DNS Help/guidance requested please.

Question

I have a small soho network which is connected to the WAN through a UTM. I have enabled DNS services on subnets using the UTM. I do not have a local DNS set up on my machines. 
 Recently I have run into authentication issues with a shared NAS device and am thinking of running an LDAP server on the NAS as it has this capability built in. 
 The first setting I have to complete is for an FQDN on the LDAP server and an example was suggested. This suggestion was along the lines "my.server.com." 
 I wondered why .com since I hope the LDAP will be contained within the LAN and not connect beyond. 
 What will the top level domain name be if I create a dedicated FQDN for my LDAP sever. As it will be a private domain can I use a more appropriate top level such as .org or what? 
 In addition to setting up the LDAP I am also planning to set up an NSFv4 sever on my network and this will require DNS. Does this mean I must set up my own DNS or can I use the service provided on the UTM. 
 Sorry to be so dumb but am having to learn a lot of new stuff I have not needed before!!! 
 Budge

PhilippRusch · Accepted Answer

Hi Budge, 
 You are overcomplicating things: DNS and LDAP are completely separate services, which perfectly work alongside. So one would not disturb the other when setup on the same LAN or server. Although an LDAP needs a correct and working DNS as a precondition, as you already know. You normally have one or more DNS inside your LAN, if you want to resolve internal servernames. The UTM has the ability to serve as a DNS, with some limitations. So the first thing you should do is to find an internal DNS domain name, you want to use on all of your systems. This could be budge.local or budgie2.home or blabla.internal. It should NOT use some of commen .TLD endings which are used in the public internet. So no .com , .org .net or alike. Then define thos host entries like Amodin showed you, and the UTM will happily resolve these. If you request Name resoltuion for a domain outside this internal used one, the UTM forwards this request to the DNS-forwarders you already have setup, did you? 
 Hope this helps.

Amodin · Answer

If you are assigning it local DNS for your internal network, you wouldn't use a .com address for that. Instead, you would use something like NAS.budgie2.home and create a DNS entry on the UTM. You would create DNS entries for each device, and the easiest way I do that is through the IPv4 Lease Table, so you can just click 'Make Static' and it pulls up the interface for you to create a new Host entry. I do that for all of my server-type devices and core items (switches, servers, APs, etc).

Amodin · Answer

Well, I wish I were a master at this, but there are some who are far more qualified than I am, haha. But I appreciate the sentiment! 
 First screenshot: This just reeks of 'wrong' to me, but without seeing what the specifics are of that network (Alastair), I can't be 100% sure. What your first screenshot is showing is 'what network are you giving access to in order to reach Webadmin'. Personally, nothing but my Internal (Network) gets this access. If I know I am going to be traveling, I will add my VPN Pool to it, and remove it from there when I get home. The current one you have there now is a network group, and it could be legitimate; however, I go with what I know. This is an example of what mine looks like. Note the identifying icon: 
 
 Why yours is set up the way it is - I don't know, it could be a way of doing the same thing, but I agree you are correct that it's most likely duplicate. I would personally replace it with the Alastair (Network) if it is the same network IP information and get rid of the other one. You can delete it once you've confirmed it's no longer needed. 
 Third screenshot: I will preface this with answering your question in the screenshot. The UTM is not a true DNS server; however, it can still resolve your static entries you put in it for your local network. Any DNS requests for internet traffic will use your DNS forwarder information, or if you have a separate DNS server you can specify that in the DNS settings (Network Services). Most SOHO/Home users do not need this, and the UTM will work fine for anything internal. 
 That being said, if you want to manually add devices on your network to identify and access them by name, I have attached a screenshot of what I would use, and you are close with your entries: 
 
 The Name: field is just that - a name, and it can be anything you want. It's just for you to identify which device it is and doesn't affect routing or anything. It's just an identifier. 
 Change your DHCP settings to use your internal DHCP server, unless you ever create an external entry for special routing or filtering needs. 
 DNS Settings: Like I had posted above, you need a proper naming convention: <device>.alastair.local is what I used as an example. So if you wanted to add a printer named 'Printer01', it would be printer01.alastair.local for your static entry to identify the device via name/IP. (Note that if you are choosing to make devices static from the DHCP window, the MAC address will show up automatically in that field, which is also why I suggested to create those device entries from the DHCP window, and it saves you some data entry time - that's how the devices know to get static IPs assigned because they are unique to devices). 
 Leave the Advanced window alone and do not bind these to any interface. 
 As for your last screenshot - well, I can say that might be too many entries. Again, mine only consist of my Internal (Network) and my VPN Pool. This is where you would allow any network to be able to use the DNS resolving that I just explained regarding your third screenshot. Basically, every network entry you have there can get access to any DNS static entry you create on your internal network. For me, I don't believe any Guest network or account needs access to any Internal resolving. If all of those entries are part of your internal network, you can leave them. If you have an internal DNS Server (Not the UTM), then you would empty that field and leave it blank.

DNS Help/guidance requested please.

Top Replies