DNS Doctoring in pfsense
-
I know this is really old, but I am having trouble finding any more recent discussion. dnsmasq has a feature called alias which allows replacing the IP addresses for returned results. It would be cool if this could pull automatically from the 1:1 NAT settings. I don't think unbound has a similar option.
-V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
Modify IPv4 addresses returned from upstream nameservers; old-ip is replaced by new-ip. If the optional mask is given then any address which matches the masked old-ip will be re-written. So, for instance --alias=1.2.3.0,6.7.8.0,255.255.255.0 will map 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what Cisco PIX routers call "DNS doctoring". If the old IP is given as a range, then only addresses in the range, rather than a whole subnet, are re-written. So --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
-
@yakatz at the bottom of dns resolver settings is host and domain overrides :)
-
@sparkyMcpenguin That is different. Let's say my public IP address is x.y.z.10 and that has a 1:1 NAT mapping to 192.168.100.10. The alias feature would allow me to change any returned A record that contains x.y.z.10 to 192.168.100.10 without knowing about it in advance.
One example use case where this would be extremely useful: We have a cPanel server using 1:1 NAT, and our customers can add new subdomains or hosts as they please, so we can't specify them all in advance as host overrides. This feature allows split DNS to work transparently with this use case because the IP addresses are replaced on the fly.
-
@yakatz
virtual IPs under firewall?
-
@sparkyMcpenguin Any of those options assume that you are working with specific hostnames. I am talking about having it work based on the IP address returned in the record. dnsmasq has built-in support for this, so I am suggesting the config be automatically built from the NAT configuration. (It looks like unbound might be able to use a python filter, but that is probably a lot more complicated.)
-
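The alias rewriting described in the first post, and the 1:1 NAT use case in the later replies, as an added example that is not part of this thread and is not code from dnsmasq or pfSense: a Python model of the --alias semantics from the man page text quoted above (exact, masked and ranged forms), a generator that turns 1:1 NAT pairs into the alias= lines the poster wants built automatically, and a pass over a constructed A/AAAA answer. The NAT pairs, hostnames and addresses are constructed (RFC 5737 and RFC 1918 space), and first-match-wins ordering across rules is this model's choice, not something the man page excerpt states.

```python
"""
Model of dnsmasq's --alias ("DNS doctoring") rewriting, plus a generator that
turns 1:1 NAT pairs into equivalent alias= lines. Added example, not code from
dnsmasq or pfSense. All addresses and names below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ALL_ONES = 0xFFFFFFFF


def _ip(s: str) -> int:
    """IPv4 dotted quad -> integer."""
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class AliasRule:
    """One alias rule: old-ip (or start-end range), new-ip, optional mask.

    Per the man page: with a mask, an address matches if it equals old-ip
    under the mask; with a range, only addresses inside the range match.
    Host bits below the mask are carried over onto new-ip. Without a mask
    the mask is all ones, so the rewrite is an exact substitution.
    """
    start: int
    end: int
    new: int
    mask: int = ALL_ONES
    ranged: bool = False

    def rewrite(self, addr: str) -> Optional[str]:
        """Return the doctored address, or None if this rule does not apply."""
        a = _ip(addr)
        if self.ranged:
            if not self.start <= a <= self.end:
                return None
        elif (a & self.mask) != (self.start & self.mask):
            return None
        doctored = (a & ~self.mask & ALL_ONES) | (self.new & self.mask)
        return str(ipaddress.IPv4Address(doctored))


def parse_alias(spec: str) -> AliasRule:
    """Parse the value of one alias= line: old|start-end,new[,mask]."""
    parts = spec.split(",")
    if len(parts) not in (2, 3):
        raise ValueError(f"bad alias spec: {spec!r}")
    old, new = parts[0], _ip(parts[1])
    mask = _ip(parts[2]) if len(parts) == 3 else ALL_ONES
    if "-" in old:
        first, last = old.split("-", 1)
        return AliasRule(_ip(first), _ip(last), new, mask, ranged=True)
    return AliasRule(_ip(old), _ip(old), new, mask)


def alias_lines_from_1to1_nat(pairs: Sequence[Tuple[str, str]]) -> List[str]:
    """Turn (external, internal) 1:1 NAT pairs into dnsmasq alias= lines.

    A host pair becomes an exact rewrite; a subnet pair of equal prefix
    length becomes a masked rewrite so every host in the block is covered.
    """
    lines = []
    for ext, internal in pairs:
        e = ipaddress.ip_network(ext, strict=False)
        i = ipaddress.ip_network(internal, strict=False)
        if e.prefixlen != i.prefixlen:
            raise ValueError(f"prefix length mismatch: {ext} vs {internal}")
        line = f"alias={e.network_address},{i.network_address}"
        if e.prefixlen < 32:
            line += f",{e.netmask}"
        lines.append(line)
    return lines


def doctor_answers(records, rules):
    """Rewrite A records in an answer; first matching rule wins (model's choice).

    Other record types (AAAA etc.) pass through untouched, since the feature
    as documented only touches IPv4 addresses.
    """
    out = []
    for name, rtype, rdata in records:
        if rtype == "A":
            for rule in rules:
                new = rule.rewrite(rdata)
                if new is not None:
                    rdata = new
                    break
        out.append((name, rtype, rdata))
    return out


# Constructed 1:1 NAT table: one host mapping and one /26 block mapping.
NAT_PAIRS = [
    ("203.0.113.10/32", "192.168.100.10/32"),
    ("203.0.113.64/26", "10.20.0.64/26"),
]

# Constructed answer as it would come back from upstream for customer names
# the firewall has never heard of: two hit the NAT space, two do not.
SAMPLE_ANSWER = [
    ("www.customer.example", "A", "203.0.113.10"),
    ("shop.customer.example", "A", "203.0.113.70"),
    ("other.example", "A", "198.51.100.5"),
    ("www.customer.example", "AAAA", "2001:db8::10"),
]


def demo():
    """Build rules from the NAT table and doctor the sample answer."""
    lines = alias_lines_from_1to1_nat(NAT_PAIRS)
    rules = [parse_alias(line.split("=", 1)[1]) for line in lines]
    return doctor_answers(SAMPLE_ANSWER, rules)


if __name__ == "__main__":
    for line in alias_lines_from_1to1_nat(NAT_PAIRS):
        print(line)
    for rec in demo():
        print(rec)
```

The generator is the point of the thread's feature request: the only input is the NAT table, so a customer adding a new hostname that resolves to an address in the mapped block is doctored without any per-name override. Note that a rewrite only covers A records; a name served over IPv6 is untouched, and any record type carrying an address in rdata other than A (for example an SRV target that is later resolved separately) is still doctored only at the A lookup.
-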
Live configuration from one site:
-
@yakatz
Under System > Advanced > Network Address Translation, would NAT reflection options be useful for this?
-
@sparkyMcpenguin We have tried it, but we could never get it to work reliably, possibly because of our multi-WAN, multi-LAN and VPN configuration.
-
@yakatz
Out of curiosity, how many different DNS resolvers (for system use, not what is given to clients) are set up? Also, is there a dynamic DNS configuration?
-
@sparkyMcpenguin All static IPs. We are currently using unbound, so no upstream DNS servers.
-
@yakatz only unbound (and assuming the Root servers)?
So in General settings there's no added DNS; what about 'allow override on WAN', allowing the ISP to override the DNS? (I personally didn't want this option. In order for me to get my cell phone carrier MMS and wifi calling to work, I had to add extra DNS. I started with just unbound and Cloudflare. No go on picture messages etc. Added Google, and those features started working. Added Quad9 for a third because I like redundancy.)
Getting to the rest of my thought: when was the last reboot, or states reset? pfBlockerNG packet counter clear (if applicable; this affected me on certain things)?
-
@yakatz said in DNS Doctoring in pfsense:
@sparkyMcpenguin All static IPs. We are currently using unbound, so no upstream DNS servers.
My logic with redundancy in my DNS resolver choices is "I don't trust just one source". If that source gets corrupted or altered (lol, sort of like what you're trying to do, but you're doing it for a legitimate thing) then I'm sure there are billions more IP addresses out there to tell everyone else that your IP result is incorrect(?)
When I added more than one DNS I also changed my ASN check settings to 1 hour (just because I want it to update faster; I assume the default 24 hours would cause ... 24 hours wait time for the change to take effect, for verifying the cache in unbound).
-
@sparkyMcpenguin Currently 31 days uptime, was about 600 days until a recent reboot. Never had any problems with DNS using unbound in resolver mode.
-
@yakatz said in DNS Doctoring in pfsense:
@sparkyMcpenguin Currently 31 days uptime, was about 600 days until a recent reboot. Never had any problems with DNS using unbound in resolver mode.
31 days, is that when the problems started?
-
@yakatz said in DNS Doctoring in pfsense:
@sparkyMcpenguin All static IPs. We are currently using unbound, so no upstream DNS servers.
My bad, I misread this. When I said dynamic DNS I meant an external DynDNS service to resolve your ISP-given IP address, not DHCP from pfSense.
-
@sparkyMcpenguin That is what I meant too. We are not using any dynamic DNS from outside. We have static IPs allocated by our ISP going to internal servers with 1:1 NAT. To restate, many of the systems allow our customers to create their own DNS records pointing to our IP addresses. The firewall has no way to know what these DNS records are in advance, but DNS Doctoring (or alias as dnsmasq calls it) allows Split DNS to work with no additional configuration.
-
@yakatz
Are you using the forwarder on the WAN? Or am I mixing up the functionality of that?
-
@sparkyMcpenguin said in DNS Doctoring in pfsense:
@yakatz said in DNS Doctoring in pfsense:
@sparkyMcpenguin All static IPs. We are currently using unbound, so no upstream DNS servers.
My logic with redundancy in my DNS resolver choices is "I don't trust just one source". If that source gets corrupted or altered (lol, sort of like what you're trying to do, but you're doing it for a legitimate thing) then I'm sure there are billions more IP addresses out there to tell everyone else that your IP result is incorrect(?)
When I added more than one DNS I also changed my ASN check settings to 1 hour (just because I want it to update faster; I assume the default 24 hours would cause ... 24 hours wait time for the change to take effect, for verifying the cache in unbound).
Regarding my 'redundancy' comment, the further logic being maybe helping to prevent ARP poisoning? Just two cents.
-
@yakatz said in DNS Doctoring in pfsense:
@sparkyMcpenguin That is what I meant too. We are not using any dynamic DNS from outside. We have static IPs allocated by our ISP going to internal servers with 1:1 NAT. To restate, many of the systems allow our customers to create their own DNS records pointing to our IP addresses. The firewall has no way to know what these DNS records are in advance, but DNS Doctoring (or alias as dnsmasq calls it) allows Split DNS to work with no additional configuration.
What about a 'Proxy ARP' VIP under firewall for each host? Wikipedia page for reference: Proxy ARP
This and (maybe needed, not quite sure, but you did say 'dnsmasq') having the forwarder (I see it say dnsmasq a lot on there, I just don't use it) on the WAN.