Page 2 of 3 (results 11 to 20 of 30)

Thread: DNS Setup

  1. #11
Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606


    Quote Originally Posted by sky-knight View Post
    There are two competing schools of thought on that one... and as usual I fall back to a hybrid approach because it lets you shift from one extreme to the other as needs demand without having to do a complete rework.

    So let's say for example you own example.domain.

    I used to use example.local for my internal stuff, and example.domain for my public stuff. I still have a BUCKET of this in the wild, because you don't just change this crap after the fact...

    BUT because you can no longer get real certificates for example.local, or anything like it... it's better now to use a subdomain of the parent domain for internal stuff. Something like lan.example.domain or local.example.domain.

    Now you configure a DNS server to handle that new zone internally, and you can choose to put the records in the public domain to aim at them... or not. But because those records can be made to resolve publicly easily while using split DNS or only from trusted locations you can easily get certificates for that sub-domain from any source, including let's encrypt.

    If you're working with AD this solution opens the door for a fully integrated Federated domain, which users can log into from anywhere, regardless of connectivity. You simply cannot do that with a fully private domain.

    The point is if you use a sub domain you can operate as a complete split DNS if you want, a fully merged DNS if you want, or any hybrid of the two... without killing yourself. It's just a function of controlling which DNS service has what records.
    Yes, I had not thought of the fact that certificates would change the rules of this game completely. And it doesn't need to be an enterprise-level network to require that.

    And I am fortunate that my IoT stuff doesn't really need ActiveDirectory! 'cause neither does my brain.
    Last edited by Jim.Alles; 08-09-2020 at 09:00 AM.

  2. #12
Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606


    Quote Originally Posted by sky-knight View Post
    Jim, your problem is entirely different.
This is a true statement.

    If you want a DNS name that doesn't actually exist in the world to wildcard resolve based on your own configuration, just stuff this into config -> networking -> advanced -> DHCP & DNS

    Code:
    address=/wildcardtest.com/100.100.100.100
    Obviously you'll want to change the domain and address you want it to resolve. I just shoved that line into my Untangle and foo.wildcardtest.com happily resolved to 100.100.100.100.
    of course it did.
    And this is also the answer to the O.P.'s quest.
    Code:
    address=/myhouse.duckdns.org/192.168.192.1
    (An internal address of NGFW).
    tested and approved.

  3. #13
    Untangler
    Join Date
    Jan 2011
    Posts
    76


    Wow, that's a lot of replies, thanks !

    I'll explain more about why I want to do this....

So, within my network I have an internet-accessible service for home automation, say on 192.168.1.30. There is a port forward rule forwarding traffic from port 8100 onto the host at 192.168.1.30.

    I want to use the same URL to access this resource when connected to my private network, or when I'm roaming out in public.

This is simple, I just access myhouse.duckdns.org:8100. This works because this hostname resolves to the public IP of my NGFW WAN port, so when I'm actually on my own network, or on a public network, the requests still hit the port forwarding rules and get sent to the right place.

    The problem is setting the local DNSMASQ directive:
    local=/myhouse.duckdns.org/
    stops this base name from being resolved, when what I actually want to do is prevent any host lookups for *.myhouse.duckdns.org that are not present in my local DNS config from being forwarded to upstream servers.

    So, I hear you say, why not have static internal entry for my public hostname that points to my internal NGFW gateway just as the previous poster suggested. Well, this would work but for the fact that I use my NGFW DNS server when I'm out in the wild.

I do this by having a secure DNS server set up in my network that responds to requests over DoT on port 853, and I use the 'Private DNS' setting on Android to point to myhouse.duckdns.org:853. This DNS server then uses the NGFW DNS server as its upstream service to resolve unqualified host lookups and those to myhouse.duckdns.org, so I need this base domain to resolve to my public IP, otherwise I can't access other services I've set up, like my home automation system.

    If I don't set the DNSMASQ 'local' directive, then this works perfectly well.

    The reason I WANT to set the local directive is that many systems eg. Google Chrome send DNS requests to random local hosts in order to test for DNS hijacking. If the local directive is not set, then all such requests will resolve to my public IP which could look like hijacking.

Convoluted I know, but the original question still stands, and why doesn't the interface directive work as I think it should, or is it likely the WAN interface is not coming up fast enough and the directive runs before eth1 gets its public IP ?
    Last edited by tescophil; 08-09-2020 at 03:33 PM.

  4. #14
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,487


    Oh goodness, no wonder you're confused! You're simply barking up the wrong tree!

    All you need to do is forward TCP 8100 to your automation properly. The DNS name used to get to an address on Untangle is irrelevant at this point. It's just a port forward. Duck DNS will then resolve whatevertheheckyouwant.myhouse.duckdns.org, which you configure the service to use and everything just works.

    So forget all this DNS junk, you've already got that pointed at the public address on Untangle right? So post a screen grab of your forward rule, that's what's screwed up.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #15
    Untangler
    Join Date
    Jan 2011
    Posts
    76


    Hi Rob,

So, everything does work perfectly when I do not set the local option in the Advanced DNS config on NGFW. I can access everything as I want to, when on my private or a public network. My port forwarding setup is not the issue here.

My problem is that I want to stop the NGFW DNS server resolving host names on my local domain (myhouse.duckdns.org) that do not exist, i.e. have a specific static entry under DNS Server settings. E.g. if I'm on my local network and ping a host name 'foo' I get a ping response from my public IP. This is because the search domain is automatically appended to unqualified DNS lookups, so the NGFW sees a request to foo.myhouse.duckdns.org. Since there is no static entry for 'foo' in my DNS setup the server then forwards this request upstream where it then correctly resolves to my public IP.

    So, the behaviour I want to see is that when I ping 'foo' it just returns 'No address associated with this hostname'

This CAN be achieved by setting the DNSMASQ directive 'local=/myhouse.duckdns.org/' which stops any hostname that cannot be resolved locally, e.g. foo.myhouse.duckdns.org, from being forwarded to upstream servers. However, this also causes a lookup for myhouse.duckdns.org to return 'No address associated with this hostname', because I can't have a static entry for myhouse.duckdns.org in my settings because my public IP associated with this name is dynamic.

    So, same question again..., how to configure the NGFW DNS server to return my dynamic public IP for my chosen domain name of myhouse.duckdns.org AND not forward unknown local hostnames like foo.myhouse.duckdns.org to upstream servers.

I still think the solution to this should be:

    interface-name=myhouse.duckdns.org,eth1

    Where eth1 is my NGFW WAN port and has my public IP associated with it. The man page for this says if the interface is not up when the directive executes, no record will be created, which is what I think is happening. Can anyone confirm that this is what this directive is supposed to do ?
    Last edited by tescophil; 08-10-2020 at 02:42 AM.

  6. #16
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,487


    I've already provided the solution for that, and again it's rather silly to even attempt. Publicly any name resolves back to your IP. So even if you change this behavior internally, the rest of the world remains undaunted.

    If DuckDNS doesn't give you the ability to disable wildcard, you cannot stop this from happening. So My question is, what are you trying to accomplish?

    By the way, you CAN have a static entry for your specific domain name, just use the Internal IP address. There's no reason to subject interior devices to hairpin NAT when they can simply connect directly. Reserve the internal address if the device running the service is dynamic, or set it static, and set that name to resolve internally, to an internal address.

  7. #17
    Untangler
    Join Date
    Jan 2011
    Posts
    76


    Hi Rob, whilst I appreciate your reply, my question is still not answered..., I'll have another go...

I CANNOT have a static entry for my hostname myhouse.duckdns.org in my config pointing to my internal IP address. As I've already said, I use my NGFW DNS Server in conjunction with a secure DNS server on my local network to provide a secure (filtered) DNS service to my phone when I'm out in the wild.

I access this by setting the 'Private DNS' setting on my Android phone to myhouse.duckdns.org. So, say I'm on the mobile network away from my house, the phone wishes to make a DNS request, it first looks up the IP for myhouse.duckdns.org using whatever DNS resolver the phone company uses, and this returns my public IP. A DoT request is then sent to myhouse.duckdns.org:853 which then hits my NGFW port forwarding rules and gets sent to my private DNS server on my network at 192.168.1.20:853. This server then attempts to resolve the DNS name within the query. If this is bbc.co.uk, then no problem. However, if the DNS name contained in the query is myhouse.duckdns.org, which it will be if, for example, I'm attempting to connect to my home automation server located at https://myhouse.duckdns.org:8100, then this query will be forwarded upstream to my NGFW DNS server. This happens because I have a rule in the primary DNS server which looks like this [//myhouse.duckdns.org/]192.168.1.1 which directs the server to send unqualified lookups, and those to myhouse.duckdns.org domains, to 192.168.1.1, i.e. the NGFW internal DNS server/gateway. This is because this secure DNS server handles the DNS for my entire network, so I need it set up like this to resolve local hostnames.

    With me so far ?

    So, a query reaches the NGFW DNS server for myhouse.duckdns.org. If, as you suggest, this were to return the internal IP of my gateway, then this would return 192.168.1.1 to my phone on the internet.., FAIL.., this needs to return my Public IP, which it does (HURRAY) when I DO NOT set the local DNSMASQ directive.

So, to reiterate, I am neither confused nor silly, I'm just asking a question on the configuration of DNSMASQ. My configuration works perfectly, I just want to make one additional change: stop DNS requests for hosts *.myhouse.duckdns.org that are not contained in my local DNS config from being resolved by upstream servers, without also blocking the external (or otherwise) resolution of the base domain (I think that's the 4th time I've asked the same question).

    If you don't know the answer, or cannot understand my config, then I can try and explain it again, but don't put me down just because you don't know the answer, or don't understand the question.
    Last edited by tescophil; 08-10-2020 at 07:44 AM.
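As an added illustration (not code from this thread, from Untangle or from dnsmasq itself), a small Python model of the suffix-matching rule dnsmasq documents for address=, local= and server= lines, run over the two configurations debated in posts #12 and #15/#17: the wildcard address= override and the local= directive. The static host entry and all scenario values are constructed; the model only shows how a query name is classified, it does not speak to interface-name= timing.

```python
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]  # (domain, kind, target); kind is address|local|server


class DnsmasqSim:
    """Offline model of how dnsmasq chooses a rule for a query name.

    A name matches a rule domain when it equals the domain or ends in
    "." + domain; the longest matching domain wins; "#" matches any name;
    an empty domain (local=//) matches only plain names with no dots.
    Static host entries (/etc/hosts, NGFW "DNS Server" entries) override rules.
    """

    def __init__(self, config_lines: List[str],
                 static_hosts: Optional[Dict[str, str]] = None) -> None:
        self.rules: List[Rule] = []
        self.upstream: List[str] = []
        self.domain_needed = False
        self.hosts = {k.lower(): v for k, v in (static_hosts or {}).items()}
        for raw in config_lines:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # a leading '#' starts a comment in dnsmasq.conf
            if line == "domain-needed":
                self.domain_needed = True
                continue
            key, _, value = line.partition("=")
            if key not in ("address", "local", "server"):
                continue  # other options do not affect name matching here
            if not value.startswith("/"):
                self.upstream.append(value)  # plain server=IP is a default upstream
                continue
            *domains, target = value.split("/")[1:]  # "/d1/d2/target" form
            kind = "address" if key == "address" else ("local" if target == "" else "server")
            self.rules.extend((d.lower(), kind, target) for d in domains)

    @staticmethod
    def _matches(domain: str, name: str) -> bool:
        if domain == "#":
            return True
        if domain == "":
            return "." not in name
        return name == domain or name.endswith("." + domain)

    def resolve(self, qname: str) -> Tuple[str, Optional[str]]:
        """Return (verdict, detail): static, address, nxdomain or forward."""
        name = qname.rstrip(".").lower()
        if name in self.hosts:
            return ("static", self.hosts[name])
        if self.domain_needed and "." not in name:
            return ("nxdomain", None)  # plain names are never forwarded
        best: Optional[Rule] = None
        for rule in self.rules:  # "#" is the least specific, then shortest domain
            prio = -1 if rule[0] == "#" else len(rule[0])
            if self._matches(rule[0], name) and (best is None or prio > (-1 if best[0] == "#" else len(best[0]))):
                best = rule
        if best is None:
            return ("forward", ",".join(self.upstream) or None)
        _, kind, target = best
        if kind == "address":
            return ("address", target)  # wildcard answer for the whole domain
        if kind == "local":
            return ("nxdomain", None)  # local data only; not in hosts, so no answer
        return ("forward", target)


def classify(config: List[str], names: List[str],
             static_hosts: Optional[Dict[str, str]] = None) -> Dict[str, Tuple[str, Optional[str]]]:
    sim = DnsmasqSim(config, static_hosts)
    return {n: sim.resolve(n) for n in names}


# Constructed scenarios taken from the thread, not the poster's real config.
NAMES = ["myhouse.duckdns.org", "foo.myhouse.duckdns.org", "ha.myhouse.duckdns.org", "bbc.co.uk"]
STATIC = {"ha.myhouse.duckdns.org": "192.168.1.30"}  # one static "DNS Server" entry
WILDCARD_OVERRIDE = ["address=/myhouse.duckdns.org/192.168.192.1", "server=1.1.1.1"]
LOCAL_ONLY = ["local=/myhouse.duckdns.org/", "server=1.1.1.1"]

if __name__ == "__main__":
    for label, cfg in (("address=", WILDCARD_OVERRIDE), ("local=", LOCAL_ONLY)):
        print(label, classify(cfg, NAMES, STATIC))
```

The output makes the dilemma concrete: address= answers both the base name and every subdomain with the internal address, while local= stops the forwarding of unknown subdomains but also leaves the base name unanswered.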

  8. #18
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,487


    I understand that you've made your life more difficult by using PiHole. That's not the issue here.

    The issue is a confluence of events, Untangle cannot be authoritative for a domain it doesn't own. No DNS server can, much less limited ones based on DNSMasq. And even if you hack it up until it thinks it is, your devices and every other device on the planet will defer to DuckDNS. Which means, those wildcard names all work.

    Given your configuration, I no longer feel this is even possible to accomplish. So I'm back to wondering why you care so much about wildcard resolution. If you care that much about that, then you should simply not use DuckDNS, there are other providers.

    From what I can see, if you simply have your forwards working publicly, it works regardless of DNS name used. That's rather the point of wildcard DNS.

    But the crux of the issue, is the simple fact that there is no DNS implementation I'm aware of that can pull an IP address off a NIC, and use that in its records. They must be statically defined. Which means you're stuck manually updating that A record with your real public address every time it changes.

    Or... perhaps redirecting that lookup with a CNAME against a dynamic DNS record of some sort. But again I'm not sure how to do that with DNSMasq either. The CNAME directive doesn't do this according to the docs.
    Last edited by sky-knight; 08-10-2020 at 08:48 AM.

  9. #19
Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606


    Quote Originally Posted by tescophil View Post
    Where eth1 is my NGFW WAN port and has my public IP associated with it. The man page for this says if the interface is not up when the directive executes, no record will be created, which is what I think is happening. Can anyone confirm that this is what this directive is supposed to do ?
    For questions like this, you are going to need to talk to the dnsmasq folks. There is a mailing list for that.
    http://lists.thekelleys.org.uk/mailm...nsmasq-discuss

    You might search the archives, as well.
    http://lists.thekelleys.org.uk/piper...smasq-discuss/

    You will need to understand what is going on in your logs at /var/log/syslog


    I have some other things you might find useful in my custom options.
    Code:
    # don't look at WAN
    # By default dnsmasq offers DNS service on all the configured interfaces of a host. It's likely that you don't (for instance) want to offer a DNS service to 
    # the world via an interface connected to ADSL or cable-modem so dnsmasq allows you to specify which interfaces it will listen on.
# * NGFW normally blocks this through its [Access Rules].
    # * This is WAN for rail.road
    except-interface=eth0
    
    # Reject (and log) addresses from upstream nameservers which are in the private ranges. 
    # This blocks an attack where a browser behind a firewall is used to probe machines on the local network. 
    stop-dns-rebind
    
    # Set the size of dnsmasq's cache for DNS. The default is 150 names. Setting the cache size to zero disables caching. Note: huge cache size impacts performance.
    # * big enough to be useful
    cache-size=3000
    
    # Tells dnsmasq to never forward A or AAAA queries for plain names, without dots or domain parts, to upstream nameservers. 
    # If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned.
    #
    # blocks incomplete external requests
    domain-needed
    
    # Bogus private reverse lookups. 
    # All reverse lookups for private IP ranges (ie 192.168.x.x, etc) which are not found in /etc/hosts or the DHCP leases file are answered with "no such domain" rather than 
    # being forwarded upstream. The set of prefixes affected is the list given in RFC6303, for IPv4 and IPv6.
    # 
    # Never forward addresses in the non-routed address spaces
    # blocks reverse look-ups for private address forwarding
    bogus-priv
    
    # private queries are only answered locally
    # Sometimes people have local domains which they do not want forwarded to upstream servers. This is accommodated by using server options without the server IP address. 
    # To make things clearer local is a synonym for server. For example the option local=/localnet/ ensures that any domain name query which ends in .localnet will be answered if 
    # possible from /etc/hosts or DHCP, but never sent to an upstream server.
    local=/road/
    
    # reverse lookup
    # Dnsmasq acts as an authoritative server for in-addr.arpa and ip6.arpa domains associated with the subnets given in --auth-zone declarations, so reverse (address to name) lookups can 
    # be simply configured with a suitable NS record
    local=/148.168.192.in-addr.arpa/
    local=/202.168.192.in-addr.arpa/
    local=/203.168.192.in-addr.arpa/
    local=/204.168.192.in-addr.arpa/
    
    # Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder. Defaults to 4096, which is the RFC5625-recommended size.
    # The values 1232 and 1432 are chosen to allow for an IPv4/IPv6 encapsulated UDP message to be sent without fragmentation at the minimum MTU sizes for Ethernet and IPv6 networks.
    # This is to reduce the amount of TCP fallback.
    # 1220 is the minimum in RFC4035.
    # * JA clamped because? (was 1023)
    edns-packet-max=1232
    
    # Specify an IP address to return for any host in the given domains. Queries in the domains are never forwarded and always replied to with the specified IP address which may be IPv4 or IPv6. 
    # To give both IPv4 and IPv6 addresses for a domain, use repeated --address flags. To include multiple IP addresses for a single query, use --addn-hosts=<path> instead. 
    # Note that /etc/hosts and DHCP leases override this for individual names. A common use of this is to redirect the entire doubleclick.net domain to some friendly local web server to avoid banner ads. 
    # The domain specification works in the same was as for --server, with the additional facility that /#/ matches any domain. 
    # Add domains which you want to force to an IP address here.
    # * DNS over HTTPS:
    address=/doh.opendns.com/146.112.41.2
    
    # * Force Google SafeSearch
    address=/www.google.com/216.239.38.120
    address=/www.google.co.uk/216.239.38.120
    address=/www.google.ca/216.239.38.120
    address=/www.google.fr/216.239.38.120
    address=/www.google.it/216.239.38.120
    address=/www.google.es/216.239.38.120
    address=/www.google.nl/216.239.38.120
    address=/www.google.rs/216.239.38.120
    address=/www.google.ru/216.239.38.120
    
    # The filterwin2k option makes dnsmasq ignore certain DNS requests which are made by Windows boxen every few minutes. The requests generally don't get sensible answers in the global 
    # DNS and cause trouble by triggering dial-on-demand internet links.
    # The requests blocked are for records of types SOA and SRV, and type ANY where the requested name has underscores, to catch LDAP requests. 
    # Note that (amongst other things) this blocks all SRV requests, so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
    # This option only affects forwarding, SRV records originating for dnsmasq (via srv-host= lines) are not suppressed by it.
    # filterwin2k
    
    # Read the Linux connection track mark associated with incoming DNS queries and set the same mark value on upstream traffic used to answer those queries. 
    # This allows traffic generated by dnsmasq to be associated with the queries which cause it, useful for bandwidth accounting and firewalling. 
    # Dnsmasq must have conntrack support compiled in and the kernel must have conntrack support included and configured.
    # conntrack
    
    # Log lots of extra information about DHCP transactions.
    # log-dhcp
    
    # The log-queries option tells dnsmasq to verbosely log the queries it is handling (and causes SIGUSR1 to trigger a complete dump of the contents of the cache to the syslog).
    # log-queries
    
    # Validate DNS replies and cache DNSSEC data. When forwarding DNS queries, dnsmasq requests the DNSSEC records needed to validate the replies. 
    # The replies are validated and the result returned as the Authenticated Data bit in the DNS packet. In addition the DNSSEC records are stored in the cache, 
    # making validation by clients more efficient. Note that validation by clients is the most secure DNSSEC mode, but for clients unable to do validation, 
    # use of the AD bit set by dnsmasq is useful, provided that the network between the dnsmasq server and the client is trusted. 
    # Dnsmasq must be compiled with HAVE_DNSSEC enabled, and DNSSEC trust anchors provided, see --trust-anchor. 
    # Because the DNSSEC validation process uses the cache, it is not permitted to reduce the cache size below the default when DNSSEC is enabled. 
    # The nameservers upstream of dnsmasq must be DNSSEC-capable, ie capable of returning DNSSEC records with data. If they are not, 
    # then dnsmasq will not be able to determine the trusted status of answers and this means that DNS service will be entirely broken.
    #
    # * Using DNSSEC at OpenDNS servers
    conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
    dnssec
    
    # server=1.1.1.1#5053
    Disclaimer:
    Use of these options is not supported by Untangle. Use at your own risk.
    This configuration was developed for my purposes, on my system, based on my experience and opinions.
    It is provided for informational and educational purposes only. It is not advice on what you should do.
    Certain options, if copied directly, are likely to stop DNS/DHCP from working on your local network.
    It is provided to spur research into the use of these options for your own purposes. Understand them before you implement any of it.


    Most of the comment text was copied from the man pages at: http://www.thekelleys.org.uk/dnsmasq...smasq-man.html

    There is more valuable documentation at: http://www.thekelleys.org.uk/dnsmasq...q.conf.example

  10. #20
Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606


    Quote Originally Posted by tescophil View Post
    I CANNOT have a static entry my hostname myhouse.duckdns.org in my config pointing to my internal IP address. As I've already said, I use my NGFW DNS Server in conjunction with a secure DNS server on my local network to provide a secure (filtered) DNS service to my phone when I'm out in the wild.
    I have proven Rob wrong before. That is up to you.
    In this case, I am not inclined to. He seems to be trying to provide good, reasoned advice based on his experience.

    In my opinion, DuckDNS's wildcard thing is kind of a hack in the first place. I don't think I have ever run across that behavior before, FWIW.

    For my purposes, on my system, I accomplish far more with a lot less grief by using OpenVPN on NGFW as a server.
By connecting to your own network, not only do you gain access to your filtered DNS, but you secure ALL of your traffic back to a known source, take advantage of ALL of NGFW's UTM capabilities, and have access to all of your devices in your local network. (All without opening anything up with a port-forward that can be scanned from the InterWebs).

    As far as OpenVPN configuration options go, select [push DNS] and [full tunnel].

    YMMV
    Last edited by Jim.Alles; 08-10-2020 at 09:47 AM.
