Configure DNS zones for use with the DNS service of the Barracuda CloudGen Firewall. Modify the DNS zone template by adding hosts, subdomains, mail exchangers, etc. You can also create new DNS zones. When adding new zones, they will inherit all the settings specified in the template zone. The procedure for creating and modifying zone template settings is identical to the procedure for creating and editing settings in a new zone. Each zone can be defined as a forward or reverse lookup zone.
Before You Begin
- Before starting the configuration, you must create a DNS service. For more information, see How to Configure Services.
- Make sure that your DNS server is properly configured. For more information, see How to Configure the DNS Service.
Configure a DNS Zone
Configure zone 1 (_template) by modifying the Start of Authority (SOA). Then, you can add and configure further zones that will inherit the template settings.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service.
- Double-click DNS Template Zone.
- Right-click the zone entry (e.g. _template) in the left navigation tree and select Lock Zone.
- In the main table, double-click the zone entry (e.g. _template). The Properties of window opens.
- Define a Serial number. Clicking Update increases the serial number by one.
- In the Primary Server field, define the primary name server of the domain. Click Pick up to select already created entries.
- In the Responsible person field, define a person responsible for this host/zone. The syntax that has to be used is username.domain (e.g. ernestexample.test.org).
- Adjust the following settings according to your needs:
- Refresh after – This interval tells the slave how often it has to check whether its data is up to date.
- Retry after – When the slave fails to reach the master server after the refresh period (Refresh after), then it starts trying again after this set time interval.
- Expire after – When the slave fails to contact the master server for the expire period, the slave expires its data. Expiring means that the slave stops giving out answers about the data because the data is too old to be useful.
- Minimum TTL – (standard) This value sets the Time To Live of cached database entries of this zone (format: days:hours:minutes:seconds).
- Expire (TTL) – This value sets the Time To Live of cached database entries of this zone until they are considered expired.
- Click OK.
- Click Send Changes and Activate.
The Start of Authority (SOA) for the zone is now configured and you can add Name Server (NS), host, Mail-Exchanger and sub-domains, depending on your requirements. Each added entry generates an additional tab in the Properties of window for the SOA from where you can edit the settings.
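The SOA timing fields above, modelled as an added example (Python written for this page, not Barracuda code or part of the firewall). The template values are constructed in the page's days:hours:minutes:seconds format, and the slave behaviour follows the Refresh after, Retry after and Expire after descriptions given above:

```python
# Added example (not Barracuda code): the SOA timing fields from the steps
# above as values, with the checks a practitioner makes before activating.
from dataclasses import dataclass

def parse_dhms(value: str) -> int:
    """Convert the page's days:hours:minutes:seconds format to seconds."""
    parts = value.split(":")
    if len(parts) != 4:
        raise ValueError(f"expected days:hours:minutes:seconds, got {value!r}")
    days, hours, minutes, seconds = (int(p) for p in parts)
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds

@dataclass(frozen=True)
class Soa:
    serial: int       # raised by one on every Update, as the page says
    refresh: int      # seconds between a slave's freshness checks
    retry: int        # seconds between retries after a failed refresh
    expire: int       # seconds after which a slave stops answering
    minimum_ttl: int  # seconds the zone's records may stay cached

def check_soa(soa: Soa) -> list:
    """Return the timing inconsistencies that make a zone misbehave on slaves."""
    problems = []
    if soa.retry >= soa.refresh:
        problems.append("retry must be shorter than refresh")
    if soa.expire <= soa.refresh + soa.retry:
        problems.append("expire must exceed refresh + retry")
    if soa.minimum_ttl > soa.expire:
        problems.append("minimum TTL outlives expire")
    return problems

def slave_state(soa: Soa, last_good_refresh: int, now: int) -> str:
    """What a slave does with its copy at `now` (epoch seconds) when the
    master has been unreachable since `last_good_refresh`."""
    age = now - last_good_refresh
    if age >= soa.expire:
        return "expired"   # data too old to be useful: the slave stops answering
    if age >= soa.refresh:
        return "retrying"  # still answers, polls the master every `retry` seconds
    return "fresh"

# Constructed template values in the page's format, not from a real firewall.
TEMPLATE = Soa(serial=1, refresh=parse_dhms("0:1:0:0"), retry=parse_dhms("0:0:15:0"),
               expire=parse_dhms("7:0:0:0"), minimum_ttl=parse_dhms("0:0:5:0"))
```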
Add a New Name Server
Introduce a Name Server (NS) to the zone.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service.
- Double-click DNS Template Zone.
- Right-click the zone entry (e.g. _template) in the left navigation tree and select Lock Zone.
- Right-click in the table and select New Name Server (NS).
- Click Add. The Properties of window opens.
- Enter the Servername. To select existing entries, click Pick up.
- Enter the IPv4 or IPv6 address of the name server and click Add.
- In the Expire (TTL) field, set the globally defined lifetime that future name server records are expected to have (format: days:hours:minutes:seconds), and click OK.
- Click OK.
- Click Send Changes and Activate.
An entry for the new name server is now displayed in a separate row within the main table and can be selected for further modification.
Add a New Host
Introduce a host to the zone (e.g. _template).
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service.
- Double-click DNS Template Zone.
- Right-click the zone entry (e.g. _template) in the left navigation tree and select Lock Zone.
- Right-click in the table and select New Host.
- In the Host field, enter the name of the host.
- Enter the host IPv4 address and click Add.
- Define the Expire (TTL) (format: days:hours:minutes:seconds).
- Select Add corresponding reverse lookup entry (PTR) to automatically create a pointer record when creating the A record.
- Open the Text (TXT) tab.
- In the Text field, enter an optional description of the system to simplify maintenance of the DNS database.
- Under the Host Information (HINFO) tab, add information on the hardware and operating system of the host if applicable.
- Under the Well-Known Services (WKS) tab, specify the IPv4 address and the used protocol in the appropriate fields. The services must be entered in plain text and separated with blanks (e.g. telnet ssh smtp ftp).
- Click OK.
- Click Send Changes and Activate.
An entry for the new host is now displayed in a separate row within the main table and can be selected for further modification.
Add a New Mail Exchanger
Introduce a mail exchanger to handle mail traffic for the domain.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service.
- Double-click DNS Template Zone.
- Right-click the zone entry (_template) in the left navigation tree and select Lock Zone.
- Right-click in the table and select New Mail-Exchanger.
- In the Host field, specify one of the following values according to your needs:
- @domain.com – Mail-exchanger is responsible for
- any_text – Mail-exchanger is responsible for
- @any_text.domain.com – Mail-exchanger is responsible for
- Specify the Mailserver name. To select existing entries, click Pick up.
- If required, set the values for Mailserver priority and Expire (TTL) (format: days:hours:minutes:seconds).
- Open the Mailbox information (MINFO) tab.
- Specify the name of the Mailbox (MB). To select existing entries, click Pick up.
- Specify the name of the Error Mailbox (MB) and Expire (TTL) (format: days:hours:minutes:seconds).
- Under the Well-Known Services (WKS) tab, enter the IPv4 address and the used protocol in the appropriate fields.
- Enter the services (e.g. telnet ssh smtp ftp). The services must be entered in plain text and separated with blanks.
- Click OK.
- Click Send Changes and Activate.
An entry for the mail exchanger is now displayed in a separate row within the main table and can be selected for further modification.
Add a New Domain
Introduce a new subdomain to the zone (e.g. _template).
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service.
- Double-click DNS Template Zone.
- Right-click the zone entry (_template) in the left navigation tree and select Lock Zone.
- Right-click in the table and select New Domain.
- Enter a name for the new sub-domain and click OK.
After clicking OK, the new subdomain displays in the DNS tree. Within the new sub-domain, you can perform the same operations as described above.
- Click Send Changes and Activate.
Add New Others
There are several other objects you can add to your DNS configuration. These objects can be introduced by right clicking in the DNS config table and selecting New Others. The following objects can be added to the DNS configuration:
Add a New Zone
Create an additional zone and configure the settings according to your requirements. This new zone will inherit the settings configured in the template zone. (Note that only template settings that already existed before the zone was created are inherited.)
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service.
- Double-click DNS Template Zone.
- Right-click your DNS server and select Lock Server.
- Right-click your DNS server and select Add New Zone. The Properties of window opens.
- Select the Type of the zone from the list. (For more information, see DNS.)
- Enter the Origin Domain Name you wish to create here (e.g. barracuda.com).
- Define whether the zone should perform DNS Forward or Reverse lookup:
- Forward – Provides IP addresses for known host names.
- Reverse – Provides host names for known IP addresses (provided only for 8-bit networks, e.g. 213.47.10.0/24).
- When type Slave is selected, add the master IP addresses.
- When type Forward is selected, add the forward IP addresses.
- Click Advanced and configure the following settings in the Interface section:
- notify – Allows the administrator to select whether the DNS server should notify slave DNS servers about zone changes. If explicit is selected, enter the explicit IP address in the also notify field.
- also notify – Here you may enter a list of IPv4 or IPv6 hosts that should be notified about zone changes although these machines are not registered slaves of the DNS server. Separate multiple entries with a semicolon and space (e.g. 10.0.0.53; 10.0.0.67; 192.168.0.10; 2001:db8:85a3:0:0:8a2e:370:73341).
- transfer-source-ip – (only available for type Slave) The IP address the slave has to use when contacting its master DNS server.
- In the Security section, configure detailed security options for the DNS service (these settings are very important for types Master and Forward):
- allow notify – (only available for type Slave) Defines whether the slave accepts notifications about updates from its master.
- allow query – Lists the IPv4 or IPv6 hosts that are allowed to query the DNS server. By default all hosts are allowed.
- allow update – Lists the hosts that are allowed to update the database of the DNS server.
- allow transfer – Lists the hosts that are allowed to fetch the DNS database from the DNS server.
- Click OK.
- Click Send Changes and Activate.
The new zone is now displayed in the left configuration tree. Clicking on this entry displays the zone details in the main table, from where you can add Name Servers, hosts, subdomains, mail exchangers, etc.
Troubleshooting
Add a New Start Of Authority (SOA)
In case you have deleted the standard template that is automatically inherited by newly generated zones and have created a new zone afterwards, you must create a new Start of Authority (SOA).
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > DNS-Service.
- Double-click DNS Template Zone.
- Right-click your DNS server and select Lock Server.
- Locate the newly created domain lacking an SOA record in the tree view.
- Right-click in the table and select Add a New Start of Authority (SOA), or, if the SOA record already exists, double-click an existing entry with type NS or SOA and select the Start of Authority (SOA) tab.
- Specify the settings as described in Configure DNS Zones.
- Click Send Changes and Activate.
Enable Debug Logging
To enable debug logging for the DNS service, edit its named.conf file. Then restart the service.
- Edit the named.conf file:
vi /opt/phion/config/active/servers/<servername>/services/<dns-servicename>/named.conf
- Replace these lines:
logging {
    category "default" { "default_syslog"; };
};
- with the following lines:
logging {
    category "default" { "default_syslog"; };
    category "general" { "default_syslog"; };
    category "database" { "default_syslog"; };
    category "security" { "default_syslog"; };
    category "config" { "default_syslog"; };
    category "resolver" { "default_syslog"; };
    category "xfer-in" { "default_syslog"; };
    category "xfer-out" { "default_syslog"; };
    category "notify" { "default_syslog"; };
    category "client" { "default_syslog"; };
    category "unmatched" { "default_syslog"; };
    category "network" { "default_syslog"; };
    category "update" { "default_syslog"; };
    category "queries" { "default_syslog"; };
    category "dispatch" { "default_syslog"; };
    category "dnssec" { "default_syslog"; };
    category "lame-servers" { "default_syslog"; };
};
- Restart the DNS service. Enter:
phionctrl module restart dns
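An added example (Python written for this page, not Barracuda code) that audits a named.conf of the kind edited above. It serves two sections: the allow transfer and allow update access lists from the Security section of Add a New Zone, and the logging categories from Enable Debug Logging. The configuration fragment is constructed for the example; the directive names are BIND's and the firewall's generated file is assumed to use the same block layout.

```python
# Added example (not Barracuda code): audit a named.conf for open ACLs and
# missing log categories. The fragment below is constructed for the example.
import re

SAMPLE_NAMED_CONF = """
options {
    allow-query { any; };
    allow-transfer { any; };
};
logging {
    category "default" { "default_syslog"; };
    category "queries" { "default_syslog"; };
};
zone "example.test" {
    type master;
    file "example.test.zone";
    allow-update { 10.0.0.53; };
    also-notify { 10.0.0.67; };
};
"""

# allow-query defaults to any (the page says all hosts may query by default);
# the ACLs below are the ones that should never be open to every host.
ACL_DIRECTIVES = ("allow-transfer", "allow-update", "allow-notify")
# Categories from the debug logging block that matter for a security review.
WANTED_CATEGORIES = ("security", "xfer-out", "update", "notify", "queries")

# Top-level options { ... }; and zone "name" { ... }; blocks; a block ends at
# the first "};" that starts a line (nested ACLs close mid-line).
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")\s*\{(.*?)\n\};', re.S)

def find_open_acls(conf: str) -> list:
    """Return (directive, scope) pairs whose address list contains 'any'."""
    findings = []
    for block in BLOCK_RE.finditer(conf):
        scope = block.group(2) or "options"
        for directive in ACL_DIRECTIVES:
            acl = re.search(rf'{directive}\s*\{{([^}}]*)\}}', block.group(3))
            if acl and re.search(r'\bany\b', acl.group(1)):
                findings.append((directive, scope))
    return findings

def missing_log_categories(conf: str) -> list:
    """Return the wanted logging categories that the logging block lacks."""
    logging = re.search(r'logging\s*\{(.*?)\n\};', conf, re.S)
    present = set(re.findall(r'category\s+"([^"]+)"', logging.group(1))) if logging else set()
    return [c for c in WANTED_CATEGORIES if c not in present]
```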