Split DNS
Revision as of 13:08, 15 July 2010

Overview

Installations of Zimbra behind a firewall often require the creation of some form of split DNS, also called split-horizon or dual-horizon DNS. This is a DNS installation where machines receive different IP address answers to queries depending on whether they are (commonly) inside or outside a firewall.

This is because the Postfix mail system used by Zimbra performs a DNS lookup when attempting to route email to the back-end message store. Frequently, this is the same physical host as Postfix. The DNS server frequently returns the external address of the mail host, not the internal address. Depending on how the firewall and network are configured, the external address may not even be reachable from the mail host, and mail will not be delivered.

Split DNS avoids this problem by providing an internal DNS server (using bind) that can be used to resolve the internal address of the server. This guide will detail how to set up a very specific, single-host DNS server (i.e. bind) that can be installed on the Zimbra host itself so that it can resolve its own address. This should not be used for a multi-node Zimbra installation, and should not be used as the DNS server for any other hosts on your network.

It is possible to use a generalized split-horizon DNS server to perform this function, but it will need to be set up differently, and many people recommend against it because even a couple of milliseconds of lookup delay can be too much on a heavily loaded system.

Configuring Bind on the Zimbra Server

Install Bind on Red Hat Enterprise Linux

Use up2date to download bind from Red Hat Network.

Install bind9 on Ubuntu/Kubuntu Hardy Heron

apt-get install bind9

You could also make sure it is installed from the Synaptic Package Manager or Adept.

Edit the named.conf file

  • Substitute your fully-qualified server name for server.example.com.
  • If named runs in a chroot'ed directory (i.e. /var/named/chroot), named.conf should be placed in /etc/named/chroot/etc/named.conf and you should create a symbolic link to /etc/named.conf, i.e.:
    ln -s /etc/named.conf /etc/named/chroot/etc/named.conf
    or
    ln -s /etc/bind/named.conf /etc/bind/named/chroot/etc/named.conf
  • For Red Hat, edit: /etc/named.conf
  • For Ubuntu/Kubuntu, edit: /etc/bind/named.conf.options


// Default named.conf generated by install of bind-9.2.4-2
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        forwarders { <address of current DNS server>; };
};
include "/etc/rndc.key";
// We are the master server for server.example.com
zone "server.example.com" {
        type master;
        file "db.server.example.com";
};

Make sure to set the forwarders to match the DNS servers currently in use on your system. The forwarders setting allows the server to query those DNS servers for any addresses for which it is not authoritative.

Create a /var/named/db.server.example.com zone file

  • If named runs in a chroot'ed directory /var/named/chroot, db.server.example.com should be placed in /etc/named/chroot/var/named/db.server.example.com and you should create a symbolic link to /var/named/db.server.example.com

$TTL 86400      ; default TTL for records without one; BIND 9 expects this directive at the top of the file
;
;       Addresses and other host information.
;
@       IN      SOA     server.example.com. hostmaster.server.example.com. (
                               10118      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum
;       Define the nameservers and the mail servers
;       NS data must be a host name (with a trailing dot), not an IP address;
;       the A record below is what carries the internal address
               IN      NS      server.example.com.
               IN      A       <internal address of server>
               IN      MX      10 server.example.com.


Change /etc/resolv.conf

  • Change /etc/resolv.conf to use the Zimbra server as the primary DNS address.
  • Also remember to change the search path to be the name of the Zimbra server.

Start named on the zimbra server

/etc/init.d/named start

Enable autostart of named on boot

chkconfig named on
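As an added example (not part of this wiki page and not Zimbra's own tooling), the following Python script renders the three files the steps above describe, named.conf, the zone file and resolv.conf, for a single host, and rejects inputs that would quietly reproduce the problem split DNS is meant to fix: an internal address that is not a private LAN address, a forwarder that is not an IP address, or a host name that is not a valid DNS name. The function names (build_zone(), build_named_conf(), build_resolv_conf(), zone_serial()), the listen-on/allow-query/allow-transfer lines that confine the server to the host itself (the page's named.conf does not have them), and the use of the parent domain as the resolv.conf search value are all this example's own choices, not taken from the page.

```python
"""Render the single-host split-DNS files from the steps above.

Added example, not from the Zimbra wiki page or Zimbra's tooling. Function
names, the query/listen restriction and the search-path choice are this
example's own assumptions.
"""
import ipaddress
import re
from datetime import date

# RFC 1123 host name: 1-63 letters/digits/hyphens per label, no leading or
# trailing hyphen (assumption: IDN/punycode names are out of scope here).
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_inputs(fqdn, internal_ip, forwarders):
    """Raise ValueError for anything that would make the zone wrong."""
    if not HOSTNAME_RE.match(fqdn):
        raise ValueError(f"not a valid host name: {fqdn!r}")
    addr = ipaddress.ip_address(internal_ip)
    # Split DNS exists to hand out the LAN address; a public address here
    # just reproduces the external answer the firewall may not route.
    if not addr.is_private:
        raise ValueError(f"{internal_ip} is not a private (LAN) address")
    for fw in forwarders:
        ipaddress.ip_address(fw)  # forwarders are literal resolver addresses
    return addr


def zone_serial(day=None):
    """YYYYMMDDnn serial (a common convention); nn is the edit number for
    that day, starting at 01. Increase it on every change to the zone."""
    day = day or date.today().strftime("%Y%m%d")
    return int(day + "01")


def build_zone(fqdn, internal_ip, serial, hostmaster="hostmaster"):
    """Zone file for the host's own name. NS data must be a NAME with a
    trailing dot: an IP written there is treated as a relative name and
    BIND appends the origin, producing a bogus NS target."""
    validate_inputs(fqdn, internal_ip, [])
    return (
        "$TTL 86400\n"
        f"@   IN  SOA {fqdn}. {hostmaster}.{fqdn}. (\n"
        f"        {serial} ; Serial\n"
        "        43200      ; Refresh\n"
        "        3600       ; Retry\n"
        "        3600000    ; Expire\n"
        "        2592000 )  ; Minimum\n"
        f"    IN  NS  {fqdn}.\n"
        f"    IN  A   {internal_ip}\n"
        f"    IN  MX  10 {fqdn}.\n"
    )


def build_named_conf(fqdn, internal_ip, forwarders, zone_dir="/var/named"):
    """options block plus the master zone. Beyond the page's minimal config
    this also limits listeners, queries and recursion to the host itself,
    since this named must not serve other hosts on the LAN."""
    validate_inputs(fqdn, internal_ip, forwarders)
    fw = " ".join(f"{f};" for f in forwarders)
    return (
        "options {\n"
        f'    directory "{zone_dir}";\n'
        f"    forwarders {{ {fw} }};\n"
        f"    listen-on {{ 127.0.0.1; {internal_ip}; }};\n"
        "    allow-query { localhost; };\n"
        "    allow-recursion { localhost; };\n"
        "    allow-transfer { none; };\n"
        "};\n"
        f'zone "{fqdn}" {{\n'
        "    type master;\n"
        f'    file "db.{fqdn}";\n'
        "};\n"
    )


def build_resolv_conf(fqdn, internal_ip):
    """Point the host at its own named; search uses the parent domain
    (this example's choice) so short names still complete."""
    domain = fqdn.split(".", 1)[1] if "." in fqdn else fqdn
    return f"search {domain}\nnameserver {internal_ip}\n"


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    print(build_named_conf("server.example.com", "192.168.1.30", ["192.168.1.1"]))
    print(build_zone("server.example.com", "192.168.1.30", zone_serial()))
    print(build_resolv_conf("server.example.com", "192.168.1.30"))
```

Write the returned strings to the paths the page names for your distribution, then run BIND's own checkers (named-checkconf on the configuration and named-checkzone on the zone file) before starting named; a zone that fails to load leaves the host with no resolver at all once resolv.conf has been switched.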

Verify that this is working

To verify that your configuration of DNS is correct you should run the following commands on the Zimbra server itself (the expected output is in the boxes below the commands):

dig yourdomain.com mx

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> yourdomain.com mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20907
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;yourdomain.com.                IN      MX

;; ANSWER SECTION:
yourdomain.com. 7200    IN      MX      30 mail.yourdomain.com.

;; ADDITIONAL SECTION:
mail.yourdomain.com. 7200 IN  A       192.168.1.30

;; Query time: 4 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Thu Jul 15 14:38:48 2010
;; MSG SIZE  rcvd: 140

dig yourdomain.com any

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> yourdomain.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36845
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;yourdomain.com.                IN      ANY

;; ANSWER SECTION:
yourdomain.com. 7200    IN      NS      ns1.yourdomain.com.
yourdomain.com. 7200    IN      A       192.168.1.30
yourdomain.com. 7200    IN      SOA     yourdomain.com. admin. 2010051304 10800 3600 1814400 7200
yourdomain.com. 7200    IN      MX      10 mail.yourdomain.com.
yourdomain.com. 7200    IN      NS      ns2.yourdomain.com.

;; ADDITIONAL SECTION:
mail.yourdomain.com. 7200 IN     A       192.168.1.30
ns2.yourdomain.com.  7200 IN     A       192.168.1.11
ns1.yourdomain.com.  7200 IN     A       192.168.1.10 

;; Query time: 11 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Thu Jul 15 14:38:52 2010
;; MSG SIZE  rcvd: 367

host `hostname`

mail.yourdomain.com has address 192.168.1.30

NOTE: The host `hostname` command should be typed exactly as you see it, using backticks, not single quotes, and don't change the word "hostname" to anything else.

You should also note that the output on your system may differ slightly from the examples above, but there should be an A record that points to the LAN IP address of your Zimbra server and an MX record that contains the FQDN (Fully Qualified Domain Name, that is, the hostname plus the domain name; mail.yourdomain.com in the examples) of your Zimbra server.
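To turn the visual comparison above into a repeatable check, here is an added Python example (not from the wiki page) that parses the flags, answer, additional and SERVER lines of dig's output and reports every condition that would mean Postfix still gets the wrong address: no MX for the domain, an MX target without an A record, an A record outside private address space, a non-authoritative answer (no "aa" flag, so the local zone was not consulted), or an answer served by something other than the local named. The dig text embedded below is constructed to mirror the page's sample; parse_dig(), check_split_dns() and the local_nameservers argument are this example's own names.

```python
"""Check `dig <domain> mx` output for the records the page says must exist.

Added example, not from the Zimbra wiki page. The dig text is constructed;
parse_dig(), check_split_dns() and local_nameservers are this example's names.
"""
import ipaddress
import re

# Constructed sample in dig's text format (same shape as the page's output).
SAMPLE_DIG_MX = """\
; <<>> DiG 9.3.6 <<>> yourdomain.com mx
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20907
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;yourdomain.com.                IN      MX

;; ANSWER SECTION:
yourdomain.com. 7200    IN      MX      30 mail.yourdomain.com.

;; ADDITIONAL SECTION:
mail.yourdomain.com. 7200 IN  A       192.168.1.30

;; Query time: 4 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
"""

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+?)\s*$")
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);")
SERVER_RE = re.compile(r"^;; SERVER:\s+([0-9A-Fa-f.:]+)#\d+")


def parse_dig(text):
    """Return (records, flags, server). records holds (owner, type, rdata)
    tuples with the owner's trailing dot stripped; ';' comment lines and the
    question section are skipped."""
    records, flags, server = [], set(), None
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)
            continue
        if not line.strip() or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            records.append((m.group(1).rstrip("."), m.group(2), m.group(3)))
    return records, flags, server


def check_split_dns(dig_text, domain, local_nameservers):
    """Return a list of problems; an empty list means the answer carries the
    LAN address. local_nameservers: addresses of the named from this guide."""
    records, flags, server = parse_dig(dig_text)
    problems = []
    if "aa" not in flags:
        problems.append("answer is not authoritative (no 'aa' flag): the local zone was not used")
    if server not in local_nameservers:
        problems.append(f"answer came from {server}, not the local split-DNS server")
    mx_targets = [rd.split()[1].rstrip(".") for owner, rtype, rd in records
                  if owner == domain and rtype == "MX"]
    if not mx_targets:
        problems.append(f"no MX record for {domain}")
    for target in mx_targets:
        addrs = [rd for owner, rtype, rd in records if owner == target and rtype == "A"]
        if not addrs:
            problems.append(f"MX target {target} has no A record in the answer")
        for a in addrs:
            # A public address here means Postfix would route mail out
            # through the firewall instead of to the local message store.
            if not ipaddress.ip_address(a).is_private:
                problems.append(f"{target} resolves to {a}, a public address")
    return problems


if __name__ == "__main__":
    for p in check_split_dns(SAMPLE_DIG_MX, "yourdomain.com", {"192.168.1.10"}) or ["OK"]:
        print(p)
```

On the Zimbra server itself, feed it live output with subprocess.run(["dig", "yourdomain.com", "mx"], capture_output=True, text=True).stdout and pass the nameserver address from /etc/resolv.conf as local_nameservers; an empty list is the result the page's "expected output" boxes describe.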

If you're asked in the forums to provide the information to confirm your DNS is correct then you should also supply the output of the following commands (run on your Zimbra server):

cat /etc/resolv.conf
cat /etc/hosts

If you have a number of servers inside the firewall that need to use internal addresses to communicate to each other, you should consider setting up a full internal DNS server that can be authoritative for the whole domain. This example is not suitable for this task.

For information on performing the same task with TinyDNS / DJBDNS: http://www.fefe.de/djbdns/#splithorizon

Additional Information: Zimbra Power Tip: http://www.zimbra.com/blog/archives/2007/06/making_zimbra_bind_work_together_1.html

Verified Against: unknown
Date Created: 10/5/2006
Article ID: https://wiki.zimbra.com/index.php?title=Split_DNS
Date Modified: 2010-07-15
