Re: DNS and rdomains
Hi,

James (ja...@jmp-e.com) on 2020.05.28 11:12:29 +0100:
> Thanks. Your solution works but is not ideal for my situation. The
> reason it's not ideal is that one of the rdomains gets its nameserver
> from DHCP and I don't think unbound can read this information.
>
> For example, in the case of a captive portal or floating between APs I
> would like DNS to work on different LANs where outbound DNS queries are
> blocked.
>
> I'm trying to build an isolated network environment in which all traffic
> is routed over an interface with a custom DNS server and no network leaks.
>
> My solution so far is as follows:
>
>  __________   __________
> |          | |          |
> | rdomain0 | | rdomain1 |
> |  pair0   | |  pair1   |
> |  tun0    | |  wlan0   |
> |__________| |__________|
>
> with pf tagging and NAT'ing tun0 traffic behind wlan0.
> rdomain0 DNS queries should be routed to a fixed address and
> rdomain1 DNS queries should be sent to the nameserver as per
> /etc/resolv.conf generated from dhclient.
>
> Linux's implementation of network namespaces allows for custom
> resolv.conf files per network namespace [1]. The problem I
> currently face is that only 1 rdomain can perform DNS queries at a
> time by modifying /etc/resolv.conf.

This should work in OpenBSD 6.7:

Run unwind in rdomain 0 (this is optional, kind of, but a good idea to
see how it works):

    rcctl enable unwind
    rcctl start unwind

Then set your resolver to 127.0.0.1:

    echo "supersede domain-name-servers 127.0.0.1;" > /etc/dhclient.conf
    dhclient

That assumes that your rdomain 0 uses DHCP; if it does not, just set the
nameserver in /etc/resolv.conf to 127.0.0.1.

Now check that DNS works in rdomain 0.

If it does, run unwind in your rdomain 1, same method as Tom described
for nsd:

    ln -s /etc/rc.d/unwind /etc/rc.d/unwind1
    rcctl enable unwind1
    rcctl set unwind1 rtable=1
    rcctl start unwind1

Now put the supersede option into the dhclient.conf for rdomain 1, and
run dhclient there.

DNS in rdomain 1 should work, and "route -T 1 exec unwindctl sta" should
show that it's using the DHCP-supplied nameserver:

    $ unwindctl sta
    1. recursor    validating, 50ms
    3. stub        resolving,  90ms
    2. dhcp        validating, 150ms   <-- see here
    4. oDoT-dhcp   dead,       N/A

> Thanks,
>
> [1] https://www.man7.org/linux/man-pages/man8/ip-netns.8.html

--
Re: DNS and rdomains
Thanks. Your solution works but is not ideal for my situation. The
reason it's not ideal is that one of the rdomains gets its nameserver
from DHCP and I don't think unbound can read this information.

For example, in the case of a captive portal or floating between APs I
would like DNS to work on different LANs where outbound DNS queries are
blocked.

I'm trying to build an isolated network environment in which all traffic
is routed over an interface with a custom DNS server and no network leaks.

My solution so far is as follows:

 __________   __________
|          | |          |
| rdomain0 | | rdomain1 |
|  pair0   | |  pair1   |
|  tun0    | |  wlan0   |
|__________| |__________|

with pf tagging and NAT'ing tun0 traffic behind wlan0.
rdomain0 DNS queries should be routed to a fixed address and
rdomain1 DNS queries should be sent to the nameserver as per
/etc/resolv.conf generated from dhclient.

Linux's implementation of network namespaces allows for custom
resolv.conf files per network namespace [1]. The problem I
currently face is that only 1 rdomain can perform DNS queries at a
time by modifying /etc/resolv.conf.

Thanks,

[1] https://www.man7.org/linux/man-pages/man8/ip-netns.8.html

On Wed, May 27, 2020 at 11:35:11PM +0100, Tom Smyth wrote:
> howdy,
>
> you can use symbolic links for /etc/rc.d/nsd to /etc/rc.d/nsd1
> and to /etc/rc.d/nsd2 to /etc/rc.d/nsdn, where 1, 2, ..., n are your
> rdomains for your dns servers (authoritative), or you can use unbound
> instead of nsd if it is just a forwarding dns server
>
> then use for a dns server for rdomain1
>     rcctl enable nsd1
>     rcctl set nsd1 rtable=1
>
> repeat the procedure for each domain configured
>     rcctl enable nsd2
>     rcctl set nsd2 rtable=2
>
> then go back to rdomain0
>     route -T0 exec ksh
> and then run the following to start each of your daemons
>
>     rcctl start nsd1
>     rcctl start nsd2
>
> and so on and so forth...
>
> I used to have issues starting and stopping daemons if I was not in
> the correct domain when running the rcctl command,
> I saw a diff by ajacoutot a few months (or years) ago that might have
> fixed the rcctl starting daemons from a shell in a different
> rdomain...
> I just got into the habit... of going to the correct rdomain of the
> daemon or rdomain0 before running the rcctl command to start / stop or
> restart the daemon
>
> Hope this helps,
>
> Tom Smyth
>
> --
> Kindest regards,
> Tom Smyth.
Re: DNS and rdomains
Unbound can use root hints
And you can override nameservers learned from dhclient
Check man dhclient for more info
And set your resolv.conf nameservers to 127.0.0.1

Peace out

On Thursday, 28 May 2020, James wrote:
> Thanks. Your solution works but is not ideal for my situation. The
> reason it's not ideal is that one of the rdomains gets its nameserver
> from DHCP and I don't think unbound can read this information.
>
> For example, in the case of a captive portal or floating between APs I
> would like DNS to work on different LANs where outbound DNS queries are
> blocked.
> I'm trying to build an isolated network environment in which all traffic
> is routed over an interface with a custom DNS server and no network leaks.
>
> My solution so far is as follows:
>
>  __________   __________
> |          | |          |
> | rdomain0 | | rdomain1 |
> |  pair0   | |  pair1   |
> |  tun0    | |  wlan0   |
> |__________| |__________|
>
> with pf tagging and NAT'ing tun0 traffic behind wlan0.
> rdomain0 DNS queries should be routed to a fixed address and
> rdomain1 DNS queries should be sent to the nameserver as per
> /etc/resolv.conf generated from dhclient.
>
> Linux's implementation of network namespaces allows for custom
> resolv.conf files per network namespace [1]. The problem I currently face
> is that only 1 rdomain can perform DNS queries at a time by modifying
> /etc/resolv.conf.
>
> Thanks,
>
> [1] https://www.man7.org/linux/man-pages/man8/ip-netns.8.html

--
Kindest regards,
Tom Smyth.
DNS and rdomains
Hi all,

How can I allow different rdomains to use separate DNS nameservers?

Thanks
Re: DNS and rdomains
oh yeah, you will have to adjust the flags for each daemon (to accept a
different config file for each dns server in each rdomain)...

hope this helps...

On Wed, 27 May 2020 at 23:35, Tom Smyth wrote:
> howdy,
>
> you can use symbolic links for /etc/rc.d/nsd to /etc/rc.d/nsd1
> and to /etc/rc.d/nsd2 to /etc/rc.d/nsdn, where 1, 2, ..., n are your
> rdomains for your dns servers (authoritative), or you can use unbound
> instead of nsd if it is just a forwarding dns server
>
> then use for a dns server for rdomain1
>     rcctl enable nsd1
>     rcctl set nsd1 rtable=1
>
> repeat the procedure for each domain configured
>     rcctl enable nsd2
>     rcctl set nsd2 rtable=2
>
> then go back to rdomain0
>     route -T0 exec ksh
> and then run the following to start each of your daemons
>
>     rcctl start nsd1
>     rcctl start nsd2
>
> and so on and so forth...
>
> I used to have issues starting and stopping daemons if I was not in
> the correct domain when running the rcctl command,
> I saw a diff by ajacoutot a few months (or years) ago that might have
> fixed the rcctl starting daemons from a shell in a different
> rdomain...
> I just got into the habit... of going to the correct rdomain of the
> daemon or rdomain0 before running the rcctl command to start / stop or
> restart the daemon
>
> Hope this helps,
>
> Tom Smyth
>
> --
> Kindest regards,
> Tom Smyth.

--
Kindest regards,
Tom Smyth.
Re: DNS and rdomains
howdy,

you can use symbolic links for /etc/rc.d/nsd to /etc/rc.d/nsd1
and to /etc/rc.d/nsd2 to /etc/rc.d/nsdn, where 1, 2, ..., n are your
rdomains for your dns servers (authoritative), or you can use unbound
instead of nsd if it is just a forwarding dns server

then use for a dns server for rdomain1
    rcctl enable nsd1
    rcctl set nsd1 rtable=1

repeat the procedure for each domain configured
    rcctl enable nsd2
    rcctl set nsd2 rtable=2

then go back to rdomain0
    route -T0 exec ksh
and then run the following to start each of your daemons

    rcctl start nsd1
    rcctl start nsd2

and so on and so forth...

I used to have issues starting and stopping daemons if I was not in
the correct domain when running the rcctl command,
I saw a diff by ajacoutot a few months (or years) ago that might have
fixed the rcctl starting daemons from a shell in a different
rdomain...
I just got into the habit... of going to the correct rdomain of the
daemon or rdomain0 before running the rcctl command to start / stop or
restart the daemon

Hope this helps,

Tom Smyth

On Wed, 27 May 2020 at 23:24, James wrote:
>
> Hi all,
>
> How can I allow different rdomains to use separate DNS nameservers?
>
> Thanks
>

--
Kindest regards,
Tom Smyth.
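The three procedures in this thread (Tom's symlinked nsd rc.d scripts pinned to an rtable, his follow-up about giving each instance its own config via flags, and the unwind plus dhclient "supersede" recipe in the 6.7 reply) as one script, with the check James actually cares about: that /etc/resolv.conf names nothing but the local resolver, so no query can leak to a DHCP-supplied server. This is an added example and not code from the thread or from OpenBSD. It assumes the "rcctl set SERVICE rtable N" and "rcctl set SERVICE flags ..." forms from rcctl(8), the rc.d(8) convention that a symlinked script /etc/rc.d/nsd2 reads nsd2_rtable and nsd2_flags, and the interface "..." { supersede ...; } stanza of dhclient.conf(5). The function names, DRY_RUN, and the file /etc/nsd2.conf are this example's own; wlan0 comes from James's diagram. DRY_RUN defaults to 1 so the script only prints what it would do; set DRY_RUN=0 on the OpenBSD host.

```shell
#!/bin/sh
# Added example: one resolver instance per rdomain on OpenBSD via a
# symlinked rc.d script pinned to its rtable, plus a resolv.conf leak check.
# Assumes rcctl(8) "set SERVICE rtable N" / "set SERVICE flags ..." and the
# rc.d(8) per-instance symlink convention. DRY_RUN=1 (default) only prints.

: "${DRY_RUN:=1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rdomain_dns_instance DAEMON RDOMAIN [FLAGS]
#   rdomain_dns_instance unwind 1
#   rdomain_dns_instance nsd 2 "-c /etc/nsd2.conf"   # per-instance config
# Rdomain 0 uses the stock script; any other rdomain gets the symlink
# /etc/rc.d/<daemon><rdomain> and its own <daemon><rdomain>_rtable, which
# rc.subr(8) turns into "route -T <rdomain> exec" when the daemon starts.
rdomain_dns_instance() {
    daemon=$1 rd=$2 flags=$3
    case $rd in
        ''|*[!0-9]*) echo "rdomain must be a number: '$rd'" >&2; return 1 ;;
    esac
    if [ "$rd" -eq 0 ]; then
        inst=$daemon
    else
        inst="${daemon}${rd}"
        run ln -sf "/etc/rc.d/$daemon" "/etc/rc.d/$inst"
    fi
    run rcctl enable "$inst"
    [ "$rd" -eq 0 ] || run rcctl set "$inst" rtable "$rd"
    # $flags is deliberately unquoted so "-c /etc/nsd2.conf" becomes two args.
    [ -z "$flags" ] || run rcctl set "$inst" flags $flags
    run rcctl start "$inst"
}

# dhclient_supersede_stanza IFACE: dhclient.conf(5) block that makes dhclient
# write 127.0.0.1 instead of the DHCP-offered nameservers for that interface.
dhclient_supersede_stanza() {
    printf 'interface "%s" {\n\tsupersede domain-name-servers 127.0.0.1;\n}\n' "$1"
}

# resolv_is_local FILE: succeed only if FILE has at least one nameserver line
# and every one of them is loopback. Any other address means the libc resolver
# can still send queries past the per-rdomain unwind/unbound instance.
resolv_is_local() {
    n=0
    while read -r key val rest || [ -n "$key" ]; do
        [ "$key" = nameserver ] || continue
        n=$((n + 1))
        case $val in
            127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done < "$1"
    [ "$n" -gt 0 ]
}

# The thread's layout: unwind in rdomain 0 and rdomain 1, wlan0 pinned to the
# local resolver, then verify the shared /etc/resolv.conf cannot leak.
main() {
    rdomain_dns_instance unwind 0
    rdomain_dns_instance unwind 1
    dhclient_supersede_stanza wlan0      # append this to /etc/dhclient.conf
    if resolv_is_local /etc/resolv.conf; then
        echo "resolv.conf: loopback resolvers only"
    else
        echo "resolv.conf: non-loopback nameserver present, DNS can leak" >&2
    fi
}

# Run as "sh script.sh setup" on the host; sourcing it only defines functions.
if [ "${1:-}" = setup ]; then main; fi
```

With the two unwind instances running, repeat the check from the other reply ("route -T 1 exec unwindctl sta") to confirm the rdomain 1 instance is the one answering and that it learned its upstream from DHCP; resolv_is_local only proves the stub resolver has nowhere else to go.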