On Wed, 30 Sep 2020 16:32:41 +0100 Mark Rogers mark@more-solutions.co.uk allegedly wrote:
> The use case is that inside my office they resolve via local DNS, but outside the office I may connect to them via VPN. Since I don't want to redirect all my DNS queries across the VPN, the external DNS solves this problem.
> If there's a better solution I'm interested.
Why do you not want your DNS queries to go over the VPN? Surely that is /exactly/ what you /should/ want? Certainly I always do. Anything else is a leak and a potential privacy nightmare.
If you are inside your network, then the internal DNS will correctly resolve the addresses and you can reach the servers. If you are /outside/ the network, then by definition you cannot reach the internal servers unless you use the VPN, and if you are using the VPN, what is the problem with using the internal DNS?
> And my colleagues will have to add them to their router DNS too, and if I want to use my laptop from a hotel they'll need to be in the laptop hosts anyway (and I have several laptops). And I have no idea how to add them to the hosts file on my phone (although I'm sure that is possible.) A single external DNS solves all that.
I'm sorry, perhaps I'm not understanding something here, but I really don't get this at all. If your colleagues are inside the office, then they use the same DNS you do; if they are outside, then they could not possibly reach the internal servers anyway (unless they too use a VPN), so what is the point of them having DNS entries on their routers (or entries on the external DNS server) pointing to the internal servers? And if they /do/ use VPNs, then again the internal DNS would resolve things correctly for them.
Furthermore, if you are in a hotel (and thus outside) again you cannot reach the internal office server unless you use a VPN, and as I have said, if you use a VPN, it should resolve addresses internally so your DNS queries /need/ to go over the VPN. Same applies to your phone. You don't need to add a hosts file to your phone, so long as it connects over a VPN and uses the internal DNS. And if it doesn't connect over a VPN, it cannot reach the servers anyway.
I /really/ don't understand why you should think you need to have internal unrouteable addresses in an external DNS server.
I don't think turning off dns-rebind is a good idea. It leaves you open to same origin attacks from hostile websites. (See https://en.wikipedia.org/wiki/DNS_rebinding ).
> Indeed, and I'd like a better solution. (I only need it for a single domain but I can't see a way to limit it that way.)
> It worked fine before I installed OpenWRT so whilst OpenWRT's default is better than my old router's, having this open isn't unusual it seems.
I think Adam has answered this.
Mick
---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
---------------------------------------------------------------------
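For the "single domain" case raised above, an added configuration example (not from anyone in this thread, and not Adam's answer) showing how OpenWrt's dnsmasq section in /etc/config/dhcp can keep rebind protection enabled while exempting only one internal zone; the domain name office.example is a placeholder assumption.

```uci
# /etc/config/dhcp (dnsmasq section), added example, not from the thread.
# Keep rebind protection ON: answers from upstream resolvers that point at
# private (RFC 1918) or loopback addresses are discarded, which is what
# stops a hostile site from rebinding its hostname to your LAN.
config dnsmasq
	option rebind_protection '1'
	# Do not exempt 127.0.0.0/8 answers either (default is off).
	option rebind_localhost '0'
	# Allow private-address answers ONLY for the one internal zone.
	# Everything else is still filtered. 'office.example' is a placeholder.
	list rebind_domain 'office.example'
```

After editing, `/etc/init.d/dnsmasq restart` applies the change; the same effect on plain dnsmasq is `--stop-dns-rebind --rebind-domain-ok=/office.example/`.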