Zimbra, DNS and dnsmasq Configuration Guide

Zimbra, DNS and dnsmasq Configuration Guide

:: Zimbra and DNS Challenges ::  
Zimbra, like all email servers, is highly reliant on performant DNS not only to be able to send and receive email, but also to be able to perform anti-spam tasks.  Certain components of Zimbra even use DNS to find other Zimbra components and servers in the same hosting environment.

It’s increasingly rare for Zimbra servers’ hosting environments to present public IP addresses on the Zimbra servers themselves; almost all Zimbra servers have an RFC1918 “private” IP address in the 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 spaces.  But, that means Zimbra needs DNS services that will resolve hostname lookups for internal servers in the servers’ RFC1918 address space, and other servers (like mail.yahoo.com) with their respective proper public IP addresses.  This task, which Zimbra calls “Split DNS“, typically required system administrators to configure a complex set of separate DNS servers like BIND9 just for Zimbra’s use.  Ugh.

dnsmasq To The Rescue
Zimbra’s supported operating systems all now ship dnsmasq as part of the distribution. dnsmasq is a reasonably performant cacheing DNS server, with a configuration file that “masks” listed entries.  In other words, you need only put all the A, MX, TXT and PTR lookups in dnsmasq’s configuration file that need to resolve with private IP addresses, without the need to have a comprehensive zone file for all records on the domain on which Zimbra is hosted.

Zimbra’s own Split DNS wiki page will give you further background into how, for example, Zimbra’s Postfix relies on RFC1918 address resolution.  The wiki page even provides a sample configuration file for dnsmasq.  Unfortunately, the sample is incomplete in that it doesn’t include reverse lookups, needed for some Zimbra log file entries in production environments.  The sample dnsmasq configuration file in the wiki also doesn’t increase dnsmasq’s very tiny default cache, which most Zimbra servers will churn continuously if not increased.

In Amazon Web Services environments, unless you architect your VPCs carefully with custom DHCP options, your Zimbra server will have a hostname that’s not even remotely related to the public hostname of the Zimbra server, and that creates some challenges that dnsmasq can be used to solve as well.

Be sure also to ensure that /etc/resolv.conf is updated accordingly!  You would be surprised how often this gets overlooked, and then otherwise incredibly competent and attentive system administrators wonder why they are having intermittent issues with email delivery, anti-spam etc.

Comprehensive dnsmasq Sample Config File Entries
Here’s the sample template we use on the dnsmasq instance installed on the proxy server of our Zimbra BSP (Business Service Provider) multi-tenant hosting environment.  The configs handle forward and reverse lookups of the Zimbra server itself, along with a few other items not included in the Zimbra wiki page.

Hopefully, the embedded comments below will help you create your own dnsmasq configuration file entries, and the Zimbra wiki site will help you with the installation of dnsmasq itself.

If you need help with your Zimbra environment, don’t hesitate to contact us for a Professional Services quote.

# ###################################
# BEGIN ZIMBRA SERVER DNSMASQ CONFIG
# ###################################
#
# Name Servers to use for resolution:
# IP addresses below are for Google's public DNS servers;
# you may wish instead to use your ISP's upstream servers,
# or your AD servers with the DNS Role installed.
server=8.8.8.8
server=8.8.4.4
#
# Only localhost can talk to me (Zimbra Default).
# Add this server's RFC1918 IP address if you want
# other Zimbra servers on the network to query me.
listen-address=127.0.0.1
#
# What's my Zimbra server's domain?
domain=missioncriticalemail.com
#
# DNS A Record-Equivalent(s) go here:
address=/my.missioncriticalemail.com/10.7.57.129
address=/zimbra.missioncriticalemail.com/10.7.57.128
address=/mb1.missioncriticalemail.com/10.7.57.127
address=/mb2.missioncriticalemail.com/10.7.57.126
address=/mb3.missioncriticalemail.com/10.7.57.125
address=/mb4.missioncriticalemail.com/10.7.57.124
address=/imapsync.missioncriticalemail.com/10.7.57.120
#
# DNS PTR Record-Equivalent(s) go here:
ptr-record=129.57.7.10.in-addr.arpa,my.missioncriticalemail.com
ptr-record=128.57.7.10.in-addr.arpa,zimbra.missioncriticalemail.com 
ptr-record=127.57.7.10.in-addr.arpa,mb1.missioncriticalemail.com 
ptr-record=126.57.7.10.in-addr.arpa,mb2.missioncriticalemail.com 
ptr-record=125.57.7.10.in-addr.arpa,mb3.missioncriticalemail.com 
ptr-record=124.57.7.10.in-addr.arpa,mb4.missioncriticalemail.com 
ptr-record=120.57.7.10.in-addr.arpa,imapsync.missioncriticalemail.com 
#
# If you haven't figured out how to change DHCP scope options in AWS,
# dnsmasq needs to resolve the AWS-generated hostname, e.g.:
# address=/ip-10-7-57-129/10.7.57.129
#
# DNS MX Record-Equivalnet(s) go here:
mx-host=missioncriticalemail.com,my.missioncriticalemail.com,10
#
# Where can I find out about other hosts before I ask the public nameservers?
addn-hosts=/etc/hosts
#
# Increase the number of host lookups cached from the default 150
cache-size=9500
#
# ###################################
# END ZIMBRA SERVER DNSMASQ CONFIG
# ###################################
#

Hope that helps,
L. Mark Stone
Mission Critical Email
15 March 2018

The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone personally. The contents of this site are not intended as advice for any purpose and are subject to change without notice. Mission Critical Email makes no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.