Possible to define a local host override pointing to an externally hosted CNAME?
-
Situation:
We have several sites set up with wireless APs that during bootup need to "phone home" to a WAP controller in our DC. The way they do this is by issuing an unqualified DNS query for "unifi" which up until now we've simply defined in the Host Overrides area and pointed to our public controller IP. This works well.
The problem is we recently got assigned a new IP block by the ISP and as a result it was a very time consuming task to log into each firewall, update the DNS, and make sure all the WAPs rebooted and came up properly (of course some didn't and required on-site visits!).
TL;DR: I would love it if anyone knows a way that, instead of defining just an "A" record override pointing to a specific IP, we could instead plant a CNAME there so that e.g. unifi.foo.lan would resolve to CNAME unifi.whatever.com (whatever.com being a public DNS domain that we control).
-
Found this page https://unbound.net/pipermail/unbound-users/2012-April/002338.html on setting up unbound to use a "stub zone" that passes queries to another server. It seems like that might work, has anyone done such a thing, maybe by adding it to the 'Advanced' section of the resolver config page? Am I going about this the wrong way? :-[
-
The advanced textarea definitely is usable for this.
-
I developed a hack to work around this limitation of Unbound without the need for an external authoritative name server (BIND).
With it, you are able to create a Host Override to resolve names to other domain names.
Maybe it is useful to someone: http://diegoqueiroz.com.br/how-to-override-results-from-unbound-with-domain-names/
Best regards,
-
You do understand you can change that unifi inform to point to an FQDN, or you could point it to the actual IP; you can hand this IP out with DHCP option 43 even.
https://help.ubnt.com/hc/en-us/articles/204909754-UniFi-Layer-3-methods-for-UAP-adoption-and-management
-
This really does not appear to be the same thing.
Anyway, I have static members in my network.
I cannot assume my users will respect the policies of my DHCP, but I can force them to use my DNS.
-
huh?
The guy wants his unifi APs to talk to the controller.. He can point them to his controller's IP with the correct inform, or just hand out the controller's IP via DHCP for the unifi AP..
-
Oh, OK. I get it. I really was not reading the user problem, but only his request. My fault.
The request is to add a CNAME to the DNS Resolver (this is the title of this topic), and this is the problem that my answer intends to solve.
-
Thank you for posting that. I wound up going about it differently: I installed nsd and run it on port 10053 on localhost, then created a stub-zone that serves my CNAME. It's fragile (I doubt it will survive an upgrade) but it does work for me.
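The stub-zone idea raised earlier in the thread and the nsd-on-localhost setup described in the reply above, written out as an added configuration example (not the poster's own config, and not from the Unbound or nsd projects). The zone name foo.lan, the CNAME target unifi.whatever.com, the serial and the file paths are assumptions.

```conf
# --- nsd.conf (assumed path; only the relevant clauses shown) ---
# nsd is authoritative only. Binding it to loopback on an unprivileged
# port keeps it off port 53 (Unbound's) and unreachable from the LAN.
server:
    ip-address: 127.0.0.1
    port: 10053

zone:
    name: "foo.lan"
    zonefile: "foo.lan.zone"     # relative to nsd's zonesdir (assumed)

# --- foo.lan.zone (assumed zone; target name is an assumption) ---
# The CNAME points at a name in public DNS you control, so when the
# controller IP changes only that public A record has to change.
$ORIGIN foo.lan.
$TTL 300
@       IN SOA   ns1.foo.lan. hostmaster.foo.lan. (
                 2024010101   ; serial, bump on every edit
                 3600         ; refresh
                 900          ; retry
                 604800       ; expire
                 300 )        ; negative-cache TTL
@       IN NS    ns1.foo.lan.
ns1     IN A     127.0.0.1
unifi   IN CNAME unifi.whatever.com.

# --- Unbound: lines for the DNS Resolver "Advanced"/custom options box ---
server:
    # Unbound will not send queries to 127.0.0.0/8 unless told to.
    do-not-query-localhost: no
    # foo.lan has no DS record in any parent, so with DNSSEC validation
    # enabled the stub's answers would be marked bogus; exempt the zone.
    domain-insecure: "foo.lan"

# Delegate foo.lan to the local nsd. Unbound chases the CNAME it gets
# back and resolves unifi.whatever.com through normal recursion.
stub-zone:
    name: "foo.lan"
    stub-addr: 127.0.0.1@10053
```

From a LAN client, `dig unifi.foo.lan` against the firewall should return the CNAME followed by the A record of the public name; if the answer is SERVFAIL, the domain-insecure or do-not-query-localhost line is the usual culprit.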
-
Still confused why you don't set the AP to use the correct FQDN in their inform, or just set up option 43 in your DHCP to hand the AP the IP for the controller directly?
-
@johnpoz, you are just thinking about luckman212's problem itself and how you would solve it without the need for any DNS hack.
But you must consider that allowing a domain name to be included in the DNS Resolver has thousands of uses.
For example, my problem has nothing to do with luckman212's problem. Some offices of my company use ISPs that provide a dynamic IP address, and each of these offices is set to update its IP address using some DDNS service (no-ip, dyndns, etc). I do not want to provide ugly unrelated names to my users like "xpto.no-ip.net", but "service.mycompany.com" instead. Since I do not have access to my company's name servers, a DNS override was my solution.
Anyway, it is just a solution. It is up to the network admin to choose the one that best fits his needs.
-
Still confused why you don't set the AP to use the correct FQDN in their inform, or just set up option 43 in your DHCP to hand the AP the IP for the controller directly?
The reasons are simple:
1. DHCP 43 is only looked up once (at boot time) - if the IP changes, the site goes "down" until someone manually power cycles the WAPs which is not always possible. We use managed switches wherever we can but sometimes we are forced to use whatever was in place. Also a scalability nightmare for making changes if you have to log on to many firewalls to update the IP.
2. Manually setting the inform URL on the AP – suffers the same problem as #1 if the IP changes.
In my testing, at least with the Unifi equipment, the only robust option is to have a local DNS server serve out the IP of the controller. This is really something Ubiquiti should enhance but for now it is what it is.
-
Curious why would your IP change in a DC?? At a loss to understand how that would happen on any sort of schedule.. I would think this would only change very rarely to be honest.
"The problem is we recently got assigned a new IP block by the ISP"
How often does that happen?? When it does you reboot the AP; you should be able to redo that remotely very simply since they are PoE and you can just remove the PoE power from them if done via a switch and not an injector. If not, just have local hands power cycle them..
As to your firewall changes - yeah that is something you would have to do.. But that could be setup to use a fqdn that refreshes depending on the firewall being used..
-
Thanks for your input & questions. The unifi stuff will not accept an FQDN. Only an IP (sucks), which is how this whole conversation started.
True our IPs in the DC don't usually change but we expanded to a new set of cabinets and at the same time there was a circuit change so yeah we got a new block. Hopefully it will not happen again but you never know. And updating stuff manually on 50-100 devices really puts a dent in your day.
-
Curious why would your IP change in a DC?? At a loss to understand how that would happen on any sort of schedule.. I would think this would only change very rarely to be honest.
Believe me, strange things just happen. Two offices with fixed IP addresses suddenly started to change their IP every week. The ISP was contacted and is trying to solve the problem, but the problem is still happening, despite my fixed IP contract.
I don't know who to blame, but instead of blaming the poor service that is offered to me, I acted and now my company's infrastructure is mostly dynamic.
When they solve the problem, I'll have nothing to do and everything will just work. If the same problem happens again, nobody will notice.