DNS: Difference between revisions

Previous revision (the BIND-based version of this page, superseded by the latest revision below):

Here's a quick overview of what you need:

First, remember that you need to set up an MX record for the DOMAIN, which points to the A record for the HOST, which will be the IP ADDRESS of the box running Zimbra.

Example:
Zimbra is running on zcs.domain.com, IP 1.2.3.4
You send mail to user1@domain.com

Postfix will look up the MX record for domain.com, which will return zcs.domain.com, IP address 1.2.3.4.

Something like this is the file you need. This sets itself up as the SOA for the domain.com domain, sets the NS record to be zcs.domain.com, standard timeout stuff, then adds one MX record, plus the A record that corresponds to the MX record.

<pre>$TTL 3D
@       IN SOA zcs.domain.com. zcs.marcmac.com. (
                    2005110200  ; serial
                    8H          ; refresh, seconds
                    2H          ; retry, seconds
                    4W          ; expire, seconds
                    1D )        ; minimum, seconds
;
        IN NS   zcs                 ; Inet Address of name server
        IN MX   10 zcs.domain.com.  ; Primary Mail Exchanger
;
zcs        IN A     1.2.3.4
mail       IN CNAME zcs       ; CNAME for a common nickname
otherhost  IN A     1.2.3.5   ; another host, for example
www        IN CNAME otherhost ; with a nickname</pre>

So, drop that in the domain.com file in /var/named/data (or /var/named/chroot/var/named/data, depending).

In /etc/named.conf (or /var/named/chroot/etc/named.conf), you'll put:

<pre>options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
};
include "/etc/rndc.key";

zone "domain.com" {
        type master;
        file "/var/named/data/domain.com";
};</pre>

A note about chrooting - most name servers run in a chrooted environment - so, you'll create the files in /var/named/chroot/whatever - but remember, when named is running, its paths are relative to the chroot - so when you REFER to a file (as I do above in the named.conf snippet) you'll have absolute paths that are relative to the chroot.

Is it chrooted? Check /etc/sysconfig/named for a ROOTDIR value. If it's present, then that's your chroot.

Also, make sure that this nameserver is listed first in resolv.conf. Also, if there are other hosts in this domain, you should add them too, or you won't be able to resolve them.

CAVEAT - I haven't touched my named config in a while, so more recent BIND versions may be pickier than mine - but this should work.

Another CAVEAT - Run named chrooted, as a non-root user. BIND is known for exploits, and being hacked is a drag. My examples are just to get you going, and aren't intended as a BIND security primer.

=== Firewall and DNS ===
If you are running a ZCS installation that is behind a firewall and has its IP address masked using NAT, mail delivery may not work correctly if the internal IP address is not listed in DNS. In order to reconcile the private and public IP addresses in DNS, you may need to set up Split DNS. More information on Split DNS configuration is available on the [[Incoming_Mail_Problems#Split_DNS|Incoming Mail Problems]] page.

[[Category:Architecture and Components]]

Latest revision as of 12:04, 11 January 2024

DNS

KB 1292 (applies to ZCS 10.0, 9.0 and 8.8). Last updated on 2024-01-11.

DNS is an important aspect of any Zimbra installation. This article will help those who are new to installing Zimbra get an idea of what needs to be configured to get started. It also collects some tips and best practices that improve security and email deliverability and that may be less well known even to experienced administrators. A good DNS configuration will improve:

  1. Reliability
  2. Performance
  3. Security

DNS and reliability

The first thing to consider is rolling out Zimbra using a so-called Split DNS.

Example: Your Zimbra server has the domain name mail.example.com. When you query the DNS A record for mail.example.com on the server itself, the answer is an internal network address such as 10.0.0.1. However, when someone on the Internet queries the A record for example.com, the answer is a public IP address such as 54.172.92.245.

One of the benefits of a split DNS is that network traffic does not needlessly have to pass through your router, firewall and/or NAT. On top of that, when set up correctly the internal DNS is 100% under your control, which makes the Zimbra system more reliable: even if external DNS fails, Zimbra keeps running normally internally.

Setting up Split DNS

The following steps show how to set up a basic split DNS using the /etc/hosts file on your Zimbra machines combined with DNSMASQ. These steps assume you have not yet installed Zimbra. First, find the local IP address of your server by running the ip a command on the server.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:00:17:0a:8c:e4 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.0.229/24 brd 10.0.0.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 2603:c020:400d:567e:c37f:fdad:8a43:d3b4/128 scope global dynamic noprefixroute
       valid_lft 4699sec preferred_lft 4399sec
    inet6 fe80::17ff:fe0a:8ce4/64 scope link
       valid_lft forever preferred_lft forever

You will have to use the address listed after inet under the device called ensX, ethX or enpX. In most cases it will start with 192.168. or 10.0. If your hosting provider assigns a public IP, for example 54.84.210.249, directly to your Zimbra machine, you can use that IP.

Next you have to set this IP and the hostname in the /etc/hosts file. The following line must be present; add it if it is not:

10.0.0.229  mail.example.com mail

Set up the /etc/hostname file as follows:

mail.example.com

Next install DNSMASQ as follows:

apt-get install -y dnsmasq

Next disable systemd-resolved:

systemctl stop systemd-resolved
systemctl disable systemd-resolved
systemctl mask systemd-resolved

Next set this server to resolve DNS using the locally installed DNSMASQ:

rm -f /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf

You can optionally prevent upstream package updates from changing resolv.conf by making the file immutable:

chattr +i /etc/resolv.conf #make immutable
chattr -i /etc/resolv.conf #regular setting

If you are installing Zimbra or installing Zimbra/OS updates, make sure to reset the resolv.conf file to the regular setting (chattr -i), because otherwise packages fail to install.

Finally, configure DNSMASQ by editing /etc/dnsmasq.conf. In this example we use Quad9, Cloudflare and Google for upstream resolving of DNS. Set listen-address to 127.0.0.1 so only queries from the local Zimbra machine are accepted.

server=9.9.9.9
server=149.112.112.112
server=1.1.1.1
server=1.0.0.1
server=8.8.8.8
server=8.8.4.4

# trust-anchor is a DS record (i.e. a hash of the root Key Signing Key, key tag 20326)
# It was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec
dnssec-check-unsigned

no-resolv
listen-address=127.0.0.1
bind-interfaces
bogus-priv
domain-needed
stop-dns-rebind
rebind-localhost-ok

cache-size=2000

#log-queries
#log-facility=/var/log/dnsmasq.log

You can now restart your server and proceed with the installation of Zimbra. Note that when running the Zimbra installer, choose N when asked to install zimbra-dnscache.
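Before restarting, it is worth checking that the file you wrote really contains the settings above: a missing listen-address or a dropped dnssec line silently turns the server into a network-reachable or non-validating resolver. The following shell script is an added example, not part of the original article, of Zimbra or of dnsmasq; it audits a dnsmasq.conf for those settings and includes two constructed sample configurations (weak and hardened) for comparison:

```shell
#!/bin/sh
# Audit a dnsmasq.conf for the settings this article relies on. Hypothetical
# helper, not part of Zimbra or dnsmasq. Prints one line per finding and
# returns 0 only when the file passes.
audit_dnsmasq_conf() {
    conf="$1"; rc=0
    # Strip comments, trailing blanks and empty lines: check the effective config only.
    eff=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$conf")
    has() { printf '%s\n' "$eff" | grep -qx -- "$1"; }
    # Only the local Zimbra host may query; any other listener is reachable from the network.
    la=$(printf '%s\n' "$eff" | sed -n 's/^listen-address=//p' | tr ',' '\n')
    if [ -z "$la" ]; then
        echo "FAIL: no listen-address (dnsmasq would bind every interface)"; rc=1
    elif printf '%s\n' "$la" | grep -qv -e '^127\.0\.0\.1$' -e '^::1$'; then
        echo "FAIL: listen-address includes a non-loopback address"; rc=1
    fi
    has bind-interfaces || { echo "FAIL: bind-interfaces missing"; rc=1; }
    # DNSSEC validation needs the switch, unsigned checking and a root trust anchor.
    has dnssec || { echo "FAIL: dnssec not enabled"; rc=1; }
    has dnssec-check-unsigned || { echo "FAIL: dnssec-check-unsigned missing"; rc=1; }
    printf '%s\n' "$eff" | grep -q '^trust-anchor=\.,' || { echo "FAIL: root trust-anchor missing"; rc=1; }
    # Upstreams must come from server= lines, never from the resolv.conf that points back here.
    has no-resolv || { echo "FAIL: no-resolv missing (resolv.conf loop risk)"; rc=1; }
    printf '%s\n' "$eff" | grep -q '^server=' || { echo "FAIL: no upstream server= line"; rc=1; }
    has stop-dns-rebind || echo "WARN: stop-dns-rebind missing (rebinding protection)"
    [ "$rc" -eq 0 ] && echo "OK: $conf passes"
    return "$rc"
}

# Constructed sample: a weak config that listens on every address and does no validation.
write_weak_conf() {
    printf '%s\n' 'listen-address=0.0.0.0' 'server=9.9.9.9' > "$1"
}
# Constructed sample: the settings from the article above (one upstream shown).
write_hardened_conf() {
    printf '%s\n' 'server=9.9.9.9' \
        'trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D' \
        'dnssec' 'dnssec-check-unsigned' 'no-resolv' 'listen-address=127.0.0.1' \
        'bind-interfaces' 'stop-dns-rebind' > "$1"
}

# Usage: sh audit_dnsmasq.sh /etc/dnsmasq.conf
if [ -n "${1:-}" ]; then
    audit_dnsmasq_conf "$1"
fi
```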

MX record

At the very minimum you will also have to set an MX record. You can use the dig command to verify it is set correctly:

dig +short MX example.com
100 mail.example.com.

To find the actual IP of mail.example.com, use dig again as follows:

dig +short A mail.example.com

Internally you should get the internal IP, such as 10.0.0.229 in this example. Externally you would get 54.84.210.249; again, this is just an example.

DNS and Performance

When using DNSMASQ you control the DNS cache, and since DNSMASQ runs locally it answers very quickly. As a result your email gets delivered faster.

Setting zimbraMtaLmtpHostLookup

After installation you can set the zimbraMtaLmtpHostLookup directive. This tells Zimbra NOT to use DNS when delivering internal email, which increases performance.

zmprov ms `zmhostname` zimbraMtaLmtpHostLookup native
zmprov mcf zimbraMtaLmtpHostLookup native
zmmtactl restart

DNS and Security

With the installation of DNSMASQ and the configuration above you enforce DNSSEC validation, which increases security. You should also implement SPF, DKIM, DMARC etc. Take a look at our email security webinars for in-depth information on these topics.

Testing DNSSEC

You can use the following service via the command line: https://dnssec.vs.uni-due.de/ (see below), or http://conn.internet.nl/connection/ from a browser (in most cases you will not have a browser on your Zimbra server).

To test from the command line using dig:

#The next query should return an A record
dig sigok.verteiltesysteme.net @127.0.0.1

#The next query should return SERVFAIL
dig sigfail.verteiltesysteme.net @127.0.0.1
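Checking only for NOERROR versus SERVFAIL misses one case: a resolver that answers but does not validate also returns NOERROR. The following shell helper is an added example, not part of the original article or of dnsmasq; it parses the status and the ad (authenticated data) flag from full dig output and classifies the result, with constructed dig headers included so it can be exercised without network access:

```shell
#!/bin/sh
# Classify the DNSSEC outcome of a dig answer. Hypothetical helper, not part of
# Zimbra or dnsmasq. Reads full dig output (not +short) on stdin and prints:
#   secure    NOERROR with the "ad" flag: the local resolver validated the chain
#   bogus     SERVFAIL: validation failed, which is what sigfail should give
#   insecure  NOERROR without "ad": answered, but not DNSSEC-validated
#   error     anything else (NXDOMAIN, REFUSED, no reply)
dnssec_verdict() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL) echo bogus ;;
        *)        echo error ;;
    esac
}

# Live check against the local dnsmasq, using the article's two test names:
# sigok must come back secure and sigfail bogus. Returns 0 only when both hold.
check_local_resolver() {
    ok=$(dig sigok.verteiltesysteme.net @127.0.0.1 | dnssec_verdict)
    bad=$(dig sigfail.verteiltesysteme.net @127.0.0.1 | dnssec_verdict)
    echo "sigok=$ok sigfail=$bad"
    [ "$ok" = secure ] && [ "$bad" = bogus ]
}

# Constructed dig output, trimmed to the header lines the parser reads.
sample_secure() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11111' \
        ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
}
sample_bogus() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22222' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
}
sample_unvalidated() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33333' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
}

# Usage: sh dnssec_check.sh --live   (needs dig and the dnsmasq set up above)
if [ "${1:-}" = "--live" ]; then
    check_local_resolver
fi
```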