Dynamic DNS Keeps Names up to Date


WORKSHOP INFRASTRUCTURE

By Jeff Ballard

www.nwc.com | 9.22.2005 | NETWORK COMPUTING 63

It’s a chore to track the computer moves and changes within departments and offices in your organization. The Dynamic Host Configuration Protocol helps, but your Domain Name System entries typically will lag behind your moves or require manual updates. A better approach for updating your DNS entries is to use Dynamic DNS, which keeps your naming systems up to date automatically.

DHCP obviously goes a long way toward managing computer IP addresses on an enterprise network. Workstations pick up their IP addresses and network configurations from the DHCP server. When a department moves, its servers and workstations get new network configurations.

But keeping track of your IP addresses and assigning meaningful DNS entries to your servers and network services can be challenging with DHCP alone. It’s better to associate IP addresses on your network with meaningful DNS names so you can identify your networked computers reliably and easily. With DNS, your core systems can perform a DNS lookup, store that value and know which computer is using which IP address.

But if you’re running DHCP and DNS without a Dynamic DNS system, your host names probably don’t contain unique data about each computer—they probably look like this: dhcp-192-168-12-34.example.com. It’s more useful to have a DNS host name, such as accounting-sue.workstation.example.com, appear in your logs. This kind of naming is made much easier with DDNS. DDNS bridges the gap between dynamic DHCP and DNS, recording dynamic DHCP lease records logged for your IP-based services (particularly Web servers).

Before DDNS was widely available in DHCP and DNS products, many enterprises used proprietary methods to update DNS. These approaches are OK, but often are self-contained and difficult to support and maintain. You’d do better to incorporate DDNS products into your infrastructure.

DDNS Up Close

DDNS includes three advanced DNS features: dynamic update, notify and IXFR (incremental transfer).

Dynamic update is the process by which your DHCP server or other IP address service notifies the DNS server of new information. Using a secure connection, the DNS server is told, for instance, that workstation-bill.accounting.example.com is now at IP address 10.35.99.124. The DNS server remembers this information, discards the old information and begins answering any requests for the name of 10.35.99.124 as workstation-bill.accounting.example.com.

Most large organizations have more than one DNS server for redundancy and load sharing. In DNS terms, a zone is one of the parts of a DNS entry separated by a period: .accounting.example.com, for example. DNS information is stored and transferred relative to this zone. Internet Systems’ BIND (Berkeley Internet Name Daemon) open-source DNS server software, for instance, typically updates a secondary DNS server’s zone records every 15 minutes from its primary server, which doesn’t give you real-time information. But the zone-notify feature of DDNS fixes that: The primary DNS server notifies secondary DNS servers of the new, updated version of the DNS zone records. The secondary DNS server then knows it needs to fetch an updated copy of the zone file so its configuration matches the new values on the server.

If you’re not using DDNS, you have to transmit the entire copy of the zone to get that information across. This causes a problem for fully dynamic DNS entries—if you have a large or rapidly updating DNS zone, your servers will become bogged down. With DDNS’ IXFR feature, the secondary server asks the primary server only for incremental changes. If you have 10,000 DNS entries in your zone file, for example, and only three have changed, these three are sent from the primary to the secondary servers, rather than the entire zone.

Open Source and Commercial Servers

If you want to deploy a DNS server in a large network, the safest bet is to use BIND server software. It is well-supported and stable.

There are commercial DDNS products as well, which typically go beyond just DNS management and handle overall IP address management, too. Some examples include Infoblox Network Identity appliances, Lucent Technologies VitalQIP software and MetaInfo Meta IP software. These are turnkey solutions to IP address management and DNS/DDNS services.

If you decide to run BIND, make sure it’s at least version 9.2. Earlier versions have posed problems (see “Caught in a BIND,” below). BIND works on Apple Mac OS X, Linux, Windows and Unix.

Keys Are Key

It is important to update your data securely. If you don’t configure your DNS server to check who is sending updates, for instance, an intruder could redirect secure-intranet.example.com to www.i-am-a-hacker.com. Redundancy doesn’t help here—with dynamic update and IXFR, your redundant DNS servers just update this bad information quickly.

So be sure to use cryptographically strong keys when configuring DDNS updating. There are two methods for secure DDNS communications: TSIG (Transaction Signature) and SIG(0). TSIG keys are symmetric HMAC-MD5 (Hashing Message for Authentication MD5) keys. Symmetric keys are basically shared secrets. If any machine sending updates to your DNS server is compromised, the cat’s out of the bag because each machine and your DNS server share the same key. Still, TSIG keys typically are easy to set up and more widely supported in DNS and DHCP products than SIG(0) keys.

SIG(0) comprises a public/private key pair using any standard cryptographic method. It’s more secure than HMAC-MD5, but you’ll spend more time getting it to work. Each updater gets its own key, and most client software needs extra configuration to work with SIG(0).

You also can have multiple keys in your DNS configuration file, so *.a.example.com could have a key different from that of *.b.example.com. This way, you can limit the potential damage compromised keys can cause. But be careful with permissions. In Internet Systems’ BIND, for instance, the keys are in plain text in the configuration files, so you want to make sure the files have the proper permissions so only systems administrators can access them.

Time To Live

If your DDNS data is accessible from the Internet, how long should other Internet DNS servers cache your DDNS information? The length of time any DNS record should be cached is called the TTL (Time To Live). The lower this number, the quicker other Internet DNS servers learn about changes, but the more often they will be asking your DNS servers for information. The higher you make this number, the more out of date your DNS information could be on the Internet. But less frequent updates mean less load on your DNS servers.

Internet Systems’ DHCPD, for instance, uses a default TTL of one-half of the DHCP lease time. However, you might want to consider a much lower number. It’s not uncommon to use a time-out of about 30 seconds for rapidly changing networks.

During initial configuration, turn on all the logging features of your DNS and DHCP servers. After your DDNS system is up and running, you can dial back the settings to show only the errors you want to see—and can control. For example, DNS generates a lot of logs about poorly configured DNS servers on the Internet that are beyond your control, so there’s no need to log all that data.

The next step in building a dynamic IP address updating system is to configure your DHCP server to update the DNS server. Internet Systems’ DHCPD is the de facto standard DHCP server, and the current version, 3, sends dynamic updates to DNS.

Caught in a BIND

There have been several incidents this year of DNS cache poisoning, with Internet Systems’ BIND DNS server software acting as a forwarding name server.

A DNS server can be optimized to use another, larger name server—typically your ISP’s DNS server—as the first source for DNS information on the Internet. A forwarding name server is helpful because it greatly decreases the turnaround time for answers to DNS queries.

But a weakness in the DNS RFC specification could leave you vulnerable to DNS cache poisoning. In cache poisoning, the attacker redirects information about a well-known site such as www.nwc.com to a server he or she controls. The DNS server is tricked into getting information on www.nwc.com from the rogue ns1.i-am-a-hacker.com server, for example. So it always goes to the fake server for information on www.nwc.com. If www.nwc.com were your banking Web site, for instance, the attacker could steal all your financial information.

Although this hole was patched when it was discovered more than 10 years ago, BIND versions 4 and 8 acting as a forwarding name server will pass on this bad information. So if your ISP’s DNS server runs BIND 4 or 8, and you are using it as a forwarding name server, you could be receiving rogue data. The best bet is to use at least a BIND 9.2 server, which is immune to this cache poisoning, as your forwarding name server and for your internal DNS servers as well.
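The checks from "Keys Are Key" (every dynamic zone tied to a key, different zones on different keys, key files closed to ordinary users) can be automated. The following Python audit is an added example, not code from the article or from BIND; the sample configuration, key names and zone names are constructed, and it assumes a single file that uses allow-update lists (no include or update-policy statements).

```python
import os
import re
import stat
from collections import defaultdict

# Constructed sample, not from the article: hypothetical key and zone names,
# dummy base64 secrets (one deliberately contains "//" inside the quotes).
SAMPLE_NAMED_CONF = '''
// one key per updater limits the damage of a compromised key
key "dhcp-a" { algorithm hmac-md5; secret "QUFBQUFBQUFBQUFBQUFBQQ=="; };
key "dhcp-b" { algorithm hmac-md5; secret "QkJCQkJC//JCQkJCQkJCQg=="; };
zone "a.example.com"   { type master; file "db.a";   allow-update { key "dhcp-a"; }; };
zone "b.example.com"   { type master; file "db.b";   allow-update { key "dhcp-b"; }; };
zone "c.example.com"   { type master; file "db.c";   allow-update { key "dhcp-a"; }; };
zone "lab.example.com" { type master; file "db.lab"; allow-update { 10.35.99.0/24; }; };
zone "old.example.com" { type master; file "db.old"; allow-update { key "retired"; }; };
zone "static.example.com" { type master; file "db.static"; };
'''

# Quoted strings are matched first so comment markers inside a secret survive.
TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|[^\s{};"]+', re.S)


def tokens(text):
    """Split named.conf text into tokens, dropping comments."""
    return [t for t in TOKEN.findall(text) if not t.startswith(("//", "#", "/*"))]


def statements(toks):
    """Yield each top-level statement as a token list (terminating ';' removed)."""
    depth, cur = 0, []
    for t in toks:
        if t == ";" and depth == 0:
            if cur:
                yield cur
            cur = []
            continue
        depth += (t == "{") - (t == "}")
        cur.append(t)


def match_list(stmt, keyword):
    """Return the elements of `keyword { a; b; }` inside a statement, or []."""
    if keyword not in stmt:
        return []
    i, depth, elems, cur = stmt.index(keyword) + 2, 1, [], []
    while i < len(stmt):
        t = stmt[i]
        i += 1
        depth += (t == "{") - (t == "}")
        if depth == 0:
            break
        if t == ";" and depth == 1:
            if cur:
                elems.append(cur)
            cur = []
        else:
            cur.append(t)
    return elems


def audit(conf_text):
    """Return (subject, issue, detail) findings for dynamic-update key hygiene."""
    defined, users, findings = set(), defaultdict(list), []
    for stmt in statements(tokens(conf_text)):
        name = stmt[1].strip('"') if len(stmt) > 1 else ""
        if stmt[0] == "key":
            defined.add(name)
        elif stmt[0] == "zone":
            for elem in match_list(stmt, "allow-update"):
                if elem[0] == "key" and len(elem) > 1:
                    users[elem[1].strip('"')].append(name)
                elif elem != ["none"]:
                    # element is an address or ACL name, not a key reference
                    findings.append((name, "unsigned-update", " ".join(elem)))
    for key, zones in sorted(users.items()):
        if key not in defined:
            findings += [(z, "undefined-key", key) for z in zones]
        elif len(zones) > 1:
            findings.append((key, "key-shared", ",".join(zones)))
    return findings


def open_to_other_users(path):
    """True if the file grants any permission to users outside owner and group."""
    return bool(os.stat(path).st_mode & stat.S_IRWXO)


if __name__ == "__main__":
    for finding in audit(SAMPLE_NAMED_CONF):
        print(*finding, sep=" | ")
```

Run `open_to_other_users` against the configuration file and any separate key files; it assumes the name server itself reads them as owner or group.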
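The notify and IXFR behaviour described under "DDNS Up Close" can be modelled in a few lines. This Python simulation is an added example, not code from the article or from any DNS server: the class names, the journal size and the host names are assumptions, and it goes slightly beyond the text by showing the fallback to a full zone transfer when a secondary is too far behind the primary's change journal.

```python
class Primary:
    """Primary server: holds the zone plus a bounded journal of changes."""

    def __init__(self, records, journal_size=50):
        self.zone = dict(records)
        self.serial = 1
        self.journal = {}              # new serial -> (removed names, added records)
        self.journal_size = journal_size

    def dynamic_update(self, name, address):
        """Apply one dynamic update and record it under the next serial."""
        removed = [name] if name in self.zone else []
        self.zone[name] = address
        self.serial += 1
        self.journal[self.serial] = (removed, {name: address})
        self.journal.pop(self.serial - self.journal_size, None)  # drop oldest entry

    def transfer(self, have_serial):
        """Answer a transfer request from a secondary that holds have_serial."""
        wanted = range(have_serial + 1, self.serial + 1)
        if have_serial > 0 and all(s in self.journal for s in wanted):
            return "ixfr", self.serial, [self.journal[s] for s in wanted]
        return "axfr", self.serial, dict(self.zone)   # full copy of the zone


class Secondary:
    def __init__(self):
        self.zone, self.serial = {}, 0

    def on_notify(self, primary):
        """React to a notify: fetch changes, return (transfer kind, records sent)."""
        kind, serial, payload = primary.transfer(self.serial)
        if kind == "axfr":
            self.zone, sent = payload, len(payload)
        else:
            sent = 0
            for removed, added in payload:
                for name in removed:
                    self.zone.pop(name, None)
                self.zone.update(added)
                sent += len(added)
        self.serial = serial
        return kind, sent


def demo():
    # Constructed zone of 10,000 entries, matching the article's example size.
    records = {f"host{i}.accounting.example.com": f"10.35.{i // 250}.{i % 250 + 1}"
               for i in range(10000)}
    primary, fresh, stale = Primary(records), Secondary(), Secondary()
    first = fresh.on_notify(primary)          # initial load is a full transfer
    stale.on_notify(primary)
    primary.dynamic_update("workstation-bill.accounting.example.com", "10.35.99.124")
    primary.dynamic_update("host1.accounting.example.com", "10.35.99.125")
    primary.dynamic_update("host2.accounting.example.com", "10.35.99.126")
    second = fresh.on_notify(primary)         # only the three changes travel
    for i in range(60):                       # 'stale' misses these notifies
        primary.dynamic_update(f"host{i + 100}.accounting.example.com", "10.35.98.1")
    third = stale.on_notify(primary)          # journal no longer reaches back
    return first, second, third, stale.zone == primary.zone


if __name__ == "__main__":
    print(demo())
```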