Virtual private networks / Best practice advice for internal/VPN dns overrides
« on: June 10, 2021, 11:30:47 pm »
Hello everyone,
I'm running a Proxmox server that contains several service/application VMs as well as an OPNS VM. All VMs, including OPNS, are connected to one dedicated internal-only bridge so that they can communicate separately from external traffic handling / NATing for purely internal purposes.
I'm managing two domains: foo.network and bar.com, with the latter one used for publicly used (and advertised) services and the former one for internal or more technical use (but they are still available from www).
To limit access to security-critical services like OPNS, Mail-Server, analysis etc. I'm shutting them down on firewall-side and specifically whitelist IPs. This obviously lacks any dynamics and seems kind of clumsy.
With the given infrastructure, it'd be ideal if I would simply limit access to these services to their internal interfaces. My question is: Is it possible (in a clean, not-hacky way) to implement a DNS server for VPN connected users (to OPNS) that then has a higher priority than (or: overrides) the public ones, so that e.g. x.foo.network, which resolves to 88.88.88.100 when requested from the www, then resolves to 10.0.0.100 because it is requested by someone in the VPN network (and thus be accessible for the VPN connected user by just typing in the URI in the browser, not blocked by OPNS because it's internal-to-internal traffic)? May this be even possible with the built-in Unbound server of OPNS?
Thanks!