Netgate Discussion Forum
    Confused about DNS forwarding and local domains

DHCP and DNS - 20 posts, 5 posters

johnpoz (LAYER 8 Global Moderator) wrote:

      @Jeremy11one said in Confused about DNS forwarding and local domains:

      everyone recommends using a subdomain of a real domain that we own

This is HORRIBLE advice - just horrible!!! If you want to use a domain that you own, fine - just make sure nothing is served up publicly on it.

Pretty sure MS even retracted that advice, or clarified how to do it, etc... There is just zero reason to use the same domain internally - none! Back what, like 25 years? Wow!!! Time goes fast! ;) Even back then, when young and stupid and moving to AD in the company I worked for then... We used domain.net internally for our AD domain, while all our public stuff was domain.com..

While you can for sure do it, it just takes more work - it's just easier to use something different internally than you use externally so you don't run into such issues. It's also easier when you don't have users accessing your public stuff hosted in the same location they are accessing stuff from... via a port forward or something... You shouldn't host stuff to the public from the network your users are on, nor even the same public IP they go out on, etc.. Mom and Pop shops have problems with this sort of stuff.. For an enterprise it's not that big of a deal.. because they normally have their own public space, and their IT staff knows what they are doing, etc. etc..

Let's be clear on something... It's great that you own the domain you're going to use internally.. Doesn't mean you should serve stuff to the public on the same domain.. This way you're pretty clear that if you merge with another company you don't have to worry about same domain names, etc.

Also keep in mind that AD DNS will be authoritative for that domain... So it would never forward something that doesn't exist in its namespace. This is way different than what the pfSense default setting is.. That is where the problem is - things change when you control the authoritative NS for the domain.. So even if you use the same domain locally, since your clients would all be pointing to your AD NS, you would never have to worry about them forwarding to public space and finding something that is not local - unless you specifically put in the record for that..

To be honest - the default for unbound should prob be static vs transparent.. But Netgate would know better their normal users' typical use cases. I personally don't get why it defaults to transparent - but I have not thought out all the possible use cases.. To be honest I would think most of their users just end up with the default localdomain as their TLD ;) And anyone knowing what they should set up for a domain should really already understand the implications if they are changing it.. But that is me with 30+ years experience in the field.. and a personal passion for DNS in general ;)

Mine has always been static, like first thing changed ;) And I don't even use anything that could ever be public - I use local.lan for my internal domain. There is just no reason for unbound to try and resolve something that I only use internally - it would just be noise going out to the public net..

I own multiple public domains, but I just don't see a valid reason to try and use one of those locally.. I host multiple things using different domains, just none of it hosted here... Now I do have a domain I use that points to my public IP; I use this to access my public IP for different things. But it's not the local name for anything - it's just the public-facing domain.. And I don't host the authoritative NS locally.. It's hosted publicly either at the registrar, a domain service I have, and even my own VPSes that I use to play with DNSSEC and BIND in general that are public facing, etc.

I could talk about DNS all day ;) So if you have DNS questions - I will more than likely chime in ;) hehehe

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Jeremy11one (replying to johnpoz) wrote:

        @johnpoz said in Confused about DNS forwarding and local domains:

        I could talk about dns all day ;) So if you have dns questions - I will more than likely chime in

        It's fantastic that knowledgeable people like you are willing to share advice with everyone, especially so quickly. Thank you again.

        This is HORRIBLE advice - just horrible!!!

        Here's a 2018 Microsoft page I found with contrary advice: link. I'm interested in your opinion to see if there's something that article hasn't taken into consideration.

To summarize the article:

Microsoft used to advise everyone to use a domain like "mycompany.local" or "mycompany.lan" (and Netgate seems to still recommend using .lan or .mylocal in their documentation and default values).

But about 10 years ago, MS changed their recommendation. Now they recommend against those domains because those domains are not officially reserved, so some day people might be able to buy domains with those TLDs or use them for other things, exactly like Apple did by registering .local to use for their mDNS feature. Everyone who previously used .local got burned when that happened, and there's nothing to guarantee that the same won't happen with .lan or .internal.

So now Microsoft recommends specifically using a subdomain of a domain we own. A less recommended option is what you mentioned, using .net for internal and .com for public, so that's ok too.

        Here's the list of IANA "special use" domains: link. .lan and .internal are not on that list (yet)

        Here are some more sites that agree that it's best to use an owned subdomain: spiceworks, serverfault, random blog, stack overflow, random blog, random blog, random forum, reddit

        Using pfSense "Virtual IPs" and Reverse NAT, one can set the lan hosts to use IP#1 and the DMZ servers to use IP#2, avoiding the problem of an infected lan host getting an email server blacklisted.

        I'd guess the reason "Transparent" is the default is to avoid breaking DNS for people and leaving them in total panic and confusion. People wouldn't expect pfSense to take over their DNS domain by default since it's "just a firewall". I like the idea of Transparent being the default but there should be a big message below it explaining the purpose of "Static" instead of the current mention (not even a link) to a webpage that isn't easy to understand.

        Fun!

johnpoz (LAYER 8 Global Moderator) wrote:

          @Jeremy11one said in Confused about DNS forwarding and local domains:

          exactly like Apple did by registering .local to use for their mDNS feature.

This is not an official TLD... Where do you think they registered it at? It is part of https://tools.ietf.org/html/rfc6762 - it's not an "Apple" thing per se... it's an mDNS thing.. You don't have to be an Apple product to use mDNS.

Sure there could be some change in direction and .lan or .internal could be used.. Then you switch to something else.. But I doubt .lan would ever be used as a public TLD.. nor .internal, since they make no sense in that context..

Sure someone could propose use of .whatever -- it will be either accepted or rejected by the community... which is the whole point of the RFC process.

Using the same exact domain you use internally as publicly to access stuff is a bad idea... Nowhere in their documents do they spell out that you should host shit on that domain as well as use it internally... They just state you should own it.. which sure is fine... But don't try and host shit on it to the public at the same time as using it internally..

People just read that into it... Where do they say you should host your site on www.domain.com, and then use site.domain.com for your AD? It's just that small ma and pa shops or users think "oh, I own domain.com, I will use that as my AD"... Not a good idea!!

Subdomains are used all the time for any location of a domain, or as a way to differentiate.... I use dmz.local.lan, wlan.local.lan for example..

Sure you could do internal.domain.com for your internal stuff if you wanted.. You just have to understand how DNS works, and what your client could be doing as it adds suffixes, etc. etc. Again it's not a problem when you're running an authoritative NS.... But it still is just easier and less likely to cause new users problems if they just use something different for their internal domain, that has no possible way to resolve publicly...

bb77 wrote:

            Hello folks

I think split DNS is quite common for homelabs or personal use and I even saw big corporations doing it. In my homelab I use "local.mydomain.tld" for all internal services and "mydomain.tld" for some public-facing services. All with one dynamic public IPv4 address. Internally I use separate networks/subnets for PCs/laptops, servers, IoT, DMZ etc. For professional use however, I would recommend at least two public IP addresses: one for hosting the external-facing stuff and one for your regular internet access. If you wanna self-host e-mail, a dedicated static IP is mandatory.

            On the pfsense side I did the following steps to set this up:

            • Disable NAT-Reflection

            • enter "local.mydomain.tld" to System->General Setup

            • enter your preferred upstream DNS-Servers in System->General Setup

            • "DNS Server Override" and "Disable DNS Forwarder" are both unchecked

            • Enable "DNS Query Forwarding" in Services->DNS Resolver->General Setup

            • Set "System Domain Local Zone Type" to "Static" in Services->DNS Resolver->General Setup

            • Enter A-Records for all Services in the Custom Options:

              server:
              # Internal-only names live under the internal subdomain and resolve to a
              # private address. "redirect" answers every name at or below the listed
              # name with this record.
              local-zone: "local-only-service1.local.mydomain.tld" redirect
              local-data: "local-only-service1.local.mydomain.tld 3600 IN A 192.168.10.10"
              server:
              local-zone: "local-only-service2.local.mydomain.tld" redirect
              local-data: "local-only-service2.local.mydomain.tld 3600 IN A 192.168.10.10"
              server:
              # Split DNS: internal clients get the server's internal address for the
              # public name, so no NAT reflection is needed.
              local-zone: "public-service1.mydomain.tld" redirect
              local-data: "public-service1.mydomain.tld 3600 IN A 10.0.10.10"

              etc...

            • For the internal networks you can now block all DNS traffic to DNS servers other than the firewall itself:

              Allow Source: * * -> Destination: "LAN address" 53
              Block: Source: * * -> Destination: * 53

            Everything seems to be working fine and I think for home use or even really small businesses this setup should be ok.

            @the experts:
            Please correct me if I did anything wrong or overlooked/missed something.

            Cheers

            foofighter77

johnpoz (LAYER 8 Global Moderator) wrote:
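The difference johnpoz draws above between the "transparent" and "static" local zone types, and the "redirect" entries in bb77's custom options, can be modelled in a few lines. The following is an added example; it is not code from this thread, from Netgate or from unbound. It implements the three zone types as unbound documents them (transparent: answer from local data if present, otherwise resolve normally; static: answer from local data if present, otherwise NXDOMAIN; redirect: every name at or below the zone gets the apex's data) and reports which queries would leave the firewall. The custom-options text, the system zone name and the "upstream" answers are constructed for the demo.

```python
"""Toy model of unbound local-zone types (transparent / static / redirect).

Added example, not code from the thread, Netgate or unbound. Sample
records and the stand-in "upstream" answers are constructed.
"""
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"

def _norm(name):
    """Lower-case and strip quotes and the trailing dot so names compare cleanly."""
    return name.strip('"').rstrip(".").lower()

@dataclass
class LocalZone:
    name: str                                  # zone apex, e.g. "local.mydomain.tld"
    ztype: str                                 # "transparent", "static" or "redirect"
    data: dict = field(default_factory=dict)   # owner name -> A record rdata

def _longest_match(zones, qname):
    """Most specific zone whose apex is qname or a suffix of it, or None."""
    best = None
    for z in zones:
        if qname == z.name or qname.endswith("." + z.name):
            if best is None or len(z.name) > len(best.name):
                best = z
    return best

def parse_custom_options(text):
    """Parse local-zone:/local-data: lines in the pfSense Custom Options shape."""
    zones, records = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("local-zone:"):
            name, ztype = line[len("local-zone:"):].split()
            zones[_norm(name)] = LocalZone(_norm(name), ztype)
        elif line.startswith("local-data:"):
            rr = line[len("local-data:"):].strip().strip('"')
            owner, _ttl, _cls, rtype, rdata = rr.split()
            if rtype != "A":
                raise ValueError("only A records are modelled: " + line)
            records.append((_norm(owner), rdata))
    for owner, rdata in records:   # attach data once every zone is known
        zone = _longest_match(zones.values(), owner)
        if zone is None:           # unbound implies a transparent zone here
            zone = zones.setdefault(owner, LocalZone(owner, "transparent"))
        zone.data[owner] = rdata
    return zones

class ToyResolver:
    def __init__(self, zones, upstream):
        self.zones = list(zones)
        self.upstream = upstream   # stand-in for what public DNS would answer
        self.forwarded = []        # queries that left the firewall

    def _ask_upstream(self, qname):
        self.forwarded.append(qname)
        return self.upstream.get(qname, NXDOMAIN)

    def query(self, qname):
        qname = _norm(qname)
        zone = _longest_match(self.zones, qname)
        if zone is None:
            return self._ask_upstream(qname)
        if zone.ztype == "redirect":
            return zone.data.get(zone.name, NXDOMAIN)
        if qname in zone.data:
            return zone.data[qname]
        if zone.ztype == "static":
            return NXDOMAIN        # answered locally; nothing leaves the firewall
        if zone.ztype == "transparent":
            return self._ask_upstream(qname)
        raise ValueError("unsupported zone type: " + zone.ztype)

# Constructed sample in the same shape as the custom options posted above.
CUSTOM_OPTIONS = """\
server:
local-zone: "local-only-service1.local.mydomain.tld" redirect
local-data: "local-only-service1.local.mydomain.tld 3600 IN A 192.168.10.10"
server:
local-zone: "public-service1.mydomain.tld" redirect
local-data: "public-service1.mydomain.tld 3600 IN A 10.0.10.10"
"""

# Constructed stand-in for the public DNS tree (documentation addresses).
UPSTREAM = {"www.mydomain.tld": "203.0.113.10",
            "public-service1.mydomain.tld": "203.0.113.10"}

def build(system_zone_type):
    """System domain zone (the GUI local zone type setting) plus the custom options."""
    zones = parse_custom_options(CUSTOM_OPTIONS)
    zones["local.mydomain.tld"] = LocalZone("local.mydomain.tld", system_zone_type)
    return ToyResolver(zones.values(), UPSTREAM)

def compare(qname):
    """(answer, left_the_firewall) for one query under static and under transparent."""
    result = {}
    for ztype in ("static", "transparent"):
        r = build(ztype)
        result[ztype] = (r.query(qname), qname in r.forwarded)
    return result

if __name__ == "__main__":
    for q in ("local-only-service1.local.mydomain.tld", "typo.local.mydomain.tld",
              "public-service1.mydomain.tld", "www.mydomain.tld"):
        print(q, compare(q))
```

Running it shows the point of the thread: a mistyped internal name such as typo.local.mydomain.tld is answered NXDOMAIN on the firewall when the system zone is static, but is sent upstream when it is transparent, while the split-DNS name public-service1.mydomain.tld gets the internal address either way and www.mydomain.tld (no local record) always goes upstream.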

You understand that host overrides can just be done in the GUI, right...

And why are you forwarding - why not just resolve... I fail to understand the fascination of users with handing over all their DNS queries to a specific company... but then they scream "my DNS is leaking"... Yeah, you're freaking leaking everything you do to company X ;) hehehehe on purpose!!

Jeremy11one (replying to johnpoz) wrote:

                @johnpoz said in Confused about DNS forwarding and local domains:

                And why are you forwarding - why not just resolve... I fail to understand the fascination of users to hand over all their dns queries to a specific company...

It's a neat situation of pros and cons. If we resolve, it's done in plaintext so the ISP and bad guys can see the queries. If we forward, it hands all our lookups to a third party, but at least those are encrypted and we can choose which third party to trust. So neither option can provide all the benefits. I'd say either option is reasonable depending on the situation.

johnpoz (LAYER 8 Global Moderator) wrote:

Yeah - my DNS resolving is too fast... Let me slow it up!!! and put in a TCP tunnel... 'Cuz you know, that ISP I pay for internet, that handles all my traffic and sees every IP I go to... Sure, and the F wouldn't want them to know I did a query for google.com..

If you're concerned with your ISP spying on you - then tunnel all your traffic through them... Forwarding DNS to some specific company is not solving anything other than slowing up your DNS and handing them everything you do on a silver freaking platter.

                  But sure have fun with that!

bb77 (replying to johnpoz) wrote:

                    @johnpoz:

When I first tried to set this up it didn't work as expected with the host overrides in the GUI. But it's quite possible that other things were configured wrong at that time ;-)

I send my DNS lookups to https://dns.digitale-gesellschaft.ch/ via DoT. I did not mention this before for the sake of simplicity. Sure, you have to trust that they keep their word with their privacy notice. But I trust them way more than I trust my ISP or any other commercial companies like Google, Cloudflare, Quad9 etc...

ahking19 (replying to bb77) wrote:

                      @foofighter77
                      "any other commercial companies like Google, Cloudflare, Quad9 etc..."

If you are resolving, these companies are not part of the equation. You are directly querying the root servers.

If you don't trust your ISP, using DoT doesn't completely solve your problem due to SNI. Server Name Indication (SNI) exposes the hostname the client is connecting to when establishing a TLS connection. So unless you have encrypted SNI or tunnel all your traffic through your ISP, you don't have privacy.

bb77 (replying to ahking19) wrote:

@ahking19 You're right, I mixed things up a bit. Google, Cloudflare etc. are not relevant in this case, unless you explicitly use them as your DNS provider. Which is what they literally do in every other YouTube tutorial ;-)

Total privacy is not my goal here. And like you said, there are always pros and cons in every situation. For me the most important thing is to keep the internet as decentralized as possible and as private as possible, and DoT with a trustworthy DNS provider seems like a reasonable compromise to me. For sure better than browsers with DoH via Cloudflare or Google enabled by default. ;-)

But thanks anyway for your correction and your addition about SNI. I was not fully aware of that little detail :-)

ahking19 (replying to bb77) wrote:

                          @foofighter77
Encrypted SNI is still being drafted, but hopefully we will have it soon in all web browsers, although you can already use it in Firefox - https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/

                          Good article from Cloudflare on Encrypted SNI if you are interested - https://blog.cloudflare.com/encrypted-sni/

bb77 (replying to ahking19) wrote:

@ahking19 Thank you. Sounds interesting, especially encrypted SNI together with DoT. The problem with DoH is that it uses port 443. And obviously you cannot block port 443 at the firewall level. Therefore any device or software with hardcoded DNS-over-HTTPS settings can bypass your DNS resolver/forwarder.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.