Using pfSense DNS resolver to create a "pool" of names?



  • I'm trying to create a local DNS entry that is made up of a "pool" of external A records.

    Let's say a.foo.com, b.foo.com, c.foo.com are all valid public A records. I would like to create a DNS entry on my pfSense box so that anyone using my pfSense's DNS resolver (all my local DHCP clients) can resolve pool.foo.com. I want it to resolve to the super-set of a|b|c.foo.com. I really don't care if the pfSense DNS resolver does a round robin between a, b, & c or joins the IPs all together. What I want to achieve is that if a client of the pfSense DNS server (all of the DHCP clients on my local subnets) tries to resolve pool.foo.com, the end result over time is that it will resolve to all of the IPs that make up a|b|c.foo.com.

    Any ideas?


  • LAYER 8 Global Moderator

    and does a.foo.com resolve on the public internet?

    If not sure create entries for a.foo.com in the override, then one for b.foo.com and c.foo.com and they will be returned roundrobin.

    you can also do a redirect for foo.com so that anything.foo.com resolves to an IP or a list of IPs.



  • @johnpoz:

    and does a.foo.com resolve on the public internet?

    If not sure create entries for a.foo.com in the override, then one for b.foo.com and c.foo.com and they will be returned roundrobin.

    you can also do a redirect for foo.com so that anything.foo.com resolves to an IP or a list of IPs.

    Yes, let's say this resolves on the public internet. I don't control the records for foo.com. The owner cycles through IP addresses, it's not a static set, but at any given time, 2-5 IPs will be returned.
    a.foo.com -> 11.1.1.1, 11.2.2.2
    b.foo.com -> 12.1.1.1, 12.2.2.2
    c.foo.com -> 13.1.1.1, 13.2.2.2

    What I would like to do on my local pfSense is create an alias called pool.foo.com and have my local clients that use this pool.foo.com get DNS results that include the whole set on average. I don't actually care if any given DNS query returns just a.foo.com or the IPs in a.foo.com, or whatever, I just want over the long term of many resolutions of pool.foo.com to resolve to the union of the IPs in a|b|c.foo.com.

    This pool.foo.com would only be local to my DHCP clients that use my pfSense box as their DNS.


  • LAYER 8 Global Moderator

    so do you know all the IPs that get returned from a.foo.com and b.foo.com ?  that you could put them in this pool record?  Since unbound is not authoritative it does not resolve cnames for you.  You can create a cname record, but it would have to be specifically queried for cname, etc..

    but you can create a pool.foo.com override with multiple ips, and then whatever IPs you put in would get returned.

    I don't believe the gui will let you do this, but you can put in the options box

    see example…

    
    C:\>dig @192.168.9.253 pool.foo.com
    
    ; <<>> DiG 9.10.3 <<>> @192.168.9.253 pool.foo.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28104
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pool.foo.com.                  IN      A
    
    ;; ANSWER SECTION:
    pool.foo.com.           3600    IN      A       1.1.1.1
    pool.foo.com.           3600    IN      A       1.1.1.2
    pool.foo.com.           3600    IN      A       1.1.1.3
    
    ;; Query time: 64 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Mon May 09 10:31:36 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 89
    
    C:\>dig @192.168.9.253 adfsdf.pool.foo.com
    
    ; <<>> DiG 9.10.3 <<>> @192.168.9.253 adfsdf.pool.foo.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15422
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;adfsdf.pool.foo.com.           IN      A
    
    ;; ANSWER SECTION:
    adfsdf.pool.foo.com.    600     IN      A       23.21.179.138
    adfsdf.pool.foo.com.    600     IN      A       23.21.224.150
    
    ;; AUTHORITY SECTION:
    foo.com.                600     IN      NS      ns2.digimedia.com.
    foo.com.                600     IN      NS      ns1.digimedia.com.
    
    ;; Query time: 249 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Mon May 09 10:31:43 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 126
    
    C:\>
    
    

    now if you wanted you could use redirect vs transparent.. Then anything.pool.foo.com would also return these IPs….  If you use transparent, if you look up something other than pool you would get back what the public net says about that record..  Above is an example of a transparent zone..

    If you want round robin type responses where the order changes.. then add
    rrset-roundrobin: yes

    Under the server: line in the custom box.  Then you get back like below

    
    C:\>dig @192.168.9.253 pool.foo.com +short
    1.1.1.3
    1.1.1.1
    1.1.1.2
    
    C:\>dig @192.168.9.253 pool.foo.com +short
    1.1.1.1
    1.1.1.2
    1.1.1.3
    
    C:\>dig @192.168.9.253 pool.foo.com +short
    1.1.1.2
    1.1.1.3
    1.1.1.1
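
    The custom-options block described above, written out as an added example (this is not text from the thread, and the IPs 1.1.1.1 to 1.1.1.3 are the placeholder values from the dig output). Directive names and syntax are unbound's own; in pfSense this goes in the Custom Options box of the DNS Resolver, which already sits under the server: clause.

```conf
server:
    # Rotate the order of the A records on each answer
    # (otherwise unbound returns them in a fixed order).
    rrset-roundrobin: yes

    # transparent: only pool.foo.com itself is answered from this
    # configuration; any other name under it (e.g. adfsdf.pool.foo.com)
    # is still resolved on the public internet, as the second dig
    # output above shows.
    local-zone: "pool.foo.com." transparent
    local-data: "pool.foo.com. 3600 IN A 1.1.1.1"
    local-data: "pool.foo.com. 3600 IN A 1.1.1.2"
    local-data: "pool.foo.com. 3600 IN A 1.1.1.3"

    # Alternative: with redirect, every name under pool.foo.com
    # (anything.pool.foo.com) gets the same three IPs instead of the
    # public answer.
    # local-zone: "pool.foo.com." redirect
```

    Two things worth checking after saving: the answer flags in the first dig output carry `aa`, which is how you can tell the records came from local-data and not from the public zone, and local-data answers are served as configured, so they are never DNSSEC-validated and the IP list does not change until someone edits it. That static behaviour is exactly why this override does not track a third party's changing records, which the later replies in the thread get to.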
    
    




  • @johnpoz:

    so do you know all the IPs that get returned from a.foo.com and b.foo.com ?  that you could put them in this pool record?  Since unbound is not authoritative it does not resolve cnames for you.  You can create a cname record, but it would have to be specifically queried for cname, etc..

    Hmm, I don't and I didn't want this to be static so it could deal with old/new IPs over time as the owner of the domain changes them. But given what you said about CNAME, I think I'm stuck.

    What I'm trying to do is have the OpenVPN client pick a new IP every time it starts up. The VPN service I'm using has names per location (london.vpn4u.com, chicago.vpn4u.com, etc) which resolve to a set of IPs that change as the servers get busier or get taken offline.

    I am trying to pick 3-4 locations and have my local pfSense box or its DHCP clients sorta randomly pick an IP from one of these locations every time the vpn client starts up.


  • LAYER 8 Global Moderator

    why don't you just create a cname on the public side that resolves to all your host names??

    Not sure why you want/think you need to do this in pfsense resolver???



  • @johnpoz:

    why don't you just create a cname on the public side that resolves to all your host names??

    Not sure why you want/think you need to do this in pfsense resolver???

    I don't follow what you mean by "cname on the public side".  I don't control the SOA record for the domain I'm trying to do this with.  I think I need to do this in the pfSense resolver because that's the thing I do have control over and I can force all the pfSense DHCP clients to use the pfSense resolver as their DNS server.

    It sounds like I'm using the wrong tool for the job. Is there a host file or some other override I can use to map a made up name "vpnpool.lan" to a set of someone else's publicly available hostnames?


  • LAYER 8 Global Moderator

    unbound is not an authoritative server, you can not point a name you create to another name, ie cname, and expect it to resolve correctly.

    If you want to do that you need an authoritative name server.  Create a public domain you want to use, then create a cname record and point it to whatever other names you want it to resolve to.

    I agree you're using the wrong tool.. No a host file doesn't work that way either..



  • @johnpoz:

    Create a public domain you want to use, then create a cname record and point it to whatever other names you want it to resolve to.

    I agree you're using the wrong tool.. No a host file doesn't work that way either..

    Oh man. I hate being dense. I've done this before (CNAME in my own domain to another hostname), I'm embarrassed I didn't think of it. Thanks for spoon-feeding me the answer, I'll just skulk away now  :'(

