Configure Cisco Jabber DNS and Single Domain using Response Policy Zone (RPZ) and a single BIND9 DNS server

Cisco recommends dual DNS: public (external) and local (internal) DNS in order that Mobile and Remote Access can work more efficiently.

Pinpoint entries (a zone created for a single host only) as suggested by Cisco could be a solution, but our DNS server is authoritative for the parent domain, so this wouldn't work.

With the follwing setup and by using RPZ, jabber requests coming from the internet, are forwarded to Expressway-Edge and requests coming from the internal network are forwarded to Expressway-Core.


Public (External) Records needed:

_collab-edge._tls.example.com      SRV 10 10 8443 expe1.example.com.

Local (Internal) Records needed:

_cisco-uds._tcp.example.com        SRV    10 10 8443 cucm1.example.com
_cuplogin._tcp.example.com         SRV    10 10 8443 cup1.example.com


Cisco states that a client first searches for internal DNS records:
For example, Adam McKenzie's services domain is example.com when he starts the client. The client then issues the following query:

    _cisco-uds._tcp.example.com
    _cuplogin._tcp.example.com
    _collab-edge._tls.example.com


We will be using RPZ, so that the client gets different DNS results depending on which DNS is using for recursion (Public or Private).
Our DNS server is authoritative for all our domains and recursive allowing queries only from internal network (allow-recursion { ournets; };).

First, create the RPZ zone file to your bind9 recursor. This is where all the overrides will be placed.
I copied the file from https://deteque.com/m3aawg-bind-training/ and modified it according to our needs.

db.rpz.local

$TTL 3600

@               IN SOA  localhost. need.to.know.only. (
                       201702135 ; Serial number
                       60        ; Refresh every minute
                       60        ; Retry every minute
                       432000    ; Expire in 5 days
                       60 )      ; negative caching ttl 1 minute
                IN NS   LOCALHOST.
;_collab-edge._tls.example.com        IN CNAME *.  ; return NODATA for internal queries - Probably not needed
_cisco-uds._tcp.example.com          SRV     10 10 8443 cucm1.example.com. ;internal only
_cuplogin._tcp.example.com           SRV     10 10 8443 cup1.example.com. ;internal only


In my Debian Buster BIND configuration, I use seperate config files in named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.log";


If you use a single config file, then put the following parts in the same file, usually named.conf.
Enable logging of RPZ requests, it is a goood thing to know what's going on:

named.conf.log

        channel rpzlog {
                file "/var/log/rpz.log" versions 14 size 1m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity info;
        };
        category rpz { rpzlog; };


In your domain main zone file, among your other records, you have to add the following record.
This should be available publicly so that remote clients can access your Cisco Expressway Edge.
In my case, this zone is also transferred to our domain slaves.

example.com zone:

_collab-edge._tls       SRV     10 10 8443 expe1.example.com. ; VCS Expressway or Cisco Expressway-E server


Then, add the zone in your config file:

named.conf.local

zone "rpz.local" {
        type master;
        file "db.rpz.local";
        allow-update { none; };
        allow-transfer { none; };
};


-----------
Finally, enable the Response Policy Zone:

named.conf.options:

        response-policy {
                zone "rpz.local";
        };


Restart Bind and reload the zone

sudo /etc/init.d/bind9 restart
sudo rndc reload rpz.local


Do some tests from some clients and check the rpz.log file!
When querying locally for _cisco-uds._tcp.example.com, you should get a result and see some Local-Data rewrite for your queries.
When querying remotely for _cisco-uds._tcp.example.com, you should get no answer.

Σχόλια

Δημοσίευση σχολίου

Δημοφιλείς αναρτήσεις από αυτό το ιστολόγιο

Get Telegram notifications for APC UPS using SNMP traps in Linux

In this post I am going to explain how I used SNMP traps on a Linux Debian system in order to get some telegram notifications. I used them in order to be informed in case our company UPS systems runs on battery. First of all, you have to setup and test a Telegram Notification script. I used the one here: https://github.com/samsulmaarif/telegram-notify , it is very easy to install and use. The binary is installed in: /usr/local/bin/telegram-notify We assume that you already have a telegram bot running. The two things you 've got to find are your bot api-key and chat id or Channel id. In case you are not yet using a telegram bot, there are plenty of guides showing how to setup one and how to get your user-id. In order to get SNMP traps from your UPS Network management card, you should first enable them in the "Notifications". Just enter your Linux hostname as a trap receiver. First install snmpd and snmptrapd sudo apt install snmpd snmptrapd Edit your config files: The o...
Διαβάστε περισσότερα

Using IFTTT recipe to run a shell script

Requirements: -an IFTTT account -a Dropbpx account linked to your IFTTT account -a server running linux (mine runs Debian linux). - incrontab package, available on most linux distros. First of all, install Dropbox on your linux box. You may find instructions here: https://www.dropbox.com/install?os=lnx Run Dropbox and create a folder named IFTTT on your home Dropbox folder. mkdir ~/Dropbox/IFTTT Then, you have to create your IFTTT recipe at ifttt.com. You may use whatever "this" statement you wish. On "that" statement you chose Dropbox, and create a file. Give a name to your file, for my example I use "runme". In the content you may put whatever you want. In Dropbox folder path you use IFTTT. Create your script file on your home folder named "script.sh" and make it executable: chmod  +x script.sh. Make sure your script executes properly: ./script.sh Add the user that has both rights to run the script and to write into the Drop...
Διαβάστε περισσότερα

Setting up your openwrt adsl router for Forthnet IPv6 (Dual Stack) - Static Pilot

I am using a Ubiquiti AirRouter flashed with OpenWrt as a PPPoE client and my old linksys ADSL modem/router is configured in bridged mode and only handles the ADSL connection.  This setup applies to openwrt Attitude Adjustment 12.09 and it is updated on Nov 2014 You have to install the follwing packages: dhcp6-client radvd opkg update opkg install radvd dhcp6-client If you are using the Luci web i/f,  you should enable "Enable IPv6 negotiation on the PPP link" on the WAN advanced settings. It is more efficient though to do the changes via cli: config interface 'wan' option _orig_ifname 'eth1' option _orig_bridge 'false' option ifname 'eth1' option proto 'pppoe' option password 'somepasshere' option username 'username.ath.forthnet.gr@stv6forthnet.gr' option ipv6 '1' option keepalive '5 5' Then, edit /etc/config/dhcp6c : config in...
Διαβάστε περισσότερα