Re: Unbound with split VPN and local domain

2019-04-15 Thread Paul Wouters via Unbound-users




On 14.04.19 at 12:43, Herbert Meier via Unbound-users wrote:

 Dear experts,

 I would like to configure unbound for my setup but I am totally lost with
 the terminology and the settings. Here is my setup:

* I have a split VPN client running that forwards certain subnets to
the VPN server and forwards *all* DNS requests to the VPN server side
(I guess all subdomains of myvpn.org should be
answered by the DNS on the VPN server side)
* I have a local router with domain "lan"
* I would like to use my ISPs DNS but do caching myself (not sure if
the router does it)

 How could I make all this work, i.e.,

* Forward all DNS requests for *.myvpn.org through VPN


Depending on the vpn software, you can redirect DNS automatically if
running unbound locally. eg libreswan will automatically run
unbound-control to forward the DNS zone(s) obtained from the IKE/IPsec
VPN server, clear cache and do the reverse on disconnect.

I used to have a patch to openvpn to do the same.

but these depend on running unbound on the device that starts the vpn
too.


* Query the router for requests for *.lan


That could be a permanent override as people explained already. You add
it to the unbound config.


* And use my ISPs DNS (via the router 192.168.178.1) for all other
queries?


That can be a simple: unbound-forward forward_add "." IpOfISPNameserver
or you can add it statically in the unbound.conf file.

Paul


Re: Unbound with split VPN and local domain

2019-04-14 Thread Eric Luehrsen via Unbound-users

On 4/14/19 8:00 AM, A. Schulze via Unbound-users wrote:

On 14.04.19 at 12:43, Herbert Meier via Unbound-users wrote:

Dear experts,

I would like to configure unbound for my setup but I am totally lost with the 
terminology and the settings. Here is my setup:

   * I have a split VPN client running that forwards certain subnets to the VPN 
server and forwards *all* DNS requests to the VPN server side (I guess all subdomains 
of myvpn.org should be answered by the DNS on the VPN server 
side)
   * I have a local router with domain "lan"
   * I would like to use my ISPs DNS but do caching myself (not sure if the 
router does it)

How could I make all this work, i.e.,

   * Forward all DNS requests for *.myvpn.org through VPN
   * Query the router for requests for *.lan
   * And use my ISPs DNS (via the router 192.168.178.1) for all other queries?

Thanks so much for your help.


Hello Herbert,

assuming the VPN-server side and the router act as authoritative nameservers, you may try 
this:

 stub-zone:
     name: "myvpn.org."
     stub-addr: 
 stub-zone:
     name: "lan."
     stub-addr: 
 forward-zone:
     name: "."
     forward-addr: 

You may replace the stub-zones with forward-zones.

Andreas



Your router is likely running dnsmasq, so "forward-zone:" is probably in order for "lan." Also don't forget about the reverse 
IP zones. Otherwise you will leak your VPN IP. I am assuming addresses to make the example clear. Also, side note: I 
would guess OpenWrt with fake domain "lan." You might install Unbound and a VPN client on your home router.


stub-zone:
    # split VPN
    name: "myvpn.org."
    stub-addr: 192.0.2.1
    stub-addr: 2001:db8::1

stub-zone:
    # split VPN (IPv4 reverse zone)
    name: "2.0.192.in-addr.arpa."
    stub-addr: 192.0.2.1
    stub-addr: 2001:db8::1

stub-zone:
    # split VPN (IPv6 reverse zone)
    name: "8.b.d.0.1.0.0.2.ip6.arpa."
    stub-addr: 192.0.2.1
    stub-addr: 2001:db8::1

forward-zone:
    # home router
    name: "lan."
    forward-addr: 10.10.0.1
    forward-addr: fd00:0a0a::1

forward-zone:
    # home router (IPv4 reverse zone)
    name: "0.10.10.in-addr.arpa."
    forward-addr: 10.10.0.1
    forward-addr: fd00:0a0a::1

forward-zone:
    # home router (IPv6 reverse zone)
    name: "a.0.a.0.0.0.d.f.ip6.arpa."
    forward-addr: 10.10.0.1
    forward-addr: fd00:0a0a::1

forward-zone:
    # protect your universe look ups with TLS
    # ISP have been suspected of data mining customers
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-first: no
    forward-tls-upstream: yes

# forward-zone:
#     # home router will likely know ISP DNS server from DHCP
#     # so forward to it and no maintenance if ISP changes
#     name: "."
#     forward-addr: 10.10.0.1
#     forward-addr: fd00:0a0a::1
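The connect/disconnect automation Paul describes (libreswan running unbound-control on VPN up/down and clearing the cache), combined with the reverse zone Eric says you must not forget, as an added example that is not code from the thread, libreswan or openvpn: a small POSIX sh hook script. It assumes unbound runs on the same host with remote-control enabled, and that the VPN client invokes the hook with the DNS domain, the tunnelled /24 and the VPN-side resolver addresses; the hook name and argument order are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the thread, libreswan or openvpn): a VPN up/down
# hook that adds/removes the forward zones for the VPN domain and its
# reverse zone at run time, mirroring what Paul describes libreswan doing.
# Assumptions: unbound runs locally with remote-control enabled; the VPN
# client calls "hook up|down DOMAIN NETWORK [DNS-ADDR...]".
# Set UNBOUND_CONTROL=echo for a dry run that only prints the commands.
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# Reverse zone name for an IPv4 /24: 192.0.2.0 -> 2.0.192.in-addr.arpa.
reverse_v4_24() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}

# vpn_up DOMAIN NETWORK DNS-ADDR... : forward DOMAIN and the reverse zone
# of NETWORK to the VPN-side resolvers, then drop cached answers so the
# split takes effect now rather than after the old records' TTL expires.
vpn_up() {
    domain="${1%.}."; rev="$(reverse_v4_24 "$2")"; shift 2
    "$UNBOUND_CONTROL" forward_add "$domain" "$@"
    "$UNBOUND_CONTROL" forward_add "$rev" "$@"
    "$UNBOUND_CONTROL" flush_zone "$domain"
    "$UNBOUND_CONTROL" flush_zone "$rev"
}

# vpn_down DOMAIN NETWORK : undo the above, so queries for the VPN domain
# and the VPN address range no longer go to a resolver that is unreachable
# (and no longer reveal which names you looked up) once the tunnel is gone.
vpn_down() {
    domain="${1%.}."; rev="$(reverse_v4_24 "$2")"
    "$UNBOUND_CONTROL" forward_remove "$domain"
    "$UNBOUND_CONTROL" forward_remove "$rev"
    "$UNBOUND_CONTROL" flush_zone "$domain"
    "$UNBOUND_CONTROL" flush_zone "$rev"
}

# Hook entry point, e.g.: vpn-hook.sh up myvpn.org 192.0.2.0 192.0.2.1
case "${1:-}" in
    up)   shift; vpn_up "$@" ;;
    down) shift; vpn_down "$@" ;;
esac
```

With the static stub-zone/forward-zone config above, the VPN domain is forwarded even while the tunnel is down; this hook instead keeps the forward only for as long as the tunnel exists.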