Complete DNS records?

NethServer Version: 7.7
Module: DNS

Seems that DNS GUI is limited to adding A and CNAME entries? (EDIT: Now that I see it more thoroughly, not even CNAME!)
And the only option for different records (AAAA, MX, SRV etc.) is to edit the actual host file?

I also searched around and didn’t find anything different.
I looked both in the old GUI and the new GUI…
I consider this rather basic functionality, are there any plans to extend the GUI?

Not being able to see the complete records in the GUI is a limitation not just for editing, but even for having an idea of the entries already set (for example, I suspect the mail module does add an MX record, right?).

No, and I don’t see any reason why it would; Neth is only intended to serve DNS over the LAN. The design is that it can act as your router, and when doing so it can provide DNS service to your LAN. When it’s being used in that way, there’s a benefit to being able to serve local hostnames, hence the ability to add those through the GUI. What benefit do you see to a local DNS server serving MX or SRV records?

None (but read the * part).
I thought it could also be used as external DNS (I know it is not common practice but I have used my own servers as authoritative servers for my domains before). Didn’t know it doesn’t have this feature. No harm done.

(*) Sometimes such entries (esp. SRV entries) are used for the internal configuration of software clients. For example some Microsoft services (or even many SIP related services).

Anyway, no go for that with NethServer. Clear.

Yeah, I’m pretty sure acting as a public DNS server is outside the scope of what was intended for Neth. I developed a module to let it act as a limited public DNS server for the sole purpose of Let’s Encrypt validation (see https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns), but I don’t think that’s as general-purpose as you’re intending.

As to mail configuration specifically, this might help:


You’d need to set the SRV record on your authoritative DNS host, but this would automate the rest of the configuration.

Exactly. I need to set the record in my authoritative DNS and this will not work for internal clients - except if I point them to external DNS.
For clients using internal DNS (i.e. the common setup), the internal DNS will act as authoritative (even though it is not) for the domain it belongs to, won’t it? So it won’t request resolution from the real authoritative DNS.
Correct me if I am wrong.

Even if this is not the case, internal clients will still need autoconfigure for the internal domain (usually a subdomain of the external or something .local). And with the existing DNS, this cannot be done.

No, Neth only acts as a DNS cache. If you make entries in the DNS page, it will serve those records in preference to whatever it finds on the Internet; otherwise, it will reach out to whatever DNS server you’ve configured (default is 8.8.8.8, IMO a poor choice) to satisfy any requests.

This isn’t a design decision I agree with, and it’s a step backward in functionality compared to Neth’s ancestor (SME Server)–but even that acted as a recursive resolver (rather than just querying a specified DNS server), and still wasn’t authoritative for local hosts.

Sure it can; the SRV record can still be created at your “real” DNS host and will propagate.

Hi @NLS welcome to NethServer community!

Not exactly, you have to change /etc/dnsmasq.conf because the UI only sets A records overrides. In NethServer many configuration files are obtained by a “template expansion”. You can customize the result at your will: see http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html#local-site-overrides-templates-custom-and-templates-user-custom

About “SRV” records, for instance ejabberd adds some automatically to /etc/dnsmasq.conf.

Yes, it is implemented by “dnsmasq” that is more than just caching: it “masquerades” the public DNS for the local LAN, so you can define local overrides as long as your client points to it and it can run as DHCP. For sure it doesn’t act as authoritative DNS.

As you can see you have many options!

Just for reference: http://docs.nethserver.org/en/v7/dns.html

Really, true DNS is vital for a home/office server setup.
I don’t understand how some people don’t see it.
First of all there is the “split DNS” feature: setting local addresses for local connections.
In other words, if a mobile client uses “mail.mydomain.com” and asks a DNS for this, the “Internet” DNS (on the bus, for example) will properly report the public IP (or even a CNAME matching a DynDNS IP), whereas if connected to the LAN of the server, the local DNS will instead route that FQDN to a LOCAL IP.
If this is not implemented, many routers are smart enough not to route this to the Internet (only to come “back inside”, which is sometimes also an issue for some cheap routers).
Zentyal (I mention this only because it was a recent comparison I made, although Zentyal still “lost” overall) does implement a less-than-full-but-still-ok DNS server. It allows CNAME and MX records. Also, IIRC, it allows setting resolution for more than one domain (thus SOA is also a vital record).

I think the team should really revisit the subject.

Sorry I think I don’t understand this sentence.

AFAIK a LAN client asks the internal DNS server (dnsmasq) and gets an internal IP as response. There’s no router in the middle. This is a well-proven scenario, supported by dnsmasq since the beginning.

http://www.thekelleys.org.uk/dnsmasq/doc.html

True.

That said, I really hope for a real DNS server. I can describe many scenarios where this is needed.

Let’s say you want to create custom records for the domain nethserver.org, you could use unbound behind your dnsmasq installation.
I don’t have a system to test it right now, but you should do something like this:

  • configure unbound to listen on a different port
  • create a template-custom for dnsmasq to forward requests for nethserver.org to the unbound instance
  • configure DNS records on unbound

This should work for a LAN scenario.
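
The two suggestions above, the dnsmasq template-custom record lines and the unbound-behind-dnsmasq forwarding setup, are easier to reason about with the record syntax in front of you. The following Python script is an added example for this thread, not code from NethServer or from anyone in the discussion: it parses the record directives dnsmasq understands (address=, host-record=, cname=, mx-host=, srv-host=, server=) out of a constructed /etc/dnsmasq.conf fragment, so you can audit what a template-custom or a module such as ejabberd has placed there, and then renders the same records as unbound local-data together with the single server= line that hands the zone to unbound. The zone name local.example.org, the loopback port 5335 and every sample record are assumptions.

```python
"""Audit the records dnsmasq serves from its config and render them for unbound.

Added example for this thread, not NethServer code. Directive syntax follows the
dnsmasq and unbound manuals; zone name, port 5335 and the sample records are assumed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Record:
    name: str   # owner name as written in dnsmasq.conf (no trailing dot)
    rtype: str  # A, AAAA, CNAME, MX or SRV
    rdata: str  # RDATA in zone-file presentation order


def _fqdn(name: str) -> str:
    """unbound local-data wants fully qualified names ending in the root dot."""
    return name if name.endswith(".") else name + "."


def parse_dnsmasq(conf: str) -> Tuple[List[Record], List[Tuple[str, str]]]:
    """Return (records, forwards) declared in dnsmasq.conf text.

    address=/<name>/<ip>                        A/AAAA, also covers subdomains
    host-record=<name>,<ip>[,<ip>][,<ttl>]      A/AAAA
    cname=<alias>,<target>[,<ttl>]              CNAME
    mx-host=<domain>,<hostname>,<preference>    MX
    srv-host=<_svc._proto.dom>,<target>,<port>,<priority>,<weight>   SRV
    server=/<domain>/<ip>[#port] or server=<ip> forward; default upstream has domain ""
    """
    records: List[Record] = []
    forwards: List[Tuple[str, str]] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:  # comments start a line
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        fields = [f.strip() for f in value.split(",")]
        if key == "address":
            parts = value.strip("/").split("/")
            if len(parts) == 2:
                records.append(Record(parts[0], "AAAA" if ":" in parts[1] else "A", parts[1]))
        elif key == "host-record":
            for f in fields[1:]:
                if not f.isdigit():                  # a bare integer here is the TTL
                    records.append(Record(fields[0], "AAAA" if ":" in f else "A", f))
        elif key == "cname" and len(fields) >= 2:
            records.append(Record(fields[0], "CNAME", fields[1]))
        elif key == "mx-host" and len(fields) == 3:
            domain, host, pref = fields
            records.append(Record(domain, "MX", f"{pref} {host}"))
        elif key == "srv-host" and len(fields) == 5:
            name, target, port, prio, weight = fields
            records.append(Record(name, "SRV", f"{prio} {weight} {port} {target}"))
        elif key == "server":
            if value.startswith("/"):
                _, domain, upstream = value.split("/", 2)
                forwards.append((domain, upstream))
            else:
                forwards.append(("", value))
    return records, forwards


def dnsmasq_forward_line(zone: str, host: str = "127.0.0.1", port: int = 5335) -> str:
    """The single template-custom line that hands <zone> queries to a local unbound."""
    return f"server=/{zone.rstrip('.')}/{host}#{port}"


def to_unbound(records: List[Record], zone: str) -> str:
    """Render the records under <zone> as an unbound 'server:' stanza."""
    zone = zone.rstrip(".")
    # 'transparent' keeps names without local-data resolvable upstream, so a few
    # internal overrides do not black-hole the rest of the zone.
    lines = ["server:", f'    local-zone: "{zone}." transparent']
    for r in records:
        if r.name != zone and not r.name.endswith("." + zone):
            continue
        rdata = r.rdata
        if r.rtype in ("CNAME", "MX", "SRV"):      # last token is a hostname: qualify it
            head, _, target = rdata.rpartition(" ")
            rdata = f"{head} {_fqdn(target)}".strip()
        lines.append(f'    local-data: "{_fqdn(r.name)} IN {r.rtype} {rdata}"')
    return "\n".join(lines) + "\n"


# Constructed sample fragment; not taken from a real NethServer /etc/dnsmasq.conf.
SAMPLE_CONF = """\
server=8.8.8.8
server=/local.example.org/127.0.0.1#5335
address=/nas.local.example.org/192.168.1.20
host-record=mail.local.example.org,192.168.1.25,fd00::25,300
cname=webmail.local.example.org,mail.local.example.org
mx-host=local.example.org,mail.local.example.org,10
srv-host=_xmpp-client._tcp.local.example.org,chat.local.example.org,5222,5,0
srv-host=_sip._tcp.local.example.org,pbx.local.example.org,5060,10,5
"""

if __name__ == "__main__":
    recs, fwds = parse_dnsmasq(SAMPLE_CONF)
    for r in recs:
        print(f"{r.name:42} {r.rtype:5} {r.rdata}")
    print("forwards:", fwds)
    print(dnsmasq_forward_line("local.example.org"))
    print(to_unbound(recs, "local.example.org"))
```

Run it against your own /etc/dnsmasq.conf to list every record dnsmasq is actually answering for; the unbound stanza it prints is only a starting point, since unbound also needs its port moved (the `port:` setting in its `server:` block) so that it does not clash with dnsmasq on 53, and dnsmasq's own `address=` lines keep matching subdomains in a way a plain A record does not.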

If you use Samba as your domain controller, you can also do this using the RSAT tools in Samba DNS. The clients should use the DNS server of the domain controller anyway and not the DNS server of the NethServer installation.

You mean there is an additional DNS service without its own GUI in the Samba container?
Maybe just expose the settings then?

That’s exactly what it is. Configuration is done exclusively via the Microsoft (RSAT) tools. There is still the possibility of configuration via samba-tool and the admin tools, but the admin tools are not integrated in the container.

https://wiki.samba.org/index.php/DNS_Administration

Well I tried to nslookup with server set as the IP of the Samba container.
It times out when I request a resolution (even for local domain).

EDIT:
Scratch that. It is a hiccup of the server being in a test VM environment.
I can ping the “main” NS address, but for some reason I cannot ping the AD container address.
If I use own terminal, I can ping it and nslookup using the AD address as server.

If you use samba DC in a VM you need to enable promiscuous mode:

http://docs.nethserver.org/en/v7/accounts.html#installing-on-a-virtual-machine

So I saw the DNS not being a full DNS limitation in practice after all…

I checked my VPN (done over the routers, not software) with my work and made the appropriate changes. VPN works ok. DNS resolution doesn’t.

The other side of the VPN is a Windows 2016 domain network.
So the normal process would be to make a stub zone in my Windows 2016 DNS, to let my work network know about my LOCAL domain. So the public DNS (which does work at my hosting provider) cannot help at all if I want to pass things through the VPN and still use FQDNs instead of IPs.
But I cannot use a stub zone, because none of the remote (my home side) DNS servers can respond as a proper DNS server. Not my router, not my NethServer.
Actually my NethServer SAMBA (which is a docker with its own IP) DOES respond like a proper DNS, but… it is useless to me as it doesn’t know any other machine than itself and there is no user-friendly way to pass DNS information from NS’s own basic DNS.

So I had to falsely create a normal zone in my work DNS (i.e. making it think it is authoritative for my local.myhome.net domain) and manually enter host names, so that someone over VPN contacting myserver.local.myhome.net actually resolves it and accesses it through the VPN.

I wonder if instead of re-implementing a better VPN, all we need is an interface to the SAMBA provided DNS as MAIN DNS (obviously for NS systems with enabled SAMBA docker).