
Thread: DNS Setup

  1. #1
    Untangler
    Join Date
    Jan 2011
    Posts
    76

    Default DNS Setup

    I have what on the face of it looks like a simple issue, but so far I have not found a solution..

    I have Untangle setup with a dynamic DNS domain myhouse.duckdns.org
    Untangle runs DHCP and DNS
    I have DNS entries for all devices on my network.

    So.., for example, if I do a DNS lookup of nas, this will return the local IP of my nas box eg. 192.168.1.10
    I can also look this up including the local domain eg. nas.myhouse.duckdns.org will also return 192.168.1.10

    The issue I have is that when a lookup is performed for a local host that does not exist, the public IP of my network is returned.
    eg. foo.myhouse.duckdns.org returns my public IP, I would instead like this to return NXDOMAIN/No Answer

    I found the 'local' directive in dnsmasq, so in the Config -> Network -> Advanced -> DNS & DHCP set l
    Code:
    local=/myhouse.duckdns.org/
    This does work, directing the DNS server not to forward DNS requests to upstream servers that it cannot resolve locally for myhouse.duckdns.org.

    However, there is one problem with this: the base DNS name of myhouse.duckdns.org will no longer resolve to my public IP (and I need this to work)

    I found another DNSMASQ directive which sounds like it does what I need:

    --interface-name=<name>,<interface>[/4|/6]
    Return DNS records associating the name with the address(es) of the given interface. This flag specifies an A or AAAA record for the given name in the same way as an /etc/hosts line, except that the address is not constant, but taken from the given interface. The interface may be followed by "/4" or "/6" to specify that only IPv4 or IPv6 addresses of the interface should be used. If the interface is down, not configured or non-existent, an empty record is returned. The matching PTR record is also created, mapping the interface address to the name. More than one name may be associated with an interface address by repeating the flag; in that case the first instance is used for the reverse address-to-name mapping. Note that a name used in --interface-name may not appear in /etc/hosts.


    So I tried this in the config
    Code:
    interface-name=myhouse.duckdns.org,eth1
    Where eth1 is the WAN interface on my untangle box showing my public IP as its current address
    But, this didn't have any effect, and a DNS query to myhouse.duckdns.org returns 'No Response'

    So, any DNSMASQ masters out there have a solution ?

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,485

    Default

    It's not a bug, it's a feature.

    Some rather quick Googling reveals that DuckDNS does Wildcard forwarding. So if you're using that service for DNS resolution on Untangle, it's going to happily forward everything from your named domain as the listed address.

    You might be able to disable it... you'll have to dig into your web admin panel and take a peek.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler
    Join Date
    Jan 2011
    Posts
    76

    Default

    Hi, yes, I know it's not a bug, and you cannot turn off wildcard forwarding for duckdns domains, so the question remains.., is there any config setting for DNSMASQ that would allow the domain name myhouse.duckdns.org to be resolved by an upstream server, and *.myhouse.duckdns.org to be resolved locally ?

    The problem being there seems to be no way to separate the specific myhouse.duckdns.org domain name with *.myhouse.duckdns.org

    And, is my interpretation of the interface directive incorrect ? I thought that this would direct DNSMASQ to take the A record for myhouse.duckdns.org from the eth1 (which is set to the correct ip) ?
    Last edited by tescophil; 08-09-2020 at 02:10 AM.

  4. #4
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Default

    disclaimer: I haven't had any coffee yet.

    However, there is one problem with this: the base DNS name of myhouse.duckdns.org will no longer resolve to my public IP (and I need this to work)
    testing from where?
    EDIT: and is 'myhouse' a pseudonym?

    and I am tempted to ask you to try to put a FQDN in --interface-name=<name> but I haven't tried it and don't even know if it makes sense.
    Last edited by Jim.Alles; 08-09-2020 at 06:08 AM.

  5. #5
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Default

    So don't mind me, I talk to myself once in a while to work things out.

    As Rob said, it is a feature from the outside. duckdns doesn't care or know what you have inside your network, so anything goes to that IP address. And that doesn't matter, because of the NAT gatekeeper, which is NGFW in our case.

    In order to get to those hosts, NGFW needs to do some specific port forwards, in order to poke through NAT, and put it on the proper server.
    From the outside, those internal host destinations are uniquely identified by port number, not IP address or hostname.

    So my logic is that dnsmasq needs to know about each of those specific hostnames (FQDN) even though they have the same IP address on external.

    NGFW should do the hairpin port forward?

    That may be gibberish, but I need to figure this out too.
    I recently got a dynamic DNS from Google domains, but it doesn't do the wildcard forwarding.
    Last edited by Jim.Alles; 08-09-2020 at 08:24 AM.

  6. #6
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,485

    Default

    Well... given that duckdns.org doesn't belong to you... all lookups that Untangle doesn't explicitly have defined in its DNS tab are going to the world to be resolved, and resolved... they will be.

    So the only thing you can do is take that entire domain and shove it into a busted DNS resolution path.

    Config -> Networking -> DNS Server

    See that domain section on the right? Make an entry for myhouse.duckdns.org and aim it at an IP address that goes nowhere. You cannot use 127.0.0.1, because that'll just route it back to itself for bad things to happen. This address doesn't go to clients, you're configuring DNS masq to use that address and only that address for resolution of the entire defined domain. Then you need to make sure you have entries on the left in the Static DNS Entries list for the stuff you want to work aimed at the correct IP addresses.

    But here's the rub... all you've done is configure your Untangle's DNS resolution path to not resolve against public DNS. Literally every other public DNS lookup against the domain in question is going to work normally. So you've effectively changed nothing. If DuckDNS doesn't provide the means to turn off this feature, your only resolution is to stop using DuckDNS.
    Last edited by sky-knight; 08-09-2020 at 07:31 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,485

    Default

    Jim, your problem is entirely different. If you want a DNS name that doesn't actually exist in the world to wildcard resolve based on your own configuration, just stuff this into config -> networking -> advanced -> DHCP & DNS

    Code:
    address=/wildcardtest.com/100.100.100.100
    Obviously you'll want to change the domain and address you want it to resolve. I just shoved that line into my Untangle and foo.wildcardtest.com happily resolved to 100.100.100.100.

    But... that doesn't really matter for what you're doing as far as I can tell because port forwarding has NOTHING to do with DNS resolution. One port on one IP address can be used exactly ONCE. You can however make static entries for different domain names that terminate on whatever you want, say an alias on Internal so you can port forward from THERE if you want. But it'd probably just be easier to aim them at the service they're needed for directly.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
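    The following is an added example, not code from this thread, from Untangle or from dnsmasq. It models the documented matching rules behind the directives discussed in posts #1 and #7 (explicit host records answer first; otherwise the longest matching domain from address=/.../ or local=/.../ decides, and local= matches the base domain as well as every subdomain; anything unmatched is forwarded upstream), so each configuration from the thread can be checked offline. The public IP 203.0.113.5, the upstream's wildcard behaviour and the config text are constructed; host-record= stands in for Untangle's static DNS entries, and interface-name= is not modelled.

```python
"""Model of dnsmasq's local=/address=/host-record matching (added example)."""

PUBLIC_IP = "203.0.113.5"  # constructed stand-in for the OP's public address


def upstream_lookup(qname):
    """Constructed stand-in for the public resolver: DuckDNS answers the
    registered name and every label under it with the public IP (wildcard)."""
    if qname == "myhouse.duckdns.org" or qname.endswith(".myhouse.duckdns.org"):
        return PUBLIC_IP
    return None  # nothing in the public tree: NXDOMAIN


def parse_config(text):
    """Parse the subset of dnsmasq syntax used in the thread.
    Returns (hosts, rules): hosts maps an exact name to an IP;
    rules maps a domain to an IP (address=) or to None (local=)."""
    hosts, rules = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "host-record":            # host-record=<name>,<ip>
            name, _, ip = value.partition(",")
            hosts[name.lower()] = ip
        elif key == "local":                # local=/<domain>/
            rules[value.strip("/").lower()] = None
        elif key == "address":              # address=/<domain>/<ip>
            domain, _, ip = value.strip("/").partition("/")
            rules[domain.lower()] = ip
    return hosts, rules


def matches(qname, domain):
    """Domain directives match the domain itself and all of its subdomains."""
    return qname == domain or qname.endswith("." + domain)


def resolve(config_text, qname):
    """Return (source, answer); answer is an IP string or "NXDOMAIN"."""
    hosts, rules = parse_config(config_text)
    qname = qname.rstrip(".").lower()
    if qname in hosts:                       # static entries are always answered locally
        return ("static", hosts[qname])
    hits = [d for d in rules if matches(qname, d)]
    if hits:                                 # longest matching domain wins
        best = max(hits, key=len)
        if rules[best] is None:              # local=: never forwarded, no local data -> NXDOMAIN
            return ("local", "NXDOMAIN")
        return ("address", rules[best])      # address=: synthesized wildcard answer
    ip = upstream_lookup(qname)              # no rule matched: forward upstream
    return ("upstream", ip if ip else "NXDOMAIN")


# Constructed config fragments mirroring the thread.
CONFIG_BEFORE = "host-record=nas.myhouse.duckdns.org,192.168.1.10\n"
CONFIG_WITH_LOCAL = CONFIG_BEFORE + "local=/myhouse.duckdns.org/\n"
CONFIG_WILDCARD = "address=/wildcardtest.com/100.100.100.100\n"

if __name__ == "__main__":
    queries = ["nas.myhouse.duckdns.org", "foo.myhouse.duckdns.org", "myhouse.duckdns.org"]
    for label, cfg in [("before", CONFIG_BEFORE), ("with local=", CONFIG_WITH_LOCAL)]:
        for q in queries:
            print(f"{label:12} {q:26} -> {resolve(cfg, q)}")
    print(f"{'wildcard':12} {'foo.wildcardtest.com':26} -> {resolve(CONFIG_WILDCARD, 'foo.wildcardtest.com')}")
```

    Running it shows the two behaviours the thread describes: without local= the non-existent foo.myhouse.duckdns.org is forwarded and comes back as the public IP, and with local= it becomes NXDOMAIN, but so does the bare myhouse.duckdns.org, because a domain directive covers the domain itself as well as its subdomains. The address= line from post #7 answers any label under wildcardtest.com with 100.100.100.100 without touching the upstream resolver.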

  8. #8
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Default

    Quote Originally Posted by sky-knight
    Jim, your problem is entirely different. If you want a DNS name that doesn't actually exist in the world to wildcard resolve based on your own configuration, just stuff this into config -> networking -> advanced -> DHCP & DNS
    WHAT DO YOU MEAN i HAVE A PROBLEM?


    haha - seriously, yes I have several of those address entries,
    EDIT: one for each subnet (VLANs). no, not for subnets, but to redirect other things.

    I also have local=/...in-addr.arpa/ entries for the reverse lookups on the various subnets (VLANs).

    I am just thinking out loud, trying to solve his problem. I just haven't wrapped my head around the whole topic.

    In my case, I have a FQDN pointing at NGFW, and that one public facing service-thing is very limited. I am pretty certain that I don't want my internal domain name to be real/routable or have anything to do with the external one, to avoid confusion on my part. This is just a residential scenario.
    Last edited by Jim.Alles; 08-09-2020 at 09:07 AM.
    If you think I got Grumpy

  9. #9
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,485

    Default

    There are two competing schools of thought on that one... and as usual I fall back to a hybrid approach because it lets you shift from one extreme to the other as needs demand without having to do a complete rework.

    So let's say for example you own example.domain.

    I used to use example.local for my internal stuff, and example.domain for my public stuff. I still have a BUCKET of this in the wild, because you don't just change this crap after the fact...

    BUT because you can no longer get real certificates for example.local, or anything like it... it's better now to use a subdomain of the parent domain for internal stuff. Something like lan.example.domain or local.example.domain.

    Now you configure a DNS server to handle that new zone internally, and you can choose to put the records in the public domain to aim at them... or not. But because those records can be made to resolve publicly easily while using split DNS or only from trusted locations you can easily get certificates for that sub-domain from any source, including let's encrypt.

    If you're working with AD this solution opens the door for a fully integrated Federated domain, which users can log into from anywhere, regardless of connectivity. You simply cannot do that with a fully private domain.

    The point is if you use a sub domain you can operate as a complete split DNS if you want, a fully merged DNS if you want, or any hybrid of the two... without killing yourself. It's just a function of controlling which DNS service has what records.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #10
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Default

    Quote Originally Posted by sky-knight
    as far as I can tell because port forwarding has NOTHING to do with DNS resolution. One port on one IP address can be used exactly ONCE.
    Yes, and correct.

    So, for the O.P. -from the outside, public perspective- what internal resource can be reached is wholly dependent on the port forwards from the NGFW external IP address. It doesn't matter what FQDN hostname was used.

    I am trying to understand what else has to work from the inside? and it can't be a wildcard, anyway.

    Quote Originally Posted by tescophil
    However, there is one problem with this: the base DNS name of myhouse.duckdns.org will no longer resolve to my public IP (and I need this to work)
    To do what, exactly?
    Last edited by Jim.Alles; 08-09-2020 at 09:19 AM. Reason: answer stated in O.P.
