Use same hostname internally and externally
All,

To quickly summarize my problem/question, I’d like to host a nextcloud server at my house and be able to access it with the same hostname whether I’m home or away.

I own a domain, let’s call it example.com. Its main DNS record points to a node at Digital Ocean. However I’d like to host a sub-domain at my house, let’s call it home.example.com. Currently home.example.com resolves to a routable IP address at my house.

- When I’m on the road, I’d like to be able to connect to https://home.example.com
- When I’m home, I’d like to be able to connect to https://home.example.com.

The above works on a well-behaved desktop receiving DNS servers via DHCP. Specifically, I have set up local DNS to resolve home.example.com to 192.168.1.1. Searching this topic has taught me that this method is called split-DNS.

However Android and iOS do not appear to honor my local DNS server — I’m not sure why — so they resolve the address to a routable IP and connect from within the private 192.168.1.0 subnet. My firewall sees this and drops it b/c it is a non-routable IP address connecting to the external interface. (I got this info by running tcpdump and watching traffic.)

Has anyone attempted something similar? Is there something I’m overlooking? (Probably)

My goal is to not do special configurations on enduser devices.

Thanks,
— brad
"brad" == brad via WLUG <wlug@lists.wlug.org> writes:

brad> To quickly summarize my problem/question, I’d like to host a nextcloud server at my house and be able to access it with the same hostname whether I’m home or away.

brad> I own a domain, let’s call it example.com. Its main DNS record points to a node at Digital Ocean. However I’d like to host a sub-domain at my house, let’s call it home.example.com. Currently home.example.com resolves to a routable IP address at my house.

brad> - When I’m on the road, I’d like to be able to connect to https://home.example.com
brad> - When I’m home, I’d like to be able to connect to https://home.example.com.

brad> The above works on a well-behaved desktop receiving DNS servers via DHCP. Specifically, I have set up local DNS to resolve home.example.com to 192.168.1.1. Searching this topic has taught me that this method is called split-DNS.

brad> However Android and iOS do not appear to honor my local DNS server — I’m not sure why — so they resolve the address to a routable IP and connect from within the private 192.168.1.0 subnet. My firewall sees this and drops it b/c it is a non-routable IP address connecting to the external interface. (I got this info by running tcpdump and watching traffic.)

Are your iPhone and Android getting their data from the WiFi network or their phone network?

You might need to sniff port 53 traffic on your firewall and see where they're sending queries to. Then you might need to block or redirect those queries to your own internal DNS server.

brad> Has anyone attempted something similar? Is there something I’m overlooking? (Probably)

I've been meaning to do it myself, putting in a local internal override for my dynamic DNS external name, so I can connect from both inside and outside (when I'm on the $WORK VPN mostly) without having to remember things. Silly to bounce SSH across the country to get downstairs... but when you sit at a $WORK laptop most days... it's nice to be able to hit home stuff via SSH and screen.

brad> My goal is to not do special configurations on enduser devices.

What is your firewall or router at home? Depending on what you have, you might be able to block outgoing port 53 traffic, or redirect it to your internal DNS server so those devices get the results you want.

I use OpnSense at home, so if that's what you're using, we can work together on this.

John
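The "block or redirect outgoing port 53" idea above, written out as an OpenBSD pf.conf fragment. This is an added example, not configuration from anyone in the thread; it assumes an OpenBSD pf firewall (the OS brad names later in the thread) whose LAN interface is em1, a LAN of 192.168.1.0/24, and unbound listening on 192.168.1.1. On OpnSense/pfSense the same thing is a "Port Forward" NAT rule on the LAN interface with the firewall's own address as the target.

```conf
# Added example, not from the thread. Assumed names: em1 is the LAN
# interface, unbound answers on 192.168.1.1.
lan      = "em1"
lan_net  = "192.168.1.0/24"
resolver = "192.168.1.1"

# Plain DNS: any LAN client that ignores the DHCP-supplied resolver and
# talks to 8.8.8.8 or similar gets its query handed to unbound instead.
# Queries already addressed to $resolver match too, harmlessly (rewritten
# to the same address and port).
pass in quick on $lan inet proto { tcp, udp } from $lan_net \
    to any port 53 rdr-to $resolver port 53

# DNS over TLS (port 853) cannot be redirected the same way: the client
# checks the server certificate. Rejecting it with an RST makes Android's
# default "Automatic" Private DNS fall back to plain port 53, which the
# rule above then catches.
block return in quick on $lan inet proto tcp from $lan_net to any port 853
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, then from a LAN host run `dig @8.8.8.8 home.example.com` and `tcpdump -ni em1 port 53` on the firewall: the answer should now be whatever unbound serves for the name, and the capture should show the reply leaving from 192.168.1.1. Two caveats: a phone on which a Private DNS hostname has been set explicitly (rather than "Automatic") does not fall back when 853 is blocked and will simply lose DNS on that network, and DNS over HTTPS to a browser's built-in resolver travels over port 443 and is not touched by either rule.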
On Nov 12, 2021, at 19:34, John Stoffel <john@stoffel.org> wrote:

> "brad" == brad via WLUG <wlug@lists.wlug.org> writes:
>
> brad> To quickly summarize my problem/question, I’d like to host a nextcloud server at my house and be able to access it with the same hostname whether I’m home or away.
>
> brad> I own a domain, let’s call it example.com. Its main DNS record points to a node at Digital Ocean. However I’d like to host a sub-domain at my house, let’s call it home.example.com. Currently home.example.com resolves to a routable IP address at my house.
>
> brad> - When I’m on the road, I’d like to be able to connect to https://home.example.com
> brad> - When I’m home, I’d like to be able to connect to https://home.example.com.
>
> brad> The above works on a well-behaved desktop receiving DNS servers via DHCP. Specifically, I have set up local DNS to resolve home.example.com to 192.168.1.1. Searching this topic has taught me that this method is called split-DNS.
>
> brad> However Android and iOS do not appear to honor my local DNS server — I’m not sure why — so they resolve the address to a routable IP and connect from within the private 192.168.1.0 subnet. My firewall sees this and drops it b/c it is a non-routable IP address connecting to the external interface. (I got this info by running tcpdump and watching traffic.)
>
> Are your iPhone and Android getting their data from the WiFi network or their phone network?

This is a great question and led to what I believe is the solution.

> You might need to sniff port 53 traffic on your firewall and see where they're sending queries to. Then you might need to block or redirect those queries to your own internal DNS server.

I did sniff port 53 (and 853) to observe DNS traffic. I also sniffed port 67 and 68 to make sure that the DNS server was getting sent w/ the DHCP request. All was good on the DHCP front, and port 53 sniffing did display the fact that my internal domain names were getting resolved to CNAMEs, but on Android, it stopped at that step. I.e. Android got a CNAME for up.internal.example.com, but did not resolve the CNAME any further.

> brad> Has anyone attempted something similar? Is there something I’m overlooking? (Probably)
>
> I've been meaning to do it myself, putting in a local internal override for my dynamic DNS external name, so I can connect from both inside and outside (when I'm on the $WORK VPN mostly) without having to remember things. Silly to bounce SSH across the country to get downstairs... but when you sit at a $WORK laptop most days... it's nice to be able to hit home stuff via SSH and screen.

Agreed, I recently set up wireguard to use as VPN for this purpose.

> brad> My goal is to not do special configurations on enduser devices.
>
> What is your firewall or router at home? Depending on what you have, you might be able to block outgoing port 53 traffic, or redirect it to your internal DNS server so those devices get the results you want.
>
> I use OpnSense at home, so if that's what you're using, we can work together on this.

My firewall is openbsd — my preferred firewall OS as I love pf — and my name server is unbound. I believe OpnSense is built on a BSD, so unbound may be an option for you.

On to the solution, or at least ‘what works for me’. As far as I can tell unbound is not an authoritative name server, so I had to change all the CNAMEs to A records. That is a little annoying when it comes to my config file, but it does work.

For your reference, a related bug report for opnsense is linked below with subsequent links about why unbound and CNAMEs do not go together.

https://github.com/opnsense/core/issues/1041

Thanks for provoking my curiosity into the eventual solution!

— brad
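What the "CNAMEs to A records" fix looks like in unbound.conf. This is an added example, not brad's actual configuration; it assumes unbound runs on the OpenBSD firewall at 192.168.1.1, that home.example.com should resolve to 192.168.1.1 on the LAN as described in the first message, and that the public zone for example.com stays at Digital Ocean untouched.

```conf
# Added example, not brad's config. Assumed: unbound on the firewall at
# 192.168.1.1, LAN 192.168.1.0/24, the public example.com zone unchanged.
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    # "transparent": names given below are answered from local data; every
    # other name under example.com is still resolved recursively from the
    # public zone, so nothing hosted at Digital Ocean is affected.
    local-zone: "example.com." transparent

    # The split-DNS override: the same hostname the public A record carries,
    # answered with the LAN address instead of the routable one.
    local-data: "home.example.com. IN A 192.168.1.1"
    local-data-ptr: "192.168.1.1 home.example.com"

    # The form that did NOT work for brad's Android: unbound answers with
    # the CNAME record only and leaves chasing the target to the client,
    # so a stub resolver that does not follow it never gets an address.
    # local-data: "home.example.com. IN CNAME nextcloud.internal.example.com."
```

Validate with `unbound-checkconf` and reload (`rcctl reload unbound` on OpenBSD), then compare the two views: `dig +short home.example.com @192.168.1.1` from the LAN should print 192.168.1.1, while `dig +short home.example.com @1.1.1.1` should still print the routable address. Because the hostname is identical on both sides, the TLS certificate for home.example.com is valid from either network; Nextcloud's `trusted_domains` setting needs to list that name once, not two names.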
"brad" == brad <bkn@ithryn.net> writes:

brad> On Nov 12, 2021, at 19:34, John Stoffel <john@stoffel.org> wrote:
brad> "brad" == brad via WLUG <wlug@lists.wlug.org> writes:

brad> To quickly summarize my problem/question, I’d like to host a nextcloud server at my house and be able to access it with the same hostname whether I’m home or away.

brad> I own a domain, let’s call it example.com. Its main DNS record points to a node at Digital Ocean. However I’d like to host a sub-domain at my house, let’s call it home.example.com. Currently home.example.com resolves to a routable IP address at my house.

brad> - When I’m on the road, I’d like to be able to connect to https://home.example.com
brad> - When I’m home, I’d like to be able to connect to https://home.example.com.

brad> The above works on a well-behaved desktop receiving DNS servers via DHCP. Specifically, I have set up local DNS to resolve home.example.com to 192.168.1.1. Searching this topic has taught me that this method is called split-DNS.

brad> However Android and iOS do not appear to honor my local DNS server — I’m not sure why — so they resolve the address to a routable IP and connect from within the private 192.168.1.0 subnet. My firewall sees this and drops it b/c it is a non-routable IP address connecting to the external interface. (I got this info by running tcpdump and watching traffic.)

brad> Are your iPhone and Android getting their data from the WiFi network or their phone network?

brad> This is a great question and led to what I believe is the solution.

brad> You might need to sniff port 53 traffic on your firewall and see where they're sending queries to. Then you might need to block or redirect those queries to your own internal DNS server.

brad> I did sniff port 53 (and 853) to observe DNS traffic. I also sniffed port 67 and 68 to make sure that the DNS server was getting sent w/ the DHCP request. All was good on the DHCP front, and port 53 sniffing did display the fact that my internal domain names were getting resolved to CNAMEs, but on Android, it stopped at that step. I.e. Android got a CNAME for up.internal.example.com, but did not resolve the CNAME any further.

Interesting, I'm kinda surprised.

brad> Has anyone attempted something similar? Is there something I’m overlooking? (Probably)

You might need/want to reboot the Android, or see if there's a way to flush its own internal DNS cache. But I don't have any Android to play with at home.

brad> I've been meaning to do it myself, putting in a local internal override for my dynamic DNS external name, so I can connect from both inside and outside (when I'm on the $WORK VPN mostly) without having to remember things. Silly to bounce SSH across the country to get downstairs... but when you sit at a $WORK laptop most days... it's nice to be able to hit home stuff via SSH and screen.

brad> Agreed, I recently set up wireguard to use as VPN for this purpose.

I just ssh home, no real need for wireguard at this time.

brad> My goal is to not do special configurations on enduser devices.

A laudable goal for sure!

brad> What is your firewall or router at home? Depending on what you have, you might be able to block outgoing port 53 traffic, or redirect it to your internal DNS server so those devices get the results you want.

brad> I use OpnSense at home, so if that's what you're using, we can work together on this.

brad> My firewall is openbsd — my preferred firewall OS as I love pf — and my name server is unbound. I believe OpnSense is built on a BSD, so unbound may be an option for you.

I'm already running unbound as my internal DNS server.

brad> On to the solution, or at least ‘what works for me’. As far as I can tell unbound is not an authoritative name server, so I had to change all the CNAMEs to A records. That is a little annoying when it comes to my config file, but it does work.

No, unbound works just fine as an authoritative nameserver from what I know. It's dnsmasq which doesn't work as an authoritative. I think the solution of using A records is actually the right one, since you want to override the outside world's A record for your hostname, so using a CNAME inside isn't going to really help because it will lookup the name, and I *think* A records are a higher priority than CNAMEs in the response. So just doing a CNAME won't do the trick. Since it's not something that changes often, having to build your own A record shouldn't be that big a deal.

brad> For your reference, a related bug report for opnsense is linked below with subsequent links about why unbound and CNAMEs do not go together.
brad> https://github.com/opnsense/core/issues/1041

This is an old bug, I'm running the latest production release of OpnSense and unbound, so I think I'm ok.

brad> Thanks for provoking my curiosity into the eventual solution!

Excellent!

John
On 2021-11-12 10:50, brad via WLUG wrote:

> However Android and iOS do not appear to honor my local DNS server — I’m not sure why — so they resolve the address to a routable IP and connect from within the private 192.168.1.0 subnet. My firewall sees this and drops it b/c it is a non-routable IP address connecting to the external interface. (I got this info by running tcpdump and watching traffic.)
>
> Has anyone attempted something similar? Is there something I’m overlooking? (Probably)

Yeah, you're not missing anything - mobile devices are just sort of a PITA. Throw in a work device which tunnels all DNS over VPN and it turns into a real headache.

If you can't seem to get the phones to obey (blocking external DNS or re-directing it *might* work), you may have to resort to NAT reflection. It's working OK for me on pfSense. Unfortunately, all traffic ends up going through the firewall, but the performance hit probably isn't too critical for most things.

Here's docs for doing this in pfSense, other "real" routers should have a similar functionality: https://docs.netgate.com/pfsense/en/latest/nat/reflection.html
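The NAT reflection fallback described above, in OpenBSD pf.conf syntax for brad's firewall (pfSense does the same thing through the linked documentation's GUI setting). This is an added example, not configuration posted by anyone in the thread; it assumes em0 is the external interface, em1 the LAN, and a separate Nextcloud host at 192.168.1.10 behind the firewall. It follows the redirect-and-reflection pattern from the OpenBSD pf FAQ.

```conf
# Added example, not from the thread. Assumed: em0 external, em1 LAN,
# Nextcloud on a LAN host at 192.168.1.10.
ext_if    = "em0"
lan       = "em1"
lan_net   = "192.168.1.0/24"
nextcloud = "192.168.1.10"

# The ordinary inbound forward for clients on the road.
pass in on $ext_if inet proto tcp to ($ext_if) port 443 rdr-to $nextcloud

# Reflection, part 1: a LAN client that resolved home.example.com to the
# public address sends its SYN to ($ext_if) through the LAN interface.
# Without this rule pf sees a private source address aimed at the external
# address and the connection dies, which is what brad's tcpdump showed.
pass in on $lan inet proto tcp from $lan_net to ($ext_if) port 443 \
    rdr-to $nextcloud

# Reflection, part 2: rewrite the source on the way back out of the LAN
# interface, so the server replies to the firewall rather than directly
# to the client. A direct reply would carry 192.168.1.10 as its source,
# would not match the client's expected peer (the public address), and
# would be dropped by the client's TCP stack.
pass out on $lan inet proto tcp from $lan_net to $nextcloud port 443 \
    received-on $lan nat-to ($lan)
```

Load it with `pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf` and test with `curl -v https://home.example.com/` from a phone on the LAN, which should now complete the TLS handshake against the public address. The price is the one Brandon mentions, plus one more: every LAN session is hairpinned through the firewall, and the Nextcloud host sees all of them coming from the firewall's LAN address, so per-client IP logging and Nextcloud's brute-force throttling (which keys on client IP) lose the ability to tell LAN users apart. Split DNS with A records avoids both problems, so reflection is best kept as the fallback Brandon describes rather than the primary path.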
participants (3)
- brad
- Brandon Hartshorn
- John Stoffel