Translate network address for responses
-
Is there a way to configure unbound (or something else in pfS) to translate the network address of a dns response for a specific domain ?
We are looking to use NAT to connect two networks together. -
@coreybrett Unbound has host overrides.
One can use a NAT forward on any interface…? Not clear on what you’re trying to do.
-
Site A is 192.168.1.0/24 with an internal zone of abc.local.
"A" records in the abc.local zone naturally point to addresses in the 192.168.1.0/24 network.Site B (a vendor perhaps) is connected to site A via an IPsec tunnel with NAT configured.
Therefore Site A is 192.168.2.0/24 from B's side.Any DNS lookups from site B using a DNS server at site A for the abc.local zone will get back a response with a 192.168.1.0/24 address which needs to be translated to the 192.168.2.0/24 network.
-
@coreybrett hmmm interesting question. So do these resources change very often?
In the b site it would be easy to just create records for abc.domain.tld to resolve the 192.168.2.x vs the 192.168.1.x
I hope the .local was just an example - not good practice to actually use .local, that is really reserved for mdns.
Also how hard would it be to just change the site network to say that 192.168.2.0/24 this would be a cleaner solution to the problem.
-
Yes, the .local was just an example
The real scenario is connecting two networks with existing AD infrastructures and overlaying subnets. There are hundreds of dynamically registered DNS records, so settings up a traditional split-brain is not practical.
-
@coreybrett off the top of my head I am not aware of a way to do what your asking. If 2 entities need to work together in such a way that is not just a few one offs that need to be gotten to, but dynamic clients with changing IPs that need to be accessed the best way would be for one side to bite the bullet and change their IP space..
If the 192.168.1.0/24 is not just another example - then they deserve the problem ;) Using the most common network on the planet prob going to come to bite in the ass at some point..
Or just live with do the dns query, and the human knows that hey use 192.168.X vs 192.168.Y
If its a bunch a dhcp clients - its not really a big deal to change to new range.
-
@coreybrett said in Translate network address for responses:
connecting two networks with existing AD infrastructures and overlaying subnets. There are hundreds of dynamically registered DNS records
If you change one of the subnet ranges then it becomes easy in this scenario...set up a domain override for each AD domain, pointing to the AD DNS server(s).
Firewall rules control access and pfSense routes the traffic.
-
unfortunately, changing the subnets is not an option at the moment
using IPsec with NAT will work, just looking for a way to translate the DNS as well
-
@coreybrett said in Translate network address for responses:
just looking for a way to translate the DNS as well
I try and keep up with all the latest tricks with dns, etc. and while you can do some pretty slick things with response zones in unbound.. I am not aware of such a transformation..
While it might be painful - to be honest changing one of the networks to a new range is prob the best solution. If your clients are dhcp - its really clicky clicky sort of thing.. Its not as hard as people think it is.. Now if you had 254 static settings where you had to go and touch 250 devices by hand - well yeah pita for sure. But if the most of the scope is dynamic - its a click and they reboot. Or even simpler just run a both networks for a bit, setting up a vip on the pfsense IP and just let clients move over as they update their lease..
Sure it takes a little planning.. But it is best solution to such a problem.
