Netgate Discussion Forum

    Best Practice? How to set up DNS for roving admin laptop between subnets

    DHCP and DNS
    • T
      The Party of Hell No @MrPete
      last edited by

      @MrPete
      Good clarification. The problem is not the DHCP IP assignments (that works) but the DNS side assignment.

      I still need clarification: the DNS server, when queried, always returns the first IP listed in /etc/hosts, which is AdminA? So no matter the location, moving around the organization on different subnets, it assigns the DNS host AdminA? What you want is for it to be assigned, maybe, AdminB when you move to a second location?

      As for the DNS reload (you may know this already), there are two choices. One is "Register DHCP leases in the DNS Resolver" and the other is "Register DHCP static mappings in the DNS Resolver". The first reloads the DNS server every time a new inquiry is requested and the second only reloads with each addition of a DHCP static mapping. Learned this myself recently.

      • MrPeteM
        MrPete @The Party of Hell No
        last edited by MrPete

        @The-Party-of-Hell-No
        Consider a single admin laptop. I've assigned static IP's on each subnet for that one laptop, so it gets the appropriate IP address when connected to that subnet.

        Here's what ends up in /etc/hosts as a result:

        192.168.11.10     AdminA.dom.ain AdminA
        192.168.220.10    AdminA.dom.ain AdminA
        10.8.0.10         AdminA.dom.ain AdminA
        172.16.99.10      AdminA.dom.ain AdminA

        ...and the DNS Resolver simply pulls the first entry it sees (192.168.11.10) and returns THAT, no matter what actual IP address was assigned by DHCP.

        A painful mess!

        • DHCP works. Whatever subnet AdminA is connected to, the correct static IP is assigned and returned.
        • DNS resolver fails. Whatever subnet AdminA is connected to, DNS returns 192.168.11.10

        That makes no sense to me. I assume I'm doing something wrong, but maybe this is just a bug.

        • MrPeteM
          MrPete @JKnott
          last edited by

          @JKnott the advantage of using non-default servers on guest Wifi is that you're hiding the internal endpoints. That's fine.
          But even internal endpoints need access to outside DNS, so it's necessary to have a single DNS address that resolves both.

          The extreme case is our email server:

          • Up to 20 incoming email attempts per second at the extreme, most of which are blocked by RBL lists (accessed through DNS, and with a big cache to keep it efficient.)
          • AND it must recognize internal names of course ;)
          • This is why I don't want to reload Unbound on every registration.

          Yes, good that static IP's don't cause a reload. Yet we have DHCP for a reason ;) ...

          I suppose it's quite logical to rethink that part of the situation as follows:

          1. Endpoints we actually care about ought to receive static IP's. This will not harm Unbound.
          2. Guest endpoints don't need to be registered anyway. They need a (DHCP) IP address, that's all.

          Assuming this simple logic is correct, a best practice is to simply disable DHCP registration of new endpoints in DNS and not worry about it ;)

          That DOES sit well with me. THANKS!

          All I have left to resolve then is the multi-subnet-static-IP strangeness.

          • T
            The Party of Hell No @MrPete
            last edited by The Party of Hell No

            @MrPete
            I would agree, very strange behavior. From my perspective it almost appears as a host override in the DNS resolver.
            MAC address restriction somewhere else?

            • MrPeteM
              MrPete @The Party of Hell No
              last edited by

              @The-Party-of-Hell-No No address restrictions, not that I know of...

              Particularly since DHCP is not confused at all :)

              • P
                Patch @MrPete
                last edited by

                @MrPete said in Best Practice? How to set up DNS for roving admin laptop between subnets:

                My situation seems semi-"normal" to me yet the solution evades me.

                CONTEXT

                Multi-subnet LAN with subnets for secure internal, server, guest, IoT and more. Four WiFi SSID's mapped into some subnets.
                At least one admin laptop can rove between subnets via WiFi or hardwired ports, making use of reserved IP's.

                My understanding is that best practice is to configure the network to not allow access on untrusted networks such as WAN, Guest, IoT. And if greater security is desired, an admin LAN/VLAN is created for administrator tasks.

                Allowing admin access from a particular IP address allows any bad player to do the same just by listening to traffic on the network, then manually setting their IP.

                • GertjanG
                  Gertjan @MrPete
                  last edited by

                  @MrPete said in Best Practice? How to set up DNS for roving admin laptop between subnets:

                  192.168.11.10 AdminA.dom.ain AdminA
                  192.168.220.10 AdminA.dom.ain AdminA
                  10.8.0.10 AdminA.dom.ain AdminA
                  172.16.99.10 AdminA.dom.ain AdminA

                  The same device can be present in multiple networks.
                  Does this device have a server role? Is it used by other devices in the network it is connected to? Is it exposing services?
                  Why do you need to have an identical network DNS name known in every network?

                  Why not:
                  192.168.11.10 AdminA-1.dom.ain AdminA-1
                  192.168.220.10 AdminA-2.dom.ain AdminA-2
                  10.8.0.10 AdminA-3.dom.ain AdminA-3
                  172.16.99.10 AdminA-4.dom.ain AdminA-4

                  So, if any device in network 192.168.11.0/24 needs the services of AdminA-1, it will always have the IP 192.168.11.10 (until it isn't there, as it is visiting other networks ...)
                  Etc.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit: and where are the logs??

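Added example (written for this edit, not code from the thread, from pfSense or from Unbound): a small Python model of the two posts above. It parses the four AdminA lines MrPete quoted from /etc/hosts, shows the first-match lookup he observed (the first listed address wins wherever the client is), a subnet-aware lookup that instead returns the address sharing the querying client's subnet, and Gertjan's per-subnet-name alternative (AdminA-1 ... AdminA-4). The subnet masks, the client addresses and the extra printer line are assumptions; only the AdminA addresses come from the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the four AdminA lines quoted in the thread plus one extra
# host and a comment line, so the parser has something to skip and to keep apart.
SAMPLE_HOSTS = """\
# constructed sample of pfSense's generated host entries
192.168.11.10    AdminA.dom.ain AdminA
192.168.220.10   AdminA.dom.ain AdminA
10.8.0.10        AdminA.dom.ain AdminA
172.16.99.10     AdminA.dom.ain AdminA
192.168.11.20    printer.dom.ain printer
"""

# Assumed subnet layout; the thread names the host addresses, not the masks.
SUBNETS = [ipaddress.ip_network(n) for n in
           ("192.168.11.0/24", "192.168.220.0/24", "10.8.0.0/24", "172.16.99.0/24")]


def parse_hosts(text):
    """Map every name (FQDN and short alias, case-folded) to its addresses in file order."""
    table = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        ip = ipaddress.ip_address(addr)
        for name in names:
            table[name.lower()].append(ip)
    return dict(table)


def first_match(table, name):
    """The behaviour MrPete observed: the first listed address wins, wherever the client is."""
    addrs = table.get(name.lower())
    return addrs[0] if addrs else None


def subnet_aware(table, name, client_ip, subnets=SUBNETS):
    """Return the address that shares a subnet with the querying client; fall back to first."""
    addrs = table.get(name.lower())
    if not addrs:
        return None
    client = ipaddress.ip_address(client_ip)
    client_net = next((n for n in subnets if client in n), None)
    if client_net is not None:
        for ip in addrs:
            if ip in client_net:
                return ip
    return addrs[0]        # client is off every known subnet: same answer as first_match


def per_subnet_aliases(table, name):
    """Gertjan's alternative: one distinct name per address (AdminA-1, AdminA-2, ...)."""
    addrs = table.get(name.lower(), [])
    return {f"{name}-{i}": str(ip) for i, ip in enumerate(addrs, start=1)}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for client in ("192.168.11.55", "172.16.99.55", "203.0.113.9"):
        print(client, "first:", first_match(hosts, "AdminA"),
              "subnet-aware:", subnet_aware(hosts, "AdminA", client))
    print(per_subnet_aliases(hosts, "AdminA"))
```

The subnet-aware function is a model of what the roving-laptop case needs, not something the stock host registration does. Unbound itself can hand out different local data per client netblock through its `view:` and `access-control-view:` options; on pfSense that would have to be entered through the resolver's custom options (an assumption about the GUI, not something the thread confirms), which is why per-subnet names as Gertjan suggests are the lower-effort route.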
                  • Dobby_D
                    Dobby_
                    last edited by

                    Could it be that VLANs here will do the trick?

                    VLAN1 = Admin laptop
                    VLAN2 = WiFi
                    VLAN3 = LAN
                    VLAN4 = Servers

                    Over the switch

                    • Your admin laptop is only in VLAN1 and all devices too!
                      Switch ACLs then regulate "what is allowed for whom"

                    Over pfSense

                    • Your admin laptop is a member of all VLANs
                      Firewall rules will regulate "who is allowed to do what"

                    #~. @Dobby

                    Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                    PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                    PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                    • JKnottJ
                      JKnott @MrPete
                      last edited by

                      @MrPete said in Best Practice? How to set up DNS for roving admin laptop between subnets:

                      the advantage of using non-default servers on guest Wifi is that you're hiding the internal endpoints. That's fine.
                      But even internal endpoints need access to outside DNS, so it's necessary to have a single DNS address that resolves both.

                      I still use external DNS. I run a resolver for that, but I still configure local addresses on my DNS server. On my main LAN, I specify the local DNS addresses in DHCP, along with Google's DNS, just in case my own DNS server isn't working. My guest WiFi gets only the external servers. You can still specify the pfSense DNS, even though that would be the default.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      • MrPeteM
                        MrPete @JKnott
                        last edited by

                        @JKnott said in Best Practice? How to set up DNS for roving admin laptop between subnets:

                        I still use external DNS. I run a resolver for that, but I still configure local addresses on my DNS server. On my main LAN, I specify the local DNS addresses in DHCP, along with Google's DNS, just in case my own DNS server isn't working. My guest WiFi gets only the external servers. You can still specify the pfSense DNS, even though that would be the default.

                        Thanks for this. I'm not sure I am clear about all you are saying.

                        What (I think) is clear:

                        • "Guest WiFi gets only the external servers" -- so, you don't even point to pfSense DNS resolver, but to outside DNS such as Google or OpenDNS or whatever.

                        • "On my main LAN, I specify the local DNS addresses in DHCP, along with Google's DNS, just in case my own DNS server isn't working"

                          • I've never had to worry about internal DNS stopping, in many years... but OK.
                          • (We like to manage DNS access, to avoid various security issues... so we only provide access to outside DNS under specific conditions rather than as an always-available alternative...)

                        What feels a bit muddy:

                        • "I still use external DNS. I run a resolver for that, but I still configure local addresses on my DNS server." ... combined with
                        • "I specify the local DNS addresses in DHCP."

                        So...

                        • Do you use any static IP's? If so, are they in your DHCP, your DNS server, or both?
                        • What DNS server are you running?
                        • What do you mean when you say "I run a resolver for [external DNS]?" Are you simply saying that you use pfSense DNS Resolver, either with or without DNS Forwarding enabled?
                        • MrPeteM
                          MrPete @Dobby_
                          last edited by

                          @Dobby_ said in Best Practice? How to set up DNS for roving admin laptop between subnets:

                          Could it be that VLANs here will do the trick?

                          Nope. This is a SysAdmin laptop, used for problem resolution etc on any / all VLANs. It needs to be able to migrate to any VLAN at any time.

                          @Gertjan said in Best Practice? How to set up DNS for roving admin laptop between subnets:

                          The same device can be present in multiple networks.
                          Does this device have a server role? Is it used by other devices in the network it is connected to? Is it exposing services?
                          Why do you need to have an identical network DNS name known in every network?

                          NOT a server. A sysadmin tool.
                          Why identical name in every subnet? Because various system security and backup and other tools need to know that it is the AdminA endpoint. Yes, I COULD make it look like four different devices on four subnets, but there's a hassle and cost to that.
                          (Just for example, our backup system is able to back it up no matter how it is connected... and it is always recognized.)

                          DNSmasq easily handles this use case. I'm just surprised and saddened that pfSense DNS appears to not handle it properly. :(

                          • T
                            The Party of Hell No @MrPete
                            last edited by

                            @MrPete
                            I do the same thing... use the same host name and MAC address on three different LAN segments.

                            • P
                              Patch @MrPete
                              last edited by Patch

                              @MrPete said in Best Practice? How to set up DNS for roving admin laptop between subnets:

                              NOT a server. A sysadmin tool.

                              I believe you will find there is no "Best Practice" for what you are doing because what you are doing is not best practice or even supported practice.

                              • JKnottJ
                                JKnott @MrPete
                                last edited by

                                @MrPete

                                OK, let's see if I can make things clearer. I run the resolver that's included with pfSense.
                                Guests are not allowed to access anything on my network, including DNS. The only thing they can do is ping the VLAN interface.
                                I use static mapped IPv4 addresses for everything that lives here, other than my desktop computer and, of course, pfSense. I use SLAAC for IPv6.
                                Local DNS has an entry for all those devices for both IPv4 and IPv6 addresses.
                                Since I run a resolver, there's no forwarding involved.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.