
DNS Help/guidance requested please.

I have a small soho network  which is connected to the WAN through a UTM.  I have enabled DNS services on subnets using the UTM.  I do not have a local DNS set up on my machines.

Recently I have run into authentication issues with a shared NAS device and am thinking of running an LDAP server on the NAS as it has this capability built in.

The first setting I have to complete is for an FQDN on the LDAP server and an example was suggested.  This suggestion was along the lines "my.server.com." 

I wondered why .com since I hope the LDAP will be contained within the LAN and not connect beyond. 

What will the top level domain name be if I create a dedicated FQDN for my LDAP server? As it will be a private domain, can I use a more appropriate top level such as .org, or what?

In addition to setting up the LDAP I am also planning to set up an NFSv4 server on my network and this will require DNS. Does this mean I must set up my own DNS, or can I use the service provided on the UTM?

Sorry to be so dumb but am having to learn a lot of new stuff I have not needed before!!!

Budge

  • If you are assigning it local DNS for your internal network, you wouldn't use a .com address for that.  Instead, you would use something like NAS.budgie2.home and create a DNS entry on the UTM.  You would create DNS entries for each device, and the easiest way I do that is through the IPv4 Lease Table, so you can just click 'Make Static' and it pulls up the interface for you to create a new Host entry.  I do that for all of my server-type devices and core items (switches, servers, APs, etc).

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Hi and many thanks.  That seems really neat but I am not sure what I am doing so please help me further here. 

    For example I have a NAS which has a static IP on a subnet which is configured on UTM interfaces and uses the start address of the subnet for the DNS. The NAS is usually accessed by the web interface from one of the workstations on the same subnet.  The NAS has internet access for updates etc. and I can see it on the lease table.

    If I do as you suggest and create a new Host with a DNS hostname, does this work alongside the existing DNS connection configured on the UTM?

    I am seeking to do this to set up an LDAP server on the NAS which asks for the FQDN.  How do other devices work in this situation when LDAP is in use?

    As you can tell I am a real beginner still so hope you will forgive my dumb questions.

    Regards,

    Budge

  • First screenshot

    This shows what seems to be a duplicate for my home network.  It was set up by my supplier when UTM was installed by him.  It doesn't look right to me here but I don't want to remove and lose log in access.

    The second screen shot

    Intended to show what I think is a duplicate but when I try and delete I get an error message as it is required by WebAdmin.

    This is the third screenshot  which is where I have been trying to follow your instructions and shows where I am not sure of the right entries and finally my last screenshot which, if you were in any doubt, confirms my ignorance!!!

    BTW I read your profile and clearly I am in the hands of the Master.  Sorry I am such a poor student but am for ever grateful for your patience and help.

  • Well, I wish I were a master at this, but there are some who are far more qualified than I am, haha.  But I appreciate the sentiment!

    First screenshot:  This just reeks of 'wrong' to me, but without seeing what the specifics are of that network (Alastair), I can't be 100% sure.  What your first screenshot is showing is 'what network are you giving access to in order to reach Webadmin'.  Personally, nothing but my Internal (Network) gets this access.  If I know I am going to be traveling, I will add my VPN Pool to it, and remove it from there when I get home.  The current one you have there now is a network group, and it could be legitimate; however, I go with what I know. This is an example of what mine looks like.  Note the identifying icon:

    Why yours is set up the way it is - I don't know, it could be a way of doing the same thing, but I agree you are correct that it's most likely duplicate.  I would personally replace it with the Alastair (Network) if it is the same network IP information and get rid of the other one.  You can delete it once you've confirmed it's no longer needed.

    Third screenshot:  I will preface this with answering your question in the screenshot.  The UTM is not a true DNS server; however, it can still resolve your static entries you put in it for your local network.  Any DNS requests for internet traffic will use your DNS forwarder information, or if you have a separate DNS server you can specify that in the DNS settings (Network Services).  Most SOHO/Home users do not need this, and the UTM will work fine for anything internal.

    That being said, if you want to manually add devices on your network to identify and access them by name, I have attached a screenshot of what I would use, and you are close with your entries:

    The Name: field is just that - a name, and it can be anything you want.  It's just for you to identify which device it is and doesn't affect routing or anything.  It's just an identifier.

    Change your DHCP settings to use your internal DHCP server, unless you ever create an external entry for special routing or filtering needs.

    DNS Settings:  Like I had posted above, you need a proper naming convention:  <device>.alastair.local is what I used as an example.  So if you wanted to add a printer named 'Printer01', it would be printer01.alastair.local for your static entry to identify the device via name/IP. (Note that if you are choosing to make devices static from the DHCP window, the MAC address will show up automatically in that field, which is also why I suggested to create those device entries from the DHCP window, and it saves you some data entry time - that's how the devices know to get static IPs assigned because they are unique to devices).

    Leave the Advanced window alone and do not bind these to any interface.

    As for your last screenshot - well, I can say that might be too many entries.  Again, mine only consist of my Internal (Network) and my VPN Pool.  This is where you would allow any network to be able to use the DNS resolving that I just explained regarding your third screenshot.  Basically, every network entry you have there can get access to any DNS static entry you create on your internal network.  For me, I don't believe any Guest network or account needs access to any Internal resolving. If all of those entries are part of your internal network, you can leave them.  If you have an internal DNS Server (Not the UTM), then you would empty that field and leave it blank.

  • Hi and very many thanks.  First task was easy, I have been able to remove the "duplicate" WebAdmin entry so now all looks right and  is same as yours without the VPN Pool.

    Am busy on work so will need to resume later in week.  Hope this is OK.

  • Hi Amodin,

    I have been busy with our book keeping and have forgotten everything I had been doing on this; clearly I am getting senile!!! 

    I do wish to pick up on this again with some simple DNS questions but should I continue here or start a new thread?  Not sure what is the correct form on this forum so please advise.

    Regards,

    Budge 

  • I think continuing here is fine, it keeps it to one post for people to review if they have the same issues.  I, along with others, are always lurking about.

  • Hi Amodin and many thanks for the reply. 

    I am trying to set up a fixed IP on my workstation.  Since I have been using our UTM I have put my workstation network connection on DHCP using Network Manager.  I now find I need to put the machine on a static or fixed IP and have been trying to set up my interface using Wicked, which is the standard for openSUSE if not using Network Manager.

    My problem is that I have no idea what DNS address I should use and how to configure my local firewall.  Just to remind you, I have half a dozen subnets all defined by the UTM with two WAN connections, one set up when the UTM was installed with my main ISP and the other my fallback connection.  I have no idea what DNS should be used for my own subnet, but I had assumed the one assigned by the UTM rather than trying to go back to the router. But if I use the UTM DNS for the WAN connection, how is this connection routed to my subnet?

    Does this make sense?

    Budge

  • I think I covered this in both of my marked posts of 'Suggested Answers' ad nauseam. If there is something there that isn't clear, please let me know!

  • Hi Amodin,  I have moved on slightly and all has been well thanks to your help earlier.  In continuing my slow attempts to improve our network however, I have been advised that a better solution than using static IPs on a device is to set them up as static IPs on the UTM end.  This is possible but there is one question concerning how I organize my devices.

    Having started out with static IPs I had adopted a logic for arranging these in numbered sequences, for example switches .129 to .140, APs .141 to .150, NAS devices etc. .151 to .160.  To do this I have withheld the first thirty-two addresses from the DHCP server and these have been used for access.

    If I wish to set a static address I can do this from the DHCP leases, but these are in a random list depending on which subnet and which device has active leases.

    I cannot reconfigure everything at once, so if possible I would like to set a static IP from the UTM but using an address which is not in the DHCP pool, which would then allow me to get rid of the static IP and revert to DHCP on the device.  Is this even possible and if so how would it work? I assume using MAC address and hostname, but I may be thinking nonsense and need to ask.

  • Further to this I have read up the help notes and have now been able to set up a couple of devices.  The help notes make it clear that what I am doing is correct in that I have used IPs from outwith the DHCP pool.  What I am less clear about is the reverse DNS.  I have ticked this box and inserted the relevant MAC address, but am not sure if I am right.

    Another question concerns the devices which have both eth0 and wlan0 connections available.  Is it OK to have two MAC addresses for only one IP?

    Will keep reading and hope you can let me know if I am on right track.

    Regards,

    Budge 

  • So from your DHCP scope, you can still create your static IP addresses, even though they have been handed one IP, you can follow the same steps I outlined above, and just change the addresses to whatever you want them to be on the UTM for each device. You will still reference the DHCP server by changing it from 'No DHCP Server' to the one that you have created, and assigning whatever IP address you want in the address field.

    So if you have an address as an example of 192.168.0.150 assigned to it from the DHCP, but you want it from your range of IPs that you set aside, like .30, then just change it on the UTM (how I screenshot it above in my second suggested answer post). You will have to assign it the DHCP Server regardless of whether you use the IP range or not, or it won't allow the creation of the Host (and that's okay).  

    As far as assigning one IP address multiple MAC addresses - yes, that's exactly what you want.  UTM Home has a 50 IP limit, and there is little to no sense assigning multiple IPs to the same machine.  I have that set up for my laptops which have Wireless capability and Wired capability.  Just add the MAC address to the existing Host on UTM by modifying it on UTM.

    Reverse DNS is just allowing you to access something with a NAME instead of an IP Address.  So if you want to access a NAS or NVR by webpage, and it has an address as an example of 192.168.0.50, and it is assigned a DNS name in your Reverse DNS of NAS.Budgie2.home (or whatever you assign it) you can open a page and type the name in, instead of trying to remember the IP address to type in to access it.

