DNS


DNS (Domain Name System) is the system by which hostnames and domain names are resolved to IP addresses, and in which the other records that domain-based services depend on (mail routing, name server delegation, reverse lookups) are published. For domain-based services to work, the DNS server must be configured correctly.

BlueOnyx uses BIND, the most widely deployed DNS server software. The BlueOnyx GUI provides a management interface that brings simplicity and ease of use to this complex system.

The DNS Management page presents two Edit buttons, one for primary and one for secondary service. In addition, four sub-tabs cover the operational settings of the DNS server. The sections are:


Edit Primary Services: Click this button to manage DNS records for domains and networks that this server is registered to serve. Primary DNS service is also called master DNS service: the authoritative copy of the zone data is edited on this server.

Edit Secondary Services: Click this button to manage secondary DNS service for domains and networks. Secondary service is that which is “slaved” from another DNS server: this server obtains a copy of each zone from its primary by zone transfer and serves it, but the records themselves are maintained on the primary.


Basic

Enable Server: Turn Domain Name System (DNS) server functionality on or off. Turning this feature on allows this server appliance to act as a local domain name server for itself and for its clients. A domain name server translates textual host names and domain names into numerical IP addresses, and vice-versa.


Advanced

The advanced settings that apply to the DNS server. These settings affect all zones served by the server.

Start of Authority (SOA) Default Values

You can fine-tune the Start of Authority (SOA) defaults for primary domains and for networks (reverse zones) independently of each other.

  • Default DNS Administrator Email Address: email address of the administrative contact for all newly added domains and networks. Please enter a properly formatted email address. For example, user@example.com is a valid entry.
  • Default Refresh Interval (Seconds): the default refresh interval for all newly added domains and networks. This value is the interval at which the secondary domain name server will try to synchronize its records with the primary domain name server. Please enter an integer between 1 and 4096000. The default value is 10800 (3 hours).
  • Default Retry Interval (Seconds): the default retry interval for all newly added domains and networks. If for some reason the secondary domain name server is not able to contact the primary domain name server to synchronize its records, this value is the interval at which the secondary domain name server will try repeatedly to contact the primary domain name server. Please enter an integer between 1 and 4096000. The default value is 3600 (1 hour).
  • Default Expire Interval (Seconds): If for some reason the secondary domain name server is repeatedly not able to contact the primary domain name server to synchronize its records, this value is the interval after which the secondary domain name server will no longer consider its domain information valid. It will then stop serving domain information until the primary domain name server can be contacted again. Please enter an integer between 1 and 4096000. The default value is 604800 (7 days).
  • Default Time-To-Live Interval (Seconds): This value is the length of time for which other domain name servers will cache the domain information retrieved from this domain name server and will assume it to be valid without checking with this domain name server again. Please enter an integer between 1 and 4096000. The default value is 86400 (1 day).
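
The four timers above only make sense in relation to each other: a secondary must be able to retry at least once before its copy expires, and retries must come more often than refreshes. The following added example (not BlueOnyx code) parses SOA RDATA in the form `dig` prints it, checks each value against the 1..4096000 range the GUI accepts and against those relationships, and decodes the administrator address from the SOA RNAME, in which the "@" is written as the first unescaped dot. The sample record and the thresholds are constructed from the defaults and semantics given above.

```python
"""Sanity checks for SOA timers and the SOA admin address (added example)."""
from dataclasses import dataclass

MAX_INTERVAL = 4096000  # upper bound the BlueOnyx GUI accepts for each timer


@dataclass(frozen=True)
class SoaTimers:
    refresh: int
    retry: int
    expire: int
    ttl: int  # the "Default Time-To-Live" field; last field of the SOA record


def parse_soa(rdata: str) -> SoaTimers:
    """Parse SOA RDATA as printed by `dig`:
    'ns1.example.com. hostmaster.example.com. 2024010101 10800 3600 604800 86400'
    (a constructed sample, not captured from a live server)."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}")
    refresh, retry, expire, ttl = (int(x) for x in fields[3:7])
    return SoaTimers(refresh, retry, expire, ttl)


def rname_to_email(rname: str) -> str:
    """SOA RNAME encodes the admin address with '@' as the first unescaped dot;
    a literal dot in the local part is written as '\\.'."""
    rname = rname.rstrip(".")
    local = ""
    i = 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):  # escaped character, keep literally
            local += rname[i + 1]
            i += 2
            continue
        if c == ".":
            return f"{local}@{rname[i + 1:]}"
        local += c
        i += 1
    return local


def check_soa(t: SoaTimers) -> list[str]:
    """Return a list of problems; an empty list means the timers are consistent.
    The two relationship checks follow from the semantics described above."""
    problems = []
    for name, value in vars(t).items():
        if not 1 <= value <= MAX_INTERVAL:
            problems.append(f"{name}={value} outside 1..{MAX_INTERVAL}")
    if t.retry >= t.refresh:
        problems.append("retry should be shorter than refresh")
    if t.expire <= t.refresh + t.retry:
        problems.append("expire must exceed refresh + retry")
    return problems


if __name__ == "__main__":
    sample = "ns1.example.com. hostmaster.example.com. 2024010101 10800 3600 604800 86400"
    print(rname_to_email(sample.split()[1]))   # hostmaster@example.com
    print(check_soa(parse_soa(sample)))        # [] : the GUI defaults pass
```

Run it against `dig +short SOA example.com` output for a zone this server publishes; an empty list means the timers are consistent with the defaults documented above.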

Server Settings

  • Allow DNS Query Access: Enabled by default. Allows hosts on the Internet to query this DNS server for the zones it serves.
  • Allow Queries from Everyone: Allow query access from the entire Internet. If this server is an authoritative name server for public domains, turn this on. If the name server is meant to be private, leave it off.
  • Allow Queries from these Networks: Specify the IP address ranges (in the same form as 127.0.0.1/32) that are allowed to query this DNS server. By default only localhost is allowed. Ticking “Allow Queries from Everyone” overrides any ranges entered here and allows anyone to query.
  • Allow DNS Cache Access: Enables caching, also called recursion: the server resolves names in zones that other name servers are authoritative for, on behalf of its clients. A recursive server that answers anyone on the Internet (an “open resolver”) can be abused as a reflector and amplifier in DDoS attacks against third parties, and is itself an easy denial-of-service target. If you need a resolver for names you are not authoritative for, either use your provider's DNS server or, if you still want to use this server for that, limit cache access to localhost (127.0.0.1/32) or to selected, trusted network ranges.
  • Open DNS Server: NOT RECOMMENDED! Ticking this box makes the server a fully open resolver that resolves any name for anyone on the Internet, with exactly the DDoS exposure described above. If you need recursive resolution, use your provider's DNS server or restrict cache access to localhost (127.0.0.1/32) or selected, trusted network ranges instead.
  • Allow Cache access from these Networks: Limits recursive (cached) lookups to the listed IP addresses or ranges. Clients outside these ranges are refused recursive service; whether they can query the zones this server is authoritative for is governed by the query-access settings above.
    • Disabling caching is useful when operating this server on a private network.
  • Forwarding Servers: Forwarding name servers are used when Allow DNS Cache Access is enabled but the root name servers are not directly reachable because of a limited or restricted Internet connection. Enter each IPv4 address as four numbers between 0 and 255 separated by periods. For example, 192.168.1.1 is a valid entry.
    • If the BlueOnyx server is used on a private network or behind a restrictive firewall, you can specify one or more forwarding DNS servers by IP address. When this server cannot answer a query from its own zones or cache, it forwards the query to the forwarding server(s), then returns the answer to the client.
  • Zone Transfer Access by IP Address: Enter the IP addresses that are allowed to download complete copies of the zones this server maintains through zone transfers.
    • A zone transfer gives another DNS server the complete contents of a zone, including every hostname in it, so an unrestricted transfer also hands an attacker a full inventory of your hosts. Zone transfers are used by secondary name servers to synchronize their records with the primary, so only your secondaries belong in this list.

By default, zone transfers are not allowed to any host. You must explicitly list the IP addresses permitted to perform zone transfers (normally your secondary name servers); a transfer request from any other address is refused.
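
The settings above map onto BIND's address-match lists. The following added example (not BlueOnyx's generated configuration, which the page does not show and which may differ) renders the equivalent `allow-query`, `recursion`, `allow-recursion`, `allow-transfer` and `forwarders` directives from GUI-style settings and flags the open-resolver combination the text warns about. The `DnsAccess` field names and the secondary address 192.0.2.53 are constructed for the illustration.

```python
"""Map the GUI access settings to BIND directives and audit them (added example)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class DnsAccess:
    query_everyone: bool = False                                  # "Allow Queries from Everyone"
    query_networks: list[str] = field(default_factory=lambda: ["127.0.0.1/32"])
    cache_access: bool = False                                    # "Allow DNS Cache Access"
    open_server: bool = False                                     # "Open DNS Server"
    cache_networks: list[str] = field(default_factory=lambda: ["127.0.0.1/32"])
    transfer_hosts: list[str] = field(default_factory=list)       # "Zone Transfer Access"
    forwarders: list[str] = field(default_factory=list)           # "Forwarding Servers"


def _acl(addrs: list[str]) -> str:
    """Render a BIND address-match list; an empty list becomes { none; }."""
    for a in addrs:
        ipaddress.ip_network(a, strict=False)  # raises on a malformed entry
    return "{ " + "".join(f"{a}; " for a in addrs) + "}" if addrs else "{ none; }"


def render_options(s: DnsAccess) -> str:
    """Return the options block using BIND's real directive names."""
    lines = ["options {"]
    lines.append("    allow-query " + ("{ any; };" if s.query_everyone else _acl(s.query_networks) + ";"))
    lines.append(f"    recursion {'yes' if s.cache_access else 'no'};")
    if s.cache_access:
        # "Open DNS Server" overrides the cache network list, as "Everyone" does for queries.
        lines.append("    allow-recursion " + ("{ any; };" if s.open_server else _acl(s.cache_networks) + ";"))
    lines.append("    allow-transfer " + _acl(s.transfer_hosts) + ";")
    if s.forwarders:
        lines.append("    forwarders " + _acl(s.forwarders) + ";")
    lines.append("};")
    return "\n".join(lines)


def _covers_everyone(networks: list[str]) -> bool:
    return any(ipaddress.ip_network(n, strict=False).prefixlen == 0 for n in networks)


def is_open_resolver(s: DnsAccess) -> bool:
    """True when anyone on the Internet gets recursive answers: the reflector
    configuration the text above says to avoid. Both query access and recursion
    must be open for that to happen."""
    if not s.cache_access:
        return False
    recursion_for_all = s.open_server or _covers_everyone(s.cache_networks)
    queries_for_all = s.query_everyone or _covers_everyone(s.query_networks)
    return recursion_for_all and queries_for_all


# Public authoritative server, recursion only for the box itself, transfers only
# to one secondary (192.0.2.53 is a constructed documentation address).
AUTHORITATIVE_HARDENED = DnsAccess(query_everyone=True, cache_access=True,
                                   cache_networks=["127.0.0.1/32"],
                                   transfer_hosts=["192.0.2.53"])
# The "Open DNS Server" box ticked: resolves anything for anyone.
OPEN_RESOLVER = DnsAccess(query_everyone=True, cache_access=True, open_server=True)

if __name__ == "__main__":
    for name, cfg in (("hardened", AUTHORITATIVE_HARDENED), ("open", OPEN_RESOLVER)):
        print(f"# {name}: open resolver = {is_open_resolver(cfg)}")
        print(render_options(cfg))
```

Note that a wide range such as 0.0.0.0/0 typed into the network list is just as open as the checkbox; the audit treats a zero-length prefix the same way.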

DNS Rate Limits

DNS Response Rate Limiting (DNS RRL) is a protection feature for domain name servers, originally shipped as an experimental BIND 9 feature. It keeps BIND 9 from being used as an amplifier in reflection denial-of-service attacks and partially protects BIND 9 itself from some denial-of-service attacks. It should normally be enabled.

  • Rate Limits Enabled: Tick this box to enable rate limiting (recommended!)
  • Responses per Second: A limit on identical responses, not on all responses or even on all responses to a single client. 10 identical responses per second is a generous limit, except perhaps when many clients share a single IP address through network address translation (NAT). A value of zero means no limit on identical responses; use it to turn this part of rate limiting off in a view, or to rate-limit only NXDOMAIN and other error responses.
  • Window: Rate limiting uses a credit (token bucket) scheme. Each identical response has a conceptual account that is credited RESPONSES-PER-SECOND (or ERRORS-PER-SECOND, for error responses) every second. A DNS request that triggers such a response debits the account by one. Responses are not sent while the account is negative. The account cannot become more positive than the per-second limit, nor more negative than window times the per-second limit. A DNS client whose requests go unanswered can therefore be penalized for up to window seconds even after the abusive query flow stops.
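
The accounting described above is easier to see in a simulation. The following added example (a model of the documented behaviour, not BIND's RRL code) runs a single identical-response account through a few seconds of constructed traffic with a limit of 10 responses per second and a window of 15 seconds, then measures how long a flooding client stays penalized after it stops. Assumptions: every request yields the same response so one account applies, error responses and the errors-per-second allowance are ignored, and time advances in whole seconds.

```python
"""Token-bucket model of DNS RRL responses-per-second and window (added example)."""
from dataclasses import dataclass, field


@dataclass
class RrlAccount:
    responses_per_second: int
    window: int
    credits: int = field(init=False)
    last_second: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        # A fresh account holds one second's allowance.
        self.credits = self.responses_per_second

    def _refill(self, now: int) -> None:
        # Credit the per-second allowance for each elapsed second; the balance
        # can never exceed one second's allowance.
        if now > self.last_second:
            self.credits += self.responses_per_second * (now - self.last_second)
            self.credits = min(self.credits, self.responses_per_second)
            self.last_second = now

    def request(self, now: int) -> bool:
        """Debit one credit for a request; return True if the response is sent.
        The balance is floored at -window * responses_per_second, which bounds
        how long a flood can keep the account negative after it stops."""
        self._refill(now)
        self.credits = max(self.credits - 1, -self.window * self.responses_per_second)
        return self.credits >= 0


def simulate(rps: int, window: int, requests_per_second: list[int]) -> list[int]:
    """Feed the given number of identical requests in each consecutive second
    and return how many responses were actually sent in each second."""
    acct = RrlAccount(rps, window)
    return [sum(acct.request(now) for _ in range(n))
            for now, n in enumerate(requests_per_second)]


def seconds_until_recovery(rps: int, window: int, flood_rate: int, flood_seconds: int) -> int:
    """Flood for flood_seconds at flood_rate identical requests per second, then
    probe with one request per second; return how many probes are dropped before
    the first one is answered again (the post-flood penalty described above)."""
    acct = RrlAccount(rps, window)
    now = -1
    for now in range(flood_seconds):
        for _ in range(flood_rate):
            acct.request(now)
    dropped = 0
    while True:
        now += 1
        if acct.request(now):
            return dropped
        dropped += 1


if __name__ == "__main__":
    # Constructed traffic: 5, 30, 0 and 30 identical requests in four consecutive
    # seconds. Second 3 gets nothing although the client was quiet in second 2,
    # because the account is still paying off the burst from second 1.
    print(simulate(10, 15, [5, 30, 0, 30]))          # [5, 10, 0, 0]
    # A 3-second flood of 1000 requests/s drives the account to the floor; the
    # recovery then takes about one window (15 s) of unanswered probes.
    print(seconds_until_recovery(10, 15, 1000, 3))   # 16
```

The window therefore sets the worst-case penalty a legitimate client behind the same NAT address pays for a neighbour's abuse, which is why the text calls 10 responses per second generous only when clients do not share addresses.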

Extended DNS logging

WARNING: This should only be used for debugging, as it will log any query to your DNS server to /var/log/messages. Even on a lightly used DNS server this creates a lot of log entries. But you might want to briefly enable extended DNS logging to see if your DNS Rate Limits are working correctly.


Zone Format

Choose a zone file format for subnetting on a non-octet boundary that is compatible with your local reverse delegation method. RFC 2317 is the standard format; DION and OCN-JT are much less commonly used.


Auto DNS

Add default host names for Auto DNS, so that every newly created domain gets its standard DNS records automatically.

  • Host Names: Enter the default hostnames that you wish to be added to a domain's DNS configuration. All of the hostnames entered here will generate A records pointing to the configured IP address of the site.
  • Mail Server Host Name: Enter the default hostname of the mailserver for the domain. As new sites are added, an MX record will be added for the domain based on this entry.