Jigsaw-Code / Intra

An experimental tool that allows you to test new DNS-over-HTTPS services on Android
Apache License 2.0

Bypass for internal subnets #10

Open francispeixoto opened 6 years ago

francispeixoto commented 6 years ago

The app shouldn't try to resolve internal subnets using an external DNS server. My local DNS server should pick those up.

bemasc commented 6 years ago

Could you give an example of a DNS name that you would not want to resolve using the external DNS server?

ghedo commented 6 years ago

Don't know if this is what was being asked, but kind of related would be whitelisting specific domains that should go over plain DNS, for private / split-horizon domains that should be resolved using the LAN's resolver (e.g. the one configured via DHCP and the like).

francispeixoto commented 6 years ago

It isn't a question of certain domains that should resolve internally, but requests should hit the LAN DHCP-assigned DNS for internal resolution before seeking an answer on the web.

bemasc commented 6 years ago

@francispeixoto That's not easy to do for Intra. For privacy reasons, Intra doesn't disclose DNS queries in cleartext, so we can't send the queries to your LAN's resolver. Also, if Intra gets back different answers from the LAN's resolver and the secure resolver, we have no way of knowing which one is correct.

We might be able to direct queries in "*.local", "*.localhost", and "*.home.arpa" to the local DNS resolver. Would that work for you?

andrebrait commented 6 years ago

Setting up wildcard addresses to redirect to the default DNS in advanced settings would be the ideal thing to do IMHO.

francispeixoto commented 6 years ago

You could have a de facto rule that routes private IP spaces defined in RFC 1918 to the local DNS server instead of Intra. Ref: https://tools.ietf.org/html/rfc1918

This is pretty much the standard for private IP allocations. Those ranges aren't assigned on the net.

andrebrait commented 6 years ago

@francispeixoto There's no way to do that. In order to do that the DNS would have to know the IP (which means it would have to send an insecure request to the external DNS anyway), and the fact that the external request could reply with such an address shouldn't be taken into account.

There's nothing stopping someone from performing a man-in-the-middle attack on a DNS query and responding to google.com with a 192.168.x.x address (or any of the category C, private ones). And also there's no guarantee that the internal DNS would respond to such queries with a private address (technically a network could have any of them and others, like I've seen happen in enterprise networks).

Just having the user define the domain wildcards is the best, safest and most flexible solution.

andrebrait commented 6 years ago

(The google.com example is just an example. I know the idea is to try the internal DNS only if there's an NXDOMAIN from the external one, but still, there are many things at play here and automatic inference is not something that should be attempted here.)
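An added example (not Intra's code) of the user-defined wildcard routing argued for above, seeded with the `*.local`, `*.localhost` and `*.home.arpa` defaults proposed earlier in the thread: the decision is made on the query name before anything is resolved, so no answer, forged or not, can influence which resolver sees a query. Type and function names here are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

type Resolver int

const (
	ResolverDoH   Resolver = iota // the configured DNS-over-HTTPS server
	ResolverLocal                 // the DHCP-assigned LAN resolver, plaintext
)

// DefaultLocalSuffixes are the wildcards proposed in the thread for LAN routing.
var DefaultLocalSuffixes = []string{"*.local", "*.localhost", "*.home.arpa"}

// SplitHorizon holds normalized suffixes (lower-case, no "*.", no root dot).
type SplitHorizon struct{ suffixes []string }

// NewSplitHorizon accepts patterns like "*.corp.example"; anything but a plain
// suffix wildcard is rejected so a typo cannot widen what leaves in cleartext.
func NewSplitHorizon(patterns []string) (*SplitHorizon, error) {
	sh := &SplitHorizon{}
	for _, p := range patterns {
		s := normalize(strings.TrimPrefix(p, "*."))
		if s == "" || strings.ContainsAny(s, "*/ \t") {
			return nil, fmt.Errorf("invalid wildcard pattern %q", p)
		}
		sh.suffixes = append(sh.suffixes, s)
	}
	return sh, nil
}

// normalize lower-cases a name and strips the root dot ("Printer.LOCAL." -> "printer.local").
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// Route decides from the query name alone, before anything is resolved, so the
// decision never depends on an answer an on-path attacker could have forged.
func (sh *SplitHorizon) Route(qname string) Resolver {
	n := normalize(qname)
	for _, s := range sh.suffixes {
		// Label-boundary match: "*.local" covers "printer.local" and (assumed here) bare "local", never "notlocal.example".
		if n == s || strings.HasSuffix(n, "."+s) {
			return ResolverLocal
		}
	}
	return ResolverDoH
}
```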

MaXFalstein commented 6 years ago

The best way to facilitate this without adding security vulnerabilities would be for Google to allow users to install a DNS-over-HTTPS server for LAN routing. Intra could resolve to LAN and WAN DNS-over-HTTPS servers. I run local DNS servers but I would like to be able to run DNS-over-HTTPS servers.