
DNS Help/guidance requested please.

I have a small soho network  which is connected to the WAN through a UTM.  I have enabled DNS services on subnets using the UTM.  I do not have a local DNS set up on my machines.

Recently I have run into authentication issues with a shared NAS device and am thinking of running an LDAP server on the NAS as it has this capability built in.

The first setting I have to complete is for an FQDN on the LDAP server and an example was suggested.  This suggestion was along the lines "my.server.com." 

I wondered why .com since I hope the LDAP will be contained within the LAN and not connect beyond. 

What will the top level domain name be if I create a dedicated FQDN for my LDAP server? As it will be a private domain can I use a more appropriate top level such as .org or what?

In addition to setting up the LDAP I am also planning to set up an NFSv4 server on my network and this will require DNS. Does this mean I must set up my own DNS or can I use the service provided on the UTM?

Sorry to be so dumb but am having to learn a lot of new stuff I have not needed before!!!

Budge



  • If you are assigning it local DNS for your internal network, you wouldn't use a .com address for that.  Instead, you would use something like NAS.budgie2.home and create a DNS entry on the UTM.  You would create DNS entries for each device, and the easiest way I do that is through the IPv4 Lease Table, so you can just click 'Make Static' and it pulls up the interface for you to create a new Host entry.  I do that for all of my server-type devices and core items (switches, servers, APs, etc).

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Hi and many thanks.  That seems really neat but I am not sure what I am doing so please help me further here. 

    For example I have a NAS which has a static IP on a subnet which is configured on UTM interfaces and uses the start address of the subnet for the DNS. The NAS is usually accessed by the web interface from one of the workstations on the same subnet.  The NAS has internet access for updates etc. and I can see it on the lease table.

    If I do as you suggest and create a new Host with a DNS hostname, does this work alongside the existing DNS connection configured on the UTM?

    I am seeking to do this to set up an LDAP server on the NAS which asks for the FQDN.  How do other devices work in this situation when LDAP is in use?

    As you can tell I am a real beginner still so hope you will forgive my dumb questions.

    Regards,

    Budge     

  • Hi Budge,

    You are overcomplicating things: DNS and LDAP are completely separate services, which work perfectly alongside each other. So one would not disturb the other when set up on the same LAN or server. Although an LDAP needs a correct and working DNS as a precondition, as you already know. You normally have one or more DNS inside your LAN, if you want to resolve internal server names. The UTM has the ability to serve as a DNS, with some limitations. So the first thing you should do is to find an internal DNS domain name, which you want to use on all of your systems. This could be budge.local or budgie2.home or blabla.internal. It should NOT use one of the common TLD endings which are used on the public internet. So no .com, .org, .net or alike.
    Then define those host entries like Amodin showed you, and the UTM will happily resolve these. If you request name resolution for a domain outside this internally used one, the UTM forwards this request to the DNS forwarders you have already set up, did you?

    Hope this helps.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Philipp and many thanks.  Will use Amodin's suggestion with your very helpful clarification.

    Best wishes,

    Budge.  

  • Hi Amodin, I  do have one problem with your suggestion and that is because the machine I wish to use for local DNS is already on a fixed IP and therefore not within the lease table.

    Is there another way to do what is proposed please?

  • You can still create a host entry for that device and give it the fixed IP you have it assigned and can even create another hostname for it in the same entry. ;)  


  • Hi Amodin, many thanks.  I am a bit slow here, can you please give me a blow by blow instruction.  The screenshot was brilliant and  I have no idea where to start, so many options and not enough learning!!!


  • Great and many thanks.  Found it and have started setting it up.  It does beg the question about the existing networks on the DNS service and how this new host fits in.   More reading for me  required I think on how the local name server works.  

  • It's really the same thing as .com, you are just using something that isn't recognizable on the internet so the network (and you) can distinguish the difference.  I use .home to obviously recognize what my home devices are, and an FQDN would also constitute the naming convention you use; i.e., <subdomain>.<domain>.<com> It's the same thing as - <devicename>.<domain>.<home> 


  • Hi Amodin, clearly I made a mistake or three as I lost my internet connection on my home network and had to undo. 

    I did notice when I went to the Network Definitions tab that there is an entry in the list for my home network, Alastair, which is not fully set up and has the edit, delete and clone buttons showing.  It appears to be an attempted duplicate of the object Alastair (Network). 

    When I tried to delete this incomplete entry I received a warning: "The network object 'Alastair' is required by the WebAdmin allowed network list." 

    Since I already have the Alastair (Network) showing in the list I think I should clear this up before continuing with the local DNS work.   

  • Well when you are ready, it would behoove you to add some screenshots of your setup here so we can see what you have set up (visually).  You can block some of the IP addresses if you think you need to such as your external IP, but internal IPs wouldn't matter.

    For us visual people, it paints a clearer picture of what's going on.  ;)


  • First screenshot

    This shows what seems to be a duplicate for my home network.  It was set up by my supplier when UTM was installed by him.  It doesn't look right to me here but I don't want to remove and lose log in access.

    The second screen shot

    Intended to show what I think is a duplicate but when I try and delete I get an error message as it is required by WebAdmin.

    This is the third screenshot  which is where I have been trying to follow your instructions and shows where I am not sure of the right entries and finally my last screenshot which, if you were in any doubt, confirms my ignorance!!!

    BTW I read your profile and clearly I am in the hands of the Master.  Sorry I am such a poor student but am for ever grateful for your patience and help.

  • Well, I wish I were a master at this, but there are some who are far more qualified than I am, haha.  But I appreciate the sentiment!

    First screenshot:  This just reeks of 'wrong' to me, but without seeing what the specifics are of that network (Alastair), I can't be 100% sure.  What your first screenshot is showing is 'what network are you giving access to in order to reach Webadmin'.  Personally, nothing but my Internal (Network) gets this access.  If I know I am going to be traveling, I will add my VPN Pool to it, and remove it from there when I get home.  The current one you have there now is a network group, and it could be legitimate; however, I go with what I know. This is an example of what mine looks like.  Note the identifying icon:

    Why yours is set up the way it is - I don't know, it could be a way of doing the same thing, but I agree you are correct that it's most likely duplicate.  I would personally replace it with the Alastair (Network) if it is the same network IP information and get rid of the other one.  You can delete it once you've confirmed it's no longer needed.

    Third screenshot:  I will preface this with answering your question in the screenshot.  The UTM is not a true DNS server; however, it can still resolve your static entries you put in it for your local network.  Any DNS requests for internet traffic will use your DNS forwarder information, or if you have a separate DNS server you can specify that in the DNS settings (Network Services).  Most SOHO/Home users do not need this, and the UTM will work fine for anything internal.

    That being said, if you want to manually add devices on your network to identify and access them by name, I have attached a screenshot of what I would use, and you are close with your entries:

    The Name: field is just that - a name, and it can be anything you want.  It's just for you to identify which device it is and doesn't affect routing or anything.  It's just an identifier.

    Change your DHCP settings to use your internal DHCP server, unless you ever create an external entry for special routing or filtering needs.

    DNS Settings:  Like I had posted above, you need a proper naming convention:  <device>.alastair.local is what I used as an example.  So if you wanted to add a printer named 'Printer01', it would be printer01.alastair.local for your static entry to identify the device via name/IP. (Note that if you are choosing to make devices static from the DHCP window, the MAC address will show up automatically in that field, which is also why I suggested to create those device entries from the DHCP window, and it saves you some data entry time - that's how the devices know to get static IPs assigned because they are unique to devices).

    Leave the Advanced window alone and do not bind these to any interface.

    As for your last screenshot - well, I can say that might be too many entries.  Again, mine only consist of my Internal (Network) and my VPN Pool.  This is where you would allow any network to be able to use the DNS resolving that I just explained regarding your third screenshot.  Basically, every network entry you have there can get access to any DNS static entry you create on your internal network.  For me, I don't believe any Guest network or account needs access to any Internal resolving. If all of those entries are part of your internal network, you can leave them.  If you have an internal DNS Server (Not the UTM), then you would empty that field and leave it blank.


  • Hi and very many thanks.  First task was easy, I have been able to remove the "duplicate" WebAdmin entry so now all looks right and  is same as yours without the VPN Pool.

    Am busy on work so will need to resume later in week.  Hope this is OK.   

  • Hi Amodin,

    I have been busy with our book keeping and have forgotten everything I had been doing on this; clearly I am getting senile!!! 

    I do wish to pick up on this again with some simple DNS questions but should I continue here or start a new thread?  Not sure what is the correct form on this forum so please advise.

    Regards,

    Budge 

  • I think continuing here is fine, it keeps it to one post for people to review if they have the same issues.  I, along with others, am always lurking about.


  • Hi Amodin and many thanks for the reply. 

    I am trying to set up a fixed IP on my workstation.  Since I have been using our UTM I have put my workstation network connection on DHCP using Network Manager.  I now find I need to put the machine on a static or fixed IP and have been trying to set up my interface using Wicked, which is the standard for openSUSE if not using Network Manager.

    My problem is that I have no idea what DNS address I should use and how to configure my local firewall.  Just to remind you I have half a dozen subnets all defined by the UTM with two WAN connections, one set up when the UTM was installed with my main ISP and the other my fallback connection.  I have no idea what DNS should be used for my own subnet but I had assumed the one assigned by the UTM rather than trying to go back to the router but if I use the UTM DNS for the WAN connection, how is this connection routed to my subnet.

    Does this make sense?

    Budge