DNS

DNS

   KB 1292        Last updated on 2022-12-20  




0.00
(0 votes)


DNS is an important aspect of any Zimbra installation. This article will help those that are new on installing Zimbra to get an idea what needs to be configured to get started. There will also be some tips and best practices that will improve security and email deliverability that may be lesser know even to experienced administrators. Having a good DNS configuration will improve:

  1. Reliability
  2. Performance
  3. Security

DNS and reliability

The first things to consider is rolling out Zimbra using a so called Split DNS.

Example: Your Zimbra server has the domain name mail.example.com. When on the server itself you query the DNS A record for mail.example.com, the answer from DNS is an internal network address such as 10.0.0.1. However when someone from the Internet queries the A record for example.com the answer is a public IP address such as 54.172.92.245.

One of the benefits of a split DNS is that you can make sure network traffic does not needlessly have to pass though your router/firewall and or NAT. On top of that when set-up correctly the internal DNS should be 100% under your control. This makes the Zimbra system more reliable. Because even when external DNS would fail, internally Zimbra would run as normally.

Setting up Split DNS

The following steps will show you how to set-up a basic split DNS using the /etc/hosts file on your Zimbra machines combined with DNSMASQ. These steps assume you have not yet installed Zimbra. First find the local IP address of your server by running the ip a command from the server.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:00:17:0a:8c:e4 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.0.229/24 brd 10.0.0.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 2603:c020:400d:567e:c37f:fdad:8a43:d3b4/128 scope global dynamic noprefixroute
       valid_lft 4699sec preferred_lft 4399sec
    inet6 fe80::17ff:fe0a:8ce4/64 scope link
       valid_lft forever preferred_lft forever

You will have to use the address that is listed after inet under the device called ensX, ethX or enpX. In most cases it will start with 192.168. or 10.0. If you directly get a public IP for example 54.84.210.249 from your hosting provider on your Zimbra machine, you can use this IP.

Next you have to set this IP and the hostname in the /etc/hosts file. The following line must be present or added as follows:

10.0.0.229  mail.example.com mail

You have to set-up the /etc/hostname file as follows:

mail.example.com

Next install DNSMASQ as follows:

apt-get install -y dnsmasq

Next disable systemd-resolved:

systemctl stop systemd-resolved
systemctl disable systemd-resolved
systemctl mask systemd-resolved

Next set this server to resolve DNS using the locally installed DNSMASQ:

rm -f /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf

You can optionally prevent changes from upstream package updates to resolv.conf by making this file immutable. This may cause problems when you update your system using apt-get, so be aware to revert if needed:

chattr +i /etc/resolv.conf #make immutable
chattr -i /etc/resolv.conf #regular setting

Finally configure DNSMASQ by editing /etc/dnsmasq.conf, in this example we will be using Quad9, Cloudflare and Google for upstream resolving of DNS. You have to change the IP in listen-address with your actual internal IP.

server=9.9.9.9
server=149.112.112.112
server=1.1.1.1
server=1.0.0.1
server=8.8.8.8
server=8.8.4.4

# trust-anchor is a DS record (ie a hash of the root Zone Signing Key)
# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec
dnssec-check-unsigned

no-resolv
listen-address=10.0.0.229
bind-interfaces
bogus-priv
domain-needed
stop-dns-rebind
rebind-localhost-ok

cache-size=2000

#log-queries
#log-facility=/var/log/dnsmasq.log

You can now restart your server and proceed with the installation of Zimbra. Please note that when running the Zimbra installer choose N when asked to install zimbra-dnscache.

MX record

At the very minimum you will also have to set an MX record, you can use the command dig to verify it is set correctly:

dig +short MX example.com
100 mail.example.com.

To find the actual IP of mail.example.com you use dig again as follows:

dig +short A mail.example.com

Internally you should get the internal IP such as 10.0.0.229 in this example. Externally you would get 54.84.210.249 again this is just an example.

DNS and Performance

When using DNSMASQ you can control the cache of DNS, and since DNSMASQ runs locally it answer very quickly. This makes it that your email gets delivered faster.

Setting zimbraMtaLmtpHostLookup

After installation you can set the zimbraMtaLmtpHostLookup directive. This tells Zimbra NOT to use DNS when delivering internal email. This increases performance.

zmprov ms `zmhostname` zimbraMtaLmtpHostLookup native
zmprov mcf zimbraMtaLmtpHostLookup native
zmmtactl restart

DNS and Security

With the installation of DNSMASQ and the configuration as above you enforce DNSSEC this increases security. You should also implement SPF, DKIM, DMARC etc. Take a look at our email security webinars for in depth information on these topics.

Testing DNSSEC

You can use the following service via the command line: https://dnssec.vs.uni-due.de/ or http://conn.internet.nl/connection/ from a browser (in most cases you will not have a browser on your Zimbra server).

To test from the command line using dig:

#The next query should return A record
dig sigok.verteiltesysteme.net @127.0.0.1

#The next query should return SERVFAIL
dig sigfail.verteiltesysteme.net @127.0.0.1
Currently, 20 December 2022 there is a cyber attack ongoing against the University of Duisburg-Essen so the test will not work.
Jump to: navigation, search