Barracuda CloudGen Firewall

How to Configure DNS Zones ://campus.barracuda.com/doc/12198234/

The Barracuda NG Firewall DNS configuration object contains two predefined zones: _template and '.'. To be able to edit and specify DNS zones within the Barracuda NG Firewall DNS configuration, you must first create a DNS service. For more information, see How to Activate the DNS Server.

Zone 1: _template

This zone contains the general template, which is used as the model for all newly created zones. The procedure for creating and modifying template settings is identical to the procedure for creating and editing settings in any other zone. Note that a new zone inherits only those template settings that already existed when the zone was created; settings added to the template later are not propagated to existing zones. To access the _template zone, proceed with the following steps:

1. Log into the Barracuda NG Firewall.
2. From the Config Tree, expand Box > Virtual Servers > your server > Assigned Services > DNS.
3. Expand the DNS service and open the DNS Template Zone by double-clicking it.
4. Double-click the entry (_template) to create or modify settings for SOA, primary server, name server, etc.
5. Right-click into the main window to create new hosts, mail exchangers, etc. Every setting made here is arranged in a separate row within the main window and can be selected for further modification or deletion.

Zone 2: '.'

The initial set of root servers is defined using a hint zone. When the server starts up, it uses the hint zone file to find a root server and fetch the most recent list of root name servers. The "." zone is short for this root zone and covers any name for which there is no locally defined zone (slave or master) and no cached answer.

Do NOT modify the root server settings unless you know exactly what you are doing.

Add a New Zone

To introduce a new zone, right-click your DNS server and select Lock Server. Optionally, you may lock the DNS server already in the config tree. The configuration can now be modified. Select Add New Zone from the context menu and configure the following options:

Parameter Overview

Type - The zone type. Depending on the selected type, the necessary settings may differ slightly; such settings are marked with (optional) below.
⚬ Master - Every domain configuration change takes place on the master. From here the information is propagated to the secondary servers. A master zone requires at least a Start of Authority (SOA) record and a Name Server (NS) record. Be sure to examine the security settings of the master zone, since a corrupt master zone can cause a lot of problems.
⚬ Slave - A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone. DNS slave zones do not require much configuration; just enter the IP addresses of the master server (or servers) and examine the security settings. Be sure to set a transfer-source-ip, otherwise the slave zone will not be accepted by the DNS server.
⚬ Forward - A forward zone is used to direct all queries in it to other servers. The specification of options in such a zone will override any global options declared in the options statement. A forward zone does not need a transfer-source-ip. Be sure to check the security settings.
⚬ Hint - The initial set of root name servers is specified using a hint zone. When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers. The Barracuda NG Firewall DNS server already has a hint zone (Zone ".") pre-configured, so normally there is no need to introduce another hint zone.
Origin Domain Name - Enter the domain name you wish to create here (for example, barracuda.com).
Lookup - This section is used for defining whether the zone should perform Forward or Reverse lookup. DNS forward lookup provides IP addresses for known host names, while reverse lookup provides host names for known IP addresses. The Barracuda NG Firewall DNS server is able to provide DNS reverse lookup only for 8-bit networks (like 213.47.10.0/24).
Masters (optional) - This field is available when type Slave is selected. Enter the master IP addresses here.
Forwards (optional) - This field is available when type Forward is selected. Enter the forward IP addresses here.

By clicking the advanced button, a new window appears containing additional settings:

notify - Allows the administrator to select whether the DNS server should notify slave DNS servers about zone changes. Possible values for selection are yes, no and explicit. If explicit is selected, enter the explicit IP addresses in the also notify field below.
also notify - Here you may enter a list of IPv4 or IPv6 hosts that should be notified about zone changes although these machines are not registered slaves of the DNS server. Separate multiple entries with a semicolon and space (like 10.0.0.53; 10.0.0.67; 192.168.0.10; 2001:db8:85a3:0:0:8a2e:370:7334).
transfer-source-ip - This field is only available for type Slave. It defines the IP address the slave has to use when contacting its master DNS server. The following options are available:
⚬ service-default
⚬ server-first
⚬ server-second
⚬ explicit
Slave zones must have a transfer-source-ip to work.

Advanced Settings – Section Security

This section offers detailed security options for the DNS service. Each pull-down field can take the value none or any.

allow notify - This field is only available for type Slave. It defines whether the slave accepts notifications about updates from its master.
allow query - Lists the IPv4 or IPv6 hosts that are allowed to query the DNS server. By default, all hosts are allowed to query the DNS server.
allow update - Lists the IPv4 or IPv6 hosts that are allowed to update the database of the DNS server.
allow transfer - Lists the IPv4 or IPv6 hosts that are allowed to fetch the DNS database (the whole zone) from the DNS server.
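The zone type rules and the security pull-downs described above lend themselves to a quick pre-activation check. The following Python script is an added example written for this article; it is not Barracuda code and does not read the firewall's configuration. It audits a constructed set of zone settings (the dictionary keys and sample values are assumptions made for the example) against the rules stated on this page: a master zone needs SOA and NS records, a slave zone is rejected without a transfer-source-ip, notify explicit needs an also notify list, and allow transfer or allow update set to any exposes the zone to every host.

```python
import ipaddress

# Constructed sample zones modelled on the parameters described above.
# The dictionary layout is an assumption made for this example; it is not
# the firewall's own configuration format.
SAMPLE_ZONES = {
    "barracuda.example": {                  # constructed master zone
        "type": "master",
        "records": ["SOA", "A", "MX"],      # NS record forgotten
        "notify": "explicit",
        "also_notify": "10.0.0.53; 10.0.0.67; 2001:db8:85a3:0:0:8a2e:370:7334",
        "allow_query": "any",
        "allow_update": "any",              # anyone may rewrite the zone
        "allow_transfer": "any",            # anyone may fetch the whole zone
    },
    "branch.example": {                     # constructed slave zone
        "type": "slave",
        "masters": "10.0.0.53",
        "transfer_source_ip": None,         # not set: server will reject the zone
        "allow_notify": "any",
        "allow_query": "any",
        "allow_transfer": "none",
    },
}


def parse_host_list(text):
    """Split a 'masters' / 'also notify' style list ("a; b; c") into
    (valid_addresses, invalid_entries)."""
    valid, invalid = [], []
    for item in (text or "").split(";"):
        item = item.strip()
        if not item:
            continue
        try:
            valid.append(ipaddress.ip_address(item))
        except ValueError:
            invalid.append(item)
    return valid, invalid


def audit_zone(name, zone):
    """Return a list of human-readable findings for one zone's settings."""
    findings = []
    ztype = zone.get("type")

    if ztype == "master":
        for required in ("SOA", "NS"):
            if required not in zone.get("records", []):
                findings.append(f"{name}: master zone lacks required {required} record")

    if ztype == "slave":
        if not zone.get("transfer_source_ip"):
            findings.append(f"{name}: slave zone has no transfer-source-ip; "
                            "the DNS server will not accept it")
        masters, bad = parse_host_list(zone.get("masters"))
        if not masters:
            findings.append(f"{name}: slave zone lists no master server")
        for entry in bad:
            findings.append(f"{name}: masters entry {entry!r} is not an IP address")

    if zone.get("notify") == "explicit":
        targets, bad = parse_host_list(zone.get("also_notify"))
        if not targets:
            findings.append(f"{name}: notify is explicit but 'also notify' is empty")
        for entry in bad:
            findings.append(f"{name}: also notify entry {entry!r} is not an IP address")

    # Security pull-downs: 'any' on transfer or update exposes the zone data.
    if ztype in ("master", "slave") and zone.get("allow_transfer") == "any":
        findings.append(f"{name}: allow transfer is 'any'; every host can pull the zone")
    if zone.get("allow_update") == "any":
        findings.append(f"{name}: allow update is 'any'; every host can change the zone")

    return findings


def audit_all(zones):
    """Audit every zone and return {zone_name: [findings]} for zones with issues."""
    report = {}
    for name, zone in zones.items():
        found = audit_zone(name, zone)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for zone_name, issues in audit_all(SAMPLE_ZONES).items():
        for issue in issues:
            print(issue)
```

Run it as a script to print the findings for the two constructed zones; in practice you would fill SAMPLE_ZONES from the values you intend to enter in the Add New Zone and Advanced dialogs and fix every finding before clicking Send Changes and Activate.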

Edit/Add a New Start of Authority

At creation time of the Barracuda NG Firewall DNS Server, a standard template is created which is automatically inherited by newly generated zones. This template may be freely deleted or modified. If you have deleted it and have then created a new zone, proceed as follows:

1. Select the newly created domain lacking a SOA record in the tree view, right-click the main window and choose Add a New Start of Authority (SOA).
2. If the SOA record already exists, double-click an existing entry with type NS or SOA and select the Start of Authority (SOA) tab.

DNS Server - SOA Configuration

Serial - Enter a serial number here. Clicking Update will increase the serial number by one. The serial number of the master has to be higher than the serial number saved on the slave, otherwise the slave will stop fetching information updates from its master.
Primary Server - Select the primary name server of the domain here. By clicking Pickup, already created entries can be selected.
Responsible person - Use this field to define a person responsible for this host/zone. The syntax that has to be used is username.domain (for example ernestexample.test.org). By clicking Pickup, already created entries can be selected.
Refresh after - This interval tells the slave how often it has to check whether its data is up to date.
Retry after - When the slave fails to reach the master server after the refresh period (Refresh after), it starts trying again after this set time interval.
Expire after - When the slave fails to contact the master server for the expire period, the slave expires its data. Expiring means that the slave stops giving out answers about the data because the data is too old to be useful.

Minimum TTL (standard) - This value sets the Time To Live of cached database entries of this zone. The format for TTL is days:hours:minutes:seconds.
Expire (TTL) - This value sets the Time To Live of cached database entries of this zone until it is considered as expired. The format for TTL is days:hours:minutes:seconds.
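The SOA fields above interact: the serial decides whether a slave pulls at all, and refresh, retry and expire decide when it checks and when it stops answering. The Python example below is added for this article and is not Barracuda code; it converts the dialog's days:hours:minutes:seconds format to seconds, models the serial comparison and the slave's refresh/retry/expire behaviour as described above, and applies a plausibility check on the timer ordering (retry shorter than refresh, expire longer than refresh) that is an assumed best practice, not a rule stated on this page. The SAMPLE_SOA values are constructed.

```python
from dataclasses import dataclass


def parse_ttl(text):
    """Convert the days:hours:minutes:seconds format used in the SOA dialog into seconds."""
    parts = text.split(":")
    if len(parts) != 4:
        raise ValueError(f"expected days:hours:minutes:seconds, got {text!r}")
    days, hours, minutes, seconds = (int(p) for p in parts)
    if days < 0 or not (0 <= hours < 24 and 0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError(f"field out of range in {text!r}")
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


@dataclass
class Soa:
    """The SOA values of a zone, timers already converted to seconds."""
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum_ttl: int


# Constructed example values, entered in the dialog's days:hours:minutes:seconds format.
SAMPLE_SOA = Soa(
    serial=2021050101,
    refresh=parse_ttl("0:3:0:0"),      # slave checks every 3 hours
    retry=parse_ttl("0:1:0:0"),        # after a failed check, try again in 1 hour
    expire=parse_ttl("7:0:0:0"),       # give up on stale data after 7 days
    minimum_ttl=parse_ttl("0:1:0:0"),
)


def bump_serial(serial):
    """What the Update button does: raise the serial by one so slaves notice the change."""
    return serial + 1


def slave_will_update(master_serial, slave_serial):
    """A slave only pulls the zone when the master's serial is strictly higher."""
    return master_serial > slave_serial


def check_soa_timers(soa):
    """Plausibility checks on the timer relationships (assumed best practice)."""
    findings = []
    if soa.retry >= soa.refresh:
        findings.append("retry should be shorter than refresh")
    if soa.expire <= soa.refresh:
        findings.append("expire must be longer than refresh or the slave expires between checks")
    if soa.serial <= 0:
        findings.append("serial must be a positive number")
    return findings


def slave_state(soa, seconds_since_success, last_attempt_failed):
    """Model the slave's view of its zone copy at a given moment.

    seconds_since_success: time since the slave last reached the master.
    last_attempt_failed:   whether the most recent check failed.
    """
    if seconds_since_success >= soa.expire:
        return "expired"          # slave stops answering for this zone
    if seconds_since_success < soa.refresh:
        return "fresh"            # nothing to do until refresh elapses
    return "retrying" if last_attempt_failed else "refresh due"


def next_attempt_delay(soa, last_attempt_failed):
    """How long the slave waits before contacting the master again."""
    return soa.retry if last_attempt_failed else soa.refresh


if __name__ == "__main__":
    print("timer findings:", check_soa_timers(SAMPLE_SOA))
    print("4h after last success, last check failed:",
          slave_state(SAMPLE_SOA, parse_ttl("0:4:0:0"), last_attempt_failed=True))
    print("slave pulls after Update?",
          slave_will_update(bump_serial(SAMPLE_SOA.serial), SAMPLE_SOA.serial))
```

The practical consequence of slave_will_update is the one the Serial row warns about: if you edit the zone but forget to click Update, the slaves keep serving the old data until their copy expires.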

Edit/Add a New Name Server

1. To introduce a new Name Server (NS), right-click the right part of the window and select New Name Server (NS).
2. If a name server has already been created, open an existing entry with type SOA or NS and click the Nameserver (NS) tab.

A new name server can only be entered if the SOA has already been generated.

Name Server Configuration

Superordinate domain - This is a read-only field. It displays the name of the domain the name server will be responsible for.
Add/Modify/Delete - To add name servers, click Add.
• Servername - This is the name of the name server.
• IP Address - This is the IPv4 or IPv6 address of the name server.
• Expire (TTL) - This is the globally defined length of life that future name server records are expected to have. The format for the Time to Live (TTL) is days:hours:minutes:seconds.

Add a New Host

To introduce a new host, right-click the main window and select New Host. Entries made in the individual tabs will be saved in separate rows of type A, TXT, HINFO and WKS within the main configuration window. Select the Add corresponding reverse lookup entry (PTR) check box to automatically create a pointer record when creating the A-Record.

For the pointer record to work, the matching reverse zone, as described in the last section of this article (Reverse Lookup Zones), must already exist.

Host Configuration

Superordinate domain - This read-only field displays the name of the domain in which the new host is created (this field is also displayed in all other tabs of this window).
Host - Enter the name of the host here (in all other tabs of this window this field is also displayed, but read-only).
IP address - To enter a new host IPv4 address, click Add. To delete an existing address, click Delete.
Expire (TTL) - The format for this field is days:hours:minutes:seconds.

Host Information (HINFO) Tab

The fields of this tab (Hardware Type and Operating System) can be used to provide information on the hardware and operating system of the host.

Text (TXT) Tab

Text - In this field, any text can be entered, for example a description of the system to simplify maintenance of the DNS database.
Expire (TTL) - The format for this field is days:hours:minutes:seconds.

Well-Known Services (WKS) Tab

Enter the IPv4 address and the used protocol in the appropriate fields. The services must be entered in plain text and separated with blanks (like: ssh smtp ftp).

Add a New Mail-Exchanger

To introduce a new mail exchanger, right-click the main window and select New Mail-Exchanger.

Mail-Exchanger Configuration

Superordinate domain - This is a read-only field. It displays the name of the domain the mail exchanger handles mail traffic for (this field is also displayed in all other tabs of this window).

Host - Depending on your needs, one of the following values is entered here:
@ - the mail exchanger is responsible for @domain.com
any_text - the mail exchanger is responsible for @any_text.domain.com
Mailserver (A) - Here the name of the mail server must be entered. To select existing entries, click Pickup.
Mailserver priority - Use this field to set the mail server priority.
Expire (TTL) - The format for this field is days:hours:minutes:seconds.

Mailbox information (MINFO) Tab

Mailbox (MB) - Here the name of the mailbox has to be entered. To select existing entries, click Pickup.
Error mailbox (MB) - Here the name of the error mailbox has to be entered. To select existing entries, click Pickup.
Expire (TTL) - The format for this field is days:hours:minutes:seconds.

Well-Known Services (WKS) Tab

Enter the IPv4 address and the used protocol in the appropriate fields. The services must be entered in plain text and separated with blanks (for example telnet ssh smtp ftp).

Add a New Domain

To introduce a new subdomain, right-click the main window and select New Domain.

Enter a name for the new sub-domain. After clicking OK, the new subdomain displays in the DNS tree. Within the new sub-domain, you are able to perform the same operations as described above.

Completely set up new subdomains before clicking Send Changes and Activate. Otherwise, incompletely configured subdomains are deleted.

Add New Others

There are several other objects you can add to your DNS configuration.

These objects can be introduced by right-clicking in the right part of the DNS config window and selecting New Others.

The following objects can be added to the DNS configuration:

Parameter Overview

A - New host.
AAAA - IPv6 address.
AFSDB - AFSDB records specify the hosts that provide a style of distributed service advertised under this domain name. A subtype value (analogous to the preference value in the MX record) indicates which style of distributed service is provided with the given name. Subtype 1 indicates that the named host is an AFS® database server for the AFS cell of the given domain name. Subtype 2 indicates that the named host provides intra-cell name service for the DCE cell named by the given domain name.
CNAME - CNAME specifies an alias or nickname for the official or canonical name. An alias should be the only record associated with the alias; all other resource records should be associated with the canonical name and not with the alias. Any resource records that include a zone name as their value (for example, NS or MX) must list the canonical name, not the alias. This resource record is especially useful when changing machine names.
DNAME - DNAME specifies an alias for one or more subdomains of a domain. The effect of this is that the entire subtree of DNS identified by the domain name can be mapped onto the target domain.
HINFO - HINFO records contain host-specific data. They list the hardware and operating system that are running on the listed host. If you want to include a space in the machine name, you must quote the name. Host information is not specific to any address class, so ANY may be used for the address class. There should be one HINFO record for each host. For security reasons, many sites do not include the HINFO record, and no applications depend on this record.
ISDN - Representation of ISDN addresses.
MB - MB lists the machine where a user wants to receive mail. The "name" field is the user's login; the machine field denotes the machine to which mail is to be delivered. Mailbox names should be unique to the zone.
MG - The mail group record (MG) lists members of a mail group.
MINFO - MINFO creates a mail group for a mailing list. This resource record is usually associated with a mail group, but it can be used with a mailbox record. The "name" specifies the name of the mailbox. The "requests" field is where mail, such as requests to be added to a mail group, should be sent. The "maintainer" is a mailbox that should receive error messages. This is particularly appropriate for mailing lists when errors in members' names should be reported to a person different from the sender.

MR - MR records list aliases for a user. The "name" field lists the alias for the name listed in the fourth field, which should have a corresponding MB record.
MX - MX records specify a list of hosts that are configured to receive mail sent to this domain name. Every host that receives mail should have an MX record, since if one is not found at the time the mail is delivered, an MX value will be imputed with a cost of 0 and a destination of the host itself.
NAPTR - NAPTR records map between sets of URNs, URLs and plain domain names and suggest to clients what protocol should be used to talk to the mapped resource. For example, NAPTR is used in SIP. The SIP URN for the US telephone number 1-800-555-1234 would be tel:+1-800-555-1234 and its domain name sipcalls.sip.com.
NS - NS lists a name server responsible for a given zone. The first "name" field lists the zone that is serviced by the listed name server. There should be one NS record for each name server of the zone, and every zone should have at least two name servers, preferably on separate networks.
PTR - PTR allows special names to point to some other location in the domain. The following example of a PTR record is used in setting up reverse pointers for the special in-addr.arpa domain. This line is from the example mynet.rev file. In this record, the "name" field is the network number of the host in reverse order. You only need to specify enough octets to make the name unique.
RP - RP identifies the name (or group name) of the responsible person(s) for a host. This information is useful in troubleshooting problems over the network.
RT - Route-through binding for hosts that do not have their own direct wide area network addresses (experimental).
SRV - Information on well-known network services (replaces WKS).
TXT - A TXT record contains free-form textual data. The syntax of the text depends on the domain in which it appears; several systems use TXT records to encode user databases and other administrative data.
WKS - WKS records describe the well-known services supported by a particular protocol at a specified address. The list of services and port numbers comes from the list of services specified in /etc/services. There should be only one WKS record per protocol and address. Because the WKS record is not widely used, applications should not rely on the existence of this record to recognize the presence or absence of a service. Instead, the application should simply attempt to use the service.
X25 - Representation of X.25 network addresses (experimental).

Reverse Lookup Zones

Each of the available zones can be defined as a reverse lookup zone. To do so, switch the lookup box from forward to reverse when creating a new zone. The input mask will change and you will be able to enter the address of the network you wish to create a reverse lookup zone for.

An appropriate name for the reverse lookup zone will automatically be created from the network address. For example, if the network address is 10.0.0.0, this results in an automatically created reverse lookup zone named 0.0.10.in-addr.arpa. By clicking the advanced button, the Advanced window will appear, allowing you to define the same options as described in the Add a New Zone section.
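The naming rule above (reverse the network octets, append in-addr.arpa) and the PTR description in the record table both follow from the same transformation. The Python example below is added for this article and is not Barracuda code: it derives the reverse zone name from a network address, and builds the PTR record (owner label relative to the zone, type, target) that the Add corresponding reverse lookup entry (PTR) check box creates for a host. It goes beyond the firewall's own support by also accepting /8 and /16 networks; the firewall only offers /24 ("8-bit") networks, as stated above. The sample addresses and host names are constructed.

```python
import ipaddress


def is_supported_reverse_network(network):
    """True if network maps onto a whole in-addr.arpa zone (IPv4 /8, /16 or /24).

    The firewall itself only offers /24 networks; /8 and /16 are a
    generalisation added in this example. strict=True rejects addresses
    with host bits set, e.g. 10.0.0.1/24.
    """
    try:
        net = ipaddress.ip_network(network, strict=True)
    except ValueError:
        return False
    return net.version == 4 and net.prefixlen in (8, 16, 24)


def reverse_zone_name(network):
    """Derive the in-addr.arpa zone name from a network address,
    e.g. 10.0.0.0/24 -> 0.0.10.in-addr.arpa (the example given in the article)."""
    if not is_supported_reverse_network(network):
        raise ValueError(f"{network!r}: only IPv4 /8, /16 and /24 networks are supported")
    net = ipaddress.ip_network(network, strict=True)
    octets = str(net.network_address).split(".")
    significant = octets[: net.prefixlen // 8]   # drop the host part
    return ".".join(reversed(significant)) + ".in-addr.arpa"


def ptr_record(host_ip, network, hostname):
    """Build the PTR record for host_ip as it appears in the reverse zone of
    network: (owner label relative to the zone, 'PTR', target hostname)."""
    ip = ipaddress.ip_address(host_ip)
    net = ipaddress.ip_network(network, strict=True)
    if ip not in net:
        raise ValueError(f"{host_ip} is not inside {network}")
    zone = reverse_zone_name(network)
    full_owner = ip.reverse_pointer                # e.g. 7.0.0.10.in-addr.arpa
    if not full_owner.endswith("." + zone):
        raise RuntimeError(f"{full_owner} does not belong to {zone}")
    relative = full_owner[: -len(zone) - 1]       # strip the zone suffix
    if not hostname.endswith("."):
        hostname += "."                           # PTR targets are absolute names
    return relative, "PTR", hostname


if __name__ == "__main__":
    # Constructed sample: the article's 10.0.0.0 network and a host inside it.
    print(reverse_zone_name("10.0.0.0/24"))
    print(ptr_record("10.0.0.7", "10.0.0.0/24", "host7.barracuda.example"))
```

The relative owner label ("7" for 10.0.0.7 in 0.0.10.in-addr.arpa) is what ends up as the row in the reverse zone; the absolute form with the trailing dot on the target is what a resolver returns for the PTR query.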


© Barracuda Networks Inc., 2021 The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.