How to Configure DNS Zones

Transcription

1 The Barracuda NG Firewall DNS configuration object contains two predefined zones: _template and '.' To be able to edit and specify DNS zones within the Barracuda NG Firewall DNS configuration, you must create a DNS service. For more information, see How to Activate the DNS Server. In this article: Zone 1: _template This zone contains the general template, which is used as model for all newly created zones. The procedure for creating and modifying template settings is identical to the procedure for creating and editing settings in another zone. Note that only template settings will be inherited that already existed before the zone was created. To access the _template zone, proceed with the following steps: 1. Log into the Barracuda NG Firewall 2. From the Config Tree, expand Box > Virtual Servers > your server > Assigned Services > DNS. 3. Expand the DNS service and open the DNS Template Zone by double clicking it. 4. Double click the entry (_template) to create or modify settings for SOA, primary server, nameserver, etc. 5. Right-click into the main window to create new hosts, mail exchangers, etc. Every setting made here will be clearly arranged in a separate row within the main window and can be selected for further modification or deletion. Zone 2: '.' The initial set of root-servers is defined using a hint zone. When the server starts up it uses the hint zone file to find a root name server and get the most recent list of root name servers. The "." zone is short for this root zone and means any zone for which there is no locally defined zone (slave or master) or cached answer. Do NOT modify the root server settings unless you exactly know what you are doing. Add a New Zone To introduce a new zone, right-click your DNS server and select Lock Server. Optionally, you may lock the DNS server already in the config tree. The configuration can now be modified. Select Add New Zone from the context menu and configure the following options: Parameter Overview Click here to see more Parameter Description 1 / 11

2 Type Origin Domain Name Lookup Masters Forwards 2 / 11 Master - Every domain configuration change takes place on the master. From here the information is propagated to the secondary servers. A master zone requires at least a Start of Authority (SOA) record and a Name Server (NS) record. Be sure to examine the security settings of the master zone, since a corrupt master zone can cause a lot of problems. Slave - A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone. DNS slave zones do not require much configuration; just enter the IP addresses of the master server (or servers) and examine the security settings. Be sure to set a transfer-source- IP, otherwise the slave zone will not be accepted by the DNS server. Forward - A forward zone is used to direct all queries in it to other servers. The specification of options in such a zone will override any global options declared in the options statement. A forward zone does not need a transfer-source-ip. Be sure to check the security settings. Hint - The initial set of root name servers is specified using a hint zone. When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers. The Barracuda NG Firewall DNS server already has a hint zone (Zone ".") pre-configured, so normally there is no need to introduce another hint zone. Depending on the selected types the necessary settings may be slightly different. Such settings are marked with (optional) in the following. Enter the domain name you wish to create here (for example, barracuda.com). This section is used for defining whether the zone should perform Forward or Reverse lookup. DNS forward lookup provides IP addresses for known host names, while reverse lookup provides host names for known IP addresses. The Barracuda NG Firewall DNS server is able to provide DNS reverse lookup only for 8-bit networks (like /24). (optional) This field is available when type Slave is selected. Enter the master IP addresses here. (optional) This field is available when type Forward is selected. Enter the forward IP addresses here. By clicking the advanced button a new window appears containing additional settings: notify Parameter also notify transfer-source-ip Advanced Settings Section Security Description Allows the administrator to select whether the DNS server should notify slave DNS servers about zone changes. Possible values for selection are yes/no/explicit. If explicit is selected enter the explicit IP in the also notify field below. Here you may enter a list of IPv4 or IPv6 hosts that should be notified about zone changes although these machines are not registered slaves of the DNS server. Separate multiple entries with a semicolon and space (like ; ; ; 2001:db8:85a3:0:0:8a2e:370:7334). This field is only available for type Slave. It defines the IP address the slave has to use when contacting its master DNS server. The following options are available: service-default server-first server-second explicit Slave zones must have transfer-source-ip to work. This section offers detailed security options for the DNS service. Each pull-down field can take one the value none or any.

3 allow notify - This field is only available for type Slave. It defines if the slave accepts notifications about updates from its master. allow query - Lists the IPv4 or IPv6 hosts that are allowed to query the DNS server. By default all hosts are allowed to query the DNS server. allow update - Lists the IPv4 or IPv6 hosts that are allowed to update the database of the DNS server. allow transfer - Lists the IPv4 or IPv6 hosts that are allowed to fetch the DNS database from the DNS server. Edit/Add a New Start of Authority At creation time of the Barracuda NG Firewall DNS Server a standard template is created which is automatically inherited by newly generated zones. This template may freely be deleted or modified. In case you have deleted it, and have thereafter created a new zone, proceed as follows to comprehend the following instructions: Select the newly created domain lacking a SOA record in the tree view, right-click the main window and choose Add a New Start of Authority (SOA). If the SOA record already exists, double-click an existing entry with type NS or SOA and select the Start of Authority (SOA) tab. DNS Server - SOA Configuration Serial Primary Sever Enter a serial number here. - Clicking Update will increase the serial number by one. The serial number of the master has to be higher than the serial number saved on the slave, otherwise the slave will stop fetching information updates from its master. Select the primary name server of the domain here. - By clicking Pickup already created entries can be selected. 3 / 11

4 Responsible person Refresh after Retry after Expire after Minimum TTL Expire (TTL) Use this field to define a person responsible for this host/zone. The syntax that has to be used is username.domain (for example ernestexample.test.org). - By clicking Pickup, already created entries can be selected. This interval tells the slave how often it has to check whether its data is up to date. When the slave fails to reach the master server after the refresh period (Refresh after), then it starts trying again after this set time interval. When the slave fails to contact the master server for the expire period, the slave expires its data. Expiring means that the slave stops giving out answers about the data because the data is too old to be useful. (standard) This value sets the Time To Live of cached database entries of this zone. - The format for TTL is days:hours:minutes:seconds. This value sets the Time To Live of cached database entries of this zone until it is considered as expired. - The format for TTL is days:hours:minutes:seconds. Edit/Add a New Name Server To introduce a new Name Server (NS), right-click the right part of the window and select New Name Server (NS). If a nameserver has already been created, open an existing entry with type SOA or NS and click the Nameserver (NS) tab. A new nameserver can only be entered if the SOA has already been generated. 4 / 11

5 Name Server Configuration Superordinate domain Add/Modify/Delete Add a New Host This is a read-only field. It displays the name of the domain the nameserver will be responsible for. To add name servers, click Add. Servername - This is the name of the name server. IP Address - This is the IPv4 or IPv6 address of the name server. Expire (TTL) - This is the globally defined length of life, future name server records are expected to have. The format for the Time to Live (TTL) is days:hours:minutes:seconds. To introduce a new host, right-click the main window and select New Host. Entries made in the individual tabs will be saved in separate rows of type A, TXT, HINFO and WKS within the main configuration window. Select the Add corresponding reverse lookup entry (PTR) check box to automatically create a pointer record when creating the A-Record. In order to function, the reverse zone as described in the last article section must have already been created. 5 / 11

6 Host Configuration Superordinate domain - This read-only field displays the name of the domain where the new host is created in (This field is also displayed in all other tabs of this window). Host - Enter the name of the host here (In all other tabs of this window this field is also displayed but read-only). IP address - To enter a new host IPv4 address, click Add. To delete an existing address, click Delete. Expire (TTL) - The format for this field is days:hours:minutes:seconds. Host Information (HINFO) Tab The fields of this tab (Hardware Type and Operating System) can be used to provide information on the hardware and operating system of the host. Text (TXT) Tab Text - In this field, any text can be entered. For example, for describing the system to simplify maintenance of the DNS database. Expire (TTL) - The format for this field is days:hours:minutes:seconds. Well-Known Services (WKS) Tab Enter the IPv4 address and the used protocol in the appropriate fields. The services must be entered in plain text and separated with blanks (like: telnet ssh smtp ftp). Add a New Mail-Exchanger To introduce a new mail exchanger, right-click the main window and select New Mail-Exchanger. 6 / 11

7 Mail-Exchanger Configuration Superordinate domain - This is a read-only field. It displays the name of the domain the mailexchanger handles mail-traffic for. (This field is also displayed in all other tabs of this window). Host - Depending on the needs the following values are entered - mail-exchanger is responsible any_text - mail-exchanger is responsible Mailserver (A) - Here the name of the mailserver must be entered. To select existing entries, click Pickup. Mailserver priority - Use this field to set the mailserver priority. Expire (TTL) - The format for this field is days:hours:minutes:seconds. Mailbox information (MINFO) Tab Mailbox (MB) - Here the name of the mailbox has to be entered. To select existing entries, click Pickup. Error mailbox (MB) - Here the name of the error mailbox has to be entered. To select existing entries, click Pickup. Expire (TTL) - The format for this field is days:hours:minutes:seconds. Well-Known Services (WKS) Tab Enter the IPv4 address and the used protocol in the appropriate fields. The services must be entered in plain text and separated with blanks (for example telnet ssh smtp ftp). Add a New Domain To introduce a new subdomain, right-click the main window and select New Domain. 7 / 11

8 Enter a name for the new sub-domain. After clicking OK, the new subdomain displays in the DNS tree. Within the new sub-domain, you are able to perform the same operations as described above. Completely set up new subdomains before clicking Send Changes and Activate. Otherwise, incompletely configured subdomains are deleted. Add New Others There are several other objects you can add to your DNS configuration. These objects can be introduced by right-clicking in the right part of the DNS config window and selecting New Others. The following objects can be added to the DNS configuration: Parameter Overview Click here to see more A AAAA AFSDB CNAME DNAME HINFO ISDN MB MG New host. IPv6 address. AFSDB records specify the hosts that provide a style of distributed service advertised under this domain name. A subtype value (analogous to the preference value in the MX record) indicates which style of distributed service is provided with the given name. Subtype 1 indicates that the named host is an AFS database server for the AFS cell of the given domain name. Subtype 2 indicates that the named host provides intra-cell name service for the DCE cell named by the given domain name. CNAME specifies an alias or nickname for the official or canonical name. An alias should be the only record associated with the alias; all other resource records should be associated with the canonical name and not with the alias. Any resource records that include a zone name as their value (for example, NS or MX) must list the canonical name, not the alias. This resource record is especially useful when changing machine names. DNAME specifies an alias for one or more subdomains of a domain. The effect of this is that the entire subtree of DNS identified by the domain name can be mapped onto the target domain. HINFO records contain host-specific data. They list the hardware and operating system that are running on the listed host. If you want to include a space in the machine name, you must quote the name. Host information is not specific to any address class, so ANY may be used for the address class. There should be one HINFO record for each host. For security reasons, many sites do not include the HINFO record, and no applications depend on this record. Representation of ISDN addresses. MB lists the machine where a user wants to receive mail. The "name" field is the user's login; the machine field denotes the machine to which mail is to be delivered. Mail box names should be unique to the zone. The mail group record (MG) lists members of a mail group. 8 / 11

9 MINFO MR MX NAPTR NS PTR RP RT SRV TXT WKS X25 MINFO creates a mail group for a mailing list. This resource record is usually associated with a mail group, but it can be used with a mailbox record. The "name" specifies the name of the mailbox. The "requests" field is where mail such, as requests to be added to a mail group, should be sent. The "maintainer" is a mailbox that should receive error messages. This is particularly appropriate for mailing lists when errors in members' names should be reported to a person different to the sender. MR records lists aliases for a user. The "name" field lists the alias for the name listed in the fourth field, which should have a corresponding MB record. MX records specify a list of hosts that are configured to receive mail sent to this domain name. Every host that receives mail should have an MX record, since if one is not found at the time the mail is delivered, an MX value will be imputed with a cost of 0 and a destination of the host itself. NAPTR records map between sets of URNs, URLs and plain domain names and suggest to clients what protocol should be used to talk to the mapped resource. For example NAPTR is used in SIP. The SIP URN for the US telephone number would be tel: and its domain name sipcalls.sip.com NS lists a name server responsible for a given zone. The first "name'' field lists the zone that is serviced by the listed name server. There should be one NS record for each name server of the zone, and every zone should have at least two name servers, preferably on separate networks. PTR allows special names to point to some other location in the domain. The following example of a PTR record is used in setting up reverse pointers for the special in addr.arpa domain. This line is from the example mynet.rev file. In this record, the "name'' field is the network number of the host in reverse order. You only need to specify enough octets to make the name unique. RP identifies the name (or group name) of the responsible person(s) for a host. This information is useful in troubleshooting problems over the network. Route-through binding for hosts that do not have their own direct wide area network addresses (experimental). Information on well known network services (replaces WKS). A TXT record contains free-form textual data. The syntax of the text depends on the domain in which it appears; several systems use TXT records to encode user databases and other administrative data. WKS records describe the well-known services supported by a particular protocol at a specified address. The list of services and port numbers comes from the list of services specified in /etc/services. There should be only one WKS record per protocol and address. Because the WKS record is not widely used throughout the Internet, applications should not rely on the existence of this record to recognize the presence or absence of a service. Instead, the application should simply attempt to use the service. Representation of X.25 network addresses (experimental). Reverse Lookup Zones Each of the available zones can be defined as a reverse lookup zone. To do so, switch the lookup box from forward to reverse when creating a new zone. The input mask will change and you will be able to enter the address of the network you wish to create a reverse lookup zone for. 9 / 11

10 An appropriate name for the reverse lookup zone will automatically be created from the network address. For example, if the network address would be , this would result in an automatically created reverse lookup zone named in-addr.arpa. By clicking the advanced button, the Advanced window will appear, allowing you to define the same options as described in the section. 10 / 11

11 Figures 11 / 11