DNS is an important aspect of any Zimbra installation. This article will help those that are new on installing Zimbra to get an idea what needs to be configured to get started. There will also be some tips and best practices that will improve security and email deliverability that may be lesser know even to experienced administrators. Having a good DNS configuration will improve:
DNS and reliability
The first things to consider is rolling out Zimbra using a so called Split DNS.
Your Zimbra server has the domain name mail.example.com. When on the server itself you query the DNS A record for mail.example.com, the answer from DNS is an internal network address such as 10.0.0.1. However when someone from the Internet queries the A record for example.com the answer is a public IP address such as 184.108.40.206.
One of the benefits of a split DNS is that you can make sure network traffic does not needlessly have to pass though your router/firewall and or NAT. On top of that when set-up correctly the internal DNS should be 100% under your control. This makes the Zimbra system more reliable. Because even when external DNS would fail, internally Zimbra would run as normally.
Setting up Split DNS
The following steps will show you how to set-up a basic split DNS using the
/etc/hosts file on your Zimbra machines combined with DNSMASQ. These steps assume you have not yet installed Zimbra. First find the local IP address of your server by running the
ip a command from the server.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000 link/ether 02:00:17:0a:8c:e4 brd ff:ff:ff:ff:ff:ff altname enp0s3 inet 10.0.0.229/24 brd 10.0.0.255 scope global ens3 valid_lft forever preferred_lft forever inet6 2603:c020:400d:567e:c37f:fdad:8a43:d3b4/128 scope global dynamic noprefixroute valid_lft 4699sec preferred_lft 4399sec inet6 fe80::17ff:fe0a:8ce4/64 scope link valid_lft forever preferred_lft forever
You will have to use the address that is listed after
inet under the device called ensX, ethX or enpX. In most cases it will start with 192.168. or 10.0. If you directly get a public IP for example 220.127.116.11 from your hosting provider on your Zimbra machine, you can use this IP.
Next you have to set this IP and the hostname in the
/etc/hosts file. The following line must be present or added as follows:
10.0.0.229 mail.example.com mail
You have to set-up the
/etc/hostname file as follows:
Next install DNSMASQ as follows:
apt-get install -y dnsmasq
Next disable systemd-resolved:
systemctl stop systemd-resolved systemctl disable systemd-resolved systemctl mask systemd-resolved
Next set this server to resolve DNS using the locally installed DNSMASQ:
rm -f /etc/resolv.conf echo "nameserver 127.0.0.1" > /etc/resolv.conf
You can optionally prevent changes from upstream package updates to resolv.conf by making this file immutable. This may cause problems when you update your system using apt-get, so be aware to revert if needed:
chattr +i /etc/resolv.conf #make immutable chattr -i /etc/resolv.conf #regular setting
Finally configure DNSMASQ by editing
/etc/dnsmasq.conf, in this example we will be using Quad9, Cloudflare and Google for upstream resolving of DNS. You have to change the IP in
listen-address with your actual internal IP.
server=18.104.22.168 server=22.214.171.124 server=126.96.36.199 server=188.8.131.52 server=184.108.40.206 server=220.127.116.11 # trust-anchor is a DS record (ie a hash of the root Zone Signing Key) # If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D dnssec dnssec-check-unsigned no-resolv listen-address=10.0.0.229 bind-interfaces bogus-priv domain-needed stop-dns-rebind rebind-localhost-ok cache-size=2000 #log-queries #log-facility=/var/log/dnsmasq.log
You can now restart your server and proceed with the installation of Zimbra. Please note that when running the Zimbra installer choose
N when asked to install zimbra-dnscache.
At the very minimum you will also have to set an MX record, you can use the command
dig to verify it is set correctly:
dig +short MX example.com 100 mail.example.com.
To find the actual IP of mail.example.com you use
dig again as follows:
dig +short A mail.example.com
Internally you should get the internal IP such as 10.0.0.229 in this example. Externally you would get 18.104.22.168 again this is just an example.
DNS and Performance
When using DNSMASQ you can control the cache of DNS, and since DNSMASQ runs locally it answer very quickly. This makes it that your email gets delivered faster.
After installation you can set the
zimbraMtaLmtpHostLookup directive. This tells Zimbra NOT to use DNS when delivering internal email. This increases performance.
zmprov ms `zmhostname` zimbraMtaLmtpHostLookup native zmprov mcf zimbraMtaLmtpHostLookup native zmmtactl restart
DNS and Security
With the installation of DNSMASQ and the configuration as above you enforce DNSSEC this increases security. You should also implement SPF, DKIM, DMARC etc. Take a look at our email security webinars for in depth information on these topics.
You can use the following service via the command line: https://dnssec.vs.uni-due.de/ or http://conn.internet.nl/connection/ from a browser (in most cases you will not have a browser on your Zimbra server).
To test from the command line using
#The next query should return A record dig sigok.verteiltesysteme.net @127.0.0.1 #The next query should return SERVFAIL dig sigfail.verteiltesysteme.net @127.0.0.1
Currently, 20 December 2022 there is a cyber attack ongoing against the University of Duisburg-Essen so the test will not work.