Prevent DNS Host Overrides from being visible on other VLAN?
-
Long time creeper, first time poster. Been digging through a lot of information (forums, Reddit, Google searches, etc), but I haven't been able to find an answer.
I currently have multiple VLANs and I'm using the DNS Resolver in pfSense. I want all VLANs to be able to use the DNS resolver (for pfBlockerNG), but I don't want 2 of the VLANs to see the Host Overrides from the other VLANs. I have a firewall rule that blocks the traffic between the VLANs, but I can still see the host override when I use dig. Example below.
In this example, I'm coming from the VLAN I DON'T want to see the host overrides for devices in other VLANs, but as you can see, they still come up even though they can't get traffic to them.
$ dig donot.access.lan

; <<>> DiG 9.11.3-1ubuntu1.16-Ubuntu <<>> donot.access.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16488
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;donot.access.lan.              IN      A

;; ANSWER SECTION:
donot.access.lan.       1854    IN      A       192.168.33.52

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Feb 08 13:15:34 EST 2022
;; MSG SIZE  rcvd: 62
Is it possible to prevent the specific VLANs from being able to see the host overrides from other VLANs without creating another DNS server? I saw some options about using the Unbound Custom Options with ACL views, but from my understanding, that's per host and could get tedious.
-
@nuggets-0 said in Prevent DNS Host Overrides from being visible on other VLAN?:
Is it possible to prevent the specific VLANs from being able to see the host overrides from other VLANs without creating another DNS server?
Yes this can be done with views.. Let me see if I can dig up one of the previous examples I had done.. If not, will walk through it again. It's not going to be clicky clicky in the gui.. But you can create these records in the custom option box..
edit: here you go - from 2017 ;)
https://forum.netgate.com/post/684870
So you could just create your host records there and only let the vlans you want to see those in your view.
-
@johnpoz Oh man, an answer from the legend!
I've read a lot of your posts/comments for various topics pertaining to pfsense configurations. In fact, the "views" I mentioned were from the same post you referenced. The problem being that I missed one line that you mentioned where it says you can use the whole subnet:
@johnpoz said in Different DNS host overrides based on IP addr or interface of client?:
You can create the control view to either be a single IP with /32 or any cidr to include the IPs you want. You then just need to create the entries under that view name.
I'll give this a go and see if that fills my needs, which it seems it should. Thank you for your time!
-
@nuggets-0 No problem - let me know how you get along.. If not, with some more details, sure we can get you up and running..
-
@johnpoz
So I put in the following configuration but I think I made things worse:

server:
    access-control-view: 192.168.102.0/24 noninternal
    local-zone: "noninternal.lan" static
view:
    name: "noninternal"
    local-zone: "noninternal.lan" static

While I was getting NXDOMAIN on the host overrides, I wasn't able to get responses on the test Host Override I created in the same domain of noninternal.lan. The local zone type of "static" should reply if the local data is found, and give an NXDOMAIN for anything not found in the local tree. I was testing the rules so as to only allow noninternal.lan clients access to the noninternal.lan Host Overrides.
However, thinking about it, I'm going about it the wrong way with the config above. I'm trying to prevent the domain from trying to see other addresses. I should instead be allowing only the domains I want so the rest is essentially "deny all" in the event someone spoofs their address/domain.
I'll admit, I'm reading the documentation and am in the situation of "knows enough to be dangerous" when it comes to this. I'm currently bouncing between these two pages trying to understand this all but it just isn't clicking.
https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/tags-views.html
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#view-options

Here are some details below on what I'm trying to do (obfuscated data). I also obfuscated the data in my first post, so the first post data can be disregarded (such as the dig):

VLAN 60 192.168.100.0/24 Servers servers.lan
VLAN 61 192.168.101.0/24 Internal internal.lan
VLAN 62 192.168.102.0/24 Private private.lan
VLAN 63 192.168.103.0/24 Non-internal noninternal.lan

I want clients from the Servers, Internal, and Private networks to be able to see host overrides for all domains. Pretty much want them unrestricted. However, I do not want Non-internal to be able to see the host overrides of the Servers, Internal, and Private domains. If possible, I do not want to add local-data as that would mean manually managing each and every host override in the custom options of Unbound.
I feel like this is possible, but again, something just isn't clicking on the configuration options for me. I tried the following configuration (after rereading my post and yours a few times), and it had the opposite effect of what I wanted, similar to the above. It allowed the Non-internal access to the other domains, but didn't allow the Servers, Internal, Private domains access to their own entries or the Non-internal domain. It didn't even allow it to the made up DNS entry to a made up domain.

server:
    access-control-view: 192.168.100.0/24 Allow_Safe
    access-control-view: 192.168.101.0/24 Allow_Safe
    access-control-view: 192.168.102.0/24 Allow_Safe
view:
    name: "Allow_Safe"
    local-zone: servers.lan static
    local-zone: internal.lan static
    local-zone: private.lan static
    local-zone: noninternal.lan static
Any help would be appreciated and I apologize if something doesn't make sense. Goes back to that "knows enough to be dangerous" situation I'm in.
-
@nuggets-0 Definitely, views can do it
Administering such a thing long term is also an issue.
How about a second pfBlockerNG instance, just for the VLANs requested?
pf can sync its settings automatically, without replicating the unbound host overrides.
-
@nuggets-0 said in Prevent DNS Host Overrides from being visible on other VLAN?:
I do not want to add local-data as that would mean manually managing each and every host override manually in the custom options of Unbound.
Yeah - not sure how you think you could do it otherwise. I told you it's not a clicky clicky sort of setup. Views allow you to list what specific IPs or networks can view.. This would all have to be done manually..
You could prevent hosts from viewing entries in a zone by not adding anything in that zone once you created a view..
edit: example: my local domain is local.lan and I have lots of records in it.
If I didn't want, say, my 192.168.3.0/24 network viewing any of those:

server:
    access-control-view: 192.168.3.0/24 Block
view:
    name: "Block"
    local-zone: "local.lan" static

See, there are no records in local.lan, just an empty zone.. So if I query from a 192.168.9 box..

C:\>dig @192.168.9.253 i9-win.local.lan +short
192.168.9.100

C:\>dig @192.168.9.253 sg4860.local.lan +short
192.168.9.253

C:\>dig @192.168.9.253 nas.local.lan +short
192.168.9.10

Those all resolve.. But if I do it from a 192.168.3 box I get..

pi@ntp:~ $ dig @192.168.3.253 i9-win.local.lan

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Raspbian <<>> @192.168.3.253 i9-win.local.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24481
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;i9-win.local.lan.              IN      A

;; Query time: 0 msec
;; SERVER: 192.168.3.253#53(192.168.3.253)
;; WHEN: Thu Feb 10 03:14:15 CST 2022
;; MSG SIZE  rcvd: 45

pi@ntp:~ $ dig @192.168.3.253 sg4860.local.lan

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Raspbian <<>> @192.168.3.253 sg4860.local.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24266
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sg4860.local.lan.              IN      A

;; Query time: 0 msec
;; SERVER: 192.168.3.253#53(192.168.3.253)
;; WHEN: Thu Feb 10 03:14:42 CST 2022
;; MSG SIZE  rcvd: 45

pi@ntp:~ $ dig @192.168.3.253 nas.local.lan

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Raspbian <<>> @192.168.3.253 nas.local.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25717
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nas.local.lan.                 IN      A

;; Query time: 0 msec
;; SERVER: 192.168.3.253#53(192.168.3.253)
;; WHEN: Thu Feb 10 03:14:48 CST 2022
;; MSG SIZE  rcvd: 42
But I can resolve say google.com
pi@ntp:~ $ dig @192.168.3.253 www.google.com

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Raspbian <<>> @192.168.3.253 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13874
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         3600    IN      A       172.217.4.196

;; Query time: 63 msec
;; SERVER: 192.168.3.253#53(192.168.3.253)
;; WHEN: Thu Feb 10 03:15:49 CST 2022
;; MSG SIZE  rcvd: 59
But once you create the view, you would need to put stuff you want them to resolve in that view that is local.
You can do stuff with view-first and tags maybe, etc.. here is some further reading
https://medium.com/nlnetlabs/client-based-filtering-in-unbound-d7da3f1ef639

But since views are not part of the gui, and you can not just select, say, what host overrides are in what views, etc., or multiple views, this isn't going to be a clicky clicky setup.
Maybe you could look into using bind.. They have had views for way longer than unbound, and it might be better suited for what you're wanting to do? Also views have gui control in the bind package.
Another option? If you just want to prevent some devices or network from resolving local stuff, you could just set ACL in unbound to deny local, etc.
-
@nuggets-0 I didn't think you could do that on a single pfsense box, but I think I'm getting a better understanding of views and how I can use it to fit my scenario.
@johnpoz So I'm almost there. I have the empty view and it can't hit the other host overrides. However, I also can't hit the DNS records that I put within the same domain. It comes back with NXDOMAIN. Here is my example:

server:
    access-control-view: 192.168.103.0/24 Block
view:
    name: "Block"
    local-zone: "noninternal.lan" static
So what I'm understanding is that the view overrides the entire scope of the block and each view for that block needs to have manual entries? For example, if I wanted "test.noninternal.lan" to be reachable in the iot.lan view, I would need to add a local-data value in the view for it and NOT in the GUI for the host overrides. Such as below:
server:
    access-control-view: 192.168.103.0/24 Block
view:
    name: "Block"
    local-zone: "noninternal.lan" static
    local-data: "test.noninternal.lan. 90 IN A 192.168.103.50"
Is that correct? I tested in my environment and that seems to be the case, but I'm just making sure.
If so, then that checks most of my boxes as I won't be hosting anything in the noninternal side and anything on that side won't have access to see the other host overrides. Which means I won't need to manage manual entries. This view should still allow pfblocker to do its job on those VLANs since they're still resolving through pfblocker (I have a NAT rule to redirect DNS to pfsense).
I was also concerned about someone using a different IP. I forgot that the firewall rules have a "deny all" for the interfaces at the bottom. Therefore any IP not in the range will be denied which will lock them to this view.
Please correct me if I'm wrong in any sense. I've already learned a lot and appreciate all your time!
-
@nuggets-0 Yeah that is how it works.. It is somewhat of a manual process to be sure. But you can load files with your configurations in the custom option box as well. So it could be possible to manage your desired records in a maybe easier to manage file via the custom option box in the gui.
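As an added example (not code from this thread, pfSense or Unbound), the following Python script models the view behaviour johnpoz demonstrates above (empty static zone in the view gives NXDOMAIN, outside names still resolve) and emits the Custom Options text the last reply suggests keeping in a file. It generalizes the one-zone configs in the thread by listing every local zone as an empty static zone in the restricted view; the subnets, zone names and records are constructed sample data, and the view-first option is assumed left at its default.

```python
import ipaddress

# Constructed sample data. GLOBAL_OVERRIDES stands in for the GUI host overrides
# every client normally sees; VIEWS is the restriction built in Custom Options.
GLOBAL_OVERRIDES = {"nas.servers.lan": "192.168.100.10",
                    "pc.internal.lan": "192.168.101.20"}
VIEWS = {
    "Block": {
        "subnets": ["192.168.103.0/24"],
        # every local zone listed as an empty static zone: those names answer
        # NXDOMAIN from the view itself instead of being sent upstream
        "zones": ["servers.lan", "internal.lan", "private.lan", "noninternal.lan"],
        # the only records this view may answer: host -> (address, ttl)
        "records": {"test.noninternal.lan": ("192.168.103.50", 90)},
    },
}

def view_for_client(views, client_ip):
    """Name of the first view whose access-control-view subnet matches, else None."""
    ip = ipaddress.ip_address(client_ip)
    for name, spec in views.items():
        if any(ip in ipaddress.ip_network(c) for c in spec["subnets"]):
            return name
    return None

def answer(views, global_overrides, client_ip, qname):
    """Model the reply: an address, 'NXDOMAIN', or 'RECURSE' (resolved upstream).
    Assumes view-first stays at its default (no): a client in a view never falls
    back to the global host overrides."""
    name = view_for_client(views, client_ip)
    if name is None:                      # no view: ordinary host overrides apply
        return global_overrides.get(qname, "RECURSE")
    spec = views[name]
    if qname in spec["records"]:
        return spec["records"][qname][0]
    if any(qname == z or qname.endswith("." + z) for z in spec["zones"]):
        return "NXDOMAIN"                 # static zone with no matching local-data
    return "RECURSE"

def render_config(views):
    """Emit Custom Options text: ACL lines under server:, then one view: block each."""
    out = ["server:"]
    for name, spec in views.items():
        out += [f"    access-control-view: {c} {name}" for c in spec["subnets"]]
    for name, spec in views.items():
        out += ["view:", f'    name: "{name}"']
        out += [f'    local-zone: "{z}." static' for z in spec["zones"]]
        out += [f'    local-data: "{h}. {ttl} IN A {a}"'
                for h, (a, ttl) in spec["records"].items()]
    return "\n".join(out) + "\n"
```

Running `print(render_config(VIEWS))` gives the stanza to paste into the Custom Options box; `answer()` lets you check what a client on each subnet should get back before reloading Unbound.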