OPNsense Forum
Archive => 21.1 Legacy Series => Topic started by: GurliGebis on February 12, 2021, 10:15:52 pm
-
I'm trying to limit my IOT network, to only talk to what it needs to.
I have a hostname that one of my devices needs to talk to, and if I use an online dns resolver, I can see it resolves to 3 A records (with different IP's).
The problem is, it seems that only one of these gets added to the pfTable for the alias.
So it seems like it only uses the first response it gets, instead of looking up the entire record for the host.
Is there a way to fix this, or am I back to having to allow HTTPS traffic for this device to all IP's?
-
sure you set the parameters correctly?
-
What parameters should I set? (not sure, since there does not seems to be any wrt. this).
The one I'm trying to use is "nucleo.neatocloud.com" - if I look it up at https://www.ultratools.com/tools/dnsLookup, it get three different A records.
However, when I add "nucleo.neatocloud.com" as a Host alias, only one of them gets added to the pfTable.
Which one changes in a round robin fashion, like normal DNS does when there is more than on A record.
So what I'm asking is, if there is a way to ensure that all the A records are added to the pfTable, and not just one of them.
-
hm. looks like "nucleo.neatocloud.com" is on AWS Route 53 servers. so standard DNS resolver _should_ get one IP in response (depends on routing plan but in this case it looks like it is).
https://dns.google.com/query?name=nucleo.neatocloud.com&rr_type=A&ecs=
can check how often IP will change
imo it is better to leave it as it is. every 300sec (by default) hostname in alias will be resolved and get the IP that AWS wants to give it for the current circumstances
the only question is whether this record will match the one that the devices will receive at the time of the request)
so it is probably more correct to make the alias for the address pool (AWS?), and not the hostname
-
Adding the entire AWS address pool sounds a bit too much.
The right solution would be for OpnSense to take all the A records and add all the results to the pfTable.
If there is no way to do it currently, I'll create a ticket in github about it :)
-
No need for a ticket, it works correctly. As @Fright explained, you only get one A record (use dig / nslookup to verify). Which one you get depends on your source address, which name server is being used and probably some other factors. Ultratools is a diagnostics tool, they query each name server individually (and still don't get all A records). That's not how a normal DNS resolvers works.
Reliably getting all records from such a dynamic DNS setup is simply not possible.
-
Hmm, okay.
It is weird, the device is configured to use the opnsense as DNS, so they should resolve the same records both.
But somehow, it seems like the device is getting another response than what is added to the pfTable. (Looking at the firewall log, it shows it trying to connect to one of the other IP's than the one currently in the table.)
-
Hard-coded IP? Hard-coded DNS? How sure are you the Iotrash is using OPNsense DNS? :-)
-
But somehow, it seems like the device is getting another response than what is added to the pfTable
dns-records have very short TTL (<60sec). alias updates every 300sec
-
neato realy should share cloud ip-ranges
device is configured to use the opnsense as DNS
in this case there is one wild idea: point beehive.neatocloud.com and nucleo.neatocloud.com to LAN interface IPs (need virtual IP for second address) and port-forward requests from IoT on 443 ports to Host-Aliases . probably it will be necessary to reduce the Aliases Resolve Interval a little
(need to be tested. just an idea)
-
No devices on that VLAN is allowed to talk on port 53, except with the gateway, so I'm pretty sure it is only using the gateway as dns. Also, the dns logfile shows the requests 🙂
Hmm, so you say the alias is not using the same dns response the device is getting? That makes it impossible to get working, or am I missing something?
-
Hmm, the port forward idea might work.
Would a virtual ip on the same VLAN work?
-
Would a virtual ip on the same VLAN work?
sure, why not?
That makes it impossible to get working, or am I missing something?
I think that neato tech support would recommend opening an AWS address range)
-
neato realy should share cloud ip-ranges
device is configured to use the opnsense as DNS
in this case there is one wild idea: point beehive.neatocloud.com and nucleo.neatocloud.com to LAN interface IPs (need virtual IP for second address) and port-forward requests from IoT on 443 ports to Host-Aliases . probably it will be necessary to reduce the Aliases Resolve Interval a little
(need to be tested. just an idea)
I just tried this - the only problem with this is that if I set a host override on the opnsense box, it causes it to resolve the alias to this ip too, since it is using itself as a DNS server.
-
can try to enable "Do not use the local DNS service as a nameserver for this system" on "System: Settings: General"
https://docs.opnsense.org/manual/settingsmenu.html#general
-
can try to enable "Do not use the local DNS service as a nameserver for this system" on "System: Settings: General"
https://docs.opnsense.org/manual/settingsmenu.html#general
Yep, that did the trick.
Had to do some other tricks to get the app to work (conditional forwarding that domain directly outside from my internal dns server).
It is a mess, but it works :)
-
It's a complete mess, but I'm glad it works ;D
-
Me too - do you think it would have worked lowering the alias interval to something lower than the TTL on the records?
-
I would try to leave it as it is (I think that most likely this is just balancing and everything will work with default 300sec). if there are periodic connection losses, then you can try to reduce the update interval
AWS TTL is too short imho - in any case i would not set such a short interval (~60sec) for Alias hostname resolution.
-
Okay, I'll leave it as is - it seems to be working now, which is the most important part.
Limiting IoT devices is an interresting challenge.
-
I optimized it a bit, instead of having to use a conditional forwarder for my internal dns, i included a custom config for unbound that overrides the host only for my IOT VLAN :)