Re: [Freeipa-users] non-authoritative tricks for DNS resolution

2016-07-19 Thread Petr Spacek
On 18.7.2016 23:06, Brendan Kearney wrote:
> On 07/18/2016 06:12 AM, Petr Spacek wrote:
>> On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote:
>>> Would a DNS view (bind) work?
>>>
>>> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm
>>>
>>> Also, depending on what you are using for NAT, some devices will mangle the
>>> reply payload of A record lookups as they traverse NAT to avoid hairpinning
>>> (a packet going out and then back in the same interface as it traverses
>>> NAT).  This is known as DNS doctoring, at least in the world of Cisco.
>>>
>>> http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html
>>>
>>>
>>> Let me know if either of those will solve your problem.  If not, I might
>>> have a misunderstanding of what you are asking.
>>>
>>> Dan
>>>
>>>> On Jul 17, 2016, at 3:36 PM, Brendan Kearney  wrote:
>>>>
>>>> i am looking to setup a VPN in order to access some resources, and want to
>>>> point my clients at this resource via DNS.  the resource i am accessing is
>>>> internet resolvable, but i am accessing it via the VPN, and using a NAT
>>>> for the VPN (full 1-to-1 or static NAT).  i want to have a record in my
>>>> DNS for this resource, using its proper name (which i am not authoritative
>>>> for), but assign it the IP of my NAT.
>>>>
>>>> say for example, host.domain-ext.tld is the resource i want to access, and
>>>> it resolves externally to 1.2.3.4.  my VPN NAT would be 192.168.99.137.  i
>>>> want internal resolution of DNS to point to 192.168.99.137 so the network
>>>> routing takes my internal clients to the VPN and not out to the internet.
>>>>
>>>> i am using isc bind, bind-dyndb-ldap, and fedora, but not freeipa, for
>>>> dns.  how do i setup the zone and record to accomplish this DNS trick?  i
>>>> have talked with some DNS gurus and they indicate that i can do something
>>>> with the "@" record.  it seems that the record i want, would be its own
>>>> zone, and the @ record would point to the name, and the SOA would be the
>>>> NAT IP.  i could be wrong about the details, but something like this is
>>>> how to setup resolution the way i want.
>>>>
>>>> any pointers would be greatly appreciated.
>> Background note:
>> All these DNS tricks are hacks to work around an IP routing problem in the
>> configuration you described.
>>
>> If you really want to use DNS tricks, you can create a DNS zone with a name
>> equal to the one you want to override and fill this zone with an A/ record at
>> the zone apex (@).
>> The DNS approach has some inherent advantages:
>>
>> 1. All DNS names below the name you want to 'hijack' will not be resolvable in
>> your network. E.g. if the name is hijacked.example.com. then sub-domains like
>> anything.hijacked.example.com. will not be resolvable.
>>
>> 2. Your clients will go securely over VPN if and only if they use your local
>> DNS servers. Any client configured (even accidentally) to use some other DNS
>> server (e.g. public 8.8.8.8) will get the 'public' address and will not tunnel
>> the traffic over VPN.
>>
>>
>> The secure and reliable solution is not to use DNS but to solve things on the
>> IP layer: on the network gateway, configure an IPSec tunnel (or any other VPN)
>> in a way that *the original IP address* is routed over VPN.
>>
>> This does not require any DNS tricks and thus will work regardless of client
>> configuration.
>>
>> I hope it helps.
>>
> our posture states that we do not route network space that is not ours, unless
> exigent circumstances dictate otherwise.  we have dedicated address space to
> NAT pools, in order to facilitate this. we also forbid external dns resolution
> from endpoints, by limiting what can go out to the roots for recursion. 

Blocking port 53 is slowly becoming a pointless exercise as RFC 7858 gets
incrementally adopted. DNS is going to be indistinguishable from any TLS
traffic, potentially even over port 443.

Having said that, it is better to plan for changes sooner rather than later.


> misconfigured clients are not able to perform DNS resolution.  we work with
> our counterparts on the other side of the VPN to ensure we are only adding a
> host record, and that sub-domains are not a point of failure for our access.
> 
> in terms of setting up this zone, how would one construct the ldif to create
> it?  because i am not using FreeIPA, i do not have the seemingly built-in
> tools to perform this function.  any reading material on the subject is 
> welcomed.

The zone would be the very same as any other DNS zone, please see the
doc/example.ldif file in the bind-dyndb-ldap distribution.

You may want to play RPZ tricks, but this needs to be done using standard BIND
config.


Keep in mind that all this will break as soon as DNSSEC is enabled because
your address hijacking will be indistinguishable from an attack.

(In other words, this is the technically wrong approach. A solution on the IP
routing layer is technically cleaner.)

-- 
Petr^2 Spacek

Re: [Freeipa-users] non-authoritative tricks for DNS resolution

2016-07-18 Thread Brendan Kearney

On 07/18/2016 06:12 AM, Petr Spacek wrote:

> On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote:
>
>> Would a DNS view (bind) work?
>>
>> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm
>>
>> Also, depending on what you are using for NAT, some devices will mangle the
>> reply payload of A record lookups as they traverse NAT to avoid hairpinning (a
>> packet going out and then back in the same interface as it traverses NAT).
>> This is known as DNS doctoring, at least in the world of Cisco.
>>
>> http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html
>>
>> Let me know if either of those will solve your problem.  If not, I might have a
>> misunderstanding of what you are asking.
>>
>> Dan
>>
>>> On Jul 17, 2016, at 3:36 PM, Brendan Kearney  wrote:
>>>
>>> i am looking to setup a VPN in order to access some resources, and want to
>>> point my clients at this resource via DNS.  the resource i am accessing is
>>> internet resolvable, but i am accessing it via the VPN, and using a NAT for the
>>> VPN (full 1-to-1 or static NAT).  i want to have a record in my DNS for this
>>> resource, using its proper name (which i am not authoritative for), but assign
>>> it the IP of my NAT.
>>>
>>> say for example, host.domain-ext.tld is the resource i want to access, and it
>>> resolves externally to 1.2.3.4.  my VPN NAT would be 192.168.99.137.  i want
>>> internal resolution of DNS to point to 192.168.99.137 so the network routing
>>> takes my internal clients to the VPN and not out to the internet.
>>>
>>> i am using isc bind, bind-dyndb-ldap, and fedora, but not freeipa, for dns.  how do i
>>> setup the zone and record to accomplish this DNS trick?  i have talked with some DNS
>>> gurus and they indicate that i can do something with the "@" record.  it seems
>>> that the record i want, would be its own zone, and the @ record would point to the name,
>>> and the SOA would be the NAT IP.  i could be wrong about the details, but something like
>>> this is how to setup resolution the way i want.
>>>
>>> any pointers would be greatly appreciated.
>
> Background note:
> All these DNS tricks are hacks to work around an IP routing problem in the
> configuration you described.
>
> If you really want to use DNS tricks, you can create a DNS zone with a name
> equal to the one you want to override and fill this zone with an A/ record at
> the zone apex (@).
> The DNS approach has some inherent advantages:
>
> 1. All DNS names below the name you want to 'hijack' will not be resolvable in
> your network. E.g. if the name is hijacked.example.com. then sub-domains like
> anything.hijacked.example.com. will not be resolvable.
>
> 2. Your clients will go securely over VPN if and only if they use your local
> DNS servers. Any client configured (even accidentally) to use some other DNS
> server (e.g. public 8.8.8.8) will get the 'public' address and will not tunnel
> the traffic over VPN.
>
>
> The secure and reliable solution is not to use DNS but to solve things on the
> IP layer: on the network gateway, configure an IPSec tunnel (or any other VPN)
> in a way that *the original IP address* is routed over VPN.
>
> This does not require any DNS tricks and thus will work regardless of client
> configuration.
>
> I hope it helps.

our posture states that we do not route network space that is not ours, 
unless exigent circumstances dictate otherwise.  we have dedicated 
address space to NAT pools, in order to facilitate this. we also forbid 
external dns resolution from endpoints, by limiting what can go out to 
the roots for recursion.  misconfigured clients are not able to perform 
DNS resolution.  we work with our counterparts on the other side of the 
VPN to ensure we are only adding a host record, and that sub-domains are 
not a point of failure for our access.


in terms of setting up this zone, how would one construct the ldif to 
create it?  because i am not using FreeIPA, i do not have the seemingly 
built-in tools to perform this function.  any reading material on the 
subject is welcomed.


thanks,

brendan

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] non-authoritative tricks for DNS resolution

2016-07-18 Thread Petr Spacek
On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote:
> Would a DNS view (bind) work?
> 
> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm
> 
> Also, depending on what you are using for NAT, some devices will mangle the
> reply payload of A record lookups as they traverse NAT to avoid hairpinning
> (a packet going out and then back in the same interface as it traverses NAT).
> This is known as DNS doctoring, at least in the world of Cisco.
> 
> http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html
> 
> Let me know if either of those will solve your problem.  If not, I might have 
> a misunderstanding of what you are asking.
> 
> Dan
> 
>> On Jul 17, 2016, at 3:36 PM, Brendan Kearney  wrote:
>>
>> i am looking to setup a VPN in order to access some resources, and want to 
>> point my clients at this resource via DNS.  the resource i am accessing is 
>> internet resolvable, but i am accessing it via the VPN, and using a NAT for 
>> the VPN (full 1-to-1 or static NAT).  i want to have a record in my DNS for 
>> this resource, using its proper name (which i am not authoritative for), but 
>> assign it the IP of my NAT.
>>
>> say for example, host.domain-ext.tld is the resource i want to access, and 
>> it resolves externally to 1.2.3.4.  my VPN NAT would be 192.168.99.137.  i 
>> want internal resolution of DNS to point to 192.168.99.137 so the network 
>> routing takes my internal clients to the VPN and not out to the internet.
>>
>> i am using isc bind, bind-dyndb-ldap, and fedora, but not freeipa, for dns.  
>> how do i setup the zone and record to accomplish this DNS trick?  i have 
>> talked with some DNS gurus and they indicate that i can do something with 
>> the "@" record.  it seems that the record i want, would be its own zone, and 
>> the @ record would point to the name, and the SOA would be the NAT IP.  i 
>> could be wrong about the details, but something like this is how to setup 
>> resolution the way i want.
>>
>> any pointers would be greatly appreciated.

Background note:
All these DNS tricks are hacks to work around an IP routing problem in the
configuration you described.

If you really want to use DNS tricks, you can create a DNS zone with a name
equal to the one you want to override and fill this zone with an A/ record at
the zone apex (@).
The DNS approach has some inherent advantages:

1. All DNS names below the name you want to 'hijack' will not be resolvable in
your network. E.g. if the name is hijacked.example.com. then sub-domains like
anything.hijacked.example.com. will not be resolvable.

2. Your clients will go securely over VPN if and only if they use your local
DNS servers. Any client configured (even accidentally) to use some other DNS
server (e.g. public 8.8.8.8) will get the 'public' address and will not tunnel
the traffic over VPN.


The secure and reliable solution is not to use DNS but to solve things on the
IP layer: on the network gateway, configure an IPSec tunnel (or any other VPN)
in a way that *the original IP address* is routed over VPN.

This does not require any DNS tricks and thus will work regardless of client
configuration.

I hope it helps.

-- 
Petr^2 Spacek
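The apex-override zone Petr describes here, and the LDIF Brendan asks about in the later reply (answered with a pointer to doc/example.ldif), written out as an added example; it is not from the thread or from the bind-dyndb-ldap distribution. It assumes the bind-dyndb-ldap schema's idnsZone/idnsRecord object classes, a base DN of cn=dns,dc=example,dc=com and a local server name ns1.example.com, all of which are assumptions made here.

```ldif
# Added example (not from the thread or the bind-dyndb-ldap docs).
# One zone whose apex is the hijacked name itself: queries for
# host.domain-ext.tld get the VPN NAT address 192.168.99.137 instead of the
# public 1.2.3.4. Assumed: base DN cn=dns,dc=example,dc=com, server ns1.example.com.
dn: idnsName=host.domain-ext.tld,cn=dns,dc=example,dc=com
objectClass: top
objectClass: idnsZone
objectClass: idnsRecord
idnsName: host.domain-ext.tld
idnsZoneActive: TRUE
# SOA and NS data is local-only fiction; the real authoritative servers for
# domain-ext.tld are untouched, which is exactly why DNSSEC validation fails.
idnsSOAmName: ns1.example.com.
idnsSOArName: hostmaster.example.com.
idnsSOAserial: 2016071901
idnsSOArefresh: 3600
idnsSOAretry: 900
idnsSOAexpire: 604800
idnsSOAminimum: 300
nSRecord: ns1.example.com.
# The "@" record Brendan was told about: the apex A record is the override.
aRecord: 192.168.99.137
```

After loading this with ldapadd, `dig @your-bind-server host.domain-ext.tld A` should return 192.168.99.137, while `dig @your-bind-server anything.host.domain-ext.tld A` returns NXDOMAIN from this server, which is Petr's first caveat in practice.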



Re: [Freeipa-users] non-authoritative tricks for DNS resolution

2016-07-17 Thread Sullivan, Daniel [AAA]
Would a DNS view (bind) work?

http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm

Also, depending on what you are using for NAT, some devices will mangle the 
reply payload of A record lookups as they traverse NAT to avoid hairpinning (a 
packet going out and then back in the same interface as it traverses NAT).  
This is known as DNS doctoring, at least in the world of Cisco.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

Let me know if either of those will solve your problem.  If not, I might have a 
misunderstanding of what you are asking.

Dan

> On Jul 17, 2016, at 3:36 PM, Brendan Kearney  wrote:
> 
> i am looking to setup a VPN in order to access some resources, and want to 
> point my clients at this resource via DNS.  the resource i am accessing is 
> internet resolvable, but i am accessing it via the VPN, and using a NAT for 
> the VPN (full 1-to-1 or static NAT).  i want to have a record in my DNS for 
> this resource, using its proper name (which i am not authoritative for), but 
> assign it the IP of my NAT.
> 
> say for example, host.domain-ext.tld is the resource i want to access, and it 
> resolves externally to 1.2.3.4.  my VPN NAT would be 192.168.99.137.  i want 
> internal resolution of DNS to point to 192.168.99.137 so the network routing 
> takes my internal clients to the VPN and not out to the internet.
> 
> i am using isc bind, bind-dyndb-ldap, and fedora, but not freeipa, for dns.  
> how do i setup the zone and record to accomplish this DNS trick?  i have 
> talked with some DNS gurus and they indicate that i can do something with the 
> "@" record.  it seems that the record i want, would be its own zone, and the 
> @ record would point to the name, and the SOA would be the NAT IP.  i could 
> be wrong about the details, but something like this is how to setup 
> resolution the way i want.
> 
> any pointers would be greatly appreciated.
> 
> thanks,
> 
> brendan
> 


[Freeipa-users] non-authoritative tricks for DNS resolution

2016-07-17 Thread Brendan Kearney
i am looking to setup a VPN in order to access some resources, and want 
to point my clients at this resource via DNS.  the resource i am 
accessing is internet resolvable, but i am accessing it via the VPN, and 
using a NAT for the VPN (full 1-to-1 or static NAT).  i want to have a 
record in my DNS for this resource, using its proper name (which i am 
not authoritative for), but assign it the IP of my NAT.


say for example, host.domain-ext.tld is the resource i want to access, 
and it resolves externally to 1.2.3.4.  my VPN NAT would be 
192.168.99.137.  i want internal resolution of DNS to point to 
192.168.99.137 so the network routing takes my internal clients to the 
VPN and not out to the internet.


i am using isc bind, bind-dyndb-ldap, and fedora, but not freeipa, for 
dns.  how do i setup the zone and record to accomplish this DNS trick?  
i have talked with some DNS gurus and they indicate that i can do 
something with the "@" record.  it seems that the record i want, would 
be its own zone, and the @ record would point to the name, and the SOA 
would be the NAT IP.  i could be wrong about the details, but something 
like this is how to setup resolution the way i want.


any pointers would be greatly appreciated.

thanks,

brendan
