Netgate Discussion Forum
    Split DNS and wildcard issue - some are local some are remote

    DHCP and DNS (23 posts, 3 posters)

    johnpoz (LAYER 8 Global Moderator)

      It's a dns record.. You clearly know how to set those up...

      All you need to set up is your local records.. If not local they would get looked up publicly..

      So you need..

      local-data: "name.abc.com 86400 IN A 192.168.X.X"
      local-data: "other.abc.com 86400 IN A 192.168.X.X"
      local-data: "something.abc.com 86400 IN A 192.168.X.X"

      Seems pretty simple to me, just too lazy to edit the name there and paste it into the option box.. Your IP is all the same, your ttl could be the same.. the domain is the same.. all you're doing is editing the host name.

      This is why it's confusing - maybe you think it's complicated while trying to do wildcards, which is a horrible idea in the dns world.. Again, lazy man's shortcut.. Let's say you had 100 different fqdn being served off your local server.. What would that take to type out, 3 minutes?

      Clearly you know the names you're serving up locally, you're doing the website for it.. clearly you know the server IP - that is the server you're putting the page on.. So it comes down to too lazy to make a dns entry.. does it not???

      It's the same be it you have 1 domain, or even 100 of those.. All you're doing is putting in the fqdn of the local resource..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      Draghmar

        A little time passed and finally I tried to force myself into getting the whole list of local domains ready, but I stumbled upon some weird issue. I created a file with all the domains that need to resolve to the local address and used server:include: to load it into DNS Resolver. Then I turned off NAT Reflection and checked if everything works as it should... and it doesn't, in Windows 10 at least.
        Other devices respond properly to ping with the local address, but Windows for some reason gives me my remote IP instead and the website can't load.

        Investigation showed that the reason for that is an active VPN connection. I often use one when working from home, and in these times that's almost always. We have split tunneling set up so traffic that is not related to the company goes through my network - at least IT says that ;) This was achieved on the client side by unchecking Use default gateway in remote network (or however it is translated in English) in TCP/IPv4->Properties->Advanced.
        I tried tracert to check how the connection hops, and in the case of a local domain there's only one hop, resolving immediately to the remote IP.

        Is there a way to make it work without relying on NAT Reflection in pfSense? Unfortunately I don't understand how exactly all this works and why I'm getting the remote IP instead of the local one, but what I know is that this is really inconvenient. :(

        Edit: Geez... the forum showed me that it's been two months since the initial discussion. I'm so lazy... :D

        johnpoz (LAYER 8 Global Moderator)
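As an added example (not from either poster), this is what the include file johnpoz describes and Draghmar loads through the DNS Resolver's custom options could look like. The host names, the path and 192.168.1.10 are placeholders. The point is that only the names listed get a LAN answer; every other name under abc.com is still resolved publicly, so "some local, some remote" needs no wildcard at all:

```conf
# Custom Options box of the pfSense DNS Resolver (Services > DNS Resolver):
#
#   server:
#   include: /var/unbound/local-records.conf
#
# Contents of /var/unbound/local-records.conf (placeholder path). The file is
# read inside the server: clause, so it holds only server options.

# Names under abc.com that are NOT listed below are still resolved publicly.
local-zone: "abc.com." transparent

# One line per local host: same TTL, same LAN IP, only the host part changes.
local-data: "name.abc.com. 86400 IN A 192.168.1.10"
local-data: "other.abc.com. 86400 IN A 192.168.1.10"
local-data: "something.abc.com. 86400 IN A 192.168.1.10"

# Reverse entry so a PTR lookup of the LAN address also stays local.
local-data-ptr: "192.168.1.10 86400 name.abc.com."
```

Check the syntax with unbound-checkconf before saving, then test from a LAN client with nslookup name.abc.com followed by the pfSense LAN address. One caveat of a transparent zone: for a name that has local data, a query for a type that is not listed (AAAA, for instance) gets an empty NODATA answer rather than the public record. Here that is what you want, otherwise a dual-stack client could pick up the public IPv6 address and skip the LAN path.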

          If your windows 10 box is using a vpn - what is it using for dns? Something down the vpn, etc.

          VPNs can cause an issue with dns resolution - because do you ask dns via the vpn, or do you ask local. If you ask local - how do you resolve what's down the vpn..

          That is a completely different problem..

          If it's sending traffic down the vpn, then it wouldn't be using nat reflection - it would be going down the vpn, across the internet and then hitting your wan IP from outside.

          Draghmar

            I'm not sure I get what you're trying to explain here. As far as I understand, split tunneling is exactly for the situations where someone connected with a VPN can access resources that are outside of the VPN network through their own connection, instead of going through the VPN tunnel. So if I type a domain accessible only through the VPN I will get the proper response, and when I want a domain that is on the WWW then it will be served through my internet connection. How does it know that? I have no idea. At least the wiki describes it this way.
            In my case my VPN connection is set to obtain addresses dynamically, which gives DNS from my company. My net connection is set to static with DNS pointing to pfSense.

            I did tests with tracert to check what path is needed to reach google.com, the company's internal domain and one of my local domains, both with split tunneling enabled and disabled. Each time I flushed the DNS cache.

            Split tunneling enabled:

            • google.com goes through pfSense, my net provider and then into the wild.
            • The company's internal domain goes directly through the VPN, hitting internal addresses.
            • My local domain has only one hop that resolves to my remote IP.

            Split tunneling disabled:

            • google.com goes through the VPN.
            • The same goes for the company's internal domain.
            • My local domain goes through the VPN with quite a few hops and gets to my server.

            With split tunneling disabled my domains are working, but that's only because my PC is treated like a remote machine. This is best visible on any site that shows you your IP: split tunneling enabled => my remote IP, split tunneling disabled => company's IP.

            With the VPN disabled my local domain resolves directly to the local IP.

            And the thing is, with NAT Reflection it works with split tunneling enabled, for some reason that I don't understand. So I wonder if there is a way to set up everything to work properly.
            If that topic deserves a new thread then just split this one.

            kiokoman (LAYER 8)

              So when you have the VPN connection active on Windows 10, you are sending DNS requests inside the VPN instead of to pfSense. It does not matter if your gateway is pfSense; the answer from the VPN DNS is the external IP.
              One solution would be to modify C:\Windows\System32\Drivers\etc\hosts

              ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
              Please do not use chat/PM to ask for help
              we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
              Don't forget to Upvote with the 👍 button for any post you find to be helpful.

              johnpoz (LAYER 8 Global Moderator) @Draghmar

                @Draghmar said in Split DNS and wildcard issue - some are local some are remote:

                As far I understand, split tunneling is exactly for the situations where someone connected with VPN can access resources that are outside of VPN network

                Agreed, but just because you tell the vpn client that 192.168.X is the local network and not to send it down the vpn doesn't have anything to do with where dns is gotten from.. Or that your wan IP/Network is local and not to use the vpn to access those.. Then your nat reflection would work.

                As mentioned by @kiokoman, one solution to this, when the vpn client uses a vpn-supplied dns that can not resolve your local resources, is to put those entries into the machine's hosts file - this will preempt the dns lookup and resolve host.domain.tld, say, to your local IP on 192.168.X, which the vpn knows to just use locally..

                Keep in mind that dns is just a protocol that runs on the network.. Whether you say to the vpn that 192.168.x/24 shouldn't go down the vpn has nothing to do with what ns the OS is using.. If your vpn hands out dns, it normally will use that before it uses something local.

                You need to understand where the client is pulling dns from..

                If this is a work vpn - for sure they are going to hand you the work dns, how else would you resolve work resources, etc.. Problem is work dns is not going to resolve your local stuff. And if you ask for something that you are port forwarding to get to, that would resolve however the work dns would resolve it, etc. Or not at all.. Why not just check on the vpn client what it shows it is using for dns. What does it resolve whatever fqdn you're trying to access to.. dig, host, nslookup, etc.

                edit: on my work laptop - a simple nslookup shows me it's using the NS in the work network, via the vpn to IP 10.199.135.102; that sure is not going to resolve my local resources, nor be able to use any host overrides I might have set up in my local dns, etc. etc..

                Draghmar
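To make the check johnpoz and kiokoman describe repeatable, here is an added Python script (not code from the thread or from pfSense) that asks the pfSense resolver directly for an A record and compares it with whatever resolver the OS is currently using. If the two disagree and the pfSense answer is an RFC 1918 address, the client is asking some other resolver, typically the one the VPN pushed. The resolver address 192.168.1.1, the name name.abc.com and the sample replies at the bottom are constructed placeholders; the script needs only the standard library.

```python
"""Compare the A record pfSense's Unbound returns with what the OS resolver
returns, to see whether split DNS is being bypassed. Stdlib only: the DNS
query is built and parsed by hand (A records only, UDP, no EDNS).
Added example; not code from the thread."""
import ipaddress
import random
import socket
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_query(name, txid):
    """Minimal recursive A/IN query for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_a_answers(msg, txid):
    """Return the IPv4 strings in the answer section; raise on id mismatch or RCODE != 0."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen  # other types (CNAME etc.) are skipped, not followed
    return addrs


def resolve_via(server, name, timeout=2.0):
    """Ask one specific resolver (e.g. the pfSense LAN IP) over UDP/53."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data, txid)


def resolve_via_os(name):
    """Whatever resolver the OS is using right now (on a VPN box, often the pushed one)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


def classify(pfsense_answers, os_answers):
    """Name the situation: override missing on pfSense, split DNS working, or resolver bypassed."""
    def is_lan(a):
        return any(ipaddress.ip_address(a) in n for n in RFC1918)
    if not pfsense_answers or not all(is_lan(a) for a in pfsense_answers):
        return "no-local-override"  # pfSense itself answers with a public IP: fix the host override
    if set(os_answers) == set(pfsense_answers):
        return "split-dns-ok"
    return "resolver-bypass"  # the OS is asking some other resolver (VPN-pushed DNS, for instance)


def make_sample_response(name, txid, addrs, ttl=86400):
    """Constructed reply (not captured traffic) so the parser can be exercised offline."""
    q = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    body = q[12:]
    for a in addrs:  # owner name as a pointer to offset 12, where the question name sits
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
    return header + body


if __name__ == "__main__":
    # Offline demonstration: constructed pfSense reply versus a constructed VPN-resolver
    # answer (203.0.113.5 is a documentation address standing in for the WAN IP).
    reply = make_sample_response("name.abc.com", 0x1234, ["192.168.1.10"])
    print(classify(parse_a_answers(reply, 0x1234), ["203.0.113.5"]))  # resolver-bypass
    # Live check on the client (192.168.1.1 is a placeholder pfSense LAN IP):
    # print(classify(resolve_via("192.168.1.1", "name.abc.com"), resolve_via_os("name.abc.com")))
```

Run the live check twice, once with the VPN up and once with it down; a result that flips from split-dns-ok to resolver-bypass confirms that the VPN-pushed resolver, not routing, is what breaks the local names, and that a hosts entry or a conditional forwarder is the place to fix it.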

                  Thanks for the explanation.
                  I think I understand. Any time I'm trying to get a response for some domain (for example google.com) the VPN client checks with the remote server what IP this domain belongs to. If it's the company's network then it goes through encryption, and if it's not it goes by normal means.
                  I did nslookup and it did go through the company's DNS, exactly like you said.

                  What still eludes me is why there's a difference in how google.com is treated vs. a domain pointing to my server when seen with tracert. As a reminder:

                  • the local domain has only one hop, with the remote IP and <1ms response time,
                  • a remote domain (google.com for example) goes through pfSense.

                  Why doesn't the local domain go to pfSense? Is this because the VPN client knows my remote IP and, if the response for the domain matches that, it simply decides that there's no need?
                  And if that's the case, is there any solution for this? One that doesn't involve going through the hosts file, that is.

                  johnpoz (LAYER 8 Global Moderator)

                    Without some exact ips, what is being used on your network, what your vpn settings are, I have no idea what is set to go through the vpn and what not.

                    Maybe they only route their work networks through the vpn - that is very common practice.. And your local IP is stepping on your work network or tunnel network?

                    What does this machine's routing table look like - a simple route print from the cmd line will show you that..

                    Draghmar

                      I talked with my IT and it's like you said: each time a domain is needed it goes to the company DNS, and then if the IP is internal it goes through the VPN and if not it doesn't. As for why my local domain behaves like this... well... just because. And that's it. Simply it's how it works, so unfortunately I still need NAT Reflection for my setup...

                      johnpoz (LAYER 8 Global Moderator)

                        @Draghmar said in Split DNS and wildcard issue - some are local some are remote:

                        Simply it's how it works so unfortunately I still need NAT Reflection for my setup...

                        Split dns doesn't work if you're not using your own dns.. To resolve the local -

                        Have to wonder why you would need to access your own local webserver while your "working" ;)

                        Just access it via IP if you do.. no dns involved. Or just create a hosts entry on the machine - so it knows the fqdn points to the local IP, and doesn't even need to ask work dns for it..

                        Another solution would be to run a conditional forwarder on your machine, say dnsmasq, and not point your client to work dns but to your conditional forwarder that only asks your work dns for work-related domains.

                        Or depending on your work dns - you could set up pfsense to be the vpn client, and do policy routing with conditional forwarding for dns.

                        There are always many ways to skin the cat; in your case the simple solution would be, yeah, to use nat reflection. For this specific client.

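As an added illustration of the conditional-forwarder option johnpoz mentions (example configuration, not from the thread and not from Draghmar's company), here is a dnsmasq instance on the client that sends only the work domains to the work DNS and everything else, pfSense host overrides included, to pfSense. corp.example, 10.0.0.53, 10.0.0.0/8 and 192.168.1.1 are placeholders. dnsmasq does not accept trailing comments, so each comment sits on its own line:

```conf
# dnsmasq.conf on the client: only answer on loopback, and ignore whatever
# resolver list the OS or the VPN client writes (no-resolv).
listen-address=127.0.0.1
bind-interfaces
no-resolv

# Work domain, forward and reverse: ask the work DNS reached through the tunnel.
server=/corp.example/10.0.0.53
rev-server=10.0.0.0/8,10.0.0.53

# Everything else: ask pfSense, whose Unbound holds the local host overrides.
server=192.168.1.1

cache-size=1000
```

The client's adapter DNS must then point at 127.0.0.1 for this to take effect. The usual failure is a VPN client that rewrites the adapter's DNS servers every time it connects, which puts the work resolver back in front; that is the case where johnpoz's other variant, pfSense as the VPN client with policy routing and conditional forwarding on the firewall, keeps the split-DNS decision off the laptop entirely.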
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.