    Using a free Cloudflare DNS account for private DNS

mark_lab_user

      Cloudflare allows me to create A records for my domain 'example.net' that point to private ip address space.
      For example:
      vpn-server-1.example.net 10.10.10.1 ('A' record)
      vpn-client-1.example.net 10.10.10.101 ('A' record)
      vpn-client-2.example.net 10.10.10.102 ('A' record)

They resolve quite nicely from my various colocations but not from my home lab, which runs pfSense as my router, firewall and DNS resolver that uses '1.1.1.1'.

      I am running 22.05-RELEASE(amd64).

      Can't figure out what extra security pfSense is enforcing.

johnpoz (Global Moderator) @mark_lab_user

        @mark_lab_user said in Using a free Cloudflare DNS account for private DNS:

        my domain 'example.net' that point to private ip address space.

While they might let you actually do that, it sure isn't a good idea. There was a thread around here recently where I posted the RFCs that specifically say not to do such a thing.

Out of the box, no, those would not resolve, because they would be considered a rebind. You could either set that domain as a private domain, or just completely turn off rebind protection.

        https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html

But I would rethink what you're doing if your solution is putting RFC 1918 addresses into public DNS.

        Here is the post where I quoted the rfc
        https://forum.netgate.com/post/1055526

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

mark_lab_user @johnpoz

          @johnpoz

          Thanks for the very quick response on that. I had a feeling that it had to do with re-binding attacks but could not figure it out. I do plan on delegating a subdomain in cloudflare to some self hosted dns servers running dnsmasq. Bind9 is way above my pay grade. Maybe I will use a FreeBSD too.

johnpoz (Global Moderator) @mark_lab_user

            @mark_lab_user what is the use case here?

            Anything that is on your network, be it physically on your network or vpn into your network would/should leverage your internal dns - which would resolve all your internal IPs.

You can for sure resolve say something.example.com to a public IP when you're out and about on the internet.

            But if the client is on your network or vpn'd into the network resolve that same something.example.com to whatever its local network rfc1918 address is.

            This to be honest can just be done with unbound on pfsense, with a simple host override for something.example.com

The only real sort of use case I could see for wanting to have public DNS resolve an RFC 1918 address would be if you had some device that had hard-coded public DNS, which for whatever reason you couldn't just intercept via redirect, and you needed this server to resolve something.example.com to the IP of the server local on your network, 192.168.whatever, etc.

            But another way to solve that sort of problem could be nat reflection, not as smooth as just a split dns setup, but it too can come in handy with dealing with something that is forced to use public dns.


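The two replies above name three knobs on the pfSense DNS Resolver (Unbound): the rebind filter that makes a public name with a private address come back empty by default, the private-domain whitelist from the linked rebinding doc, and a plain host override that answers internally and never reaches the filter. The Python below is an added illustration for this thread, not pfSense or Unbound code and not written by either poster; the domain, the addresses and the "upstream" answers attributed to 1.1.1.1 are constructed stand-ins, and the exact private-address list is an assumption.

```python
"""Model of how the pfSense DNS Resolver (Unbound) treats a forwarded answer that
carries RFC 1918 addresses, and why a host override sidesteps the problem.
Added illustration for this thread, not pfSense or Unbound code; the names,
addresses and upstream answers are constructed."""
import ipaddress
from typing import Dict, List, Optional

# Ranges pfSense writes as private-address: lines into unbound.conf while DNS
# rebinding checks are enabled (assumed list: RFC 1918 plus link-local/ULA).
PRIVATE_ADDRESS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "fd00::/8", "fe80::/10")
]

# Constructed stand-in for what the forwarder at 1.1.1.1 hands back: public
# DNS for example.net pointing at private space, as in the original post.
UPSTREAM: Dict[str, List[str]] = {
    "vpn-server-1.example.net.": ["10.10.10.1"],
    "vpn-client-1.example.net.": ["10.10.10.101"],
    "www.example.net.": ["203.0.113.10"],
}


def canonical(name: str) -> str:
    """Lower-case, absolute (trailing dot) form used for every lookup."""
    return name.lower().rstrip(".") + "."


def is_private(ip: str) -> bool:
    """True when ip falls inside one of the private-address ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_ADDRESS)


def in_domain(name: str, domain: str) -> bool:
    """True when name equals domain or is a subdomain of it."""
    name, domain = canonical(name), canonical(domain)
    return name == domain or name.endswith("." + domain)


class Resolver:
    """Just enough of Unbound's answer path to show the three knobs discussed."""

    def __init__(self, local_data=None, private_domain=(), rebind_protection=True):
        # local-data        -> pfSense "Host Overrides"
        self.local_data = {canonical(k): v for k, v in (local_data or {}).items()}
        # private-domain    -> zones allowed to answer with private addresses
        self.private_domain = list(private_domain)
        # False             -> "Disable DNS Rebinding Checks" (no private-address lines)
        self.rebind_protection = rebind_protection

    def resolve(self, name: str) -> Optional[List[str]]:
        """A records a client would see: [] models an empty NOERROR answer,
        None models NXDOMAIN."""
        name = canonical(name)
        # Host overrides are answered locally and never forwarded, so the
        # rebind filter does not apply to them.
        if name in self.local_data:
            return list(self.local_data[name])
        answer = UPSTREAM.get(name)
        if answer is None:
            return None
        if not self.rebind_protection or any(in_domain(name, d) for d in self.private_domain):
            return list(answer)
        # Unbound's scrubber drops the whole RRset when a public name carries a
        # private address, which the client experiences as the name not resolving.
        if any(is_private(ip) for ip in answer):
            return []
        return list(answer)


if __name__ == "__main__":
    cases = {
        "default (rebind protection on)": Resolver(),
        "private-domain example.net": Resolver(private_domain=["example.net"]),
        "host override": Resolver(local_data={"vpn-server-1.example.net": ["192.168.1.10"]}),
        "rebind checks disabled": Resolver(rebind_protection=False),
    }
    for label, r in cases.items():
        print(f"{label:32} vpn-server-1.example.net -> {r.resolve('vpn-server-1.example.net')}")
```

On pfSense the whitelist is the Custom options box under Services > DNS Resolver, with a `server:` line followed by `private-domain: "example.net"`; the host override is Services > DNS Resolver > Host Overrides; and the global switch is "Disable DNS Rebinding Checks" under System > Advanced > Admin Access. Of the three, the host override is the one that leaves the rebind filter intact for every other name.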
mark_lab_user @johnpoz

@johnpoz My use case was basically to reorganise my VPN and a customer's VPNs so that I did not have to have client machines knowing the peer IP addresses, but rather have names and corresponding IP addresses that can be controlled in one place. This all came about as I started adopting WireGuard, which has been such an advancement over OpenVPN from a configuration standpoint.

johnpoz (Global Moderator) @mark_lab_user

@mark_lab_user But when would some VPN client out on the internet ever need to resolve something to a private address? Sure, once it's on the VPN, but when it's on the VPN it should use your internal DNS.


mark_lab_user @johnpoz

@johnpoz Yeah. You're right. I overthought this. Thanks for the second pair of eyes!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.