DNS Server on DC does not resolve external name

dns
ddos
recursive
query
ip
subnet


Configuring additional IP sub networks for DNS

Problem

UCS domain controllers do not answer (recursive) DNS queries from other subnetworks:

dig +noquestion +noauthority +noadditional +nostats test.openresolver.com TXT

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +noquestion +noauthority +noadditional +nostats test.openresolver.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27510
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

Answer

By default, Univention Corporate Servers are configured to answer DNS queries only from private IP address ranges, to prevent their abuse in DDoS attacks. If subnetworks with public IP addresses are used, the DNS server configuration must be adapted.

Default configuration

With UCS-4.0 erratum66 the default configuration of the UCS DNS server BIND9 was changed to allow queries only from certain subnetworks:

  • 127.0.0.1, ::1 (localhost)
  • 10.0.0.0/8 (IPv4 private class A)
  • 169.254.0.0/16 (IPv4 Link-Local Addresses)
  • 172.16.0.0/12 (IPv4 private class B)
  • 192.168.0.0/16 (IPv4 private class C)
  • fc00::/7 (IPv6 Unique Local Addresses)
  • fe80::/10 (IPv6 Link-Local Addresses)
  • localnets (all requests from hosts in the same IP subnet as the domain controller)

Customization

This list can be configured through the UCR Variable dns/allow/query/cache, which defaults to localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets.

If multiple subnetworks are used in the domain, they must be added explicitly to that list, separated by semicolons. This can be done on the command line, logged in as the user root, by running a command like the following on all DCs. The example adds the additional network “192.0.2.0/24”:

ucr set dns/allow/query/cache='localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; 192.0.2.0/24'

Alternatively, the UCR variable can also be set through the corresponding UMC System module “Univention Configuration Registry”.

For multiple UCS servers it is advisable to set up a UCS domain policy of the type “Univention Configuration Registry”, which sets the UCR variable for all affected DCs.

Notice

The list is separated by semicolons, but not terminated by one!

After changing the configuration, the generated files should be checked for validity using named-checkconf. Afterwards the BIND9 daemons must be restarted:
named-checkconf /etc/bind/named.conf.proxy
named-checkconf /etc/bind/named.conf.samba4
service bind9 restart
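The following is an added helper, not part of the original post or of UCS, that builds the new value for dns/allow/query/cache before it is passed to ucr set. It tolerates a stray trailing semicolon, rejects malformed networks, skips a network that an existing entry already covers, and can check whether a given client address would be accepted (the REFUSED case above). The default value is the one listed above; the localnets entry cannot be evaluated from the value alone, so the caller supplies the DC's own interface networks.

```python
import ipaddress

# Default value of the UCR variable dns/allow/query/cache, as listed above.
DEFAULT_ALLOW_QUERY = ("localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; "
                       "192.168.0.0/16; fc00::/7; fe80::/10; localnets")
# BIND ACL keywords used in that list which are not CIDR networks.
ACL_KEYWORDS = {"localhost", "localnets"}


def parse_allow_query(value):
    """Split the UCR value into entries; a stray trailing semicolon is dropped
    here so the re-joined value never ends with one (see the Notice above)."""
    return [e.strip() for e in value.split(";") if e.strip()]


def add_network(value, network):
    """Return `value` with `network` appended, unless an existing entry already
    covers it. A malformed network raises ValueError before anything is set."""
    entries = parse_allow_query(value)
    if network in ACL_KEYWORDS:
        if network not in entries:
            entries.append(network)
        return "; ".join(entries)
    # strict=False normalizes host bits: 192.0.2.1/24 -> 192.0.2.0/24
    new_net = ipaddress.ip_network(network, strict=False)
    for entry in entries:
        if entry in ACL_KEYWORDS:
            continue
        existing = ipaddress.ip_network(entry, strict=False)
        if existing.version == new_net.version and new_net.subnet_of(existing):
            return "; ".join(entries)  # broader or identical entry exists
    entries.append(str(new_net))
    return "; ".join(entries)


def is_query_allowed(value, client_ip, localnets=()):
    """True if client_ip matches the list. The DC's own interface networks must
    be passed as `localnets`; they cannot be derived from the value alone."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in localnets]
    for entry in parse_allow_query(value):
        if entry == "localhost":
            nets += [ipaddress.ip_network("127.0.0.0/8"),
                     ipaddress.ip_network("::1/128")]
        elif entry != "localnets":  # localnets was expanded above
            nets.append(ipaddress.ip_network(entry, strict=False))
    return any(ip.version == n.version and ip in n for n in nets)
```

The returned string is what goes inside the single quotes of the ucr set command shown above; run named-checkconf and restart bind9 afterwards as described.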

Background

Open DNS resolvers pose a significant threat to the global network infrastructure because they answer recursive queries for hosts outside of their own domain, which makes them usable in DNS amplification attacks. Therefore a DNS server must be configured to answer queries only from allowed hosts.