DNS Management
Getting started with DNS Management
TCPWave DDI is the industry’s leading AI-based DDI solution optimized for large-scale retail, remote and branch office deployments. The solution delivers secure, reliable, and centrally managed DNS, DHCP, and IPAM services. You can deploy TCPWave DDI across thousands of sites and reduce the total cost of ownership by leveraging low-cost hardware, virtual appliances, license pooling, and license portability. TCPWave DDI provides a secure environment for IPAM and integrated cybersecurity protection against DDoS, data exfiltration, and other DNS attacks.
Configuring TCPWave IPv4 DNS Appliances
DNS Management in TCPWave IPAM provides comprehensive control over all aspects of DNS configurations. The following sections give detailed insights into each component of DNS Management:
DNS Appliances: This section allows you to manage various DNS server types, ensuring secure configuration changes. The appliances include:
ISC BIND Authoritative Appliance:
Function: This appliance is responsible for providing authoritative DNS responses. It’s where the DNS records are stored and managed.
Use Case: Ideal for organizations that manage their own domain names and need to control DNS responses directly.
Key Features: High reliability, support for DNSSEC (DNS Security Extensions), and compatibility with a wide range of DNS standards.
ISC BIND Cache Appliance:
Function: Primarily serves as a DNS caching server. It stores DNS query results temporarily to speed up subsequent requests for the same information.
Use Case: Useful in reducing DNS lookup times and reducing traffic to authoritative servers.
Key Features: Efficient caching mechanisms, query optimization, and reduced bandwidth usage.
NSD Authoritative Appliance:
Function: Like the ISC BIND Authoritative, NSD (Name Server Daemon) provides authoritative DNS services but is designed to be leaner and more efficient.
Use Case: Best suited for environments where performance and speed are critical, especially in handling large volumes of DNS queries.
Key Features: High-performance, lightweight, and designed for simplicity, making it a suitable choice for high-traffic servers.
UNBOUND Cache Appliance:
Function: This appliance acts as a validating, recursive, and caching DNS resolver. It is designed to be fast and secure.
Use Case: Ideal for organizations looking for a robust caching mechanism with built-in security features like DNSSEC validation.
Key Features: Security-focused with features like automatic DNSSEC validation, and it provides excellent caching capabilities.
DNS Proxy Appliance:
Function: Serves as an intermediary for DNS requests. It forwards requests to other DNS servers and returns responses to the clients.
Use Case: Useful in scenarios where direct communication between the client and the DNS server is not possible or desirable.
Key Features: Provides a layer of abstraction and control, can enforce policies, and can be used to redirect or manipulate DNS traffic.
Operations you can perform here include:
Add: Introduce a new DNS appliance into the network.
Clone: Duplicate existing appliance settings for a new appliance.
Edit: Modify configurations of existing appliances.
Delete: Remove appliances from the network.
Download Config: Obtain the current configuration settings of an appliance.
Bookmark: Mark specific appliances for quick access.
Deploy Firmware: Update or upgrade the appliance firmware.
Sync All: Synchronize settings across all appliances.
Import: Bring in configurations from external sources.
Manage Services: Control and adjust various services running on the appliances.
DNS Zones: This area deals with the administration of DNS zones, including their creation, modification, and deletion. It’s crucial for organizing and managing the domain name space within the network.
DNS Configuration: This section is dedicated to configuring global DNS settings as well as individual appliance configurations. It includes settings for resolution, forwarding, and other DNS operational parameters.
DNS Security: Here, the focus is on securing the DNS infrastructure. This involves implementing DNSSEC and other security protocols to protect against DNS-based threats and vulnerabilities.
DNS Templates: This feature simplifies the setup of new DNS services. Templates for common DNS configurations are provided, enabling quick and consistent deployment across multiple DNS appliances.
Contingency Switch: This is a critical feature for high availability and disaster recovery. It allows for the quick switching of DNS configurations in emergency scenarios or during maintenance periods.
Each of these sections plays a vital role in the effective management of DNS within an organization’s network, ensuring reliability, security, and efficiency of DNS services. The TCPWave IPAM interface and tools are designed to provide administrators with robust control over these diverse aspects of DNS management.
Adding a TCPWave DNS Appliance:
Navigation: Access DNS Appliances by navigating to Network Management >> DNS Management >> DNS Appliances. The DNS Appliances page is displayed.
Creation: Click on the designated button to create a new DNS Appliance. You’ll be redirected to the DNS Appliance >> Create Appliance page.
Appliance Configuration:
Selection of Appliance Type: In the Appliance Attributes section, choose from the following DNS Appliance Types:
ISC BIND Authoritative Appliance
ISC BIND Cache Appliance
NSD Authoritative Appliance
UNBOUND Cache Appliance
DNS Proxy Appliance
Configuration Options for ISC BIND Authoritative Appliance:
Stealth Appliance: Choose this option for a hidden master DNS Appliance.
Enable Recursion: Activating this option allows the BIND Authoritative Appliance to resolve non-managed zones, offering two sub-options:
Internal Cache Appliance: Default setting, acting as an internal cache pointing to internal roots.
Enable DNS over TLS: Encrypts DNS queries, enhancing privacy and security.
Constraints for AUTH+CACHE Creation:
At least one root appliance must be defined.
Stealth appliance cannot function as an AUTH+CACHE appliance.
NSD, being a slave-only appliance in TCPWave IPAM, is ineligible as an AUTH+CACHE appliance.
The root zone isn’t deleted if at least one AUTH+CACHE appliance is defined.
Configuration Options for ISC BIND Cache Appliance:
Enable Recursion: This function is similar to the BIND Authoritative Appliance, with additional options:
Service DMZ Visible Zones from Internal Network: Applicable for external cache appliances.
Enable Automatic DNSDR: Converts an internal BIND Cache appliance to a standalone master under certain conditions.
Enable DNS over TLS: Same as in the BIND Authoritative Appliance.
Configuration for NSD Authoritative Appliance: Proceed to step 9.
Configuration for UNBOUND Cache Appliance: Similar to ISC BIND Cache Appliance.
Configuration for DNS Proxy Appliance: Proceed to step 9.
Organization and Appliance Details:
Create an Organization and select it from a dropdown.
Enter the IPv4 address, hostname, and domain name of the DNS appliance.
Choose an appliance group.
Time Zone and Template Attributes:
Select the time zone.
Assign templates like Firewall, RPZ, and NSM based on the appliance type.
Monitoring and Notes:
Enable or disable monitoring services.
Provide a description for the appliance.
DNS Views:
Enable DNS Views from the Global Policy Management section to access the DNS Views tab, displaying available and selected views.
Banner:
Enter a message to be displayed post-login on the DNS appliance.
NTP and DNS Resolver Configuration:
Configure NTP settings, including appliance synchronization and upstream authentication.
Set DNS Resolver configurations and search suffixes.
Monitoring Setup:
Define SNMP configurations including Trap Sinks, Community String, and processes to monitor.
Configure SNMPv3 attributes.
Set TCPWave Watchdog configurations for system resource monitoring.
SNMPv3 Configuration:
Add SNMPv3 users with authentication and encryption settings.
PAM Settings:
Enable LDAP, TACACS+, and iDRAC settings, including passwords and IP addresses.
Elevated Privileges:
Manage sudoers settings and configurations for different user roles.
Syslog-NG Configuration:
Define Syslog-NG options, sources, filters, destinations, and targets for efficient log management.
DNS High Availability:
Configure Anycast Routing Protocols (BGP, OSPF, VRRP) for DNS High Availability.
Zebra Configuration:
Set up Zebra for interface monitoring and routing information advertisement in BGP or OSPF.
Network Configuration:
Manage network interfaces, routing tables, and IP routing information.
Configure DNS interfaces for delegation, query sourcing, and transfers.
Updating and Synchronization:
Regularly update and sync the appliance configurations to maintain consistency and operational efficiency across the network.
This technical documentation provides comprehensive guidelines for adding and configuring TCPWave DNS Appliances, ensuring a detailed understanding of the features and options available in the TCPWave IPAM platform.
Configuring TCPWave Microsoft IPv4 DNS Appliances
TCPWave’s integration with Microsoft DNS and DHCP servers streamlines management tasks by eliminating the need for additional software agents on Microsoft servers. This integration utilizes Microsoft’s LDAP (Lightweight Directory Access Protocol) to establish communication with Active Directory (AD) services, ensuring seamless interaction. By employing SOAP (Simple Object Access Protocol), a widely accepted communication standard, TCPWave ensures compatibility across different platforms.
Through TCPWave’s IP Address Management (IPAM) system, administrators can remotely execute PowerShell commands on Windows servers, facilitating efficient management. Integration with Microsoft AD enables TCPWave IPAM to interface with Microsoft’s DNS and DHCP services, enabling synchronization and management of zones.
From the TCPWave interface, users can perform various operations such as adding, editing, deleting, bookmarking, and accessing context menus for streamlined management of DNS and DHCP configurations. This integration simplifies administrative tasks and enhances operational efficiency.
You can perform the following operations from this interface:
Add
Edit
Delete
Bookmark
Context Menu
Adding a Microsoft DNS Appliance involves the following steps:
Go to “Network Management” >> “DNS Management” >> “DNS Appliances” >> “Microsoft DNS Appliances” to access the Microsoft DNS Appliances page.
Click on the “+” icon to proceed to the “Create Microsoft DNS Appliance” page.
Complete the necessary details under “Appliance Attributes”:
Choose the organization.
Enter the IP address of the Microsoft remote object.
The Appliance Name is auto-filled based on the object’s IP address.
Enable the “Use HTTPS” checkbox for HTTPS mode connection.
Provide the login credentials (Username and Password) for the Microsoft appliance.
Add a brief description of the Microsoft DNS appliance.
Auto Sync Attributes:
Select the “Enable Auto Sync” checkbox for automatic synchronization from the Microsoft DNS Appliance to IPAM.
If Split Brain is configured on the Microsoft DNS Appliance to IPAM, check the corresponding checkbox.
Set the Auto Sync Interval for the frequency of synchronization.
Choose the Read/Write Options to specify the allowed operations by TCPWave IPAM on the Microsoft appliance.
Click “OK.” A validation message prompts you to confirm the addition of the appliance.
Click “YES.” Upon form submission, the system conducts ping and port 53 checks. Ensure that DNS service is installed on the remote object. A validation message displays the object’s name and IP address, asking for confirmation to create the DNS appliance.
Click “YES.” The added Microsoft DNS Appliance appears in the Microsoft DNS Appliances grid, where you can search and sort using column headers.
Non-Managed DNS Masters
Non-Managed DNS Masters is a feature that enables TCPWave DNS appliances to act as slaves for master zones hosted on non-managed DNS servers. This means that TCPWave DNS appliances can replicate and synchronize zone data from these non-managed DNS servers. The zone data from non-managed zones is stored locally on TCPWave DNS appliances in a designated folder (/opt/tcpwave/chroot/var/named/zone/slaves).
The DNS Cache Fault Tolerance feature of TCPWave IPAM periodically backs up these zone files. This backup mechanism ensures that in the event of a disaster or cache failure on the DNS appliances, the zone data can be recovered efficiently.
From the Non-Managed DNS Masters interface, users can perform various operations:
Add: Add new non-managed DNS masters to the configuration.
Edit: Modify existing configurations of non-managed DNS masters.
Delete: Remove non-managed DNS masters from the configuration.
Change Password: Change the password associated with non-managed DNS masters.
Bookmark: Bookmark specific configurations for quick access.
Additionally, users can adjust settings such as Refresh, Column Visibility, and Preferences. More options are available based on the permissions assigned to the user’s role, which can be checked in the Administrator Roles section.
The interface also provides a dropdown menu to select the number of records to be displayed.
Please note that access to this section may be enabled or disabled based on the permissions granted to the user’s role. For detailed information about your role permissions, refer to the Administrator Roles section.
Adding a Non-Managed DNS Master involves the following steps:
Go to “Network Management” >> “DNS Management” >> “DNS Appliances” >> “Non-Managed DNS Masters” to access the Non-Managed DNS Masters page.
Click on the “+” icon to proceed to the “Create Non-Managed DNS Masters” page.
Under “Master Attributes,” provide the following details:
Organization: This field auto-populates.
IPv4 Address: Enter the IP address of the Non-Managed DNS master.
Appliance Name: Input the name for the Non-Managed DNS master appliance.
Appliance Type: Choose the type of Non-Managed DNS master, either “External DNS” or “PowerDNS.”
Under “Secure Transfer Details,” fill in the necessary information:
TSIG Key Name: Enter the TSIG key name of the Non-Managed DNS master.
TSIG Algorithm: Select the appropriate algorithm from the drop-down list.
Secret Key: Input the secret key of the Non-Managed DNS master.
Description: Provide a brief description for the Non-Managed DNS master.
Username (for PowerDNS): If the appliance type is “PowerDNS,” enter the username.
Password (for PowerDNS): If the appliance type is “PowerDNS,” enter the password.
Click “OK.” A validation message prompts you to confirm the creation of a new Non-Managed DNS Master.
Click “YES.” Upon confirmation, a message confirms the successful creation of the Non-Managed DNS Master.
The added Non-Managed DNS Master is now visible in the Non-Managed DNS Masters grid, allowing you to search and sort using column headers.
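The Secure Transfer Details above (TSIG Key Name, TSIG Algorithm, Secret Key) are the three values BIND needs to authenticate a zone transfer from the non-managed master. The following is an added example, not TCPWave code: it generates a secret sized to the chosen HMAC algorithm, validates a secret an operator pastes into the form (valid base64, long enough for the algorithm), and renders the BIND 9.16+ `key` and secondary `zone` stanzas those fields correspond to. The zone name `partner.example`, master address `198.51.100.7` and key name `partner-xfer` are constructed sample values; the slaves directory is the one quoted in the overview above.

```python
"""TSIG secret handling for a Non-Managed DNS Master.

Added example, not TCPWave code.  The zone, master address and key
name are constructed sample values; SLAVES_DIR is the directory quoted
in the Non-Managed DNS Masters overview.
"""
import base64
import binascii
import secrets

# HMAC output size in bytes for each TSIG algorithm (RFC 8945).  A secret
# at least this long gives the full strength of the algorithm; hmac-md5
# is left out because it is deprecated for TSIG.
TSIG_DIGEST_BYTES = {
    "hmac-sha1": 20, "hmac-sha224": 28, "hmac-sha256": 32,
    "hmac-sha384": 48, "hmac-sha512": 64,
}
SLAVES_DIR = "/opt/tcpwave/chroot/var/named/zone/slaves"


def generate_tsig_secret(algorithm="hmac-sha256"):
    """Random base64 secret sized to the algorithm's digest length."""
    raw = secrets.token_bytes(TSIG_DIGEST_BYTES[algorithm])
    return base64.b64encode(raw).decode()


def secret_length_bytes(secret):
    """Decoded length of a base64 secret, or None if it is not valid base64."""
    try:
        return len(base64.b64decode(secret, validate=True))
    except (binascii.Error, ValueError):
        return None


def validate_tsig_secret(secret, algorithm):
    """Return (ok, reason): checks base64 validity and the minimum length."""
    if algorithm not in TSIG_DIGEST_BYTES:
        return False, f"unsupported or deprecated algorithm: {algorithm}"
    length = secret_length_bytes(secret)
    if length is None:
        return False, "secret is not valid base64"
    need = TSIG_DIGEST_BYTES[algorithm]
    if length < need:
        return False, f"secret decodes to {length} bytes; {algorithm} needs at least {need}"
    return True, "ok"


def render_secondary_config(zone, master_ip, key_name, algorithm, secret):
    """BIND stanzas an appliance needs to pull `zone` from the master with TSIG."""
    ok, reason = validate_tsig_secret(secret, algorithm)
    if not ok:
        raise ValueError(reason)
    return (
        f'key "{key_name}" {{\n'
        f'    algorithm {algorithm};\n'
        f'    secret "{secret}";\n'
        f'}};\n'
        f'server {master_ip} {{ keys {{ "{key_name}"; }}; }};\n'
        f'zone "{zone}" {{\n'
        f'    type secondary;\n'
        f'    primaries {{ {master_ip} key "{key_name}"; }};\n'
        f'    file "{SLAVES_DIR}/{zone}.db";\n'
        f'}};\n'
    )


if __name__ == "__main__":
    secret = generate_tsig_secret("hmac-sha256")
    print(render_secondary_config("partner.example", "198.51.100.7",
                                  "partner-xfer", "hmac-sha256", secret))
```

The length check matters because a secret shorter than the digest size weakens the HMAC without any visible error at transfer time; the `server` stanza signs outbound NOTIFY and transfer requests to the master, and `primaries ... key` requires the inbound transfer to be signed with the same key.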
DNS Domains in TCPWave IPAM
Overview
In the context of TCPWave IPAM (IP Address Management), a ‘DNS Domain’ is a distinct segment of a DNS (Domain Name System) zone. This segment is unique in that it is not directly managed by any DNS appliance within the TCPWave ecosystem. For a DNS Domain to be actively resolved (i.e., translated into an IP address) by TCPWave’s managed DNS appliances, it must be encapsulated within a managed zone that bears the same domain name.
Operational Functionalities
The TCPWave IPAM interface provides a suite of functionalities for the comprehensive management of DNS Domains. These functionalities enable administrators to efficiently handle domain-related tasks. The available operations are:
Add: This function allows for the creation of a new DNS Domain within the system. It involves specifying domain details like its name, organizational association, and description.
Edit: This option facilitates modifications to existing DNS Domains. Users can update various attributes of a domain, such as its name or description, to reflect any changes in its purpose or configuration.
Delete: This functionality permits the removal of a DNS Domain from the system. It’s crucial in scenarios where a domain is no longer needed or must be decommissioned for compliance or organizational reasons.
Manage Permissions: This critical feature controls access rights to the DNS Domain. It allows the assignment of different levels of permissions to various user roles, ensuring that only authorized personnel can make changes to the domain settings.
Bookmark: This convenience feature enables users to mark specific DNS Domains for quick access. It is particularly useful for administrators who frequently work with a large number of domains and need to access certain ones regularly.
Import: This function supports the bulk importation of DNS Domain data, typically from CSV files. It is a time-saving feature for adding multiple domains to the system simultaneously, especially useful during initial setup phases or large-scale migrations.
Adding a DNS Domain in TCPWave IPAM
Overview
Adding a DNS Domain in TCPWave IPAM is a straightforward process, involving navigation through the system’s interface and entering specific domain details. This functionality is crucial for expanding your network’s DNS structure by introducing new domain segments.
Step-by-Step Procedure
Navigation to DNS Domains Page:
Begin by navigating to the DNS Domains section. This can be done by following this path: Network Management >> DNS Management >> DNS Zones >> DNS Domains.
Upon completion of this navigation, the system will display the DNS Domains page, which is the starting point for adding new domains.
Initiating Domain Creation:
To start the process, click on the designated button to add a new domain. This action will lead you to the DNS Domain >> Create Domain page, dedicated to defining new domain attributes.
Filling in Domain Details:
Within the Properties section, under Domain Attributes, you will find fields to input the domain’s details:
Organization: Select the appropriate organization from a dropdown menu. This association is vital for categorizing the domain within the correct organizational structure.
Name: Enter the desired name for the domain. This should be a unique identifier that clearly represents the domain’s purpose or relation within the network.
Description: Provide a concise yet informative description of the domain. This could include its intended use, associated services, or any other relevant information.
Confirmation and Validation:
After entering the details, click OK to submit your entries. A validation message will appear, prompting you to confirm the addition of the new DNS domain: “Are you sure you want to add the DNS domain? Click Yes to proceed.”
Finalizing the Addition:
Click YES to confirm your action. The system will then display a confirmation message, “Domain has been created successfully,” indicating the successful addition of the new DNS domain.
Post-Addition
Once the DNS Domain is added, it will be listed in the DNS Domains grid. This grid is designed with searchable and sortable columns, allowing for efficient management and quick access to the newly created domain as well as existing ones.
DNS Proxy Root Zones
DNS proxy serves as a protective measure against issues like DNS cache poisoning, especially in B2B relationships. The root appliance delegates the responsibility to the DNS Proxy Appliance, which then communicates with third-party DNS servers to fetch answers.
Sequence of Flow
The end-user computing device queries the DNS cache remote.
DNS cache remote forwards the query to the internal root Appliance on behalf of the client.
DNS root Appliance responds to the DNS cache with a referral to the DNS proxy Appliance.
DNS cache now queries the DNS proxy.
DNS proxy queries the third-party DNS.
Third-party DNS responds to the DNS proxy with an answer.
DNS proxy sends the response to the DNS cache remote.
DNS cache provides the answer to the end-user device.
Moreover, DNS Proxy minimizes the number of firewall ports that a multinational corporation needs to open with third parties, enhancing security.
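The eight-step flow above, simulated as an added example (not TCPWave code). Each component is a small class that records every message it sends or receives; the classes, host names and the delegated zone `partner.example` with its answer `203.0.113.10` are constructed stand-ins. Besides reproducing the sequence, `peers_of` lists which hosts a given component exchanged traffic with, which is exactly the information a firewall rule needs: the cache remote only ever talks to the internal root and the proxy, and only the proxy talks to the third party.

```python
"""Simulation of the DNS Proxy Root Zone query flow.

Added example, not TCPWave code: classes, host names and the delegated
zone "partner.example" are constructed stand-ins.
"""
from dataclasses import dataclass


@dataclass
class Message:
    src: str
    dst: str
    kind: str        # "query", "referral" or "answer"
    qname: str
    payload: str = ""


class Trace:
    """Records every message exchanged so the sequence can be inspected."""

    def __init__(self):
        self.log = []

    def send(self, src, dst, kind, qname, payload=""):
        self.log.append(Message(src, dst, kind, qname, payload))


class ThirdPartyDNS:
    """The partner's authoritative server, outside the corporate firewall."""
    name = "third-party-dns"

    def __init__(self, records):
        self.records = records

    def query(self, trace, qname, sender):
        trace.send(sender, self.name, "query", qname)
        answer = self.records.get(qname, "NXDOMAIN")
        trace.send(self.name, sender, "answer", qname, answer)
        return answer


class DNSProxy:
    """Forwards queries for the delegated zone to the third party."""
    name = "dns-proxy"

    def __init__(self, upstream):
        self.upstream = upstream

    def query(self, trace, qname, sender):
        trace.send(sender, self.name, "query", qname)
        answer = self.upstream.query(trace, qname, self.name)
        trace.send(self.name, sender, "answer", qname, answer)
        return answer


class InternalRoot:
    """Internal root: answers delegated names with a referral to the proxy."""
    name = "internal-root"

    def __init__(self, delegations):
        self.delegations = delegations          # zone name -> DNSProxy

    def query(self, trace, qname, sender):
        trace.send(sender, self.name, "query", qname)
        for zone, proxy in self.delegations.items():
            if qname == zone or qname.endswith("." + zone):
                trace.send(self.name, sender, "referral", qname, proxy.name)
                return proxy
        trace.send(self.name, sender, "answer", qname, "NXDOMAIN")
        return None


class DNSCacheRemote:
    """Cache the clients talk to; it follows the root's referral to the proxy."""
    name = "dns-cache-remote"

    def __init__(self, root):
        self.root = root
        self.cache = {}

    def resolve(self, trace, qname, client):
        trace.send(client, self.name, "query", qname)
        if qname not in self.cache:
            target = self.root.query(trace, qname, self.name)
            self.cache[qname] = ("NXDOMAIN" if target is None
                                 else target.query(trace, qname, self.name))
        trace.send(self.name, client, "answer", qname, self.cache[qname])
        return self.cache[qname]


def run_flow(qname="api.partner.example", repeat=1):
    """Resolve `qname` `repeat` times through a fresh chain; return (answer, trace)."""
    proxy = DNSProxy(ThirdPartyDNS({qname: "203.0.113.10"}))    # constructed answer
    cache = DNSCacheRemote(InternalRoot({"partner.example": proxy}))
    trace = Trace()
    answer = None
    for _ in range(repeat):
        answer = cache.resolve(trace, qname, "end-user-device")
    return answer, trace


def peers_of(trace, host):
    """Hosts that `host` exchanged messages with: what a firewall rule must allow."""
    return ({m.dst for m in trace.log if m.src == host}
            | {m.src for m in trace.log if m.dst == host})


if __name__ == "__main__":
    answer, trace = run_flow()
    for i, m in enumerate(trace.log, 1):
        print(f"{i}. {m.src} -> {m.dst}: {m.kind} {m.qname} {m.payload}".rstrip())
    print("cache peers:", sorted(peers_of(trace, DNSCacheRemote.name)))
```

Running it prints the eight messages in the order listed above; a second lookup of the same name is answered from the cache in two messages, and a name that the root does not delegate never leaves the internal network.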
Operations in DNS Proxy Root Zones Interface
From the DNS Proxy Root Zones interface, users can perform the following operations:
Add: Add a new root zone.
Edit: Modify an existing root zone.
Delete: Remove a root zone.
Bookmark: Bookmark a specific root zone for easy access.
Context Menu: Access additional options related to specific root zones.
This interface facilitates efficient management and configuration of DNS Proxy Root Zones, ensuring enhanced security and streamlined communication with third-party DNS servers.
Adding DNS Proxy Root Zone
To add a DNS Proxy Root Zone, follow these steps:
Go to Network Management >> DNS Management >> DNS Zones >> DNS Proxy Root Zones to access the DNS Proxy Root Zones page.
Click on the “Add” button. This action will lead you to the Proxy Root Zones >> Create Proxy Root Zone page, containing two tabs: Proxy Root Zone and Proxy Root Appliances.
Proxy Root Zone:
Under Proxy Root Zone Details, provide the following information:
Organization: Select an Organization from the dropdown.
Default TTL: Enter a positive integer value and select the required time unit from the dropdown.
Contact: Select a contact from the dropdown.
Allow Query: Configure the General Address Match List by clicking on this field.
Type: Choose a type from the dropdown (IPv4/ACL).
Value: Enter an IP Address (e.g., 172.16.0.61).
ACL Name: Select a name from the dropdown.
Exclude: Click to exclude the data.
Description: Enter the description for the DNS Proxy Root Zone.
Under SOA Record, provide the following information:
Email Address: Enter an email address.
Refresh Time, Retry Time, Expire Time, Negative Cache: Enter positive integer values and select the required time units from the dropdown.
Proxy Root Appliances:
Select the appropriate appliances from the list.
Adding a DNS Proxy Appliance:
To create a DNS Proxy Appliance:
Create a TCPWave Remote object first.
Then create a Proxy Appliance template with Dynamic updates enabled, a TSIG key, and loggers.
Navigate to Network Management >> DNS Management >> DNS Templates >> DNS Appliance Templates.
Create a new Appliance Template with DNS Appliance type as DNS Proxy Appliance.
Additionally, create a new Option Template for DNS Proxy Appliance.
Finally, create a Proxy DNS Appliance under Network Management >> DNS Appliances.
Click “OK”. You’ll receive a validation message asking for confirmation.
Confirm by clicking “Yes”. A success message will indicate that the DNS Proxy Root Zone has been created successfully.
Once the Proxy Root Zone is created, it will send Proxy configuration for named and unbound to the remote. Verify if both named and unbound are running with the monit summary command.
DNS Proxy Root Zone Records
Select a proxy root zone from the DNS Proxy Root Zones Resource Records grid.
Perform operations like Add or Delete.
Adding DNS Proxy Root Zone Resource Records
Click on the “Add” button. The system will display the Add Resource Record widget.
Depending on the selected record type (A, NS, CNAME, MX, SRV, TXT, NAPTR), provide the necessary information in the fields provided.
Click “ADD”. Confirm the action when prompted.
The added record will be displayed in the grid.
These steps guide you through the process of adding a DNS Proxy Root Zone and its associated resource records.
DNS Views in TCPWave IPAM
Overview
DNS Views in TCPWave IPAM represent a powerful mechanism, particularly beneficial in environments with firewalls. They enable the presentation of different DNS appliance configurations to distinct communities of hosts, based on specified criteria. This feature is crucial for maintaining varied DNS responses according to the originating request’s characteristics.
Key Features and Functionalities
Customized DNS Responses:
Views allow tailored DNS responses based on the community of hosts. This is especially useful for providing different DNS information to internal versus external users.
Parameter Acceptance:
TCPWave IPAM accepts various parameters for configuring DNS Views, including match-clients, match-destinations, and match-recursive-only. These parameters define which requests are served by which view.
Recursion in Views:
View-level recursion is operational only when appliance-level recursion is enabled. This feature allows for recursive DNS queries within specific views.
Before enabling recursion in views, it’s mandatory to first activate it at the appliance level and designate the appliance as either an internal or external cache appliance.
Zone Association:
A DNS zone can be shared across multiple views or tied to a single view.
The order of views is significant, with the default view always positioned at the end of the list.
Zones can only be associated with those views which are common across all master appliances for that particular zone.
On remote DNS appliances, all zone files for any given view are stored in a view-specific folder, ensuring organized and isolated management.
Global Policy Management:
Views can be enabled or disabled through the Global Policy Management interface, providing centralized control over this feature.
Operational Functionalities
The DNS Views interface in TCPWave IPAM offers a range of operations for efficient view management:
Add: Create a new DNS View, defining its specific parameters and associations.
Clone: Duplicate an existing view, useful for creating similar views with slight variations.
Edit: Modify the settings or parameters of an existing view to accommodate changes in network or policy requirements.
Delete: Remove a DNS View that is no longer needed, ensuring the DNS configuration remains up-to-date and uncluttered.
Bookmark: Mark a DNS View for quick access, streamlining the management of frequently accessed views.
Adding a DNS View in TCPWave IPAM
Overview
Adding a DNS View in TCPWave IPAM is a process designed to create tailored DNS configurations for different sets of clients within a network. This feature is particularly useful in environments requiring differentiated DNS responses based on client or destination characteristics.
Step-by-Step Procedure
Navigation to DNS Views Page:
Access the DNS Views section by following: Network Management >> DNS Management >> DNS Zones >> DNS Views. This will display the DNS Views page.
Initiating View Creation:
Click the appropriate button to create a new DNS View. This action opens the DNS Views >> Create View page.
Configuring View Attributes:
Under Properties >> View Attributes, complete the following settings:
Organization: Select an organization from the drop-down list.
View Name: Enter a name for the DNS View.
Match Clients: Define the clients for the DNS View. Options include:
Normal: For IP address or ACL-based matching. Select Type (IPv4/ACL), enter Value (e.g., 172.16.0.61), choose ACL Name, and use options to include or exclude data.
Geo-IP Type: Uses the MaxMind GeoIP Country Database for country-based matching. Select Countries, and the system will display the country code in the selected data grid.
Match Destinations: Define the destinations for the DNS View. Similar to Match Clients, input Type, Value, ACL Name, and inclusion or exclusion options.
Enable Recursion: Checkbox to enable or disable recursion for the DNS View.
Match Recursive Only: Checkbox to enable or disable matching recursive queries only.
Allow Recursion: Specify recursion settings for the DNS View.
Forward and Forwarders (BIND Authoritative only): Define forward behavior and list IP addresses for query forwarding.
Confirming the Addition:
Click OK to submit the details. A validation message will appear: “Are you sure you want to add the DNS View? Click Yes to proceed.”
Finalizing the DNS View Creation:
Click YES to confirm. A confirmation message, “DNS View has been created successfully,” will display, indicating the successful addition.
Post-Creation
After the DNS View is added, it will be displayed under the DNS Views grid with searchable and sortable column headers, allowing for efficient management and quick access to the newly created view.
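How the view parameters described in the Key Features section and filled in under Match Clients, Match Destinations and Match Recursive Only above combine to pick a view, as an added example (not TCPWave or BIND code). Views are evaluated in order with the default view last, as the page states; address match lists follow BIND semantics (entries tested in order, the first matching entry decides, a `!`-prefixed entry is an exclusion, a list with no matching entry does not match). The ACL names, views and query addresses are constructed sample data, and the `ACLS` dictionary stands in for the ACL Name dropdown.

```python
"""Selecting the DNS view that serves a query.

Added example, not TCPWave or BIND code.  ACLs, views and addresses are
constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

ACLS = {                                  # constructed sample ACLs
    "internal": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "dmz": ["172.16.0.0/24"],
    "any": ["0.0.0.0/0"],
    "none": [],
}


def match_list(address, entries, acls=ACLS, depth=0):
    """Evaluate a BIND-style address match list for one address."""
    if depth > 8:
        raise ValueError("ACL nesting too deep (possible reference cycle)")
    ip = ipaddress.ip_address(address)
    for entry in entries:
        negate = entry.startswith("!")
        name = entry[1:] if negate else entry
        if name in acls:                                # nested ACL by name
            hit = match_list(address, acls[name], acls, depth + 1)
        else:                                           # address or prefix
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:                                         # first hit decides
            return not negate
    return False                                        # nothing matched


@dataclass
class View:
    name: str
    match_clients: list = field(default_factory=lambda: ["any"])
    match_destinations: list = field(default_factory=lambda: ["any"])
    match_recursive_only: bool = False


@dataclass
class Query:
    client: str              # source address of the query
    destination: str         # appliance address the query arrived on
    recursion_desired: bool  # RD flag set by the client


def select_view(views, query, acls=ACLS):
    """Return the name of the first view whose criteria all hold."""
    if not views or views[-1].name != "default":
        raise ValueError("the default view must be the last view")
    for view in views:
        if view.match_recursive_only and not query.recursion_desired:
            continue
        if not match_list(query.client, view.match_clients, acls):
            continue
        if not match_list(query.destination, view.match_destinations, acls):
            continue
        return view.name
    return None      # not reached while the default view matches any/any


# Constructed sample order: internal view first (excluding one host), a DMZ
# view that only serves recursive queries, then the default view last.
VIEWS = [
    View("internal", match_clients=["!172.16.0.61", "internal"]),
    View("dmz-recursive", match_clients=["dmz"], match_recursive_only=True),
    View("default"),
]

if __name__ == "__main__":
    for q in (Query("10.1.2.3", "10.0.0.53", True),
              Query("172.16.0.61", "10.0.0.53", True),
              Query("172.16.0.61", "10.0.0.53", False),
              Query("198.51.100.5", "10.0.0.53", True)):
        rd = "rd" if q.recursion_desired else "no-rd"
        print(f"{q.client} ({rd}) -> {select_view(VIEWS, q)}")
```

Swapping the first two views changes the answer for a DMZ host, which is why the page stresses that view order is significant; the `!172.16.0.61` entry shows that an exclusion only works if it appears before the broader entry that would otherwise match.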
Managed DNS Zones in TCPWave IPAM
Overview
Managed DNS Zones in TCPWave IPAM are essential components in the domain name system (DNS) architecture. They are closely tied to domain names and act as authoritative sources for DNS information pertaining to those domains. Managed zones encompass a variety of DNS records that facilitate the mapping between domain names and their corresponding IP addresses, along with other relevant information.
Characteristics and Functionalities
DNS Record Types:
A Managed DNS Zone contains various DNS record types including:
A Records: Map domain names to IPv4 addresses.
CNAME Records: Define alias names for real names.
MX Records: Specify mail exchange servers for a domain.
NS Records: Indicate the servers that are authoritative for a zone.
SRV Records: Provide information about available services.
TXT Records: Hold text information for various purposes.
Cloud Hosting:
Zones can be hosted on cloud providers, integrating traditional DNS management with modern cloud-based infrastructures.
Automatic Cloud Updates:
Any updates made in managed zones are automatically synchronized with managed cloud services, ensuring consistency across different platforms.
Operational Functionalities
The interface for managing DNS Zones in TCPWave IPAM offers a comprehensive set of operations:
Add: Initiate and configure a new DNS Zone within the system.
Clone: Create a copy of an existing zone, useful for similar configurations with minor differences.
Edit: Modify the settings or records of a DNS Zone to reflect changes in network or domain configurations.
Delete: Remove a DNS Zone that is no longer required, ensuring the DNS structure remains current and streamlined.
Manage Permissions: Control access rights to the DNS Zone, assigning varying levels of permissions to different users or roles.
Bookmark: Mark a DNS Zone for quick access, facilitating efficient management of frequently accessed zones.
Import: Bulk import DNS records into a zone, particularly useful for large-scale deployments or migrations.
Undo: Revert changes made to a zone, a critical feature for maintaining stability and correctness in DNS configurations.
Import Alias Records: Specifically import alias records (like CNAME records) to streamline the management of domain aliases.
Adding a Managed DNS Zone in TCPWave IPAM
Overview
Creating a Managed DNS Zone in TCPWave IPAM involves a detailed process to set up a zone with specific attributes, Active Directory settings, DNS views, and various resource records. This setup is crucial for maintaining authoritative DNS information for domains, especially in complex network environments.
Detailed Steps for Adding a Managed DNS Zone
Accessing the Managed DNS Zones Page:
Navigate to Network Management >> DNS Management >> DNS Zones >> Managed DNS Zones. This displays the Managed DNS Zones page.
Initiating Zone Creation:
Click the button to start creating a new DNS Zone. The system displays the Managed DNS Zones >> Create Zone page with several tabs for configuration.
Configuring Zone Attributes:
In the Zone tab:
Organization: Select from the dropdown.
Name: Enter the zone name.
Apply Template: Choose a Zone Template.
Slave Cloud Provider TSIG Key Name: Select if the zone template includes cloud providers as slaves.
Contact: Choose a contact from the dropdown.
Description: Provide a brief description of the zone.
Non-managed Secondaries: Configure settings for non-managed secondary servers, if applicable.
DNSSEC Attributes: Enable DNSSEC and choose between NSEC and NSEC3 options.
Restricted Zone Attributes: Mark the zone as restricted if necessary.
Monitoring and DMZ Attributes: Set up monitoring services and DMZ visibility.
Active Directory Configuration: In the Active Directory tab:
Configure the AD Forest (Parent or Child).
Manage Domain Controllers associated with the zone.
Set up secure AD updates and define Allow-Update ACLs.
DNS Views and MS DNS Split Brain Settings: Configure DNS Views and MS DNS Split Brain settings if relevant to your network setup.
Managing Resource Records: In the Resource Records tab, add DNS records such as A, AAAA, NS, CNAME, and MX. Configure each record type with its specific attributes, such as TTL, owner name, and record data.
Extensions and Cloud Alias Records: Add any extended attributes if required. In the Cloud Alias Records tab, set up AWS Alias resource records if the zone is associated with AWS cloud providers.
Finalizing the Zone Setup: Once all settings are configured, click OK. A validation message appears for confirmation. Click YES to confirm. A message stating “Zone has been created successfully” confirms the successful setup.
Post-Creation
The newly created DNS Zone will be listed in the Managed DNS Zones grid, complete with searchable and sortable columns for efficient management.
Managed DNS IPv4 Reverse Zones in TCPWave IPAM
Overview
In TCPWave IPAM, Managed DNS IPv4 Reverse Zones play a crucial role in mapping IP addresses to their corresponding domain names, effectively functioning in the opposite direction of standard DNS queries. These zones are particularly important for services like email, where reverse DNS lookups are often used to validate IP addresses.
Automated and Manual Creation
Automated Creation: For all networks within TCPWave IPAM, reverse zones are automatically generated.
Manual Creation for Subnets: Users have the flexibility to create reverse zones for subnets either during subnet creation or later through the reverse zone interface. This involves specifying the subnet address and subnet mask.
Operations in the Reverse Zone Interface
Add: Initiate the creation of a new reverse zone. This is particularly relevant for subnets where reverse zones are not automatically generated.
Clone: Create a copy of an existing reverse zone. Useful for creating similar zones with slight variations in settings.
Edit: Modify the details and settings of an existing reverse zone. This can include changes to the subnet address, subnet mask, or other configuration details.
Delete: Remove a reverse zone that is no longer required. This step is crucial for maintaining an up-to-date and streamlined reverse DNS architecture.
Split: Divide a larger reverse zone into smaller segments. This operation is beneficial for managing reverse DNS mappings in more granular subnets.
Bookmark: Mark a reverse zone for quick access. This feature is handy for administrators who frequently need to access specific reverse zones.
Undo: Revert changes made to a reverse zone. This function is essential for correcting mistakes or rolling back to previous configurations.
Effective Management of Reverse Zones
The ability to efficiently manage IPv4 Reverse Zones is vital for ensuring accurate reverse DNS lookups across the network. TCPWave IPAM’s interface facilitates this management by providing a comprehensive set of tools and operations that cater to various reverse zone requirements.
Adding a DNS IPv4 Reverse Zone in TCPWave IPAM
Overview
Creating a DNS IPv4 Reverse Zone in TCPWave IPAM is essential for mapping IP addresses back to domain names. This process is particularly important for services like email verification and network troubleshooting.
Step-by-Step Procedure
Accessing Reverse Zones Page: Navigate to Network Management >> DNS Management >> DNS Zones >> Managed DNS Reverse Zones. This opens the Managed DNS IPv4 Reverse Zones page.
Initiating Reverse Zone Creation: Click the button to start creating a new reverse zone. This action opens the Managed DNS IPv4 Reverse Zones >> Create Reverse Zone page with various configuration tabs.
Configuring Reverse Zone Attributes: Under the Zone tab, fill in the following:
Organization: Select from the dropdown.
IP Address: Enter the network or subnet IP address.
Mask: Choose the network or subnet mask.
Name: This is auto-populated based on the IP address and mask.
Apply Template: Choose a Zone Template.
Slave Cloud Provider TSIG Key Name: Select if applicable.
Contact: Choose from the dropdown.
Description: Provide a brief description of the reverse zone.
DNSSEC, Monitoring, and DMZ Settings: Enable DNSSEC and select the NSEC option. Enable monitoring services under Monitoring Attributes. Set DMZ visibility under DMZ Attributes.
Microsoft AD Integration (if applicable): Configure Microsoft AD integration settings if the zone template includes a Microsoft DNS Appliance as master.
Non-managed Secondaries Configuration: Set up custom allow name servers and protect zone transfers with TSIG if required.
Managing Resource Records: Add various types of DNS resource records based on the organization’s selection. Configure each record with details such as type, class, TTL, IP address, hostname, and domain name.
Finalizing the Reverse Zone Setup: Once all configurations are complete, click OK. A validation message appears for confirmation. Click OK again to confirm. A message stating “Reverse Zone has been created successfully” confirms the successful setup.
Post-Creation
The new DNS IPv4 Reverse Zone will be listed in the DNS Reverse Zones grid with searchable and sortable columns, enabling efficient management and access.
Managing IPv6 Reverse DNS in TCPWave IPAM
Overview
IPv6 reverse DNS, commonly referred to as IPv6 reverse zone or IPv6 PTR record, is a critical aspect of DNS management. It involves mapping IPv6 addresses back to hostnames, which is integral for various network management activities, including security, troubleshooting, and verification.
Implementation of IPv6 Reverse DNS
PTR Records: The implementation of IPv6 reverse DNS is achieved by creating PTR records in the DNS zone file for the corresponding reverse DNS zone.
Structure of PTR Records: For instance, the IPv6 address 2001:0db8:85a3:0000:0000:8a2e:0370:7334 would have its PTR record in the reverse zone 4.3.3.7.0.3.e.2.a.8.8.0.0.0.0.3.a.5.8.3.b.d.0.1.0.0.2.ip6.arpa.
Reverse DNS Lookup: This setup enables reverse DNS lookups, where querying an IPv6 address in DNS returns the associated hostname.
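The names involved in the two reverse-zone procedures (the Name field that TCPWave auto-populates from IP address and mask) and the PTR owner name illustrated above can be derived mechanically. The following Python is an added example, not TCPWave code; it assumes the usual cuts on octet boundaries for in-addr.arpa and nibble boundaries for ip6.arpa, and ptr_owner spells out all 32 nibbles of an IPv6 address:

```python
import ipaddress


def ipv4_reverse_zone(network):
    """in-addr.arpa zone name for an IPv4 network in CIDR form.

    IPv4 reverse zones are cut on octet boundaries, so the prefix length is rounded
    down to a multiple of 8: a /25 is served from inside its enclosing /24 zone.
    """
    net = ipaddress.ip_network(network, strict=False)
    octets = str(net.network_address).split(".")
    labels = list(reversed(octets[: net.prefixlen // 8]))
    return ".".join(labels + ["in-addr", "arpa"]) + "."


def ipv6_reverse_zone(network):
    """ip6.arpa zone name for an IPv6 prefix (cut on 4-bit nibble boundaries)."""
    net = ipaddress.ip_network(network, strict=False)
    nibbles = net.network_address.exploded.replace(":", "")   # 32 hex digits
    labels = list(reversed(nibbles[: net.prefixlen // 4]))
    return ".".join(labels + ["ip6", "arpa"]) + "."


def ptr_owner(address):
    """Owner name of the PTR record for one host address (all 32 nibbles for IPv6)."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        labels = list(reversed(str(addr).split(".")))
        return ".".join(labels + ["in-addr", "arpa"]) + "."
    labels = list(reversed(addr.exploded.replace(":", "")))
    return ".".join(labels + ["ip6", "arpa"]) + "."


def ptr_line(address, hostname, ttl=3600):
    """Zone-file line for the PTR record that maps address back to hostname."""
    return f"{ptr_owner(address)} {ttl} IN PTR {hostname.rstrip('.')}."


def zone_holding(address, zone_names):
    """Most specific reverse zone, from a list of zone names, whose apex contains the
    PTR owner for address; None when no listed zone covers it."""
    owner = ptr_owner(address)
    matches = [z for z in zone_names if owner.endswith("." + z.lstrip("."))]
    return max(matches, key=len) if matches else None


if __name__ == "__main__":
    # Constructed sample inputs (documentation-range addresses).
    print(ipv4_reverse_zone("10.1.20.0/24"))
    print(ipv6_reverse_zone("2001:db8:85a3::/48"))
    print(ptr_line("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "host.example.com"))
```

zone_holding is the check an operator wants before adding a PTR by hand: it tells which existing reverse zone (automatic per network, or manually created per subnet) the record must land in, and returns None when no zone covers the address yet.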
Operations in IPv6 Reverse DNS Interface
Add: Create a new IPv6 reverse DNS zone. This involves specifying the IPv6 address and setting up the corresponding PTR record.
Clone: Duplicate an existing IPv6 reverse DNS zone. Useful for creating similar configurations for different IPv6 addresses.
Edit: Modify the settings or PTR records of an existing IPv6 reverse DNS zone. Adjustments might be needed as network configurations change.
Delete: Remove an IPv6 reverse DNS zone that is no longer needed. This step is crucial to keep the reverse DNS infrastructure up-to-date.
Split: Divide a larger IPv6 reverse DNS zone into smaller segments for better management and organization.
Bookmark: Mark a specific IPv6 reverse DNS zone for quick reference. This is particularly helpful for zones that require frequent access or monitoring.
Undo: Revert changes made in the IPv6 reverse DNS setup, an essential feature for correcting misconfigurations or errors.
Importance in Network Management
Proper management of IPv6 reverse DNS zones in TCPWave IPAM is essential for maintaining accurate network mappings and ensuring efficient network operations. These reverse lookups are particularly valuable for network administrators in diagnosing issues, verifying identity, and enhancing overall network security.
Adding a DNS IPv6 Reverse Zone in TCPWave IPAM
Overview
Creating a DNS IPv6 Reverse Zone in TCPWave IPAM is a process of setting up reverse DNS for IPv6 addresses. This setup is essential for mapping IPv6 addresses back to hostnames, commonly used for verification purposes, security, and network management.
Step-by-Step Procedure
Accessing the IPv6 Reverse Zones Page: Navigate to Network Management >> DNS Management >> DNS Zones >> Managed DNS Reverse Zones. The Managed DNS IPv6 Reverse Zones page will be displayed.
Initiating Reverse Zone Creation: Click the button to create a new IPv6 reverse zone. This opens the Managed DNS IPv6 Reverse Zones >> Create Reverse Zone page with various configuration tabs.
Configuring Reverse Zone Attributes: In the Zone tab, fill in the following details:
Organization: Select the appropriate organization from the dropdown.
IP Address: Enter the IPv6 block IP address.
Mask: Choose the network or subnet mask.
Name: This will be auto-populated based on the IP address and mask.
Apply Template: Select a Zone Template from the dropdown.
Contact: Choose a contact from the dropdown.
Description: Provide a brief description of the reverse zone.
DNSSEC Settings: Enable DNSSEC if required and select the appropriate NSEC option from the dropdown.
Monitoring and DMZ Settings: Under Monitoring Attributes, enable monitoring services. In DMZ Attributes, set DMZ visibility as needed.
Microsoft AD Integration (Optional): Configure Microsoft AD integration settings if applicable, based on the DNS Zone template.
Non-managed Secondaries Configuration: If selected, configure custom allow name servers and set up TSIG keys for secure zone transfers.
Adding Resource Records: In the Resource Records tab, add the necessary resource records by selecting the record type, class, TTL, IP address, hostname, domain name, and other relevant details.
Finalizing the Reverse Zone Setup: Once all configurations are complete, click OK. A validation message appears for confirmation. Click OK again to confirm. A message stating “Reverse Zone has been created successfully” confirms the successful setup.
Post-Creation
The newly created DNS IPv6 Reverse Zone will be listed in the DNS Reverse Zones grid with searchable and sortable columns for efficient management.
Managed Mirrored Zones in TCPWave IPAM
Overview
Managed Mirrored Zones in TCPWave IPAM are designed for replicating DNS Zone data from a primary (parent) zone to a secondary (cloned) zone. This feature ensures that DNS records such as A, CNAME, MX, TXT, and SRV records in the parent zone are duplicated exactly in the mirrored zone. It’s a valuable functionality for scenarios requiring duplicate DNS configurations across different zones.
Key Characteristics and Limitations
Data Cloning: DNS record types from the parent zone are mirrored into the cloned zone, maintaining one-to-one replication.
Active Directory Restriction: Parent zones enabled for Active Directory cannot be used for mirrored zones.
Sub-Zone Exclusion: Sub-zones of the parent zone are not included in the mirroring process.
Dynamic DNS Update Limitation: Dynamic DNS updates in the parent zone are not automatically replicated in the mirrored zone.
Automatic Monitoring: Mirrored zones are automatically monitored by TCPWave IPAM.
Data Consistency: Mirrored zones contain the same data as their corresponding actual zones.
Mirrored Zone Limit: The maximum number of mirrored zones per parent zone is configurable in the global option, ranging from 1 to 500, with a default value of 100. Exceeding this limit triggers a system warning.
Operations in the Mirrored Zone Interface
Add: Create a new mirrored zone, cloning the data from a specified parent zone.
Edit: Modify settings or configurations of an existing mirrored zone. Note that changes in the mirrored zone do not affect the parent zone.
Delete: Remove a mirrored zone that is no longer needed or relevant.
Bookmark: Mark a mirrored zone for quick access, useful for administrators who frequently manage specific mirrored zones.
Considerations and Best Practices
Use Case: Mirrored zones are ideal for testing, backup, or specific scenarios where DNS data duplication is required without impacting the primary DNS infrastructure.
Maintenance: Regularly monitor and manage mirrored zones to ensure they align with their parent zones, especially if dynamic updates occur in the parent zone.
Compliance: Ensure that the use of mirrored zones complies with organizational DNS policies and security guidelines.
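Because dynamic updates in the parent are not replicated, the Maintenance item above amounts to a periodic drift check between parent and mirror. The following Python is an added example of such a check, not TCPWave code: it parses two constructed zone-file snippets (one record per line, owner TTL IN TYPE RDATA), compares the record types the page says are mirrored after normalising owners to names relative to each zone's apex, and applies the configurable per-parent limit. The zone names and records are constructed samples.

```python
# Record types the page says are copied one-to-one. SOA and NS belong to each
# zone's own apex and are deliberately left out of the comparison.
MIRRORED_TYPES = {"A", "AAAA", "CNAME", "MX", "TXT", "SRV"}

# Constructed sample: the parent received a dynamic update (app) after mirroring.
PARENT_ZONE = """
$ORIGIN parent.example.
parent.example.      3600 IN SOA ns1.parent.example. hostmaster.parent.example. 2024010101 7200 900 1209600 3600
parent.example.      3600 IN NS  ns1.parent.example.
parent.example.      3600 IN A   192.0.2.10
www.parent.example.  300  IN A   192.0.2.11
app.parent.example.  300  IN A   192.0.2.12   ; added by a dynamic update, never mirrored
parent.example.      3600 IN MX  10 mail.parent.example.
parent.example.      3600 IN TXT "v=spf1 -all"
"""

MIRROR_ZONE = """
mirror.example.      3600 IN SOA ns1.parent.example. hostmaster.parent.example. 2024010102 7200 900 1209600 3600
mirror.example.      3600 IN NS  ns1.parent.example.
mirror.example.      3600 IN A   192.0.2.10
www.mirror.example.  300  IN A   192.0.2.11
mirror.example.      3600 IN MX  10 mail.parent.example.
mirror.example.      3600 IN TXT "v=spf1 -all"
"""


def parse_zone(text, origin):
    """Parse zone-file text into a set of (relative owner, type, rdata) tuples so that
    zones with different apex names can be compared directly."""
    origin = origin.rstrip(".").lower()
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("$"):         # skip $ORIGIN / $TTL directives
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        owner = owner.rstrip(".").lower()
        if owner == origin:
            rel = "@"
        elif owner.endswith("." + origin):
            rel = owner[: -len(origin) - 1]
        else:
            raise ValueError(f"{owner} is not inside zone {origin}")
        if rtype.upper() in MIRRORED_TYPES:
            records.add((rel, rtype.upper(), " ".join(rdata.split())))
    return records


def mirror_drift(parent_text, parent_origin, mirror_text, mirror_origin):
    """Records present in the parent but not the mirror, and vice versa."""
    parent = parse_zone(parent_text, parent_origin)
    mirror = parse_zone(mirror_text, mirror_origin)
    return {
        "missing_in_mirror": sorted(parent - mirror),
        "extra_in_mirror": sorted(mirror - parent),
    }


def within_mirror_limit(mirror_count, limit=100):
    """The per-parent limit the page describes: configurable 1..500, default 100."""
    if not 1 <= limit <= 500:
        raise ValueError("mirror limit must be between 1 and 500")
    return mirror_count <= limit


if __name__ == "__main__":
    print(mirror_drift(PARENT_ZONE, "parent.example", MIRROR_ZONE, "mirror.example"))
```

Run against real exports, a non-empty missing_in_mirror list is the signal to re-mirror or to edit the mirrored zone (edits there do not touch the parent, as noted under Edit above).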
Adding a Mirrored Zone in TCPWave IPAM
Overview
Adding a Mirrored Zone in TCPWave IPAM is a process designed for duplicating the DNS Zone data from a primary zone to a secondary mirrored zone. This functionality is particularly useful for creating exact replicas of DNS configurations for various purposes, such as testing or backup.
Step-by-Step Procedure
Accessing the Mirrored Zones Page: Navigate to Network Management >> DNS Management >> DNS Zones >> Managed Mirrored Zones. This action opens the Managed Mirrored Zones page.
Initiating Mirrored Zone Creation: Click the button to create a new mirrored zone. This opens the Managed Mirrored Zone >> Create Mirrored Zone page.
Configuring Mirrored Zone Attributes: Under Mirrored Zone Attributes, complete the following settings:
Organization: Select the appropriate organization from the dropdown. The system will auto-populate the zone data based on this selection.
Zone: Choose the primary zone you wish to mirror from the dropdown menu.
Mirrored Zones: Enter the names of the mirrored zones. Use a comma to separate multiple zone names, for example, mirror.com,zone.com.
Description: Provide a brief description for the mirrored zones.
Finalizing the Addition: Click OK to proceed. A validation message will appear: “Are you sure you want to add the mirrored zone? Click Yes to proceed.” Click YES to confirm. A confirmation message “Mirrored Zone(s) have been created successfully” indicates that the mirrored zones have been successfully added.
Post-Addition
Once the mirrored zones are added, they will be displayed in the Managed Mirrored Zones grid with searchable and sortable columns. This allows for easy management and access to the newly created mirrored zones.
DNS Forwarders in TCPWave IPAM
Overview
DNS Forwarders in TCPWave IPAM are used to define forwarding rules at the DNS appliance template level. These rules determine how DNS queries are handled and redirected, particularly in BIND Auth, BIND Cache, and Unbound appliance types within the DNS appliance template screen. Setting up forwarders is crucial for efficient DNS query resolution and network traffic management.
Functions and Operations of DNS Forwarders
Creation of Forwarder Categories: Forwarder categories are created at the appliance template level. This allows for organized and centralized management of forwarding rules.
Appliance Types for Forwarders: The DNS forwarders tab is specifically enabled for appliance types such as BIND Auth, BIND Cache, and Unbound.
Operations in the DNS Forwarders Interface
Add: Initiate the creation of a new forwarder category. This involves specifying the forwarding rules and the destination DNS servers where queries should be directed.
Edit: Modify existing DNS forwarder settings. This operation is essential for updating forwarding rules or destinations based on changes in network topology or DNS strategy.
Delete: Remove a DNS forwarder category that is no longer needed. This step is critical for maintaining an up-to-date DNS forwarding structure.
Bookmark: Mark a particular DNS forwarder category for quick access. This is useful for administrators who frequently manage specific forwarders.
Importance in Network DNS Strategy
Efficient Query Resolution: Forwarders play a vital role in optimizing DNS query resolution by directing queries to specific, often more efficient, DNS servers.
Load Balancing and Traffic Management: Forwarders can be used to balance DNS traffic load and manage network traffic more effectively.
Enhanced Control and Flexibility: They provide administrators with greater control over how DNS queries are handled within the network, enhancing overall DNS management.
Adding a DNS Forwarder in TCPWave IPAM
Overview
Adding a DNS Forwarder in TCPWave IPAM involves creating a forward category that specifies how DNS queries should be redirected or handled. This process is essential for efficient DNS management, ensuring queries are directed to appropriate servers for resolution.
Step-by-Step Procedure
Accessing the DNS Forwarders Page: Navigate to Network Management >> DNS Management >> DNS Zones >> DNS Forwarders. This action opens the DNS Forwarders page.
Initiating Forwarder Creation: Click the button to create a new DNS forwarder. This opens the DNS Forwarders >> Create DNS Forwarders page.
Configuring Forwarder Details: Complete the following fields:
Forward Category: Enter a name for the new forward category. This name should reflect its purpose or the type of queries it will handle.
Description: Provide a brief description of the forward category for clarity and future reference.
Setting Up Forwarders: Click the button to open the Forwarders pop-up. Fill in the following details:
Zone Name: Enter the name of the zone to which the forwarder will apply.
IPv4 Addresses: Input the IPv4 addresses of the destination DNS servers, separated by semicolons.
IPv6 Addresses: Similarly, input the IPv6 addresses of the destination DNS servers, if applicable, also separated by semicolons.
Finalizing the Addition: Click OK to proceed. A validation message will appear: “Are you sure you want to add the DNS Forwarder Category? Click YES to proceed.” Click YES to confirm. A confirmation message “DNS Forwarders has been added successfully” indicates the successful addition.
Post-Creation
Once the DNS forwarder is added, it will be displayed in the DNS Forwarders grid with searchable and sortable columns. This allows for easy management and access to the newly created forwarder.
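The Forwarders pop-up takes a zone name plus semicolon-separated IPv4 and IPv6 address lists. The following Python is an added example, not TCPWave code, of validating those fields and rendering what a forwarder entry corresponds to on a BIND appliance: a forward zone stanza. The mapping of a forward category to one stanza per zone, and the forward only / forward first choice, are assumptions of the example rather than documented product behaviour.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens, at most 63 characters.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def parse_address_list(text, version):
    """Split a semicolon-separated address field and check every entry is a
    well-formed address of the expected IP version."""
    addresses = []
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue                       # tolerate trailing or doubled semicolons
        addr = ipaddress.ip_address(item)  # raises ValueError on anything malformed
        if addr.version != version:
            raise ValueError(f"{item} is not an IPv{version} address")
        addresses.append(str(addr))
    return addresses


def validate_zone_name(zone):
    """Return the zone name without trailing dot, or '.' for the root; reject bad labels."""
    name = zone.strip().rstrip(".")
    if name and not all(_LABEL.match(label) for label in name.split(".")):
        raise ValueError(f"invalid zone name {zone!r}")
    return name or "."


def forward_zone_stanza(zone, ipv4="", ipv6="", forward_only=True):
    """Render a BIND forward zone for one Forwarders pop-up entry."""
    servers = parse_address_list(ipv4, 4) + parse_address_list(ipv6, 6)
    if not servers:
        raise ValueError("at least one forwarder address is required")
    mode = "only" if forward_only else "first"
    forwarders = " ".join(f"{s};" for s in servers)
    return (
        f'zone "{validate_zone_name(zone)}" {{\n'
        f"    type forward;\n"
        f"    forward {mode};\n"
        f"    forwarders {{ {forwarders} }};\n"
        f"}};"
    )


def forwarder_category(name, entries):
    """Render a whole forward category: a list of (zone, ipv4, ipv6) rows."""
    stanzas = [forward_zone_stanza(*row) for row in entries]
    return f"// forward category: {name}\n" + "\n".join(stanzas)


if __name__ == "__main__":
    # Constructed sample: a partner zone resolved via two documentation-range servers.
    print(forwarder_category("partners", [
        ("partner.example", "192.0.2.53; 192.0.2.54", "2001:db8::53"),
    ]))
```

The example defaults to forward only: with forward first, BIND falls back to normal recursion when the forwarders do not answer, so queries for a zone you intended to keep on a fixed path can leave by another route during an outage.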
Non-Managed DNS Zone in TCPWave IPAM
Overview
Non-Managed DNS Zones in TCPWave IPAM are designed to support master zones hosted on non-managed DNS servers by configuring TCPWave DNS appliances as slaves for those zones. This setup allows for the integration and management of DNS zones that are not directly controlled within the TCPWave environment but still require monitoring and maintenance.
Key Features
Zone Data Location: The data for non-managed zones resides in a specific directory (/opt/tcpwave/chroot/var/named/zones/slaves) on TCPWave DNS appliances.
DNS Cache Fault Tolerance: TCPWave IPAM’s cache fault tolerance feature periodically backs up these zone files. This is crucial for disaster recovery and maintaining the integrity of DNS internal cache appliances.
Operations in Non-Managed DNS Zone Interface
Add: Create a new non-managed DNS zone. This involves specifying the zone details and configuring it to be treated as a slave zone in TCPWave DNS appliances.
Edit: Modify the settings or configurations of an existing non-managed DNS zone. Adjustments might be needed as the external master zone changes or for maintenance purposes.
Delete: Remove a non-managed DNS zone that is no longer needed or relevant. This step is essential to keep the DNS architecture streamlined and up-to-date.
Bookmark: Mark a specific non-managed DNS zone for quick access. This feature is handy for zones that require frequent monitoring or updates.
Importance in DNS Management
Flexibility in DNS Management: Allows TCPWave users to manage external DNS zones effectively within their TCPWave environment.
Disaster Recovery: The backup feature ensures that there is minimal disruption in case of failures, providing a robust solution for DNS management.
Seamless Integration: Facilitates the integration of external DNS servers into the TCPWave ecosystem, expanding the scope of DNS management capabilities.
Adding a Non-Managed DNS Zone in TCPWave IPAM
Overview
Adding a Non-Managed DNS Zone in TCPWave IPAM involves configuring a DNS zone that is not directly controlled by the TCPWave system but requires integration for effective DNS management. This process is vital for organizations that utilize external or third-party DNS services alongside TCPWave’s managed services.
Step-by-Step Procedure
Accessing the Non-Managed DNS Zone Page: Navigate to Network Management >> DHCP Management >> DHCP Zones >> Non-Managed DNS Zone. This opens the Non-Managed DNS Zones page.
Initiating Non-Managed Zone Creation: Click the button to start creating a new Non-Managed DNS Zone. This action opens the Non-Managed DNS Zones >> Create Non-Managed DNS Zone page.
Configuring Basic Zone Information: Under the Basic Zone Information tab, fill in the following details:
Organization: Select the appropriate organization from the dropdown.
Name: Enter a name for the non-managed DNS zone.
Type: Choose the type of non-managed DNS master (External DNS or PowerDNS).
If External DNS is selected:
TSIG Key Name: Enter the TSIG key name.
TSIG Algorithm: Select an algorithm.
Secret Key: Input the secret key.
If PowerDNS is selected:
PowerDNS Masters: Choose a PowerDNS master.
Generate Empty Forwarders: Option to generate empty forwarders in DNS for all zones using this template.
Description: Provide a brief description of the non-managed DNS master.
Master and Slave DNS Appliances Configuration: View and select the appropriate Non-Managed DNS Masters and TCPWave managed slave DNS appliances. Note that selecting at least one master and one slave is mandatory if the Zone type is External DNS.
Finalizing the Non-Managed DNS Zone Setup: Click OK to proceed. A validation message will appear: “Are you sure you want to create a Non-Managed DNS Zone? Click YES to proceed.” Click YES to confirm. A confirmation message “Non-Managed DNS Zone has been created successfully” indicates the successful setup.
Post-Creation
Once the Non-Managed DNS Zone is added, it will appear in the Non-Managed DNS Zone grid with searchable and sortable columns, enabling efficient management and monitoring.
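For the External DNS type, the TSIG Key Name, TSIG Algorithm and Secret Key fields are what protect the zone transfer from the external master (the same mechanism the reverse-zone procedures call "protect zone transfers with TSIG"). The following Python is an added example, not TCPWave code, of generating a secret of the right size, checking what was entered, and rendering the equivalent BIND key and slave zone fragment. The algorithm table is BIND's; treating hmac-md5 and hmac-sha1 as weak is a policy choice of the example, and the zone file path is an assumption.

```python
import base64
import secrets

# Digest size in bytes of each HMAC algorithm accepted in a named.conf key statement.
TSIG_DIGEST_BYTES = {
    "hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
    "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64,
}
# Policy choice of this example, not a product setting.
WEAK_ALGORITHMS = {"hmac-md5", "hmac-sha1"}


def generate_tsig_secret(algorithm="hmac-sha256"):
    """Fresh base64 secret whose raw length matches the algorithm's digest size."""
    size = TSIG_DIGEST_BYTES[algorithm.lower()]
    return base64.b64encode(secrets.token_bytes(size)).decode()


def check_tsig_key(algorithm, secret):
    """Findings for the TSIG Algorithm / Secret Key fields; an empty list means OK."""
    findings = []
    alg = algorithm.lower()
    if alg not in TSIG_DIGEST_BYTES:
        return [f"unsupported algorithm {algorithm}"]
    if alg in WEAK_ALGORITHMS:
        findings.append(f"{alg} is a weak choice; prefer hmac-sha256 or stronger")
    try:
        raw = base64.b64decode(secret, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        return findings + ["secret is not valid base64"]
    if len(raw) < TSIG_DIGEST_BYTES[alg]:
        findings.append(f"secret is {len(raw)} bytes, shorter than the {alg} digest "
                        f"({TSIG_DIGEST_BYTES[alg]} bytes)")
    return findings


def slave_zone_config(zone, key_name, algorithm, secret, masters):
    """named.conf fragment for a slave of a non-managed master: the shared key and a
    slave zone whose transfers from each master are requested with that key.
    The file path under slaves/ is an assumption of this example."""
    problems = check_tsig_key(algorithm, secret)
    if problems:
        raise ValueError("; ".join(problems))
    master_list = " ".join(f"{ip} key {key_name};" for ip in masters)
    return (
        f'key "{key_name}" {{\n'
        f"    algorithm {algorithm.lower()};\n"
        f'    secret "{secret}";\n'
        "};\n"
        f'zone "{zone}" {{\n'
        "    type slave;\n"
        f'    file "slaves/{zone}.db";\n'
        f"    masters {{ {master_list} }};\n"
        "};"
    )


if __name__ == "__main__":
    # Constructed sample: one external master in the documentation address range.
    secret = generate_tsig_secret("hmac-sha256")
    print(slave_zone_config("partner.example", "partner-xfer", "hmac-sha256",
                            secret, ["192.0.2.10"]))
```

The same secret and algorithm must be configured on the external master; a mismatch shows up as refused transfers (BAD SIG or BAD KEY in the transfer log) rather than as a clear configuration error, so the length and base64 checks above catch the most common paste mistakes before the zone is saved.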
DNS Flatten
DNS flattening refers to the process of transforming a hierarchical DNS structure into a flat DNS structure. This is often done to simplify DNS management and improve performance. In a flattened DNS zone, all records are stored at the root of the domain rather than being distributed across various subdomains.
DNS Flatten Zones
DNS Flatten Zones enable the creation of CNAME records at the root of a domain while adhering to RFC standards.
Operations Available
Add: Create a new CNAME record.
Clone: Duplicate an existing CNAME record.
Edit: Modify an existing CNAME record.
Delete: Remove a CNAME record.
Bookmark: Save a CNAME record for quick access.
Sync: Synchronize changes across multiple instances or environments.
This interface provides efficient management of CNAME records at the root level of a domain, ensuring compliance with RFC standards.
Adding DNS Flatten Record
To add a DNS Flatten Record, follow these steps:
Go to Network Management >> DNS Management >> DNS Zones >> DNS Flatten.
Click on the “Add” button. This action will lead you to the DNS Flatten >> Create Record page.
Under DNS Flatten Record Attributes, provide the following details:
Organization: Select the appropriate organization from the dropdown.
Zone Name: Enter the name of the zone (e.g., example.com).
Owner Name: Specify the owner name of the DNS Flatten record (e.g., www.example.com).
Initial IP Address: Enter the initial IP address of the DNS Flatten record (e.g., 10.1.20.222).
Contact: Select a contact from the dropdown list.
Description: Add a description for the DNS Flatten record.
Enable Monitoring Service: Check this box to enable monitoring services.
Name Server-#: Enter the name server of the zone (e.g., ns1.example.com).
IP Address-#: Enter the IP address of the name server (e.g., 10.1.20.220).
Click “OK”. A validation message will appear asking for confirmation.
Confirm by clicking “YES”. A confirmation message will indicate that the DNS Flatten Record has been created successfully.
The newly added DNS Flatten Record will be displayed in the DNS Flatten Zones Management grid, allowing for easy management with searchable and sortable columns.
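The RFC constraint behind DNS Flatten is that a CNAME cannot coexist with the SOA and NS records at a zone apex, so an alias at the root has to be published as A records that track the alias target. The following Python is an added example of that flattening step, not TCPWave code and not a description of how the product's monitoring service refreshes the record: it follows a CNAME chain in a constructed lookup table, keeps the smallest TTL seen as the refresh interval, and detects loops and dead targets.

```python
# Constructed lookup table standing in for live resolution of the alias target.
# Each entry: name -> (type, rdata, ttl); A rdata is a list of addresses.
SAMPLE_RECORDS = {
    "www.example.com.": ("CNAME", "lb.cdn-provider.example.", 300),
    "lb.cdn-provider.example.": ("CNAME", "edge.cdn-provider.example.", 120),
    "edge.cdn-provider.example.": ("A", ["203.0.113.11", "203.0.113.10"], 60),
    "loop-a.example.": ("CNAME", "loop-b.example.", 60),
    "loop-b.example.": ("CNAME", "loop-a.example.", 60),
}


def fqdn(name):
    """Normalise to a lower-case, dot-terminated name."""
    return name.rstrip(".").lower() + "."


def flatten_target(target, lookup, max_hops=8):
    """Follow the CNAME chain from target to its A records.

    Returns (sorted addresses, ttl), where ttl is the minimum across the chain:
    that is how long the synthesized apex records may be served before the
    target has to be resolved again.
    """
    name, ttl, seen = fqdn(target), None, set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        record = lookup.get(name)
        if record is None:
            raise LookupError(f"{name} has no record")
        rtype, rdata, rttl = record
        ttl = rttl if ttl is None else min(ttl, rttl)
        if rtype == "A":
            return sorted(rdata), ttl
        name = fqdn(rdata)          # CNAME: keep following the chain
    raise ValueError(f"CNAME chain longer than {max_hops} hops")


def flattened_apex_records(zone, target, lookup):
    """A records to publish at the zone apex in place of an apex CNAME."""
    addresses, ttl = flatten_target(target, lookup)
    return [f"{fqdn(zone)} {ttl} IN A {addr}" for addr in addresses]


if __name__ == "__main__":
    for line in flattened_apex_records("example.com", "www.example.com", SAMPLE_RECORDS):
        print(line)
```

The loop and dead-target cases matter operationally: a flattened apex that silently keeps the last known addresses when the target disappears is indistinguishable from a healthy one, so whatever refreshes the record should surface those errors rather than swallow them.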
Query Alternate Resolvers
The Query Alternate Resolvers feature enables users to resolve queries for specific zones from business partners or third parties, including those in public cloud computing services such as vendors in the Amazon Web Services (AWS) Marketplace.
Sequence of Flow
End user computing device initiates a DNS query to the DNS Cache remote.
DNS cache remote forwards the query to the internal root Appliance on behalf of the client.
DNS root Appliance responds to the DNS cache with a referral to the DNS proxy Appliance.
DNS cache then queries the DNS proxy.
DNS proxy communicates with the alternate resolvers.
Alternate resolvers respond to the DNS proxy with an answer.
DNS proxy forwards the response to the DNS cache remote.
DNS cache provides the answer to the end-user device.
Additionally, DNS Proxy minimizes the number of firewall ports that a multinational corporation needs to open with third parties.
Operations Available
From the DNS Proxy Root Zones interface, users can perform the following operations:
Add: Add a new DNS Proxy Root Zone for managing queries to alternate resolvers.
Edit: Modify existing DNS Proxy Root Zones configurations.
Delete: Remove DNS Proxy Root Zones that are no longer needed.
Bookmark: Save frequently accessed DNS Proxy Root Zones for quick reference.
Context Menu: Access additional options and functionalities related to DNS Proxy Root Zones.
This interface streamlines the management of DNS queries to alternate resolvers, enhancing flexibility and security in resolving queries from business partners or third parties.
Adding DNS Proxy Root Zone
Navigate to Network Management >> DNS Management >> DNS Zones >> DNS Proxy Root Zones. The system will present the DNS Proxy Root Zones page.
Click on the designated option to initiate the creation process. This action will lead to the Create Proxy Root Zone page within the Proxy Root Zones section. Here, you’ll find two tabs: Proxy Root Zone and Proxy Root Appliances.
Proxy Root Zone:
Under Proxy Root Zone Details, provide the following information:
Organization: Choose an organization from the dropdown menu.
Default TTL: Enter a positive integer value and select the appropriate time unit from the dropdown.
Contact: Select a contact from the available options.
Allow Query: Clicking on this field will prompt a General Address Match List popup.
Type: Select a type from the dropdown (IPv4/ACL).
Value: Input an IP Address (e.g., 172.16.0.61).
ACL Name: Select a name from the dropdown.
Exclude: Click to exclude the data.
Description: Provide a description for the DNS Proxy Root Zone.
Under SOA Record, complete the following details:
Email Address: Enter the relevant email address.
Refresh Time: Enter a positive integer value and select the required time unit from the dropdown.
Retry Time: Enter a positive integer value and select the required time unit from the dropdown.
Expire Time: Enter a positive integer value and select the required time unit from the dropdown.
Negative Cache: Enter a positive integer value and select the required time unit from the dropdown.
Proxy Root Appliances:
This section displays the list of appliances. Choose the necessary appliances from the provided list.
Adding a DNS Proxy Appliance:
To create a DNS Proxy Appliance:
Initially, create an object of type TCPWave Remote.
Navigate to Network management >> DNS Management >> DNS Templates >> DNS Appliance templates and follow the prompts to create a new Appliance Template.
Select the DNS Appliance type as DNS Proxy Appliance and proceed with the creation process. Refer to DNS Appliance Template for detailed instructions.
Create a proxy Appliance template with Dynamic updates enabled, a TSIG key, and loggers.
Additionally, create a new option template for the DNS Proxy Appliance and configure it accordingly.
Once all necessary configurations are made, click OK. The system will validate your entries and prompt a confirmation message asking if you’re sure you want to add the DNS Proxy root zone. Click Yes to proceed.
Upon confirmation, the system will display a success message indicating that the DNS Proxy Root Zone for the selected organization has been created successfully.
After creating a Proxy Root Zone, verify that both named and unbound are up and running on the remote by using the monit summary command.
The added DNS Proxy Root Zone will be visible in the DNS Proxy Root Zones grid, with columns that are searchable and sortable.
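The SOA Record fields in the Create Proxy Root Zone form (Email Address, Refresh, Retry, Expire and Negative Cache, each as a positive integer plus a time unit) end up as one SOA resource record. The following Python is an added example, not TCPWave code, of that assembly: it converts the value/unit pairs to seconds, encodes the e-mail address as an SOA RNAME (with dots in the local part escaped), and runs the timer sanity checks an operator would want before saving. The zone and server names are constructed samples; the 10800-second negative-cache ceiling is BIND's default max-ncache-ttl.

```python
TIME_UNITS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400, "weeks": 604800}
MAX_NCACHE_TTL = 10800   # BIND's default max-ncache-ttl (3 hours); resolvers clamp above it


def to_seconds(value, unit):
    """Convert a 'positive integer + unit' pair, as entered in the form, to seconds."""
    if not isinstance(value, int) or value <= 0:
        raise ValueError("value must be a positive integer")
    return value * TIME_UNITS[unit.lower()]


def soa_rname(email):
    """Encode an e-mail address as the SOA RNAME: '@' becomes '.', and dots in the
    local part are escaped so 'john.doe@example.com' stays unambiguous."""
    local, at, domain = email.strip().partition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local.replace(".", "\\.") + "." + domain.rstrip(".") + "."


def check_soa_timers(refresh, retry, expire, negative_cache):
    """Sanity checks on the timer relationships; returns a list of findings (empty = OK)."""
    findings = []
    if retry >= refresh:
        findings.append("retry should be shorter than refresh")
    if expire <= refresh + retry:
        findings.append("expire should exceed refresh + retry, otherwise secondaries "
                        "can discard the zone after a single failed refresh cycle")
    if negative_cache > MAX_NCACHE_TTL:
        findings.append(f"negative cache TTL above {MAX_NCACHE_TTL}s is clamped by "
                        "resolvers such as BIND")
    return findings


def soa_record(zone, primary_ns, email, serial, refresh, retry, expire, negative_cache):
    """Render the SOA line; all timers are in seconds (use to_seconds for form input)."""
    problems = check_soa_timers(refresh, retry, expire, negative_cache)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"{zone.rstrip('.')}. IN SOA {primary_ns.rstrip('.')}. {soa_rname(email)} "
            f"{serial} {refresh} {retry} {expire} {negative_cache}")


if __name__ == "__main__":
    # Constructed sample values in the shape the form collects them.
    print(soa_record("proxy-root.example", "ns1.proxy-root.example", "hostmaster@example.com",
                     2024010101,
                     to_seconds(2, "hours"), to_seconds(15, "minutes"),
                     to_seconds(2, "weeks"), to_seconds(1, "hours")))
```

For a proxy root zone the Expire value deserves particular attention: it bounds how long the proxy appliances keep serving the zone if they lose contact with the primary, which for an internal root means how long internal resolution keeps working during an outage.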
DNS Proxy Root Zone Records
To add DNS Proxy Root Zones Resource Records, follow these steps:
Select a proxy root zone from the DNS Proxy Root Zones Resource Records grid.
The system will display the grid with available operations, including Add and Delete.
Click on the designated option to add a new resource record.
The system will prompt an Add Resource Record widget where you can input the necessary details based on the record type selected.
Complete the fields as required and click ADD.
Confirm the addition when prompted by clicking YES.
The system will display the added record in the grid.
Repeat the above steps as needed for different record types such as NS, CNAME, MX, SRV, TXT, and NAPTR.
This comprehensive process ensures the accurate setup and management of DNS Proxy Root Zones and associated resource records within the system.
Managing DNS Internet Root Hints
DNS Internet Root Hints contain crucial information about public root servers, specifically for external Cache appliances. These hints are vital for DNS services to locate authoritative servers for domains outside their immediate namespace.
Purpose of Root Hints:
Root hints serve as a preliminary list of resource records stored in a DNS appliance. They assist DNS servers in identifying other authoritative servers responsible for the root of the DNS domain namespace tree. These hints are particularly essential for servers authoritative for non-root zones, enabling them to discover and learn about authoritative appliances managing domains at higher levels or in other subtrees of the DNS domain namespace.
Example Scenario:
Suppose a DNS appliance (e.g., ServerA.corp.com) receives a query for a domain like tcpwave.com. In this case, ServerA requires assistance to locate an authoritative appliance (e.g., ServerB.tcpwave.com) for the tcpwave.com domain. To find ServerB or any other authoritative servers for the tcpwave.com domain, ServerA needs to query the root servers for the DNS namespace. The root servers can then guide ServerA to the authoritative servers for the [com] domain, which, in turn, can provide referrals to ServerB or other relevant servers.
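The hints the external cache appliance starts from are a short list of root NS records with A and AAAA glue, in the layout of the public named.root file. The following Python is an added example, not TCPWave code, of parsing that layout and cross-checking it: every root NS must have at least one address and every address must belong to a listed server, since a hints entry without glue cannot be used and a stale file is a common cause of a cache appliance failing to reach the root. The sample text is constructed in the named.root layout; the addresses for a.root-servers.net are the published ones, and the second entry is deliberately left without glue.

```python
import ipaddress

SAMPLE_ROOT_HINTS = """\
; Constructed sample in the named.root layout; the second entry is intentionally
; incomplete to exercise the consistency check.
.                        3600000      NS    a.root-servers.net.
a.root-servers.net.      3600000      A     198.41.0.4
a.root-servers.net.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    b.root-servers.net.
"""


def _fqdn(name):
    return name.rstrip(".").lower() + "."


def parse_root_hints(text):
    """Parse hints text into (list of root NS names, {server: {"A": [...], "AAAA": [...]}})."""
    root_ns, glue = [], {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 5 and fields[2].upper() == "IN":   # tolerate an explicit class column
            del fields[2]
        if len(fields) != 4:
            raise ValueError(f"unparseable hint line: {raw!r}")
        owner, _ttl, rtype, rdata = fields
        rtype = rtype.upper()
        if owner == "." and rtype == "NS":
            root_ns.append(_fqdn(rdata))
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if (addr.version == 4) != (rtype == "A"):
                raise ValueError(f"{rtype} record with wrong address family: {rdata}")
            glue.setdefault(_fqdn(owner), {"A": [], "AAAA": []})[rtype].append(str(addr))
        else:
            raise ValueError(f"unexpected record in root hints: {line}")
    return root_ns, glue


def check_root_hints(text):
    """Cross-check NS entries against glue; returns findings (empty = consistent)."""
    root_ns, glue = parse_root_hints(text)
    findings = []
    for ns in root_ns:
        if ns not in glue or not (glue[ns]["A"] or glue[ns]["AAAA"]):
            findings.append(f"{ns} is listed as a root server but has no address")
    for name in glue:
        if name not in root_ns:
            findings.append(f"{name} has glue but is not listed as a root server")
    if not root_ns:
        findings.append("no root NS entries found")
    return findings


if __name__ == "__main__":
    print(check_root_hints(SAMPLE_ROOT_HINTS))
```

Running the check against the hints an appliance actually loads, before and after the Sync Internet Cache Servers operation described below, gives a quick confirmation that the synchronized file is complete and internally consistent.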
Operations Supported:
From the DNS Internet Root Hints interface, users can perform the following operations:
Edit: Modify existing root hints entries as needed.
Sync Internet Cache Servers: Synchronize internet cache servers to ensure updated information retrieval.
Additional Functionality:
Number Dropdown: Users can select the desired number to view the corresponding records.
Common Functionalities: Users can utilize features such as Refresh, Column Visibility, Reset Preferences, and More options. These functionalities enhance user experience and streamline management tasks.
Warning: The availability of this section depends on the permissions assigned to the user’s role. Users can check their role permissions in the Administrator Roles section.
Note: This page supports Grid Search functionality, facilitating efficient navigation and information retrieval.
Editing Internet Root Hints:
To edit an Internet Root Hint, follow these steps:
Select Root Hint: Choose the Internet Root Hint you wish to edit from the grid. Once selected, the Edit icon becomes enabled.
Initiate Edit: Click on the Edit icon. This action prompts the system to display the “Update Internet Root Hints” popup, containing editable fields based on your requirements.
Update Information: Modify the relevant fields as needed within the popup.
Confirmation: After making the necessary changes, click OK. A validation message will appear, asking you to confirm the update to the Internet Root Hints.
Confirm Update: Click YES to proceed with the update. Upon successful completion, a confirmation message will be displayed, indicating that the Internet Root Hint has been updated successfully.
By following these steps, you can effectively edit Internet Root Hints to ensure accurate and up-to-date information for your DNS management needs.
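After editing root hints it is worth checking that the hints file is still internally consistent: every root name server listed as an NS record needs A and AAAA glue, and stray glue with no NS entry usually means a server was removed incompletely. The following added example (not part of TCPWave's documentation or code) parses a file in BIND's named.root format and reports such gaps; the sample excerpt is constructed and uses documentation-range addresses, not the real root server addresses.

```python
"""Consistency check for a root hints file in BIND's named.root format.

Added example, not TCPWave code. SAMPLE_HINTS is a constructed excerpt with
documentation-range addresses: "c" lacks AAAA glue and "d" has glue but no
NS record, so the check has something to report.
"""
from collections import defaultdict
import ipaddress

SAMPLE_HINTS = """\
; constructed excerpt - not real root server data
.                        3600000      NS    a.root-servers.net.
.                        3600000      NS    b.root-servers.net.
.                        3600000      NS    c.root-servers.net.
a.root-servers.net.      3600000      A     192.0.2.4
a.root-servers.net.      3600000      AAAA  2001:db8:a::4
b.root-servers.net.      3600000      A     192.0.2.201
b.root-servers.net.      3600000      AAAA  2001:db8:b::201
c.root-servers.net.      3600000      A     192.0.2.12
d.root-servers.net.      3600000      A     192.0.2.13
"""


def parse_hints(text):
    """Return (ns_names, glue); glue maps a server name to {"A": [...], "AAAA": [...]}."""
    ns_names = []
    glue = defaultdict(lambda: {"A": [], "AAAA": []})
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            del fields[2]                             # class is optional in named.root
        if len(fields) < 4:
            raise ValueError(f"malformed hints line: {raw!r}")
        owner, ttl, rtype, rdata = fields[0].lower(), fields[1], fields[2].upper(), fields[3]
        if not ttl.isdigit():
            raise ValueError(f"bad TTL in {raw!r}")
        if rtype == "NS":
            if owner != ".":
                raise ValueError(f"NS owner must be the root, got {owner!r}")
            ns_names.append(rdata.lower())
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)        # rejects garbage addresses
            if addr.version != (4 if rtype == "A" else 6):
                raise ValueError(f"{rtype} record with IPv{addr.version} address: {raw!r}")
            glue[owner][rtype].append(str(addr))
        else:
            raise ValueError(f"unexpected record type {rtype} in hints file")
    return ns_names, dict(glue)


def check_hints(text):
    """Return human-readable findings; an empty list means the hints are consistent."""
    ns_names, glue = parse_hints(text)
    findings, seen = [], set()
    for name in ns_names:
        if name in seen:
            findings.append(f"duplicate NS entry for {name}")
        seen.add(name)
        records = glue.get(name, {"A": [], "AAAA": []})
        if not records["A"]:
            findings.append(f"{name} has no A glue")
        if not records["AAAA"]:
            findings.append(f"{name} has no AAAA glue")
    for name in glue:
        if name not in seen:
            findings.append(f"glue for {name} but no NS entry refers to it")
    if not ns_names:
        findings.append("no NS records: a resolver would have no root servers to start from")
    return findings


if __name__ == "__main__":
    for finding in check_hints(SAMPLE_HINTS) or ["hints file is consistent"]:
        print(finding)
```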
DNS Log Channels
The DNS Log Channels view provides a comprehensive list of various DNS log channels defined within the IP Address Management (IPAM) system.
Accessing DNS Log Channels:
To access the DNS Log Channels section, follow these steps:
Navigate to Network Management >> DNS Management >> DNS Configuration >> DNS Log Channels. This action will bring up the DNS Log Channels interface.
In the displayed grid, you’ll find default channels such as:
Default_syslog
Default_debug
Default_stderr
null
Available Operations:
From the DNS Log Channels interface, users can perform the following operations:
Add: Add a new DNS log channel.
Edit: Modify existing DNS log channels.
Delete: Remove unnecessary DNS log channels.
Bookmark: Bookmark important DNS log channels for quick access.
Import: Import DNS log channel configurations.
Additional Functionality:
Number Dropdown: Allows users to select the desired number of records to be displayed in the grid.
Common Functionalities: Refer to the section on common functionalities for details on refreshing, adjusting column visibility, resetting preferences, and accessing more options.
Note: Access to certain functionalities may be enabled or disabled based on the permissions assigned to the user’s role. For clarification on assigned roles, navigate to Administrator Roles.
Adding DNS Log Channel:
Navigate to Network Management >> DNS Management >> DNS Configuration >> DNS Log Channels. This action will bring up the DNS Log Channels page.
Click Add. The system will navigate to the Create Log Channel page.
Fill in the following Log Channel Attributes:
Channel Type: Select a channel type from the dropdown list. Fields will adjust based on the selected type.
Channel: Enter a name for the channel.
File Name: Specify the file name.
Facility: Choose the facility type from the dropdown list. This field is visible when SYSLOG is selected as the Channel Type.
Versions: Input the version number.
Size: Enter the size in bytes.
Severity: Select the severity level of the logs.
Debug Level: Specify the debug level number.
Click OK. A validation message “Are you sure you want to add the DNS log channel? Click Yes to proceed.” will appear.
Click YES. A confirmation message “Log Channel has been created successfully.” will be displayed. The newly added Log Channel will be visible in the DNS Log Channels grid, featuring searchable and sortable columns.
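The attributes collected on the Create Log Channel page map directly onto a BIND `channel` statement. The added example below (not TCPWave code) renders that statement from the same fields and enforces the combinations named accepts, notably that a debug level only makes sense with severity debug and that a size limit without versions makes named stop writing once the file fills. The channel type names FILE, SYSLOG, STDERR and NULL and the sample attribute sets are assumptions.

```python
"""Render a BIND `channel` stanza from Create Log Channel attributes.

Added example, not TCPWave code. The channel type names (FILE/SYSLOG/STDERR/
NULL) and the sample attribute dicts are assumed.
"""

SEVERITIES = {"critical", "error", "warning", "notice", "info", "debug", "dynamic"}
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"} | {f"local{i}" for i in range(8)}

# Constructed sample attribute sets, keyed like the page's field names
EXAMPLES = [
    {"channel_type": "FILE", "channel": "security_file",
     "file_name": "/var/log/named/security.log", "versions": 5,
     "size": 20971520, "severity": "info"},
    {"channel_type": "SYSLOG", "channel": "sec_syslog", "facility": "local0",
     "severity": "debug", "debug_level": 3},
]


def render_channel(attrs):
    """Return (stanza, warnings). Raises ValueError for combinations named rejects."""
    ctype = attrs["channel_type"].upper()
    name = attrs["channel"]
    if not name or any(ch.isspace() for ch in name):
        raise ValueError("channel name must be a single token")
    lines, warnings = [f'channel "{name}" {{'], []

    if ctype == "FILE":
        fname = attrs.get("file_name")
        if not fname:
            raise ValueError("FILE channel requires a file name")
        dest = f'    file "{fname}"'
        versions, size = attrs.get("versions"), attrs.get("size")
        if versions is not None:
            if versions != "unlimited" and (not isinstance(versions, int) or versions < 0):
                raise ValueError("versions must be a non-negative integer or 'unlimited'")
            dest += f" versions {versions}"            # BIND grammar: versions before size
        if size is not None:
            if not isinstance(size, int) or size <= 0:
                raise ValueError("size must be a positive number of bytes")
            dest += f" size {size}"
            if versions is None:
                # a size-limited file that is never rolled over simply stops receiving logs
                warnings.append("size without versions: logging stops when the file fills")
        lines.append(dest + ";")
    elif ctype == "SYSLOG":
        facility = attrs.get("facility", "daemon").lower()
        if facility not in FACILITIES:
            raise ValueError(f"unknown syslog facility {facility!r}")
        lines.append(f"    syslog {facility};")
    elif ctype in ("STDERR", "NULL"):
        lines.append(f"    {ctype.lower()};")
    else:
        raise ValueError(f"unknown channel type {ctype!r}")

    severity, level = attrs.get("severity"), attrs.get("debug_level")
    if severity is not None:
        severity = severity.lower()
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        if severity == "debug":
            if level is not None:
                if not isinstance(level, int) or level < 0:
                    raise ValueError("debug level must be a non-negative integer")
                lines.append(f"    severity debug {level};")
            else:
                lines.append("    severity debug;")
        elif level is not None:
            raise ValueError("debug level is only meaningful with severity debug")
        else:
            lines.append(f"    severity {severity};")
    elif level is not None:
        raise ValueError("debug level requires severity debug")

    lines.append("};")
    return "\n".join(lines), warnings


if __name__ == "__main__":
    for attrs in EXAMPLES:
        stanza, warnings = render_channel(attrs)
        print(stanza)
        for w in warnings:
            print("# warning:", w)
```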
DNS Hostname Restrictions
The DNS Hostname Restrictions grid displays various Host Naming Restrictions defined in the IPAM. These restrictions help prevent offensive hostnames in Objects, Domains, Zones, Root Zones, Proxy Root Zones, and Quick Tasks screens. The Host Naming Policy functionality is effective only when “Enable Host Naming Policies” is enabled in the global options.
Accessing DNS Hostname Restrictions
Navigate to Network Management >> DNS Management >> DNS Configuration >> DNS Hostname Restrictions. This action directs you to the DNS Hostname Restrictions page.
Operations Available
Add: Allows adding new hostname restrictions.
Edit: Permits editing existing hostname restrictions.
Delete: Enables deleting hostname restrictions.
Bookmark: Option to bookmark specific entries.
Number Dropdown: Select the desired number to display records.
Additional Functionalities
Common Functionalities: Refers to features like Refresh, Column Visibility, Reset Preferences, and More options.
Warning: The availability of this section depends on the permissions assigned to your role.
Note
Ensure that the “Enable Host Naming Policies” option is enabled in the global settings for the Host Naming Policy functionality to take effect.
This page supports Grid Search functionality for easier navigation and management of hostname restrictions.
Adding Host Naming Policy
Navigate to Network Management >> DNS Management >> DNS Configuration >> DNS Hostname Restrictions. This action directs you to the DNS Hostname Restrictions page.
Click Add. The system navigates to the Create Policy page.
Under Policy Attributes, fill in the following details:
Policy Name: Provide a name for the Hostname Restriction policy.
Policy Type: Choose the type of Hostname Restriction from the dropdown.
Policy Value: Enter the specific value for the policy.
Example for Policy Type “RegEx”: Use the format %bad%.
Example for Policy Type “Contains”: Specify the forbidden word or phrase.
Description: Optionally, provide a description for the Hostname Restriction.
Click OK. A validation message appears asking, “Are you sure you want to add the Hostname policy?”.
Click YES to confirm. A confirmation message appears stating, “Hostname Policy has been created successfully.”
The newly added naming policy will be listed in the DNS Hostname Restrictions grid, where you can search and sort its columns for easy management.
Global DNS Elevated Privileges Configuration
The Elevated Privileges functionality empowers system administrators to delegate authority to specific users or groups, enabling them to execute certain commands with elevated permissions, either as root or non-root users. This feature is governed by the sudoers file, which can be configured across all DNS appliances.
Key Features
Delegation: Allows administrators to grant specific users or groups the ability to run designated commands with elevated privileges.
Granular Control: Offers fine-grained control over command execution, ensuring security and compliance with organizational policies.
Upload File: Facilitates the upload of a sudoers file containing the desired configurations.
Sudoers Settings: Enables modification of sudoers configurations, with options to edit, view, and export settings.
Usage Instructions
Upload File:
Click on the upload icon (+) to initiate the file upload process.
Choose the appropriate sudoers file containing the desired settings.
Preview the file contents to ensure accuracy.
Confirm the upload to apply the Elevated Privileges configuration to the appliance’s /etc/sudoers file.
Sudoers Settings:
Upon successful upload, configurations from the uploaded file are displayed in green within the “Configuration from the uploaded file” section.
Any syntax errors in the uploaded sudoers settings are highlighted, providing an opportunity for correction.
Click on the “Edit” button to modify the configurations as needed. The configurations become editable in the white area.
Once modifications are complete, click “Done” to save the changes.
The modified sudoers configuration is displayed in the “Modified Sudoers Configuration” section.
View and Export:
Utilize the “View” button to inspect the existing elevated privileges settings for the appliance.
Click “Export” to download the current elevated privileges configuration from the appliance into a file.
Export functionality is disabled if the displayed configuration does not match the existing settings.
Access Control
FADM Users: Can update elevated privileges on individual or all appliances simultaneously from the Appliance Defaults section.
SADM Users: Can update elevated privileges on one appliance at a time.
Other Roles: Restricted from updating elevated privileges on any appliances.
Note
It’s essential to review and verify the changes before applying them, ensuring compliance with security and organizational requirements. Additionally, permissions from the TCPWave Identity Administration module may be required to perform these operations.
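The review the note asks for can be partly automated. The following added example (not TCPWave code) parses the user specifications of a sudoers file and flags grants that defeat the purpose of delegation: `ALL` commands, interactive shells, and wildcards in arguments, which sudo matches across word boundaries. The sample file is constructed; `Defaults` lines and alias definitions are skipped and alias names are not expanded.

```python
"""Flag over-broad grants in a sudoers file before uploading it.

Added example, not TCPWave code. SAMPLE_SUDOERS is constructed. Only user
specifications are inspected; Defaults and alias definitions are skipped and
Cmnd_Alias names are reported as-is rather than expanded.
"""
import re

SAMPLE_SUDOERS = """\
# constructed sample, not a real appliance file
Defaults    env_reset
Cmnd_Alias  DNSCTL = /usr/sbin/rndc reload, /usr/sbin/rndc status
%dnsops     ALL=(root) NOPASSWD: DNSCTL, /bin/systemctl restart named
auditor     ALL=(root) /usr/bin/tail -f /var/log/named/*
jdoe        ALL=(ALL:ALL) NOPASSWD: ALL
"""

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")


def parse_user_specs(text):
    """Return user specs as dicts: who, hosts, runas, cmds=[(tags, command), ...]."""
    specs, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments (and #include lines)
        if not line:
            continue
        if line.endswith("\\"):                    # backslash continuation
            pending += line[:-1]
            continue
        line, pending = (pending + line).strip(), ""
        if line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse user specification: {raw!r}")
        cmds, tags = [], set()
        for item in m.group("rest").split(","):
            item = item.strip()
            # a tag prefix (NOPASSWD: ...) applies to this and all later commands
            while True:
                tm = re.match(r"^([A-Z_]+):\s*", item)
                if not tm or tm.group(1) not in TAGS:
                    break
                tag = tm.group(1)
                tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
                tags.add(tag)
                item = item[tm.end():]
            if item:
                cmds.append((frozenset(tags), item))
        specs.append({"who": m.group("who"), "hosts": m.group("hosts"),
                      "runas": m.group("runas") or "root", "cmds": cmds})
    return specs


def review_sudoers(text):
    """Return (who, command, message) findings in file order."""
    findings = []
    for spec in parse_user_specs(text):
        for tags, cmd in spec["cmds"]:
            program = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                msg = f"may run any command as {spec['runas']}"
                if "NOPASSWD" in tags:
                    msg += " without a password"
                findings.append((spec["who"], cmd, msg))
            elif program in SHELLS:
                findings.append((spec["who"], cmd, "grants an interactive shell, which is equivalent to ALL"))
            elif "*" in cmd or "?" in cmd:
                findings.append((spec["who"], cmd,
                                 "wildcard in arguments matches across spaces, so further arguments can be appended"))
    return findings


if __name__ == "__main__":
    for who, cmd, msg in review_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {cmd!r}: {msg}")
```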
Global DNS Syslog-NG Configuration
Navigate to Network Management >> DNS Management >> DNS Configuration >> Global DNS Syslog-NG Configuration.
Make the necessary changes to the Syslog-NG configuration based on your requirements.
Syslog-NG:
Syslog-NG facilitates the collection of log messages, aiding in system management, maintenance, and troubleshooting. It can classify messages into different categories based on predefined patterns, extract useful information, and standardize log data.
Sub-tabs under Syslog-NG:
Syslog-NG Options: Modify Syslog-NG behavior with options such as time-reopen(), time-reap(), flush_lines(), etc.
Syslog-NG Sources: Define sources for receiving log messages, such as internal messages, system-specific log messages, messages from text files, syslog servers, or networks.
Syslog-NG Filters: Set rules to select specific messages based on criteria like facility, priority, hostname, IP network, program, etc.
Syslog-NG Destinations: Specify where log messages matching filter rules should be sent, such as files, named pipes, local users, syslog servers, etc.
Syslog-NG Targets: Map sources, filters, and destinations to create log targets for sending messages from source to destination.
Once you’ve made the necessary edits, ensure to click Save or equivalent to apply the changes.
Note: Updating the Global DNS Syslog-NG Configuration overrides existing settings on all IPv4 and IPv6 DNS appliances. It’s crucial to review and verify the changes before saving.
This operation may require permissions from the TCPWave Identity Administration module.
Global DNS TACACS+ Configuration
Navigate to Network Management >> DNS Management >> DNS Configuration >> Global DNS TACACS+ Configuration.
Make the necessary changes to the LDAP and TACACS+ configurations based on your requirements.
Global DNS TACACS+ Configuration:
LDAP Settings: Enable LDAP Authentication on appliances by checking the corresponding checkbox.
TACACS+ Password Settings: Enable TACACS+ on Remote by checking the checkbox. Enter the TACACS+ secret key in the Pass-Key field and confirm it by reentering the key. Provide the TACACS+ Appliance IP addresses in the respective fields.
Once you’ve made the required modifications, ensure to save the changes.
Note: Updating the Global DNS TACACS+ Configuration overrides existing settings on all IPv4 and IPv6 DNS appliances. It’s essential to review and verify the changes before saving.
Permission to perform this operation may be required from the TCPWave Identity Administration module.
Active Directory GSS-TSIG Management in TCPWave IPAM
Overview
In TCPWave IPAM, integrating Active Directory (AD) for dynamic DNS updates involves utilizing the GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) mechanism. GSS-TSIG, an extension of the TSIG DNS authentication protocol, uses Kerberos to securely exchange keys, ensuring authentication, integrity, and confidentiality in communications.
Enabling AD Updates in a Zone
To enable a DNS zone for receiving dynamic updates from a Microsoft Active Directory Appliance via GSS-TSIG:
Go to the zone management section (Managed DNS Zone >> Add/Edit DNS).
Check the Enable AD Updates checkbox.
Select an existing Domain Controller from the available options.
Operations in Active Directory GSS-TSIG Management Interface
Add: Create a new GSS-TSIG configuration. This involves specifying the necessary Kerberos and domain settings to facilitate secure communication between the TCPWave IPAM and the AD appliance.
Validate: Ensure the correctness and functionality of the GSS-TSIG settings. This step is crucial to verify that the TCPWave IPAM can successfully authenticate and receive updates from the AD appliance.
Delete: Remove an existing GSS-TSIG configuration. This might be necessary if the domain controller settings change or if the configuration is no longer needed.
Importance of GSS-TSIG in Active Directory Integration
Secure Key Exchange: GSS-TSIG provides a robust method for key exchange, crucial for maintaining the security of dynamic DNS updates.
Authentication and Confidentiality: By leveraging Kerberos, GSS-TSIG ensures that the communication between the DNS system and AD is authenticated and the data integrity is maintained.
Dynamic DNS Updates: Allows TCPWave IPAM to seamlessly integrate with AD for dynamic DNS updates, which is essential for networks that rely on AD for DNS record management.
Adding Active Directory User Mapping Information in TCPWave IPAM
Overview
Integrating Active Directory (AD) with TCPWave IPAM for DNS security purposes involves adding user mapping information. This process is crucial for establishing a secure connection between the DNS management system and the AD using the GSS-TSIG protocol.
Steps to Add Active Directory User Mapping
Accessing Active Directory GSS-TSIG Management:
Navigate to Network Management >> DNS Management >> DNS Security >> Active Directory GSS-TSIG Management.
Click the option to open the Active Directory User Mapping >> Create Active Directory page.
Filling in Active Directory User Profile:
Organization: Select the relevant organization from the dropdown list.
Principal Name: Choose the principal name from the dropdown list.
Service: Enter the service name (e.g., DNS service name).
Realm: Input the realm name, such as the domain name (e.g., Demo.com).
Setting Active Directory UPN Attributes:
Principal Type: Select the appropriate principal type from the dropdown.
Encryption Type: Choose a specific encryption type or select ‘ALL’ to include all types.
Domain Controller: Choose the domain controller from the available options. A corresponding Domain Controller Object must exist in IPAM for this step.
Generating and Uploading Kerberos Keytab File:
Click Generate to create a ktpass command based on the selected information. Execute this command on the Active Directory Appliance to generate the keytab file. Example command format:
```bash
ktpass -out <Out File name> -princ <Service name>/<Principal name>@<Realm name> -mapuser <Principal name> -pass <Password> -crypto <Encryption type selected> -ptype <Principal type selected>
```
Upload File: Upload the generated Kerberos keytab file from the Active Directory Appliance.
Finalizing the Setup:
Click OK. A confirmation message will display: “Active Directory has been created successfully.”
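Two details of the generated command are easy to get wrong: the realm is case-sensitive in Kerberos (Active Directory realms are the upper-case domain name, so a value such as Demo.com should be DEMO.COM), and the DES and RC4 encryption types are deprecated. The added example below (not TCPWave code) assembles the same ktpass command from the profile fields and reports these issues; the service, principal and realm values are constructed.

```python
"""Assemble and sanity-check the ktpass command for a GSS-TSIG keytab.

Added example, not TCPWave code. The sample service/principal/realm values
are constructed; the flag names are ktpass's own.
"""
import re

CRYPTO_TYPES = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC-NT", "AES256-SHA1", "AES128-SHA1", "ALL"}
WEAK_CRYPTO = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC-NT"}
PRINCIPAL_TYPES = {"KRB5_NT_PRINCIPAL", "KRB5_NT_SRV_INST", "KRB5_NT_SRV_HST"}
TOKEN = re.compile(r"^[A-Za-z0-9._-]+$")


def build_ktpass(out_file, service, principal, realm, password, crypto, ptype):
    """Return (command, warnings); raises ValueError on malformed input.

    password may be "*" to have ktpass prompt instead of taking it from the command line.
    """
    for label, value in (("service", service), ("principal", principal), ("realm", realm)):
        if not TOKEN.match(value):
            raise ValueError(f"{label} contains characters not allowed in a principal: {value!r}")
    crypto, ptype = crypto.upper(), ptype.upper()
    if crypto not in CRYPTO_TYPES:
        raise ValueError(f"unknown encryption type {crypto!r}")
    if ptype not in PRINCIPAL_TYPES:
        raise ValueError(f"unknown principal type {ptype!r}")
    if not password or '"' in password:
        raise ValueError("password must be non-empty and must not contain double quotes")

    warnings = []
    if realm != realm.upper():
        # Kerberos realm names are case-sensitive; AD realms are the upper-case domain name
        warnings.append(f"realm {realm!r} normalised to {realm.upper()!r}; case matters in Kerberos")
        realm = realm.upper()
    if crypto in WEAK_CRYPTO:
        warnings.append(f"{crypto} is a deprecated encryption type; prefer AES256-SHA1")
    elif crypto == "ALL":
        warnings.append("ALL also writes RC4/DES keys where the domain still allows them")
    if password != "*":
        warnings.append("password is on the command line; -pass * prompts for it instead")

    crypto_arg = "All" if crypto == "ALL" else crypto   # spelling used in ktpass documentation
    pass_arg = "*" if password == "*" else f'"{password}"'
    command = (f"ktpass -out {out_file} -princ {service}/{principal}@{realm} "
               f"-mapuser {principal} -pass {pass_arg} -crypto {crypto_arg} -ptype {ptype}")
    return command, warnings


if __name__ == "__main__":
    # constructed values: service DNS, principal tcpwave-svc, realm Demo.com (as on the page)
    cmd, warns = build_ktpass("dns.keytab", "DNS", "tcpwave-svc", "Demo.com", "*",
                              "AES256-SHA1", "KRB5_NT_PRINCIPAL")
    print(cmd)
    for w in warns:
        print("warning:", w)
```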
Importance
Secure Authentication: By linking AD with DNS via GSS-TSIG, the system ensures secure and authenticated communication.
Efficient Management: Simplifies the management of DNS security in environments using Active Directory.
Flexibility: Provides options to select specific encryption types and domain controllers, offering tailored security settings.
DNS Access Control List (ACL) Management in TCPWave IPAM
Overview
In TCPWave IPAM, Access Control Lists (ACLs) play a crucial role in defining and managing access permissions for various network hosts in relation to DNS services. These ACLs are incorporated into the named.conf file of BIND (Berkeley Internet Name Domain), the most widely used DNS software on the Internet.
Special ACL-Name Values
BIND has built-in special acl-name values that are recognized by default:
“none”: Matches no hosts, essentially denying access.
“any”: Matches all hosts, granting universal access.
“localhost”: Matches all IP addresses of the server where BIND is running, typically used for local administration.
“localnets”: Matches all hosts on the networks directly attached to the server where BIND is running (derived from each interface’s IP address and subnet mask), allowing access to hosts within the local networks.
Operations in the DNS ACL Interface
Add: Create a new ACL template. This is used to specify a group of hosts (by IP address, range, or other criteria) and define access permissions for them.
Clone: Duplicate an existing ACL template. Useful for creating similar ACLs with minor variations.
Edit: Modify the details of an existing ACL. This could involve changing the IP addresses or access levels.
Delete: Remove an ACL template from the system. This operation should be used with caution as it could affect DNS access for the defined hosts.
Bookmark: Save ACL templates for quick access. Ideal for frequently used or important ACLs.
Import: Bring in ACL templates from external sources. This is helpful for deploying standardized ACLs across different systems.
Importance of ACLs in DNS Management
Security: ACLs provide a fundamental layer of security by controlling which hosts can query or update DNS records.
Customization: They offer flexibility to tailor DNS access according to organizational needs and network architecture.
Efficiency: Through the template mechanism, ACLs can be easily replicated and deployed, saving time and reducing the likelihood of errors.
Adding an ACL in TCPWave IPAM
Overview
Access Control Lists (ACLs) are crucial in TCPWave IPAM for managing and regulating access to DNS services. They define rules that specify which hosts (identified by IP addresses, networks, or TSIG keys) are permitted or denied access to DNS services.
Steps to Add an ACL
Navigation: Go to Network Management >> DNS Management >> DNS Security >> DNS Access Control Lists. This opens the DNS Access Control Lists page.
Initiating ACL Creation: Click the button to start the ACL creation process. This action opens the ACL’s >> Create ACL page with two main tabs: Details and References.
Filling in Details: Under ACL Attributes, input the following:
ACL Name: Provide a unique name for the ACL. Avoid using “TITAN” to prevent confusion with the autoblock feature.
ACL Description: Describe the purpose or characteristics of the ACL.
Under Add ACL Attributes, complete the following:
Type: Choose the ACL type (IPv4/ACL/TSIG Key).
Depending on the type chosen:
ACL Name: If ACL type, select an existing ACL name.
TSIG Key Name: If TSIG Key type, select a TSIG key.
IPv4 Address: If IPv4 type, input comma-separated IPv4 addresses with valid mask lengths.
Exclude: Optionally, check to exclude the ACL.
ACL Data Grid: Once you click OK, the ACL data attributes are displayed in the ACL Data grid.
Managing References: This tab shows DNS Option Templates, DNS Zone Templates, and DNS Zones utilizing this ACL. Clicking on a record navigates to the respective section for more details.
Finalizing the ACL: Click OK to receive a validation message. Confirm by clicking YES. A confirmation message “ACL has been created successfully” is displayed.
Reviewing the ACL: The newly added ACL appears in the DNS Access Control Lists grid, complete with searchable and sortable columns for easy management.
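The Type, value and Exclude fields above correspond to the elements of a BIND address match list, and BIND evaluates such a list in order: the first element that matches decides, so an excluded (negated) prefix placed after a broader prefix never takes effect. The added example below (not TCPWave code) renders the `acl` statement from those fields, evaluates it with first-match semantics, and reports exclusions that are shadowed in this way; ACL names, key names and addresses are constructed.

```python
"""Render and evaluate a BIND ACL built from Type / value / Exclude entries.

Added example, not TCPWave code. ACL names, TSIG key names and addresses
are constructed. Nested ACLs are reduced to match / no-match here.
"""
import ipaddress

BUILTIN_ACLS = {"none", "any", "localhost", "localnets"}


def compile_acl(name, entries):
    """entries: [{"type": "IPv4"|"ACL"|"TSIG Key", "value": str, "exclude": bool}].
    Returns [(kind, value, negated), ...] in the order given."""
    if name.lower() in BUILTIN_ACLS or "titan" in name.lower():
        raise ValueError(f"ACL name {name!r} is reserved")
    compiled = []
    for entry in entries:
        negated = bool(entry.get("exclude"))
        if entry["type"] == "IPv4":
            for item in entry["value"].split(","):
                # strict=True rejects a prefix with host bits set, e.g. 10.1.2.3/24
                compiled.append(("net", ipaddress.IPv4Network(item.strip(), strict=True), negated))
        elif entry["type"] == "ACL":
            compiled.append(("acl", entry["value"].strip(), negated))
        elif entry["type"] == "TSIG Key":
            compiled.append(("key", entry["value"].strip(), negated))
        else:
            raise ValueError(f"unknown ACL entry type {entry['type']!r}")
    return compiled


def render_acl(name, compiled):
    """Return the named.conf acl statement for a compiled list."""
    body = []
    for kind, value, negated in compiled:
        bang = "!" if negated else ""
        if kind == "net":
            text = str(value.network_address) if value.prefixlen == 32 else value.with_prefixlen
        elif kind == "key":
            text = f"key {value}"
        else:
            text = value
        body.append(f"    {bang}{text};")
    return f'acl "{name}" {{\n' + "\n".join(body) + "\n};"


def shadowed_exclusions(compiled):
    """Negated prefixes that can never fire because an earlier, broader element matches first."""
    out = []
    for i, (kind, value, negated) in enumerate(compiled):
        if kind != "net" or not negated:
            continue
        for pkind, pvalue, pneg in compiled[:i]:
            if pkind == "net" and not pneg and value.subnet_of(pvalue):
                out.append(f"!{value.with_prefixlen} is shadowed by {pvalue.with_prefixlen}")
                break
    return out


def acl_matches(compiled, client_ip, signer_key=None, acls=None):
    """First-match evaluation; `acls` maps nested ACL names to compiled lists."""
    ip = ipaddress.IPv4Address(client_ip)
    acls = acls or {}
    for kind, value, negated in compiled:
        if kind == "net":
            hit = ip in value
        elif kind == "key":
            hit = signer_key is not None and signer_key == value   # request signed with that TSIG key
        elif value == "any":
            hit = True
        elif value == "none":
            hit = False
        elif value in acls:
            hit = acl_matches(acls[value], client_ip, signer_key, acls)
        else:
            raise ValueError(f"nested ACL {value!r} is undefined (localhost/localnets need interface data)")
        if hit:
            return not negated        # negated match denies, plain match allows
    return False                      # no match: access denied


if __name__ == "__main__":
    entries = [{"type": "IPv4", "value": "10.0.5.0/24", "exclude": True},
               {"type": "IPv4", "value": "10.0.0.0/8, 192.168.1.10"},
               {"type": "TSIG Key", "value": "xfer-key"}]
    compiled = compile_acl("internal_xfer", entries)
    print(render_acl("internal_xfer", compiled))
    print("10.0.5.7 allowed:", acl_matches(compiled, "10.0.5.7"))
```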
Importance of ACLs in DNS Management
Enhanced Security: By defining who can access DNS services, ACLs bolster network security.
Customized Access Control: ACLs allow for tailored access control based on network requirements.
Clarity and Organization: Descriptive names and details provide clear understanding and efficient management of ACLs.
DNS Threat Management in TCPWave IPAM
Overview
DNS Threat Management in TCPWave IPAM is a crucial aspect of network security, focusing on mitigating potential DNS-related threats. This management interface allows administrators to set up and configure various security templates and policies to protect the network against malicious activities.
Accessing DNS Threat Management
Navigation: To access the DNS Threat Management section, go to Network Management >> DNS Security >> DNS Threat Management. Upon navigation, the DNS Threat Management page is displayed, comprising several critical tabs.
Key Tabs in DNS Threat Management
Firewall Templates: This tab involves setting up templates for firewall rules specifically tailored for DNS traffic. These templates can define which traffic is allowed or blocked based on criteria like source IP, destination IP, protocol, etc.
RPZ Templates (Response Policy Zone Templates): RPZs are used in DNS to implement policy actions for specified DNS names or IP addresses. RPZ templates in TCPWave IPAM allow administrators to create predefined policies that can be applied to various zones or DNS queries, helping to block or redirect harmful or unwanted requests.
RPZ Policy Files: This section involves managing the actual policy files associated with RPZs. Administrators can define specific rules and actions in these files, which are then implemented according to the RPZ templates.
NSM Templates (Name Server Management Templates): NSM templates are related to the management and operation of DNS name servers. These templates can include configurations for rate limiting, logging, query response settings, and more, contributing to overall DNS security and efficiency.
Further References
The documentation also refers to additional sections for detailed configuration and management instructions. Administrators should refer to these sections for comprehensive guidance on setting up and managing DNS threat management tools and policies effectively.
Importance of DNS Threat Management
Network Security: Robust DNS threat management is critical for protecting the network against DNS-based attacks, such as DNS spoofing, cache poisoning, and DDoS attacks.
Policy Enforcement: With RPZs and firewall templates, administrators can enforce network policies at the DNS level, controlling access and redirecting traffic as needed.
Operational Efficiency: Efficient management of name servers through NSM templates ensures that DNS queries are handled optimally, maintaining network performance.
Intended for network and DNS administrators, this guide outlines the key aspects of DNS Threat Management within TCPWave IPAM. Effective use of these tools and templates is essential for maintaining a secure, reliable, and efficient DNS environment.
Overview
DNS Firewall Templates in TCPWave IPAM play a pivotal role in network security by managing DNS traffic to prevent malware attacks and block interactions with known malicious domains or IP addresses. Utilizing iptables in the Linux kernel, these templates allow for intricate configuration of packet filtering rules to safeguard connected devices.
Understanding `iptables`
iptables is a robust tool in Linux for configuring the packet filtering rules.
It manages tables containing chains of rules for packet processing.
Tables house built-in and user-defined chains.
Each chain consists of rules to match packet sets, dictating specific actions (targets) for matched packets, including redirection or blocking.
Key Operations in Firewall Templates
Add: Create new firewall templates. This involves specifying detailed rules for how DNS queries are processed and controlled, particularly for potentially harmful traffic.
Edit: Modify existing firewall templates. This is crucial for updating rules in response to emerging threats or changing network policies.
Delete: Remove unwanted or outdated firewall templates. Care should be taken with this operation as it affects how DNS traffic is managed.
Bookmark: Mark frequently used or important templates for quick access, enhancing efficiency in network management.
Application of DNS Firewall Templates
Malware Prevention: By redirecting or blocking queries to known malicious sites, the DNS firewall protects the network from various online threats.
Device Compromise Identification: The system can detect and pinpoint compromised devices, facilitating quick containment and resolution of security incidents.
Customization: Administrators can tailor the DNS firewall rules to meet specific security needs and policies of the organization.
Traffic Management: Beyond security, these templates also help in managing the overall flow of DNS traffic, ensuring optimal network performance.
Adding and Assigning a Firewall Template in TCPWave IPAM
Adding a Firewall Template
Navigation: Go to Network Management >> DNS Management >> DNS Security >> DNS Threat Management. The DNS Threat Management page will be displayed.
Initiating Template Creation: Click the designated option to access the Firewall Template creation interface.
Filling in Template Details:
Name: Enter the template’s name.
Organization: Choose from the dropdown menu.
Description: Provide a brief description of the template.
Configuring Rules: Add rules to the template. These rules dictate packet filtering on DNS Appliances.
Specify Rule Name, Action, Chain, Protocol, Source/Destination IP, Interface, MAC Address, Fragment, Match String, and Extension.
Click ADD to include each rule in the template.
Rule Management: The Rules grid will display all added rules. You can delete or reorder rules as needed.
Finalizing Template: Click OK to create the template. A confirmation message will appear upon successful creation.
Assigning Firewall Template to DNS Appliance
Appliance Selection: Navigate to Network Management >> DNS Management >> DNS Appliances. Choose the specific DNS Appliance for the template application.
Template Application: Edit the DNS Appliance settings. Select the created firewall template from the dropdown menu. Click OK to apply. The rules in the template are now active on the selected DNS Appliance.
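Each rule in a template ends up as an iptables rule on the appliance. The added example below (not TCPWave code) shows what the fields listed above expand to, with one assumption: that Match String holds a domain name to block, which is encoded in DNS wire format (length-prefixed labels) for the xt_string match, since a plain text match on "malware.example" would not find the name inside a DNS packet. It also enforces two constraints iptables imposes: the MAC match is only valid in the PREROUTING, INPUT and FORWARD chains, and OUTPUT rules select an interface with -o rather than -i. Sample values are constructed.

```python
"""Expand a firewall template rule into its iptables command.

Added example, not TCPWave code. Assumes Match String is a domain name to
block in DNS traffic; RULE is a constructed sample.
"""
import ipaddress
import re
import shlex

ACTIONS = {"ACCEPT", "DROP", "REJECT", "LOG"}
MAC_CHAINS = {"PREROUTING", "INPUT", "FORWARD"}     # -m mac is only valid in these chains
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")

# Constructed sample rule: drop UDP/53 queries for malware.example and its subdomains
RULE = {"name": "block-malware-example", "action": "DROP", "chain": "INPUT",
        "protocol": "udp", "interface": "eth0", "extension": "--dport 53",
        "match_string": "malware.example"}


def dns_wire_name_hex(name):
    """'malware.example' -> '|07|malware|07|example|00|' (xt_string --hex-string form).

    The length prefixes keep the match on label boundaries, and because the
    encoding is a suffix of any subdomain's QNAME, subdomains match too.
    """
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label {label!r}")
    return "".join(f"|{len(label):02x}|{label}" for label in labels) + "|00|"


def build_rule(rule):
    """Return the iptables command line for one template rule."""
    action, chain = rule["action"].upper(), rule["chain"]
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", chain):
        raise ValueError(f"invalid chain name {chain!r}")
    argv = ["iptables", "-A", chain]
    if rule.get("interface"):
        # OUTPUT/POSTROUTING have no input interface; iptables rejects -i there
        argv += ["-o" if chain in ("OUTPUT", "POSTROUTING") else "-i", rule["interface"]]
    if rule.get("protocol"):
        argv += ["-p", rule["protocol"].lower()]
    if rule.get("fragment"):
        argv.append("-f")
    for flag, key in (("-s", "source"), ("-d", "destination")):
        if rule.get(key):
            # strict=True: reject 10.1.2.3/24 instead of letting iptables mask it silently
            argv += [flag, ipaddress.ip_network(rule[key], strict=True).with_prefixlen]
    if rule.get("mac"):
        if chain not in MAC_CHAINS:
            raise ValueError("MAC source match is only valid in PREROUTING, INPUT and FORWARD")
        if not MAC_RE.match(rule["mac"]):
            raise ValueError(f"invalid MAC address {rule['mac']!r}")
        argv += ["-m", "mac", "--mac-source", rule["mac"]]
    if rule.get("extension"):
        argv += shlex.split(rule["extension"])      # e.g. "--dport 53", after -p
    if rule.get("match_string"):
        # --icase because resolvers may send mixed-case QNAMEs; DNS names are case-insensitive
        argv += ["-m", "string", "--algo", "bm", "--icase",
                 "--hex-string", dns_wire_name_hex(rule["match_string"])]
    if rule.get("name"):
        argv += ["-m", "comment", "--comment", rule["name"]]   # keeps the Rule Name visible in -L
    argv += ["-j", action]
    return shlex.join(argv)


if __name__ == "__main__":
    print(build_rule(RULE))
```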
Conclusion
Creating and applying a firewall template in TCPWave IPAM involves a systematic process of configuring rules tailored to specific security needs. These templates, once assigned to DNS Appliances, enforce robust security measures, safeguarding the network from various threats and ensuring efficient traffic management.
Overview
Response Policy Zones (RPZ) are a powerful DNS security feature supported by TCPWave IPAM. They enable administrators to implement customized DNS response policies to enhance network security. These policies can be created locally or sourced from external, reputable providers.
Key Features of RPZ Templates
Template-Based Management: RPZs in TCPWave IPAM are managed through templates. Each template contains specific RPZ information necessary to control DNS responses.
Local and External RPZ Policies: The system supports both locally created policies and external RPZ feeds. External feeds are typically updated through DNS zone transfers from reputable data appliances.
Location of RPZ Files: For locally managed RPZ policies, the policy files are stored in the directory /opt/tcpwave/tims/IPAM/rpzFiles on the IPAM appliance.
Application to DNS Cache Appliances: Once defined, RPZ templates can be applied to DNS Cache Appliances within the network. These appliances then use the RPZ information to modify DNS responses based on the defined policies.
Operations in RPZ Templates Interface
Adding an RPZ Template:
Access the RPZ Templates section in the TCPWave IPAM interface.
Initiate the process to define a new RPZ template.
Specify necessary RPZ details, including policy rules and actions (e.g., blocking or redirecting certain DNS requests).
Choose between creating a local policy or integrating an external RPZ feed.
Save the template for deployment.
Editing an RPZ Template:
Select a template from the list of existing RPZ templates.
Make desired changes, such as updating rules, actions, or data feed sources.
Save the modifications to the template.
Deleting an RPZ Template:
From the list of templates, select the one you wish to delete.
Confirm the deletion to remove the template permanently from the system.
Bookmarking a Template:
For quick access, bookmark essential or frequently used RPZ templates.
This feature provides convenient navigation to specific templates.
Conclusion
RPZ templates in TCPWave IPAM offer a versatile tool for DNS security management. Whether leveraging local policies or external data feeds, these templates provide a dynamic means to secure DNS queries and responses, thereby enhancing the network’s overall security posture.
Steps to Add an RPZ Template
Accessing the RPZ Template Section: Go to Network Management >> DNS Management >> DNS Security >> DNS Threat Management on the TCPWave IPAM platform. This will display the DNS Threat Management page.
Initiating the Creation of a New RPZ Template: Click on the option to create a new RPZ Template. This action will open the RPZ Template Creation page.
Filling in RPZ Template Details:
External Feed: Indicate whether the RPZ template will use an external feed.
Organization: Choose an organization from the dropdown menu.
Name: Provide a unique name for the RPZ template.
Zone Name: Enter the domain (e.g., example.com) for which the RPZ policy is being created.
RPZ Policy File: Select from available local RPZ policy files, applicable when not using an external feed.
RPZ Feed Provider: Choose the provider for external RPZ feeds (e.g., Threatstop, Deteque, etc.).
Master Server: Input the master server IP or name for external feeds.
Communication Key Name/Value: Provide necessary authentication details for zone transfers (for external feeds).
QName Wait Recurse: Decide whether to enable or disable this option based on RPZ requirements.
Description: Add a description for clarity and future reference.
Completing the Template Creation: After filling in all required fields, click OK to proceed. A validation message will appear, prompting confirmation. Click YES to confirm and finalize the creation of the RPZ template.
Confirmation and Review: Upon successful creation, a confirmation message is displayed. The new RPZ Template will now be listed in the RPZ Templates grid, complete with searchable and sortable options for easy management.
Applying the RPZ Template
Once created, the RPZ template can be applied to DNS Cache Appliances to enforce the defined policies. This ensures the desired response policy is active for DNS queries relevant to the specified zone or domain.
Conclusion
Creating an RPZ template in TCPWave IPAM is a structured process that allows for detailed customization of DNS response policies. Whether using local policies or integrating external feeds, this feature enhances DNS security by managing how DNS queries are handled for specific domains.
Overview
Response Policy Zones (RPZ) are a critical feature in TCPWave IPAM, used for enhancing DNS security. They can be configured either by using locally created policies or by integrating feeds from external sources. These policies are applied to DNS Cache Appliances to manage DNS query responses effectively.
Location of RPZ Files
For locally created RPZ policies, the files are stored in the following directory on the IPAM Appliance:
/opt/tcpwave/tims/IPAM/rpzFiles
Key Operations
Adding RPZ Files: To introduce new RPZ policies, navigate to the appropriate section in the IPAM interface. Here, you can create a new RPZ file by specifying necessary details and policy rules.
Editing RPZ Files: For modifications to existing RPZ files, select the file from the list and make the necessary changes. This option allows you to update or refine your RPZ policies as needed.
Deleting RPZ Files: If an RPZ file is no longer needed or requires replacement, you can remove it from the system. This ensures that only current and relevant RPZ policies are applied.
Bookmarking: For quick access to frequently used or important RPZ files, you can bookmark them. This feature facilitates easier management and navigation within the IPAM interface.
Applying RPZ Templates
After defining RPZ policies in the files, you’ll need to apply these via RPZ templates to the DNS Cache Appliances. This ensures the enforcement of these policies across your DNS infrastructure.
Conclusion
The RPZ functionality in TCPWave IPAM offers a robust mechanism for DNS security management. Whether using local policies or external feeds, it provides an effective way to control and monitor DNS query responses, thereby enhancing the overall security posture of your network infrastructure.
Overview
Response Policy Zones (RPZ) are essential for DNS security in TCPWave IPAM, allowing administrators to implement rules that dictate how DNS queries are handled. Adding an RPZ file involves specifying triggers and rules that define these behaviors.
Steps to Add an RPZ File
Navigate to the DNS Threat Management Section:
Go to Network Management >> DNS Management >> DNS Security >> DNS Threat Management. This opens the DNS Threat Management page.
Accessing the RPZ Files Tab:
On the DNS Threat Management page, click the RPZ Files tab.
Creating a New RPZ File:
Click the ‘Add New’ (‘+’) icon. You are taken to the ‘RPZ Files >> New’ page.
Filling in RPZ File Details:
RPZ File Policy Name: Enter a unique, descriptive name for the policy file.
RPZ Policy Rule: Each rule has three parts:
Policy Trigger: What the rule matches. RPZ defines five trigger kinds: the queried name (QNAME, wildcards allowed), an address or prefix that appears in the answer (IP), the querying client's address (Client IP), the name of an authoritative name server for the answer (NSDNAME), and the address of such a name server (NSIP).
Policy RR Type: The resource record type of the rule's right-hand side, chosen from the drop-down (A, AAAA, CNAME, and so on). The named actions below are always carried as CNAME records.
Policy RH Value: The right-hand value. Either one of the RPZ actions, NXDOMAIN (answer does not exist), NODATA (name exists but has no records of that type), PASSTHRU (exempt from policy), DROP (no response at all) or TCP-Only (force the client to retry over TCP), or local data such as an address or CNAME target to return in place of the real answer, for example to redirect to a sinkhole. In the zone file BIND loads, the actions are encoded as special CNAME targets (NXDOMAIN is CNAME ., NODATA is CNAME *., PASSTHRU is CNAME rpz-passthru.), so a CNAME with one of those exact targets means something different from an ordinary redirect.
Adding the Rule:
After entering the details, click ‘Add’ to include the policy rule in the Rules list. Repeat for each rule the file should contain.
Saving the RPZ File:
Click ‘OK’ to save the new RPZ file. The message “The RPZ Policy File has been created successfully” confirms the creation.
Viewing the RPZ File:
The new RPZ file is listed in the RPZ Files grid, with searchable and sortable columns for easy management.
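What the finished file looks like once it reaches a BIND cache appliance is not shown above. The following added example (my code, not TCPWave's or ISC's) renders rules made of the three form fields into the zone records that BIND's response-policy statement consumes, for all five trigger kinds rather than only names. The zone name rpz.local, the SOA timers and the sample rules are constructed assumptions.

```python
"""Render RPZ policy rules (trigger type, trigger, RR type, right-hand value)
into the zone records a BIND cache appliance loads.  Added example, not
TCPWave or ISC code.  Zone name, timers and sample rules are assumptions."""
import ipaddress

# RPZ expresses policy actions as special CNAME targets (BIND RPZ convention).
ACTIONS = {
    "NXDOMAIN": "CNAME .",
    "NODATA": "CNAME *.",
    "PASSTHRU": "CNAME rpz-passthru.",
    "DROP": "CNAME rpz-drop.",
    "TCP-ONLY": "CNAME rpz-tcp-only.",
}

# Trigger type -> owner-name suffix inside the RPZ zone (QNAME has none).
SUFFIX = {"QNAME": "", "IP": "rpz-ip", "CLIENT-IP": "rpz-client-ip",
          "NSDNAME": "rpz-nsdname", "NSIP": "rpz-nsip"}


def ip_labels(cidr: str) -> str:
    """Encode an address trigger as <prefixlen>.<reversed address>.
    10.1.2.0/24 -> 24.0.2.1.10 ; 2001:db8::1/128 -> 128.1.zz.db8.2001
    (IPv6 groups are reversed and '::' becomes the label 'zz')."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        labels = list(reversed(str(net.network_address).split(".")))
    else:
        text = net.network_address.compressed
        if "::" in text:
            left, right = text.split("::")
            labels = ([g for g in reversed(right.split(":")) if g] + ["zz"]
                      + [g for g in reversed(left.split(":")) if g])
        else:
            labels = list(reversed(text.split(":")))
    return ".".join([str(net.prefixlen)] + labels)


def owner_name(trigger_type: str, trigger: str) -> str:
    """Owner name of the policy record, relative to the RPZ zone origin."""
    kind = trigger_type.upper()
    if kind not in SUFFIX:
        raise ValueError(f"unknown trigger type {trigger_type}")
    if kind in ("IP", "CLIENT-IP", "NSIP"):
        return f"{ip_labels(trigger)}.{SUFFIX[kind]}"
    name = trigger.rstrip(".").lower()
    return f"{name}.{SUFFIX[kind]}" if SUFFIX[kind] else name


def rdata(rr_type: str, rh_value: str) -> str:
    """Right-hand side: a named action (always a CNAME) or local data."""
    if rh_value.upper() in ACTIONS:
        return ACTIONS[rh_value.upper()]
    rr_type = rr_type.upper()
    if rr_type == "CNAME" and not rh_value.endswith("."):
        rh_value += "."          # local CNAME targets must be absolute
    return f"{rr_type} {rh_value}"


def render_zone(zone: str, rules, serial: int = 1) -> str:
    """Emit a complete RPZ zone file; BIND requires the SOA and NS records."""
    lines = [
        "$TTL 300",
        f"$ORIGIN {zone}.",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for r in rules:
        lines.append(f"{owner_name(r['trigger_type'], r['trigger'])} IN "
                     f"{rdata(r['rr_type'], r['rh_value'])}")
    return "\n".join(lines) + "\n"


# Constructed sample rules (assumption: not taken from any real feed).
SAMPLE_RULES = [
    {"trigger_type": "QNAME", "trigger": "malware.example", "rr_type": "CNAME", "rh_value": "NXDOMAIN"},
    {"trigger_type": "QNAME", "trigger": "*.tracker.example", "rr_type": "CNAME", "rh_value": "NODATA"},
    {"trigger_type": "QNAME", "trigger": "phish.example", "rr_type": "A", "rh_value": "203.0.113.10"},
    {"trigger_type": "IP", "trigger": "192.0.2.0/24", "rr_type": "CNAME", "rh_value": "DROP"},
    {"trigger_type": "CLIENT-IP", "trigger": "10.0.0.0/8", "rr_type": "CNAME", "rh_value": "PASSTHRU"},
    {"trigger_type": "NSDNAME", "trigger": "ns1.bad.example", "rr_type": "CNAME", "rh_value": "NXDOMAIN"},
    {"trigger_type": "NSIP", "trigger": "2001:db8::/32", "rr_type": "CNAME", "rh_value": "TCP-ONLY"},
]

if __name__ == "__main__":
    print(render_zone("rpz.local", SAMPLE_RULES, serial=2024011501))
```

The third sample rule is a sinkhole: an A record as local data replaces the real answer instead of denying it, which is how you keep visibility of which clients keep asking for a known-bad name.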
Conclusion
Adding RPZ files in TCPWave IPAM is a structured process that enhances DNS security by enabling administrators to set specific rules for DNS query handling. By following these steps, you can effectively manage and enforce DNS policies tailored to your network’s security needs.
Overview
NSM templates in TCPWave DDI are crucial for creating configurations that enhance network security. These templates enable DNS remote appliances to detect and prevent attacks, ensuring the network’s integrity and safety.
Key Operations
Add NSM Template:
Create a new Network Security Monitoring template, specifying the parameters and settings that define how the remote appliance monitors its traffic.
Edit NSM Template:
Modify an existing NSM template. Use this to update or fine-tune the monitoring configuration as network demands and threats evolve.
Delete NSM Template:
Remove an NSM template from the system, for example when it is no longer relevant or has been replaced by an updated configuration.
Bookmark NSM Template:
Mark specific NSM templates for easy access. Useful for templates that are frequently used or need regular review.
Additional Functionalities
Alert Generation: Upon detecting an attack, the system automatically generates an alert. This feature is pivotal for immediate response to potential security breaches.
Fault Management Integration: Alerts generated by NSM templates are logged in the Fault Management section, providing a centralized view of network security incidents.
DNS Reports Access: Detailed information about alerts and network security events can be accessed in the DNS Reports section. This allows for in-depth analysis and informed decision-making regarding network security.
Conclusion
NSM templates in TCPWave DDI are a fundamental tool for maintaining robust network security. They provide a systematic approach to monitoring, detecting, and responding to potential network threats. With options to add, edit, delete, and bookmark, these templates offer flexibility and control in managing network security protocols.
Steps to Add an NSM Template
Accessing NSM Template Section:
Go to Network Management >> DNS Management >> DNS Security >> DNS Threat Management. This opens the DNS Threat Management page.
Starting the Template Creation:
Click New under the NSM Templates tab to begin creating a new NSM template.
Configuring the NSM Template:
Organization Selection: Choose the relevant organization from the drop-down menu.
Template Name: Provide a unique name for the template.
Network Interface: Specify the network interface the remote appliance monitors, such as eth0 to eth9 or bond0 to bond9.
Enable Anomaly Detection: When checked, anomalous DNS traffic is detected using machine-learning models. Specify the Entropy Value used by the check (high-entropy query names are the usual signature of DGA and DNS-tunnelling traffic) and decide whether to enable DoH (DNS over HTTPS).
Associate NSM Template: Apply the template to the appropriate DNS appliances, such as BIND Authoritative, BIND Cache or Unbound Cache appliances.
Enable Intrusion Detection & Prevention: When enabled, configure the number of workers and the Intrusion Prevention System (IPS) rules and variables.
Creating Rule Variables and IPS Rules:
Rule Variables: Add, edit or delete rule variables such as address groups or port groups.
IPS Rules: Create rules to detect and prevent attacks, specifying the action, protocol, source and destination IPs and ports, signature ID, classtype and message. Keep signature IDs unique across all templates applied to an appliance, since the ID is what an alert is traced back to.
Whitelisting and Blacklisting Domains:
Manage trusted (whitelisted) and suspicious (blacklisted) domains. Domains can be added, edited, deleted or imported from a CSV file.
Finalizing the Template:
Add any descriptive notes for the NSM template, then click OK and confirm the creation.
Confirmation and Review:
A message confirms that the NSM template was created, and the new template is listed in the NSM Templates grid.
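The entropy check and the whitelist/blacklist step can be exercised offline before an appliance ever sees the template. The following added example (my code, not TCPWave's) runs constructed BIND-style query-log lines through a deny list, an allow list and a Shannon-entropy threshold, in that order. The log format, the list contents, the 3.5-bit threshold and the simplification that the last two labels of a name are its registered domain are all illustrative assumptions.

```python
"""Screen DNS query-log lines against allow/deny domain lists and an entropy
threshold of the kind an NSM template configures.  Added example, not
TCPWave code: log format, lists and the 3.5-bit threshold are constructed."""
import math
import re
from collections import Counter

# Constructed lines in BIND's query-log style (client#port, qname, type).
SAMPLE_LOG = """\
client 10.1.2.3#53211: query: www.example.com IN A + (10.1.2.1)
client 10.1.2.3#53212: query: c2.bad.example IN A + (10.1.2.1)
client 10.1.2.7#40011: query: x7q2mz9kp4vb1wn3rt8y.corp.example IN TXT + (10.1.2.1)
client 10.1.2.9#40012: query: x7q2mz9kp4vb1wn3rt8y.example.net IN TXT + (10.1.2.1)
"""
LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")

DENY = {"bad.example"}          # "blacklisted" domains in the template
ALLOW = {"corp.example"}        # "whitelisted" domains in the template
ENTROPY_BITS = 3.5              # assumed threshold; derive yours from a baseline


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character (0.0 for an empty or constant string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def matches_list(qname: str, domains) -> bool:
    """True when qname equals or is a subdomain of any listed domain."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def classify(qname: str) -> str:
    """Deny list beats allow list; otherwise score the non-registered part."""
    if matches_list(qname, DENY):
        return "block"
    if matches_list(qname, ALLOW):
        return "allow"
    labels = qname.rstrip(".").lower().split(".")
    sub = "".join(labels[:-2])   # crude: last two labels = registered domain
    return "anomalous" if shannon_entropy(sub) > ENTROPY_BITS else "ok"


def scan_log(text: str):
    """Return (client, qname, verdict) for every parsable line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            client, qname, _qtype = m.groups()
            out.append((client, qname, classify(qname)))
    return out


if __name__ == "__main__":
    for client, qname, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:9} {client:12} {qname}")
```

Note the third line: the same 20-character random label is accepted because its parent is whitelisted, which is exactly why the allow list deserves the same review as the deny list.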
Key Features
Anomaly Detection: Utilizes advanced ML models to detect unusual DNS traffic patterns.
Intrusion Detection & Prevention: Monitors and blocks malicious traffic with configurable rules.
Whitelist/Blacklist Management: Provides control over domain access based on trustworthiness.
Customizable Rules and Variables: Allows fine-tuning of security parameters to fit specific network needs.
Integration with DNS Appliances: Template can be applied across various DNS appliance types within the organization.
Conclusion
Creating an NSM template in TCPWave DDI involves configuring various security parameters and rules to enhance network monitoring and threat detection. This feature is integral for maintaining a robust and secure DNS infrastructure.
Export Compliance Management
Overview
The OFAC Prohibited Countries list is a critical aspect of export compliance management, identifying countries that are subject to trade sanctions and embargoes by the United States. These sanctions are imposed due to various reasons, including involvement in terrorism, narcotics, and other activities considered threats to national security and foreign policy.
Operations in the OFAC Interface
Adding to the OFAC Prohibited Countries List
Access OFAC Interface: Navigate to the section where OFAC Prohibited Countries are managed.
Add Country: Enter the details of the country to be added to the list, ensuring compliance with current U.S. Treasury sanctions.
Validation: Confirm that the country being added is currently under sanction as per the latest OFAC regulations.
Submit: Review the information and submit to add the country to the OFAC Prohibited Countries list.
Deleting from the OFAC Prohibited Countries List
Select Country: In the OFAC interface, select the country you wish to remove from the list.
Reason for Deletion: Ensure there is a valid reason for the removal, such as a change in the U.S. Treasury’s sanctions policy.
Confirm Deletion: Review and confirm the deletion to update the list accordingly.
Importance of OFAC Compliance
Legal Requirement: Compliance with OFAC regulations is mandatory for businesses operating within the United States, and failure to comply can result in severe legal consequences.
National Security: By adhering to these regulations, businesses contribute to the national security efforts of the U.S. government.
Reputation Management: Compliance ensures that a business maintains a good standing and avoids associations with disreputable activities.
Best Practices for OFAC Compliance
Regular Updates: Keep the OFAC list updated in accordance with the latest changes published by the U.S. Treasury.
Staff Training: Ensure that staff members are trained and aware of OFAC regulations and their implications on business operations.
Integration with Business Processes: Incorporate OFAC compliance checks into standard business procedures, especially in areas like client onboarding and financial transactions.
Legal Consultation: Regularly consult with legal experts specializing in international trade and compliance to stay informed about the evolving sanctions landscape.
Conclusion
Managing the OFAC Prohibited Countries list is a crucial aspect of export compliance, requiring businesses to stay vigilant and proactive in aligning with U.S. Treasury sanctions. Regular updates, staff training, and integration of these checks into business processes are essential for maintaining compliance and supporting national security objectives.
DNS TSIG Keys Management
Overview of TSIG Keys in DNS Management
TSIG (Transaction Signature) keys are utilized in Domain Name System (DNS) to provide secure authentication of DNS updates and transactions. They play a vital role in ensuring the integrity and security of DNS data. IPAM (IP Address Management) systems often include functionalities for creating, maintaining, and managing these TSIG keys.
Operations Available in TSIG Keys Interface
Add
Purpose: Introduce a new TSIG key into the system.
Process: Typically involves specifying the key name, the algorithm, and the key material (the shared secret). Use HMAC-SHA256 or stronger for new keys; HMAC-MD5 is still offered for legacy peers but is no longer considered secure.
Application: Used when setting up new secure DNS zones or updating mechanisms that require authenticated transactions.
Clone
Purpose: Create a duplicate of an existing TSIG key.
Usage: Useful when similar settings are to be applied across multiple zones or servers, saving the effort of re-entering key details. Give the clone its own secret: a secret shared between unrelated peers means that compromising one of them exposes all of them.
Edit
Purpose: Modify the details of an existing TSIG key.
Scenarios: Necessary when updating the key material for security reasons or correcting initial configuration errors.
Delete
Purpose: Remove an existing TSIG key from the system.
Consideration: Should be done with caution as it may impact zones or transactions relying on that specific key for authentication.
Bookmark
Purpose: Mark specific TSIG keys for quick access.
Benefit: Streamlines management by allowing quick navigation to frequently used keys.
Import
Purpose: Bulk add TSIG keys from an external source or file.
Efficiency: Significantly reduces the time and effort in scenarios where multiple keys need to be added to the system.
Key Considerations in TSIG Key Management
Security: Regularly update and rotate TSIG keys to maintain high security.
Documentation: Keep accurate records of all TSIG keys for audit and troubleshooting purposes.
Consistency: Ensure that key names and algorithms are consistently used across related DNS zones and services.
Testing: After adding or modifying TSIG keys, test the configuration to ensure that DNS transactions are functioning as expected.
Backup: Maintain backups of the TSIG key configurations to prevent disruptions in case of system failures.
Conclusion
Efficient management of TSIG keys is crucial for the security and integrity of DNS transactions. The ability to add, clone, edit, delete, bookmark, and import keys via an IPAM interface streamlines this process, making it more efficient and less prone to errors. As with any security-related feature, careful planning, consistent management practices, and regular reviews are essential to ensure the effectiveness of TSIG keys in DNS security.
Adding a TSIG Key in DNS Management
Steps to Add a TSIG Key
Accessing TSIG Keys Section:
Navigate to Network Management >> DNS Management >> DNS Security >> DNS TSIG Keys.
This action will display the DNS TSIG keys page.
Initiating TSIG Key Creation:
Click the designated button (often represented by a “+” or “New” icon) to start the process.
This opens the Create TSIG Key page with various tabs for detailed configuration.
Completing Details in TSIG Key Attributes:
TSIG Key Name: Input a unique name for the TSIG key.
TSIG Key Algorithm: Choose the algorithm from the dropdown menu (e.g., HMAC-MD5, HMAC-SHA256). Prefer HMAC-SHA256 or stronger; select HMAC-MD5 only when a legacy peer cannot do anything else.
Auto Generate TSIG Key: Optionally, select this checkbox to automatically generate the secret key using the selected algorithm. When selected, manual input for the TSIG Secret Key is not required.
TSIG Secret Key: If auto-generation is not selected, manually input a secret key.
ACL Description: Provide a brief description of the TSIG key for reference.
Finalizing and Creating the TSIG Key:
After filling in the necessary details, click OK.
A validation message appears, asking for confirmation: “Are you sure you want to add the TSIG key? Click Yes to proceed.”
Click YES to confirm and create the TSIG key.
A confirmation message will display, indicating the successful creation of the TSIG key: “TSIG key has been created successfully.”
Reviewing the Added TSIG Key:
The newly added TSIG key will be listed in the DNS TSIG Keys grid, which includes searchable and sortable columns for easy management.
References Section:
This section lists DNS Access Control Lists (ACLs) utilizing the TSIG key.
Clicking on any record in this section will navigate you to the respective ACLs for further details or modifications.
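With Auto Generate ticked, the IPAM produces the secret for you; the added example below (my code, not TCPWave's or ISC's) does the same with the operating system's random source, using a secret as long as the algorithm's output, renders the BIND key clause that ends up on the appliances, and shows that a MAC made under an old key fails to verify under its replacement, which is the check to run after a rotation. The key name and the signed message are assumptions, and the MAC covers an opaque byte string to show the HMAC mechanics rather than the full TSIG record layout of RFC 8945.

```python
"""Generate, render and exercise TSIG secrets.  Added example, not TCPWave
or ISC code.  Key name and sample message are assumptions; the MAC here
covers an opaque byte string, not the full RFC 8945 TSIG record layout."""
import base64
import hashlib
import hmac
import secrets

# TSIG algorithm name -> (hash function, secret length = hash output size).
# hmac-md5 is deliberately absent: keep it only for legacy peers and never
# create new keys with it.
ALGORITHMS = {
    "hmac-sha256": (hashlib.sha256, 32),
    "hmac-sha384": (hashlib.sha384, 48),
    "hmac-sha512": (hashlib.sha512, 64),
}


def generate_secret(algorithm: str) -> str:
    """Base64 secret of the algorithm's full output length, from the OS CSPRNG."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"refusing to generate a key for {algorithm}")
    _, size = ALGORITHMS[algorithm]
    return base64.b64encode(secrets.token_bytes(size)).decode("ascii")


def key_clause(name: str, algorithm: str, secret: str) -> str:
    """BIND named.conf 'key' statement, the form the appliance config carries."""
    return (f'key "{name}" {{\n'
            f"    algorithm {algorithm};\n"
            f'    secret "{secret}";\n'
            "};\n")


def sign(secret: str, algorithm: str, message: bytes) -> bytes:
    digest, _ = ALGORITHMS[algorithm]
    return hmac.new(base64.b64decode(secret), message, digest).digest()


def verify(secret: str, algorithm: str, message: bytes, mac: bytes) -> bool:
    """Constant-time comparison; a wrong or rotated-out key must fail."""
    return hmac.compare_digest(sign(secret, algorithm, message), mac)


if __name__ == "__main__":
    old = generate_secret("hmac-sha256")
    new = generate_secret("hmac-sha256")          # rotation: issue the new key first
    print(key_clause("axfr-key.example", "hmac-sha256", new))
    msg = b"NOTIFY example.com. from ns1"        # constructed stand-in for a DNS message
    mac = sign(old, "hmac-sha256", msg)
    print("old key verifies:", verify(old, "hmac-sha256", msg, mac))
    print("new key verifies:", verify(new, "hmac-sha256", msg, mac))
```

Rotate by adding the new key to both peers and to the ACL first, switching the zone transfer or update configuration over, and only then deleting the old key; deleting first is what produces BAD-KEY failures on the next transfer.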
Important Considerations
Security: Ensure that the chosen algorithm and secret key are robust and align with your organization’s security policies.
Unique Naming: The TSIG key name should be unique to avoid conflicts and ensure easy identification.
Auto-Generation vs. Manual Keying: Decide between auto-generating the TSIG key for convenience or manually entering it for specific security requirements.
Documentation: Keep records of the TSIG keys, their purposes, and associated ACLs for auditing and management purposes.
Conclusion
The addition of a TSIG key in the DNS management system is a crucial step in securing DNS transactions and updates. By following these steps and considering security best practices, you can effectively manage and utilize TSIG keys within your network infrastructure.
DNS Appliance Template Management
Overview of DNS Appliance Template Management
DNS Appliance Templates are crucial for effectively managing and configuring DNS appliances. These templates are instrumental in setting up various DNS functionalities such as logging, dynamic updates, forwarders, DNS external root hints, and DNSTAP. They are particularly applicable to BIND AUTH+Cache and Cache appliances.
Operations for DNS Appliance Template Management:
Add a DNS Appliance Template:
This function allows you to create a new template for DNS appliances.
Ideal for establishing a standardized configuration that can be applied to multiple DNS appliances.
Edit a DNS Appliance Template:
Use this to modify the settings of an existing template.
Helpful for updating configurations to align with changing network requirements or security policies.
Clone a DNS Appliance Template:
This option lets you duplicate an existing template.
It’s useful when you need a new template similar to an existing one, with minor differences.
Delete a DNS Appliance Template:
Use this to remove an obsolete or unnecessary template.
Important for maintaining an organized and efficient template library, preventing clutter.
Utilizing DNS Appliance Templates:
Standardization: Templates ensure uniformity in DNS configurations across multiple appliances, which is essential for consistency and easier management.
Efficiency: They save time and effort by allowing mass application of configurations rather than configuring each appliance individually.
Customization and Flexibility: Templates can be tailored to meet specific network requirements while maintaining the ability to quickly adapt to changes.
Key Aspects to Consider:
Configuration Details: Determine logging levels, update mechanisms, and other DNS functionalities based on network needs and security protocols.
Template Naming: Use clear and descriptive names for easy identification and management.
Documentation: Maintain records of the templates, their specific configurations, and the appliances they are applied to for auditing and troubleshooting purposes.
Review and Testing: Before applying a new or modified template to production DNS appliances, review the configurations for accuracy and test in a controlled environment.
Conclusion:
Managing DNS Appliance Templates is a strategic approach to DNS management, providing a streamlined and standardized method for configuring and maintaining DNS appliances. By utilizing these templates, network administrators can ensure effective, consistent DNS operations, adapt quickly to changes, and maintain high security and performance standards.
Adding a DNS Appliance Template involves several steps to configure various aspects of the DNS appliance, including dynamic updates, DNSTAP logs, and specific forwarding settings. Here’s a breakdown of the process for clarity:
Navigate to the DNS Appliance Templates Page:
Go to Network Management >> DNS Management >> DNS Templates >> DNS Appliance Templates.
This will display the DNS Appliance Templates page.
Initiate Template Creation:
Click the designated button to create a new template.
The system will display the “Create Appliance Template” page with multiple tabs.
Complete Appliance Template Configuration:
DNS Appliance Type: Select the appropriate type from a dropdown list.
Template Name: Input a name for the template.
Enable Dynamic Updates: Opt to enable or disable dynamic updates.
Enable DNSTAP Logs: Toggle this for BIND AUTH and BIND CACHE appliances.
Resolvers for DMZ Cache Forwarding: Configure settings for resolving internal zones managed by TCPWave IPAM.
Description: Provide a description of the DNS appliance template.
Configure TSIG Algorithm (For BIND Authoritative and DNS Proxy Appliances):
Add TSIG algorithms by specifying the algorithm and bit size.
Set Up Loggers (Applicable to Certain Appliance Types):
Add loggers by choosing a category and a log channel.
DNS Forwarders (For Internal Cache and Bind AUTH+Cache Appliances):
Manage DNS forwarders, which are essential for resolving external zones.
DNS External Root Hints (For Overriding Default Root Hints in Internal Cache Appliances):
Provide external root hints information if required.
Finalize and Create the Template:
Click OK to proceed.
Confirm the creation of the DNS appliance template.
Verification:
The system will confirm the successful creation of the DNS Appliance Template.
The new template will be listed in the DNS Appliance Templates grid with searchable and sortable columns.
Key Points to Remember:
DNS Appliance Type: Ensure you select the correct appliance type as it determines the applicable settings.
Dynamic Updates: Enabling them lets clients change zone data at run time, so pair the setting with a restrictive Allow Update ACL (ideally keyed by TSIG) rather than leaving updates open. DNSTAP Logs: DNSTAP records complete query and response messages in a compact binary stream with far less overhead than text query logging, which makes it the right source for forensics; budget the disk space it consumes.
DMZ Cache Forwarding: This setting is important for resolving internal zones, especially in external DNS appliances.
TSIG and Loggers: Proper configuration is essential for secure communication and effective logging.
DNS Forwarders and External Root Hints: These are vital for resolving external zones and customizing root hints.
By following these steps, you can efficiently create a DNS Appliance Template tailored to your network’s specific requirements.
DNS Option Templates
DNS Option Templates are essential for defining the behavior of DNS Appliances in a network. These templates contain various settings and parameters that dictate how the DNS Appliance will operate. Here’s a detailed explanation of the DNS Option Templates interface and the operations you can perform:
Accessing DNS Option Templates:
Navigate to the DNS Option Templates Page:
Go to Network Management >> DNS Management >> DNS Templates >> DNS Option Templates.
This opens the DNS Option Templates page.
Understanding Default Templates:
The system displays a list of default templates, each tailored for different types of DNS Appliances:
BIND AUTH Default Template: For BIND Authoritative servers.
BIND CACHE Default Template: For BIND Caching servers.
DNS PROXY Default Template: For DNS Proxy servers.
NSD AUTH Default Template: For NSD Authoritative servers.
UNBOUND Default Template: For Unbound servers.
These templates serve as a starting point and can be customized based on specific network requirements.
Operations on DNS Option Templates:
You can perform various operations on the DNS Option Templates page:
Add a New Template:
Use this option to create a new DNS Option Template. You will need to specify various DNS parameters and settings in the template.
Clone an Existing Template:
This option allows you to make a copy of an existing template. It’s useful when you want to create a new template that is similar to an existing one, with minor changes.
Edit a Template:
Choose this to modify the settings of an existing DNS Option Template. This is useful for updating or fine-tuning the parameters of a template.
Delete a Template:
Use this to remove an unwanted or obsolete DNS Option Template from the system.
Bookmark a Template:
This feature allows you to bookmark templates for quick access. It’s handy when you frequently need to refer to specific templates.
Import a Template:
This option is used to import DNS Option Templates, perhaps from another environment or a previous configuration backup.
Key Considerations:
Template Selection: When creating or editing a DNS Appliance, ensure to associate the correct DNS Option Template to achieve the desired behavior.
Template Customization: While the default templates provide a good starting point, customization may be necessary to meet specific network requirements.
Template Management: Regularly review and update the DNS Option Templates to ensure they align with the evolving needs of your network infrastructure.
By using DNS Option Templates effectively, you can streamline the configuration of DNS Appliances, ensuring they operate efficiently and in accordance with your network policies.
To add a DNS Option Template in TCPWave IPAM, follow these steps:
Access DNS Option Templates:
Navigate to Network Management >> DNS Management >> DNS Templates >> DNS Option Templates.
The DNS Option Templates page will be displayed.
Begin Template Creation:
Click the button for creating a new template (labelled ‘Add’ or ‘New’) to start a new DNS Option Template.
Fill in Template Details:
For BIND Authoritative/BIND Cache/DNS Proxy:
Organization: Select the relevant organization.
Template Name: Provide a unique name for the template.
Template Description: Write a brief description.
Configure Directory, ACLs, DNSSEC, Listen On v6, etc.: Fill in these fields as per your network configuration needs.
Check SRV CNAME, MX CNAME, MX, and Names: Configure these settings as required.
Forward and Forwarders: If applicable, set these for query forwarding.
Recursive Client: Enter the value as needed.
Configure Rate Limit Settings:
Fill in Responses Per Second, Referrals-Per-Second, Nodata-Per-Second, Nxdomains-Per-Second and the related parameters. These correspond to BIND's response-rate-limit (RRL) options: each limit is the number of identical responses per second that one client prefix (a /24 for IPv4 by default) may receive before further responses are dropped or, every slip-th time, returned truncated so that a genuine client retries over TCP. RRL stops the appliance from being used as a reflector in amplification attacks. Derive the values from your own query baseline and test with BIND's log-only mode before enforcing, because a limit set too low rate-limits busy legitimate resolvers that sit behind one NAT address.
Complete Additional Configurations:
Include necessary settings for NSD Authoritative and UNBOUND appliance types, if applicable. This includes settings like Server Count, IP Transparent, RRL Size, Extended Statistics, Interface settings, TCP configurations, and more.
Review and Submit:
After filling in all the necessary fields, review the information for accuracy.
Click ‘OK’ to proceed. A validation message will pop up for confirmation.
Confirm Creation:
Click ‘YES’ to confirm. A confirmation message stating “Option Template has been created successfully” will be displayed.
Verify New Template:
The newly created DNS Option Template should now appear in the DNS Option Templates grid, which allows for easy management through search and sorting capabilities.
It’s important to configure these templates carefully as they play a crucial role in the behavior of your DNS appliances. Ensure that all settings align with your specific network requirements and policies.
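To see how the rate-limit settings interact, here is an added example (my code, not TCPWave's or ISC's) that models BIND's response-rate-limit scheme: a credit balance per client prefix and response identity, a window that caps accumulated credit, and a slip setting that turns every Nth limited answer into a truncated one. The limits, prefix lengths and the rule that NXDOMAIN answers are grouped by their parent domain are assumptions chosen for illustration.

```python
"""Response rate limiting modelled on BIND's response-rate-limit.  Added
example, not TCPWave or ISC code; the limits below are assumptions."""
import ipaddress


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, nxdomains_per_second=5,
                 errors_per_second=5, window=15, slip=2,
                 ipv4_prefix_length=24, ipv6_prefix_length=56):
        self.rates = {"NOERROR": responses_per_second,
                      "NXDOMAIN": nxdomains_per_second}
        self.error_rate = errors_per_second
        self.window = window
        self.slip = slip
        self.v4len = ipv4_prefix_length
        self.v6len = ipv6_prefix_length
        self.buckets = {}          # key -> [balance, last_seen, limited_count]

    def _prefix(self, client_ip: str) -> str:
        """Clients are counted per prefix, so one host cannot dodge the limit."""
        ip = ipaddress.ip_address(client_ip)
        plen = self.v4len if ip.version == 4 else self.v6len
        return str(ipaddress.ip_network(f"{client_ip}/{plen}", strict=False))

    def _key(self, client_ip: str, qname: str, rcode: str):
        name = qname.rstrip(".").lower()
        if rcode == "NOERROR":
            ident = name                              # identical answers share a bucket
        elif rcode == "NXDOMAIN":
            ident = ".".join(name.split(".")[-2:])   # random-subdomain floods collapse onto the parent
        else:
            ident = "ERROR"                           # all other errors share one bucket
        return (self._prefix(client_ip), rcode, ident)

    def decide(self, client_ip: str, qname: str, rcode: str, now: float) -> str:
        """Return 'send', 'drop', or 'slip' (send a truncated answer, TC=1)."""
        rate = self.rates.get(rcode, self.error_rate)
        key = self._key(client_ip, qname, rcode)
        bal, last, limited = self.buckets.get(key, [float(rate), now, 0])
        bal = min(bal + rate * (now - last), rate * self.window)   # earn credit, capped by window
        if bal >= 1:
            self.buckets[key] = [bal - 1, now, limited]
            return "send"
        limited += 1                                  # debt accrues, bounded by the window
        self.buckets[key] = [max(bal - 1, -rate * self.window), now, limited]
        return "slip" if self.slip and limited % self.slip == 0 else "drop"


if __name__ == "__main__":
    rrl = ResponseRateLimiter()
    for i in range(8):
        print(i + 1, rrl.decide("10.1.2.3", "www.example.com", "NOERROR", now=0.0))
```

The slipped answers are what keep a spoofed-source flood from also cutting off the real owner of that address: the truncated reply is tiny, so it amplifies nothing, yet a legitimate client receiving it retries over TCP and gets a full answer.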
DNS Zone Templates
DNS Zone Templates in TCPWave IPAM offer a structured and standardized way to manage various DNS zone configurations. These templates serve as pre-defined sets of settings and rules that govern the behavior of DNS zones. By utilizing these templates, administrators can ensure uniformity and consistency in DNS configurations, significantly reducing the likelihood of errors and streamlining the management process.
Key aspects of DNS Zone Templates in TCPWave IPAM:
Purpose and Functionality:
DNS Zone Templates act as blueprints for DNS zones, encompassing a variety of settings including DNS key-value pairs, Access Control Lists (ACLs), Start of Authority (SOA) parameters, and master-slave server configurations.
When a new DNS zone is created using a template, it inherits all the predefined settings from the template, ensuring a consistent and controlled configuration.
Operations Available in DNS Zone Template Interface:
Add: Create a new template with customized settings suitable for specific requirements.
Clone: Duplicate an existing template to create a new one, allowing for modifications while retaining the base configuration.
Edit: Modify the settings of an existing template to update or refine its configuration.
Delete: Remove templates that are no longer needed or relevant.
Bookmark: Mark frequently used or important templates for quick access.
Import: Bring in templates from external sources, streamlining the process of integrating pre-existing configurations into the TCPWave environment.
Integration with Microsoft DNS:
TCPWave IPAM allows specifying a single Microsoft DNS appliance as the primary (master) server in the configuration. This integration facilitates seamless management and interoperability between TCPWave and Microsoft DNS environments.
Advantages:
Efficiency: Templates accelerate the process of setting up new DNS zones by applying pre-configured settings instantly.
Consistency: Ensures that all DNS zones adhere to a standard set of rules and configurations, reducing the risk of misconfigurations.
Customization: Allows for the creation of diverse templates to cater to different needs and scenarios in DNS management.
Scalability: Facilitates easier scaling of DNS infrastructure, as new zones can be rapidly configured with the necessary parameters.
In summary, DNS Zone Templates in TCPWave IPAM are essential tools for administrators to manage DNS zone configurations effectively. They offer a balance of standardization and flexibility, ensuring that DNS infrastructures are robust, consistent, and adaptable to varying requirements.
Adding a DNS Zone Template in TCPWave IPAM involves a series of steps to configure and apply a set of predefined settings to DNS zones. Here’s a breakdown of the process:
Navigation:
Go to Network Management >> DNS Management >> DNS Templates >> DNS Zone Templates.
The DNS Zone Templates page will be displayed.
Initiating Template Creation:
Click on the designated button to begin creating a new zone template.
A new window will appear with various tabs for different settings.
Filling in Basic Zone Information:
Under the “Zone Template Attributes” section, select the relevant organization from a dropdown list and provide a name for the new zone template.
Specify the Default Time-To-Live (TTL) for the DNS records in the zone.
Configuring SOA Record Attributes:
Fill in the Master Name (MNAME), which identifies the primary authoritative DNS appliance for the zone.
Provide an administrative contact email address. It is stored in the SOA RNAME field, where the ‘@’ becomes a dot, so any dots in the local part must be escaped (john.doe@example.com becomes john\.doe.example.com.).
Set values for the SOA record attributes like Refresh Time, Retry Time, Expire Time, and Negative Cache Time.
Setting Address Match List Attributes:
Define attributes such as ‘Allow Notify’, ‘Allow Transfer’ and ‘Allow Query’, along with custom settings for transfers and notifications. Restrict Allow Transfer to the secondaries, preferably by TSIG key rather than by address alone; an open transfer ACL hands the whole zone to anyone who asks.
Enable or disable external updates and specify custom Allow Update ACLs if necessary. Updates should likewise be limited to specific keys or hosts, never to ‘any’.
Optionally, enable the generation of empty forwarders for zones using this template.
Adding Notes:
Enter any descriptive notes or comments about the zone template.
Selecting DNS Appliances:
Choose TCPWave Master and Slave DNS Appliances that will be associated with this template.
If using Microsoft DNS Master Appliances, select the appropriate appliance.
For Cloud DNS Providers, the interface displays grids for Master and Slave Cloud Providers. Choose accordingly.
Finalizing the Template:
After completing all fields, click OK.
A validation message will appear asking for confirmation to proceed. Click YES to confirm.
A confirmation message will display indicating successful creation of the zone template.
Viewing the Template:
The newly created DNS Zone Template will be listed in the DNS Zone Templates grid, complete with searchable and sortable columns for easy management.
This process allows for the creation of a DNS Zone Template that can be applied to various DNS zones, ensuring consistency and streamlined management of DNS settings across the network infrastructure.
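The SOA values entered in the template are easy to get subtly wrong (an expire shorter than refresh plus retry, an unescaped dot in the contact address). The following added example (my code, not TCPWave's) turns the template fields into the SOA record and checks the timers against the RFC 1912 and RFC 2308 rules of thumb before anything is pushed; it also shows date-based serial bumping. The helper names, the sample zone and the sample values are assumptions.

```python
"""Render and sanity-check the SOA fields of a zone template.  Added
example, not TCPWave code; sample values and helper names are assumptions."""


def soa_rname(email: str) -> str:
    """RFC 1035 mailbox encoding: '@' becomes '.', dots in the local part are escaped."""
    local, domain = email.rsplit("@", 1)
    local = local.replace(".", "\\.")
    return f"{local}.{domain.rstrip('.')}."


def check_soa_timers(refresh: int, retry: int, expire: int, negative_ttl: int):
    """Return a list of warnings; an empty list means the timers look sane."""
    warnings = []
    if not 1200 <= refresh <= 43200:
        warnings.append("refresh outside the 20 min .. 12 h range RFC 1912 suggests")
    if retry >= refresh:
        warnings.append("retry should be shorter than refresh")
    if expire <= refresh + retry:
        warnings.append("expire must exceed refresh + retry, or secondaries drop "
                        "the zone after a single failed refresh cycle")
    if expire < 1209600:
        warnings.append("expire under 2 weeks: a primary outage takes the zone offline quickly")
    if negative_ttl > 86400:
        warnings.append("negative cache TTL above 1 day; RFC 2308 suggests 1-3 hours")
    return warnings


def next_serial(current: int, today: str) -> int:
    """Date-based serial YYYYMMDDnn: first change of the day, else bump nn."""
    candidate = int(today) * 100
    return candidate if candidate > current else current + 1


def render_soa(origin, mname, email, serial, refresh, retry, expire,
               negative_ttl, default_ttl=3600) -> str:
    """Refuse to render a record whose timers fail the checks above."""
    problems = check_soa_timers(refresh, retry, expire, negative_ttl)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"$ORIGIN {origin.rstrip('.')}.\n$TTL {default_ttl}\n"
            f"@ IN SOA {mname.rstrip('.')}. {soa_rname(email)} ("
            f"{serial} {refresh} {retry} {expire} {negative_ttl})\n")


if __name__ == "__main__":
    serial = next_serial(2024011501, "20240116")
    print(render_soa("example.com", "ns1.example.com", "john.doe@example.com",
                     serial, 3600, 900, 1209600, 300))
    print(check_soa_timers(3600, 7200, 4000, 172800))
```

The serial helper assumes the YYYYMMDDnn convention; if the template is used with appliances that manage serials themselves, keep only the timer checks.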
DNS Over HTTP (DoH) Templates
DNS Over HTTP (DoH) Templates in TCPWave IPAM define how a DNS appliance serves DNS queries over HTTPS (DNS over HTTPS, RFC 8484) and, for appliances placed behind a TLS-terminating reverse proxy, over plain HTTP. These templates matter for the confidentiality of DNS traffic between clients and the appliance. Here’s a clearer explanation:
Accessing DNS Over HTTP Templates:
To view the DNS Over HTTP Templates, navigate through the following path in the TCPWave IPAM interface: Network Management >> DNS Management >> DNS Templates >> DNS Over HTTP Templates.
Upon accessing this section, the system displays a list of available DNS Over HTTP Templates.
Default Templates Available:
The system comes with pre-configured default templates tailored to different DNS appliance types:
BIND AUTH Default Template: Configured for authoritative BIND DNS servers, handling domain-to-IP mappings.
BIND CACHE Default Template: Designed for BIND caching DNS servers, which store and retrieve DNS query results.
DNS PROXY Default Template: Suited for DNS proxy setups, where DNS queries are relayed between clients and servers.
Operations You Can Perform:
Within the DNS Over HTTP Templates interface, you have the flexibility to manage the templates through various operations:
Add: Create new DNS Over HTTP Templates as per specific requirements.
Clone: Make copies of existing templates, allowing for quick replication with slight modifications.
Edit: Modify the settings of existing templates to fine-tune DNS configurations.
Delete: Remove templates that are no longer needed.
Bookmark: Mark templates for quick access and reference.
Each template contains key-value pairs that define the settings for serving DNS over HTTP and HTTPS: the TLS configuration, the certificate and private key files used for the secure listener, and the HTTP listener parameters.
By associating these templates with DNS appliances, administrators can ensure consistent and secure DNS query handling across their network infrastructure. Carrying DNS inside TLS hides queries and answers from on-path observers and prevents their modification in transit, which plain UDP port 53 does not.
To add a DNS Over HTTP (DoH) template in TCPWave’s IPAM, follow these steps:
Access the DNS Over HTTP Templates Page:
Navigate to Network Management >> DNS Management >> DNS Templates >> DNS Over HTTP Templates.
The system will display the DNS Over HTTP Templates page.
Initiate the Creation of a New Template:
Click the button to create a new DNS Over HTTP Template.
The system will display the interface for creating a new DNS Over HTTP Template.
Select Appliance Type:
From the dropdown menu, select the appropriate appliance type for which the template is being created.
Specify the Organization:
Choose the organization associated with the DNS appliance from the dropdown list.
Template Name:
Enter a unique name for the DoH template. This name will be used to identify and apply the template to DNS appliances.
Configure DNS Over TLS Settings:
Enable TLS: Check this box to activate TLS, providing a secure communication channel.
Name: The default name is local-tls. Modify if necessary.
Certificate File: Enter the path to the TLS certificate file. The default is /etc/ssl/fullchain.pem; as the name suggests, the file should contain the server certificate followed by any intermediate certificates so that clients can build the chain.
Private Key File: Specify the path to the TLS private key file, defaulting to /etc/ssl/privkey.pem. Keep this file readable only by the account the DNS service runs as.
Set DNS Over HTTP Settings:
Enable HTTP: Check to enable plain HTTP communication. Queries on this listener are not encrypted; leave it unchecked unless a TLS-terminating proxy sits in front of the appliance.
Enable HTTPS: Ensure this is checked to activate HTTPS, encrypting data sent between client and server. HTTPS requires the TLS settings above to be enabled with a valid certificate and key.
Name: Default is local-http-server. Modify as needed.
Concurrent HTTP Clients: Specify the maximum number of simultaneous client connections the listener accepts.
Concurrent HTTPS Streams Per Connection: Set the number of concurrent HTTP/2 streams allowed per HTTPS connection, with a range from 1 to 1000.
Endpoint Configuration:
Define the HTTP query paths for listening, with the default being /dns-query.
Add Description:
Provide a brief description or purpose of the DoH template.
Validate and Save:
Click OK to validate. A message prompts, “Are you sure you want to add the dns over http template?”
Click YES to confirm and proceed.
Confirmation:
The system will display the newly added DoH template in the grid, confirming its creation.
By following these steps, you can create and configure a DNS Over HTTP template in TCPWave’s IPAM, protecting DNS queries in transit with encrypted HTTPS communication.
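The example below renders the template fields from the procedure above into the configuration an appliance would run, and applies the checks an operator wants before pushing the template. It is an added example, not TCPWave’s code: it assumes the appliance turns the template into BIND 9.18 `tls` and `http` statements (the default names local-tls and local-http-server are the ones BIND’s own documentation uses), and the defaults of 300 clients and 100 streams per connection are BIND’s, not values the page states.

```python
"""Render a DNS Over HTTP template into BIND 9.18 tls/http/listen-on statements.

Added example, not TCPWave code. Field names mirror the template form; the
rendering assumes the appliance emits BIND 9.18 syntax (an assumption).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DohTemplate:
    enable_tls: bool = True
    tls_name: str = "local-tls"
    cert_file: str = "/etc/ssl/fullchain.pem"
    key_file: str = "/etc/ssl/privkey.pem"
    enable_http: bool = False
    enable_https: bool = True
    http_name: str = "local-http-server"
    concurrent_clients: int = 300          # BIND default, assumed
    streams_per_connection: int = 100      # BIND default, assumed; template allows 1..1000
    endpoints: List[str] = field(default_factory=lambda: ["/dns-query"])


def validate(t: DohTemplate) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors block rendering; warnings are security advice."""
    errors, warnings = [], []
    if t.enable_https and not t.enable_tls:
        errors.append("HTTPS requires Enable TLS so that a tls statement with cert/key exists")
    if t.enable_tls and (not t.cert_file or not t.key_file):
        errors.append("Enable TLS needs both a certificate file and a private key file")
    if not 1 <= t.streams_per_connection <= 1000:
        errors.append("Concurrent HTTPS streams per connection must be within 1..1000")
    if t.concurrent_clients < 1:
        errors.append("Concurrent HTTP clients must be at least 1")
    if not t.endpoints or not all(e.startswith("/") for e in t.endpoints):
        errors.append("each endpoint must be an absolute HTTP path such as /dns-query")
    if t.enable_http:
        warnings.append("Enable HTTP exposes DNS queries in cleartext on port 80; "
                        "use it only behind a TLS-terminating proxy")
    if not t.enable_https and not t.enable_http:
        warnings.append("neither HTTP nor HTTPS is enabled; the template does nothing")
    return errors, warnings


def render(t: DohTemplate) -> str:
    """Produce the named.conf fragment for the template; raise on validation errors."""
    errors, _ = validate(t)
    if errors:
        raise ValueError("; ".join(errors))
    parts = []
    if t.enable_tls:
        parts.append(
            f"tls {t.tls_name} {{\n"
            f'    cert-file "{t.cert_file}";\n'
            f'    key-file "{t.key_file}";\n'
            f"}};")
    endpoints = " ".join(f'"{e}";' for e in t.endpoints)
    parts.append(
        f"http {t.http_name} {{\n"
        f"    endpoints {{ {endpoints} }};\n"
        f"    listener-clients {t.concurrent_clients};\n"
        f"    streams-per-connection {t.streams_per_connection};\n"
        f"}};")
    listens = []
    if t.enable_https:
        listens.append(f"    listen-on port 443 tls {t.tls_name} http {t.http_name} {{ any; }};")
    if t.enable_http:
        # 'tls none' is BIND's way of binding an http listener without encryption
        listens.append(f"    listen-on port 80 tls none http {t.http_name} {{ any; }};")
    parts.append("options {\n" + "\n".join(listens) + "\n};")
    return "\n\n".join(parts)


if __name__ == "__main__":
    tmpl = DohTemplate()
    for w in validate(tmpl)[1]:
        print("warning:", w)
    print(render(tmpl))
```

Run it with the defaults and you get an HTTPS-only listener; set `enable_http=True` and the validator still renders the configuration but flags the cleartext listener, which is the state to avoid on an Internet-facing appliance.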
DNS64 Templates
DNS64 templates in TCPWave IPAM are used to facilitate the transition from IPv4 to IPv6 by allowing IPv6-only clients to access IPv4 services. These templates configure how the DNS64 service synthesizes AAAA records from existing A records. Here’s an overview of the operations you can perform with DNS64 templates:
- 1. Adding a DNS64 Template:
Navigate to the appropriate section in TCPWave IPAM where DNS64 templates are managed.
Begin the process of creating a new DNS64 template.
Input necessary details such as the IPv6 prefix used for representing IPv4 addresses and any additional parameters required for the DNS64 service.
Specify other configuration options that tailor how the DNS64 service operates, like handling DNS queries and generating synthetic AAAA records.
Save the template to make it available for use.
- 2. Editing a DNS64 Template:
Locate the specific DNS64 template you wish to modify.
Open the template for editing.
Make the desired changes to the template’s settings, such as adjusting the IPv6 prefix or modifying other operational parameters.
Save the changes to update the template.
- 3. Deleting a DNS64 Template:
Identify the DNS64 template that is no longer needed.
Use the delete option to remove the template from the system.
Confirm the deletion to ensure that the template is permanently removed.
By using DNS64 templates, network administrators can effectively manage how IPv6 clients interact with IPv4 services, ensuring seamless connectivity and access as networks transition towards IPv6.
Adding a DNS64 Prefix in TCPWave involves configuring a template for synthesizing AAAA Resource Records from A Resource Records, allowing IPv6 clients to communicate with IPv4 servers. Here’s how to do it:
- 1. Navigate to DNS64 Templates:
Go to Network Management >> DNS Management >> DNS Templates >> DNS64 Templates.
This opens the DNS64 Prefix page.
- 2. Initiate Adding a DNS64 Prefix:
Click the designated button to create a new DNS64 Prefix.
A new page for DNS64 Prefix creation will open.
- 3. Configure DNS64 Prefix Attributes:
Select your organization from the dropdown menu.
Enter a name for the DNS64 template.
Specify the Prefix (e.g., 5000:0002::), the IPv6 prefix into which IPv4 addresses are embedded. The well-known prefix 64:ff9b::/96 from RFC 6052 is the usual choice when a network-specific prefix is not required.
Choose the mask length from the dropdown menu. RFC 6052 permits 32, 40, 48, 56, 64 or 96; the embedded IPv4 address follows the prefix, skipping bits 64 to 71, which must stay zero.
Add a Suffix if required (e.g., ::5000). The suffix fills only the bits left free after the prefix and the embedded IPv4 address.
Decide whether the template should be ‘Recursive Only’ (Yes/No). With Yes, AAAA synthesis is applied only to recursive queries.
Choose whether to ‘Break DNSSEC’ (Yes/No). A synthesized AAAA record cannot carry a valid signature, so with No the server does not synthesize for clients that ask for DNSSEC data (DO bit set) when the real answer is validated; with Yes it synthesizes regardless, and validating clients will reject the answer. Leave it at No unless you know the clients behind this prefix do not validate.
Provide a description for easy identification of the DNS64 template.
- 4. Set Address Match Attributes:
Clicking the ‘Clients’, ‘Mapped’ or ‘Exclude’ field opens a General Address Match List popup. The three lists have distinct roles: Clients selects which querying clients receive synthesized answers; Mapped selects which IPv4 addresses are eligible for mapping (an A record outside it is not synthesized); Exclude lists IPv6 addresses that, when present in a real AAAA answer, are treated as if absent so that synthesis still takes place (IPv4-mapped addresses such as ::ffff:0:0/96 are the typical entry).
Select the type (IPv4/ACL/IPv6) and input the appropriate values or select an ACL name.
Use the ‘Exclude’ option in the popup to negate an address or ACL within the match list.
Add values to the Clients, Mapped, and Exclude fields as needed.
Confirm the entries and they will be displayed in their respective fields on the main page.
- 5. Finalize the DNS64 Prefix Addition:
After completing the configuration, click OK.
A validation message will appear asking for confirmation. Click YES to proceed.
Upon confirmation, the new DNS64 Prefix will be added and displayed in the DNS64 Prefix grid, complete with searchable and sortable columns for management.
This DNS64 Prefix setup lets IPv6-only clients reach IPv4-only services during the transition, without those services needing IPv6 addresses of their own.
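The following example works through what a resolver built from a DNS64 prefix template actually answers: it embeds an IPv4 address in the prefix for every mask length RFC 6052 permits, applies the Mapped and Exclude lists when deciding whether to synthesize, and emits the configuration statement the template fields correspond to. It is an added example, not TCPWave’s code, and it assumes the Prefix, mask length, Suffix, Clients/Mapped/Exclude lists and the two Yes/No flags map onto BIND’s `dns64` options of the same names (the `render_bind_dns64` helper and its default lists are that assumption made explicit).

```python
"""DNS64 AAAA synthesis (RFC 6052) driven by the DNS64 prefix template fields.

Added example, not TCPWave code. The mapping of template fields onto BIND's
dns64 statement (prefix, suffix, clients, mapped, exclude, recursive-only,
break-dnssec) is an assumption about how the appliance renders the template.
"""
import ipaddress
from typing import Iterable, List

VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)  # the only lengths RFC 6052 permits


def synthesize_aaaa(prefix: str, prefix_len: int, ipv4: str, suffix: str = "::") -> str:
    """Embed an IPv4 address in the prefix as RFC 6052 section 2.2 lays out.

    Bits 64..71 (the "u" octet) are always zero, so for /40, /48 and /56 the
    four IPv4 bytes straddle that octet. The suffix supplies only the bytes
    that neither the prefix nor the embedded address occupies.
    """
    if prefix_len not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"prefix length must be one of {VALID_PREFIX_LENGTHS}")
    # strict=True rejects a prefix with bits set beyond the mask length
    net = ipaddress.IPv6Network(f"{prefix}/{prefix_len}", strict=True)
    pfx = net.network_address.packed
    v4 = ipaddress.IPv4Address(ipv4).packed
    sfx = ipaddress.IPv6Address(suffix).packed
    addr = bytearray(16)
    pos = prefix_len // 8
    addr[:pos] = pfx[:pos]
    for b in v4:
        if pos == 8:          # skip the reserved u octet
            pos += 1
        addr[pos] = b
        pos += 1
    addr[pos:] = sfx[pos:]    # the remaining bytes come from the suffix
    if prefix_len <= 64:
        addr[8] = 0           # u octet stays zero whatever the suffix says
    return str(ipaddress.IPv6Address(bytes(addr)))


def dns64_answer(prefix: str, prefix_len: int, a_records: Iterable[str],
                 aaaa_records: Iterable[str], mapped: Iterable[str] = ("0.0.0.0/0",),
                 exclude: Iterable[str] = ("::ffff:0:0/96",), suffix: str = "::") -> List[str]:
    """What the resolver returns for an AAAA query, given the real A and AAAA data.

    AAAA addresses inside `exclude` are treated as absent. If no usable AAAA
    remains, synthesize from the A records whose address falls inside `mapped`.
    """
    exclude_nets = [ipaddress.IPv6Network(e) for e in exclude]
    mapped_nets = [ipaddress.IPv4Network(m) for m in mapped]
    usable = [a for a in aaaa_records
              if not any(ipaddress.IPv6Address(a) in n for n in exclude_nets)]
    if usable:
        return usable
    return [synthesize_aaaa(prefix, prefix_len, a, suffix) for a in a_records
            if any(ipaddress.IPv4Address(a) in n for n in mapped_nets)]


def render_bind_dns64(prefix: str, prefix_len: int, suffix: str = "::",
                      recursive_only: bool = True, break_dnssec: bool = False,
                      clients: Iterable[str] = ("any",), mapped: Iterable[str] = ("any",),
                      exclude: Iterable[str] = ("::ffff:0:0/96",)) -> str:
    """Emit the BIND dns64 statement the template fields correspond to (assumed mapping)."""
    def aml(items: Iterable[str]) -> str:
        return " ".join(f"{i};" for i in items)
    yn = {True: "yes", False: "no"}
    return (f"dns64 {prefix}/{prefix_len} {{\n"
            f"    clients {{ {aml(clients)} }};\n"
            f"    mapped {{ {aml(mapped)} }};\n"
            f"    exclude {{ {aml(exclude)} }};\n"
            f"    suffix {suffix};\n"
            f"    recursive-only {yn[recursive_only]};\n"
            f"    break-dnssec {yn[break_dnssec]};\n"
            f"}};")


if __name__ == "__main__":
    # Constructed sample: an IPv4-only host seen through the well-known prefix
    print(dns64_answer("64:ff9b::", 96, ["192.0.2.33"], []))
    print(render_bind_dns64("64:ff9b::", 96))
```

The byte-offset handling is the part worth checking against RFC 6052 section 2.4, whose worked examples for 192.0.2.33 under each prefix length the function reproduces; the Mapped and Exclude logic shows why a real AAAA answer consisting only of IPv4-mapped addresses still triggers synthesis under the default exclude list.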