Best Practice? How to set up DNS for roving admin laptop between subnets

MrPete

My situation seems semi-"normal" to me yet the solution evades me.

CONTEXT

• Multi-subnet LAN with subnets for secure internal, server, guest, IoT and more. Four WiFi SSID's mapped into some subnets.
• At least one admin laptop can rove between subnets via WiFi or hardwired ports, making use of reserved IP's.

My previous architecture had all DNS and DHCP handled in a slow-but-functional high end WiFi box running DNSmasq. Everything worked reasonably well (if slow ;) )

QUESTIONS

I've run into the following challenges and questions with pfSense:

1. Local Device registration. UnBound really doesn't like local devices registering themselves. Is there a suggested template for a front end DNS used for local devices, that then hands off to Unbound for offsite DNS lookup and caching?

2. Roving internal device DNS. I just discovered that all static IP's are saved in /etc/hosts... and that's a Big Problem:

• DHCP operates perfectly in a multi-subnet context. The correct static IP for the current subnet is always assigned and returned.
• But the DNS resolver does NOT work correctly. The DNS resolver simply returns whichever IP is first in the hosts list for a given host name. Doesn't matter what subnet I'm on?!

I assume I either have something misconfigured, or misunderstood.

Any ideas?

The Party of Hell No

@MrPete Can you clarify what you mean - "UnBound really doesn't like local devices registering themselves"

The second question about front end for local and then offsite... starts with general setup - DNS server settings, My understanding by choosing the DNS servers you would like to use "offsite" and then choosing the default behavior "DNS Resolution Behavior." The DNS Resolver it will access 127.0.0.1 and resolve till it can't and then goes out. Which I believe most internal LAN segments and local host IP''s will be done internally. It also requires choosing in the DNS resolver the "Outgoing Network Interfaces"

The Party of Hell No

@MrPete Are you using static ARP's?

Are you hooking up via a wireless AP, or are you using wired connections through switches?

MrPete

@The-Party-of-Hell-No
THANKS for the questions! My apologies for delays... lots of life here...

When I say "Unbound really doesn't like local devices registering themselves" I'm referring to the fact that:

• The Unbound design only adds a device to its database when loading the database
• Thus, if device self-registration is enabled, Unbound must reload
• On a busy system (eg we have a mailserver that must filter a LOT of email attempts), any Unbound reload is a significant hit.

Your final question: connections are via BOTH wireless AP and wired. All DHCP is handled by pfSense, so it really doesn't matter if wired or wifi. (Which IP is used depends on the subnet being accessed, which is determined by either wired port or wireless SSID.)

I'm not concerned about how to accomplish the combination of internal+external. As you note, it's pretty simple. This network has been running for some time.

My questions are specific to the two situations listed:

1. What's a good solution for local device registration
   and
2. What's a good solution for handling roving internal device DNS. YES -- known devices with static IP's assigned on each subnet.

Just to make it clear, an example:

Laptop AdminA has preassigned static IP's:

• 192.168.11.10
• 192.168.220.10
• 10.8.0.10
• 172.16.99.10

...on each of four subnets (public, server, secure internal, etc)

Unfortunately, while pfSense DHCP properly assigns the correct IP address every time, on the DNS side, any internal DNS query is handed whichever IP is listed first in /etc/hosts for AdminA. :(

That's the problem I'm asking about in #2.

JKnott

@MrPete

I have my main LAN and guest WiFi here. I also use static mapped IPv4 addresses on the main LAN. When I connect my notebook computer to either network I get the correct address range, in both Linux and Windows, with the mapped address on the main LAN. The only time I ever had an issue was when I was using a TP-Link access point, which allowed multicasts from my main LAN to the guest LAN. This made it impossible to use IPv6 on the guest WiFi.

JKnott

@JKnott

What do you have configured for DNS in the DHCP? If you don't specify the DNS servers, it will use the default. I specify mine, using pfSense on the main LAN and public servers on the guest Wifi.

The Party of Hell No

@MrPete
Good clarification. The problem is not the DHCP IP assignments - that works, but the DNS side assignment.

I still need clarification - the DNS server when queried always returns the first IP listed in etc/hosts which is AdminA? So no mater the location - moving around the organization on different sub-nets it assigns the DNS host AdminA? Which you want is for it to be assigned, maybe AdinmB when you move to a second location?

As for the DNS reload - you may know this already - there are two choices, one is: Register DHCP leases in the DNS Resolver and the other: Register DHCP static mappings in the DNS Resolver. The first reloads the DNS server every time a new inquiry is requested and the second only reloads with each additions of a DHCP static mapping. Learned this myself recently.

MrPete

@The-Party-of-Hell-No
Consider a single admin laptop. I've assigned static IP's on each subnet for that one laptop, so it gets the appropriate IP address when connected to that subnet.

Here's what ends up in /etc/hosts as a result:

192.168.11.10    AdminA.dom.ain AdminA
192.168.220.10    AdminA.dom.ain AdminA
10.8.0.10   AdminA.dom.ain AdminA
172.16.99.10    AdminA.dom.ain AdminA

...and the DNS Resolver simply pulls the first entry it sees (192.168.11.10) and returns THAT, no matter what actual IP address was assigned by DHCP.

A painful mess!

• DHCP works. Whatever subnet AdminA is connected to, the correct static IP is assigned and returned.
• DNS resolver fails. Whatever subnet AdminA is connected to, DNS returns 192.168.11.10

That makes no sense to me. I assume I'm doing something wrong, but maybe this is just a bug.

MrPete

@JKnott the advantage of using non-default servers on guest Wifi is that you're hiding the internal endpoints. That's fine.
But even internal endpoints need access to outside DNS, so it's necessary to have a single DNS address that resolves both.

The extreme case is our email server:

• Up to 20 incoming email attempts per second at the extreme, most of which are blocked by RBL lists (accessed through DNS, and with a big cache to keep it efficient.)
• AND it must recognize internal names of course ;)
• This is why I don't want to reload Unbound on every registration.

Yes, good that static IP's don't cause a reload. Yet we have DHCP for a reason ;) ...

I suppose it's quite logical to rethink that part of the situation as follows:

1. Endpoints we actually care about ought to receive static IP's. This will not harm Unbound.
2. Guest endpoints don't need to be registered anyway. They need a (DHCP) IP address, that's all.

Assuming this simple logic is correct, a best practice is to simply disable DHCP registration of new endpoints in DNS and not worry about it ;)

That DOES sit well with me. THANKS!

All I have left to resolve then is the multi-subnet-static-IP strangeness.

The Party of Hell No

@MrPete
I would agree, very strange behavior. From my perspective it almost appears as a host override in the DNS resolver.
MAC address restriction somewhere else?

MrPete

@The-Party-of-Hell-No no address restrictions not that i know of...

particularly since dhcp is not confused at all :)

Patch

@MrPete said in Best Practice? How to set up DNS for roving admin laptop between subnets:

My situation seems semi-"normal" to me yet the solution evades me.

CONTEXT

Multi-subnet LAN with subnets for secure internal, server, guest, IoT and more. Four WiFi SSID's mapped into some subnets.
At least one admin laptop can rove between subnets via WiFi or hardwired ports, making use of reserved IP's.

My understanding is best practice is to configure the network to not allow access on un-trusted networks such as WAN, Guest, IOT. And if greater security is desired an admin lan/vlan is created for administrator tasks.

Allowing admin access from a particular IP address allows any bad player to do the same just by listening to traffic on the network, then manually setting their IP.

Gertjan

@MrPete said in Best Practice? How to set up DNS for roving admin laptop between subnets:

192.168.11.10 AdminA.dom.ain AdminA
192.168.220.10 AdminA.dom.ain AdminA
10.8.0.10 AdminA.dom.ain AdminA
172.16.99.10 AdminA.dom.ain AdminA

The same device can be present in multiple net works.
Does this device has a server role ? Is it used by other devices in the network where it is connected to ? Is it exposing services ?
Why do you need to have an identical network DNS name known in every network ?

Why not :
192.168.11.10 AdminA-1.dom.ain AdminA-1
192.168.220.10 AdminA-2.dom.ain AdminA-2
10.8.0.10 AdminA-3.dom.ain AdminA-3
172.16.99.10 AdminA-4.dom.ain AdminA-4

So, if any device in network 192.168.11.0/24 needs the services of AdminA-1, it will always has the IP 192.168.11.10 (until it isn't there, as it is visiting other networks ...)
Etc

Dobby_

Could it be that VLAN´s here will be do the trick?

VLAN1 = Admin laptop
VLAN2 = WiFi
VLAN3 =LAN
VLAN4 =Servers

Over the switch

• Your admin laptop is only in VLAN1 and all devices too!
  Switch ACL´s are regulating then "what is allowed for whom"

Over pfSense

• Your admin laptop is a member of all VLANs
  Fireweall rules will regulating "who is allowed to do what"

JKnott

@MrPete said in Best Practice? How to set up DNS for roving admin laptop between subnets:

the advantage of using non-default servers on guest Wifi is that you're hiding the internal endpoints. That's fine.
But even internal endpoints need access to outside DNS, so it's necessary to have a single DNS address that resolves both.

I still use external DNS. I run a resolver for that, but I still configure local addresses on my DNS server. On my main LAN, I specify the local DNS addresses in DHCP, along with Google's DNS, just in case my own DNS server isn't working. My guest WiFi gets only the external servers. You can still specify the pfSense DNS, even though that would be the default.

MrPete

@JKnott said in Best Practice? How to set up DNS for roving admin laptop between subnets:

I still use external DNS. I run a resolver for that, but I still configure local addresses on my DNS server. On my main LAN, I specify the local DNS addresses in DHCP, along with Google's DNS, just in case my own DNS server isn't working. My guest WiFi gets only the external servers. You can still specify the pfSense DNS, even though that would be the default.

Thanks for this. I'm not sure I am clear about all you are saying.

What (I think) is clear:

• "Guest WiFi gets only the external servers" -- so, you don't even point to pfSense DNS resolver, but to outside DNS such as Google or OpenDNS or whatever.

• "On my main LAN, I specify the local DNS addresses in DHCP, along with Google's DNS, just in case my own DNS server isn't working"

  • I've never had to worry about internal DNS stopping, in many years... but OK.
  • (We like to manage DNS access, to avoid various security issues... so we only provide access to outside DNS under specific conditions rather than as an always-available alternative...)

What feels a bit muddy:

• "I still use external DNS. I run a resolver for that, but I still configure local addresses on my DNS server." ... combined with
• "I specify the local DNS addresses in DHCP."

So...

• Do you use any static IP's? If so, are they in your DHCP, your DNS server, or both?
• What DNS server are you running?
• What do you mean when you say "I run a resolver for [external DNS]?" Are you simply saying that you use pfSense DNS Resolver, either with or without DNS Forwarding enabled?

MrPete

@Dobby_ said in Best Practice? How to set up DNS for roving admin laptop between subnets:

Could it be that VLAN´s here will be do the trick?

Nope. This is a SysAdmin laptop, used for problem resolution etc on any / all VLANs. It needs to be able to migrate to any VLAN at any time.

@Gertjan said in Best Practice? How to set up DNS for roving admin laptop between subnets:

The same device can be present in multiple net works.
Does this device has a server role ? Is it used by other devices in the network where it is connected to ? Is it exposing services ?
Why do you need to have an identical network DNS name known in every network ?

NOT a server. A sysadmin tool.
Why identical name in every subnet? Because various system security and backup and other tools need to know that it is the AdminA endpoint. Yes, COULD make it look like four different devices on four subnets, but there's a hassle and cost to that.
(Just for example, our backup system is able to back it up no matter how it is connected... and it is always recognized.)

DNSmasq easily handles this use case. I'm just surprised and saddened that pfSense DNS appears to not handle it properly. :(

The Party of Hell No

@MrPete
I do the same thing... use the same host name and MAC address on three different LAN segments.

Patch

@MrPete said in Best Practice? How to set up DNS for roving admin laptop between subnets:

NOT a server. A sysadmin tool.

I believe you will find there is no "Best Practice" for what you are doing because what you are doing is not best practice or even supported practice.

JKnott

@MrPete

OK, let's see if I can make things clearer. I run the resolver that's included with pfSense.
Guests are not allowed to access anything on my network, including DNS. The only thing they can do is ping the VLAN interface.
I used static mapped IPv4 addresses for everything that lives here, other than my desktop computer and, of course, pfSense. I use SLAAC for IPv6.
Local DNS has an entry for all those devices for both IPv4 and IPv6 addresses.
Since I run a resolver, there's no forwarding involved.