[dns-operations] Split view autoconfiguration

Petr Menšík pemensik at redhat.com
Thu Nov 12 15:12:11 UTC 2020



On 11/12/20 3:01 PM, Paul Wouters wrote:
> On Nov 12, 2020, at 07:59, Petr Menšík <pemensik at redhat.com> wrote:
>>
>> Hello DNS experts, Hi Paul,
>>
>> I am looking for correct way to autoconfigure split DNS. By that, I mean
>> something that dnssec-trigger prepares, when I connect to our enterprise
>> VPN. It keeps most of queries to original connection servers provided.
> 
> That is exactly what RFC 8598 does for IKEv2/IPsec. This is supported by libreswan and supports a local unbound. For the next version of libreswan we will add support for NM. systemd-resolved, knot, resolvconf (Debian)
Could you provide an issue or merge request on NM, if available?
> 
> I submitted build for openvpn with unbound support but those changes got lost over time.
> 
>> But for special internal domains, it redirects queries on local running
>> unbound server to addresses provided by VPN connection. Similar way
>> behaves systemd-resolved and dnsmasq configured by Network Manager.
> 
> I don’t quite understand what you are saying here?

I'll try to rephrase. A connection provides a list of domains it considers
internal. All names in those domains should be resolved using the DNS servers
provided by that connection. Because a common network connection managed
by NM or systemd-networkd does not have an "internal domains" property,
systemd-resolved and dnssec-trigger use the DHCP search (119) option.
> 
>> I think they use DHCP option 119 [1], which was originally used for
>> different thing. It is already used and can be used as a hint. But its
>> purpose is to search relative names. I found only explicit configuration
>> for IKEv2 [2], which provides required information.
> 
> DHCP options are only useful for non-VPN connections. There has been talk about putting the RFC 8598 options into a dhcp option but people connecting to enterprise wired/wireless don’t have a split dns normally. Either you (have to) trust the network or you fully distrust it (and want dot/doh to an external party)

They can still be connected to different networks by wired and wireless
connections. They may want to send some name queries over the "untrusted"
wireless and others over the "trusted" wired connection. A list of internal
domains provided for each connection may help with autoconfiguration.

Anyway, it might want to propagate the lan. domain instead, when I send all
default queries to the VPN server. I would like the lan. domain still sent
to my home router and not to the VPN. A DHCP option would work for that case.
> 
> 
>> Am I missing standard way to pass internal domains on VPN connections
>> for different types? Is there any best practice or recommendation how to
>> configure it in general?
> 
> openvpn surely has something but as I said, patches were lost. WireGuard will invent something homegrown once they have their userland daemon (WG-dynamic). 

I personally think a VPN should not usually push it directly to a specific
nameserver. Instead, some standard tool should be used, whatever
supported local resolver is running. Most often it would be Network
Manager on a Linux machine. Not sure if resolvconf would be the correct tool
for that.

> We can’t really standardize openvpn/WireGuard. 
We could prepare a standard handler and let the VPN plugin extract
variables from the specific connection protocol.

>> Is it so uncommon to have split horizon setup with internal connection?
>> I hope I don't know just correct terminology, could you help with that?
>> Is there DHCP option 119 alternative, which means list of internal
>> domains without additional search hints? Is there other way to configure it?
> 
> For IETF standard VPN protocol, we have the solution, and it is implemented. I can give you a certificate for VPN.nohats.ca to test.
Would be useful for testing.
> 
> Note it does do fallback to re-using the list of dns domains as search domains in resolv.conf if it doesn’t find a locally running dns server. 
> 
> Paul
> 
This means the IPsec VPN has configured "internal" domains. When the local
endpoint is not able to configure split DNS on the machine, they are
converted to search domains, correct?

I think there should also be other ways to manually configure internal
domains for a connection. Just like Domains= in systemd-networkd, but
not only for consumption by systemd-resolved.

Is there any way to configure something similar in different systems?
What about Windows 10 or Apple OSX?

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
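The thread above turns on two things: the DHCP domain-search option (119) that systemd-resolved and dnssec-trigger already reuse as a hint for "internal" domains, and the per-domain routing that the local resolver then has to be told about. The following is an added, self-contained example (not code from the thread, from libreswan, dnssec-trigger or any other project mentioned) that decodes an option 119 payload as defined in RFC 3397 and renders it as routing-only domains for systemd-resolved (the `~` prefix that makes a domain route queries without becoming a search suffix) and as unbound forward-zone stanzas. The sample payload is the one from RFC 3397's own example ("eng.apple.com" and "marketing.apple.com", the second reusing "apple.com" through a compression pointer); the server addresses are constructed placeholders. Because option 119 arrives from the network, the decoder rejects truncated data, forward or self-referencing pointers and oversized names instead of guessing.

```python
"""Decode DHCP option 119 (RFC 3397) and turn it into split-DNS routing.

Added example for the dns-operations thread; not from any project it mentions.
"""

# Constructed sample: the option payload from RFC 3397, section 2. It encodes
# "eng.apple.com" and "marketing.apple.com"; the second name reuses "apple.com"
# through the compression pointer 0xC0 0x04 (offset 4 within the option data).
SAMPLE_OPTION_119 = (
    b"\x03eng\x05apple\x03com\x00"
    b"\x09marketing\xc0\x04"
)

MAX_NAME_LEN = 255  # RFC 1035 limit on a wire-format domain name


def parse_domain_search(data: bytes) -> list[str]:
    """Return the domain names carried in a DHCP option 119 payload.

    Labels use DNS wire format. A byte with its top two bits set starts a
    compression pointer; offsets are relative to byte 0 of the (concatenated)
    option data, not to a DNS message. Malformed input raises ValueError.
    """
    names: list[str] = []
    pos = 0
    while pos < len(data):
        labels: list[str] = []
        cur = pos
        resume = None        # where the next name starts once we have jumped
        ceiling = len(data)  # every jump must land strictly before the last one
        name_len = 0
        while True:
            if cur >= len(data):
                raise ValueError(f"truncated name at offset {cur}")
            length = data[cur]
            if length == 0:              # root label terminates the name
                cur += 1
                break
            if (length & 0xC0) == 0xC0:  # compression pointer
                if cur + 1 >= len(data):
                    raise ValueError(f"truncated pointer at offset {cur}")
                target = ((length & 0x3F) << 8) | data[cur + 1]
                if resume is None:
                    resume = cur + 2
                # RFC 1035 only allows pointers to a *prior* occurrence. Requiring
                # each target to precede both the pointer and the previous jump
                # target rejects forward/self pointers and makes loops impossible.
                if target >= min(cur, ceiling):
                    raise ValueError(f"invalid compression pointer to {target}")
                ceiling = target
                cur = target
                continue
            if length & 0xC0:
                raise ValueError(f"reserved label type at offset {cur}")
            label = data[cur + 1:cur + 1 + length]
            if len(label) != length:
                raise ValueError(f"truncated label at offset {cur}")
            name_len += length + 1
            if name_len > MAX_NAME_LEN:
                raise ValueError("domain name exceeds 255 octets")
            labels.append(label.decode("ascii").lower())
            cur += 1 + length
        if resume is None:
            resume = cur
        if labels:                       # a bare root name carries no routing info
            names.append(".".join(labels))
        pos = resume
    return names


def resolved_routing_domains(domains: list[str]) -> str:
    """Value for systemd-networkd's Domains= (or `resolvectl domain <link> ...`).

    The '~' prefix marks a routing-only domain: queries under it are sent to
    this link's servers, but the name is not appended as a search suffix.
    """
    return " ".join("~" + d for d in domains)


def unbound_forward_zones(domains: list[str], servers: list[str]) -> str:
    """Render unbound.conf stanzas forwarding each internal domain to the
    connection's servers; everything else keeps unbound's default path.
    Internal zones are usually unsigned, so they are also marked
    domain-insecure to keep DNSSEC validation from rejecting them."""
    lines = ["server:"]
    lines += [f'    domain-insecure: "{d}."' for d in domains]
    for d in domains:
        lines.append("forward-zone:")
        lines.append(f'    name: "{d}."')
        lines += [f"    forward-addr: {s}" for s in servers]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    internal = parse_domain_search(SAMPLE_OPTION_119)
    print("internal domains:", internal)
    print("Domains=" + resolved_routing_domains(internal))
    # constructed placeholder address for the connection's resolver
    print(unbound_forward_zones(internal, ["192.0.2.53"]))
```

The decoder is the part worth reusing: the same wire format appears in the IKEv2 INTERNAL_DNS_DOMAIN handling that RFC 8598 describes, so a client that already trusts a connection's domain list only has to decide which resolver front end (systemd-resolved, unbound, dnsmasq) receives the rendered routing entries.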