Netgate Discussion Forum

Split DNS and wildcard issue - some are local some are remote

  • D
    Draghmar
    last edited by Aug 31, 2020, 8:11 AM

    Hi.
    I have a setup where a domain (let's call it abc.com) is configured at the remote service (where I bought it) in such a way that:

    • abc.com points to the remote server,
    • mail.abc.com also points to the remote server (MX record),
    • ftp.abc.com also points to the remote server,
    • *.abc.com points to the webserver in a network where pfSense sits (local).

    In order for all the subdomains from the wildcard to work in the local network I did the Split DNS thing:

    local-zone: "abc.com" redirect
    local-data: "abc.com 86400 IN A 192.168.X.X"
    

    But this prevented the first three points from the list from working properly because everything now points to the local address. How should I approach this issue in order to make the setup work again? Do mind that I'm quite a noob here. ;) If I had to guess I would say I'd have to add an MX record to the unbound settings. Am I right here?

    Bonus question: How is it that normal/home routers don't have this issue? Do they use NAT Reflection by default?

      • D
        Draghmar
        last edited by Aug 31, 2020, 2:34 PM

        Something came up that I'm not sure how to manage... I can't get a proper response on my PC from any subdomain. I did ipconfig /flushdns and checked the local cache before trying to ping, but I'm constantly getting the external IP instead of the internal one, which results in a bad-certificate warning in the browser because it's actually pfSense that's responding instead of the webserver. And yet other machines get the internal IP properly...

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Aug 31, 2020, 2:38 PM

          If you have 3 addresses that need to respond via public IPs, and then everything else would be local.. You would need to set up those 3 records to have the public IPs in them locally.

          I don't see how you could do what you're asking with a wildcard.. So you either put in the 3 and use a wildcard, or put in whatever you want to resolve locally.. And let anything else resolve via public.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • D
            Draghmar @johnpoz
            last edited by Aug 31, 2020, 3:22 PM

            @johnpoz I was "afraid" I'd get a response like that ;) What I described was a somewhat simplified version, because actually I have a few domains configured this way, of which at least two need those adjustments. Based on what you wrote, I'd have to do something like this?

            local-zone: "abc.com" redirect
            local-data: "ftp.abc.com 86400 IN A remoteAddr"
            local-data: "www.abc.com 86400 IN A remoteAddr"
            local-data: "mail.abc.com 86400 IN CNAME remoteDNS"
            local-data: "abc.com 86400 IN A 192.168.X.X"
            

            I wonder though - what about abc.com? I mean without a subdomain, which should be resolved to the remote address? Will it even work?

            And from another perspective... By default abc.com resolves to my external IP. When typing it locally into the browser it gives me the pfSense admin panel. Is there a way to force it to use a specific address from the local network instead? Without changing ports?

            And still - how do home routers mitigate this issue? I've had quite a few of them and never encountered something like this.

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz Aug 31, 2020, 3:34 PM Aug 31, 2020, 3:33 PM

              Home routers normally have NAT reflection running out of the box.. You could do that if wanted, now everything would resolve to the public IP, and your internal stuff would get sent back in via NAT reflection to the services you're hosting internally.

              Nat reflection is an abomination to all things holy about networking btw ;)

              • D
                Draghmar @johnpoz
                last edited by Draghmar Aug 31, 2020, 5:14 PM Aug 31, 2020, 5:12 PM

                @johnpoz Yeah, I've read your posts about NAT Reflection when I was looking for the solution and I've seen the documentation. That's why I tried to get this to work through split DNS. To have it "the better way". ;) Tell me: is it possible to achieve what I want with split DNS? I can fight with the configuration a little bit if I knew it was even possible.

                And what about the external IP? Wouldn't a configuration that points the external IP to the internal webserver resolve the issue I have?

                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz Aug 31, 2020, 5:35 PM Aug 31, 2020, 5:32 PM

                  @Draghmar said in Split DNS and wildcard issue - some are local some are remote:

                  Wouldn't configuration that would point external IP to the internal webserver

                  You mean public DNS that resolves to RFC 1918 - yeah, that would be a horrible idea, and you would have to make sure rebinding protection was turned off for any domains you wanted to do that with.

                  I already gave you the solutions.. You either host your stuff locally for your local devices, with records that point to the outside IPs for your domain (not your public IP), and then you can set up a wildcard for anything that you want to point to some specific IP internally.

                  Or you set up all your internal FQDNs to point internally, and let the public ones resolve externally.

                  But setting up a redirect is going to point everything to whatever you're pointing it to.. Unless you set up the exceptions.

                  If it was me, I would host everything locally.. with specific records for hostA and boxB.domain.tld vs a wildcard for anything.. Even if you had 100 of them, you do know you can load up a text file that has all your entries in it, right? Or just paste them into the custom options box, you don't have to go through the GUI for each one.. Which yeah, would be painful if you had 100 of them or something.

                  • D
                    Draghmar @johnpoz
                    last edited by Aug 31, 2020, 6:15 PM

                    @johnpoz said in Split DNS and wildcard issue - some are local some are remote:

                    You mean public dns that resolves rfc1918 - yeah that would be horrible idea, and you would have to make sure rebinding was turned off for any domains you wanted to do that with.

                    Hm... Sorry for yet another reference to home routers, but I came from them so it's easier for me to describe it this way, and also I'm used to the way they behave. :P
                    When I had one of those and typed my external IP into the browser while on the LAN, I got my webserver's default vhost responding. Adding some path to the IP gave me whatever was at that path.
                    With pfSense what I'm getting is the admin panel. I'm guessing pfSense listens for :80 and :443 connections and by default intercepts them when they are made from the LAN. That's not what I want - I'd rather access the panel only through the LAN IP and leave the external one for the webserver. Setting a custom port for panel access still doesn't make access through the external IP possible - I'm simply getting a timeout. And that is only when going from the LAN, because using the external IP from an external location works as it should - I get the default vhost response.
                    You could ask "why do I need to access my webserver through the external IP when I can do it with the internal IP?". It's quite simple - convenience. I'm a web developer and I often have to copy and paste addresses to clients, so it's just easier to copy&paste vs copy, change the address and paste. ;)

                    And as for the wildcard - thanks for your suggestions. I do get your idea of doing this the way you described. The thing is I used a wildcard in the initial DNS setup so I don't have to change DNS entries whenever I need to use a subdomain on my domains. And like with the IP described above, it's also to make it simpler for me to manage - now I just add another vhost and it just works. No need to wait for domain propagation and no need to remember to add something, somewhere. ;)
                    From what I understand I need to read a little and do some experimenting on how to make proper entries. :P

                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by Aug 31, 2020, 6:21 PM

                      You're not going to get anywhere even with NAT reflection if you have pfSense listening on the ports you're trying to NAT reflect in.

                      If you want to use 80 or 443, then yeah, make sure pfSense isn't using those.. And set up your NAT reflection. When you change pfSense to use SSL it still has the 80 redirect in there. So turn that off and set up something like 8443 for your web GUI. This is what I do.. Since I use 443 for OpenVPN and also for a port forward to Ombi behind pfSense via HAProxy.

                      That is another way you can get it to work without using NAT reflection.. Just set up HAProxy as a reverse proxy for all the stuff you're hosting behind pfSense. This also has the added advantage of being able to send to different internal IPs based on host headers or SNI, etc.

                      • D
                        Draghmar @johnpoz
                        last edited by Sep 1, 2020, 11:46 AM

                        @johnpoz Thanks for your help! I ended up with the devil-in-the-box solution ;) named NAT Reflection. I'll get back to the split DNS when I have more time to tinker with settings and right now I need everything to just work.

                        • J
                          johnpoz LAYER 8 Global Moderator
                          last edited by Sep 1, 2020, 11:58 AM

                          Yeah, lazy almost always wins ;)

                          What takes the least amount of effort to get the result I want.. Doesn't matter how shitty the process or solution is ;)

                          Let's see, a few minutes of time to set up proper DNS resolution, or just hairpin every packet I move off my router interface..

                          Just saying..

                          • D
                            Draghmar @johnpoz
                            last edited by Sep 1, 2020, 12:06 PM

                            @johnpoz It's easy for you to say because of your experience. :P For me it would require much more effort because I'm not familiar with all the DNS settings, not to mention unbound configuration. I've already tried this a little bit and ended up with a partially working solution. So yup, laziness won this fight, but the war is still far from over. ;)

                            • J
                              johnpoz LAYER 8 Global Moderator
                              last edited by johnpoz Sep 1, 2020, 12:21 PM Sep 1, 2020, 12:18 PM

                              It's a DNS record.. You clearly know how to set those up...

                              All you need to set up is your local records.. If not local, they would get looked up publicly..

                              So you need..

                              local-data: "name.abc.com 86400 IN A 192.168.X.X"
                              local-data: "other.abc.com 86400 IN A 192.168.X.X"
                              local-data: "something.abc.com 86400 IN A 192.168.X.X"

                              Seems pretty simple to me, just too lazy to edit the name there and paste it into the options box.. Your IP is all the same, your TTL could be the same.. the domain is the same.. all you're doing is editing the host name.

                              This is why it's confusing - maybe you think it's complicated while trying to do wildcards, which is a horrible idea in the DNS world.. Again, the lazy man's shortcut.. Let's say you had 100 different FQDNs being served off your local server.. What would that take to type out, 3 minutes?

                              Clearly you know the names you're serving up locally, you're doing the website for it.. clearly you know the server IP - that is the server you're putting the page on.. So it comes down to being too lazy to make a DNS entry.. does it not???

                              It's the same whether you have 1 domain, or even 100 of those.. All you're doing is putting in the FQDN of the local resource..

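
A worked version of the approach johnpoz describes here and in his earlier reply (explicit local-data for the names served on the LAN, no redirect wildcard, everything else resolved upstream), added as an example; it is not code from the thread or from pfSense. It generates the Unbound lines for a host list and lints a local-zone/local-data fragment for the redirect-zone pitfall behind the original problem. abc.com, 192.168.1.10 and the hostnames are constructed placeholders, and `LOCAL_HOSTS`, `render_split_dns` and `lint_local_config` are names chosen for this example.

```python
"""Split-DNS records for the pfSense DNS Resolver (Unbound): generate and lint.

Added example for the thread above, not code from the original posts or from
pfSense. Hostnames, addresses and TTLs are constructed placeholders.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed inventory: every name that must answer with the LAN web server.
LOCAL_HOSTS: Dict[str, str] = {
    "abc.com": "192.168.1.10",
    "www.abc.com": "192.168.1.10",
    "dev.abc.com": "192.168.1.10",
    "client1.abc.com": "192.168.1.10",
}

ZONE_RE = re.compile(r'^\s*local-zone:\s*"([^"]+)"\s+(\S+)')
DATA_RE = re.compile(
    r'^\s*local-data:\s*"(\S+)(?:\s+\d+)?(?:\s+IN)?\s+([A-Z]+)\s+(.+?)"')


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def _in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def render_split_dns(zone: str, hosts: Dict[str, str], ttl: int = 86400) -> List[str]:
    """Return a 'transparent' local-zone plus one A record per listed host.

    transparent: answer from local data when the name matches, otherwise
    resolve upstream. Names not listed (mail., ftp., ...) keep their public
    answers, which is what the thread needs.
    """
    zone = _norm(zone)
    lines = [f'local-zone: "{zone}" transparent']
    for name, ip in sorted(hosts.items()):
        name = _norm(name)
        if not _in_zone(name, zone):
            raise ValueError(f"{name} is not inside {zone}")
        ipaddress.IPv4Address(ip)  # reject typos before Unbound sees them
        lines.append(f'local-data: "{name} {ttl} IN A {ip}"')
    return lines


def lint_local_config(lines: List[str]) -> List[str]:
    """Flag split-DNS mistakes in local-zone/local-data lines.

    Rules from unbound.conf(5): a 'redirect' zone answers the apex and every
    name below it with the apex data, and local-data below the apex is not
    permitted in such a zone. So per-host exceptions under a redirect zone
    never take effect, and a private apex address captures the whole domain,
    including the names that should stay public.
    """
    zones: Dict[str, str] = {}
    records = []
    for raw in lines:
        m = ZONE_RE.match(raw)
        if m:
            zones[_norm(m.group(1))] = m.group(2).lower()
            continue
        m = DATA_RE.match(raw)
        if m:
            records.append((_norm(m.group(1)), m.group(2), m.group(3).strip()))

    problems: List[str] = []
    for name, rtype, rdata in records:
        # most specific declared zone containing this name, if any
        zone: Optional[str] = max(
            (z for z in zones if _in_zone(name, z)), key=len, default=None)
        if zone is None or zones[zone] != "redirect":
            continue
        if name != zone:
            problems.append(
                f"{name}: local-data below redirect zone {zone} is not allowed; "
                f"use 'local-zone: \"{zone}\" transparent' and list each host")
        elif rtype == "A":
            try:
                private = ipaddress.ip_address(rdata).is_private
            except ValueError:
                problems.append(f"{zone}: {rdata!r} is not a valid address")
                continue
            if private:
                problems.append(
                    f"{zone}: redirect to private {rdata} answers every *.{zone}, "
                    f"public names such as mail.{zone} will also resolve to it")
    return problems


if __name__ == "__main__":
    print("\n".join(render_split_dns("abc.com", LOCAL_HOSTS)))
```

Paste the generated lines into Services > DNS Resolver > Custom Options, or into the file loaded with server:include as a later post in this thread does, and run `unbound-checkconf` on the firewall before reloading. The lint reproduces the original symptom: the redirect zone from the first post is flagged for swallowing every *.abc.com, and the later proposal with ftp.abc.com beneath it is flagged as data below a redirect apex. Caveat: this only affects clients that actually ask pfSense; a host whose VPN client hands it another resolver, or a browser doing DNS over HTTPS, still gets the public answer.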
                              • D
                                Draghmar
                                last edited by Draghmar Oct 22, 2020, 11:51 AM Oct 22, 2020, 11:50 AM

                                A little time passed and I finally forced myself into getting the whole list of local domains ready, but I stumbled upon a weird issue. I created a file with all the domains that need to resolve to the local address and used server:include: to load it into the DNS Resolver. Then I turned off NAT Reflection and checked whether everything works as it should... and it doesn't, in Windows 10 at least.
                                Other devices respond properly to ping with the local address, but Windows for some reason gives me my remote IP instead and the website can't load.

                                Investigation showed that the reason is an active VPN connection. I often use one when working from home, and these days that's almost always. We have split tunneling set up so traffic that is not related to the company goes through my network - at least IT says so ;) This was achieved on the client side by unchecking "Use default gateway on remote network" (or however it is translated into English) in TCP/IPv4 -> Properties -> Advanced.
                                I tried tracert to check how the connection hops, and in the case of a local domain there's only one hop, resolving immediately to the remote IP.

                                Is there a way to make it work without relying on NAT Reflection in pfSense? Unfortunately I don't understand how exactly all this works and why I'm getting the remote IP instead of the local one, but what I know is that this is really inconvenient. :(

                                Edit: Geez... the forum showed me that it's been two months since the initial discussion. I'm so lazy... :D

                                • J
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by johnpoz Oct 22, 2020, 2:09 PM Oct 22, 2020, 2:08 PM

                                  If your Windows 10 box is using a VPN - what is it using for DNS? Something down the VPN, etc.

                                  VPNs can cause an issue with DNS resolution - because do you ask DNS via the VPN, or do you ask locally? If you ask locally - how do you resolve what's down the VPN..

                                  That is a completely different problem..

                                  If it's sending traffic down the VPN, then it wouldn't be using NAT reflection - it would be going down the VPN, across the internet and then hitting your WAN IP from outside.

                                  • D
                                    Draghmar
                                    last edited by Oct 22, 2020, 6:10 PM

                                    I'm not sure I get what you're trying to explain here. As far as I understand, split tunneling is exactly for the situations where someone connected to a VPN can access resources that are outside of the VPN network through their own connection, instead of going through the VPN tunnel. So if I type a domain accessible only through the VPN I will get the proper response, and when I want a domain that is on the WWW then it will be served through my own internet connection. How does it know that? I have no idea. At least the wiki describes it this way.
                                    In my case my VPN connection is set to obtain addresses dynamically, which gives me DNS from my company. My network connection is set to static with DNS pointing to pfSense.

                                    I did tests with tracert to check what path is needed to reach google.com, company's internal domain and one of my local domains both with split tunneling enabled and disabled. Each time I flushed DNS cache.

                                    Split tunneling enabled:

                                    • google.com goes through pfSense, my net provider and then into the wild.
                                    • Company's internal domain goes directly through VPN hitting internal addresses.
                                    • My local domain has only one hop that resolves to my remote IP.

                                    Split tunneling disabled:

                                    • google.com goes through the VPN.
                                    • The same is with Company's internal domain.
                                    • My local domain goes through VPN with quite many hops and gets into my server.

                                    With split tunneling disabled my domains are working, but that's only because my PC is treated like a remote machine. This is best visible on any site that shows you your IP: split tunneling enabled => my remote IP, split tunneling disabled => the company's IP.

                                    With the VPN disabled my local domain resolves directly to the local IP.

                                    And the thing is, with NAT Reflection it works with split tunneling enabled, for some reason that I don't understand. So I wonder whether there is a way to set everything up to work properly.
                                    If that topic deserves a new thread then just split this one.

                                    • kiokomanK
                                      kiokoman LAYER 8
                                      last edited by kiokoman Oct 22, 2020, 6:23 PM Oct 22, 2020, 6:18 PM

                                      So when you have the VPN connection active on Windows 10, you are sending DNS requests inside the VPN instead of to pfSense. It does not matter if your gateway is pfSense; the answer from the VPN DNS is the external IP.
                                      One solution would be to modify C:\Windows\System32\Drivers\etc\hosts

                                      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                                      Please do not use chat/PM to ask for help
                                      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                                      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                                      • J
                                        johnpoz LAYER 8 Global Moderator @Draghmar
                                        last edited by johnpoz Oct 22, 2020, 6:52 PM Oct 22, 2020, 6:44 PM

                                        @Draghmar said in Split DNS and wildcard issue - some are local some are remote:

                                        As far I understand, split tunneling is exactly for the situations where someone connected with VPN can access resources that are outside of VPN network

                                        Agreed, but just because you tell the VPN client that 192.168.X is a local network and not to send it down the VPN doesn't have anything to do with where DNS is gotten from.. Or that your WAN IP/network is local and not to use the VPN to access those.. Then your NAT reflection would work.

                                        As mentioned by @kiokoman, one solution to this, when the VPN client uses a VPN-supplied DNS that can not resolve your local resources, is to put those entries into the machine's hosts file - this will preempt the DNS lookup and resolve host.domain.tld to, say, your local IP on 192.168.X, which the VPN knows to just use locally..

                                        Keep in mind that DNS is just a protocol that runs on the network.. Whether you tell the VPN that 192.168.x/24 shouldn't go down the VPN has nothing to do with what NS the OS is using.. If your VPN hands out DNS, it normally will use that before it uses something local.

                                        You need to understand where the client is pulling DNS from..

                                        If this is a work VPN - for sure they are going to hand you the work DNS, how else would you resolve work resources, etc.. Problem is work DNS is not going to resolve your local stuff. And if you ask for something that you are port forwarding to get to, that would resolve however the work DNS would resolve it, etc. Or not at all.. Why not just check on the VPN client what it shows it's using for DNS. What does it resolve whatever FQDN you're trying to access to.. dig, host, nslookup, etc.

                                        edit: on my work laptop - a simple nslookup shows me it's using the NS in the work network, via the VPN, at IP 10.199.135.102. That sure is not going to resolve my local resources, nor be able to use any host overrides I might have set up in my local DNS, etc. etc..

                                        • D
                                          Draghmar
                                          last edited by Oct 22, 2020, 8:53 PM

                                          Thanks for the explanation.
                                          I think I understand. Any time I'm trying to get a response for some domain (for example google.com) the VPN client checks with the remote server what IP this domain belongs to. If it's the company's network then it goes through encryption, and if it's not it goes by normal means.
                                          I did nslookup and it did go through the company's DNS, exactly like you said.

                                          What still eludes me is why there's a difference in how google.com is treated vs a domain pointing to my server when seen with tracert. As a reminder:

                                          • the local domain has only one hop with the remote IP and <1ms response time,
                                          • a remote domain (google.com for example) goes through pfSense.

                                          Why doesn't the local domain go through pfSense? Is this because the VPN client knows my remote IP, and if the response for a domain matches it, it simply decides that there's no need?
                                          And if that's the case, is there any solution for this? One that doesn't involve going through the hosts file, that is.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.