Netgate Discussion Forum
    DNS related

    DHCP and DNS
    16 Posts 4 Posters 1.4k Views
    • Gertjan @mohitsofat

      @mohitsofat said in DNS related:

      My pfSense server IP is 192.168.0.1, that of the DNS server is 192.168.0.2 (or a public IP), and that of the client is 192.168.0.3. If I put 192.168.0.1 (i.e. pfSense) as the DNS server address in my client, and in pfSense I put 192.168.0.2 as the DNS address, then will my DNS server see that the request is coming from 192.168.0.3 (the client), or will it see that the request is coming from 192.168.0.1?

      Let me get this straight:

      1. Your client has this DNS server: 192.168.0.1 == pfSense
      2. The DNS of pfSense is forwarding to 192.168.0.2: your internal DNS server.

      Then it's normal that the client sees DNS replies from 192.168.0.1 == pfSense, because it was asking pfSense for DNS resolution.

      You can check 1) and 2): enable the logs, and check them on both DNS servers.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??
    • mohitsofat

      Thanks for your prompt reply.
      Sir, you are perfectly right that the client sees the DNS of pfSense only.
      But my question is: is there any way that my DNS 192.168.0.2 (external, or my own DNS server) sees that the request is coming from 192.168.0.3, not from my pfSense, i.e. 192.168.0.1? If so, how? I am not able to put 192.168.0.3 in my client because I have a web ERP hosted locally, and pfSense is resolving the queries of my internally connected clients; on that basis, if the query is from the internal LAN then users have access to the ERP system, but if it's from outside then only a few people have limited access from the outside world.
    • Gertjan @mohitsofat

      @mohitsofat said in DNS related:

      Sir, you are perfectly right that the client sees the DNS of pfSense only.

      Sees?
      If you are using a static setup - or DHCP, for that matter - you can set the DNS servers you want for any device. You decide. If it should be 192.168.0.2, clients will not decide otherwise.
    • mohitsofat

      @mohitsofat said in DNS related:

      But my question is: is there any way that my DNS 192.168.0.2 (external, or my own DNS server) sees that the request is coming from 192.168.0.3, not from my pfSense, i.e. 192.168.0.1, if the client has DNS setting 192.168.0.1 and pfSense has DNS setting 192.168.0.2?
    • mohitsofat

      If I put the IP address of my external DNS server in the DNS settings of pfSense, then will pfSense send its own IP address to that external DNS server, or will it forward the client IP address to that server?
    • Gertjan @mohitsofat

      @mohitsofat said in DNS related:

      if the client has DNS setting 192.168.0.1 and pfSense has DNS setting 192.168.0.2

      So 192.168.0.3 (client) sends to 192.168.0.1 (pfSense).

      In that case:

      @mohitsofat said in DNS related:

      any way that my DNS 192.168.0.2 (external, or my own DNS server) sees that the request is coming from 192.168.0.3, not from my pfSense

      The client sends to pfSense.
      pfSense sends (== forwards) to your local DNS server.
      The DNS server does not receive directly from the client.

      Clients will ask "DNS Server" 192.168.0.2 directly if they are instructed (by you) to do so.
    • johnpoz LAYER 8 Global Moderator

      @mohitsofat said in DNS related:

      resolving the queries of my internally connected clients; on that basis, if the query is from the internal LAN then users have access to the ERP system

      So let me get this right?? You're using DNS views to restrict who can resolve your ERP.. and then using this as a control method.. i.e. if they can not resolve it then they can not access it... but if they can resolve it then they can access it? There is no "firewall" that prevents access from unwanted IPs as source?

      Dude that is borked! ;) That is not a secure solution at ALL!!

      Please tell me I am wrong in my assumptions from your statement.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11
    • jahonix @mohitsofat

      @mohitsofat said in DNS related:

      If I put the IP address of my external DNS server in the DNS settings of pfSense, then will pfSense send its own IP address to that external DNS server, or will it forward the client IP address to that server?

      If you want your clients to query your special DNS @192.168.0.2 then put that address in the client's DNS field, either statically or assigned by a DHCP server.
      Apart from the ability of doing so, this is not secure in any way. But you were told so already.
      Why don't you just set up rules in your firewall/router to allow or restrict access to your ERP system? That's the secure way.
    • mohitsofat @Gertjan

      @gertjan said in DNS related:

      So 192.168.0.3 (client) sends to 192.168.0.1 (pfSense).
      In that case:
      @mohitsofat said in DNS related:

      any way that my DNS 192.168.0.2 (external, or my own DNS server) sees that the request is coming from 192.168.0.3, not from my pfSense

      The client sends to pfSense.
      pfSense sends (== forwards) to your local DNS server.
      The DNS server does not receive directly from the client.
      Clients will ask "DNS Server" 192.168.0.2 directly if they are instructed (by you) to do so.

      You got it right this time.
      "Clients will ask "DNS Server" 192.168.0.2 directly if they are instructed (by you) to do so." Can this be done by putting pfSense in the middle, i.e. clients are connected to pfSense and pfSense sends the client's DNS query to the DNS server with the client IP address, so my external DNS knows that the following request is made by such a client?
      My motive behind this is that I am working on a web filtering application, but I also want to use the features of pfSense; that's why I instructed my clients to look for DNS queries in pfSense.
    • johnpoz LAYER 8 Global Moderator

      @mohitsofat said in DNS related:

      DNS server query of client with client IP address

      Where did you get the idea that any forwarder or resolver would do such a thing?

      Are you wanting to use EDNS0 [RFC6891], RFC 7871?

      The idea behind that is not to hand the client's full IP but the subnet.

      ECS: EDNS Client Subnet

      This can be used for handing back the correct IP, normally based upon the geo location of the subnet that is asking the go-between resolver.. This is not something you would use running a local resolver - what would be the point in geo location handing the upstream forwarder or NS along the path when resolving RFC 1918 space..

      I think OpenDNS and Google DNS might support ECS? This is meant so these global anycast DNS can hand out better geo-located answers for resources housed in a global CDN.

      So when they answer back for say www.globaldomain.net from someone in the EU vs someone in the US, based upon where the original query came from, they don't hand back the EU CDN IP to the US client, etc.

      This is NOT something unbound in pfSense should be doing as it resolves.. Handing out its local RFC 1918 client subnet to something upstream makes no sense...

      Unbound can do it..
      EDNS Client Subnet Module Options
      The ECS module must be configured in the module-config: "subnetcache validator iterator" directive and be compiled into the daemon to be enabled

      But I doubt it's enabled in pfSense... Could look I guess - but I don't see how that would make sense to use in the normal use case of unbound on pfSense.. And for sure NOT meant as a security control!!!
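To make johnpoz's point about RFC 7871 concrete, here is an added example (written for this edit; it is not code from the thread, from unbound or from pfSense) that builds and parses the EDNS Client Subnet option by hand. It shows what an ECS-enabled forwarder actually places in the upstream query: the client's prefix cut to the configured source prefix length with the remaining bits zeroed, never the client's full address. The function names, the choice of the thread's client 192.168.0.3 with a /24 source prefix, and the IPv6 documentation address 2001:db8::1 are all assumptions made for the example; `carries_private_subnet` simply flags the case johnpoz describes, an RFC 1918 prefix being handed to something upstream.

```python
"""EDNS Client Subnet (RFC 7871) option, built and parsed by hand.

Added example for this thread; not code from pfSense or unbound.
Option layout inside the OPT RR's RDATA (RFC 7871 section 6):

    OPTION-CODE          2 bytes  (8 = edns-client-subnet)
    OPTION-LENGTH        2 bytes
    FAMILY               2 bytes  (1 = IPv4, 2 = IPv6)
    SOURCE PREFIX-LENGTH 1 byte
    SCOPE PREFIX-LENGTH  1 byte   (0 in queries)
    ADDRESS              ceil(SOURCE PREFIX-LENGTH / 8) bytes, trailing bits zero
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8   # IANA EDNS option code for Client Subnet
EDNS_OPT_TYPE = 41    # RR type of the OPT pseudo-record that carries EDNS options

_ADDR_CLASS = {1: ipaddress.IPv4Address, 2: ipaddress.IPv6Address}
_NET_CLASS = {1: ipaddress.IPv4Network, 2: ipaddress.IPv6Network}


def build_ecs_option(client_ip: str, source_prefix_len: int) -> bytes:
    """Encode the ECS option a forwarder would send for client_ip/source_prefix_len.

    Only the first source_prefix_len bits of the address are transmitted; the
    host bits are masked to zero and the address is cut to whole bytes.
    """
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    if not 0 <= source_prefix_len <= addr.max_prefixlen:
        raise ValueError("prefix length out of range for this address family")
    net = _NET_CLASS[family]((int(addr), source_prefix_len), strict=False)
    address_bytes = net.network_address.packed[: (source_prefix_len + 7) // 8]
    payload = struct.pack("!HBB", family, source_prefix_len, 0) + address_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs_option(option: bytes) -> dict:
    """Decode one ECS option and enforce the length and zero-padding rules."""
    if len(option) < 4:
        raise ValueError("option header truncated")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    payload = option[4:4 + length]
    if len(payload) != length or length < 4:
        raise ValueError("ECS payload truncated")
    family, source_len, scope_len = struct.unpack("!HBB", payload[:4])
    if family not in _ADDR_CLASS:
        raise ValueError(f"unknown address family {family}")
    total_len = 4 if family == 1 else 16
    if source_len > total_len * 8:
        raise ValueError("SOURCE PREFIX-LENGTH exceeds address size")
    address_bytes = payload[4:]
    if len(address_bytes) != (source_len + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    # Pad back to a full address, then check that no bits past the prefix are set.
    padded = address_bytes + b"\x00" * (total_len - len(address_bytes))
    addr = _ADDR_CLASS[family](padded)
    net = _NET_CLASS[family]((int(addr), source_len), strict=False)
    if net.network_address.packed[: len(address_bytes)] != address_bytes:
        raise ValueError("bits beyond SOURCE PREFIX-LENGTH must be zero (RFC 7871)")
    return {
        "family": family,
        "source_prefix_len": source_len,
        "scope_prefix_len": scope_len,
        "subnet": str(net),
    }


def build_opt_rr(options: bytes, udp_payload_size: int = 1232) -> bytes:
    """Wrap EDNS options in an OPT pseudo-RR (RFC 6891): root name, type 41,
    UDP payload size in the CLASS field, extended RCODE/version/flags all zero."""
    header = struct.pack("!HHIH", EDNS_OPT_TYPE, udp_payload_size, 0, len(options))
    return b"\x00" + header + options


def carries_private_subnet(option: bytes) -> bool:
    """True when the ECS option would hand a private (e.g. RFC 1918) prefix upstream."""
    return ipaddress.ip_network(parse_ecs_option(option)["subnet"]).is_private


if __name__ == "__main__":
    # Constructed sample: the thread's client 192.168.0.3 behind a forwarder using /24.
    opt = build_ecs_option("192.168.0.3", 24)
    print(opt.hex())                    # 0008 0007 0001 18 00 c0a800: only 192.168.0 is sent
    print(parse_ecs_option(opt))
    print(carries_private_subnet(opt))  # True: exactly the case that makes no sense upstream
```

Running it shows the upstream side only ever learns 192.168.0.0/24, and the parser rejects an option whose trailing bits are non-zero, which is the check a resolver should apply before trusting a received ECS option.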
    • mohitsofat @johnpoz

      @johnpoz said in DNS related:

      @mohitsofat said in DNS related:

      DNS server query of client with client IP address

      Where did you get the idea that any forwarder or resolver would do such a thing?

      Are you wanting to use EDNS0 [RFC6891], RFC 7871?

      The idea behind that is not to hand the client's full IP but the subnet.

      ECS: EDNS Client Subnet

      This can be used for handing back the correct IP, normally based upon the geo location of the subnet that is asking the go-between resolver.. This is not something you would use running a local resolver - what would be the point in geo location handing the upstream forwarder or NS along the path when resolving RFC 1918 space..

      I think OpenDNS and Google DNS might support ECS? This is meant so these global anycast DNS can hand out better geo-located answers for resources housed in a global CDN.

      So when they answer back for say www.globaldomain.net from someone in the EU vs someone in the US, based upon where the original query came from, they don't hand back the EU CDN IP to the US client, etc.

      This is NOT something unbound in pfSense should be doing as it resolves.. Handing out its local RFC 1918 client subnet to something upstream makes no sense...

      Unbound can do it..
      EDNS Client Subnet Module Options
      The ECS module must be configured in the module-config: "subnetcache validator iterator" directive and be compiled into the daemon to be enabled

      But I doubt it's enabled in pfSense... Could look I guess - but I don't see how that would make sense to use in the normal use case of unbound on pfSense.. And for sure NOT meant as a security control!!!

      Hi Sir, thanks for your reply.
      Where did you get the idea that any forwarder or resolver would do such a thing?
      As explained above, I am working on an application for filtering websites,
      an alternative to Squid and SquidGuard; it's a DNS filtering app.
      Now I have 2 options:
      1. Directly put the DNS address in my client.
      2. Put that DNS address in pfSense.
      If I choose the 2nd option, then is there any method by which pfSense will transfer the IP of my client to the DNS server?
      That's how the idea came into my mind.

      Regarding the use of EDNS0 [RFC6891], RFC 7871:
      No, I am not going into that, as we only differentiate whether the request is coming from the internal LAN or from an external IP, and that we are already doing with pfSense.
      Regards
    • Gertjan @mohitsofat

      @mohitsofat said in DNS related:

      .... is there any method by which pfSense will transfer the IP of my client to the DNS server?

      The DNS server will know the IP of the client.
      When a client has to resolve something, it addresses itself to the DNS server. The DNS server "does what it has to do", and sends back the answer to the client.

      Why the firewall/router should send the IP of a possible LAN client ... that's totally new to me.
      The local DNS server knows when a request comes from a local network, or elsewhere.
    • johnpoz LAYER 8 Global Moderator

      @mohitsofat said in DNS related:

      pfSense will transfer the IP of my client to the DNS server.

      And why would you think it would do this?? You want to write a DNS filtering app - but don't know how DNS works??

    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.