
Re: DHCP server that itself gets an IP address by DHCP



On 8/24/17 3:45 AM, Mark Fletcher wrote:
Hello the list!

[I suppose this is a little bit OT -- but you guys are the best 
concentration of experts I know, so here goes anyway...]

My local network consists of a bunch of Debian machines of various ages, 
various iDevices, and the odd Windows machine connected either by wired 
or wireless ethernet to a Buffalo AirStation, whose WAN port is 
connected to a mini-ITX machine running LFS which acts as my firewall. 
The firewall's other interface connects to my cable modem and thence to 
the internet.

For co-operation with my ISP my firewall gets its external IP address 
via DHCP from the ISP. I use systemd-networkd to achieve this, and this 
also takes care of populating /etc/resolv.conf with the name servers 
provided by the ISP.

So the firewall has 2 interfaces, the external facing one of which gets 
an IP address from my ISP via DHCP, and the internal facing one has a 
fixed private IP address.

The AirStation is also set up to get its WAN IP address via DHCP, since 
A) that is how it comes out of the box, B) the AirStation was for years 
the last line of defence between my network and the internet and the 
addition of the dedicated firewall is a relatively recent thing, and C) 
both the instructions and the web configuration tool are in Japanese 
and, this being a Japan-market-facing device, the language can't be 
changed. So I like to futz with the settings on the AirStation as little 
as possible.

So I run dhcpd on the firewall machine, facing only the 
local-network-facing interface, so that when the AirStation asks for an 
IP address, it can be provided with one.

The AirStation is _itself_ running a DHCP server on its LAN ports / 
WiFi, which is how the rest of my machines on my network get their local 
IP addresses. So the DHCP server on my firewall in effect services 
_only_ the AirStation.

My question is this -- I want to pass through the name servers my ISP is 
providing, to the AirStation when it asks, so that the AirStation can 
use the ISP's name servers. I did think about running a DNS on the 
firewall also but this seems unnecessary, and would just create an extra 
hop to answer DNS queries.

Right now I have the name server IP addresses hard coded in the 
dhcp.conf config file, which is fine as long as the ISP doesn't change 
them. But, if the ISP were to change its name servers, the firewall 
would pick up the changes but as things stand it would continue to 
provide the old name server addresses to the AirStation, which would 
mean the rest of the network would no longer be able to resolve DNS 
queries the AirStation didn't already have cached.

Is there any clever way to pass through the name server settings 
the DHCP server provides, so that if the ISP should change its name 
server IP addresses in the future, my local DHCP server would pass along 
the new addresses when next asked?

In other words, instead of specifying the name server addresses 
explicitly in the dhcp.conf file, is there a way to specify that they 
should be taken from the host the DHCP server is running on?

Thanks

Mark


I have a similar setup to yours, but I agree with Reco, as I have a caching DNS server on my firewall machine along with dhcp. It is set up to use DNSCrypt to encrypt/protect the connection to OpenDNS (most DNS is in the open and can be hacked). I also have a local domain (like mynamehome.net) so I can connect to my local machines by name (bob.mynamehome.net). I do have my wireless access points only serving wireless connections (192.168.xxx.xxx/24), and the wired part of my network connects directly to the firewall through a switch (172.16.0.0/16). I also have firewall rules set up to redirect all connections going to external DNS servers (Google Chrome and Android devices sometimes make their own connections to Google DNS) to my own DNS server, so I am assured that all DNS is over an encrypted link. All this allows you to be in complete control over what DNS server is used and ensures that your ISP isn't redirecting your internet connections through a botched DNS server returning incorrect addresses (either on purpose or because of a hacked server). Of course the firewall machine has rules that block all external (internet) connections while allowing internal connections through. I use shorewall, which makes setting up firewall rules a little easier.

--


...Bob
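Mark's actual question (taking the resolvers from the firewall's own /etc/resolv.conf instead of hard-coding them in the dhcpd config) can be handled with a small script that regenerates an include file for ISC dhcpd. This is an added illustration, not something posted in the thread; the file paths, the `include` line, the service name and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build dhcpd's domain-name-servers
# option from the resolv.conf that systemd-networkd maintains, so the
# AirStation is handed whatever the ISP currently supplies. Assumes
# dhcpd.conf contains:  include "/etc/dhcp/isp-dns.conf";  (paths assumed)

# Emit the option line from the nameserver entries in file $1. Only IPv4
# addresses are kept: DHCPv4 option 6 cannot carry IPv6 resolvers and
# dhcpd rejects the config if one is listed.
dns_option_from_resolv() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
             ips = ips (ips == "" ? "" : ", ") $2 }
         END { if (ips != "") printf "option domain-name-servers %s;\n", ips }' "$1"
}

# Write $2 to $1 only if it differs (prints "changed"/"unchanged"), so a
# timer can avoid restarting dhcpd on every run.
write_if_changed() {
    if [ -f "$1" ] && [ "$(cat "$1")" = "$2" ]; then
        echo unchanged; return 0
    fi
    printf '%s\n' "$2" > "$1.tmp" && mv "$1.tmp" "$1" && echo changed
}

# $1 = resolv.conf, $2 = include file. Returns 1 and keeps the old file
# when no IPv4 resolver is found, so a transient empty resolv.conf does
# not leave the LAN without DNS.
refresh_isp_dns() {
    opt=$(dns_option_from_resolv "$1")
    if [ -z "$opt" ]; then
        echo "no IPv4 nameserver in $1; keeping $2" >&2; return 1
    fi
    write_if_changed "$2" "$opt"
}

# Demo on a constructed resolv.conf (documentation addresses, not a real ISP).
demo_dir=$(mktemp -d)
cat > "$demo_dir/resolv.conf" <<'EOF'
nameserver 203.0.113.53
nameserver 203.0.113.54
nameserver 2001:db8::53
EOF
refresh_isp_dns "$demo_dir/resolv.conf" "$demo_dir/isp-dns.conf"   # prints "changed"
cat "$demo_dir/isp-dns.conf"
# On the firewall (systemd timer or networkd-dispatcher hook; unit name assumed):
# refresh_isp_dns /etc/resolv.conf /etc/dhcp/isp-dns.conf | grep -q changed \
#   && dhcpd -t -cf /etc/dhcp/dhcpd.conf && systemctl restart dhcpd
```

Validating with `dhcpd -t` before the restart means a malformed include file leaves the running server (and the old leases) untouched.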