Confused about DNS forwarding and local domains
-
@Jeremy11one said in Confused about DNS forwarding and local domains:
exactly like Apple did by registering .local to use for their mDNS feature.
This is not an official TLD... Where do you think they registered it at? It is part of https://tools.ietf.org/html/rfc6762; it's not an "Apple" thing per se... it's an mDNS thing.. You don't have to be an Apple product to use mDNS.
Sure there could be some change in direction and .lan or .internal could be used.. Then you switch to something else.. But I doubt .lan would ever be used as a public TLD.. Nor .internal, since they make no sense in that context..
Sure someone could propose use of .whatever -- it will be either accepted or rejected by the community... Which is the whole point of the RFC process.
Using the same exact domain you use internally as publicly to access stuff is a bad idea... Nowhere in their documents do they spell out that you should host shit on that domain as well as use it internally... They just state you should own it.. Which sure is fine... But don't try and host shit on it to the public at the same time as using it internally..
People just read that into it... Where do they say you should host your site on www.domain.com, and then use site.domain.com for your AD? It's just that small mom-and-pop shops or users think "I own domain.com, I will use that as my AD"... Not a good idea!!
Subdomains are used all the time for any location of a domain, or as a way to differentiate.... I use dmz.local.lan, wlan.local.lan for example..
Sure you could do internal.domain.com for your internal stuff if you wanted.. You just have to understand how DNS works, and what your client could be doing as it adds a suffix, etc. etc. Again it's not a problem when you're running an authoritative NS.... But it still is just easier and less likely to cause new users problems if they just use something different for their internal domain, that has no possible way to resolve publicly...
-
Hello folks
I think Split-DNS is quite common for homelabs or personal use and I even saw big corporations doing it. In my homelab I use "local.mydomain.tld" for all internal services and "mydomain.tld" for some public facing services. All with one dynamic public IPv4 address. Internally I use separate networks/subnets for PCs/laptops, servers, IoT, DMZ etc. For professional use however, I would recommend at least two public IP addresses. One for hosting the external facing stuff and one for your regular internet access. If you wanna self-host e-mail, a dedicated static IP is mandatory.
On the pfSense side I did the following steps to set this up:
- Disable NAT-Reflection
- Enter "local.mydomain.tld" in System->General Setup
- Enter your preferred upstream DNS servers in System->General Setup
- "DNS Server Override" and "Disable DNS Forwarder" are both unchecked
- Enable "DNS Query Forwarding" in Services->DNS Resolver->General Setup
- Set "System Domain Local Zone Type" to "Static" in Services->DNS Resolver->General Setup
- Enter A records for all services in the Custom Options (Unbound syntax; one "server:" clause is enough):

server:
    # internal-only services: answered by the firewall, never sent to the forwarder
    local-zone: "local-only-service1.local.mydomain.tld" redirect
    local-data: "local-only-service1.local.mydomain.tld 3600 IN A 192.168.10.10"
    local-zone: "local-only-service2.local.mydomain.tld" redirect
    local-data: "local-only-service2.local.mydomain.tld 3600 IN A 192.168.10.10"
    # public services: internal clients get the internal address instead of the WAN IP,
    # which is why NAT reflection can stay disabled
    local-zone: "public-service1.mydomain.tld" redirect
    local-data: "public-service1.mydomain.tld 3600 IN A 10.0.10.10"
    etc...
For the internal networks you can now block all DNS traffic to any DNS server other than the firewall itself:
Allow: Source * * -> Destination "LAN address" 53
Block: Source * * -> Destination * 53
Everything seems to be working fine and I think for home use or even really small businesses this setup should be OK.
@the experts:
Please correct me if I did anything wrong or overlooked/missed something. Cheers
foofighter77
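An added example (not from the thread and not pfSense's or Unbound's own code): a Python model of how Unbound applies the local-zone/local-data lines above, so you can check which names are answered locally, which the static system zone turns into NXDOMAIN, and which still leave the firewall for the forwarder. The config text, hostnames and addresses are constructed placeholders modelled on the post, and the audit check is an assumption about what a defender wants to verify, not a pfSense feature.

```python
import ipaddress
import re
# Constructed sample modelled on the post's Custom Options; names and addresses are placeholders.
CUSTOM_OPTIONS = """server:
local-zone: "local.mydomain.tld" static
local-zone: "local-only-service1.local.mydomain.tld" redirect
local-data: "local-only-service1.local.mydomain.tld 3600 IN A 192.168.10.10"
local-zone: "public-service1.mydomain.tld" redirect
local-data: "public-service1.mydomain.tld 3600 IN A 10.0.10.10"
"""

def parse_custom_options(text):
    """Collect local-zone types (zone -> type) and local-data A records (name -> [addresses])."""
    zones, data = {}, {}
    for line in text.splitlines():
        if m := re.match(r'\s*local-zone:\s+"([^"]+)"\s+(\S+)', line):
            zones[m.group(1).rstrip(".").lower()] = m.group(2)
        if m := re.match(r'\s*local-data:\s+"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)"', line):
            data.setdefault(m.group(1).rstrip(".").lower(), []).append(m.group(2))
    return zones, data

def resolve(qname, zones, data):
    """Mimic Unbound's local-zone handling for one A query: ("A", addresses) for a local
    answer, "NXDOMAIN" when a static zone swallows the name, "UPSTREAM" when it leaves the box."""
    qname = qname.rstrip(".").lower()
    labels = qname.split(".")
    for i in range(len(labels)):          # closest enclosing local-zone wins
        zone = ".".join(labels[i:])
        if zone not in zones:
            continue
        if zones[zone] == "redirect":     # apex data answers the name and everything below it
            return ("A", data.get(zone, []))
        if qname in data:                 # exact host override inside a static/transparent zone
            return ("A", data[qname])
        if zones[zone] in ("static", "always_nxdomain"):
            return "NXDOMAIN"
        return "UPSTREAM"                 # transparent and similar types fall through
    return "UPSTREAM"                     # no local-zone covers the name: forwarded upstream

def audit_internal_zone(internal_zone, zones, data):
    """Defender check (assumed policy): internal zone is static and its records are private."""
    findings = []
    if zones.get(internal_zone) != "static":
        findings.append(f"{internal_zone} is not a static zone: unknown names leak upstream")
    for name, addrs in data.items():
        if name == internal_zone or name.endswith("." + internal_zone):
            findings += [f"{name} -> {a} is not a private address" for a in addrs
                         if not ipaddress.ip_address(a).is_private]
    return findings
```

Note that a typo such as typo.local.mydomain.tld gets NXDOMAIN from the static zone instead of being sent to the forwarder, while www.mydomain.tld still goes upstream because no local-zone covers it.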
-
You understand that host overrides can just be done in the GUI, right...
And why are you forwarding - why not just resolve... I fail to understand the fascination of users to hand over all their DNS queries to a specific company... But then scream my DNS is leaking... Yeah, you're freaking leaking everything you do to company X ;) hehehehe on purpose!!
-
@johnpoz said in Confused about DNS forwarding and local domains:
And why are you forwarding - why not just resolve... I fail to understand the fascination of users to hand over all their dns queries to a specific company...
It's a neat situation of pros and cons. If we resolve, it's done in plaintext so ISP and bad guys can see the queries. If we forward, it hands all our lookups to a 3rd party, but at least those are encrypted and we can choose which 3rd party to trust. So neither option can provide all the benefits. I'd say either option is reasonable depending on the situation.
-
Yeah - my DNS resolving is too fast... Let me slow it up!!! and put in a TCP tunnel... Cuz you know that ISP I pay for internet, and handles all my traffic and sees every IP I go to... Sure and the F wouldn't want them to know I did a query for google.com..
If you're concerned with your ISP spying on you - then tunnel all your traffic through them... Forwarding DNS to some specific company is not solving anything other than slowing up your DNS and handing them everything you do on a silver freaking platter.
But sure have fun with that!
-
When I first tried to set this up it didn't work as expected with the host overrides in the GUI. But it's quite possible that other things were configured wrong at that time ;-)
I send my DNS lookups to https://dns.digitale-gesellschaft.ch/ via DoT. I did not mention this before for the sake of simplicity. Sure you have to trust that they keep their word with their Privacy Notice. But I trust them way more than I trust my ISP or any other commercial companies like Google, Cloudflare, Quad9 etc...
-
@foofighter77
"any other commercial companies like Google, Cloudflare, Quad9 etc..."
If you are resolving, these companies are not part of the equation. You are directly querying the root servers.
If you don't trust your ISP, using DoT doesn't completely solve your problem due to SNI. Server Name Indication (SNI) exposes the hostname the client is connecting to when establishing a TLS connection. So unless you have encrypted SNI or tunnel all your traffic thru your ISP you don't have privacy.
-
@ahking19 You're right, I mixed things up a bit. Google, Cloudflare etc. are not relevant in this case. Except if you explicitly use them as your DNS provider. Which they literally do in every other YouTube tutorial ;-)
Total privacy is not my goal here. And like you said there are always pros and cons in every situation. For me the most important thing is to keep the internet as decentralized as possible and as private as possible, and DoT with a trustworthy DNS provider seems like a reasonable compromise to me. For sure better than browsers with DoH via Cloudflare or Google enabled by default. ;-)
But thanks anyway for your correction and your addition about SNI. I was not fully aware of that little detail :-)
-
@foofighter77
Encrypted SNI is still being drafted but hopefully we will have it soon in all web browsers, although you can use it in Firefox - https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/
Good article from Cloudflare on Encrypted SNI if you are interested - https://blog.cloudflare.com/encrypted-sni/
-
@ahking19 Thank you. Sounds interesting, especially Encrypted SNI together with DoT. The problem with DoH is that it uses port 443. And obviously you cannot block port 443 at firewall level. Therefore any device or software with hardcoded DNS over HTTPS settings can bypass your DNS resolver/forwarder.