How-to: Configure an External DNS Server for DNS Queries in UCS

Description:

In a Univention Corporate Server (UCS) environment, the internal DNS server successfully resolves queries for locally defined zones. However, in scenarios where DNS queries need to be resolved by an external DNS server (reachable only via IP), additional configuration is required.

This guide explains two methods for configuring UCS to forward DNS queries to an external server, either globally or for a specific zone.


1. Using UCR Variables to Configure a Global DNS Forwarder

The recommended approach for external DNS server configuration is via the UCR variable dns/forwarder. UCS uses LDAP to define DNS zones, and depending on the backend (LDAP or Samba), the corresponding BIND configuration files are used:

  • LDAP backend: /etc/bind/named.conf.proxy
  • Samba backend: /etc/bind/named.conf.samba4

The global forwarder (dns/forwarder) is only used for domains that do not have a locally defined UCS zone. If a zone is defined locally, the global forwarder will not be used. In such cases, a zone-specific forward (delegation) must be created.

Step 1: Check Existing UCR Variables

ucr search --brief dns/forwarder

Example output:

dns/forwarder1: 10.200.30.1
dns/forwarder2: <empty>
dns/forwarder3: <empty>

Step 2: Get Detailed Info on a UCR Variable

ucr info dns/forwarder1

Output description:

dns/forwarder1: 10.200.30.1
There are two types of DNS servers:
- External DNS server: resolves hostnames outside the UCS domain (e.g., ISP name server).
- Domain DNS server: local UCS DNS server, managing hostnames and IPs in the UCS domain.

If a local address is not found, the external DNS server is automatically queried. This variable defines the first external DNS server.
Category: service-bind
Default: (not set)
Type: ipaddress

Step 3: Set the Forwarder and Restart DNS Service

ucr set dns/forwarder1=10.200.30.1
systemctl restart named.service

After this, all queries for non-local domains will be forwarded to the external DNS server.
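The steps above, as an added example (not UCS code): it parses the `ucr search --brief dns/forwarder` listing, rejects values that are not IP addresses (the variable's declared type), and predicts, for a given name, whether the local zone or the global forwarder answers it, which is the caveat from the section opening. The sample listing and the zone `ucs.intranet` are constructed values.

```python
import ipaddress

# Constructed sample of `ucr search --brief dns/forwarder` output in the
# format shown above (the address is an example, not a real server).
SAMPLE_UCR_OUTPUT = """\
dns/forwarder1: 10.200.30.1
dns/forwarder2: <empty>
dns/forwarder3: <empty>
"""

def parse_forwarders(ucr_output):
    """Split the UCR listing into (valid, invalid) forwarder addresses.
    Unset variables print as '<empty>' and are skipped; any other value is
    checked against the variable's declared type 'ipaddress', because BIND
    only accepts addresses in a `forwarders { ... }` statement."""
    valid, invalid = [], []
    for line in ucr_output.splitlines():
        key, sep, value = line.partition(":")   # first ':' ends the key,
        if not sep or not key.startswith("dns/forwarder"):  # IPv6 is safe
            continue
        value = value.strip()
        if value == "<empty>":
            continue
        try:
            valid.append(str(ipaddress.ip_address(value)))
        except ValueError:
            invalid.append(value)
    return valid, invalid

def in_zone(name, zone):
    """True if `name` lies inside `zone`, comparing whole labels only,
    so 'evil-ucs.intranet' is not mistaken for part of 'ucs.intranet'."""
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z

def resolution_path(name, local_zones, forwarders):
    """Predict how the UCS name server handles a query for `name`:
    ('local', zone)   - in a locally defined zone: answered from LDAP, the
                        global forwarder is never consulted (an external
                        authority needs a zone-specific forward instead)
    ('forward', ips)  - any other name, when dns/forwarderN is set
    ('recurse', None) - no forwarder set: BIND resolves it itself (assumed
                        stock BIND behaviour, not stated on the page)"""
    for zone in local_zones:
        if in_zone(name, zone):
            return ("local", zone)
    if forwarders:
        return ("forward", list(forwarders))
    return ("recurse", None)
```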


2. Using LDAP Objects and the UMC to Configure a Forward Zone

This method involves creating a forward zone for the specific domain and linking it to the external DNS server via LDAP objects.

Step 1: Create a Forward Zone

Step 2: Create Required Records

For the forward zone to function correctly, the following LDAP objects are required:

  1. Service Record linked to the forward zone
  2. Host Record (A or AAAA) pointing to the external DNS server

Step 3: Restart Named/BIND9 Service

After creating the forward zone and records, restart the DNS service:

Via Shell:

systemctl restart named.service

Via UMC:

  1. Navigate to System → System Services
  2. Search for “dns”
  3. Select bind9 and choose Restart

Once restarted, DNS queries for the specific zone will be forwarded to the external DNS server.


See also: