Configuring additional IP sub networks for DNS
UCS Domain controllers do not answer (recursive) DNS queries from different sub networks:
dig +noquestion +noauthority +noadditional +nostats test.openresolver.com TXT
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +noquestion +noauthority +noadditional +nostats test.openresolver.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27510
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
Univention Corporate Servers are configured to answer only DNS queries from private IP address ranges by default to prevent abuse for DDoS attacks. If sub-networks with public IP addresses are used, the DNS server configuration must be adapted.
With errata66 the default configuration of the UCS DNS server BIND9 was changed to allow only queries from certain sub-networks:
- 127.0.0.1, ::1 (localhost)
- 10.0.0.0/8 (IPv4 private class A)
- 169.254.0.0/16 (IPv4 Link-Local Addresses)
- 172.16.0.0/12 (IPv4 private class B)
- 192.168.0.0/16 (IPv4 private class C)
- fc00::/7 (IPv6 Unique Local Addresses)
- fe80::/10 (IPv6 Link-Local Addresses)
- localnets (all requests from hosts in the same IP-subnet as the Domaincontroller)
This list can be configured through the UCR Variable dns/allow/query/cache, which defaults to localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets.
If multiple sub-networks are used in the domain, they must be added explicitly to that list separated by semicolon. This can be done on the command line logged in as the user root by running a command like the following on all DCs. The example adds the additional network “192.0.2.0/24”:
ucr set dns/allow/query/cache='localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets<ins>; 192.0.2.0/24</ins>
As an alternative the UCS variable can also be set through the corresponding UMC System module “Univention Configuration Registry”.
For multiple UCS servers it is advisable to setup a UCS Domain Policy of the type “Univention Configuration Registry”, which sets the UCR variable for all affected DCs.
The list is separated by semicolon, but not terminated by one!
After changing the configuration the generated files should be checked for validity using named-checkconf
. Afterwards the BIND9 daemons must be restarted:
service bind9 restart
Open DNS Resolvers pose a significant threat to the global network infrastructure by answering recursive queries for hosts outside of its domain. They are utilized in DNS Amplification attacks. Therefore a DNS server must be configured to answer queries only from allowed hosts.