Networking: Full DNS Server
It would be nice if Astaro could be used as a fully-functional DNS server with backward look up zones and all.
At the moment SOHO networks with no internal DNS server are unable to perform reverse DNS and other features.
Would it be possible to allow full configuration of DNS server via WebAdmin? So I could add zone files (including the importing of already existing files), make full customization of named.conf file via WebAdmin, slave dns zones, etc etc etc... I would like to know this because I have desire to slave OpenNIC (do NOT confuse this with OpenDNS) by operating my own T2 server ... [Visit http://opennicproject.org/howtos/72-running-an-opennic-teir-2 for more information]
It would be nice to be able to setup the Astaro firewall as a secondary server for my internal Network Zone along with zone transfers from my internal DNS server. Only internal interface to have access
christian kueppers commented
That's what I'm looking for. Can't be difficult. UTM is now creating a zone in BIND for every host and reverse entry, regardless of the DNS suffix.
Dave Crumbacher commented
At a minimum, supporting reverse DNS would be very helpful.
One more thing... I would prefer this (since by slaving OpenNICs root zone) I would avoid having to set DNS forwarders, and can instead receive DNS info/traffic from OpenNIC... I have tested this fully on Bind before, and would like this in Astaro. :)
This way, using OpenNIC as my trusted ROOT server... I trust OpenNIC fully, as I have used them previously (but using an already existing T2 server is a bit slow... Using my own is VERY FAST).
This is especially important as Astaro supports IPv6, and it would be really nice if it could automatically create IPv6 reverse DNS for RADVD clients.
Also, the ability to create multiple A records for an FQDN. That would solve a long-standing problem with Network Definitions. At present, it's not possible to create a network which is a list of IPs; each IP must be assigned to a separate Host definition, and then the separate definitions loaded into a Network Group. If it were possible to assign multiple IPs in a static DNS mapping, a 'DNS Group' Network Definition would solve the problem cleanly.
Andreas Melcher commented
I would suggest looking into http://cr.yp.to/djbdns.html for this task. There is a single program for each DNS task so that all duties are separated as one would like to have on a firewall. Furthermore the config files are already prepared to be worked on by programs. Most important: this tool has an extremely low memory and performance footprint which makes it usable even in the smallest boxes.
Would like an option to create an internal zone, both forward and reverse, so an internal DNS would not be needed. There is another request for full-function DNS, so I will support that request as it more accurately reflects what I am asking for.
Lotus Domino/Notes users have many cases where they install an SMTP relay server and an outside public DNS server in the DMZ. There is demand to use those functions in Astaro and to remove the DNS/SMTP relay server from the DMZ.
In a few words, there are two reasons:
1) Allowing the branch offices to be authoritative reduces load on the central server
2) Caches expire; an authoritative slave can continue to function indefinitely.
This is a required feature especially for the home use market. Everyone now has an access point and several devices in the home.
No - because in a split DNS configuration, I have zones that are only available to my internal network. So the ISP DNS servers have no knowledge of those domains. And just because the link to my primary internal DNS server might be down, does not mean that those internal domains are not needed. For example, even the branch office itself may need to resolve local resources (say an office printer).
Being able to slave domains also means that I can manage the domains using bind configuration files (or powerDNS etc etc) instead of the astaro GUI at each of dozens of sites.
If the local ISP DNS Forwarders are listed after the "master proxy" at each location then doesn't that give you what you want?
Ideally, I want each branch office to be able to function completely independently even if the core office is hit by a tornado (or a long power outage for that matter). Working as a cache is insufficient in two ways:
1) Caches expire, so if the outage is long the DNS server will eventually stop working. If I increase the cache timeout, then I can't change records quickly.
2) Relying on a single proxy master makes it difficult for the branch offices to use their own local ISP DNS servers as forwarders, so that they can resolve domains that I don't serve directly from their own DNS service.
The second point is especially difficult in the case of split domains. Say my "external" IPs are "foo.com" and my branch offices are "city1.foo.com" and "city2.foo.com", and that the internal and external domains are served by separate DNS servers. If the connection to the internal DNS servers goes down, then even though the external DNS servers are still working correctly, the branch offices will not be able to resolve even the "external" IPs, which may be working fine.
In any event, slaving the domains allows each branch office DNS server to be authoritative for all internal domains and for the branch office domain itself, which is more tolerant of failures.
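An added example, not from this thread or from Astaro, of the BIND configuration Poul describes for a branch office: the internal split domains and the branch LAN's reverse zone are slaved from the HQ primary, everything else is forwarded to the local ISP resolvers, and only the internal interface is served. The addresses (192.0.2.0/24 branch LAN, 203.0.113.10 HQ primary, 198.51.100.x ISP resolvers), zone names and TSIG secret are placeholders.

```conf
// Branch-office resolver: authoritative secondary for the internal split
// domains, forwarder to the local ISP for everything else.
// Addresses and the TSIG secret are placeholders, not values from the thread.

key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";   // generate a real one with tsig-keygen
};

acl "branch-lan" { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    // Only the internal interface answers, as the thread asks for
    listen-on { 192.0.2.1; };
    allow-query { "branch-lan"; };
    allow-recursion { "branch-lan"; };
    // Names we hold no zone for go to the local ISP resolvers
    forwarders { 198.51.100.53; 198.51.100.54; };
    forward only;
    // Nothing may pull zones from this resolver
    allow-transfer { none; };
};

// Internal view of the company domain, slaved from HQ. Transfers are signed
// with the TSIG key, so a spoofed primary cannot push a bogus zone, and the
// records keep answering from the on-disk copy when the link to HQ is down.
zone "foo.com" {
    type slave;
    masters { 203.0.113.10 key "xfer-key"; };
    file "slave/foo.com.db";
};

zone "city1.foo.com" {
    type slave;
    masters { 203.0.113.10 key "xfer-key"; };
    file "slave/city1.foo.com.db";
};

// Reverse zone for the branch LAN, so PTR lookups work without another server
zone "2.0.192.in-addr.arpa" {
    type slave;
    masters { 203.0.113.10 key "xfer-key"; };
    file "slave/2.0.192.in-addr.arpa.db";
};
```

A slaved zone keeps answering only until the SOA expire interval elapses without a successful refresh, so the expire value on the HQ primary bounds how long a branch stays authoritative during an outage.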
Interesting, Poul. Can you explain in just a few words why this cannot be accomplished by having the branch Astaro DNS Proxies point to the central DNS server as a unique forwarder? In the event of a network disruption, wouldn't the local DNS cache of each Astaro likely have the needed information?
Cheers - Bob
PS I'm not suggesting that my idea will work, I'm just trying to understand your idea better.
That's really useful for home users with no internal DNS. At the moment, I have no reverse DNS ability.
Yes, it shouldn't be that difficult to make the proxy into a full-fledged DNS.
Mark, do you have the Astaro listed as a forwarder for your internal DNS? Isn't this functionality already available if your internal DNS server allows it?