wiki.ipfire.org

The community-maintained documentation platform of IPFire

User Tools

Site Tools


configuration:network:dnsforward

DNS forwarding

What is this?

When you install IPfire, you configure DNS name servers either manually or via DHCP from your provider. DNS forwarding allows you to configure additional name servers for certain zones. For these zones, all DNS queries will be forwarded to the respective name servers.

This is useful if you have a zone with non-public records like when you are using Microsoft Active Directory DNS services or an additional IPFire accessible through a VPN tunnel for example.

DNS-forwarding is not limited to use local name servers. It can also be used for Geo un-blocking services which allow access to streaming media services using reverse proxies. You can set up DNS forwarding for the media service sites only, so that you do not have to use the Geo un-blocking services' DNS server for all internet name resolution.

Configuration

A zone (internet domain) and the name server for that zone is required. Valid zone names are all fully qualified domain names. The name server where all queries for this zone are sent to must be defined by its IP address.

The comment field is optional.

Zones without DNS validation

It needs to be noted, that IPFire installations use unbound to resolve DNS names. IPFire is configured such, that the remote DNS server MUST provide validated DNS answers. Otherwise the DNS request will fail, and you will find related log entries. To spot them, use the WebGUI, there Logs / System Logs / Settings / Section: DNS-Unbound.

Unfortunately IPFire / Unbound does not provide validated answers when requested. When setting up a DNS forwarder for a VPN tunnel between two IPFire installation, see e.g. IPsec , DNS answers from the remote IPFire will be dropped, because no validated answers are provided. Consequently it is mandatory both IPFires must be configured such, that they accept DNS resolution without validated answer. This can only be configured “under the hood”, i.e. root console, i.e. NOT on the WebGUI.

To achieve that, additional Unbound configuration files need to be added.

  • Open root console.
  • Create file /etc/unbound/local.d/insecure.conf with the following content:
    # This is the file to include the remote zone example.com as an insecure zone
    #
    server:
          domain-insecure: example.com
  • Save the file.
  • Restart Unbound by the following command on the root console: /etc/init.d/unbound restart
configuration/network/dnsforward.txt · Last modified: 2018/09/07 18:18 by KaPe