How to Configure DNS Zones

Barracuda CloudGen Firewall
https://campus.barracuda.com/doc/12198234/

The Barracuda NG Firewall DNS configuration object contains two predefined zones: _template and '.'. To be able to edit and specify DNS zones within the Barracuda NG Firewall DNS configuration, you must create a DNS service. For more information, see How to Activate the DNS Server.

Zone 1: _template

This zone contains the general template, which is used as the model for all newly created zones. The procedure for creating and modifying template settings is identical to the procedure for creating and editing settings in another zone. Note that only template settings that already existed before the zone was created are inherited.

To access the _template zone, proceed with the following steps:

1. Log into the Barracuda NG Firewall.
2. From the Config Tree, expand Box > Virtual Servers > your server > Assigned Services > DNS.
3. Expand the DNS service and open the DNS Template Zone by double-clicking it.
4. Double-click the entry (_template) to create or modify settings for SOA, primary server, nameserver, etc.
5. Right-click in the main window to create new hosts, mail exchangers, etc.

Every setting made here is shown in a separate row within the main window and can be selected for further modification or deletion.

Zone 2: '.'

The initial set of root servers is defined using a hint zone. When the server starts up, it uses the hint zone file to find a root name server and get the most recent list of root name servers. The "." zone is short for this root zone and means any zone for which there is no locally defined zone (slave or master) or cached answer.

Do NOT modify the root server settings unless you know exactly what you are doing.

Add a New Zone

To introduce a new zone, right-click your DNS server and select Lock Server. Optionally, you may lock the DNS server already in the config tree. The configuration can now be modified. Select Add New Zone from the context menu and configure the following options:

Parameter Overview

Type
  ⚬ Master - Every domain configuration change takes place on the master. From here the information is propagated to the secondary servers. A master zone requires at least a Start of Authority (SOA) record and a Name Server (NS) record. Be sure to examine the security settings of the master zone, since a corrupt master zone can cause a lot of problems.
  ⚬ Slave - A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone. DNS slave zones do not require much configuration; just enter the IP addresses of the master server (or servers) and examine the security settings. Be sure to set a transfer-source-IP, otherwise the slave zone will not be accepted by the DNS server.
  ⚬ Forward - A forward zone is used to direct all queries in it to other servers. The specification of options in such a zone will override any global options declared in the options statement. A forward zone does not need a transfer-source-IP. Be sure to check the security settings.
  ⚬ Hint - The initial set of root name servers is specified using a hint zone. When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers. The Barracuda NG Firewall DNS server already has a hint zone (Zone ".") pre-configured, so normally there is no need to introduce another hint zone.
  Depending on the selected type, the necessary settings may be slightly different. Such settings are marked with (optional) in the following.

Origin Domain Name
  Enter the domain name you wish to create here (for example, barracuda.com).

Lookup
  This section is used for defining whether the zone should perform Forward or Reverse lookup. DNS forward lookup provides IP addresses for known host names, while reverse lookup provides host names for known IP addresses. The Barracuda NG Firewall DNS server is able to provide DNS reverse lookup only for 8-bit networks (like 213.47.10.0/24).

Masters
  (optional) This field is available when type Slave is selected. Enter the master IP addresses here.

Forwards
  (optional) This field is available when type Forward is selected. Enter the forward IP addresses here.

Clicking the advanced button opens a new window containing additional settings:

notify
  Allows the administrator to select whether the DNS server should notify slave DNS servers about zone changes. Possible values for selection are yes/no/explicit. If explicit is selected, enter the explicit IP in the also notify field below.

also notify
  Here you may enter a list of IPv4 or IPv6 hosts that should be notified about zone changes although these machines are not registered slaves of the DNS server. Separate multiple entries with a semicolon and space (like 10.0.0.53; 10.0.0.67; 192.168.0.10; 2001:db8:85a3:0:0:8a2e:370:7334).

transfer-source-ip
  This field is only available for type Slave. It defines the IP address the slave has to use when contacting its master DNS server. The following options are available:
  ⚬ service-default
  ⚬ server-first
  ⚬ server-second
  ⚬ explicit
  Slave zones must have transfer-source-ip to work.

Advanced Settings – Section Security

This section offers detailed security options for the DNS service. Each pull-down field can take the value none or any.

  ⚬ allow notify - This field is only available for type Slave. It defines if the slave accepts notifications about updates from its master.
  ⚬ allow query - Lists the IPv4 or IPv6 hosts that are allowed to query the DNS server. By default all hosts are allowed to query the DNS server.
  ⚬ allow update - Lists the IPv4 or IPv6 hosts that are allowed to update the database of the DNS server.
  ⚬ allow transfer - Lists the IPv4 or IPv6 hosts that are allowed to fetch the DNS database from the DNS server.

Edit/Add a New Start of Authority

At creation time of the Barracuda NG Firewall DNS Server, a standard template is created which is automatically inherited by newly generated zones. This template may freely be deleted or modified. If you have deleted it and have thereafter created a new zone, proceed as follows to be able to follow the instructions below:

1. Select the newly created domain lacking a SOA record in the tree view, right-click the main window and choose Add a New Start of Authority (SOA).
2. If the SOA record already exists, double-click an existing entry with type NS or SOA and select the Start of Authority (SOA) tab.

DNS Server - SOA Configuration

Serial
  Enter a serial number here. Clicking Update will increase the serial number by one. The serial number of the master has to be higher than the serial number saved on the slave, otherwise the slave will stop fetching information updates from its master.

Primary Server
  Select the primary name server of the domain here. By clicking Pickup, already created entries can be selected.

Responsible person
  Use this field to define a person responsible for this host/zone. The syntax that has to be used is username.domain (for example ernestexample.test.org). By clicking Pickup, already created entries can be selected.

Refresh after
  This interval tells the slave how often it has to check whether its data is up to date.

Retry after
  When the slave fails to reach the master server after the refresh period (Refresh after), then it starts trying again after this set time interval.

Expire after
  When the slave fails to contact the master server for the expire period, the slave expires its data. Expiring means that the slave stops giving out answers about the data because the data is too old to be useful.

Minimum TTL
  (standard) This value sets the Time To Live of cached database entries of this zone. The format for TTL is days:hours:minutes:seconds.

Expire (TTL)
  This value sets the Time To Live of cached database entries of this zone until it is considered as expired. The format for TTL is days:hours:minutes:seconds.

Edit/Add a New Name Server

1. To introduce a new Name Server (NS), right-click the right part of the window and select New Name Server (NS).
2. If a nameserver has already been created, open an existing entry with type SOA or NS and click the Nameserver (NS) tab.

A new nameserver can only be entered if the SOA has already been generated.

Name Server Configuration

Superordinate domain
  This is a read-only field. It displays the name of the domain the nameserver will be responsible for.

Add/Modify/Delete
  To add name servers, click Add.
  • Servername - This is the name of the name server.
  • IP Address - This is the IPv4 or IPv6 address of the name server.
  • Expire (TTL) - This is the globally defined lifetime that future name server records are expected to have. The format for the Time to Live (TTL) is days:hours:minutes:seconds.

Add a New Host

To introduce a new host, right-click the main window and select New Host. Entries made in the individual tabs will be saved in separate rows of type A, TXT, HINFO and WKS within the main configuration window.
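The per-type requirements and the Security section from Add a New Zone can be turned into a review checklist. The following is an added example, not Barracuda code: it audits zone settings written down as Python dicts keyed by the dialog's field names. The dict layout, the "records" and "reverse network" keys and the sample zones are assumptions made for illustration.

```python
import ipaddress

def parse_hosts(value):
    """Split a '; '-separated address list (the also notify format) and validate it."""
    return [ipaddress.ip_address(h.strip()) for h in value.split(";") if h.strip()]

def audit_zone(zone):
    """Check one zone dict (hypothetical format keyed by the dialog's field names)."""
    findings = []
    ztype = zone["type"]
    if ztype == "master" and not {"SOA", "NS"} <= set(zone.get("records", [])):
        findings.append("master zone lacks an SOA or NS record")
    if ztype == "slave":
        if not parse_hosts(zone.get("masters", "")):
            findings.append("slave zone lists no masters")
        if not zone.get("transfer-source-ip"):
            findings.append("slave zone has no transfer-source-ip")
    if ztype == "forward" and not parse_hosts(zone.get("forwards", "")):
        findings.append("forward zone lists no forwarders")
    if zone.get("notify") == "explicit" and not parse_hosts(zone.get("also notify", "")):
        findings.append("notify is explicit but also notify is empty")
    if zone.get("reverse network"):
        net = ipaddress.ip_network(zone["reverse network"])
        if net.version != 4 or net.prefixlen != 24:
            findings.append("reverse lookup is only provided for /24 networks")
    # 'any' on these two lets every host change or copy the zone data.
    for acl in ("allow update", "allow transfer"):
        if zone.get(acl) == "any":
            findings.append(acl + " is set to any")
    return findings

# Constructed sample zones; names and addresses are illustrative only.
ZONES = [
    {"type": "master", "origin": "example.test", "records": ["SOA", "NS", "A"],
     "notify": "explicit", "also notify": "10.0.0.53; 10.0.0.67; 2001:db8:85a3:0:0:8a2e:370:7334",
     "allow update": "none", "allow transfer": "10.0.0.53; 10.0.0.67"},
    {"type": "slave", "origin": "branch.example.test", "masters": "10.0.0.1",
     "allow update": "none", "allow transfer": "any"},
    {"type": "master", "origin": "47.213.in-addr.arpa", "records": ["SOA"],
     "reverse network": "213.47.0.0/16", "allow update": "any", "allow transfer": "none"},
]

if __name__ == "__main__":
    for z in ZONES:
        print(z["origin"], audit_zone(z) or "ok")
```

allow query is not flagged because the page states that all hosts may query by default; restrict it separately for zones that should only resolve internally.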
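For the SOA fields described under Edit/Add a New Start of Authority, the following added example (not Barracuda code) converts the days:hours:minutes:seconds notation to seconds and checks whether a slave would still fetch updates. It goes beyond the page in two labelled ways: serials are compared with RFC 1982 serial arithmetic so that a wrapped 32-bit serial is handled, and the timer-ordering rules are common sanity checks assumed here, not Barracuda requirements. The dict keys and sample values are constructed.

```python
def ttl_to_seconds(text):
    """Convert the dialog's days:hours:minutes:seconds notation to seconds."""
    parts = [int(p) for p in text.split(":")]
    if len(parts) != 4 or any(p < 0 for p in parts):
        raise ValueError("expected days:hours:minutes:seconds, got %r" % text)
    days, hours, minutes, seconds = parts
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds

def serial_is_newer(master, slave):
    """RFC 1982 comparison of 32-bit SOA serials: True if master is ahead of slave."""
    diff = (master - slave) % 2**32
    return 0 < diff < 2**31

def check_soa(master_soa, slave_serial):
    """Return problems for a master SOA (hypothetical dict) against a slave's stored serial."""
    problems = []
    if not serial_is_newer(master_soa["serial"], slave_serial):
        problems.append("slave will not fetch: master serial is not higher")
    refresh, retry, expire = (
        ttl_to_seconds(master_soa[key]) for key in ("refresh", "retry", "expire")
    )
    # Assumed sanity rules: retry sooner than refresh, and keep the data
    # long enough for at least one refresh plus one retry.
    if retry >= refresh:
        problems.append("retry interval is not shorter than refresh")
    if expire <= refresh + retry:
        problems.append("zone expires before a refresh and one retry can complete")
    return problems

# Constructed sample SOA values.
GOOD_SOA = {"serial": 2024010101, "refresh": "0:3:0:0", "retry": "0:1:0:0", "expire": "7:0:0:0"}
BAD_SOA = {"serial": 2024010101, "refresh": "0:1:0:0", "retry": "0:2:0:0", "expire": "0:2:30:0"}

if __name__ == "__main__":
    print(check_soa(GOOD_SOA, 2024010100))
    print(check_soa(BAD_SOA, 2024010101))
```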
