From: Lonnie A. <li...@lo...> - 2018-10-22 03:28:01
> This is not a problem for standard AstLinux because that does not support DHCP for IPv6 so on an AstLinux LAN dual IPv4/IPv6 is required and DNS comes from IPv4.

Indeed, and that is why I like the idea of only supporting DHCPv4 on internal interfaces, it just works, and works consistently.

> The changes to support that (IPv4 only for standard AstLinux) can be found here..
> https://github.com/dkerr64/astlinux/commit/d20a4f40571258bbbf8725bfde6ec5a4254630ec

David, nicely done (I have a few quibbles) but you put your finger on where it would go.

Taking a step back, if a dedicated Raspberry Pi was performing DNS for the whole network, wouldn't it be better for AstLinux to just use it as its static DNS source ? like ...

Network -> DNS: ____

In this case all the requests would be coming from AstLinux itself, would you be losing any interesting statistics on the pi-hole web interface ?

More importantly, the pi-hole should offer DNS-TLS upstream (via stubby like we do), I'm not sure if that has been implemented (lots of requests for it by DuckDuckGo'ing it).

If you have a simple single LAN, then I can see tweaking the DHCP "option:dns-server" would be a reasonable choice, but when you have multiple LAN's/VLAN's and a single pi-hole it would require adding a bunch of firewall rules for DNS to be accessed across subnets. Not to mention requiring dnsmasq setup tweaks like what David proposed above.

I would imagine that pi-hole should support DNS-TLS upstream at some point. I suppose we could optionally have our stubby daemon listen on 0.0.0.0@2853 instead of 127.0.0.1@2853 so a local pi-hole could direct DNS to its internal gateway at port 2853 ... bypassing dnsmasq's DNS altogether. It would take some testing, assuming pi-hole can forward upstream to both address and port.

Sadly the pi-hole project basically requires a full "Linux system" rather than just a single daemon, the latter could be easily incorporated into AstLinux directly.
Lonnie

> On Oct 21, 2018, at 7:57 PM, David Kerr <da...@ke...> wrote:
>
> Moving this to developer list...
>
> I decided to go the same route as Michael. I found an old Raspberry Pi lying around and set it up as a pi-hole server. Then I went the route of setting dnsmasq option to replace the DNS server pushed out to DHCP clients.
>
> As I did this I found a quirk of dnsmasq...
> NOTE... following does NOT apply to standard AstLinux, only to my version, but it is worth documenting.
> For IPv4 all is fine. The dhcp-option statement in dnsmasq.static seems to replace/overwrite that in dnsmasq.conf.
> However for IPv6 it was not as clean cut as that. On iOS devices both the IPv6 address in dnsmasq.conf and that in dnsmasq.static were getting picked up by the IPv6 network stack on iOS devices. This did not appear to be happening on MacOS devices however, very odd.
> This is not a problem for standard AstLinux because that does not support DHCP for IPv6 so on an AstLinux LAN dual IPv4/IPv6 is required and DNS comes from IPv4. I have implemented much richer IPv6 support for local networks but this has not been incorporated back into the standard AstLinux (yet?).
>
> I decided therefore that it would make sense to allow for manual configuration of DNS servers in Astlinux, so that it would be done by the system into dnsmasq.conf and not require setting in dnsmasq.static. I therefore implemented support for...
> INTDNS="192.168.1.1"
> that can be set in user.conf.
> And of course all the other interfaces as well... INT2DNS, INT3DNS, INT4DNS, DMZDNS and EXTDNS
> These can be a space or comma separated list of IP addresses, so if you want to push a primary and secondary you can...
> INT2DNS="8.8.8.8 8.8.4.4"
>
> The changes to support that (IPv4 only for standard AstLinux) can be found here..
> https://github.com/dkerr64/astlinux/commit/d20a4f40571258bbbf8725bfde6ec5a4254630ec
> The full IPv6 version is in my "develop" branch.
>
> Up to Lonnie if he wants to pull the IPv4 version into the Astlinux master.
>
> David
>
> On Sat, Oct 20, 2018 at 6:00 PM Michael Keuter <li...@mk...> wrote:
>
> > On 20.10.2018 at 23:50, David Kerr <da...@ke...> wrote:
> >
> > > So, been thinking this through. I didn't realize that primary and secondary DNS could in fact be both used in parallel. I had assumed that secondary would be used only if primary failed. If I had a dedicated DNS server for pi-hole this might be okay (raspberry pi on my network maybe?) but I have it running in a VM which is running on Astlinux and it is also my UniFi Controller. I am trying to cover the possibility of that VM not running, even if for just a few minutes during a reboot. When Astlinux reboots the VM image also restarts but maybe delayed by a minute or two as it goes through its boot. So DNS will take longer to come back up.
> > >
> > > I think two choices. I can change DHCP to push out the IP address of pi-hole VM. Or I can put some iptables rules in place to reroute DNS requests that come in to Astlinux (using NAT rules, needs both DNAT and SNAT rules). The benefit of iptables rules is that I could apply it to the entire network (even statically assigned clients) if I want and I can quickly revert the entire network to using Astlinux directly for DNS if I need to. But it is a more complex solution than just pushing out a DNS server address.
> > >
> > > Pondering over this. Any thoughts?
> > >
> > > David
> >
> > Hi David,
> >
> > I am running a real Raspi 3 Model B+ with Pi hole, and my AstLinux router does DHCP and upstream DNS.
> > All DHCP devices get only the Pi as DNS server, which does Ad-blocking and then forwards the requests to the AstLinux router (with the config described in my former email). The Raspi is always on.
> >
> > > On Fri, Oct 19, 2018 at 5:33 PM Lonnie Abelbeck <li...@lo...> wrote:
> > >
> > > > Ahhh, pi-hole ....
> > > > Keep in mind that depending on the DNS client, given two DNS server IP's they can be queried in parallel and not just failover as primary/secondary would imply.
> > > >
> > > > Can you configure AstLinux to use the pi-hole IP as the system's static DNS server ? or is there a startup chicken/egg issue ?
> > > >
> > > > Network -> DNS: ____
> > > >
> > > > Lonnie
> > > >
> > > > On Oct 19, 2018, at 4:13 PM, David Kerr <Da...@Ke...> wrote:
> > > >
> > > > > I'll try dnsmasq.static. As to why... I have installed pi-hole (https://pi-hole.net/) on a VM and want to point clients at it as primary DNS, astlinux as secondary in case it fails. I configured pi-hole to use my astlinux as its primary DNS so all queries will ultimately go through astlinux, after pi-hole has done its thing to filter out the unwanted. No idea if I will keep this but thought I would give it a try and see if the family notices or if anything breaks.
> > > > >
> > > > > David
> > > > >
> > > > > On Fri, Oct 19, 2018 at 4:54 PM Lonnie Abelbeck <li...@lo...> wrote:
> > > > >
> > > > > > On Oct 19, 2018, at 3:44 PM, David Kerr <da...@ke...> wrote:
> > > > > >
> > > > > > > I'm probably just overlooking it, but is there a way for me to define the DNS servers that get pushed to clients in DHCP responses? Say I wanted to push out 192.168.1.2 instead (or as well as) 192.168.1.1, how would I do that?
> > > > > >
> > > > > > No trivial way. Possibly you could override the "dhcp-option=lan,option:dns-server,.." value using /mnt/kd/dnsmasq.static .
> > > > > >
> > > > > > Which begs the question, Why ? :-)
> > > > > >
> > > > > > Lonnie
> >
> > Michael
> >
> > http://www.mksolutions.info
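The two mechanisms weighed in this thread, overriding the DHCPv4 "option:dns-server" that dnsmasq hands out (Lonnie's /mnt/kd/dnsmasq.static suggestion and David's space- or comma-separated INTDNS style lists) and David's alternative of iptables DNAT/SNAT rules that redirect every client's DNS to the pi-hole, as an added shell example. This is not AstLinux project code and not David's commit; the function names, the interface name eth1, the addresses 192.168.1.1 (router) and 192.168.1.2 (pi-hole) and the exact rule layout are assumptions for illustration, and the functions print configuration text rather than applying it.

```shell
#!/bin/sh
# Added example for the DNS hand-off discussed in the thread; not AstLinux
# code and not David's commit. Function names, the interface name, the
# addresses and the rule layout are assumptions used for illustration.
# Nothing is applied: every function only prints text.

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with each octet in 0..255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')   # split into octets
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# dns_server_option TAG LIST: print one dnsmasq line, in the form quoted in
# the thread, that overrides the DNS server(s) offered to DHCPv4 clients
# matching TAG. LIST may be space- or comma-separated (the INTDNS="8.8.8.8
# 8.8.4.4" style). Fails without printing if LIST is empty or has a bad entry,
# so a typo cannot leave clients with a half-built option.
dns_server_option() {
  tag=$1
  out=
  for ip in $(printf '%s' "$2" | tr ',' ' '); do
    is_ipv4 "$ip" || { echo "dns_server_option: bad address '$ip'" >&2; return 1; }
    out="${out:+$out,}$ip"
  done
  [ -n "$out" ] || return 1
  echo "dhcp-option=${tag},option:dns-server,${out}"
}

# dns_redirect_rules IFACE ROUTER_IP FILTER_IP: print the iptables NAT rules
# for the other option, sending every port-53 query that arrives on IFACE to
# FILTER_IP (the pi-hole). The "! -s FILTER_IP" match keeps the pi-hole's own
# upstream queries (which it sends to ROUTER_IP) from being DNATed back to
# itself, and the SNAT makes the pi-hole answer through the router, which is
# needed when the client and the pi-hole share a subnet.
dns_redirect_rules() {
  iface=$1 router=$2 filter=$3
  is_ipv4 "$router" || return 1
  is_ipv4 "$filter" || return 1
  for proto in udp tcp; do
    echo "iptables -t nat -A PREROUTING -i $iface ! -s $filter -p $proto --dport 53 -j DNAT --to-destination $filter"
    echo "iptables -t nat -A POSTROUTING -o $iface -d $filter -p $proto --dport 53 -j SNAT --to-source $router"
  done
}

# Demo with constructed sample values: a primary/secondary pair for "int2",
# a list with a bad octet that is rejected, and the redirect rules for eth1.
dns_server_option int2 "8.8.8.8, 8.8.4.4"
dns_server_option lan "192.168.1.2 192.168.1.300" || echo "rejected as expected"
dns_redirect_rules eth1 192.168.1.1 192.168.1.2
```

The dhcp-option line keeps the bare-tag form quoted in the thread ("dhcp-option=lan,option:dns-server,.."); the order of addresses in the list is the order clients receive them, and as Lonnie notes a client may query both in parallel rather than treating the second as a pure fallback. The redirect rules only cover IPv4 and only queries to port 53, so a client configured for DNS over TLS or DoH to an outside resolver bypasses them.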