Jump to:navigation, search
Wiki

Nameserver

From Securepoint Wiki


































De.png
En.png
Fr.png






Nameserver configuration on the UTM
Last adaptation to the version: 12.6.1
New:
  • Layout adjustment and port note for the mDNS-Repeater
  • Updated to Redesign of the webinterface
notempty
This article refers to a Resellerpreview

v12.2.2 v11.6

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 Application Nameserver





















| Expiry period of the entry (starts again after successful update}} }}






































Introduction

The nameserver of the UTM offers:

  • Forward zones: Name resolution (FQDN) in IP addresses
  • Reverse zones: IP addresses into FQDN)
  • Relay zones: Forwarding of queries belonging to a specific domain
  • DNS Forwarding: Forwarding of all DNS queries

 Um den Nameserver der UTM nutzen zu können, muss im Paketfilter eine Regel mit dem jeweiligen Netz als Quelle und dem Ziel Interface.svg xy-Interface existieren.
Als Dienst muss mindestens Service-group.svg dns erlaubt werden (Port 53 für TCP und UDP).
Es empfiehlt sich in der Regel jedoch die Dienstgruppe Service-group.svg proxy zu verwenden. Dies gibt weitere Ports für Dienste wie z.B. den transparenten Proxy, webcache oder einen Ping frei.


Prerequisites







Set Firewall as Namesever

Server settings UTMuser@firewall.name.fqdnNetwork UTM v12.6 Nameserver Servereinstellungen-en.pngNameserver IP The first step is to define the UTM itself as the nameserver of the firewall.

  1. Configuration under Network Server settings  Area Server settings section
    DNS Server
  2. Field Primary nameserver set the IP to 127.0.0.1 (localhost) as IP.
  3. Save with
  • If no nameserver is stored, DNS queries are resolved via the root DNS servers and the DNS servers stored there for the top-level domains



    • Forward-Zone

    A forward zone is used to convert domain names into IP addresses.
    This implementation is possible in both IPv4 (A) and IPv6 (AAAA). The following setup example shows the creation of an A-RR for a public domain.
    If the DNS of the firewall is used for resolution, a private IP from the internal network should be returned.

    This setting is required, among other things, if a domain whose public IP is that of the firewall is accessed from the internal network.
    Without this entry, a complicated port forwarding would be required, but this way the request can be sent directly to the server without any detours.
    Setup under Applications Nameserver  Area Zones Button Add forward zone.

    notempty
    If a NAT router is available, a forward zone must be set up.


    Create A-RR

    Add Forward-Zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Forwardzone Schritt 1-en.png
    Step 1
    Zone name: webserver.anyideas.de
    Domain that is managed by an internal DNS server
    Add Forward-Zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Forwardzone Schritt 2-en.png
    Step 2
    Nameserver Hostname: localhost
    The UTM itself serves as the nameserver
    Add Forward-Zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Forwardzone Schritt 3-en.png
    Step 3
    IP address:    
  • The IP address is only required if the nameserver is located in the zone that is currently being created and is not the localhost, i.e. the UTM itself
    • Complete the wizard with the Done button














    Caption Value Description Nameserver UTMuser@firewall.name.fqdnApplication UTM v12.6 Nameserver Zone bearbeiten-en.pngZones overview
    Edit The zone can be edited by clicking on the wrench
    Settings
    Type: Normal Setting for Forward-Zones Edit zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Forwardzone-en.pngEdit zone
    Update: 10000Link= Seconds Frequency with which the entry is updated
    Retry: 1800Link= Seconds Repeat update in case of failure
    Expires: 3600000Link= Seconds Ablauffrist des Eintrags (beginnt nach erfolgreicher Aktualisierung erneut
    Minimum: 3600Link= Seconds
    Entries
    Type NS localhost. There is already an NS entry (with a period at the end!)
    Edit Opens the record entry for editing
    Delete Deletes the record entry
    Add entry Add another record entry
    Name: webserver.anyideas.de. Desired domain name
  • A dot "." is appended to the domain (=Top-Level)
    		•  Add entry UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Record hinzufügen-en.pngAdd entry
    Type: A Select A-Record entry

































    Type Description
    NS An NS record (or NS-RR: Name Server Resource Record) is a data record of a DNS server and can fulfill two different functions:
    • It defines which name servers are officially responsible for this zone
    • It links zones to form a zone tree (delegation).

    Each zone file must contain at least one NS-RR that specifies which name server is authoritative for this zone.
    If, for example, the firewall itself is responsible, "localhost" must be selected/entered here.

    A An A-RR (A Resource Record) is used to assign an IPv4 address to a DNS name.
    AAAA An AAAA resource record ("quad-A") is used to assign an IPv6 address to a DNS name.
    This is the IPv6 equivalent of the A resource record.
    TXT A TXT resource record can be used to store a freely definable text in a DNS zone.
    TXT records can be used for tunnelling via DNS, among other things.
    PTR PTR resource records assign one or more host names to a given IP address in the Domain Name System. In a way, they are the counterpart to the classic assignment of one or more IP address(es) to a given host name via A or AAAA resource record.

    PTR Resource Records are a central element of the Reverse DNS. They are usually used exclusively

    • in the in-addr.arpa zone (for the reverse lookup of IPv4 addresses),
    • in the ip6.arpa zone (for the reverse lookup of IPv6 addresses)[1] and
    • in other zones for hostnames to which a CNAME resource record from one of the aforementioned zones points.
    MX The MX Resource Record (MX-RR) of a domain is an entry in the Domain Name System that relates exclusively to the e-mail (SMTP) service.

    An MX record specifies the Fully Qualified Domain Name (FQDN) under which the mail server for a domain or subdomain can be reached. It is common to define several MX records with different priorities for a domain, so that if one mail server fails, another can receive the emails. This increases the probability that a mail can still be delivered to the recipient domain.

    CNAME A CNAME Resource Record (CNAME RR) is used in the Domain Name System to assign an additional name to a domain. The abbreviation "CNAME" stands for canonical name (canonical = recognized, meaning the primary, quasi real name).

    In the simplest case, the name of a CNAME resource record refers to the name of an A resource record and/or an AAAA resource record. The names of these resource records refer to an IP address. When changing an IP address, only a single resource record needs to be changed for several names. An NS Resource Record, MX Resource Record or PTR Resource Record must not refer to a CNAME Resource Record. Conversely, a PTR resource record may only be accessible via a CNAME resource record. The name of a CNAME resource record may not be used as the name of other resource records, as it is representative of all resource records of the target.

    Value: 192.168.222.2 IP of the server to which the domain should point
    Closes the dialog for the DNS record
    Closes the dialog for editing the zone

    Test A-RR

    Test the created A-RR under: Network Network Tools  Area Host
    Settings
    		Network tools UTMuser@firewall.name.fqdnNetwork UTM v12.6 Nameserver A-RR testen-en.png
    Query type A Query type of the created DNS record
    Hostname: webserver.anyideas.de Web server address as entered in the record entry under Name (with or without the final dot)
    Nameserver: 127.0.0.1 Localhost address of the UTM

    Response

    If everything has been set up correctly, the domain is resolved to the correct IP address in the lower window.

    Alternative testing using a nslookup webserver.anyideas.de from a computer in the UTM network

    Reverse-Zone

    • Reverse DNS lookup (rDNS) refers to a DNS query in which the name is to be determined for an IP address
  • Only PTR resource records are permitted as RR types
    A PTR-RR has an IP address as the request basis and a name as the result - in contrast to the A Resource Record, where a name represents the request and an IP address the result.
    • An rDNS lookup is often used in connection with spam filters.
      Many spam mails are sent from fake domains.
      The recipient can use a reverse resolution of the IP to determine whether the domain really belongs to the incoming IP; if this is not the case, the mail is rejected.

    Create PTR-RR

    The next step is to create the PTR-RR.

    Here is a brief description to help you understand:

    As it would be extremely time-consuming to search the entire domain tree for the desired IPv4 address for an inverse request, a separate domain was created for inverse accesses, the in-addr.arpa domain. There are only three subdomain levels below this domain, so that a maximum of three steps are required to resolve an IPv4 address.

    The immediate subdomains of in-addr.arpa have a number between 0 and 255 as a label and represent the first component of an IPv4 address. (Example: 64.in-addr.arpa or 192.in-addr.arpa).
    The next level in the tree represents the second component of an IPv4 address (example: 27.64.in-addr.arpa. contains the IPv4 addresses 64.27.x.y) and the lowest level finally the third component (example: 125.27.64.in-addr.arpa contains all known IPv4 addresses of the network 64.27.125.0/24 - e.g. 64.27.125.60).

    As can be seen from the examples, a reverse name contains the IP address components in reverse order. This structure makes it possible to refine the reverse address space in several steps. In our following setup example, we will work with the last address space (/24).

    1. Go to Applications in the navigation bar and click on Nameserver in the drop-down menu.
    2. Click on the Add reverse zone button in the dialog that appears.
    3. In step 1, enter the desired subnet in which the IP address for the desired domain is located.
    4. Enter "localhost" under Nameserver in Step 2 and click on Done.


    The zone name is created automatically as described in the example above.

    1. Edit the created zone by clicking on the wrench.
    2. Click on the Add entry button in the dialog that appears.
    3. In the "Name" field, enter the last number of the host IP that belongs to the desired domain (in our example, "60").
    4. Select "PTR" as the type.
    5. In the Value field, enter the domain to which the IP address should point. A dot "." is appended to the domain!
    6. Click on Add.
    7. Click on Save.

    Application Nameserver  Area Zones Button Add reverse zone

    Add reverse zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Reverszone Schritt 1.png
    Step 1
    The desired subnet in which the IP address for the desired domain is located
    Add reverse zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Reverszone Schritt 2.png
    Step 2
    Nameserver is the localhost, i.e. the UTM itself
    Complete the wizard with the Done button













    The newly created entry Edit and Add entry
    Caption Value Description Add entry UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver PTR anlegen.pngAdd PTR-RR entry
    Name: 60 The last number block of the host IP that belongs to the desired domain (in the example 60)
    Type: PTR PTR (Pointer)-Record

































    Type Description
    NS An NS record (or NS-RR: Name Server Resource Record) is a data record of a DNS server and can fulfill two different functions:
    • It defines which name servers are officially responsible for this zone
    • It links zones to form a zone tree (delegation).

    Each zone file must contain at least one NS-RR that specifies which name server is authoritative for this zone.
    If, for example, the firewall itself is responsible, "localhost" must be selected/entered here.

    A An A-RR (A Resource Record) is used to assign an IPv4 address to a DNS name.
    AAAA An AAAA resource record ("quad-A") is used to assign an IPv6 address to a DNS name.
    This is the IPv6 equivalent of the A resource record.
    TXT A TXT resource record can be used to store a freely definable text in a DNS zone.
    TXT records can be used for tunnelling via DNS, among other things.
    PTR PTR resource records assign one or more host names to a given IP address in the Domain Name System. In a way, they are the counterpart to the classic assignment of one or more IP address(es) to a given host name via A or AAAA resource record.

    PTR Resource Records are a central element of the Reverse DNS. They are usually used exclusively

    • in the in-addr.arpa zone (for the reverse lookup of IPv4 addresses),
    • in the ip6.arpa zone (for the reverse lookup of IPv6 addresses)[1] and
    • in other zones for hostnames to which a CNAME resource record from one of the aforementioned zones points.
    MX The MX Resource Record (MX-RR) of a domain is an entry in the Domain Name System that relates exclusively to the e-mail (SMTP) service.

    An MX record specifies the Fully Qualified Domain Name (FQDN) under which the mail server for a domain or subdomain can be reached. It is common to define several MX records with different priorities for a domain, so that if one mail server fails, another can receive the emails. This increases the probability that a mail can still be delivered to the recipient domain.

    CNAME A CNAME Resource Record (CNAME RR) is used in the Domain Name System to assign an additional name to a domain. The abbreviation "CNAME" stands for canonical name (canonical = recognized, meaning the primary, quasi real name).

    In the simplest case, the name of a CNAME resource record refers to the name of an A resource record and/or an AAAA resource record. The names of these resource records refer to an IP address. When changing an IP address, only a single resource record needs to be changed for several names. An NS Resource Record, MX Resource Record or PTR Resource Record must not refer to a CNAME Resource Record. Conversely, a PTR resource record may only be accessible via a CNAME resource record. The name of a CNAME resource record may not be used as the name of other resource records, as it is representative of all resource records of the target.

    Value: mail.anyideas.de. The domain to which the IP address should point
  • A dot "." is appended to the domain (=Top-Level)
    • Closes the dialog for the DNS record
    Closes the dialog for editing the zone
    The creation of the PTR-RR is now complete and the firewall will change the IP to the desired domain on request!

    Test PTR-RR

    Test the created PTR-RR under: Network Network Tools  Area Host
    Settings
    		Network tools UTMuser@firewall.name.fqdnNetwork UTM v12.6 Nameserver PTR testen.png
    Query type PTR Query type of the created DNS record
    Hostname: 192.168.222.60 IP address of the desired server
    Nameserver: 127.0.0.1 Localhost address of the UTM

    Response
    In the lower window, if everything has been set up correctly, the IP address is resolved to the correct domain.

    Alternatively by a nslookup 192.168.222.60 from a computer in the UTM network


    Relay-Zone

    A relay zone is responsible for forwarding requests that belong to a specific domain.
    Application example:

    • The firewall is used as a nameserver by all clients in the internal network
    • In addition, a nameserver is integrated in the internal network which is responsible for the internal domain administration (anyideas.local)
    • If a client now wants to resolve an internal name (e.g.: uma.anyideas.local), this DNS request is sent to the firewall
    • By forwarding all queries to anyideas.local to the internal nameserver, they can be resolved by the latter without any problems
  • Requests that do not belong to the internal domain are still resolved by the firewall itself


    • Create Relay

    Application Nameserver  Area Zones Button Add Relay-Zone
    Caption Value Description Add Relay-Zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Relayzone hinzufuegen.png
    Zone name: anyideas.local Domain that is managed by an internal DNS server
    Type Relay Zone type is Relay
    Server
    Add server
    IP address: 192.168.222.5 IP address (IPv4 or IPv6) of the internal DNS server Add server UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6 Nameserver Relayzone Server hinzufuegen.png
    Port: 53Link= Default: 53 for DNS queries
    Saves the information and closes the dialog
    Nameserver UTMuser@firewall.name.fqdnApplication UTM v12.6 Nameserver Relayzone.pngNameserver with relay zones for IPv4 and IPv6










    {{var | Nameserver der Firewall festlegen--desc

    | Menü Network Appliance Settings  Area Servereinstellungen Abschnitt {{b|
    DNS-Server
    . | Menu Network Server Settings  Area Server Settings section
    DNS-Server
    .






























    DNS Forwarding

    A DNS forwarding is used to forward all DNS requests made to the firewall's name server to another IP.


    Add DNS Forwarding

    Menu Applications Nameserver  Area DNS Forwarding Button + Add DNS Forwarding

    Caption Value Description Add DNS Forwarding UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6.0 Anwendungen Nameserver DNS Forwarding hinzufügen-en.pngCreating a DNS Forwarding
    IP address: 192.168.175.2 Click on Add server and in the IP address field the address of the remote name server is entered


    Edit the entry
    trash Delete the entry

    Saves the entry


    Domain forwarding through a VPN tunnel

    Sometimes it is necessary to forward internal domain requests to a remote name server located in a VPN.

    It should be noted here that, by default, all direct requests addressed to external name servers are sent from the firewall with the external IP. However, a public IP is not routed into a VPN tunnel.


    Set the name server of the firewall

    Caption Value Description Server settings UTMuser@firewall.name.fqdnNetwork UTM v12.6.0 Netzwerk Servereinstellungen DNS Server-en.pngName server IP
    Check name server before local cache: Yes Should be enabled
    Primary name server: 127.0.0.1 The IP of the UTM itself (localhost=127.0.0.1)
    Secondary name server:     Can remain empty or designate another DNS in the VPN
    Saves the entry


    Create relay

    notempty
    For this example, an IPSec connection was used. For SSL-VPN, the setup is done in the same way.

    Menü Menu Applications Name server  Area Zones Button + Add Relay-Zone.

    Caption Value Description Add relay zone UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6.0 Anwendungen Nameserver Relay Zone hinzufügen-en.pngCreating the relay zone
    Zone name: relay.test.local Zone name of the desired domain
    Type: Relay Select this type
    IP address: 192.168.8.5 Click on Add server and in the IP address field the address of the remote name server is entered


    Edit the entry
    trash Delete the entry

    Saves the entry


    Create network object

    Menu Firewall Network Objects  Button + Add Object. A network object must be created for the IPSec network.

    Caption Value Description Add Network Objects UTMuser@firewall.name.fqdnFirewallNetwork object UTM v12.6.0 Netzwerkobjekt DNS Forwarding-en.pngNetwork object
    Name: IPSec-Network Choose unique name
    Type: VPN network Select this type
    Address: 192.168.8.0/24 The IP address corresponds to that of the IPSec network
    Zone: vpn-ipsec Suitable zone must be selected
    Saves the entry


    Add Rule

    In the last step, a firewall rule with a Hide NAT must be created. This causes the DNS forwarding to also go into the tunnel, and not directly into the Internet.
    Menu Firewall Packetfilter  Button + Add Rule.

    Caption Value Add Rule UTMuser@firewall.name.fqdnFirewallPacketfilter UTM v12.6.0 Paketfilterregel DNS Forwarding-en.png
    Aktive: On
    Source: Interface.svg external-interface
    Destination: Vpn-network.svg IPSec-Netzwerk
    Service: Udp.svg domain-udp

    [-] NAT
    Type: HIDENAT
    Network object: Interface.svg internal-interface
    Saves the rule and closes the dialogue. The rules must then be updated.


    Safe Search with external DHCP server

    If an external DHCP server is used, the active web filter Safe Search often does not work for search engines, especially Google, when searching for images.
    In order for this web filter to take effect there as well, the following forward zones must be set up for all ccTLDs (see https://www.google.com/supported_domains : www.google.de, www.google.ch, ...).
    Menu Applications Nameserver  Button + Add Forward Zone.

    Caption Value Zone bearbeiten UTMuser@firewall.name.fqdnApplicationNameserver UTM v12.6.0 Anwendungen Nameserver Zone bearbeiten-en.pngThe forward zone set up for www.google.com
    Zone name: www.google.com
    Name server hostname: localhost
    Name server IP address:    
    In the Name server window, click in the www.google.de zone.
    In the Edit Zone window click Add entry.
    Name: www.google.com
    Type: A
    Value: 216.239.38.120
    Save and click again on Add entry.
    Name: www.google.com
    Type: AAAA
    Value: 2001:4860:4802:32::78
    Saves the entry















    Thumbnail for

    Load video
    YouTube


    DNA rebinding attack and prevention

    This type of attack attempts to gain access to internal resources using falsified DNS responses.

    The attacker needs nothing more than a domain with malicious code and a name server that answers all DNS queries for the attacker site.

    The attack is carried out in several steps:
    1. the victim is lured to a prepared website whose IP address is only marked as valid for a few seconds.
    2. Malicious code is loaded on the website, which starts a new call after the IP address has expired,
    3. but which now uses a modified, proprietary DNS server to display an address from the victim's local network as the destination
    4. The attacker now has access to the host with the internal IP through his malicious code (e.g. Java script)
      

    DNS rebinding prevention prevents internal IP addresses from the local network from being issued in response to a DNS query.



    Configuration

    DNS Rebinding Prevention is configured under Applications Nameserver  Area DNS Rebinding Prevention.

    Caption Value Description Nameserver UTMuser@firewall.name.fqdnApplications UTM v12.6.0 Anwendungen Nameserver DNS Rebinding Prevention-en.pngDNS Rebinding Prevention tab
    DNS Rebinding Prevention: On
    default    		 Activates DNS rebinding prevention
    Mode: Automatic In the factory settings, all private IP addresses (class A, B and C) are blocked.
    The corresponding private IPv6 addresses and the unique local unicast address are also protected in automatic mode.
    Custom The addresses can be set manually.
    Protected addresses:     All addresses that are protected by the prevention are displayed here.
    Saves the settings
    '
















    mDNS-Repeater

    Applications Nameserver  Area mDns-Repeater
    The multicast DNS repeater forwards mDNS queries between interfaces and networks without the need to configure an extra DNS server.
    Multicast-capable devices, such as printers, can be made visible across different networks.

  • The mDNS repeater only uses port 5353 as source and destination port!
    • Caption Value Description Nameserver UTMuser@firewall.name.fqdnApplications UTM v12.6.1 Anwendungen Nameserver MDNS Repeater-en.pngmDNS repeater configuration
    Activate mDNS repeater: Yes Activates the multicast DNS repeater
    		The mDNS repeater is active
    		The mDNS repeater is deactivated
    Interface: ×LAN1 ×LAN2 Selection of the interfaces between which mDNS requests are to be forwarded.
     At least two interfaces must be entered.
    Default behavior for networks: default All networks connected to the interfaces use the mDNS repeater
    Blocked network exceptions:     Networks from which mDNS requests are not forwarded
    Allowed network exceptions: Only if Default behavior for all networks is deactivated     Explicit specification of the networks from which mDNS requests are forwarded
















    General Settings

    General settings are made under Applications Nameserver  Area General.
    Caption Value Description Nameserver UTMuser@firewall.name.fqdnAnwendungen UTM v12.6.0 Anwendungen Nameserver Allgemein-en.pngTab General
    DNSSEC validation in resolver: Off notempty
    Caution!
    If DNSSEC Validation is enabled alongside Forward-Zones, it must be ensured that the domains corresponding to the forward zones can be validated within the global DNS. Replies corresponding to not globally registered domains are refused and lead to SERVFAIL replies for the domain in question.

    When this function is activated, all DNS entries are resolved with DNSSEC without exception. This would also attempt a validation in the DNS hierarchy for only local addresses. However, due to the lack of uniqueness of the local address, it cannot be registered with higher-level DNS servers. An error message appears, the address is not resolved and the zone is therefore not accessible (using DNS).
    This applies, for example, to .local domains!
    Further information on the implementation of DNSSEC can be found here.
    Allow DNS queries only from routed and VPN networks: On
    Default    		 By default, only DNS queries from the following sources are answered:
    • localhost
    • local networks
    • Networks that are routed via another gateway but do not contain a default route (or shared default route)
    • VPN transfer networks or Roadwarrior address pools
    Off If DNS queries are to be answered from other external networks as well, this option must be disabled
    Disable EDNS for the following servers:     EDNS can be disabled for servers that do not comply with RFC 6891.
    Old or misconfigured name servers sometimes do not use or do not correctly use Extended DNS and as a result do not accept DNS queries that use these protocol extensions.
  • EDNS is mandatory for DNSSEC
    The DO flag (DNSSEC OK) can no longer be placed in the standard header.
      
    • notempty
    New as of v12.6.0

    Use DNS server specified by the provider:    		 Off When activated, the DNS server of the Internet provider is used.
    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/APP/Nameserver&oldid=90884"