Solved: Routing all jail DNS queries on an epair to localhost:53

Hi,
I have a local DNS server running on localhost:53.
I want all my jails DNS traffic to be redirected to my local DNS server.
The host also uses the local DNS server
The jails are each on their own epairs on sequential IPs in the range 10.0.0.0/24 (even ones for the host side, odd ones for the jail side).
Packets from this range on the external interface are nat'ed to the external interface
with rules like this:
Code:
nat pass on $ext_if from 10.0.0.2 to any -> ($ext_if)
The nat rules work all fine.
Can this be done in PF?
None of the things that I tried in PF worked.
Thanks in advance!
 
I want all my jails DNS traffic to be redirected to my local DNS server.
The host also uses the local DNS server
Why the need for any redirections? It sounds like you're using local-unbound (or something similar) on the host and the host's resolv.conf is pointing to 127.0.0.1?
 
Why the need for any redirections? It sounds like you're using local-unbound (or something similar) on the host and the host's resolv.conf is pointing to 127.0.0.1?
Sorry if my message was unclear.
I want the jails to use the host's DNS server (which is dnscrypt-proxy) transparently.
The host is using dnscrypt, and everything is OK on its side.
The jails are the issue.
I don't want to set up dnscrypt on each of the jails, I just want all port 53 traffic from their interfaces to be redirected to localhost:53 on the host's loopback.
So, for example, you could then set the jail's resolv.conf nameserver to 1.1.1.1 (or any address) and the DNS queries of the jail would still be redirected to the host's dnscrypt-proxy.
Thanks!
 
You can redirect standard port 53 DNS to your IP, but the jails will still be able to go around this by using DNS over HTTPS or DNSSec (853) or mDNS 5353 and so on, and go around your filtering/redirection.

rdr on $LAN_if proto udp from any to any port 53 -> 192.168.10.1 port 53
 
Really no need for any redirections, make dnscrypt listen on 127.0.0.1 (for the host itself) and the host's IP address. Then configure the jail's /etc/resolv.conf to use DNS on the host's IP address.
 
Really no need for any redirections, make dnscrypt listen on 127.0.0.1 (for the host itself) and the host's IP address. Then configure the jail's /etc/resolv.conf to use DNS on the host's IP address.
But that makes dnscrypt exposed to "outside" and I don't want that.
What I want is something like VladiBG's suggestion, but with the redirect rule redirecting packets to 127.0.0.1:53.
i.e.: rdr on $ext_if proto udp from any to any port 53 -> 127.0.0.1 port 53
But this rule doesn't work.
 
But that makes dnscrypt exposed to "outside" and I don't want that.
That's something you can firewall. Block incoming requests originating from outside your network; I hope you're already blocking all incoming, external, connections anyway. And I'm sure dnscrypt itself also has the ability to ACL incoming requests, so only allow queries from internal hosts.

What I want is something like @VladiBG's suggestion, but with the redirect rule redirecting packets to 127.0.0.1:53.
i.e.: rdr on $ext_if proto udp from any to any port 53 -> 127.0.0.1 port 53
But this rule doesn't work.
It doesn't work because the redirect (rdr) works for incoming traffic on $ext_if; the DNS queries from your jails don't come in on the host through $ext_if.
 
That's something you can firewall. Block incoming requests originating from outside your network. And I'm sure dnscrypt itself also has the ability to ACL incoming requests, so only allow queries from internal hosts.
I did not consider that, thanks!
It doesn't work because a redirect (rdr) works on incoming traffic on $ext_if; the DNS queries from your jails don't come in on the host through $ext_if.
So I am curious now, just from a theoretical standpoint, can PF (or any other FBSD FW) do this with a different rule?
 
You might be able to do this with a bridge (and attaching your jails to that bridge), and enabling filtering on that bridge. Never tried it but that should theoretically work.

But generally I try to solve issues like this in other ways, as I've shown above. Lots of people expect a packet filter to be able to do things it shouldn't be doing in the first place.
 
You might be able to do this with a bridge (and attaching your jails to that bridge), and enabling filtering on that bridge. Never tried it but that should theoretically work.

But generally I try to solve issues like this in other ways, as I've shown above. Lots of people expect a packet filter to be able to do things it shouldn't be doing in the first place.
It's possible with the current wiring!
It doesn't work because the redirect (rdr) works for incoming traffic on $ext_if; the DNS queries from your jails don't come in on the host through $ext_if.
I reread this line a few more times and then decided to apply the rule to the host side of the jail epair instead of the external interface.
Like this:
Code:
rdr on $jail1_if proto udp from any to any port 53 -> 127.0.0.1 port 53
Then with a few changes to the block rules, everything is functioning according to plan.
Thanks a lot, this little exercise made me better visualize how PF works.
 
Code:
rdr on $jail1_if proto udp from any to any port 53 -> 127.0.0.1 port 53
You may want to try using the bridge interface here. This rule would only work for 'jail1'; if you use the bridge interface it should work for all jails on that bridge interface.
You also want to include TCP here: DNS typically uses UDP, but queries have become so large nowadays that it more often uses TCP. So you want to redirect both UDP and TCP port 53.

Thanks a lot, this little exercise made me better visualize how PF works.
Yes, you really have to take note of the directionality of the traffic, and where things go out and where they come in. NAT (as in nat on ...) translates the source address of a packet and works on outgoing traffic; a redirection (as in rdr on ...) translates the destination address of a packet and works on incoming traffic.
 
You may want to try using the bridge interface here. This rule would only work for 'jail1'; if you use the bridge interface it should work for all jails on that bridge interface.
You also want to include TCP here: DNS typically uses UDP, but queries have become so large nowadays that it more often uses TCP. So you want to redirect both UDP and TCP port 53.


Yes, you really have to take note of the directionality of the traffic, and where things go out and where they come in. NAT (as in nat on ...) translates the source address of a packet and works on outgoing traffic; a redirection (as in rdr on ...) translates the destination address of a packet and works on incoming traffic.
Yep, that rule was just a test. Since I have a macro of all the jail interfaces, the full rule is simple and looks something like this:
Code:
rdr on $jail_ifs proto { tcp, udp } from $jail_nets to any port domain -> 127.0.0.1 port domain
Thanks again for the tips!
 