone

    Test A-RR

    Testen des angelegten A-RR über die Tool-Leiste mit Netzwerkwerkzeuge Bereich Host
    Settings
    		Network tools UTMuser@firewall.name.fqdnNetwork
    Query type A Query type of the created DNS record
    Hostname: webserver.anyideas.de Web server address as entered in the record entry under Name (with or without the final dot)
    Nameserver: 127.0.0.1 Localhost address of the UTM

    Response

    If everything has been set up correctly, the domain is resolved to the correct IP address in the lower window.

    Alternative testing using a nslookup webserver.anyideas.de from a computer in the UTM network

    Reverse-Zone

    • Reverse DNS lookup (rDNS) refers to a DNS query in which the name is to be determined for an IP address
  • Only PTR resource records are permitted as RR types
    A PTR-RR has an IP address as the request basis and a name as the result - in contrast to the A Resource Record, where a name represents the request and an IP address the result.
    • An rDNS lookup is often used in connection with spam filters.
      Many spam mails are sent from fake domains.
      The recipient can use a reverse resolution of the IP to determine whether the domain really belongs to the incoming IP; if this is not the case, the mail is rejected.

    Create PTR-RR

    A PTR record (Pointer Record) assigns a domain name to an IP address and is required for reverse DNS queries. The in-addr.arpa domain organizes IP addresses in reverse order (e.g., 1.2.0.192.in-addr.arpa for the IP 192.0.2.1) to enable efficient resolution.
    1. Create reverse zone:
      1. Navigate to ApplicationsNameserver in the navigation bar.
      2. Select Add Reverse Zone from the dropdown menu.
      3. In Step 1, enter the subnet (e.g., 192.0.2.0/24).
      4. In Step 2, enter localhost under Nameserver and click Finish.

    (The zone name is generated automatically, e.g., 2.0.192.in-addr.arpa.)

    1. Configure PTR record:
      1. Edit the newly created zone by clicking the wrench icon.
      2. In the dialog, click Add Entry.
      3. Name field: Enter the last number of the IP address (e.g., 1 for 192.0.2.1).
      4. Type: Select PTR.
      5. Value field: Enter the target domain (e.g., example.com.).

    (The dot at the end of the domain is required.)

      1. Confirm by clicking Add and then Save.
    Note: For other subnets (e.g., /16), adjust the levels of the in-addr.arpa domain accordingly.

    Application Nameserver  Area Zones button Add reverse zone













    Add reverse zone UTMuser@firewall.name.fqdnApplicationNameserver
    Step 1
    The desired subnet in which the IP address for the desired domain is located
    Add reverse zone UTMuser@firewall.name.fqdnApplicationNameserver
    Step 2
    Nameserver is the localhost, i.e. the UTM itself
    Complete the wizard with the Done button
    The newly created entry Edit and Add entry
    Caption Value Description Add entry UTMuser@firewall.name.fqdnApplicationNameserverEdit zone Add PTR-RR entry
    Name: 60 The last number block of the host IP that belongs to the desired domain (in the example 60)
    Type: PTR PTR (Pointer)-Record


































    Type Description
    NS An NS record (or NS-RR: Name Server Resource Record) is a data record of a DNS server and can fulfill two different functions:
    • It defines which name servers are officially responsible for this zone
    • It links zones to form a zone tree (delegation).

    Each zone file must contain at least one NS-RR that specifies which name server is authoritative for this zone.
    If, for example, the firewall itself is responsible, "localhost" must be selected/entered here.

    A An A-RR (A Resource Record) is used to assign an IPv4 address to a DNS name.
    AAAA An AAAA resource record ("quad-A") is used to assign an IPv6 address to a DNS name.
    This is the IPv6 equivalent of the A resource record.
    TXT A TXT resource record can be used to store a freely definable text in a DNS zone.
    TXT records can be used for tunnelling via DNS, among other things.
    PTR PTR resource records assign one or more host names to a given IP address in the Domain Name System. In a way, they are the counterpart to the classic assignment of one or more IP address(es) to a given host name via A or AAAA resource record.

    PTR Resource Records are a central element of the Reverse DNS. They are usually used exclusively

    • in the in-addr.arpa zone (for the reverse lookup of IPv4 addresses),
    • in the ip6.arpa zone (for the reverse lookup of IPv6 addresses)[1] and
    • in other zones for hostnames to which a CNAME resource record from one of the aforementioned zones points.
    MX The MX Resource Record (MX-RR) of a domain is an entry in the Domain Name System that relates exclusively to the e-mail (SMTP) service.

    An MX record specifies the Fully Qualified Domain Name (FQDN) under which the mail server for a domain or subdomain can be reached. It is common to define several MX records with different priorities for a domain, so that if one mail server fails, another can receive the emails. This increases the probability that a mail can still be delivered to the recipient domain.

    CNAME A CNAME Resource Record (CNAME RR) is used in the Domain Name System to assign an additional name to a domain. The abbreviation "CNAME" stands for canonical name (canonical = recognized, meaning the primary, quasi real name).

    In the simplest case, the name of a CNAME resource record refers to the name of an A resource record and/or an AAAA resource record. The names of these resource records refer to an IP address. When changing an IP address, only a single resource record needs to be changed for several names. An NS Resource Record, MX Resource Record or PTR Resource Record must not refer to a CNAME Resource Record. Conversely, a PTR resource record may only be accessible via a CNAME resource record. The name of a CNAME resource record may not be used as the name of other resource records, as it is representative of all resource records of the target.

    Value: mail.anyideas.de. The domain to which the IP address should point
  • A dot "." is appended to the domain (=Top-Level)
    • Closes the dialog for the DNS record
    Closes the dialog for editing the zone
    The creation of the PTR-RR is now complete and the firewall will change the IP to the desired domain on request!

    Test PTR-RR

    Testen des angelegten PTR-RR über die Tool-Leiste mit Netzwerkwerkzeuge Bereich Host
    Settings
    		Network tools UTMuser@firewall.name.fqdnNetwork
    Query type PTR Query type of the created DNS record
    Hostname: 192.168.222.60 IP address of the desired server
    Nameserver: 127.0.0.1 Localhost address of the UTM

    Response
    In the lower window, if everything has been set up correctly, the IP address is resolved to the correct domain.

    Alternatively by a nslookup 192.168.222.60 from a computer in the UTM network

    Relay-Zone

    A relay zone is responsible for forwarding requests that belong to a specific domain.
    Application example:

    • The firewall is used as a nameserver by all clients in the internal network
    • In addition, a nameserver is integrated in the internal network which is responsible for the internal domain administration (anyideas.local)
    • If a client now wants to resolve an internal name (e.g.: uma.anyideas.local), this DNS request is sent to the firewall
    • By forwarding all queries to anyideas.local to the internal nameserver, they can be resolved by the latter without any problems
  • Requests that do not belong to the internal domain are still resolved by the firewall itself


    • Create Relay

    Application Nameserver  Area Zones button Add Relay-Zone
    Caption Value Description Add Relay-Zone UTMuser@firewall.name.fqdnApplicationNameserver
    Zone name: anyideas.local Domain that is managed by an internal DNS server
    Type Relay Zone type is Relay
    Server
    Add server
    IP address: 192.168.222.5 IP address (IPv4 or IPv6) of the internal DNS server Add server UTMuser@firewall.name.fqdnApplicationNameserverAdd Relay-Zone
    Port: 53 Default: 53 for DNS queries
    Saves the information and closes the dialog
    Nameserver UTMuser@firewall.name.fqdnApplication Nameserver with relay zones for IPv4 and IPv6






    notempty This article refers to a version that is no longer current!
    notempty The article for the latest version is here

    notempty There is already a newer version of this article, but it refers to a Beta version




































    {{var | Nameserver der Firewall festlegen--desc

    | Menü Network Appliance Settings  Area Servereinstellungen Abschnitt {{b|
    DNS-Server
    . | Menu Network Server Settings  Area Server Settings section
    DNS-Server
    .





























    DNS Forwarding

    A DNS forwarding is used to forward all DNS requests made to the firewall's name server to another IP.


    Add DNS Forwarding

    Menu Applications Nameserver  Area DNS Forwarding button + Add DNS Forwarding

    Caption Value Description Add DNS Forwarding UTMuser@firewall.name.fqdnApplicationsNameserver Creating a DNS Forwarding
    IP address: 192.168.175.2 Click on Add server and in the IP address field the address of the remote name server is entered


    Edit the entry
    trash Delete the entry

    Saves the entry


    Domain forwarding through a VPN tunnel

    Sometimes it is necessary to forward internal domain requests to a remote name server located in a VPN.

    It should be noted here that, by default, all direct requests addressed to external name servers are sent from the firewall with the external IP. However, a public IP is not routed into a VPN tunnel.


    Set the name server of the firewall

    Caption Value Description Server settings UTMuser@firewall.name.fqdnNetwork Name server IP
    Check name server before local cache: Yes Should be enabled
    Primary name server: 127.0.0.1 The IP of the UTM itself (localhost=127.0.0.1)
    Secondary name server:     Can remain empty or designate another DNS in the VPN
    Saves the entry


    Create relay

    notemptyFor this example, an IPSec connection was used. For SSL-VPN, the setup is done in the same way. Menü Menu Applications Name server  Area Zones button + Add Relay-Zone.

    Caption Value Description Add relay zone UTMuser@firewall.name.fqdnApplicationsNameserver Creating the relay zone
    Zone name: relay.test.local Zone name of the desired domain
    Type: Relay Select this type
    IP address: 192.168.8.5 Click on Add server and in the IP address field the address of the remote name server is entered


    Edit the entry
    trash Delete the entry

    Saves the entry


    Create network object

    Menu Firewall Network Objects  button + Add Object. A network object must be created for the IPSec network.

    Caption Value Description Add Network Objects UTMuser@firewall.name.fqdnFirewallNetwork object Network object
    Name: IPSec-Network Choose unique name
    Type: VPN network Select this type
    Address: 192.168.8.0/24 The IP address corresponds to that of the IPSec network
    Zone: vpn-ipsec Suitable zone must be selected
    Saves the entry


    Add Rule

    In the last step, a firewall rule with a Hide NAT must be created. This causes the DNS forwarding to also go into the tunnel, and not directly into the Internet.
    Menu Firewall Packetfilter  button + Add Rule.

    Caption Value Add Rule UTMuser@firewall.name.fqdnFirewallPacketfilter
    Aktive: On
    Source:  external-interface
    Destination:  IPSec-Netzwerk
    Service:  domain-udp

    [-] NAT
    Type: HIDENAT
    Network object:  internal-interface
    Saves the rule and closes the dialogue. The rules must then be updated.


    Safe Search with external DHCP server

    If an external DHCP server is used, the active web filter Safe Search often does not work for search engines, especially Google, when searching for images.
    In order for this web filter to take effect there as well, the following forward zones must be set up for all ccTLDs (see https://www.google.com/supported_domains : www.google.de, www.google.ch, ...).
    Menu Applications Nameserver  button + Add Forward Zone.

    Caption Value Zone bearbeiten UTMuser@firewall.name.fqdnApplicationsNameserver The forward zone set up for www.google.com
    Zone name: www.google.com
    Name server hostname: localhost
    Name server IP address:    
    In the Name server window, click in the www.google.de zone.
    In the Edit Zone window click Add entry.
    Name: www.google.com
    Type: A
    Value: 216.239.38.120
    Save and click again on Add entry.
    Name: www.google.com
    Type: AAAA
    Value: 2001:4860:4802:32::78
    Saves the entry


    In dieser Seite werden die Variablen für unterschiedliche Sprachen definiert.
    Diese Seite wird auf folgenden Seiten eingebunden















    DNA rebinding attack and prevention

    This type of attack attempts to gain access to internal resources using falsified DNS responses.

    The attacker needs nothing more than a domain with malicious code and a name server that answers all DNS queries for the attacker site.

    The attack is carried out in several steps:
    1. the victim is lured to a prepared website whose IP address is only marked as valid for a few seconds.
    2. Malicious code is loaded on the website, which starts a new call after the IP address has expired,
    3. but which now uses a modified, proprietary DNS server to display an address from the victim's local network as the destination
    4. The attacker now has access to the host with the internal IP through his malicious code (e.g. Java script)

    DNS rebinding prevention prevents internal IP addresses from the local network from being issued in response to a DNS query.



    Configuration

    DNS Rebinding Prevention is configured under Applications Nameserver  Area DNS Rebinding Prevention.

    Caption Value Description Nameserver UTMuser@firewall.name.fqdnApplications DNS Rebinding Prevention tab
    DNS Rebinding Prevention: On
    default    		 Activates DNS rebinding prevention
    Mode: Automatic In the factory settings, all private IP addresses (class A, B and C) are blocked.
    The corresponding private IPv6 addresses and the unique local unicast address are also protected in automatic mode.
    Custom The addresses can be set manually.
    Protected addresses:     All addresses that are protected by the prevention are displayed here.
    Saves the settings
    Protected aliases
    The DNS entries already configured are activated as protected aliases by default.

    Only zones for which a relay is configured are displayed. notemptyAs of v14.0.1
    If the aliases already configured in the Zones tab are to be excluded from protection, they can be deactivated. Off













    mDNS-Repeater

    Applications Nameserver  Area mDns-Repeater
    The multicast DNS repeater forwards mDNS queries between interfaces and networks without the need to configure an extra DNS server.
    Multicast-capable devices, such as printers, can be made visible across different networks.

  • The mDNS repeater only uses port 5353 as source and destination port!
    • Caption Value Description Nameserver UTMuser@firewall.name.fqdnApplications mDNS repeater configuration
    Activate mDNS repeater: Yes Activates the multicast DNS repeater
    The mDNS repeater is active
    The mDNS repeater is deactivated
    Interface: LAN1 LAN2 Selection of the interfaces between which mDNS requests are to be forwarded.
    At least two interfaces must be entered.
    Default behavior for networks: default All networks connected to the interfaces use the mDNS repeater
    Blocked network exceptions:     Networks from which mDNS requests are not forwarded
    Allowed network exceptions: Only if Default behavior for all networks is deactivated     Explicit specification of the networks from which mDNS requests are forwarded






    notempty This article refers to a version that is no longer current!
    notempty The article for the latest version is here

    notempty There is already a newer version of this article, but it refers to a Beta version











































    General Settings

    General settings are made under Applications Nameserver  Area General.
    Caption Value Description Nameserver UTMuser@firewall.name.fqdnAnwendungen Tab General
    DNSSEC validation in resolver: Off notemptyCaution!
    If DNSSEC Validation is enabled alongside Forward-Zones, it must be ensured that the domains corresponding to the forward zones can be validated within the global DNS. Replies corresponding to not globally registered domains are refused and lead to SERVFAIL replies for the domain in question.
    When this function is activated, all DNS entries are resolved with DNSSEC without exception. This would also attempt a validation in the DNS hierarchy for only local addresses. However, due to the lack of uniqueness of the local address, it cannot be registered with higher-level DNS servers. An error message appears, the address is not resolved and the zone is therefore not accessible (using DNS).
    This applies, for example, to .local domains!
    Further information on the implementation of DNSSEC can be found here.
    Allow DNS queries only from routed and VPN networks: On
    Default    		 By default, only DNS queries from the following sources are answered:
    • localhost
    • local networks
    • Networks that are routed via another gateway but do not contain a default route (or shared default route)
    • VPN transfer networks or Roadwarrior address pools
    Off If DNS queries are to be answered from other external networks as well, this option must be disabled
    Disable EDNS for the following servers:     EDNS can be disabled for servers that do not comply with RFC 6891.
    Old or misconfigured name servers sometimes do not use or do not correctly use Extended DNS and as a result do not accept DNS queries that use these protocol extensions.
  • EDNS is mandatory for DNSSEC
    The DO flag (DNSSEC OK) can no longer be placed in the standard header.
    • Use DNS server specified by the provider: Off When activated, the DNS server of the Internet provider is used.
    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/APP/Nameserver_v12.6.1&oldid=93685"