Split DNS (Zimbra): Difference between revisions
Latest revision as of 11:51, 5 June 2022
Split DNS is required for Zimbra where your server is on an internal (private address range) network[1].
Zimbra needs to be able to resolve its own Mail Exchanger (MX) DNS record, otherwise its services will not start. Therefore if your server is known publicly by one IP address, but in fact has a different internal address (and the public IP is NAT'ed to the internal IP) you'll need to use split DNS. This allows your server to be known by one IP address on the internet, and a different address internally, but with the same hostname regardless of where you are. There are two methods described below that enable you to achieve this...
- Localhost DNS Server Setup - DNS server installed locally on the Zimbra server.
- Local Network DNS Server Setup - DNS server on your local network, if you have one available.
Note that Split DNS, Split-Horizon DNS, Split-Brain DNS all refer to the same technique, and the terminology can be used interchangeably.
DNS Records
Firstly, you need to own a public DNS domain name, then create two DNS records...
- MX record - Mail Exchanger (MX) record
  - EG sandfordit.com [MX] -> mail.sandfordit.com
  - where sandfordit.com is the domain you own, and mail.sandfordit.com is the hostname of your email server (this can be anything you like). Email addressed to <anything>@sandfordit.com will be directed to the server in this record.
  - You'll need to give the record a weighting (the MX preference value; this allows you to have multiple email servers for the same domain). The lower the number the higher the server's priority; assuming you only have one email server, it's common to use 10.
- A record - Standard DNS record
  - EG mail.sandfordit.com [A] -> 158.25.34.124
  - 158.25.34.124 is the static IP address assigned to your email server. You'll need to set up a NAT on your router (often called a virtual server in domestic firewalls/routers) to map incoming mail on TCP 25 to your email server's actual address (EG 158.25.34.124:25 -> 192.168.1.150:25).
Note, instead of an A record, a CNAME record can be used instead (though the CNAME record will still need to point to a valid A record). Using a CNAME can be preferable, where you might, in the future, want to send inbound email traffic to another email server, addressed by a different A record.
Localhost DNS Server Setup
In order to get round the fact that your exchange server (the Zimbra host) won't have the same IP (or even the same name) on the public internet as it has on your internal network, a DNS server is installed on the exchange server itself to provide MX record resolution. The procedure assumes DNS (BIND) is already installed (use apt-get install bind9).
Terminology...
- Private = Home or internal network IP address and network name (eg 192.168.1.150 and mail.home.int)
- Public = Global internet, ISP assigned IP address and registered domain name (eg 158.25.34.124 and mail.sandfordit.com)
Firstly, add the IP(s) of the DNS servers you use for resolution on your other machines to your local DNS server's list of forwarders (so that your exchange server forwards DNS resolution requests for unknown names to your normal DNS servers); edit /etc/bind/named.conf.options

    options {
            directory "/var/cache/bind";
            query-source address * port 53;
            forwarders {
                    192.168.1.1;
                    158.25.30.10;
            };
            auth-nxdomain no;    # conform to RFC1035
    };

The query-source line pins every outgoing query to UDP port 53. Current BIND releases randomise the source port on purpose, to make cache poisoning harder, so on a modern install leave that line out and keep only the forwarders.
Edit /etc/resolv.conf to force the server to use its local DNS server for resolution

    nameserver 127.0.0.1

Restart bind using /etc/init.d/bind9 restart and check you can resolve external addresses properly.
Now create the internal zone that will eventually contain the local MX record for your exchange server; append the following to /etc/bind/named.conf.local, using your publicly registered domain name

    zone "sandfordit.com" {
            type master;
            file "/etc/bind/db.sandfordit.com";
    };
Lastly create the database file for your DNS domain, /etc/bind/db.sandfordit.com, using your publicly registered domain name and the private (internal) IP address of your exchange server...

    ;
    ; BIND data file for sandfordit.com
    ;
    $TTL    604800
    @       IN      SOA     mail.sandfordit.com. admin.sandfordit.com. (
                            070725          ; Serial
                            604800          ; Refresh
                            86400           ; Retry
                            2419200         ; Expire
                            604800 )        ; Negative Cache TTL
    ;
    @       IN      NS      mail
            IN      MX 10   mail
            IN      A       192.168.1.150
    mail    IN      A       192.168.1.150

Increase the serial every time you edit this file, otherwise caches and any secondary servers will keep serving the old data.
Local Network DNS Server Setup
This is most appropriate to use if you have an existing internal DNS server that internal clients are already using. Note that all clients of that DNS server will use it to resolve all addresses for the domain your Zimbra server is in. So if your domain is sandfordit.com, all name resolution for that zone will be handled by it. So if you have a server on the internet (eg www.sandfordit.com), you will need to have a local record for it added to your DNS. Otherwise local clients will request a DNS resolution from your local DNS, which will simply respond that there is no such host, and the local client will be unable to connect.
So if you have to create a new zone in order to get Split DNS working, you may need to add additional records that replicate existing public DNS records. If you already have a zone in your DNS server (which should already be up to date), or have no other device address in that DNS domain, then this shouldn't be a problem.
If you are in any doubt, installing a local DNS server on your Zimbra server is the safest way to proceed. Any problems you cause should be restricted to that server, and won't impact any other working servers. One of the biggest risks when tinkering with DNS is that records get cached, everywhere, so once you've fixed whatever problem you've caused, you may have to wait days for the fix to have rippled around.
- If it doesn't already exist, create a new zone for your domain, eg sandfordit.com
- Within that zone, create an
  - A record for your server's hostname and internal IP address
  - MX record, pointing to the A record just created
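Whichever method you use, the result should be checked from both sides: the MX record must resolve internally (or Zimbra's services will not start), the same hostname must come back from the public and the internal resolver, the A record must give the private address inside and the public address outside, and, for the Local Network method, any public hosts in the zone (the www example above) must also exist in the internal copy. The script below is an added example, not part of the wiki page or of Zimbra. It uses dig by default; resolve is a single hook function so it can be replaced with canned answers for an offline dry run. The addresses reuse the page's sample values, with 158.25.30.10 (the page's external forwarder) standing in for a public resolver, and www is a constructed extra host.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify a split-DNS setup for Zimbra
# from the internal and the public view.

# resolve TYPE NAME SERVER -> prints the answer(s), one per line.
# Uses dig; redefine this function to feed constructed answers offline.
resolve() {
    dig +short "$2" "$1" @"$3"
}

# check_split_dns DOMAIN INTERNAL_NS PUBLIC_NS PRIVATE_IP PUBLIC_IP [EXTRA_HOST...]
# Prints one FAIL line per problem found; returns 0 only when both views agree.
check_split_dns() {
    domain=$1; ins=$2; pns=$3; priv=$4; pub=$5; shift 5
    rc=0

    # 1. The MX target from each view ("10 mail.example.com." -> "mail.example.com").
    mx_in=$(resolve MX "$domain" "$ins" | awk '{print $2}' | sed 's/\.$//' | head -n1)
    mx_out=$(resolve MX "$domain" "$pns" | awk '{print $2}' | sed 's/\.$//' | head -n1)
    if [ -z "$mx_in" ]; then
        echo "FAIL internal: no MX for $domain (Zimbra services will not start)"; rc=1
    fi
    if [ -z "$mx_out" ]; then
        echo "FAIL public: no MX for $domain (inbound mail cannot find the server)"; rc=1
    fi
    # 2. Split DNS keeps one hostname; only the address behind it may differ.
    if [ -n "$mx_in" ] && [ -n "$mx_out" ] && [ "$mx_in" != "$mx_out" ]; then
        echo "FAIL MX target differs: internal=$mx_in public=$mx_out"; rc=1
    fi
    # 3. The A record behind the MX: private address inside, public address outside.
    if [ -n "$mx_in" ]; then
        a_in=$(resolve A "$mx_in" "$ins" | head -n1)
        [ "$a_in" = "$priv" ] || { echo "FAIL internal: $mx_in -> '${a_in:-none}', expected $priv"; rc=1; }
    fi
    if [ -n "$mx_out" ]; then
        a_out=$(resolve A "$mx_out" "$pns" | head -n1)
        [ "$a_out" = "$pub" ] || { echo "FAIL public: $mx_out -> '${a_out:-none}', expected $pub"; rc=1; }
    fi
    # 4. Other public hosts in the zone must be replicated in the internal copy,
    #    otherwise local clients get NXDOMAIN for them.
    for h in "$@"; do
        a=$(resolve A "$h.$domain" "$ins" | head -n1)
        [ -n "$a" ] || { echo "FAIL internal zone lacks A record for $h.$domain"; rc=1; }
    done

    [ "$rc" -eq 0 ] && echo "OK: $domain MX -> $mx_in ($priv inside, $pub outside)"
    return $rc
}

# Usage: sh split-dns-check.sh DOMAIN INTERNAL_NS PUBLIC_NS PRIVATE_IP PUBLIC_IP [EXTRA_HOST...]
# eg:    sh split-dns-check.sh sandfordit.com 127.0.0.1 158.25.30.10 192.168.1.150 158.25.34.124 www
if [ $# -ge 5 ]; then
    check_split_dns "$@"
fi
```

Run it on the Zimbra host for the Localhost method (INTERNAL_NS is 127.0.0.1) or from any internal client for the Local Network method (INTERNAL_NS is your internal DNS server); a non-zero exit means at least one view is wrong, and the FAIL lines say which.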
Additional Notes

[1] For example, your Zimbra server may have an IP address of 10.0.1.5 or 192.168.3.7, but from the outside world it's accessible via a public address such as 159.105.10.35