Koozali.org: home of the SME Server

SME as an Internet DNS server

plc

« on: April 26, 2007, 03:12:04 AM »
Hi all.

I'm trying to set up an SMEServer to be used as the "public" DNS Server, so when an external user requests "www.mak.fr" it resolves to the SME Server. The server is also supposed to receive incoming mail from Internet clients.

The ".fr" root servers are already pointing to my SME Server.

I've already configured tinydns to listen to the external IP:
# config setprop tinydns ListenIP <myip>
# signal-event post-upgrade
# signal-event reboot

But I figured that the firewall (iptables) is blocking UDP connections to port 53. I tried to open it with the hint in the Manual:
# config set tinydns service access public status enabled UDPPort 53

But an "iptables -vL -n" will give me
Code:

Chain InboundUDP_3983 (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 denylog    all  --  *      *       0.0.0.0/0           !192.168.2.1        
   21  1191 denylog    udp  --  *      *       0.0.0.0/0            192.168.2.1         udp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.1         udp dpt:53
    0     0 denylog    udp  --  *      *       0.0.0.0/0            192.168.2.1         udp dpt:53

which seems to block it anyway. I've tried to open it manually with:
# iptables -I InboundUDP_3983 -p udp -i eth1 --dport 53 -j ACCEPT

But this rule will get wiped out next time, so it's not a fix either.

I also have another issue: the SME Server is behind a router [which is behind a cable modem], so there is an extra network between the server and modem, and the GUI won't let me change the MX record which resolves to the server's external IP [which is 192.168.2.1, the middle network], instead of the "public" one. I can, however, change the other hostnames (www, mail, etc).

Is there any simpler way to accomplish this? Am I walking in the right direction? I'm kind of lost here....

Best regards,
-plc
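
Why the ACCEPT rule in the listing above shows zero packets, as an added Python example that is not part of the original post: iptables walks a chain top to bottom, and the denylog rule with the identical match sits one line earlier. The sketch parses the quoted listing and reports every rule whose match duplicates an earlier one; it assumes the earlier rule's target (here denylog) ends processing of the packet, which the 21-packet counter on that rule is consistent with.

```python
# The InboundUDP_3983 listing as quoted in the post above.
LISTING = """\
Chain InboundUDP_3983 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 denylog    all  --  *      *       0.0.0.0/0           !192.168.2.1
   21  1191 denylog    udp  --  *      *       0.0.0.0/0            192.168.2.1         udp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.1         udp dpt:53
    0     0 denylog    udp  --  *      *       0.0.0.0/0            192.168.2.1         udp dpt:53
"""

def parse_rules(listing):
    """Parse `iptables -vL -n` rule lines into dicts; skips chain and column headers."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        # Rule lines start with a packet counter (digits, possibly with a K/M suffix).
        if len(f) < 9 or not f[0][0].isdigit():
            continue
        rules.append({"pkts": f[0], "target": f[2], "match": tuple(f[3:])})
    return rules

def shadowed(rules):
    """Return (position, target, earlier_position) for each rule whose match
    criteria are identical to an earlier rule in the same chain.
    Assumption: the earlier rule's target terminates (ACCEPT, DROP, log-and-drop)."""
    first_seen, hits = {}, []
    for pos, rule in enumerate(rules, 1):
        if rule["match"] in first_seen:
            hits.append((pos, rule["target"], first_seen[rule["match"]]))
        else:
            first_seen[rule["match"]] = pos
    return hits

if __name__ == "__main__":
    for pos, target, earlier in shadowed(parse_rules(LISTING)):
        print(f"rule {pos} ({target}) is never reached: rule {earlier} matches first")
```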

Offline pfloor

« Reply #1 on: April 26, 2007, 09:05:14 AM »
You shouldn't need to do anything to the server.

How do you have your DNS records set up?  mak.fr doesn't resolve.

You should have mak.fr pointing to your external IP.

Then forward the required ports on your router to 192.168.2.1, or toss the router and put the server in Server-Gateway mode; then your server will pick up the public IP.
In life, you must either "Push, Pull or Get out of the way!"

plc

« Reply #2 on: April 26, 2007, 12:56:43 PM »
OK. I missed some points here. The server is already in "server and gateway" mode. DNS mak.fr was fictional, the domain in question is mav.pt. Verify that

$ dig mav.pt @ns.dns.pt
Code:

[...]
;; QUESTION SECTION:
;mav.pt.                                IN      A

;; AUTHORITY SECTION:
mav.pt.                 28800   IN      NS      ns1.mav.pt.
mav.pt.                 28800   IN      NS      ns2.mav.pt.

;; ADDITIONAL SECTION:
ns1.mav.pt.             28800   IN      A       81.84.254.138
ns2.mav.pt.             28800   IN      A       195.23.44.73
[...]


And the external IP is exactly 81.84.254.138. The second one 195.23.44.73 is a backup server.

The router is also configured to forward UDP 53 to the server's external IP (192.168.2.1).

What you (pfloor) suggest makes the server resolve [eg. mail.mav.pt] to the internal IP (192.168.1.1), so I had to change each entry in "hostnames and addresses" to the public IP (81...). The problem is that the server's original name (gw.mav.pt) is not editable, so it keeps resolving to the internal IP.

Try it: dig gw.mav.pt @81.84.254.138
Code:

[...]
;; QUESTION SECTION:
;gw.mav.pt.                     IN      A

;; ANSWER SECTION:
gw.mav.pt.              86400   IN      A       192.168.1.1


Also, the MX record isn't editable as well, so:
Code:

$ host -t mx mav.pt 81.84.254.138
[...]
Using domain server:
Name: 81.84.254.138
Address: 81.84.254.138#53
Aliases:

mav.pt mail is handled by 0 gw.mav.pt.

Since gw.mav.pt doesn't resolve to the external IP, the problem persists.

If I hadn't "config setprop tinydns ListenIP 192.168.2.1", the server wouldn't even reply, which seems to be a de facto measure imposed by SME Server's team: not publish tinyDNS to outside. However, I'm not convinced that is *not* possible... has anyone accomplished such a thing?

-plc

Offline CharlieBrady

« Reply #3 on: April 26, 2007, 04:16:03 PM »
Quote from: "plc"

I'm trying to setup an SMEServer to be used as the "public" DNS Server, ...


I don't know why you'd bother doing that, since reliable easily managed public DNS services are freely available from multiple sources.

SME server itself cannot be used as "the" public DNS server for a domain - you always need at least two servers with synchronised data.

plc

« Reply #4 on: April 26, 2007, 08:54:16 PM »
Quote

I don't know why you'd bother doing that, since reliable easily managed public DNS services are freely available from multiple sources.


It's a matter of design. And being applied as an exercise to understand SME Server limitations.

Quote

SME server itself cannot be used as "the" public DNS server for a domain - you always need at least two servers with synchronised data.


I'm sorry but that's not true. Although the backup DNS server is recommended, it's still optional. More, SME Server/tinydns provide DNS services (although for serving loopback only), so it seems just a question of SME supporting this feature *or not*. If it does, I'm asking for the right method to achieve such result, because if I do it by hand (without config setprop stuff) I'll be breaking upgrade support.

[EDITED]
I can always edit /var/service/tinydns/root/data and signal the event for reloading configurations, so the MX record gets changed. The problem is that all this seems *too* handcrafted, I'm probably missing some easier commands...
[/EDITED]

Any hints?

Offline CharlieBrady

« Reply #5 on: April 26, 2007, 09:12:42 PM »
Quote from: "plc"
Quote

I don't know why you'd bother doing that, since reliable easily managed public DNS services are freely available from multiple sources.


It's a matter of design.


It's a matter of design of what?

Quote

And being applied as an exercise to understand SME Server limitations.


SME Server intentionally does not provide public DNS services. In the early days, that was partly because we did not trust the security of bind. As we now use djbdns, that is less of an issue. But DNS should always be configured only by people who know what they are doing. If someone understands DNS and DNS technology well, they will be able to work out how to modify SME server to serve public DNS.

Quote

Quote

SME server itself cannot be used as "the" public DNS server for a domain - you always need at least two servers with synchronised data.


I'm sorry but that's not true. Although the backup DNS server is recommended, it's still optional.


You're right that it is technically optional, but it's required by registrars in most DNS top level domains. Perhaps it isn't in .pt.

Quote

More, SME Server/tinydns provide DNS services (although for serving loopback only), so it seems just a question of SME supporting this feature *or not*. If it does, I'm asking for the right method to achieve such result, because if I do it by hand (without config setprop stuff) I'll be breaking upgrade support.

Any hints?


SME software does not and will not support that feature. I'm sure that there are better ways for you to use your time. If you insist on trying to do it, then have fun :-)

Offline Normando

« Reply #6 on: April 26, 2007, 11:48:28 PM »
Hi PLC. If you can configure SME as public DNS server please share your experience with us. A lot of people want to setup a public dns server.

Thank you

Offline StephenHodgman

« Reply #7 on: April 30, 2007, 04:20:56 AM »
We are using smeserver as our internal fileserver. i.e. Server Only Mode
We use the tinydns as the dns server for our INTERNAL network.
We have remote offices who need to mirror the INTERNAL dns on their servers.
i.e. Have this Zone as a Slave
They are currently NOT running tinydns.
We have access to these offices over our VPN.  

I see that tinydns contains a program that will accept Zone Requests from Other sites.
http://cr.yp.to/djbdns/axfrdns.html
Does anyone have any useful suggestions on how to make this work in SME Server?
By the traffic I have seen here it sounds like there are people interested in this.

I realise the smeserver is not intended to be a DNS server on the big bad internet.  
However, I am sure there are many people like us that want an internal DNS that can be replicated easily...

Now, there is a way to replicate the data to another TinyDns server using rsync.  This is described here: http://cr.yp.to/djbdns/run-server.html

However, I need to allow NON-TinyDNS servers to make requests.
We will proceed and experiment but I would be very happy to receive input.
Thanks for your time,

Offline stefangk

My Recent Finding on This Topic
« Reply #8 on: May 05, 2007, 11:59:58 AM »
As I'm interested in this topic, I did some research, and here are some useful links:

http://mirror.contribs.org/smeserver/releases/7/smedev/i386/RPMS/smeserver-tinydns-public-1.0.0-4.el4.sme.noarch.rpm
http://fisheye1.cenqua.com/browse/smeserver/smeserver-tinydns-public

The first one is very promising. On my test server it works fine as an authoritative server.

I got the file generated by the template system:
Code:
cp /var/services/tinydns/root/data /var/services/tinydns.public/root/data/
Then I removed the local hosts section and everywhere changed the internal domain to the external one and the internal IP to my public IP.
At the end I ran
Code:
tinydns-data
and
Code:
svc -t /service/tinydns.public

AND IT WORKS!
Stefan Krastanov

Offline MasthaX

« Reply #9 on: May 07, 2007, 09:59:55 AM »
OK, maybe I don't understand this very well, but is it possible for SME server to act as a public DNS server without installing other programs on it? I wanted to do this. I made the records for my home server like this

F.E.

ftp.domain.com         Self 10.0.0.60    
mail.domain.com       Self 10.0.0.60    
proxy.domain.com     Self 10.0.0.60    
s1.domain.com          Self 10.0.0.60        
wpad.domain.com      Self 10.0.0.60    
www.domain.com       Self 10.0.0.60    

So when I order this domain and give my external IP, will it resolve to my server and then forward to my information bays?
There's no place like 127.0.0.1

Offline stefangk

« Reply #10 on: May 07, 2007, 12:18:33 PM »
What you need is one half of the functionality of http://mirror.contribs.org/smeserver/releases/7/smedev/i386/RPMS/smeserver-tinydns-public-1.0.0-4.el4.sme.noarch.rpm.

1. You must have just your public IP address and public domain.
2. You have to point your host (with your public IP) to be one of your DNS servers in the domain configuration (usually provided by the company who sold you the domain).
3. Then download and install the above-mentioned rpm with:
Code:
wget http://mirror.contribs.org/smeserver/releases/7/smedev/i386/RPMS/smeserver-tinydns-public-1.0.0-4.el4.sme.noarch.rpm
To install the rpm do:
Code:
yum localinstall smeserver-tinydns-public-1.0.0-4.el4.sme.noarch.rpm
4. Copy the data file from your internal DNS with:
Code:
cp /var/services/tinydns/root/data /var/services/tinydns.public/root/data/
5. Edit the data file:
Code:
pico /var/services/tinydns.public/root/data/data
Remove all local hosts, change IP addresses and domain everywhere, and remove unneeded lines.
6. Compile the data file with:
Code:
cd /var/services/tinydns.public/root/data
tinydns-data

7. Restart the tinydns.public service to start resolving your domain from the internet:
Code:
svc -t /service/tinydns.public
Stefan Krastanov
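
The copy-and-edit procedure in the steps above (remove local hosts, swap the internal IP and domain for the public ones), done mechanically on a tinydns data file, as an added Python example that is not part of the original post or of smeserver-tinydns-public. The names office.lan and example.com and the address 203.0.113.10 are constructed placeholders, and the script assumes the public server is not authoritative for any reverse zone, so every in-addr.arpa line is dropped.

```python
import ipaddress

# RFC 1918 ranges plus loopback: addresses that must not appear in a public zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_TYPES = ".&=+@"   # tinydns-data line types whose second field is an IP address

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:            # empty field or not an IP literal
        return False
    return any(addr in net for net in INTERNAL_NETS)

def rename(name, old, new):
    # Swap the domain suffix old -> new, only on a whole-label boundary.
    if name == old or name.endswith("." + old):
        return name[:len(name) - len(old)] + new
    return name

def publicize(data, internal_ip, public_ip, internal_domain, public_domain):
    """Return (kept, dropped) lines for the public copy of a tinydns data file."""
    kept, dropped = [], []
    for line in data.splitlines():
        if not line.strip() or line[0] in "#-":
            continue                                  # comments, disabled lines
        kind, f = line[0], line[1:].split(":")
        has_ip = kind in IP_TYPES and len(f) > 1
        if has_ip and f[1] == internal_ip:
            f[1] = public_ip
        # Local-only data: the LAN's reverse zone, or a host that keeps a LAN address.
        if f[0].endswith(".in-addr.arpa") or (has_ip and is_internal(f[1])):
            dropped.append(line)
            continue
        f[0] = rename(f[0], internal_domain, public_domain)
        if kind in ".&@" and len(f) > 2:              # NS or MX host name field
            f[2] = rename(f[2], internal_domain, public_domain)
        kept.append(kind + ":".join(f))
    return kept, dropped

# Constructed sample input, not taken from a real server.
SAMPLE = """\
.office.lan:192.168.1.1:ns1.office.lan:86400
=gw.office.lan:192.168.1.1:86400
+www.office.lan:192.168.1.1:86400
=printer.office.lan:192.168.1.50:86400
@office.lan::gw.office.lan:0:86400
^1.1.168.192.in-addr.arpa:gw.office.lan:86400
"""
```

Calling `publicize(SAMPLE, "192.168.1.1", "203.0.113.10", "office.lan", "example.com")` gives the lines to write to the public data file before running `tinydns-data`; review the dropped list to confirm nothing public was discarded.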

Offline MasthaX

« Reply #11 on: May 07, 2007, 01:03:55 PM »
doublepost
There's no place like 127.0.0.1

Offline MasthaX

« Reply #12 on: May 07, 2007, 01:04:24 PM »
What you need is one half of the functionality of http://mirror.contribs.org/smeserver/releases/7/smedev/i386/RPMS/smeserver-tinydns-public-1.0.0-4.el4.sme.noarch.rpm.

1. You must have just your Public IP address and Public domain

I got my IP 84.41.201.x  and domain jurgen-meijer.nl

2. You have to point your host (with your public IP) to be one of your DNS servers in domain configuration (usually provided by company who sell you domain)

This part I don't get, how do I do this?

3. Then download and install the above mentioned rpm with:
Code:
wget http://mirror.contribs.org/smeserver/releases/7/smedev/i386/RPMS/smeserver-tinydns-public-1.0.0-4.el4.sme.noarch.rpm

Downloaded the file with Lynx
There's no place like 127.0.0.1

Offline bpivk

« Reply #13 on: May 07, 2007, 01:07:05 PM »
Quote from: "MasthaX"
OK, maybe I don't understand this very well, but is it possible for SME server to act as a public DNS server without installing other programs on it? I wanted to do this. I made the records for my home server like this

F.E.

ftp.domain.com         Self 10.0.0.60    
mail.domain.com       Self 10.0.0.60    
proxy.domain.com     Self 10.0.0.60    
s1.domain.com          Self 10.0.0.60        
wpad.domain.com      Self 10.0.0.60    
www.domain.com       Self 10.0.0.60    

So when I order this domain and give my external IP, will it resolve to my server and then forward to my information bays?

This will work. Just point your sub/domains to your IP on a free DNS server (e.g. ZoneEdit).
"It should just work" if it doesn't report it. Thanks!

Offline MasthaX

« Reply #14 on: May 07, 2007, 02:16:42 PM »
That's not the point. I got my webserver running (http://myip). I just want to host my own DNS, not a free DNS. I have bought a domain.
There's no place like 127.0.0.1