New user: Override DNS reply based on client IP



  • Hi,

    I'm just in the process of switching my home LAN from my own FreeBSD server to a dedicated pfSense machine.

    I had something set up on my previous DNS server which I'd like to replicate within pfSense, but I'd appreciate some advice on the best/cleanest way to proceed.

    I had been using PowerDNS as the authoritative server (chained with powerdns-recursor for public queries) for my home domain. I used its python plugin to override a specific public DNS record – basically to make PlexConnect work. It worked like so:

    • Receive DNS query from a host on the LAN

    • Is the query asking to resolve trailers.apple.com ?

    • Is the client that's asking my Apple TV device?  (determined by IP)

    • If so, respond with my Plex server's IP (192.168.50.51)

    • If not, continue and allow the query to be resolved as normal.

    It seems unbound has a similar python module, but I'm not certain if this is present in pfSense's distribution.

    Any advice welcomed!

    Thanks,
    Chris



  • No such thing in the pfSense distribution. You could hack the python module in for unbound but there's no supported way to guarantee that your hack survives updates because the WebGUI and the configuration system of pfSense do not recognize any external modules for the unbound resolver.

    There is the BIND package that supports client IP matching in its views feature but it doesn't quite let you modify the responses individually, you have to construct a complete zone with overrides.



  • Thanks for the help, kpa!

    One of my aims for moving my services to pfSense is to keep my gateway device as clean, simple and well-updated as possible.  So I won't go monkeying around with my pfSense installation.  No unsupported tinkering allowed on a gateway.

    I reckon the cleanest method will be to install unbound on my existing server and fiddle with a python script there to override the query.  Then I'll set my Apple TV's static DHCP record to hand it the server's unbound instance instead of the one on pfSense.

    Just wanted to make sure I wasn't missing something obvious!


  • LAYER 8 Global Moderator

    Sounds like you want to use bind views.. So why would you not just use that?



  • Unless I'm missing something important you can't easily override individual records in BIND views like you can in for example unbound using transparent zones. Has this changed in recent versions of BIND?



  • @displaced:

    Hi,

    I'm just in the process of switching my home LAN from my own FreeBSD server to a dedicated pfSense machine.

    I had something set up on my previous DNS server which I'd like to replicate within pfSense, but I'd appreciate some advice on the best/cleanest way to proceed.

    I had been using PowerDNS as the authoritative server (chained with powerdns-recursor for public queries) for my home domain. I used its python plugin to override a specific public DNS record – basically to make PlexConnect work. It worked like so:

    • Receive DNS query from a host on the LAN

    • Is the query asking to resolve trailers.apple.com ?

    • Is the client that's asking my Apple TV device?  (determined by IP)

    • If so, respond with my Plex server's IP (192.168.50.51)

    • If not, continue and allow the query to be resolved as normal.

    It seems unbound has a similar python module, but I'm not certain if this is present in pfSense's distribution.

    Any advice welcomed!

    Thanks,
    Chris

    I know this is an old topic that may have been solved in the meantime, but here's the solution:

    • install a VM with a minimal CentOS 7 on your network - make sure you allocate a static IP
    • in it, install the repo and package for dnsdist ( https://repo.powerdns.com ). The installation process takes about 2 minutes.
    • configure the /etc/dnsdist/dnsdist.conf as indicated below.
    • point all of your LAN machines to the dnsdist server configured to listen on this machine

    Here's an example of configuration:

    -- Accept queries from any source address (IPv4 and IPv6)
    setACL({"0.0.0.0/0", "::/0"})
    -- Listen on the dnsdist VM's LAN address
    setLocal("192.168.10.18:53")
    -- PowerDNS authoritative server, placed in the "homelan" pool
    newServer{address="192.168.10.22:53", name="ns",  pool="homelan", order=1}
    -- Queries for homelan.net. go to the "homelan" pool
    addAction({"homelan.net."}, PoolAction("homelan"))
    -- Everything else goes to the default pool: the recursive resolver/forwarder
    newServer({address="192.168.10.19:54", name="ns11", order=1})

    Basically, what it does is act as a dispatcher: requests for the internal LAN (homelan.net in this example) are sent to the PowerDNS authoritative server; all other requests are sent to your resolver/forwarder of choice.

    I got fancy and built a Linux cluster with PowerDNS authoritative/unbound resolver/DHCP HA/dnsdist HA on 4 VMs. Works wonders, I really like having the service up and running at all times.


  • LAYER 8 Global Moderator

    This is an old thread; this can be done with unbound ACLs now - it's like views in BIND.

    I posted in this thread back in March, after this thread, how you could do what the OP asked.

    https://forum.pfsense.org/index.php?topic=126740.0

    Which is WAY simpler than running another VM to do this.. Why would you not just run bind package on pfsense as another solution, etc..



  • @johnpoz:

    This is an old thread; this can be done with unbound ACLs now - it's like views in BIND.

    I posted in this thread back in March, after this thread, how you could do what the OP asked.

    https://forum.pfsense.org/index.php?topic=126740.0

    Which is WAY simpler than running another VM to do this.. Why would you not just run bind package on pfsense as another solution, etc..

    I duly noted that this is an old thread before you duly noted that this is an old thread. I posted the solution not only for the OP but for the general audience. Some people around here run on pfSense but it's not just pfSense in their network. You need not step on toes.

    If you, for several minutes, take off that pfSense hat and put on a more diverse one, you'll realize that dnsdist is far more qualified to handle this kind of job than plain ACLs in unbound.

    Reasons not to tie everything to my pfsense vm:

    • I can filter and load balance via the unbound resolver on separate machines, so I can create different pools for ads and for non-ads - ya know, the shopping spree season is around the block. At least one computer in the network needs to reach some ads, for tracking and ease of shopping reasons.
    • less interruption of the DNS resolver service - unbound is load balanced between 3 VMs, with and without filtering lists
    • countless possibilities to filter and redirect DNS requests with dnsdist without having to scratch my head over how to achieve the equivalent with just one unbound service tied to the same pfSense firewall that acts as a gateway
    • the ability to retrieve, store in git and deploy configuration files for dnsdist and unbound with Ansible, one VM at a time, without interruption of service when one unbound server (as in service) needs to be bounced to load new filtering lists. The dnsdist service itself is a cluster resource that has almost 0 interruption.

    I could go on and on on this one.
    I did not say my solution is simpler, but I did imply that with a bit more effort I can achieve a lot of cowbell. A bit more, not a lot more.


  • LAYER 8 Global Moderator

    So you're trying to say your PowerDNS solution is better than BIND..

    I hear you about running DNS off of pfSense - don't have to sell me on the advantages of that for specific use cases. But this OP clearly stated that he was moving away from PowerDNS, which is the solution you're suggesting. So I don't see the value add here to be honest.



  • @johnpoz:

    So you're trying to say your PowerDNS solution is better than BIND..

    I hear you about running DNS off of pfSense - don't have to sell me on the advantages of that for specific use cases. But this OP clearly stated that he was moving away from PowerDNS, which is the solution you're suggesting. So I don't see the value add here to be honest.

    What I am trying to say is that the OP was asking a question about rewriting/redirecting LAN DNS requests to a specific IP.  Has nothing to do with bind vs powerdns.

    The magic touch in the whole solution I was posting is dnsdist (see the link I posted above). The dnsdist package, even in a standalone implementation, is capable of doing exactly what the OP was requesting, without complicating things with various unbound/BIND views, ACLs, and whatnot.

    The first line in the dnsdist.org presentation of the package is misleading: it says it's a load balancer.
    In fact, and as tested, it is capable of much more than just load balancing. With a few lines in a conf file it can reallocate DNS requests to an authoritative DNS server or to an unbound resolver, rewrite the request, or allocate it to a pool of DNS blackhole servers.

    @johnpoz:

    […] So I don't see the value add here to be honest.

    About that pfsense hat you're wearing…

    Thanks for needlessly derailing the thread.
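    To make the "rewrite the request" claim above concrete, here is an added dnsdist configuration (not posted by anyone in this thread) that implements the OP's rule directly, building on the dispatcher config posted earlier: it spoofs trailers.apple.com only for the Apple TV and forwards everything else. The listen address and upstream resolver are taken from the earlier config and the Plex address from the OP; the Apple TV address 192.168.50.20 is an assumption, since the OP never gave it.

```lua
-- Added example dnsdist.conf (not from any post in this thread).
-- Addresses: dnsdist listens on 192.168.10.18 and forwards to 192.168.10.19:54,
-- both from the config posted earlier; the Plex server 192.168.50.51 is the OP's;
-- the Apple TV address 192.168.50.20 is an assumption.

-- Only answer clients on the LAN; the earlier config's 0.0.0.0/0 would let dnsdist
-- answer anyone who can reach the port.
setACL({"192.168.0.0/16"})
setLocal("192.168.10.18:53")

-- Default pool: the recursive resolver that handles everything not matched below.
newServer({address="192.168.10.19:54", name="resolver"})

-- Client match: a netmask group holding just the Apple TV.
local appleTV = newNMG()
appleTV:addMask("192.168.50.20/32")

-- Both conditions must hold: exact qname trailers.apple.com AND source is the Apple TV.
-- dnsdist then synthesizes the A record answer itself; the query never reaches the resolver.
addAction(AndRule({QNameRule("trailers.apple.com."),
                   NetmaskGroupRule(appleTV)}),
          SpoofAction("192.168.50.51"))

-- Any other client asking for trailers.apple.com, and every other name, falls through
-- to the default pool and is resolved normally, which is the OP's last bullet.
```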


  • LAYER 8 Global Moderator

    "Has nothing to do with bind vs powerdns."

    Yes it does… He clearly stated he was moving away from PowerDNS.. And wanted to do it on pfSense.. Which he could have done via the BIND package and views, or a few months later when they updated to unbound 1.6 he could do it with their version of views..

    You seem to be wearing your PowerDNS hat ;) And want nothing more than to promote PowerDNS on an OLD thread that the OP was specifically moving away from.. Yet you suggest he move back to it and run it on something other than pfSense. When he wants to run his solution on pfSense..

    Like I said - where is the value added from your comments?  Talk about a derail ;)

    On a side note the derailing of this thread is moot anyway, since the OP only has 2 posts, and hasn't been back since May anyway.. We could talk about the price of tea in China and it would mean as much as this thread means to the OP ;) And anyone running their own DNS normally wouldn't be here looking for a solution to how the OP's question was asked, since they would be either running BIND or PowerDNS, etc..... So we might as well talk about the weather or what your fav type of beer is.

    I am a huge fan of IPAs and Stouts - what about you?

