NethServer as public DNS authoritative server


Hi all,

I was wondering if I could use NethServer as authoritative DNS server for my domain. Since I need to migrate from another server, the DNS should originally serve the zone as is now before switching over one per time the A records to the NethServer itself (and MX).

Is it possible?

NethServer Version: 7.1903

Hi

AFAIK the DNS Server inside Nethserver is based on dnsmasq and is also used for DHCP (Not part of the problem). However, the DNS doesn’t allow a lot of features, like setting any form of MX. These are hardcoded into NethServer… (With internal GREEN - IPs).

In short - not suitable for external DNS…

Your best choice would be to setup a bland vanilla Linux in a VM and point the needed DNS Ports (UDP 53 / TCP if needed) to the VM from your firewall. On this VM you could install BIND, or eg UNBOUND, both can handle external DNS.

The VM can be in NethServer - or in Proxmox or some other Hypervisor, depending on your setup.

To get a web interface for administration of BIND you could install Webmin on that Linux VM. Configuring BIND with CLI and text files isn’t for the faint of heart… :slight_smile:

If you have a Synology NAS, there’s a usable module for DNS - that can handle external DNS too. The interface is usable, not great!

My 2 cents
Andy

2 Likes

Is it updated?

AFAIK no.
Closest thing that seems authoritative DNS server is the SAMBA AD container, but is confined to the DNS for the AD, not public.

@pike

Besides which, you wouldn’t want internal AD information, even if only Internal IPs, released to the internet…

:slight_smile:

My 2 cents
Andy

Thanks all for the reply.
Since it’s supposed to be installed on a VM (that I’ll buy) virtualizing another machine would be difficult.
Since the VM won’t have any LAN, is it possible to move dnsmasq to another port and install another DNS server e.g. bind?

Think it might be possible to install bind and do it that way. I can’t remember if someone has tried this before, I know that there has been some discussion around it.

If you do do it, you would need to do a split-brain DNS setup so your local private IP addresses don’t get leaked out.

What do you exactly mean? I can’t get the point… the VM should have only one IP: the WAN one. So which local address?
In second instance, as I remember, bind exposes only the content of the files you tell him to, or? So if I do not put any wrong address in it, it should be fine(?)

BIND has a concept of “views”, which entail WHERE the query is coming from. You’d need a “view” from the Internet (eg 0.0.0.0), and maybe one for Internal Administration.

Split-Brain DNS:

This means two different DNS (Can be the same), with different contents.

The Internal one knows everything about your domain, eg internal AD, external Mailserver, your printers, NAS and other stuff the Internet doesn’t need to know about. This one gives out internal AND - if needed - also external IP Addresses. (eg external hosted website).

The External one has much less info, basically a “need to know” principle: Your Public Website, MX records pointing to your mailserver and other stuff maybe. But nothing internal! This DNS only has external Internet IPs…

Hope that helps!

My 2 cents
Andy

Right, to keep track of this, that’s the procedure I followed:

  1. yum install -y bind bind-utils
  2. systemctl stop dnsmasq; systemctl disable dnsmasq; expand-template /etc/resolv.conf (I don’t have any lan so don’t need any DHCP, otherwise you can use something like port=0 to disable just the DNS)
  3. replaced in /etc/named.conf:
    recursion no;

then normally configured bind and it rocks! Now if I query the server for my domain I get answers, if I query from some other domain, I get no answer (which is the intended behaviour, I don’t want to act as a global nameserver). NethServer itself can resolve through an /etc/resolv.conf without 127.0.0.1.

Hope it can help somebody else
ATB

1 Like
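As an added example (not code from the thread or from NethServer), this shell script writes the authoritative-only BIND configuration the steps above describe, with a zone file that carries public records only, i.e. the "external" side of the split-brain setup Andy explains, and validates both with BIND's own checkers when they are installed. The zone name example.com, the 203.0.113.x addresses and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: write an authoritative-only BIND config
# for the "recursion no" setup above and validate it when BIND's checkers exist.
# Assumed values: zone example.com, IPs from the 203.0.113.0/24 documentation range.
set -eu
ZONE="${ZONE:-example.com}"       # assumed zone name
NS_IP="${NS_IP:-203.0.113.10}"    # assumed public IP of the NethServer VM
MX_IP="${MX_IP:-203.0.113.20}"    # assumed public IP of the old mail host
SERIAL="${SERIAL:-2019060101}"

# named.conf: answer only for our own zone, refuse recursion and transfers.
write_named_conf() {
  out="$1"; dir=$(dirname "$out")
  cat > "$out" <<EOF
options {
    directory "$dir";
    recursion no;             # never resolve names for third parties
    allow-query { any; };     # the public zone must be answerable by anyone
    allow-transfer { none; }; # no AXFR of the zone to the Internet
};
zone "$ZONE" IN {
    type master;
    file "$dir/db.$ZONE";
};
EOF
}

# Zone file holding public records only (the split-brain "external" side):
# move A records here one at a time, keep the MX on the old host until last.
write_zone_file() {
  out="$1"
  cat > "$out" <<EOF
\$TTL 3600
@     IN SOA ns1.$ZONE. hostmaster.$ZONE. ( $SERIAL 3600 900 1209600 300 )
@     IN NS  ns1.$ZONE.
ns1   IN A   $NS_IP
@     IN A   $NS_IP
mail  IN A   $MX_IP
@     IN MX  10 mail.$ZONE.
EOF
}

# Write both files into directory $1; run BIND's checkers when installed.
validate() {
  write_named_conf "$1/named.conf"
  write_zone_file "$1/db.$ZONE"
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkconf "$1/named.conf" && named-checkzone "$ZONE" "$1/db.$ZONE"
  fi
}
```

Run it as `validate /tmp/bindtest` and then check with `dig @<server> example.com MX` and `dig @<server> example.org A`: the first answers, the second is refused, which is the behaviour described above.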

The problem is that Nethserver relies on dnsmasq for preconfiguration of mail, dc and many more.
If you disable dnsmasq many packages won’t work anymore.

In my case I’ll use LDAP and access it only by localhost. For e-mail stuff (MX record and DKIM) I’ll configure by hand… not a problem. I think there isn’t anything else using DNS.

This is what I found directly using dnsmasq for preconfiguration, this does not mean it’s not workable at all but it could make problems:

squid, ipsec, sssd, ejabberd, samba, mail, dc