Netgate Discussion Forum
    Public DNS for specific IP address

    DHCP and DNS
    25 Posts 3 Posters 2.4k Views
      gusto

      In the center is an apache server with 3x vhosts.

      • example1.gg
      • example2.gg
      • example3.gg

      I set up a host override in the DNS resolver. All 3 domains are translated to the server's IP address. Everything works great. There is a public IPv4 address on the WAN interface. I want all 3 domains to work in the office as well.
      Can I open a DNS resolver on the Internet only for a specific IP address (87.65.43.21)?
      How should I do this?
      public_dns.png

        viragomann @gusto

        @gusto said in Public DNS for specific IP address:

        In the center is an apache server with 3x vhosts.

        example1.gg
        example2.gg
        example3.gg

        Are these public domains or private names?

        In the office you have only a dumb router?
        I guess it doesn't have a DNS forwarder / resolver?

          gusto @viragomann

          @viragomann
          Domains are private
          Is it possible to do it like this?
          On pfSense, I open the DNS resolver towards the Internet.
          In the office, I set the DNS address 12.34.56.78 on each PC.

            viragomann @gusto

            @gusto
            If you have a DNS server or something like that in the office, you can add overrides there as well.

            If not and the ISP router provides your DNS, another option is to forward DNS requests to the center's pfSense DNS resolver.
            However, you will have to set up a VPN for that, since the office might not have a static public IP and it's not a good idea to open the internal DNS for public access.

            Or you simply put the host names with the center's public IP into the hosts file on each PC. On pfSense you have to forward the access to the web server.

              gusto @viragomann

              @viragomann
              Do I understand this correctly?
              If I have pfsense in the office, will I set up the host override just like in the center?
              However, do I need to change the IP address to 12.34.56.78?
              dns-setup.png
              If I want to use only one PC somewhere on the Internet, then I set in /etc/hosts

              12.34.56.78    example1.gg
              12.34.56.78    example2.gg
              12.34.56.78    example3.gg
              
                viragomann @gusto

                @gusto
                Yes, you can set up the host overrides in the office as well, but you have to point them to the public IP and you must forward incoming http(s) traffic on WAN to the web server.

                The hosts file does the same thing as host overrides. If the PC wants to resolve a host name, it looks in the hosts file first. If it finds e.g. example2.gg there, it takes the associated IP; if it doesn't find the host, it queries the DNS server.

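The lookup order viragomann describes above (hosts file first, DNS only for names not found there), shown as a small Python model. This is an added example, not code from the thread or from pfSense; the hosts file content, the hypothetical example4.gg record and the FAKE_DNS stand-in for a real DNS server are constructed for the demonstration.

```python
"""Model of client-side name resolution: /etc/hosts is consulted first,
the DNS server only when the name is absent there (added example)."""
import ipaddress

# Constructed hosts file in the shape gusto posted; 12.34.56.78 is the
# public IP used in the thread, the www alias is added for illustration.
HOSTS_FILE = """
# static entries for the center's web server
127.0.0.1      localhost
::1            localhost ip6-localhost
12.34.56.78    example1.gg
12.34.56.78    example2.gg www.example2.gg   # several names per line are allowed
12.34.56.78    example3.gg
"""


def parse_hosts(text):
    """Return {hostname: ip}. Comments and blank lines are ignored, malformed
    lines are skipped, and the first address seen for a name is kept (this
    toy model stores one address per name)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # not an address: skip the line
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table


# Constructed stand-in for what the configured DNS server would answer.
FAKE_DNS = {"example4.gg": "203.0.113.9"}


def resolve(name, hosts, dns=FAKE_DNS):
    """Hosts file first; fall back to DNS only if the name is not listed.
    Returns (ip, source) where source tells which step answered."""
    key = name.rstrip(".").lower()
    if key in hosts:
        return hosts[key], "hosts"
    if key in dns:
        return dns[key], "dns"
    return None, "nxdomain"


if __name__ == "__main__":
    table = parse_hosts(HOSTS_FILE)
    for host in ("example2.gg", "www.example2.gg", "example4.gg", "nope.gg"):
        print(host, resolve(host, table))
```

Because the hosts file is consulted before any DNS query, an entry there overrides whatever the center's resolver or the ISP's DNS would return for the same name, which is exactly the effect viragomann relies on for PCs outside the center.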
                  gusto @viragomann

                  @viragomann
                  Thank you for your answer

                  Is it possible to achieve this goal as well?

                  I create a rule in the center to open port 53. In the office, I will set up a DHCP server to hand out 12.34.56.78 as the DNS server to clients.
                  Will it work?

                    viragomann @gusto

                    @gusto
                    This would only work in conjunction with VPN, because the center DNS hands out private IPs for the host names, but you need the public one on office devices.

                      gusto @viragomann

                      @viragomann
                      off topic
                      If I want to create a public DNS resolver, I have to use another type, e.g. bind?
                      Of course, the resolver would not be designed for the whole world, but for specific IP addresses.

                        viragomann @gusto

                        @gusto said in Public DNS for specific IP address:

                        If I want to create a public DNS resolver, I have to use another type, e.g. bind?

                        For public resolving, yeah, the DNS resolver is meant for internal purposes.

                        Of course, the resolver would not be designed for the whole world, but for specific IP addresses.

                        Since your office is behind an ISP's CGN, I guess you won't have a static IP there.

                        And as already mentioned, the PCs in the center should get the internal IP for the host names, while all outside devices should get the public IP. So both cannot be done with the same DNS.

                          gusto @viragomann

                          @viragomann
                          I also created a VPN server, but the client only reaches the IP address of the web server 192.168.1.101 (not a domain name such as example1.gg).
                          DNS resolver does not work for VPN clients.

                            viragomann @gusto

                            @gusto
                            Did you add the DNS server to the VPN configuration to push it to the clients?

                            Also you have to configure the DNS resolver properly. Ensure that the VPN interface is selected at listening interfaces.
                            If still no joy, add the clients' tunnel network to the resolver ACLs.

                              gusto @viragomann

                              @viragomann
                              Here is my setup
                              resolver-setup.png
                              accesslist.png
                              vpn-advanced-setings.png

                                viragomann @gusto

                                @gusto
                                Since you have enabled DoT, did you make sure that the clients trust the server's certificate?

                                What exactly happens on the client, when you try to access a remote host by its name?
                                Also tried nslookup or something similar?

                                  gusto @viragomann

                                  @viragomann
                                  BTW what is DoT?

                                  I connected to OpenVPN via an Android client.
                                  Vivaldi browser writes that the site cannot be connected.
                                  nslookup doesn't work for me on a mobile phone.

                                    viragomann @gusto

                                    @gusto said in Public DNS for specific IP address:

                                    BTW what is DoT?

                                    DNS over TLS. Your resolver is set to use TLS.

                                    Vivaldi browser writes that the site cannot be connected.

                                    If the browser does DNS over HTTP (DoH) you are also lost, it won't request your DNS server.
                                    Therefore I asked for another way to check DNS resolution on the client device.

                                      gusto @viragomann

                                      @viragomann
                                      Thank you very much
                                      I canceled this option and now it works.
                                      I hope this does not endanger safety.
                                      Enable SSL / TLS Service appears to have been enabled by default
                                      tls.png

                                        johnpoz LAYER 8 Global Moderator @gusto

                                        @gusto said in Public DNS for specific IP address:

                                        Enable SSL / TLS Service appears to have been enabled by default

                                        No that is not default. It would have to be checked.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          viragomann @gusto

                                          @gusto said in Public DNS for specific IP address:

                                          I hope this does not endanger safety.

                                          As long as you allow access to the DNS Resolver only from internal devices, there shouldn't be any concerns.

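Two pieces of advice in this thread concern the resolver's access list: add the VPN clients' tunnel network to the resolver ACLs so tunnel clients get answers, and allow the resolver only for internal devices so there is nothing to worry about. The Python model below is an added example, not pfSense or Unbound code; it imitates the Unbound access-control rule that the most specific matching netblock decides, with refuse as the default, and it emits the equivalent access-control and local-data lines. The tunnel network 10.8.0.0/24 and the allow/refuse entries are assumptions; 192.168.1.101, 87.65.43.21 and the three domain names come from the thread.

```python
"""Toy model of a resolver access list with the host overrides from the
thread (added example; the ACL entries below are assumed)."""
import ipaddress

# Constructed ACL: center LAN, assumed OpenVPN tunnel network, and an
# explicit refuse for everything else (the Internet).
ACL = [
    ("192.168.1.0/24", "allow"),   # center LAN
    ("10.8.0.0/24", "allow"),      # VPN client tunnel network (assumed)
    ("0.0.0.0/0", "refuse"),       # anything else is refused
]

# Host overrides from the thread: all three names point at the private
# address of the Apache server.
OVERRIDES = {
    "example1.gg": "192.168.1.101",
    "example2.gg": "192.168.1.101",
    "example3.gg": "192.168.1.101",
}


def acl_action(client_ip, acl=ACL):
    """Return the action of the most specific netblock containing client_ip;
    'refuse' when nothing matches (the Unbound default)."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in acl:
        network = ipaddress.ip_network(net)
        if ip.version == network.version and ip in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, action)
    return best[1] if best else "refuse"


def answer_query(name, client_ip, acl=ACL, overrides=OVERRIDES):
    """Answer an A query: refused clients get REFUSED, allowed clients get
    the override address, and None means 'not an override, would recurse'."""
    if acl_action(client_ip, acl) != "allow":
        return "REFUSED"
    return overrides.get(name.rstrip(".").lower())


def unbound_config(acl=ACL, overrides=OVERRIDES):
    """Render the same policy as Unbound access-control and local-data lines
    (the directives pfSense writes from the ACL and host override settings)."""
    lines = [f"access-control: {net} {action}" for net, action in acl]
    for name, ip in overrides.items():
        lines.append(f'local-data: "{name}. IN A {ip}"')
    return "\n".join(lines)


if __name__ == "__main__":
    print(unbound_config())
    for client in ("192.168.1.50", "10.8.0.2", "87.65.43.21"):
        print(client, answer_query("example1.gg", client))
```

Adding an allow entry for the office's address would let it query, but the answer would still be 192.168.1.101, which the office cannot reach; that is the point viragomann makes about the same resolver not being able to serve both sides.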
                                            gusto @viragomann

                                            @viragomann said in Public DNS for specific IP address:

                                            @gusto said in Public DNS for specific IP address:

                                            If I want to create a public DNS resolver, I have to use another type, e.g. bind?

                                            For public resolving, yeah, the DNS resolver is meant for internal purposes.

                                            Of course, the resolver would not be designed for the whole world, but for specific ip addresses.

                                            Since you office is behind an ISPs CGN, I guess, you won't have a static IP there.

                                            And as already mentioned, the PCs in the center should get the internal IP for the host names, while all outside devices should get the public IP. So both cannot be done with the same DNS.

                                            Here you wrote that the DNS resolver is for internal use only.
                                            ☺

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.