Split DNS and wildcard issue - some are local some are remote
-
@johnpoz said in Split DNS and wildcard issue - some are local some are remote:
You mean public DNS that resolves RFC1918 - yeah, that would be a horrible idea, and you would have to make sure rebinding was turned off for any domains you wanted to do that with.
Hm... Sorry for yet another reference to all the home routers, but I came from them so it's easier for me to describe things this way, and I'm also used to the way they behave. :P
When I had one of those and typed my external IP into the browser while on the LAN, I got my webserver's default vhost responding. Adding a path to the IP gave me whatever was at that path.
With pfSense what I'm getting is the admin panel. I'm guessing pfSense listens on :80 and :443 and by default intercepts those connections when they are made from the LAN. That's not what I want: I'd rather access the panel only through the LAN IP and leave the external one for the webserver. Setting a custom port for panel access still doesn't make access through the external IP possible; I'm simply getting a timeout. And that is only when going from the LAN, because using the external IP from an external place works as it should: I get the default vhost response.
You could ask "why do I need to access my webserver through the external IP when I can do it with the internal IP?". It's quite simple: convenience. I'm a web developer and I often have to copy and paste addresses to clients, so it's just easier to copy&paste vs. copy, change the address and paste. ;)
And as for the wildcard: thanks for your suggestions. I do get your idea of doing this the way you have described. The thing is, I used a wildcard in the initial DNS setup so I don't have to change DNS entries whenever I need to use a subdomain on my domains. And like with the IP described above, it's also to make it simpler for me to manage: now I just add another vhost and it just works. No need to wait for domain propagation and no need to remember to add something somewhere. ;)
From what I understand I need to read a little and do some experimenting on how to make proper entries. :P -
You're not going to get anywhere, even with NAT reflection, if you have pfSense listening on the ports you're trying to NAT reflect in.
If you want to use 80 or 443, then yeah, make sure pfSense isn't using those.. and set up your NAT reflection. When you change pfSense to use SSL it still has the 80 redirect in there. So turn that off and set up something like 8443 for your web GUI. This is what I do.. since I use 443 for OpenVPN and also for a port forward to Ombi behind pfSense via HAProxy.
That is another way you can get it to work without using NAT reflection.. just set up HAProxy as a reverse proxy for all the stuff you're hosting behind pfSense. This also has the added advantage of being able to send to different internal IPs based on host headers or SNI, etc.
-
@johnpoz Thanks for your help! I ended up with the devil-in-the-box solution ;) named NAT Reflection. I'll get back to split DNS when I have more time to tinker with settings; right now I need everything to just work.
-
Yeah, lazy almost always wins ;)
Whatever takes the least amount of effort to get the result I want.. doesn't matter how shitty a process or solution it is ;)
Let's see: a few minutes of time to set up proper DNS resolution, or just hairpin every packet I move off my router interface..
Just saying..
-
@johnpoz It's easy for you to say because of your experience. :P For me it would require much more effort because I'm not familiar with all the DNS settings, not to mention unbound configuration. I've already tried this a little bit and ended up with a partially working solution. So yup, laziness won this fight, but the war is still far from over. ;)
-
It's a DNS record.. You clearly know how to set those up...
All you need to set up is your local records.. If not local, they would get looked up publicly..
So you need..
local-data: "name.abc.com 86400 IN A 192.168.X.X"
local-data: "other.abc.com 86400 IN A 192.168.X.X"
local-data: "something.abc.com 86400 IN A 192.168.X.X"
Seems pretty simple to me; just too lazy to edit the name there and paste it into the option box.. Your IP is all the same, your TTL could be the same.. the domain is the same.. all you're doing is editing the host name.
This is why it's confusing - maybe you think it's complicated while trying to do wildcards, which is a horrible idea in the DNS world.. Again, lazy man's shortcut.. Let's say you had 100 different FQDNs being served off your local server.. What would that take to type out, 3 minutes?
Clearly you know the names you're serving up locally, you're doing the website for it.. clearly you know the server IP - that is the server you're putting the page on.. So it comes down to being too lazy to make a DNS entry.. does it not???
It's the same be it you have 1 domain, or even 100 of those.. All you're doing is putting in the FQDN of the local resource..
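The post above boils down to "one local-data line per local name, all pointing at the LAN address". The following is an added example, not code from the thread or from pfSense, that generates those lines from a list of names (the "100 FQDNs" case) and parses the resulting include file back to catch a malformed line or the same name given two different addresses before unbound sees it. The names, the abc.com domain and 192.168.1.10 are placeholders standing in for the poster's real hostnames and 192.168.X.X server address; the RFC1918 check is this example's own choice, since the point of the override is to answer with the LAN address.

```python
"""Generate and sanity-check unbound `local-data:` overrides for split DNS.

Added example, not code from the thread or from pfSense. The hostnames,
the abc.com domain and 192.168.1.10 are placeholders standing in for the
poster's real names and 192.168.X.X server address.
"""
import ipaddress
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# RFC1918 ranges; the whole point of the override is to hand out one of these.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in _RFC1918)


def is_valid_hostname(name):
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def local_data_lines(names, ip, ttl=86400):
    """Return one `local-data:` line per FQDN, all pointing at the LAN address.

    Names are normalised to lower case without a trailing dot, duplicates are
    dropped, and anything that is not a valid hostname or not an RFC1918
    target is rejected rather than silently written into the resolver config.
    """
    if not is_rfc1918(ip):
        raise ValueError(f"{ip} is not RFC1918; split DNS should answer with the LAN address")
    lines, seen = [], set()
    for raw in names:
        fqdn = raw.strip().rstrip(".").lower()
        if not is_valid_hostname(fqdn):
            raise ValueError(f"invalid hostname: {raw!r}")
        if fqdn in seen:
            continue
        seen.add(fqdn)
        lines.append(f'local-data: "{fqdn} {ttl} IN A {ip}"')
    return lines


# Matches the exact form used in the thread: local-data: "fqdn ttl IN A ip"
_LD = re.compile(r'^\s*local-data:\s*"([^"\s]+)\s+(\d+)\s+IN\s+A\s+([^"\s]+)"\s*$')


def parse_local_data(text):
    """Parse an include file back into {fqdn: (ttl, ip)}.

    Run this over the file you point `include:` at: a line that is not a
    well-formed A record, or the same name given two different addresses,
    raises here instead of surfacing later as a resolver config error or as
    inconsistent answers.
    """
    records = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LD.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a local-data A record: {line!r}")
        fqdn, ttl, ip = m.groups()
        fqdn = fqdn.rstrip(".").lower()
        rec = (int(ttl), str(ipaddress.ip_address(ip)))
        if fqdn in records and records[fqdn] != rec:
            raise ValueError(f"line {lineno}: {fqdn} already defined as {records[fqdn]}")
        records[fqdn] = rec
    return records


if __name__ == "__main__":
    # Constructed input: the three names from the post plus a sloppy duplicate.
    names = ["name.abc.com", "Other.abc.com.", "something.abc.com", "name.abc.com"]
    cfg = "\n".join(local_data_lines(names, "192.168.1.10")) + "\n"
    print(cfg, end="")
    print(parse_local_data(cfg))
```

Only the names listed get the local answer; anything else under the same domain is still looked up publicly, which is the behaviour the post describes and the reason no wildcard is needed.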
-
A little time passed and finally I tried to force myself into getting the whole list of local domains ready, but I stumbled upon some weird issue. I created a file with all the domains that need to resolve to the local address and used
server:include:
to load it into DNS Resolver. Then I turned off NAT Reflection and checked if everything works as it should... and it doesn't, in Windows 10 at least.
Other devices are responding properly on ping with the local address, but Windows for some reason gives me my remote IP instead and the website can't load.
Investigation showed that the reason for that is an active VPN connection. I often use one when working from home, and these days it's almost always. We have split tunneling set up so traffic that is not related to the company goes through my network - at least that's what IT says ;) This was achieved on the client side by unchecking
Use default gateway on remote network
(or however it is translated in English) in TCP/IPv4 -> Properties -> Advanced.
I tried tracert to check how the connection hops, and in the case of the local domain there's only one hop resolving immediately to the remote IP.
Is there a way to make it work without relying on NAT Reflection in pfSense? Unfortunately I don't understand how exactly all this works and why I'm getting the remote IP instead of the local one, but what I know is that this is really inconvenient. :(
Edit: Geez... the forum showed me that it's been two months since the initial discussion. I'm so lazy... :D
-
If your Windows 10 box is using a VPN - what is it using for DNS? Something down the VPN, etc.
VPNs can cause an issue with DNS resolution - because do you ask DNS via the VPN, or do you ask local? If you ask local - how do you resolve what's down the VPN..
That is a completely different problem..
If it's sending traffic down the VPN, then it wouldn't be using NAT reflection - it would be going down the VPN, across the internet and then hitting your WAN IP from outside.
-
I'm not sure I get what you're trying to explain here. As far as I understand, split tunneling is exactly for the situations where someone connected with a VPN can access resources that are outside of the VPN network through their own connection, instead of going through the VPN tunnel. So if I type a domain accessible only through the VPN I will get the proper response, and when I want a domain that is on the WWW then it will be served through my own internet connection. How does it know that? I have no idea. At least the wiki describes it this way.
In my case my VPN connection is set to obtain addresses dynamically, which gives me DNS from my company. My net connection is set to static with DNS pointing to pfSense.
I did tests with tracert to check what path is needed to reach google.com, the company's internal domain and one of my local domains, both with split tunneling enabled and disabled. Each time I flushed the DNS cache.
Split tunneling enabled:
- google.com goes through pfSense, my net provider and then into the wild.
- The company's internal domain goes directly through the VPN, hitting internal addresses.
- My local domain has only one hop that resolves to my remote IP.
Split tunneling disabled:
- google.com goes through the VPN.
- The same with the company's internal domain.
- My local domain goes through the VPN with quite a few hops and gets to my server.
With split tunneling disabled my domains are working, but that's only because my PC is treated like a remote machine. Which is best visible on any site that shows you your IP: split tunneling enabled => my remote IP, split tunneling disabled => the company's IP.
With the VPN disabled my local domain resolves directly to the local IP.
And the thing is, with NAT Reflection it works with split tunneling enabled, for some reason that I don't understand. So I wonder if there is a way to set everything up to work properly.
If this topic deserves a new thread then just split this one. -
So when you have the VPN connection active on Windows 10, you are sending DNS requests inside the VPN instead of to pfSense. It does not matter if your gateway is pfSense; the answer from the VPN's DNS is the external IP.
One solution would be to modify C:\Windows\System32\Drivers\etc\hosts -
@Draghmar said in Split DNS and wildcard issue - some are local some are remote:
As far I understand, split tunneling is exactly for the situations where someone connected with VPN can access resources that are outside of VPN network
Agreed, but just because you tell the VPN client that 192.168.X is the local network and not to send it down the VPN, that doesn't have anything to do with where DNS is gotten from.. Or that your WAN IP/network is local and not to use the VPN to access those.. Then your NAT reflection would work.
As mentioned by @kiokoman, one solution to this, when the VPN client uses a VPN-supplied DNS that can not resolve your local resources, is to put those entries into the machine's hosts file - this will preempt the DNS lookup and resolve host.domain.tld to, say, your local IP on 192.168.X, which the VPN knows to just use locally..
Keep in mind that DNS is just a protocol that runs on the network.. Whether you say to the VPN that 192.168.x/24 shouldn't go down the VPN has nothing to do with what NS the OS is using.. If your VPN hands out DNS, it normally will use that before it uses something local.
You need to understand where the client is pulling DNS from..
If this is a work VPN - for sure they are going to hand you the work DNS; how else would you resolve work resources, etc.. Problem is, work DNS is not going to resolve your local stuff. And if you ask for something that you are port forwarding to get to, that would resolve however the work DNS would resolve it, etc. Or not at all.. Why not just, on the VPN client, check what it shows it is using for DNS. What does it resolve whatever FQDN you're trying to access to.. dig, host, nslookup, etc.
edit: on my work laptop - a simple nslookup shows me it's using the NS in the work network, via the VPN, at IP 10.199.135.102. That sure is not going to resolve my local resources, nor be able to use any host overrides I might have set up in my local DNS, etc. etc..
-
Thanks for the explanation.
I think I understand. Any time I'm trying to get a response for some domain (for example google.com), the VPN client checks with the remote server what IP this domain belongs to. If it's the company's network then it goes through encryption, and if it's not it goes by normal means.
I did nslookup and it did go through the company's DNS, exactly like you said.
What still eludes me is why there's a difference in how google.com is treated vs. the domain pointing to my server when seen with tracert. As a reminder:
- the local domain has only one hop with the remote IP and <1ms response time,
- a remote domain (google.com for example) goes through pfSense.
Why doesn't the local domain go to pfSense? Is this because the VPN client knows my remote IP and if the response for a domain matches that, it simply decides that there's no need?
And if that's the case, is there any solution for this? One that doesn't involve going through the hosts file, that is. -
Without some exact IPs, what is being used on your network, what your VPN settings are, I have no idea what is set to go through the VPN and what not.
Maybe they only route their work networks through the VPN - that is very common practice.. And your local IP is stepping on your work network or tunnel network?
What does this machine's routing table look like - a simple route print from the cmd line will show you that..
-
I talked with my IT and it's like you said: each time a domain is needed it goes to the company DNS, and then if the IP is internal it goes through the VPN and if not it doesn't. As for why my local domain behaves like this... well... just because. And that's it. Simply, it's how it works, so unfortunately I still need NAT Reflection for my setup...
-
@Draghmar said in Split DNS and wildcard issue - some are local some are remote:
Simply it's how it works so unfortunately I still need NAT Reflection for my setup...
Split DNS doesn't work if you're not using your own DNS.. to resolve the local -
Have to wonder why you would need to access your own local webserver while you're "working" ;)
Just access it via IP if you do.. no DNS involved. Or just create a hosts entry on the machine - so it knows the FQDN points to the local IP, and doesn't even need to ask work DNS for it..
Another solution would be to run a conditional forwarder on your machine, say dnsmasq, and not point your client to work DNS, but to your conditional forwarder that only asks your work DNS for work-related domains.
Or, depending on your work DNS - you could set up pfSense to be the VPN client, and do policy routing with conditional forwarding for DNS.
There are always many ways to skin the cat; in your case the simple solution would be, yeah, to use NAT reflection. For this specific client.