On 8/24/17 3:45 AM, Mark Fletcher wrote:

> Hello the list! [I suppose this is a little bit OT -- but you guys are the best concentration of experts I know, so here goes anyway...]
>
> My local network consists of a bunch of Debian machines of various ages, various iDevices, and the odd Windows machine connected either by wired or wireless ethernet to a Buffalo AirStation, whose WAN port is connected to a mini-ITX machine running LFS which acts as my firewall. The firewall's other interface connects to my cable modem and thence to the internet.
>
> For co-operation with my ISP my firewall gets its external IP address via DHCP from the ISP. I use systemd-networkd to achieve this, and this also takes care of populating /etc/resolv.conf with the name servers provided by the ISP. So the firewall has 2 interfaces, the external facing one of which gets an IP address from my ISP via DHCP, and the internal facing one has a fixed private IP address.
>
> The AirStation is also set up to get its WAN IP address via DHCP, since A) that is how it comes out of the box, B) the AirStation was for years the last line of defence between my network and the internet and the addition of the dedicated firewall is a relatively recent thing, and C) both the instructions and the web configuration tool are in Japanese and, this being a Japan-market-facing device, the language can't be changed. So I like to futz with the settings on the AirStation as little as possible.
>
> So I run dhcpd on the firewall machine, facing only the local-network-facing interface, so that when the AirStation asks for an IP address, it can be provided with one. The AirStation is _itself_ running a DHCP server on its LAN ports / WiFi, which is how the rest of my machines on my network get their local IP addresses. So the DHCP server on my firewall in effect services _only_ the AirStation.
>
> My question is this -- I want to pass through the name servers my ISP is providing, to the AirStation when it asks, so that the AirStation can use the ISP's name servers. I did think about running a DNS on the firewall also but this seems unnecessary, and would just create an extra hop to answer DNS queries.
>
> Right now I have the name server IP addresses hard coded in the dhcp.conf config file, which is fine as long as the ISP doesn't change them. But, if the ISP were to change its name servers, the firewall would pick up the changes but as things stand it would continue to provide the old name server addresses to the AirStation, which would mean the rest of the network would no longer be able to resolve DNS queries the AirStation didn't already have cached.
>
> Is there any clever way to pass through the name server settings the DHCP server provides, so that if the ISP should change its name server IP addresses in the future, my local DHCP server would pass along the new addresses when next asked? In other words, instead of specifying the name server addresses explicitly in the dhcp.conf file, is there a way to specify that they should be taken from the host the DHCP server is running on?
>
> Thanks
>
> Mark

I have a similar setup as yours but I agree with Reco as I have a
caching DNS server on my firewall machine along with dhcp. It is
set up to use DNSCrypt to encrypt/protect the connection to
OpenDNS (most DNS is in the open and can be hacked). I also have
a local domain (like mynamehome.net) so I can connect to my local
machines by name (bob.mynamehome.net). I do have my wireless
access points only serving wireless connections
(192.168.xxx.xxx/24) and the wired part of my network connects
directly to the firewall through a switch (172.16.0.0/16). I also
have firewall rules set up to redirect all connections going to
external DNS servers (Google Chrome and Android devices sometimes
make their own connections to Google DNS) to be re-directed to my
own DNS server so I am assured that all DNS is over an encrypted
link. All this allows you to be in complete control over what DNS
server is used and that your ISP isn't redirecting your internet
connections through a botched DNS server returning incorrect
addresses (either on purpose or because of a hacked server). Of
course the firewall machine has rules that block all external
(internet) connections while allowing internal connections
through. I use Shorewall which makes setting up firewall rules a
little easier.

-- 
...Bob
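For the question quoted above (handing the AirStation whatever resolvers the ISP currently supplies instead of hard-coding them), here is an added example that is not from either poster: a small POSIX shell script that regenerates an include file for ISC dhcpd from the firewall's /etc/resolv.conf and tells the caller whether anything changed. The include path, the hook that runs it (cron or networkd-dispatcher) and the reload command are assumptions.

```shell
#!/bin/sh
# Regenerate the dhcpd "option domain-name-servers" line from the
# resolvers systemd-networkd wrote into resolv.conf, so the address
# handed to the AirStation follows the ISP. Paths below are assumptions;
# dhcpd.conf is expected to contain:  include "/etc/dhcp/dns-servers.conf";

# Print the IPv4 nameserver addresses in a resolv.conf, joined by ", ".
# Only dotted quads are accepted; IPv6 entries and comments are skipped.
resolv_nameservers() {
    awk '/^[[:space:]]*nameserver[[:space:]]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[[:space:]]*$/ {
             list = (list == "" ? $2 : list ", " $2)
         }
         END { print list }' "$1"
}

# Emit the dhcpd.conf option line; fail if no usable resolver was found,
# so an empty or half-written resolv.conf never produces a broken config.
dhcpd_dns_option() {
    servers=$(resolv_nameservers "$1")
    [ -n "$servers" ] || return 1
    printf 'option domain-name-servers %s;\n' "$servers"
}

# Rewrite the include file only when the resolver list differs from what
# is already there, and report "changed" or "unchanged" on stdout.
update_dhcpd_dns() {
    resolv=${1:-/etc/resolv.conf}
    out=${2:-/etc/dhcp/dns-servers.conf}
    new=$(dhcpd_dns_option "$resolv") || return 1
    if [ -f "$out" ] && [ "$(cat "$out")" = "$new" ]; then
        echo unchanged
        return 0
    fi
    printf '%s\n' "$new" > "$out"
    echo changed
}

# Typical hook (cron or networkd-dispatcher, assumed), run as root:
#   [ "$(update_dhcpd_dns)" = changed ] \
#       && dhcpd -t -cf /etc/dhcp/dhcpd.conf && systemctl restart dhcpd
# "dhcpd -t" checks the regenerated config before the restart.
```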