From: David K. <da...@ke...> - 2018-10-24 13:55:40
Does DMZ require another physical ethernet port? I've used up all three on my APU2.

David

On Wed, Oct 24, 2018 at 9:14 AM Lonnie Abelbeck <li...@lo...> wrote:
> How about this...
>
> Hardware Pi-hole with AstLinux
> ------------------------------
>
> Place the Pi-hole box off the DMZ interface.
>
> Example: DMZ is 10.10.50.1/24 and Pi-hole static IP is 10.10.50.53/24
> with its upstream DNS set to 10.10.50.1
>
> Network -> Firewall Configuration: {Firewall Configuration}
> --
> Action: [Pass DMZ->Local]
> Source: 10.10.50.53
> Port: 53
> Protocol: TCP/UDP
> Comment: Allow Pi-hole upstream DNS via Local
> --
>
> Network -> Advanced Configuration: {Edit User Variables}
> --
> DHCP_OPTION_DNS_SERVER="10.10.50.53"
> --
>
> The only code change required would be adding DHCP_OPTION_DNS_SERVER
> rc.conf support:
> -- package/dnsmasq/dnsmasq.init --
> trueDNSMASQnet()
> ...
> - dhcp-option=$1,option:dns-server,$gateway
> + dhcp-option=$1,option:dns-server,${DHCP_OPTION_DNS_SERVER:-$gateway}
> --
> Same idea as David's, but simplified.
>
> FYI, in case you forgot, the default DMZ firewall rules are:
> 1) Block all DMZ initiated connections to internal interfaces and Local AstLinux
> 2) Allow all DMZ initiated connections via external interface.
> 3) Allow all internal interfaces and Local AstLinux initiated connections to the DMZ
>
> With this scenario, AstLinux can be configured with "DNS-TLS Proxy Server"
> enabled to encrypt all Pi-hole upstream requests, as well as any local
> "DNS Hosts" can be honored via Pi-hole.
>
> Thoughts ?
>
> Lonnie
>
>
> > On Oct 23, 2018, at 8:32 PM, David Kerr <Da...@Ke...> wrote:
> >
> > Hi Lonnie,
> > Interesting thought about making pi-hole the upstream DNS for Astlinux
> > (and therefore the whole network). You would certainly lose a lot of the
> > metrics that pi-hole captures, though I am not sure how much I care about
> > those. Mainly for geek interest I think.
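Review bot: the `+ dhcp-option=$1,option:dns-server,${DHCP_OPTION_DNS_SERVER:-$gateway}` line applies one global value to every interface tag passed in `$1`, so a single DHCP_OPTION_DNS_SERVER setting pushes the Pi-hole address to all LANs and the DMZ alike with no per-interface override; the INTDNS/INT2DNS/DMZDNS variables David describes further down in this thread give that per-interface shape, which the "multiple LAN's/VLAN's and a single pi-hole" objection earlier in the thread calls for. Because the variable is spliced verbatim into the option, the rc.conf documentation should also state that a multi-server value must be comma-separated (a space-separated value like the quoted INT2DNS="8.8.8.8 8.8.4.4" example is not a valid dhcp-option address list) and that a single Pi-hole address leaves DHCP clients with no fallback resolver while that box is down, the failure case David raised at the start of the thread.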
> > I do notice on the pi-hole settings page support for DNSSEC with a note
> > that it only works with google, norton, dns.watch and quad9 servers. I do
> > not see a way to specify port number for pi-hole's upstream servers, but
> > you could use iptables on Astlinux to REDIRECT traffic from pi-hole's
> > static ip going to port 53 and send it instead to 2853, I think that
> > might work.
> >
> > I do agree it is a pity that pi-hole isn't a whole lot simpler... would
> > be great if it could just be added to AstLinux, but clearly that is not
> > the approach they took and given cost of a Raspberry Pi it is maybe not
> > that unreasonable for them to take the approach they did.
> >
> > Not at home this week so I cannot do any experimenting. I did leave
> > pi-hole active at home, let's hope I don't return to annoyed family... I
> > have already had to whitelist some domains just to get google sponsored
> > search results to work.
> >
> > David
> >
> > On Sun, Oct 21, 2018 at 11:28 PM Lonnie Abelbeck <li...@lo...> wrote:
> > > > This is not a problem for standard AstLinux because that does not
> > > > support DHCP for IPv6 so on an AstLinux LAN dual IPv4/IPv6 is required
> > > > and DNS comes from IPv4.
> > >
> > > Indeed, and is why I like the idea of only supporting DHCPv4 on internal
> > > interfaces, it just works, and works consistently.
> > >
> > > > The changes to support that (IPv4 only for standard AstLinux) can be
> > > > found here..
> > > > https://github.com/dkerr64/astlinux/commit/d20a4f40571258bbbf8725bfde6ec5a4254630ec
> > >
> > > David, nicely done (I have a few quibbles) but you put your finger on
> > > where it would go.
> > >
> > >
> > > Taking a step back, if a dedicated Raspberry Pi was performing DNS for
> > > the whole network, wouldn't it be better for AstLinux to just use it as
> > > its static DNS source ? like ...
> > >
> > > Network -> DNS: ____
> > >
> > > In this case all the requests would be coming from AstLinux itself,
> > > would you be losing any interesting statistics on the pi-hole web
> > > interface ?
> > >
> > > More importantly, the pi-hole should offer DNS-TLS upstream (via stubby
> > > like we do), I'm not sure if that has been implemented (lots of requests
> > > for it by DuckDuckGo'ing it).
> > >
> > > If you have a simple single LAN, then I can see tweaking the DHCP
> > > "option:dns-server" would be a reasonable choice, but when you have
> > > multiple LAN's/VLAN's and a single pi-hole it would require adding a
> > > bunch of firewall rules for DNS to be accessed across subnets. Not to
> > > mention requiring dnsmasq setup tweaks like what David proposed above.
> > >
> > > I would imagine that pi-hole should support DNS-TLS upstream at some
> > > point. I suppose we could optionally have our stubby daemon listen on
> > > 0.0.0.0@2853 instead of 127.0.0.1@2853 so a local pi-hole could direct
> > > DNS to its internal gateway at port 2853 ... bypassing dnsmasq's DNS
> > > altogether. It would take some testing, assuming pi-hole can forward
> > > upstream to both address and port.
> > >
> > > Sadly the pi-hole project basically requires a full "Linux system"
> > > rather than just a single daemon, the latter could be easily
> > > incorporated into AstLinux directly.
> > >
> > > Lonnie
> > >
> > >
> > > > On Oct 21, 2018, at 7:57 PM, David Kerr <da...@ke...> wrote:
> > > >
> > > > Moving this to developer list...
> > > >
> > > > I decided to go the same route as Michael. I found an old Raspberry Pi
> > > > lying around and set it up as a pi-hole server. Then I went the route
> > > > of setting dnsmasq option to replace the DNS server pushed out to DHCP
> > > > clients.
> > > >
> > > > As I did this I found a quirk of dnsmasq...
> > > > NOTE... following does NOT apply to standard AstLinux, only to my
> > > > version, but it is worth documenting.
> > > > For IPv4 all is fine. The dhcp-option statement in dnsmasq.static
> > > > seems to replace/overwrite that in dnsmasq.conf.
> > > > However for IPv6 it was not as clean cut as that. On iOS devices both
> > > > the IPv6 address in dnsmasq.conf and that in dnsmasq.static was getting
> > > > picked up by the IPv6 network stack on iOS devices. This did not appear
> > > > to be happening on MacOS devices however, very odd.
> > > > This is not a problem for standard AstLinux because that does not
> > > > support DHCP for IPv6 so on an AstLinux LAN dual IPv4/IPv6 is required
> > > > and DNS comes from IPv4. I have implemented much richer IPv6 support
> > > > for local networks but this has not been incorporated back into the
> > > > standard AstLinux (yet?).
> > > >
> > > > I decided therefore that it would make sense to allow for manual
> > > > configuration of DNS servers in Astlinux, so that it would be done by
> > > > the system into dnsmasq.conf and not require setting in dnsmasq.static.
> > > > I therefore implemented support for...
> > > > INTDNS="192.168.1.1"
> > > > that can be set in user.conf.
> > > > And of course all the other interfaces as well... INT2DNS, INT3DNS,
> > > > INT4DNS, DMZDNS and EXTDNS
> > > > These can be a space or comma separated list of IP addresses, so if
> > > > you want to push a primary and secondary you can...
> > > > INT2DNS="8.8.8.8 8.8.4.4"
> > > >
> > > > The changes to support that (IPv4 only for standard AstLinux) can be
> > > > found here..
> > > > https://github.com/dkerr64/astlinux/commit/d20a4f40571258bbbf8725bfde6ec5a4254630ec
> > > > The full IPv6 version is in my "develop" branch.
> > > >
> > > > Up to Lonnie if he wants to pull the IPv4 version into the Astlinux
> > > > master.
> > > >
> > > > David
> > > >
> > > >
> > > > On Sat, Oct 20, 2018 at 6:00 PM Michael Keuter <li...@mk...> wrote:
> > > > > > On 20.10.2018 at 23:50, David Kerr <da...@ke...> wrote:
> > > > > >
> > > > > > So, been thinking this through. I didn't realize that primary and
> > > > > > secondary DNS could in fact be both used in parallel. I had assumed
> > > > > > that secondary would be used only if primary failed. If I had a
> > > > > > dedicated DNS server for pi-hole this might be okay (raspberry pi on
> > > > > > my network maybe?) but I have it running in a VM which is running on
> > > > > > Astlinux and it is also my UniFi Controller. I am trying to cover
> > > > > > the possibility of that VM not running, even if for just a few
> > > > > > minutes during a reboot. When Astlinux reboots the VM image also
> > > > > > restarts but maybe delayed by a minute or two as it goes through its
> > > > > > boot. So DNS will take longer to come back up.
> > > > > >
> > > > > > I think two choices. I can change DHCP to push out the IP address of
> > > > > > pi-hole VM. Or I can put some iptables rules in place to reroute DNS
> > > > > > requests that come in to Astlinux (using NAT rules, needs both DNAT
> > > > > > and SNAT rules). The benefit of iptables rules is that I could apply
> > > > > > it to entire network (even statically assigned clients) if I want
> > > > > > and I can quickly revert the entire network to using Astlinux
> > > > > > directly for DNS if I need to. But it is a more complex solution
> > > > > > than just pushing out a DNS server address.
> > > > > >
> > > > > > Pondering over this. Any thoughts?
> > > > > >
> > > > > > David
> > > > >
> > > > > Hi David,
> > > > >
> > > > > I am running a real Raspi 3 Model B+ with Pi hole, and my AstLinux
> > > > > router does DHCP and upstream DNS.
> > > > > All DHCP devices get only the Pi as DNS server, which does Ad-blocking
> > > > > and then forwards the requests to the AstLinux router (with the config
> > > > > described in my former email). The Raspi is always on.
> > > > >
> > > > > > On Fri, Oct 19, 2018 at 5:33 PM Lonnie Abelbeck <li...@lo...> wrote:
> > > > > > > Ahhh, pi-hole ....
> > > > > > >
> > > > > > > Keep in mind that depending on the DNS client, given two DNS server
> > > > > > > IP's they can be queried in parallel and not just failover as
> > > > > > > primary/secondary would imply.
> > > > > > >
> > > > > > > Can you configure AstLinux to use the pi-hole IP as the system's
> > > > > > > static DNS server ? or is there a startup chicken/egg issue ?
> > > > > > >
> > > > > > > Network -> DNS: ____
> > > > > > >
> > > > > > > Lonnie
> > > > > > >
> > > > > > >
> > > > > > > > On Oct 19, 2018, at 4:13 PM, David Kerr <Da...@Ke...> wrote:
> > > > > > > >
> > > > > > > > I'll try dnsmasq.static. As to why... I have installed pi-hole
> > > > > > > > (https://pi-hole.net/) on a VM and want to point clients at it as
> > > > > > > > primary DNS, astlinux as secondary in case it fails. I configured
> > > > > > > > pi-hole to use my astlinux as its primary DNS so all queries will
> > > > > > > > ultimately go through astlinux, after pi-hole has done its thing
> > > > > > > > to filter out the unwanted. No idea if I will keep this but
> > > > > > > > thought I would give it a try and see if the family notices or if
> > > > > > > > anything breaks.
> > > > > > > >
> > > > > > > > David
> > > > > > > >
> > > > > > > > On Fri, Oct 19, 2018 at 4:54 PM Lonnie Abelbeck <li...@lo...> wrote:
> > > > > > > > >
> > > > > > > > > > On Oct 19, 2018, at 3:44 PM, David Kerr <da...@ke...> wrote:
> > > > > > > > > >
> > > > > > > > > > I'm probably just overlooking it, but is there a way for me to
> > > > > > > > > > define the DNS servers that get pushed to clients in DHCP
> > > > > > > > > > responses? Say I wanted to push out 192.168.1.2 instead (or as
> > > > > > > > > > well as) 192.168.1.1, how would I do that?
> > > > > > > > >
> > > > > > > > > No trivial way. Possibly you could override the
> > > > > > > > > "dhcp-option=lan,option:dns-server,.." value using /mnt/kd/dnsmasq.static .
> > > > > > > > >
> > > > > > > > > Which begs the question, Why ? :-)
> > > > > > > > >
> > > > > > > > > Lonnie
> > > > >
> > > > > Michael
>
> _______________________________________________
> Astlinux-devel mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-devel
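As an added example (not AstLinux project code and not posted by anyone in this thread), the same interface-tag/gateway-fallback logic as the quoted dnsmasq.init change, extended to accept the space- or comma-separated list that David's INTDNS variables allow and to validate every address before it is written into the dnsmasq configuration; the function names and the tag values used in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not AstLinux project code: build the dnsmasq DHCP
# "dns-server" option line for one interface tag the way the quoted
# dnsmasq.init change does (user override, else the interface gateway),
# but accept a space- or comma-separated list and reject anything that is
# not an IPv4 address before it reaches dnsmasq.conf. Function names and
# the example tags (lan, int2, dmz) are assumptions, not AstLinux's own.

# is_ipv4 ADDR : succeed only for a dotted quad whose octets are 0-255
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _saved_ifs="$IFS"; IFS=.
  set -- $1
  IFS="$_saved_ifs"
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# dns_server_option TAG GATEWAY [LIST]
# TAG is the dnsmasq interface tag ($1 in trueDNSMASQnet), GATEWAY the
# interface address used when LIST is empty, LIST the user.conf value.
# Prints the dhcp-option line. If any address in LIST is invalid, prints
# the gateway fallback instead and returns 1, so a bad user.conf value
# degrades to the stock behaviour rather than producing a config line
# dnsmasq cannot parse.
dns_server_option() {
  _tag="$1"; _gw="$2"; _list="$3"; _out=""
  _saved_ifs="$IFS"; IFS=' ,'
  set -- $_list
  IFS="$_saved_ifs"
  for _ip in "$@"; do
    [ -n "$_ip" ] || continue            # tolerate "a, b" or "a,,b"
    if ! is_ipv4 "$_ip"; then
      echo "dhcp-option=$_tag,option:dns-server,$_gw"
      return 1
    fi
    _out="${_out:+$_out,}$_ip"           # dnsmasq wants a comma-joined list
  done
  echo "dhcp-option=$_tag,option:dns-server,${_out:-$_gw}"
}
```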