Re: DNS resolution when 1st nameserver does not know

2024-02-15 Thread Rudolf Sykora
Stuart Henderson  wrote:
> On 2024-02-15, Rudolf Sykora  wrote:
> > Josh Grosse  wrote:
> >> On Thu, Feb 15, 2024 at 02:15:07PM +0100, rsyk...@disroot.org wrote:
> >> > my computer is connected to a LAN, from which it obtains its
> >> > IP and also local-DNS-server IP via DHCP. The latter is then
> >> > inserted into /etc/resolv.conf by, I believe, resolvd. The
> >> > computer is furthermore connected via wireguard VPN to
> >> > another network with its own DNS server, serving the local
> >> > IPs there. The DNS server in my LAN, of course, does not
> >> > know the (non-public) IPs in the remote network. However, as
> >> > it comes 1st in /etc/resolv.conf, the nameserver that comes
> >> > next (I manually added it to the file) --- and which would
> >> > know the answer --- is never asked. I can stop resolvd and
> >> > use the DNS server within the VPN for all the traffic. But
> >> > I'd still prefer to have most of the work done by the local
> >> > DNS server, and only if it doesn't know I would ask the
> >> > server in the VPN. Is there anything simple I can do?
> >> 
> >> Take a look at unwind(8) and unwind.conf(5).
> >
> >
> > Ok. Creating /etc/unwind.conf with 
> >
> > forwarder {X.X.X.X} 
> >
> > where X.X.X.X is the IP address of the DNS server within the VPN,
> > and turning on unwind with
> >
> > ;rcctl enable unwind
> > ;rcctl start unwind
> >
> > does do something, in the sense that I get all the symbolic
> > names resolved. But can I tell what DNS server was asked for
> > the translation? --- so that I can check that it is the
> > local nameserver (as obtained from the local DHCP server)
> > that gets queried first and only when it does not know the
> > answer, unwind asks VPN DNS server (X.X.X.X above) for the
> > answer?
> 
> you can't do "fallback if domain doesn't exist in the first resolver",
> but you can tell it to always use the forwarder for certain domains.
> as well as configuring the forwarder, use something like "preference
> autoconf" and "force forwarder {some.domain other.domain}".

Thanks. I think
force forwarder {vpn.domain}
works for me.

Ruda
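As an added illustration (not from any of the posters), this is what Stuart's suggestion looks like as a complete /etc/unwind.conf, with the first attempt from the thread kept as commented-out lines for comparison. The forwarder address 192.0.2.53 and the domain vpn.example are constructed placeholders for the X.X.X.X and vpn.domain used in the thread.

```conf
# /etc/unwind.conf (added example, not from the thread)
#
# First attempt from the thread: a bare forwarder. A configured forwarder
# ranks above the autoconf (DHCP) resolver in unwind's default preference
# order, so every query, not just the VPN names, went to the VPN server.
#
#   forwarder { 192.0.2.53 }
#
# Corrected form, following Stuart's advice:

# The VPN's DNS server (placeholder for X.X.X.X in the thread).
forwarder { 192.0.2.53 }

# Prefer the resolver learned via DHCP (resolvd/autoconf) for ordinary
# lookups, so the LAN server still does most of the work.
preference { autoconf }

# Names under the VPN's domain always go to the forwarder, regardless of
# preference. This is the only way to get the split: unwind does not
# fall back to another resolver when the first one answers NXDOMAIN.
# Useful side effect: lookups for internal VPN hostnames are never sent
# to the LAN resolver.
force forwarder { vpn.example }
```

After `rcctl restart unwind`, `unwindctl status` lists the configured resolver types and which one unwind currently prefers.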



Re: DNS resolution when 1st nameserver does not know

2024-02-15 Thread Stuart Henderson
On 2024-02-15, Rudolf Sykora  wrote:
> Josh Grosse  wrote:
>> On Thu, Feb 15, 2024 at 02:15:07PM +0100, rsyk...@disroot.org wrote:
>> > my computer is connected to a LAN, from which it obtains its
>> > IP and also local-DNS-server IP via DHCP. The latter is then
>> > inserted into /etc/resolv.conf by, I believe, resolvd. The
>> > computer is furthermore connected via wireguard VPN to
>> > another network with its own DNS server, serving the local
>> > IPs there. The DNS server in my LAN, of course, does not
>> > know the (non-public) IPs in the remote network. However, as
>> > it comes 1st in /etc/resolv.conf, the nameserver that comes
>> > next (I manually added it to the file) --- and which would
>> > know the answer --- is never asked. I can stop resolvd and
>> > use the DNS server within the VPN for all the traffic. But
>> > I'd still prefer to have most of the work done by the local
>> > DNS server, and only if it doesn't know I would ask the
>> > server in the VPN. Is there anything simple I can do?
>> 
>> Take a look at unwind(8) and unwind.conf(5).
>
>
> Ok. Creating /etc/unwind.conf with 
>
> forwarder {X.X.X.X} 
>
> where X.X.X.X is the IP address of the DNS server within the VPN,
> and turning on unwind with
>
> ;rcctl enable unwind
> ;rcctl start unwind
>
> does do something, in the sense that I get all the symbolic
> names resolved. But can I tell what DNS server was asked for
> the translation? --- so that I can check that it is the
> local nameserver (as obtained from the local DHCP server)
> that gets queried first and only when it does not know the
> answer, unwind asks VPN DNS server (X.X.X.X above) for the
> answer?

you can't do "fallback if domain doesn't exist in the first resolver",
but you can tell it to always use the forwarder for certain domains.
as well as configuring the forwarder, use something like "preference
autoconf" and "force forwarder {some.domain other.domain}".

-- 
Please keep replies on the mailing list.



Re: DNS resolution when 1st nameserver does not know

2024-02-15 Thread Rudolf Sykora
Josh Grosse  wrote:
> On Thu, Feb 15, 2024 at 02:15:07PM +0100, rsyk...@disroot.org wrote:
> > my computer is connected to a LAN, from which it obtains its
> > IP and also local-DNS-server IP via DHCP. The latter is then
> > inserted into /etc/resolv.conf by, I believe, resolvd. The
> > computer is furthermore connected via wireguard VPN to
> > another network with its own DNS server, serving the local
> > IPs there. The DNS server in my LAN, of course, does not
> > know the (non-public) IPs in the remote network. However, as
> > it comes 1st in /etc/resolv.conf, the nameserver that comes
> > next (I manually added it to the file) --- and which would
> > know the answer --- is never asked. I can stop resolvd and
> > use the DNS server within the VPN for all the traffic. But
> > I'd still prefer to have most of the work done by the local
> > DNS server, and only if it doesn't know I would ask the
> > server in the VPN. Is there anything simple I can do?
> 
> Take a look at unwind(8) and unwind.conf(5).


Ok. Creating /etc/unwind.conf with 

forwarder {X.X.X.X} 

where X.X.X.X is the IP address of the DNS server within the VPN,
and turning on unwind with

;rcctl enable unwind
;rcctl start unwind

does do something, in the sense that I get all the symbolic
names resolved. But can I tell what DNS server was asked for
the translation? --- so that I can check that it is the
local nameserver (as obtained from the local DHCP server)
that gets queried first and only when it does not know the
answer, unwind asks VPN DNS server (X.X.X.X above) for the
answer?

Thanks.


Ruda




Re: DNS resolution when 1st nameserver does not know

2024-02-15 Thread Josh Grosse
On Thu, Feb 15, 2024 at 02:15:07PM +0100, rsyk...@disroot.org wrote:
> my computer is connected to a LAN, from which it obtains its
> IP and also local-DNS-server IP via DHCP. The latter is then
> inserted into /etc/resolv.conf by, I believe, resolvd. The
> computer is furthermore connected via wireguard VPN to
> another network with its own DNS server, serving the local
> IPs there. The DNS server in my LAN, of course, does not
> know the (non-public) IPs in the remote network. However, as
> it comes 1st in /etc/resolv.conf, the nameserver that comes
> next (I manually added it to the file) --- and which would
> know the answer --- is never asked. I can stop resolvd and
> use the DNS server within the VPN for all the traffic. But
> I'd still prefer to have most of the work done by the local
> DNS server, and only if it doesn't know I would ask the
> server in the VPN. Is there anything simple I can do?

Take a look at unwind(8) and unwind.conf(5).