Hi,

James (ja...@jmp-e.com) on 2020.05.28 11:12:29 +0100:
> Thanks. Your solution works but is not ideal for my situation. The
> reason it's not ideal is that one of the rdomains gets its nameserver
> from DHCP and I don't think unbound can read this information.
>
> For example, in the case of a captive portal or floating between APs I
> would like DNS to work on different LANs where outbound DNS queries are
> blocked.
>
> I'm trying to build an isolated network environment in which all traffic
> is routed over an interface with a custom DNS server and no network leaks.
>
> My solution so far is as follows:
>
>      ___________        ___________
>     |           |      |           |
>     | rdomain0  |      | rdomain1  |
>     |   pair0   |------|   pair1   |
>     |   tun0    |      |   wlan0   |
>     |___________|      |___________|
>
> with pf tagging and NAT'ing tun0 traffic behind wlan0.
> rdomain0 DNS queries should be routed to a fixed address and
> rdomain1 DNS queries should be sent to the nameserver as per
> /etc/resolv.conf generated from dhclient.
>
> Linux's implementation of network namespaces allows for custom
> resolv.conf files per network namespace [1]. The problem I
> currently face is that only 1 rdomain can perform DNS queries at a
> time by modifying /etc/resolv.conf.
This should work in OpenBSD 6.7:

Run unwind in rdomain 0 (this is optional, kind of, but a good idea to
see how it works):

	rcctl enable unwind
	rcctl start unwind

then set your resolver to 127.0.0.1:

	echo "supersede domain-name-servers 127.0.0.1;" > /etc/dhclient.conf
	dhclient <if>

That assumes that your rdomain 0 uses dhcp; if it does not, just set the
nameserver in /etc/resolv.conf to 127.0.0.1.

Now check that DNS works in rdomain 0.

If it does, run unwind in your rdomain1, same method as Tom described
for nsd:

	ln -s /etc/rc.d/unwind /etc/rc.d/unwind1
	rcctl enable unwind1
	rcctl set unwind1 rtable=1
	rcctl start unwind1

Now put the supersede option into the dhclient.conf for rdomain 1, and
run dhclient there. DNS in rdomain 1 should work, and
"route -T 1 exec unwindctl sta" should show that it's using the dhcp
supplied nameserver:

	$ unwindctl sta
	1. recursor validating, 50ms
	3. stub resolving, 90ms
	2. dhcp validating, 150ms
	   ^^^^^^^^^^^^^^^        <-- see here
	4. oDoT-dhcp dead, N/A

>
> Thanks,
>
> [1] https://www.man7.org/linux/man-pages/man8/ip-netns.8.html
>
> On Wed, May 27, 2020 at 11:35:11PM +0100, Tom Smyth wrote:
> >howdy,
> >
> >you can use symbolic links for /etc/rc.d/nsd to /etc/rc.d/nsd1
> >and to /etc/rc.d/nsd2 to /etc/rc.d/nsdn where 1,2 n are your
> >rdomains for your
> >dns servers (authoritative) or you can use unbound instead of nsd
> >if it is just a forwarding dns server
> >
> >then use for a dns server for rdomain1
> >rcctl enable nsd1
> >rcctl set nsd1 rtable=1
> >
> >repeat the procedure for each domain configured
> >rcctl enable nsd2
> >rcctl set nsd2 rtable=2
> >
> >then go back to rdomain0
> >route -T0 exec ksh
> >and then run the following to start each of your daemons
> >
> >rcctl start nsd1
> >rcctl start nsd2
> >
> >and so on and so forth...
> >
> >I used to have issues starting and stopping daemons if I was not in
> >the correct domain when running the rcctl command,
> >I saw a diff by ajacoutot a few months / years ago that might have
> >fixed the rcctl starting domains from a shell in a different
> >rdomain...
> >I just got into the habit... of going to the correct rdomain of the
> >daemon or rdomain0 before running the rcctl command to start / stop or
> >restart the daemon
> >
> >Hope this helps,
> >
> >Tom Smyth
> >
> >
> >On Wed, 27 May 2020 at 23:24, James <ja...@jmp-e.com> wrote:
> >>
> >>Hi all,
> >>
> >>How can I allow different rdomains to use separate DNS nameservers?
> >>
> >>Thanks
> >>
> >
> >
> >--
> >Kindest regards,
> >Tom Smyth.
>
--
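As an added illustration of the procedure above (example code written for this page, not by anyone in the thread), the following sh script wraps the per-rdomain unwind setup (symlinking /etc/rc.d/unwind to unwindN and pinning that service to rtable N with rcctl), the dhclient supersede line, and a check over "unwindctl status" output for a live dhcp resolver. The RCD_DIR and RCCTL variables, the function names, and the assumption that status lines look exactly like the "2. dhcp validating, 150ms" lines quoted above are all this script's own; the real unwindctl output may carry extra header lines, which the check simply ignores.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread: automate the per-rdomain
# unwind setup described above (symlink /etc/rc.d/unwind to unwindN, pin the
# service to rtable N with rcctl) and check "unwindctl status" output for a
# live dhcp resolver. RCD_DIR and RCCTL are assumptions of this script so it
# can be exercised off-box with a scratch directory and a stub rcctl.

RCD_DIR="${RCD_DIR:-/etc/rc.d}"
RCCTL="${RCCTL:-rcctl}"

# setup_unwind_rdomain N: enable an unwind instance for routing table N.
# rdomain 0 uses the stock "unwind" service with no rtable setting.
setup_unwind_rdomain() {
    n="$1"
    case "$n" in
        ''|*[!0-9]*) echo "usage: setup_unwind_rdomain <rtable number>" >&2; return 1 ;;
    esac
    if [ "$n" -eq 0 ]; then
        "$RCCTL" enable unwind && "$RCCTL" start unwind
        return
    fi
    svc="unwind$n"
    # A symlink lets rc.d run the same daemon under a distinct service name,
    # which is what allows a separate rtable setting per instance.
    [ -e "$RCD_DIR/$svc" ] || ln -s "$RCD_DIR/unwind" "$RCD_DIR/$svc" || return 1
    "$RCCTL" enable "$svc" &&
    "$RCCTL" set "$svc" rtable="$n" &&
    "$RCCTL" start "$svc"
}

# dhclient_supersede FILE: make dhclient write 127.0.0.1 as the nameserver
# (idempotent, so re-running does not duplicate the line).
dhclient_supersede() {
    grep -qs '^supersede domain-name-servers 127.0.0.1;' "$1" ||
        echo 'supersede domain-name-servers 127.0.0.1;' >> "$1"
}

# resolver_state STATUS NAME: print the state word of resolver NAME from
# status lines of the form "2. dhcp validating, 150ms" (as shown above).
resolver_state() {
    printf '%s\n' "$1" |
        awk -v name="$2" '$2 == name { sub(/,$/, "", $3); print $3; exit }'
}

# dhcp_resolver_ok STATUS: succeed only if the dhcp resolver is usable,
# i.e. validating or resolving rather than dead.
dhcp_resolver_ok() {
    case "$(resolver_state "$1" dhcp)" in
        validating|resolving) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use on the box (as root), once rdomain 0 already resolves via unwind:
#   setup_unwind_rdomain 1
#   dhclient_supersede /etc/dhclient.conf
#   route -T 1 exec dhclient wlan0
#   dhcp_resolver_ok "$(route -T 1 exec unwindctl status)" &&
#       echo "rdomain 1 is using the DHCP-supplied nameserver"
```

The check deliberately treats "dead" (as the oDoT-dhcp line in the quoted output shows) as a failure, so a script that depends on the per-rdomain resolver can stop early instead of silently falling back to whatever /etc/resolv.conf happens to contain.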