Author Topic: How to Resolve External Host Names with Zentyal DNS

jcamel2k5

How to Resolve External Host Names with Zentyal DNS
« on: September 12, 2013, 06:21:57 pm »
I have configured Zentyal as my primary domain DNS host. However, I cannot resolve external domain hosts (hostnames). For example, the domain is "example.com". I only have two locally defined hosts: the gateway ("gw01"), i.e. Zentyal itself, and another virtual machine server ("ovirt1"). (These are defined under "Hostnames" in Zentyal.)

I can ping "gw01.example.com", "ovirt1.example.com" and "example.com" from all local machines served by the Zentyal server. However, I cannot ping any other external domain-related hosts, e.g., "mail.example.com" or "www.example.com" which are hosted by Network Solutions, Inc.

Can someone please help me fix Zentyal DNS so that it will forward the lookups to external DNS hosts to find the undefined external domain-related hosts? (I know I can manually define these external hosts and provide their IPs. However, I don't want to keep having to change the IPs when my host provider decides to change the IPs on their end.) Am I stuck with having to manually define all my external domain hosts under "Hostnames" and update their IPs as needed?

Enclosed are screenshots of my configuration. Identifiable data is blocked out; refer to the previous paragraph for explanations.

Thanks,

Joe

robb

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #1 on: September 12, 2013, 06:31:42 pm »
Did you mark your external nic as external?

christian

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #2 on: September 12, 2013, 07:03:24 pm »
I don't understand how you configure DNS. I'm not saying this is the wrong way but I really don't understand it.

- you are using forwarders, and I'm wondering why ??? As a result, this may prevent internal users from reaching Zentyal via its internal interface if the hostname exists on external DNS
- you are using external name servers for an internal domain (well, I suppose this is an internal domain: you are showing a screenshot but paying attention to hide everything, as if knowing your domain name would bring some weakness ;)
- the secondary name server pushed by DHCP is redundant with the forwarders
- you don't show network settings that are also including DNS  ;)

jcamel2k5

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #3 on: September 12, 2013, 08:23:21 pm »
> Did you mark your external nic as external?

Yes. eth0 is marked as external. eth1 is trunked, and I believe it should be automatically marked as "internal".

What else am I missing?

I cannot resolve my external host names without manually entering them into "Hostnames" in Zentyal. My understanding is that external host name queries should have been passed to the root DNS servers, correct?

Attached are my NIC settings.

Thanks,

Joe

jcamel2k5

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #4 on: September 12, 2013, 08:27:46 pm »
> I don't understand how you configure DNS. I'm not saying this is the wrong way but I really don't understand it.
>
> - you are using forwarders, and I'm wondering why ??? As a result, this may prevent internal users from reaching Zentyal via its internal interface if the hostname exists on external DNS
> - you are using external name servers for an internal domain (well, I suppose this is an internal domain: you are showing a screenshot but paying attention to hide everything, as if knowing your domain name would bring some weakness ;)
> - the secondary name server pushed by DHCP is redundant with the forwarders
> - you don't show network settings that are also including DNS ;)

I've taken out the forwarders; I still cannot resolve external domain hosts. I can resolve all non-domain-related hosts, though, e.g., google.com and www.google.com all resolve; only xxx.<example>.com will not resolve unless I have "xxx" entered into "Hostnames" in Zentyal and provide an IP for "xxx".

I don't believe this is normal behavior for Zentyal.

Thanks,

Joe

christian

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #5 on: September 12, 2013, 09:47:14 pm »
Could you explain further what you intend to achieve, for which kind of machine (internal or external) and what kind of IP (static or dynamic)  ???

jcamel2k5

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #6 on: September 12, 2013, 10:35:16 pm »
> Could you explain further what you intend to achieve, for which kind of machine (internal or external) and what kind of IP (static or dynamic) ???

Here's the scenario:

host: gw01 (internal Zentyal)
host: ovirt1 (internal KVM host)
host: mail (external host @ NSI)
host: www (external host @ NSI)
domain: example.com (a registered domain)

Entries under DNS "Hostnames" on the Zentyal DNS server are:

"gw01" and "ovirt1"; no entry for "mail" and "www".

"gw01.example.com" and "ovirt1.example.com" are resolvable through DNS, but "mail.example.com" and "www.example.com" are not resolvable through DNS on the internal network. "www" and "mail" become resolvable in the internal network if entries are made under "Hostnames" on the Zentyal box. (Both "mail.example.com" and "www.example.com" can be considered 'static'; they can change at the will of the host provider, but both IPs are public IPs. "example.com" is just a pseudo domain standing in for the real FQDN domain.)

This can't be the normal way it should work. Zentyal should resolve what it can and pass along what it can't to root servers.

Thanks,

Joe
« Last Edit: September 12, 2013, 10:45:36 pm by jcamel2k5 »

christian

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #7 on: September 12, 2013, 10:45:53 pm »
> This can't be the normal way it should work. Zentyal should resolve what it can and pass along what it can't to root servers.

Yes... and no.
What you don't get here is that Zentyal is authoritative for example.com.
This means that if you look for www.example.com, Zentyal will try to resolve it. As this entry doesn't exist in Zentyal's local DNS (because this is an external server), the authoritative server's answer is "no such name here, and I know it because I'm responsible for this zone!"

For this specific purpose, forwarders should help, as servers defined as forwarders will be checked first before local DNS (assuming my understanding is correct).

jcamel2k5

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #8 on: September 12, 2013, 10:56:09 pm »
> > This can't be the normal way it should work. Zentyal should resolve what it can and pass along what it can't to root servers.
>
> Yes... and no.
> What you don't get here is that Zentyal is authoritative for example.com.
> This means that if you look for www.example.com, Zentyal will try to resolve it. As this entry doesn't exist in Zentyal's local DNS (because this is an external server), the authoritative server's answer is "no such name here, and I know it because I'm responsible for this zone!"
>
> For this specific purpose, forwarders should help, as servers defined as forwarders will be checked first before local DNS (assuming my understanding is correct).

This is why it's odd. I have "ns11.worldnic.com" and "ns12.worldnic.com" as forwarders, yet "mail" and "www" are not getting resolved on the internal network. These two are the primary and secondary DNS servers assigned to me by NSI.

Clearly, I can just make entries for both "mail" and "www" and point them to their current IPs; however, I know they can change, and I would have to revise them on the Zentyal box as they change on the NSI side.

So, can I make Zentyal non-authoritative, yet, still resolve internal host names for the internal network? Zentyal is active as the domain controller (DC) for "example.com"; and "example.com" does not have another DNS host to do internal lookups.

(I am not an expert on DNS/BIND.)

Attached is the DNS configuration in Zentyal with forwarders.

Thanks,

Joe
« Last Edit: September 12, 2013, 11:01:02 pm by jcamel2k5 »
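The behaviour Joe reports in the two posts above (forwarders configured, yet www.example.com still fails from the LAN) is what an authoritative server is expected to do: BIND, which Zentyal's DNS module drives, consults its forwarders only for names outside the zones it is authoritative for, and for a name inside its own zone it answers from zone data, returning an authoritative NXDOMAIN when the record is absent. The following is an added example, not code from the thread, from Zentyal or from BIND: a small Python model of that decision, plus a check on dig output that tells a local, authoritative NXDOMAIN apart from one that came back through the forwarders. The zone contents, the forwarder's "view of the world", the addresses and the dig transcript are all constructed for illustration.

```python
"""Added example (not from the thread, from Zentyal or from BIND): a toy model
of how an authoritative name server decides between answering from its own
zone and forwarding, plus a classifier for dig output.  Zone data, forwarder
view and the dig transcript are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed zone data mirroring the thread: this server is authoritative
# for example.com and only knows gw01 and ovirt1.
ZONES: Dict[str, Dict[str, str]] = {
    "example.com.": {
        "gw01.example.com.": "192.0.2.1",
        "ovirt1.example.com.": "192.0.2.2",
    },
}

# Constructed stand-in for whatever the forwarders (the registrar's name
# servers in the thread) would answer for names this server does not own.
FORWARDER_VIEW: Dict[str, str] = {
    "www.example.com.": "203.0.113.10",
    "mail.example.com.": "203.0.113.11",
    "www.google.com.": "203.0.113.50",
}


@dataclass
class Answer:
    status: str              # "NOERROR" or "NXDOMAIN"
    address: Optional[str]
    aa: bool                 # authoritative-answer flag, as in the DNS header
    source: str              # "zone" or "forwarder"


def _fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def owning_zone(name: str, zones: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return the closest enclosing zone this server is authoritative for."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name: str, zones=ZONES, forwarder_view=FORWARDER_VIEW) -> Answer:
    name = _fqdn(name)
    zone = owning_zone(name, zones)
    if zone is not None:
        # The server owns this zone, so it answers from zone data and stops.
        # Forwarders are only consulted for names outside authoritative zones;
        # a record that is missing here becomes an authoritative NXDOMAIN.
        addr = zones[zone].get(name)
        return Answer("NOERROR" if addr else "NXDOMAIN", addr, True, "zone")
    addr = forwarder_view.get(name)
    return Answer("NOERROR" if addr else "NXDOMAIN", addr, False, "forwarder")


# Constructed dig transcript of the kind the original poster would get from
# "dig @<zentyal-ip> www.example.com" while the local zone has no www record.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
example.com.  900  IN  SOA  gw01.example.com. hostmaster.example.com. 1 900 600 86400 900
"""


def diagnose(dig_text: str) -> str:
    """Classify a dig response by its status and whether the aa flag is set."""
    status = re.search(r"status: (\w+)", dig_text)
    flags = re.search(r"flags: ([a-z ]*);", dig_text)
    if not status or not flags:
        return "unparseable"
    if status.group(1) == "NXDOMAIN" and "aa" in flags.group(1).split():
        return "authoritative NXDOMAIN"     # our own zone lacks the record
    if status.group(1) == "NXDOMAIN":
        return "upstream NXDOMAIN"          # the forwarder/recursion said no
    return status.group(1)


if __name__ == "__main__":
    for q in ("gw01.example.com", "www.example.com", "www.google.com"):
        print(q, resolve(q))
    print(diagnose(SAMPLE_DIG))
```

The practical check is the second half: run dig against the Zentyal address for one of the failing names and look at the header line. NXDOMAIN together with the aa flag means the answer was produced by Zentyal's own zone and no forwarder was ever asked; adding or removing forwarders will not change it. Since Zentyal has to stay authoritative for example.com to act as its domain controller, the realistic options are the ones the thread converges on: carry the public records (www, mail) in the Zentyal zone as well, and re-check them when the hosting provider changes addresses.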

BrunovonTroba

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #9 on: March 06, 2014, 06:58:40 pm »
A little bit of an old topic, but an explanation may help others too.

1. You can't resolve an internal IP (like 192.168.0.1) using external DNS.
If you have the domain "mydomain.com" at IP address 185.11.32.40, "www.mydomain.com" at IP address 185.11.32.41 and "ns1.mydomain.com" at IP address 185.11.32.42, then ANYONE in the world asking about one of those names will get the assigned IP address in return.
Example:
ping www.mydomain.com will result in pinging address 185.11.32.41
In this case, if you set "ovirt1.mydomain.com" to address 192.168.0.1, then ANYONE IN THE WORLD pinging "ovirt1.mydomain.com" will ping address 192.168.0.1, but not yours, because address 192.168.0.1 exists only in local networks. So any person pinging "ovirt1.mydomain.com" will reach their own address in their local network (if it exists in their local network).
It is also dangerous because it reveals your internal LAN configuration to the world.

2. If you have "mydomain.com" set in external DNS and set the same domain on your internal Zentyal server/router:
In this case ANY internal workstation/server will look up subdomains on your internal server. So if you have registered "www.mydomain.com" on external DNS and "ovirt1.mydomain.com" on internal DNS, then a workstation asking for "ovirt1.mydomain.com" will get an IP address, but asking for "www.mydomain.com" will get no result, because it will not ask external DNS, as the internal DNS is the master for it.
If you set external DNS as master, then you will not find "ovirt1.mydomain.com".

3. In local networks you can use a LOCAL domain like "mylan.local"; in this case in the internal network you can set "ovirt1.mylan.local" and start pinging with ping ovirt1.

4. Set up transparent DNS.
All your internal workstations/servers will treat Zentyal DNS as a DNS cache. It reduces external DNS queries and does not reveal your internal IP structure to the world (and to foreign DNS owners). In your DHCP, delete the external DNS addresses (like Google's 8.8.8.8). Instead let your Zentyal ask external DNS and hand the answers to your LAN.

christian

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #10 on: March 06, 2014, 07:55:09 pm »
 :)

There is a quite simple solution to the side effects you describe. This is known as "split DNS" (split views), which permits exposing different content depending on where you request DNS from.
From internet you will expose only public content while from Intranet you will expose also your private host and services.
Cool  8)

but Zentyal doesn't implement it so far  :'(

robb

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #11 on: March 06, 2014, 08:38:43 pm »
I was just wondering... can't you mimic split DNS?
If you use subdomains for all your websites, you can choose to only advertise the 'private websites' to Zentyal DNS and make them only available from your LAN (or VPN clients if you propagate Zentyal DNS to VPN clients). From outside you only add the domains that you allow from the outside to be available.

christian

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #12 on: March 06, 2014, 09:11:33 pm »
The idea behind split view is that you expose different content for same domain.
You could imagine a workaround (although I don't really understand what you have in mind), but perhaps one example will clarify this concept.

Imagine you have a web page or application containing a URL pointing to another web server. This application is available from inside and outside.
1 - When inside, you want this URL to be resolved to the internal IP, while when outside, you want to use the public IP (which could be, e.g., your reverse proxy)
2 - you don't want the whole internet to know that you have a web server available on your LAN at this IP. Even if it is not directly reachable because you are using RFC1918 IPs, it exposes some information that is better kept inside only.

For this exact same reason, I don't understand the habit of using different domain names for external and internal content. When using your laptop to connect to services like "bookmarks" in your browser pointing to your web server, or even when trying to access your mail server, how do you proceed if you have a different domain name? Do you switch to another mail client configuration ::) ???

robb

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #13 on: March 06, 2014, 09:16:22 pm »
What I do now for my personal sites is use the registrar's DNS for external clients and Zentyal for internal clients. Imagine you don't want internal.domain.tld be available for external clients and only for internal clients. Then you only create an A record in Zentyal DNS (internal interface ;) ) for internal.domain.tld
If you want website.domain.tld be available for both internal and external, you create an A record at your registrar's DNS and in Zentyal DNS.
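BrunovonTroba's first point (a private address published in public DNS is useless to outsiders and leaks your LAN layout) and robb's workaround just above (registrar DNS for the public names, Zentyal for internal-only names, both for names that must resolve everywhere) can be combined into one small tool. What follows is an added example, not code from the thread, from Zentyal or from any registrar: a single constructed list of records, tagged with where each name is meant to resolve, from which the registrar-side set and the Zentyal-side set are derived, with a guard that refuses to let an RFC1918 address into the registrar-side set. All names, addresses and the "scope" tags are constructed for illustration; in Zentyal the internal set would still be typed in by hand under "Hostnames", which is the maintenance burden christian complains about.

```python
"""Added example (not from the thread, from Zentyal or from a registrar):
derive the external (registrar) and internal (Zentyal) record sets from one
tagged list, never publishing RFC1918 addresses externally.  All data is
constructed."""
import ipaddress
from typing import List, Tuple

# RFC1918 ranges spelled out explicitly: ipaddress.is_private also covers
# loopback, link-local and the documentation nets, which is not what we mean.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed source of truth: (name, IPv4 address, scope).
#   "public"   -> meant to resolve from the internet and from the LAN
#   "internal" -> meant to resolve from the LAN only
RECORDS = [
    ("www.example.com",      "203.0.113.10", "public"),
    ("mail.example.com",     "203.0.113.11", "public"),
    ("gw01.example.com",     "192.168.0.1",  "internal"),
    ("ovirt1.example.com",   "192.168.0.2",  "internal"),
    ("intranet.example.com", "10.0.0.5",     "public"),   # mislabelled on purpose
]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def split_views(records):
    """Return (external, internal, leaks).

    external: what to publish at the registrar.
    internal: what the Zentyal zone must carry.  That is everything, because
              Zentyal is authoritative for the domain and is never asked to
              forward for names inside it, so the public names must be
              duplicated there too.
    leaks:    names tagged public whose address is RFC1918; they are kept
              out of the external set instead of being published."""
    external, internal, leaks = [], [], []
    for name, addr, scope in records:
        internal.append((name, addr))
        if is_rfc1918(addr):
            if scope == "public":
                leaks.append(name)
            continue
        if scope == "public":
            external.append((name, addr))
    return external, internal, leaks


def zone_lines(records: List[Tuple[str, str]], ttl: int = 300) -> List[str]:
    """Render records as zone-file A lines, the format BIND zone files use."""
    return [f"{name}. {ttl} IN A {addr}" for name, addr in records]


if __name__ == "__main__":
    ext, internal, leaks = split_views(RECORDS)
    print("registrar zone:")
    print("\n".join(zone_lines(ext)))
    print("zentyal zone:")
    print("\n".join(zone_lines(internal)))
    print("refused to publish:", leaks)
```

The leaks list is the check worth keeping even if the rest is thrown away: run it over whatever you are about to upload to the registrar, and anything in 10/8, 172.16/12 or 192.168/16 stays on the LAN side.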

christian

Re: How to Resolve External Host Names with Zentyal DNS
« Reply #14 on: March 06, 2014, 09:23:03 pm »
That's what I'm doing too.  ;D
I don't want to rely on Zentyal DNS from internet  :-\
But you will admit that in case you have many services and potentially changes, this is rather painful and also, from a design perspective, a shame that such state-of-the-art design is not available out of the box.