Using a free Cloudflare DNS account for private DNS
-
Cloudflare allows me to create A records for my domain 'example.net' that point to private ip address space.
For example:
vpn-server-1.example.net 10.10.10.1 ('A' record)
vpn-client-1.example.net 10.10.10.101 ('A' record)
vpn-client-2.example.net 10.10.10.102 ('A' record)The resolve quite nicely from my various colocations but not from my home lab that runs pfSense as my router, firewall and dns resolver that uses '1.1.1.1'.
I am running 22.05-RELEASE(amd64).
Can't figure out what extra security pfSense is enforcing.
-
@mark_lab_user said in Using a free Cloudflare DNS account for private DNS:
my domain 'example.net' that point to private ip address space.
While they might let you actually do that - it sure isn't a good idea.. There was a thread around here recently where posted the rfcs that specifically say not to do such a thing.
Out of the box no those would not resolve because they would be considered a rebind. You could either set that domain as a private domain, or just completely turn off rebind protection.
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html
But I would rethink what your doing if your solution is putting rfc1918 addresses into public dns.
Here is the post where I quoted the rfc
https://forum.netgate.com/post/1055526 -
Thanks for the very quick response on that. I had a feeling that it had to do with re-binding attacks but could not figure it out. I do plan on delegating a subdomain in cloudflare to some self hosted dns servers running dnsmasq. Bind9 is way above my pay grade. Maybe I will use a FreeBSD too.
-
@mark_lab_user what is the use case here?
Anything that is on your network, be it physically on your network or vpn into your network would/should leverage your internal dns - which would resolve all your internal IPs.
You can for sure resolve say something.example.com to a public IP when your out and about on the internet.
But if the client is on your network or vpn'd into the network resolve that same something.example.com to whatever its local network rfc1918 address is.
This to be honest can just be done with unbound on pfsense, with a simple host override for something.example.com
The only real sort of use case I could see for wanting to have public dns resolve a rfc1918 address would be you had some device that had hard coded public dns, which forwhatever reason you couldn't just intercept via redirect. And you needed this server to resolve something.example.com to the IP of the server local on your network 192.168.whatever IP etc..
But another way to solve that sort of problem could be nat reflection, not as smooth as just a split dns setup, but it too can come in handy with dealing with something that is forced to use public dns.
-
@johnpoz My use case was basically to reorganise my vpn and a customers' vpn's so that I did not have to have client machines knowing the peer ip addresses but rather have names and corresponding ip addresses that can be controlled in one place. This all came about as I started adopting Wireguard which has been such an advancement over OpenVPN from a configuration standpoint.
-
@mark_lab_user but when would some vpn client out on the internet ever need to resolve something to private - sure once its on the vpn, but when its on the vpn it should use your internal dns.
-
@johnpoz Yeah. Your right. I overthought this. Thanks for the second pair of eyes !
