Next: Smart Blocking
Up: Configuring Core Services
Previous: Configuring Core Services
Domain Name System Setup
The mapping of Internet host names to addresses is done by means of the
Domain Name System or DNS. Setting up DNS can be a complex task,
but the administration program will take care of most of the complexities
for you. Even so, it is useful to have an understanding of DNS requirements
and how DNS is handled by your firewall or VPN gateway.
The first thing to do is to establish what the requirements are for your site.
There are a number of points to consider:
- Because your firewall is your gateway to the Internet, it must
have access to a DNS server that can resolve the addresses of
external host names (this server may run on the firewall itself).
- In order for other Internet hosts to exchange mail with the firewall
or to access any public servers running on the firewall, these hosts
must be able to look up the address of the firewall and determine
that mail for your domain should be sent to the firewall. Thus there
must be a DNS name server for your domain which is accessible from
hosts in the Internet. This name server usually only needs to serve
one address to the Internet, namely the external address of the
firewall (as other hosts in your domain should not be directly
accessible). As a result, it is quite common to have your ISP provide
the necessary public name service on your behalf. Alternatively, the
firewall can act as the public nameserver.
- The firewall needs to know the name/address associations of hosts
on the inside that can access it and that it can access. It can
do this using a static file (named /etc/hosts), but if you
have a large number of hosts then using a name server will be more
efficient. In this case, an internal name server can be run
on the firewall or on some other internal host accessible by the
firewall.
- For transparent gatewaying, hosts on the inside should be able to
look up the names of hosts on the outside (this is not necessary
when using proxies, due to the two-step connection process). The
firewall must run a name server to support this.
- It is quite common to have secondary name servers to provide
redundancy; in fact, this is an (informal) requirement for DNS
servers accessible from the Internet. Secondary servers periodically
download the name server databases from the primary server (known
as a zone transfer).
Unless you already have name servers running in your network, the easiest
way to satisfy all of these requirements is to have the firewall act as
both the internal and the external name server. It is possible (and even
preferable) to do this even if someone else, such as your ISP, acts as
your primary external name server.
Apart from supporting name/address lookups, DNS also allows mail exchange
or MX records to be looked up. These records specify where mail for
particular addresses or domains should be routed. Each MX record carries
a preference value, and a sending mail server tries the exchanger with the
lowest preference first, so redundancy is possible by having multiple mail
exchangers for a mail address. The public external name server needs to
provide an MX record specifying that any mail for the domain should be
relayed to the firewall. The firewall allows you to specify additional
external mail exchange hosts to which mail can be sent if the firewall is
down. Note that this is really only useful if the firewall is the primary
external DNS server and there is at least one secondary external DNS
server: when the firewall is down its name server is down as well, and
only a secondary can still answer the MX query that tells senders about
the fallback exchangers.
The CEQURUX Firewall includes a proxy DNS server which provides
what we call 'split DNS', namely the redirection of DNS requests to
one of two or more servers depending on where the request comes from
and what hostname or address is being requested. This proxy server has
a number of uses:
- It allows the firewall to run both the internal and the external
name servers. These will be run on non-standard ports, with the
split DNS server running on the standard port and redirecting
requests to one of the other two servers. The split DNS server
decides whether to route a request to the internal or external
server based on whether the request came from an internal host
or an external host, and on whether the requested name/address
is in the local domain or not. If the request is in the local
domain and came from an internal host, it will be routed to the
internal name server; otherwise it will be sent to the external
name server.
- It allows DNS lookups of host names or addresses in remote Virtual
Private Networks (VPNs). Without split DNS you will have to
specify numeric IP addresses to access hosts in other parts of
the VPN. The split DNS server can be used regardless of whether
the name servers are running on the firewall itself, or on other
server hosts. If a request for the address of a host whose
hostname has a domain part that matches a domain specified for
one or more VPN IP tunnels is received, and a normal lookup
fails, then the request will be tunnelled to the remote CEQURUX
firewall(s) or VPN gateway(s) which handle that domain.
- It allows both the internal and external name server entries to be
pointed at a single external host. This is useful when you have
more than one CEQURUX Firewall in series (for example, between
departments), to allow DNS requests to be forwarded 'upstream'
until they reach a server which can look up Internet addresses
directly.
- It contains some sophisticated features for blocking the lookups
of addresses for hosts whose names contain specified keywords
(we call this smart blocking). It also caches the results
of forward lookups (names to addresses), and uses these to satisfy
reverse lookups (addresses to names) that would otherwise fail.
This provides better logging capabilities, as well as improving
the effectiveness of the smart blocking.
The split DNS proxy server will automatically be run if your configuration
requires it (for example, if you have VPNs, transparent TCP or UDP gateways,
or ICMP gatewaying configured, which covers almost every case).
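The routing rule described above (source-based and name-based split, the VPN fallback, and the forward cache used to answer reverse lookups), written out as a small policy function. This is an added example and not code from the CEQURUX product; the local domain, internal network ranges, VPN gateway address and the treatment of loopback as an internal source are assumptions made for the illustration.

```python
import ipaddress

# Constructed configuration standing in for the values a site enters on the
# DNS Setup Screen. Every name and address here is an assumption for the example.
LOCAL_DOMAIN = "example.com"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Domains served by remote gateways over VPN tunnels (hypothetical).
VPN_DOMAINS = {"branch.example.net": "203.0.113.9"}

INTERNAL_NS = "internal"     # the two real servers sit on non-standard local ports
EXTERNAL_NS = "external"


def in_domain(name, domain):
    """Label-aware suffix test: 'host.example.com' is in 'example.com',
    but 'notexample.com' is not (a plain endswith() would get that wrong)."""
    name = name.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def is_internal_source(addr):
    """Queries from the firewall itself (loopback) count as internal (assumption)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in INTERNAL_NETS)


def resolution_order(src_addr, qname):
    """Servers the proxy tries, in order, for one query.

    Internal source + local-domain name -> internal server only.
    Everything else -> external server, then the VPN gateway whose domain
    matches the name, which is consulted only if the normal lookup fails.
    An external host asking for a local-domain name never reaches the
    internal server, so internal names do not leak."""
    if is_internal_source(src_addr) and in_domain(qname, LOCAL_DOMAIN):
        return [INTERNAL_NS]
    order = [EXTERNAL_NS]
    for domain, gateway in VPN_DOMAINS.items():
        if in_domain(qname, domain):
            order.append(("vpn", gateway))
    return order


class ForwardCache:
    """Answers to forward lookups are remembered so that a later reverse
    lookup of the same address can be satisfied even when no PTR exists."""

    def __init__(self):
        self._by_addr = {}

    def record(self, name, addr):
        self._by_addr[str(ipaddress.ip_address(addr))] = name.rstrip(".").lower()

    def reverse(self, addr):
        return self._by_addr.get(str(ipaddress.ip_address(addr)))


if __name__ == "__main__":
    for src, q in [("10.1.2.3", "intranet.example.com"),
                   ("198.51.100.7", "intranet.example.com"),
                   ("10.1.2.3", "www.notexample.com"),
                   ("10.1.2.3", "files.branch.example.net")]:
        print(f"{src:>14} asks {q:<28} -> {resolution_order(src, q)}")
```

The label-aware domain test matters: a naive string suffix check would send an internal host's query for www.notexample.com to the internal server, where it would fail, and would let a crafted name match a VPN domain it does not belong to.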
In summary, the information you need to set up the name service on
the firewall is:
- The address of the primary external name server.
- The addresses of the secondary external name servers, or
other external hosts that are allowed to do zone transfers, if any.
- The address of the internal name server, if any.
- The names and addresses of hosts on the inside that can access
the firewall, unless the internal name service is being run on
a host other than the firewall itself.
- If the firewall is the external name server, the names of the
external secondary mail exchange hosts for your domain, if any.
Figure 4.7: The Domain Name System Setup Screen
![Figure 4.7: The Domain Name System Setup Screen](img26.png)
The DNS Setup Screen (Figure 4.7) lets you specify the
following fields:
- Primary Internal
- The host which acts as the primary internal
nameserver. If you leave this empty, then no internal name
server will be used, while a value of 127.0.0.1 will cause
the firewall to act as the internal name server.
- Primary External
- The primary name server to be used for the
external network (usually the Internet). This would typically
be your service provider's name server, or the firewall itself.
You can have the firewall provide the external name service
by specifying 127.0.0.1 here. You must specify an external
name server.
- Auto-Update Root Cache
- The firewall can automatically retrieve
and install a new DNS root cache file at regular intervals. This
field lets you specify how often this should be done.
A value of zero will prevent any auto-updating.
- Seamless DNS
- If enabled, then the DNS proxy will transparently proxy
UDP DNS requests from internal hosts to external servers.
This allows you to deploy a CEQURUX Firewall in front of an
existing network without having to reconfigure internal DNS
resolvers.
- Seamless MX
- If enabled, then when an internal client asks for the MX records of an
external domain, the DNS proxy answers with a synthesised MX record that
names the firewall itself instead of the real exchanger. Internal Mail
Transfer Agents (MTAs) therefore hand all outbound mail to the firewall
without being reconfigured, which allows you to deploy a CEQURUX Firewall
in front of an existing network.
The available keys are:
- F1
- Cancel any changes and return to the Main Setup Screen
- F2
- View or edit the local hosts within the domain
- F3
- View or edit the secondary external DNS servers
- F4
- View or edit the hosts that can do zone transfers
but aren't secondaries
- F5
- View or edit the smart blocks
- F7
- View help
- F8
- Save any changes and return to the Main Setup Screen
Note that secondary MX hosts are configured from the Mail Setup Screen
rather than the DNS Setup Screen.
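The MX handling discussed in this section (the public MX records with the firewall preferred and the secondary exchangers as fallbacks, the order in which a sending MTA tries them, and the Seamless MX rewrite for internal clients), as an added Python example. It is not code from the CEQURUX product; the domain, firewall name and secondary exchanger names are assumptions, and the preference values 10/20/30 are a convention chosen for the illustration, not values the firewall is documented to use.

```python
# Constructed values standing in for the Registration, DNS and Mail Setup
# screens; every name here is an assumption for the example.
LOCAL_DOMAIN = "example.com"
FIREWALL_NAME = "fw.example.com"                       # external name of the firewall
SECONDARY_MX = ["mx2.isp.example", "mx3.isp.example"]  # from the Mail Setup Screen


def in_domain(name, domain):
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def public_mx_rrset(domain=LOCAL_DOMAIN, firewall=FIREWALL_NAME,
                    secondaries=SECONDARY_MX):
    """MX records for the public zone as (preference, exchanger) pairs.
    Lower preference is tried first: the firewall gets 10, each secondary
    a higher value in listed order (assumed convention)."""
    rrset = [(10, firewall)]
    rrset += [(10 * (i + 2), host) for i, host in enumerate(secondaries)]
    return rrset


def zone_lines(domain, rrset):
    """Render the RRset in master-file syntax, one line per exchanger."""
    return [f"{domain}.\tIN\tMX\t{pref}\t{host}." for pref, host in rrset]


def choose_exchanger(rrset, unreachable=frozenset()):
    """What a sending MTA does: try exchangers by ascending preference and
    use the first one that answers; None if every exchanger is down."""
    for pref, host in sorted(rrset):
        if host not in unreachable:
            return host
    return None


def seamless_mx_answer(query_domain, client_is_internal, firewall=FIREWALL_NAME):
    """Seamless MX: when an internal client asks for the MX of an external
    domain, answer with a single synthesised record naming the firewall so
    the client's MTA relays through it. None means 'do not rewrite'."""
    if client_is_internal and not in_domain(query_domain, LOCAL_DOMAIN):
        return [(0, firewall)]
    return None


if __name__ == "__main__":
    rr = public_mx_rrset()
    print("\n".join(zone_lines(LOCAL_DOMAIN, rr)))
    print("firewall up:  ", choose_exchanger(rr))
    print("firewall down:", choose_exchanger(rr, {FIREWALL_NAME}))
    print("internal MX query for partner.example.net ->",
          seamless_mx_answer("partner.example.net", True))
```

The fallback in choose_exchanger only works if the sender can still obtain the RRset, which is why the secondary exchangers are worthless unless a name server other than the firewall keeps serving the zone while the firewall is down.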
Figure 4.8: The Local Host Setup Screen
![Figure 4.8: The Local Host Setup Screen](img27.png)
Next you need to set up the list of hosts and addresses on your internal
networks, which you do from the Local Host Setup Screen
(Figure 4.8).
The entries you make here are put in the /etc/hosts file (unless there
are a large number of entries), as well as in the external or internal
DNS files if the firewall is running the internal or external name server.
An entry in the hosts file is only accessible by the firewall itself,
while an entry in the DNS files makes the host/address mapping accessible
from other hosts that use the firewall as a name server. The firewall will
put all the entries in the internal DNS databases, but only the entries for
external hosts in the external DNS database.
You do not need to domain-qualify the names of hosts if the domain is the
same as that entered in the Registration Screen; this domain will be
automatically appended to any hostnames that are not domain-qualified.
Also, you should not make an entry for the firewall itself; implicit
entries are set up using the hostname from the Registration screen, and
using the names associated with interfaces on the System Setup screen.
If you enter a host name in the list that is qualified with a domain
other than the local domain, then the details will be placed in the hosts
file but not in the DNS files. This could be useful for ensuring that
the firewall can resolve some important external addresses even if there
are DNS problems.
Another case in which you may find it useful to enter a domain-qualified
name is if you have a public web server that is actually hosted by your
ISP, rather than internally. If your ISP provides your external DNS, then
they will typically be serving an address for 'www.yourdomain'
to the outside world. Your internal hosts will be querying the firewall for
the address associated with this host, rather than the ISP's name server.
By making an entry in the local hosts for the address of the web server,
and domain qualifying it, your internal hosts will be able to correctly
look up the address of your web server (an alternative approach to solving
this problem is to specify the external server address as the address of
your public web server in the Public Service setup).
The fields in this screen are:
- Name
- The name of the host.
- Address
- The numeric IP address of the host.
The following functions are available from this screen:
- F1
- Discard the changes and return to the DNS Setup Screen
- F2
- Show the previous page of host entries
- F3
- Show the next page of host entries
- F4
- Import a list of hosts and addresses from a file
- F5
- Insert an entry at the current row
- F6
- Delete the entry at the current row
- F7
- View help
- F8
- Record the changes and return to the DNS Setup Screen
If you have a hosts file containing lists of host names and addresses,
you can import the data from that file directly into the Local Hosts Setup
Screen. You will need to transfer the file onto the firewall first; this
can be done using a diskette (with the UNIX tar command or similar),
or, if you have completed a basic configuration, you can use FTP.
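The rules given above for local host entries (domain qualification with the registered domain, no entry for the firewall itself, foreign-domain names going only to the hosts file, local-domain names going to the internal DNS database and external ones also to the external database), applied to a file in /etc/hosts format of the kind the F4 import reads. This is an added Python example, not the firewall's own import code: the sample file is constructed, the local domain, firewall hostname and internal network ranges are assumptions, and deciding "external host" by whether the address lies outside the internal networks is this example's assumption, since the text does not say how the firewall makes that distinction.

```python
import ipaddress

# Constructed settings standing in for the Registration and System Setup
# screens; the names, addresses and network ranges are assumptions.
LOCAL_DOMAIN = "example.com"
FIREWALL_HOSTNAME = "fw"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample in /etc/hosts format, as an imported file might look.
SAMPLE_HOSTS = """\
# internal hosts
10.1.1.10     mailhub mail
10.1.1.20     fileserver.example.com
192.168.5.1   fw                    # the firewall itself; implicit entries exist
203.0.113.80  www.example.com       # public web server hosted at the ISP
198.51.100.53 ns1.isp.example       # foreign domain: hosts file only
this is not a hosts entry
"""


def in_domain(name, domain):
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def qualify(name, domain=LOCAL_DOMAIN):
    """Append the local domain to names that carry no domain part."""
    name = name.rstrip(".").lower()
    return name if "." in name else f"{name}.{domain}"


def parse_hosts(text):
    """Parse /etc/hosts text into (fqdn, address) pairs. Comments, blank lines
    and lines whose first field is not an IP address are skipped; every
    alias on a line becomes its own entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue          # malformed line: ignore rather than import garbage
        for name in fields[1:]:
            entries.append((qualify(name), addr))
    return entries


def classify(entries):
    """Where each entry ends up under the Local Host Setup rules:
    skipped for the firewall itself, hosts file only for foreign domains,
    otherwise hosts file plus internal DNS, plus external DNS when the
    address is not on an internal network (assumption of this example)."""
    out = {"hosts": [], "internal_dns": [], "external_dns": [], "skipped": []}
    for name, addr in entries:
        if name == qualify(FIREWALL_HOSTNAME):
            out["skipped"].append((name, addr))
            continue
        out["hosts"].append((name, addr))
        if not in_domain(name, LOCAL_DOMAIN):
            continue
        out["internal_dns"].append((name, addr))
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in INTERNAL_NETS):
            out["external_dns"].append((name, addr))
    return out


if __name__ == "__main__":
    for place, items in classify(parse_hosts(SAMPLE_HOSTS)).items():
        print(place, items)
```

Running it shows the point of the www.example.com entry: it lands in the internal DNS database, so internal hosts asking the firewall get the ISP-hosted address, while ns1.isp.example reaches the hosts file only and is never served to anyone but the firewall.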
Figure 4.9: The External Secondary DNS Servers Setup Screen
![Figure 4.9: The External Secondary DNS Servers Setup Screen](img28.png)
The External Secondary DNS Servers Setup Screen (Figure 4.9)
allows you to specify the
domain names and IP addresses of the secondary name servers that your
firewall should use, and that may request zone transfers from the
firewall (if your firewall is the primary external DNS server).
Figure 4.10: The External Zone Transfer Hosts Setup Screen
![Figure 4.10: The External Zone Transfer Hosts Setup Screen](img29.png)
The External Zone Transfer Hosts Setup Screen (Figure 4.10)
allows you to specify the
domain names and IP addresses of hosts that are allowed to do zone transfers
from your firewall but should not be used as secondary DNS servers. In
most cases you should not need any of these, but some ISPs may require it.
Because a zone transfer hands out every name and address in the zone at
once, keep this list and the secondary list limited to hosts that genuinely
need it. After saving, it is worth confirming from a host on neither list
that a transfer request (for example, dig @your-external-address yourdomain
AXFR) is refused.
Copyright © 2004, CEQURUX Technologies