From: David K. <da...@ke...> - 2018-11-02 00:32:44
Well, as I was the initiator of this thread I am in favor. Lonnie's suggestion of using the DMZ is actually quite elegant. A couple of thoughts though:

1) Is it okay to have one DNS set for all internal subnets (excluding DMZ)? dnsmasq does allow setting of different DNS servers on a per-interface basis. It is definitely simpler to just support the same for all subnets, but I have noticed that pi-hole can stop some things working (like sponsored search results in Google, and quite a few affiliate links from blogs, etc.). So I might want the flexibility to leave my guest network un-filtered while I send my main network to pi-hole.

2) And I put on my body armor here :-) The setting should allow for IPv6 as well as IPv4 addresses. Yes, I know standard AstLinux does not support DHCPv6 on internal networks, but I have implemented it on my custom version... just trying to keep the differences between the two as minimal as possible. [Sidebar: at some point AstLinux will need to up its game wrt IPv6, but I know Lonnie is not at that point yet.]

David

On Thu, Nov 1, 2018 at 7:05 PM Michael Keuter <li...@mk...> wrote:

> On 01.11.2018 at 22:46, Michael Knill <mic...@ip...> wrote:
>
>> I personally don't think I would use it. I use dnsmasq.static for everything that needs to be changed.
>
> +1
>
>> Are you thinking of adding it to the Network Tab?
>>
>> Regards
>> Michael Knill
>>
>> On 2/11/18, 6:51 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>>
>>> Any thoughts on adding a DHCP_OPTION_DNS_SERVER rc.conf variable? (outlined below)
>>>
>>> Useful, or extraneous?
>>>
>>> Lonnie
>>>
>>> On Oct 24, 2018, at 9:12 AM, Lonnie Abelbeck <li...@lo...> wrote:
>>>
>>>>> Does DMZ require another physical ethernet port?
>>>>
>>>> No, the DMZ can be a VLAN.
>>>>
>>>> Lonnie
>>>>
>>>> On Oct 24, 2018, at 8:55 AM, David Kerr <Da...@Ke...> wrote:
>>>>
>>>>> Does DMZ require another physical ethernet port? I've used up all three on my APU2.
>>>>>
>>>>> David
>>>>>
>>>>> On Wed, Oct 24, 2018 at 9:14 AM Lonnie Abelbeck <li...@lo...> wrote:
>>>>>
>>>>>> How about this...
>>>>>>
>>>>>> Hardware Pi-hole with AstLinux
>>>>>> ------------------------------
>>>>>>
>>>>>> Place the Pi-hole box off the DMZ interface.
>>>>>>
>>>>>> Example: DMZ is 10.10.50.1/24 and Pi-hole static IP is 10.10.50.53/24 with its upstream DNS set to 10.10.50.1
>>>>>>
>>>>>> Network -> Firewall Configuration: {Firewall Configuration}
>>>>>> --
>>>>>> Action: [Pass DMZ->Local]
>>>>>> Source: 10.10.50.53
>>>>>> Port: 53
>>>>>> Protocol: TCP/UDP
>>>>>> Comment: Allow Pi-hole upstream DNS via Local
>>>>>> --
>>>>>>
>>>>>> Network -> Advanced Configuration: {Edit User Variables}
>>>>>> --
>>>>>> DHCP_OPTION_DNS_SERVER="10.10.50.53"
>>>>>> --
>>>>>>
>>>>>> The only code change required would be adding DHCP_OPTION_DNS_SERVER rc.conf support:
>>>>>> -- package/dnsmasq/dnsmasq.init --
>>>>>> trueDNSMASQnet()
>>>>>> ...
>>>>>> - dhcp-option=$1,option:dns-server,$gateway
>>>>>> + dhcp-option=$1,option:dns-server,${DHCP_OPTION_DNS_SERVER:-$gateway}
>>>>>> --
>>>>>> Same idea as David's, but simplified.
>>>>>>
>>>>>> FYI, in case you forgot, the default DMZ firewall rules are:
>>>>>> 1) Block all DMZ initiated connections to internal interfaces and Local AstLinux
>>>>>> 2) Allow all DMZ initiated connections via external interface.
>>>>>> 3) Allow all internal interfaces and Local AstLinux initiated connections to the DMZ
>>>>>>
>>>>>> With this scenario, AstLinux can be configured with "DNS-TLS Proxy Server" enabled to encrypt all Pi-hole upstream requests, as well as any local "DNS Hosts" can be honored via Pi-hole.
>>>>>>
>>>>>> Thoughts ?
>>>>>>
>>>>>> Lonnie
>>>>>>
>>>>>> On Oct 23, 2018, at 8:32 PM, David Kerr <Da...@Ke...> wrote:
>>>>>>
>>>>>>> Hi Lonnie,
>>>>>>> Interesting thought about making pi-hole the upstream DNS for AstLinux (and therefore the whole network).
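Review bot: the `${DHCP_OPTION_DNS_SERVER:-$gateway}` default in the `dhcp-option=$1,option:dns-server,...` line applies one value to every interface tag trueDNSMASQnet() is called with, so it cannot leave a guest subnet on its gateway while the main LAN is sent to the Pi-hole, even though the per-tag `$1` form already emitted here would let dnsmasq do exactly that; and the variable is substituted unvalidated, so a value written as a space-separated list (the `INTDNS="8.8.8.8 8.8.4.4"` form David describes in this thread) produces a malformed option line instead of the comma-separated list dnsmasq expects. Suggest resolving an interface-specific variable before the global one, normalising the value to comma-joined, validated IPv4 addresses with the `$gateway` fallback only when the result is empty, and documenting that precedence in the rc.conf comment.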
>>>>>>> You would certainly lose a lot of the metrics that pi-hole captures, though I am not sure how much I care about those. Mainly for geek interest I think. I do notice on the pi-hole settings page support for DNSSEC with a note that it only works with Google, Norton, dns.watch and Quad9 servers. I do not see a way to specify a port number for pi-hole's upstream servers, but you could use iptables on AstLinux to REDIRECT traffic from pi-hole's static IP going to port 53 and send it instead to 2853; I think that might work.
>>>>>>>
>>>>>>> I do agree it is a pity that pi-hole isn't a whole lot simpler... would be great if it could just be added to AstLinux, but clearly that is not the approach they took and given the cost of a Raspberry Pi it is maybe not that unreasonable for them to take the approach they did.
>>>>>>>
>>>>>>> Not at home this week so I cannot do any experimenting. I did leave pi-hole active at home, let's hope I don't return to an annoyed family... I have already had to whitelist some domains just to get Google sponsored search results to work.
>>>>>>>
>>>>>>> David
>>>>>>>
>>>>>>> On Sun, Oct 21, 2018 at 11:28 PM Lonnie Abelbeck <li...@lo...> wrote:
>>>>>>>
>>>>>>>>> This is not a problem for standard AstLinux because that does not support DHCP for IPv6 so on an AstLinux LAN dual IPv4/IPv6 is required and DNS comes from IPv4.
>>>>>>>>
>>>>>>>> Indeed, and is why I like the idea of only supporting DHCPv4 on internal interfaces, it just works, and works consistently.
>>>>>>>>
>>>>>>>>> The changes to support that (IPv4 only for standard AstLinux) can be found here..
>>>>>>>>> https://github.com/dkerr64/astlinux/commit/d20a4f40571258bbbf8725bfde6ec5a4254630ec
>>>>>>>>
>>>>>>>> David, nicely done (I have a few quibbles) but you put your finger on where it would go.
>>>>>>>>
>>>>>>>> Taking a step back, if a dedicated Raspberry Pi was performing DNS for the whole network, wouldn't it be better for AstLinux to just use it as its static DNS source? like ...
>>>>>>>>
>>>>>>>> Network -> DNS: ____
>>>>>>>>
>>>>>>>> In this case all the requests would be coming from AstLinux itself, would you be losing any interesting statistics on the pi-hole web interface?
>>>>>>>>
>>>>>>>> More importantly, the pi-hole should offer DNS-TLS upstream (via stubby like we do), I'm not sure if that has been implemented (lots of requests for it by DuckDuckGo'ing it).
>>>>>>>>
>>>>>>>> If you have a simple single LAN, then I can see tweaking the DHCP "option:dns-server" would be a reasonable choice, but when you have multiple LANs/VLANs and a single pi-hole it would require adding a bunch of firewall rules for DNS to be accessed across subnets. Not to mention requiring dnsmasq setup tweaks like what David proposed above.
>>>>>>>>
>>>>>>>> I would imagine that pi-hole should support DNS-TLS upstream at some point. I suppose we could optionally have our stubby daemon listen on 0.0.0.0@2853 instead of 127.0.0.1@2853 so a local pi-hole could direct DNS to its internal gateway at port 2853 ... bypassing dnsmasq's DNS altogether. It would take some testing, assuming pi-hole can forward upstream to both address and port.
>>>>>>>>
>>>>>>>> Sadly the pi-hole project basically requires a full "Linux system" rather than just a single daemon; the latter could be easily incorporated into AstLinux directly.
>>>>>>>>
>>>>>>>> Lonnie
>>>>>>>>
>>>>>>>> On Oct 21, 2018, at 7:57 PM, David Kerr <da...@ke...> wrote:
>>>>>>>>
>>>>>>>>> Moving this to developer list...
>>>>>>>>>
>>>>>>>>> I decided to go the same route as Michael. I found an old Raspberry Pi lying around and set it up as a pi-hole server. Then I went the route of setting the dnsmasq option to replace the DNS server pushed out to DHCP clients.
>>>>>>>>>
>>>>>>>>> As I did this I found a quirk of dnsmasq...
>>>>>>>>> NOTE... the following does NOT apply to standard AstLinux, only to my version, but it is worth documenting.
>>>>>>>>> For IPv4 all is fine. The dhcp-option statement in dnsmasq.static seems to replace/overwrite that in dnsmasq.conf.
>>>>>>>>> However for IPv6 it was not as clean cut as that. On iOS devices both the IPv6 address in dnsmasq.conf and that in dnsmasq.static were getting picked up by the IPv6 network stack on iOS devices. This did not appear to be happening on MacOS devices however, very odd.
>>>>>>>>> This is not a problem for standard AstLinux because that does not support DHCP for IPv6 so on an AstLinux LAN dual IPv4/IPv6 is required and DNS comes from IPv4. I have implemented much richer IPv6 support for local networks but this has not been incorporated back into the standard AstLinux (yet?).
>>>>>>>>>
>>>>>>>>> I decided therefore that it would make sense to allow for manual configuration of DNS servers in AstLinux, so that it would be done by the system into dnsmasq.conf and not require setting in dnsmasq.static. I therefore implemented support for...
>>>>>>>>> INTDNS="192.168.1.1"
>>>>>>>>> that can be set in user.conf.
>>>>>>>>> And of course all the other interfaces as well... INT2DNS, INT3DNS, INT4DNS, DMZDNS and EXTDNS
>>>>>>>>> These can be a space or comma separated list of IP addresses, so if you want to push a primary and secondary you can...
>>>>>>>>> INT2DNS="8.8.8.8 8.8.4.4"
>>>>>>>>>
>>>>>>>>> The changes to support that (IPv4 only for standard AstLinux) can be found here..
>>>>>>>>> https://github.com/dkerr64/astlinux/commit/d20a4f40571258bbbf8725bfde6ec5a4254630ec
>>>>>>>>> The full IPv6 version is in my "develop" branch.
>>>>>>>>>
>>>>>>>>> Up to Lonnie if he wants to pull the IPv4 version into the AstLinux master.
>>>>>>>>>
>>>>>>>>> David
>>>>>>>>>
>>>>>>>>> On Sat, Oct 20, 2018 at 6:00 PM Michael Keuter <li...@mk...> wrote:
>>>>>>>>>
>>>>>>>>>> On 20.10.2018 at 23:50, David Kerr <da...@ke...> wrote:
>>>>>>>>>>
>>>>>>>>>>> So, been thinking this through. I didn't realize that primary and secondary DNS could in fact be both used in parallel. I had assumed that secondary would be used only if primary failed. If I had a dedicated DNS server for pi-hole this might be okay (Raspberry Pi on my network maybe?) but I have it running in a VM which is running on AstLinux and it is also my UniFi Controller. I am trying to cover the possibility of that VM not being running, even if for just a few minutes during a reboot. When AstLinux reboots the VM image also restarts but maybe delayed by a minute or two as it goes through its boot. So DNS will take longer to come back up.
>>>>>>>>>>>
>>>>>>>>>>> I think two choices. I can change DHCP to push out the IP address of the pi-hole VM. Or I can put some iptables rules in place to reroute DNS requests that come in to AstLinux (using NAT rules, needs both DNAT and SNAT rules). The benefit of iptables rules is that I could apply it to the entire network (even statically assigned clients) if I want and I can quickly revert the entire network to using AstLinux directly for DNS if I need to. But it is a more complex solution than just pushing out a DNS server address.
>>>>>>>>>>>
>>>>>>>>>>> Pondering over this. Any thoughts?
>>>>>>>>>>>
>>>>>>>>>>> David
>>>>>>>>>>
>>>>>>>>>> Hi David,
>>>>>>>>>>
>>>>>>>>>> I am running a real Raspi 3 Model B+ with Pi-hole, and my AstLinux router does DHCP and upstream DNS.
>>>>>>>>>> All DHCP devices get only the Pi as DNS server, which does ad-blocking and then forwards the requests to the AstLinux router (with the config described in my former email). The Raspi is always on.
>>>>>>>>>>
>>>>>>>>>>> On Fri, Oct 19, 2018 at 5:33 PM Lonnie Abelbeck <li...@lo...> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Ahhh, pi-hole ....
>>>>>>>>>>>>
>>>>>>>>>>>> Keep in mind that depending on the DNS client, given two DNS server IPs they can be queried in parallel and not just failover as primary/secondary would imply.
>>>>>>>>>>>>
>>>>>>>>>>>> Can you configure AstLinux to use the pi-hole IP as the system's static DNS server? or is there a startup chicken/egg issue?
>>>>>>>>>>>>
>>>>>>>>>>>> Network -> DNS: ____
>>>>>>>>>>>>
>>>>>>>>>>>> Lonnie
>>>>>>>>>>>>
>>>>>>>>>>>> On Oct 19, 2018, at 4:13 PM, David Kerr <Da...@Ke...> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I'll try dnsmasq.static. As to why... I have installed pi-hole (https://pi-hole.net/) on a VM and want to point clients at it as primary DNS, AstLinux as secondary in case it fails. I configured pi-hole to use my AstLinux as its primary DNS so all queries will ultimately go through AstLinux, after pi-hole has done its thing to filter out the unwanted. No idea if I will keep this but thought I would give it a try and see if the family notices or if anything breaks.
>>>>>>>>>>>>>
>>>>>>>>>>>>> David
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Oct 19, 2018 at 4:54 PM Lonnie Abelbeck <li...@lo...> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Oct 19, 2018, at 3:44 PM, David Kerr <da...@ke...> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm probably just overlooking it, but is there a way for me to define the DNS servers that get pushed to clients in DHCP responses? Say I wanted to push out 192.168.1.2 instead of (or as well as) 192.168.1.1, how would I do that?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> No trivial way. Possibly you could override the "dhcp-option=lan,option:dns-server,.." value using /mnt/kd/dnsmasq.static .
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Which begs the question, Why? :-)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Lonnie
>>>>>>>>>>
>>>>>>>>>> Michael
>
> Michael
>
> http://www.mksolutions.info
>
> _______________________________________________
> Astlinux-devel mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-devel
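The two mechanisms argued over in this thread, the per-interface `dhcp-option=<tag>,option:dns-server,...` line (Lonnie's one-line `${DHCP_OPTION_DNS_SERVER:-$gateway}` patch versus David's INTDNS/INT2DNS space-or-comma lists) and David's idea of using iptables REDIRECT to push the Pi-hole's port-53 upstream queries to stubby on 2853, worked through as an added POSIX sh example. This is not AstLinux code and not the patch from the thread; the function names, the interface tags lan/lan2/lan3, the variable-name lookup and the DMZ interface name eth2 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not AstLinux project code. Builds the dnsmasq
#   dhcp-option=<tag>,option:dns-server,<servers>
# line that the thread's dnsmasq.init patch emits, but resolves the value
# per interface (interface variable, then DHCP_OPTION_DNS_SERVER, then the
# gateway), validates it, and normalises the "8.8.8.8 8.8.4.4" space form
# to the comma form dnsmasq expects. It also prints (never runs) the
# iptables REDIRECT rules for sending the Pi-hole's plain port-53 upstream
# queries to stubby on port 2853. Assumed, not from the thread: all
# function names, the interface tags lan/lan2 and the DMZ interface name.

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# dns_server_list GATEWAY [LIST]: LIST is space- and/or comma-separated
# IPv4 addresses; output is the comma-separated form. An empty LIST falls
# back to GATEWAY, the ":-$gateway" default in the patch. One bad entry
# fails the whole call (status 1, no output) so a typo in rc.conf cannot
# hand DHCP clients a half-broken resolver set.
dns_server_list() {
  _gw=$1
  _ifs=$IFS; IFS=' ,'
  set -- ${2:-}
  IFS=$_ifs
  [ $# -gt 0 ] || set -- "$_gw"
  _out=
  for _a in "$@"; do
    if ! is_ipv4 "$_a"; then
      echo "dns_server_list: invalid IPv4 address '$_a'" >&2
      return 1
    fi
    _out="${_out:+$_out,}$_a"
  done
  printf '%s\n' "$_out"
}

# dhcp_dns_option TAG GATEWAY [LIST]: the finished dnsmasq line for one
# interface tag. Emitting it once per tag is what lets a guest VLAN keep
# the gateway as resolver while the main LAN is pointed at the Pi-hole.
dhcp_dns_option() {
  _srv=$(dns_server_list "$2" "${3:-}") || return 1
  printf 'dhcp-option=%s,option:dns-server,%s\n' "$1" "$_srv"
}

# dns_option_for TAG GATEWAY VARNAME: the precedence the thread argues
# over: the interface's own variable (INTDNS style, named by VARNAME),
# then the global DHCP_OPTION_DNS_SERVER, then the gateway. VARNAME is
# checked before the eval so rc.conf content cannot inject shell.
dns_option_for() {
  case "$3" in
    ''|[0-9]*|*[!A-Za-z0-9_]*)
      echo "dns_option_for: bad variable name '$3'" >&2; return 1 ;;
  esac
  eval "_per=\${$3:-}"
  dhcp_dns_option "$1" "$2" "${_per:-${DHCP_OPTION_DNS_SERVER:-}}"
}

# pihole_tls_redirect_rules PIHOLE_IP DMZ_IFACE: nat rules that rewrite the
# Pi-hole's port-53 queries arriving on the DMZ interface to port 2853.
# REDIRECT sends them to that interface's own address, so stubby must
# listen there (Lonnie's 0.0.0.0@2853 remark), and the "Pass DMZ->Local"
# filter rule must then permit 2853: INPUT filtering runs after nat
# PREROUTING and sees the rewritten port, not 53.
pihole_tls_redirect_rules() {
  is_ipv4 "$1" || return 1
  for _p in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport 53 -j REDIRECT --to-ports 2853\n' \
      "$2" "$1" "$_p"
  done
}

# Usage with the thread's example addresses; the guest VLAN (lan2) keeps
# its gateway, unfiltered, while lan gets the Pi-hole from the global.
DHCP_OPTION_DNS_SERVER="10.10.50.53"
INTDNS=""
INT2DNS="192.168.2.1"
dns_option_for lan  192.168.1.1 INTDNS
dns_option_for lan2 192.168.2.1 INT2DNS
pihole_tls_redirect_rules 10.10.50.53 eth2
```

Run with `sh` to see the two dnsmasq lines and the two iptables commands it would add. Every function only prints; nothing is written to dnsmasq.conf or applied with iptables, so the output can be reviewed (and the 2853 rules compared against the existing "Pass DMZ->Local" port-53 rule) before any of it goes into an init script.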