Pfsense box linked to domain name: use of that domain name for local machines?



  • hello,

    behind a pfsense box, I installed a couple of machines to do php stuff and other machines to do mysql replication/load balancing
    and during install, when debian asked for a domain name, well I thought I'd put the same domain name as the WAN of pfsense

    then I noticed that php pages were using the domain name but it is of course the same name as my WAN ip
    so I ended up having connections from my WAN ip to my local mysql servers which is weird since I never created any 3306 rules to pass through

    also, as I set in the hosts files of all machines (except pfsense) ip like

    ip1 host1.domain host
    ip2 host2.domain host
    ip3 host3.domain host

    it seems that php too was replacing web client ips by their full domain name, leading to access denied errors

    so in the end, although all these machines are behind my firewall, I think it was not a good idea to set the same domain name

    any advice?

    thanks



  • anyone?


  • Rebel Alliance Global Moderator

    Are you asking if it's a bad idea to use the same domain you use publicly as you do locally? If so then yeah, I think that is a bad idea to be sure. Can you work around it? Yeah. But what domain you use on a local network really has nothing to do with what domain you might use publicly. Using the same name just leads to confusion.

    Whether the name is registered or a valid tld doesn't really matter either. But if you were using say domain.net locally and domain.com publicly, and there was nothing set up for domain.net, you would be ok. But if someone registered that and started putting records out there, that could cause you issues depending on how you resolve stuff.

    So I would advise, if you like the name domain, register all the tld's in that domain that you might use, be it public or local. Or just use a non-public tld locally; I use .lan for example. So I don't really care if someone has local.com public. It makes no matter to me since that is not my domain, etc.

    There are specific tlds I would stay away from locally, like .local, which has been ruined by apple. I wouldn't use something that might be public soon. Now that you can get your own public tld with $$, who knows what will be next. I would think .lan would be a bad choice, so I don't think that will be an issue too soon.

    But yes, using the same domain publicly and locally can be problematic if you don't have a full handle on what is being resolved from where and are sure that your split dns is working correctly, etc.



  • well ok so what do people usually do? just no domain on their local machine?

    it's quite silly since they are part of that domain, unless "domain" is only WAN related

    I'll have to change all my machines now ha ha

    thanks anyway,

    it's clearer for me now :-)



  • I would just use "mylan" as the domain name on LAN hosts. If the LAN is behind NAT and uses RFC1918 addresses, whatever you put there is not visible to the outside world (with few exceptions like sending email). The domain name is not exactly related to any network interface or network; DNS is an external service that answers only FQDN -> IP address queries (yes, there are other types of records than A or AAAA but they are still variations of the same basic scheme). Setting a domain name on a single host doesn't do much; it only tells the local resolver that it should tag the configured domain name onto names without any dots for queries sent to the DNS resolver, i.e. www -> www.mydomain.tld. That's all that the domain does.


  • Rebel Alliance Global Moderator

    As kpa discussed, it comes down to how you want to resolve your machines. Yes, it's good habit/practice to use fqdn, be it just local or not. DNS does not really support a hostname or netbios name. Sure you can broadcast for a hostname, but if you want to use dns then it should be fully qualified.

    I am not a fan of single-label domains, ie host.domain; to me this looks like a domain.tld. A fully qualified name is going to be host.domain.tld. For your local networks pick a tld (top level domain) that is not used publicly. I like .lan but you could use .mylocaltld or .whatever as your tld, but put something in front of it so that if you want to use different ones that are all common to your tld you can, so domain.whatever and otherdomain.whatever, etc., to distinguish your naming convention for different things if you want locally.

    Or use a sub; for example I use subs on my different segments. So you can have host.dmz.local.lan or host.wlan.local.lan; they are all on my local.lan but are in different segments that I distinguish with the sub.

    So for example, if I do a ptr on an IP, the name that comes back tells me what network segment it's in.

    user@ubuntu:~$ dig -x 192.168.3.253

    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -x 192.168.3.253
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44771
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;253.3.168.192.in-addr.arpa.    IN      PTR

    ;; ANSWER SECTION:
    253.3.168.192.in-addr.arpa. 3600 IN    PTR    pfsense.dmz.local.lan.

    ;; Query time: 3 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Thu Jun 02 09:23:33 CDT 2016
    ;; MSG SIZE  rcvd: 90

    user@ubuntu:~$

    So for example that tells me that 192.168.3.253 is the pfsense interface in the dmz network.

    Setting up proper name resolution is always a sign of a well organized network if you ask me. All your machines should have a fqdn that tells what network it's in, and you should be able to do a ptr on that IP and get the FQDN back, etc.

    But what you use for a domain locally just comes down to a naming label of your own design is all. Machines in general will attach their domain to a dns query that you forget the domain on, and sure you can set up a search list of suffixes that will be queried and attached to what you query for if you do not specifically end the query with the root . on the end of it. The behavior will depend on what exactly is doing the query and what OS it's on, etc. So for example a query with nslookup on windows doesn't work the same as say your browser might ask for something, or how dig would ask for something. When you do a query you can always be specific and use the fqdn. where you even put in the . root at the end so no other suffixes are added to that query.
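An added example, not code from this thread, of the two behaviours kpa and johnpoz describe above: a stub resolver tagging search suffixes onto a short name (and a trailing root dot stopping that), and checking that the PTR answer for an IP has a forward record pointing back to it. The zone data and host names are constructed; nothing here talks to a real DNS server.

```python
# Added example (not code from the thread): how a stub resolver's search
# list turns a short name into candidate FQDNs, and the forward/reverse
# consistency check behind "do a ptr on that IP and get the FQDN back".
# Runs against a constructed in-memory zone, not a live DNS server.
import ipaddress

# Constructed sample zone: hosts on segmented sub-domains under local.lan
FORWARD = {
    "pfsense.dmz.local.lan.": "192.168.3.253",
    "web1.lan.local.lan.": "192.168.1.10",
    "db1.dmz.local.lan.": "192.168.3.20",
}

def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa (or ip6.arpa) owner name that dig -x queries."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

# Reverse zone derived from the forward map, plus one stale PTR left behind
# after a host was renumbered (constructed, to show the mismatch case).
REVERSE = {reverse_name(ip): name for name, ip in FORWARD.items()}
REVERSE[reverse_name("192.168.1.5")] = "oldbox.lan.local.lan."

def candidates(query: str, search_list: list[str], ndots: int = 1) -> list[str]:
    """Names a resolver will try, in order, for `query`.
    A trailing dot marks the name absolute: nothing is appended.
    With fewer than `ndots` dots the search list is tried before the
    bare name (glibc resolv.conf semantics); otherwise the bare name first."""
    if query.endswith("."):
        return [query]
    suffixed = [f"{query}.{s}." for s in search_list]
    bare = [query + "."]
    return suffixed + bare if query.count(".") < ndots else bare + suffixed

def resolve(query: str, search_list: list[str]):
    """Return (fqdn, ip) for the first candidate present in the zone."""
    for name in candidates(query, search_list):
        if name in FORWARD:
            return name, FORWARD[name]
    return None

def ptr_matches(ip: str):
    """Return the PTR target only if its A record points back to `ip`
    (forward-confirmed reverse DNS); None for missing or stale PTRs."""
    name = REVERSE.get(reverse_name(ip))
    if name is None or FORWARD.get(name) != ip:
        return None
    return name

if __name__ == "__main__":
    print(resolve("pfsense", ["lan.local.lan", "dmz.local.lan"]))
    print(reverse_name("192.168.3.253"), "->", ptr_matches("192.168.3.253"))
    print("stale PTR check:", ptr_matches("192.168.1.5"))
```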



  • I got started using .home for my RFC 1918 LAN many years ago when this RFC was still active:

    https://tools.ietf.org/html/draft-chapin-rfc2606bis-00

    Network Working Group          - L. Chapin
    Internet-Draft                                          - Interisle Consulting Group
    Intended status: Standards Track      - M. McFadden
    Expires: December 2, 2011                  - ICC
    May 31, 2011

    Reserved Top Level Domain Names
    draft-chapin-rfc2606bis-00.txt

    That suggested this list:

    .local
    .localdomain
    .domain
    .lan
    .home
    .host
    .corp

    As mentioned above .local has issues with Apple gear today.

    My pfSense box and anything I put into my DMZ gets a DDNS name, set by a program on that system from Afraid, as they are a minimal aggravation compared to some others.

    https://freedns.afraid.org/menu/