On 8/24/17 3:45 AM, Mark Fletcher wrote:
> Hello the list!
>
> [I suppose this is a little bit OT -- but you guys are the best 
> concentration of experts I know, so here goes anyway...]
>
> My local network consists of a bunch of Debian machines of various ages, 
> various iDevices, and the odd Windows machine connected either by wired 
> or wireless ethernet to a Buffalo AirStation, whose WAN port is 
> connected to a mini-ITX machine running LFS which acts as my firewall. 
> The firewall's other interface connects to my cable modem and thence to 
> the internet.
>
> For co-operation with my ISP my firewall gets its external IP address 
> via DHCP from the ISP. I use systemd-networkd to achieve this, and this 
> also takes care of populating /etc/resolv.conf with the name servers 
> provided by the ISP.
>
> So the firewall has 2 interfaces, the external facing one of which gets 
> an IP address from my ISP via DHCP, and the internal facing one has a 
> fixed private IP address.
>
> The AirStation is also set up to get its WAN IP address via DHCP, since 
> A) that is how it comes out of the box, B) the AirStation was for years 
> the last line of defence between my network and the internet and the 
> addition of the dedicated firewall is a relatively recent thing, and C) 
> both the instructions and the web configuration tool are in Japanese 
> and, this being a Japan-market-facing device, the language can't be 
> changed. So I like to futz with the settings on the AirStation as little 
> as possible.
>
> So I run dhcpd on the firewall machine, facing only the 
> local-network-facing interface, so that when the AirStation asks for an 
> IP address, it can be provided with one.
>
> The AirStation is _itself_ running a DHCP server on its LAN ports / 
> WiFi, which is how the rest of my machines on my network get their local 
> IP addresses. So the DHCP server on my firewall in effect services 
> _only_ the AirStation.
>
> My question is this -- I want to pass through the name servers my ISP is 
> providing, to the AirStation when it asks, so that the AirStation can 
> use the ISP's name servers. I did think about running a DNS on the 
> firewall also but this seems unnecessary, and would just create an extra 
> hop to answer DNS queries.
>
> Right now I have the name server IP addresses hard coded in the 
> dhcp.conf config file, which is fine as long as the ISP doesn't change 
> them. But, if the ISP were to change its name servers, the firewall 
> would pick up the changes but as things stand it would continue to 
> provide the old name server addresses to the AirStation, which would 
> mean the rest of the network would no longer be able to resolve DNS 
> queries the AirStation didn't already have cached.
>
> Is there any clever way to pass through the name server settings 
> the DHCP server provides, so that if the ISP should change its name 
> server IP addresses in the future, my local DHCP server would pass along 
> the new addresses when next asked?
>
> In other words, instead of specifying the name server addresses 
> explicitly in the dhcp.conf file, is there a way to specify that they 
> should be taken from the host the DHCP server is running on?
>
> Thanks
>
> Mark
>
>
I have a similar setup as yours but I agree with Reco as I have a caching DNS
server on my firewall machine along with DHCP. It is set up to use DNSCrypt to
encrypt/protect the connection to OpenDNS (most DNS is in the open and can be
hacked). I also have a local domain (like mynamehome.net) so I can connect to
my local machines by name (bob.mynamehome.net). I do have my wireless access
points only serving wireless connections (192.168.xxx.xxx/24) and the wired part
of my network connects directly to the firewall through a switch
(172.16.0.0/16). I also have firewall rules set up to redirect all connections
going to external DNS servers (Google Chrome and Android devices sometimes make
their own connections to Google DNS) to be redirected to my own DNS server so I
am assured that all DNS is over an encrypted link. All this allows you to be in
complete control over what DNS server is used and that your ISP isn't
redirecting your internet connections through a botched DNS server returning
incorrect addresses (either on purpose or because of a hacked server). Of
course the firewall machine has rules that block all external (internet)
connections while allowing internal connections through. I use Shorewall which
makes setting up firewall rules a little easier.

-- 


*...Bob*
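For Mark's original question (handing the AirStation whatever resolvers the ISP is currently giving the firewall, instead of hard-coding them), one way to do it on the firewall is to regenerate a small dhcpd include file from /etc/resolv.conf each time systemd-networkd rewrites it. The script below is an added example, not code from Mark's or Bob's setup. The paths /etc/dhcp/dhcpd.conf and /etc/dhcp/isp-dns.conf, the `systemctl restart dhcpd` reload command and the sample resolv.conf contents are assumptions; `dhcpd -t -cf` is ISC dhcpd's real config-test invocation.

```shell
#!/bin/sh
# Regenerate a dhcpd include file from the resolvers systemd-networkd wrote to
# /etc/resolv.conf, so the firewall hands the AirStation whatever the ISP is
# currently handing out. Paths and the reload command are assumptions.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
DHCPD_CONF="${DHCPD_CONF:-/etc/dhcp/dhcpd.conf}"          # assumed main config
DHCPD_INCLUDE="${DHCPD_INCLUDE:-/etc/dhcp/isp-dns.conf}"  # assumed include file
DHCPD_RELOAD="${DHCPD_RELOAD:-systemctl restart dhcpd}"   # assumed service name

# Accept only dotted-quad IPv4 addresses with every octet in 0..255; anything
# else in resolv.conf must never reach dhcpd.conf, where it would break parsing.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Print one "option domain-name-servers" line built from the nameserver entries
# in the file $1. Comments, search/options lines, IPv6 resolvers (a DHCPv4
# option cannot carry them) and duplicates are skipped; exit 1 if nothing is left.
dns_option_from_resolv() {
    servers=""
    while read -r key value rest; do
        [ "$key" = "nameserver" ] || continue
        is_ipv4 "$value" || continue
        case " $servers " in *" $value "*) continue ;; esac
        servers="$servers $value"
    done < "$1"
    servers="${servers# }"
    [ -n "$servers" ] || return 1
    printf 'option domain-name-servers %s;\n' "$(printf '%s' "$servers" | sed 's/ /, /g')"
}

# Install the regenerated include and reload dhcpd, but only when the resolver
# list changed, and roll back if dhcpd -t rejects the resulting configuration.
update_dhcpd_dns() {
    new_line="$(dns_option_from_resolv "$RESOLV_CONF")" || {
        echo "no usable IPv4 resolver in $RESOLV_CONF; leaving dhcpd alone" >&2
        return 1
    }
    if [ -f "$DHCPD_INCLUDE" ] && [ "$(cat "$DHCPD_INCLUDE")" = "$new_line" ]; then
        return 0                      # unchanged: no reload, no lease churn
    fi
    [ -f "$DHCPD_INCLUDE" ] && cp "$DHCPD_INCLUDE" "$DHCPD_INCLUDE.prev"
    printf '%s\n' "$new_line" > "$DHCPD_INCLUDE"
    if dhcpd -t -cf "$DHCPD_CONF" >/dev/null 2>&1; then
        $DHCPD_RELOAD
    else
        echo "dhcpd rejected $DHCPD_CONF with the new resolvers; restoring" >&2
        [ -f "$DHCPD_INCLUDE.prev" ] && mv "$DHCPD_INCLUDE.prev" "$DHCPD_INCLUDE"
        return 1
    fi
}

# Constructed sample resolv.conf (documentation-range addresses, not a real
# ISP's resolvers) for the stand-alone self-check below.
SAMPLE_RESOLV='# generated by systemd-networkd
nameserver 203.0.113.53
nameserver 203.0.113.53
nameserver 2001:db8::53
nameserver 198.51.100.5
search example.net'

# Run the generator over the sample and print the line dhcpd would be given.
demo() {
    f="$(mktemp)"
    printf '%s\n' "$SAMPLE_RESOLV" > "$f"
    dns_option_from_resolv "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

case "${1:-}" in
    --apply) update_dhcpd_dns ;;   # real run: rewrite the include and reload
    *)       demo ;;               # dry run over the constructed sample
esac
```

To use it, replace the hard-coded `option domain-name-servers` line in dhcpd.conf with `include "/etc/dhcp/isp-dns.conf";` (dhcpd.conf's real `include` statement), run the script once with `--apply`, then have it run again with `--apply` from whatever fires after networkd renews the WAN lease (a systemd timer every few minutes is enough, since the script only restarts dhcpd when the list actually changed). The two checks worth keeping are the ones that protect the rest of the network: an empty or malformed resolver list is never installed, and if dhcpd's config test fails the previous include is put back rather than leaving dhcpd unable to start.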

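Bob's redirect of stray DNS traffic, expressed as plain netfilter rules rather than the Shorewall syntax he uses, as an added example that is not part of either post. The interface names eth1 and wlan0, the resolver address 172.16.0.1 and the use of iptables on the firewall are assumptions; the rules match the wired (172.16.0.0/16) and wireless (192.168.x.x/24) segments only by the interface they arrive on.

```shell
#!/bin/sh
# Emit (or apply) the nat rules that steer every DNS query leaving the LAN to
# the firewall's own caching resolver, so clients that hard-code a public
# resolver still go through the DNSCrypt-protected path. Interface names, the
# resolver address and the iptables binary are assumptions for this example.
LAN_IFACES="${LAN_IFACES:-eth1 wlan0}"   # internal-facing interfaces (assumed)
RESOLVER="${RESOLVER:-172.16.0.1}"       # firewall address the resolver listens on
IPTABLES="${IPTABLES:-iptables}"

# One DNAT rule per LAN interface and transport. Queries already addressed to
# the resolver are left alone, and TCP is covered as well as UDP because large
# answers and DNSSEC-signed responses fall back to it.
dns_redirect_rules() {
    for ifc in $LAN_IFACES; do
        for proto in udp tcp; do
            printf '%s -t nat -A PREROUTING -i %s -p %s --dport 53 ! -d %s -j DNAT --to-destination %s:53\n' \
                "$IPTABLES" "$ifc" "$proto" "$RESOLVER" "$RESOLVER"
        done
    done
}

# Number of rules the current settings produce (interfaces x transports),
# handy for a post-apply sanity check against `iptables -t nat -S PREROUTING`.
dns_redirect_rule_count() {
    dns_redirect_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    --apply) dns_redirect_rules | sh -e ;;   # run each rule, stop on first failure
    *)       dns_redirect_rules ;;           # dry run: print what would be applied
esac
```

Run it without arguments first to see the four rules, then with `--apply` from the firewall's rule script. The resolver has to listen on the LAN-facing address named in RESOLVER, and the filter table must still accept port 53 on that address from the LAN; the DNAT only changes where the packets go, it does not grant them passage.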