    Unbound domain overrides for local DNS across site-to-site VPNs

    Category: 2.2 Snapshot Feedback and Problems - RETIRED

    phil.davis:

      The example use case is an internal private company network of VPNs interconnecting multiple offices. Some far-flung office has (possibly multiple) VPN hops to reach a DNS server that provides name resolution for the internal company names. The private OpenVPN tunnel network subnets are not known to the routing tables of some remote router(s) in the internal network. So if a DNS query is received from "far-flung-office-OpenVPN-tunnel-endpoint", the reply cannot be routed back.
      In dnsmasq there was a box to put "Source IP address for queries to the DNS server for the override domain." In that we would normally put the LAN IP of "far-flung-office". The internal DNS server at the main office would know how to route back to that (the whole of the main office knows how to route to "far-flung-office-LAN").

      Now there is no such box in the DNS Resolver (unbound) GUI. And actually I can't see how to do this in an unbound.conf file anyway - it does not seem to support that.

      The ways around this seem to be:

      1. Make sure that all routers in the company intranet know how to route correctly to all intranet subnets across whatever VPN links there are, including how to route to the OpenVPN tunnel networks themselves;
         or
      2. Select LAN in Outgoing Network Interfaces on DNS Resolver. That makes all outgoing queries come from the LAN IP. It works for resolving intranet names (that is expected, LAN IP is an internal private IP in the intranet). It also seems to work for public name resolution - I guess the source IP being LAN IP, it is NATed on the way out WAN(s) to the public DNS, so actually the public DNS sees source IP as WAN IP.

      (1) is easy enough to achieve in a small company intranet. If there are loads of OpenVPN tunnel links it can be more hassle to maintain all the internal routing (and I guess when the company intranet gets big you start using some routing protocol - OSPF…)

      (2) sounds a little tricky - is there something here that I have not thought of that will be broken by that?

      Any comments or better ideas for the solution to this with Unbound DNS Resolver?

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

      cmb:

        Yeah, there isn't a direct equivalent for the source IP per-domain override that's in dnsmasq.

        Ideally that won't be an issue because #1 will work, but that isn't the case at times and fixing that can be a significant undertaking.

        The best alternative I've seen is #2, picking only a single interface for the outgoing interface option. I don't think there are any caveats to that. Any queries that go to an Internet destination will have that IP source NATed. The only potential issue I can think of there is if you need one domain override to use one source IP, and a different domain override to use a different source IP. I've never seen anyone have such a requirement, so it's likely exceptionally rare. Choosing only LAN for the outbound interface should be safe in most every scenario.

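The two situations discussed in the thread, written out in unbound.conf syntax as an added illustration (this is not configuration from either post, nor pfSense's generated files). Fragment (a) is the domain override on its own, which reproduces phil.davis's unroutable-reply problem; fragment (b) is option 2, the global source address that cmb recommends. The addresses and the domain name are assumptions; pick one fragment, not both:

```conf
# Added example, not from the original thread. Assumed values:
#   192.168.10.1   LAN address of the far-flung office firewall (unbound runs here)
#   10.8.0.6       that firewall's local address on its OpenVPN tun interface
#   10.0.0.53      the internal DNS server at the main office
#   corp.example   the internal company domain

# --- (a) domain override only, no outgoing-interface ---
# With no outgoing-interface, unbound leaves the source address to the kernel.
# The route to 10.0.0.53 goes over the tunnel, so the query leaves from 10.8.0.6.
# Any router on the path back that lacks a route to the tunnel subnet drops the
# reply, and lookups under corp.example time out.
server:
    interface: 192.168.10.1
    access-control: 192.168.10.0/24 allow
    access-control: 127.0.0.0/8 allow

forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.53

# --- (b) option 2 from the thread: pin every query to the LAN address ---
# Selecting only LAN under "Outgoing Network Interfaces" amounts to this line.
# outgoing-interface is global in unbound: there is no per-forward-zone source
# address, so two overrides that need two different source addresses cannot be
# expressed. Replies for corp.example now come back to 192.168.10.1, which the
# main office already knows how to reach. Internet-bound queries also leave from
# 192.168.10.1 and are source-NATed on the way out WAN.
server:
    interface: 192.168.10.1
    outgoing-interface: 192.168.10.1
    access-control: 192.168.10.0/24 allow
    access-control: 127.0.0.0/8 allow
    # Only needed if DNS rebinding protection (private-address: ...) is also
    # configured: without this, RFC1918 answers for corp.example are stripped.
    private-domain: "corp.example"

forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.53
```

Check the syntax with `unbound-checkconf` before reloading. To confirm the routing assumption without touching the resolver at all, run `dig -b 10.8.0.6 @10.0.0.53 host.corp.example` and then `dig -b 192.168.10.1 @10.0.0.53 host.corp.example` on the firewall: `-b` sets the query's source address, so the first call should time out and the second should answer if the problem is the one the thread describes.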