I am a very satisfied owner of a Turris Omnia and so far it was always able to do what I needed.
There was one thing now that I wanted to set up, but I did not manage to find a way to set up OpenWrt as an authoritative DNS server for a domain that I own.
Let's say I own example.com, and the registrar is Cloudflare.
What I want to achieve at the end is:
I want to have home.example.com point to a server that I have on my network, even from the internet (I can definitely add the needed DNS records to Cloudflare, no problem).
I want to have abc.home.example.com point to a server in my local network that would only be accessible from inside.
The desired outcome would be something like this: https://youtu.be/syzwLwE3Xq4?t=366
But I was thinking that, instead of hosting Bind9 on a PC in the network, I would use the Omnia as the DNS server. This way it would always work, even if I mess up the hypervisor of the hosted Bind9.
I spent hours trying to find the right steps, but I have found nothing that was really OK to follow.
This one, for example: https://www.youtube.com/watch?v=d1HhcLCJ6gI
It explains it quite well, but the LuCI package cannot be installed due to missing dependencies.
Are you aware of any documentation that I can follow?
Is there even a way to do this on the Omnia? Should I host Bind9 somewhere and just use that as a DNS server handed out in DHCP?
Thanks!
I appreciate any hints, tips or help.
Best regards
Botond
PS: So I cannot put links into a post as a new user (to be honest, this is quite strange for such a network-focused forum, but never mind).
Actually, knot-resolver is already running on your Turris Omnia.
In general, knot-resolver isn’t designed to serve anything authoritatively. There is very limited support for that, e.g. the hints module which you found. Even that one doesn’t serve a real full zone (that wouldn’t be so easy).
Still, one can write basically anything in the configuration, it being Lua code with access to most resolver internals, so let me post an example that should work well, but there are no guarantees about some "edge cases" or about breakage due to some internal API changes after some months or years. BTW, your question is the same as [SOLVED] How to configure local DNS to route *.abc.xyz to one host?
Do you have a public static IP, or more than one, on the WAN interface?
Is your LAN on a private IP range with a NAT firewall?
Or do you just route and have a bunch of public IPs on the LAN?
Will it be the only authoritative DNS server for this domain?
Are you behind a typical ISP? They mostly prohibit an open port 53…
If you do some NAT translation and your servers are on private IPs
with some port forwarding / SNAT and DNAT / NAT 1:1 / etc.,
most configurations will have different domains for the public IP(s)
and the private IPs
(and if you need to change a public IP to point to a private one,
for, let's say, development purposes, you do it in the client's hosts file),
and you should split your authoritative and recursive (local) DNS servers;
even your authoritative DNS server should not be recursive…
(with complex configurations you can achieve both behaviors on one server).
The best option seems to me to have a recursive local DNS server on the Omnia
with the local domain names (.lan/.localdomain/.domain/.local/.example.com/…),
not accessible from the internet and not mixing local domain names with the public ones,
just serving the local names and caching/forwarding all requests to another DNS server,
and to spin up a full-blown authoritative DNS server on one of your servers,
with, for example, port forwarding of the right ports from WAN to this server.
But you can also do it all in one on the Omnia firewall with an authoritative DNS server:
try the original knot-resolver (I don't think it will work),
or install an authoritative DNS server instead of the knot-resolver (even full Knot)
(or run it in a container…), for example: Unbound DNS Resolver on Turris.
This will break the DNS part of the reForis GUI…
You have to open the ports on WAN for DNS for the Omnia device itself,
enable local domain resolving only for local client IPs,
disable recursive resolving for the internet IPs (or the ISP will hate you),
define your zone, ACLs for your zone, notify for the zone, dynamic updates, TSIG, etc.
Or have two DNS servers running on the Omnia,
one bound to the LAN IP and another to the WAN IP.
I didn't try this with a DNS server on the Omnia, but it should be possible
(I'm running a couple of BIND and Technitium DNS servers
configured as all-in-one or as separate authoritative / recursive…).
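An added example, not posted by anyone in this thread and not code from the knot-resolver or Turris projects: a kresd configuration snippet for the approach the two replies above describe, i.e. the hints module answering a handful of LAN-only names from the Omnia itself, plus client views so the resolver never answers the internet. Every address and path in it is an assumption to adapt: the LAN is 192.168.1.0/24, the router is 192.168.1.1, the internal server is 192.168.1.50, git.home.example.com is a hypothetical second host, and the file is pulled in through whatever custom-config include your Turris OS version offers (look for an include option in /etc/config/resolver). The rest of the Turris-generated config (listeners, forwarding to the ISP or a custom upstream, DNSSEC) is left as it is.

```lua
-- Added example, not from the thread. Assumed values: LAN 192.168.1.0/24,
-- internal server 192.168.1.50, hypothetical host git.home.example.com.
-- Included from the Turris OS resolver config; everything else stays as
-- Turris generates it.

-- Load hints ahead of the iterator so a static answer is used instead of
-- asking the internet; policy and view are needed for the client ACLs.
modules.load('policy')
modules.load('hints > iterate')
modules.load('view')

-- LAN-only names. The hints module has no wildcard support, so every name
-- must be listed. These never go into the public zone at Cloudflare, so no
-- private address is published on the internet.
hints.set('abc.home.example.com 192.168.1.50')
hints.set('git.home.example.com 192.168.1.50')   -- hypothetical second host

-- Split horizon for the public name: inside the LAN, send clients straight
-- to the server instead of out through the WAN address and back in (no
-- hairpin NAT needed). Delete this line to get the public answer everywhere.
hints.set('home.example.com 192.168.1.50')

-- A name in the hints table answers NODATA for other record types (AAAA,
-- MX, ...) instead of falling through to the iterator for them.
hints.use_nodata(true)

-- Client ACLs. View rules are checked in declaration order and the module
-- stops at the first rule whose policy returns an action (PASS counts), so
-- the catch-all REFUSE must come last. kresd on Turris OS listens on LAN
-- only and the firewall drops WAN port 53 anyway; this is defence in depth
-- in case a WAN listener is ever added, and it is what keeps the router
-- from turning into an open resolver.
view:addr('127.0.0.0/8',    policy.all(policy.PASS))
view:addr('::1',            policy.all(policy.PASS))
view:addr('192.168.1.0/24', policy.all(policy.PASS))
view:addr('0.0.0.0/0',      policy.all(policy.REFUSE))
view:addr('::/0',           policy.all(policy.REFUSE))
```

After restarting the resolver, `dig abc.home.example.com @192.168.1.1` from a LAN client should return 192.168.1.50, while the same query aimed at the WAN address from outside should be refused (or time out at the firewall). Names under home.example.com that are not in the hints table fall through to the public zone at Cloudflare as usual, which is exactly what the earlier reply means by "not a real full zone": there is no SOA, no NS and no zone transfer, only a few fixed answers.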
abc.example.com points to your private IP on the internal LAN
And you are done.
P.S.
You probably need port forwarding on your router for home.example.com.
You probably need to set up DynDNS with the Cloudflare API on your router to update the host record for home.example.com, if you don't have a static public IP.
If you want more, avoiding BigTech like Cloudflare, doing everything self-hosted, and/or have more complex DNS requirements, I would recommend setting up an authoritative DNS server on your internal LAN as a hidden master.
Rent two or three of the cheapest and smallest vHosts and set them up as secondaries, distribute them over the planet, and use a different hosting provider for each.
In my case I use PowerDNS with a MariaDB backend.
The database is replicated over a WireGuard VPN to the vHosts.
I manage my domain records with a web frontend on the master in the LAN and also provide an API for select clients for DynDNS, ACME for Let's Encrypt and the like. Everything gets replicated by MariaDB. That comes close to what Cloudflare provides, but is self-hosted.
Don’t use BIND, AXFR and all that crap.
All that has nothing to do with the router, except that it needs to properly forward WireGuard and API calls to the hidden master on the LAN.
It's against good practice to let non-publicly-routable addresses go wild in the public namespace. But YMMV. Maybe there is no law, but you should not do that, at least with public DNSes. If you spin up your own, do what you like, but then don't expose that to the public.
I didn't think of that, because I have my resolver (I'm using Unbound, not kresd) configured to skip rebind protection for my specific internal hosts, which defeats the simplicity of my proposed solution.
But most larger networks I worked for and with don't use split DNS, since that is also considered bad practice, and only 0.0001% of their IP addresses are reachable from the outside, but all resolve to the same public zone. They don't use private IPs, because they have plenty of their own public IPs, but from a technical standpoint there is a very small difference between "not routable" and "not reachable". From a user standpoint there is no difference at all.
If you set a hostname for a static IP in your DHCP configuration, it should be picked up by kresd and served to your local clients, right?
Another way is the hosts file on the router, which, if memory serves me right, was also picked up and served by dnsmasq in traditional OpenWrt. I don't know if that still works on TOS with kresd.