slackhq / nebula

A scalable overlay networking tool with a focus on performance, simplicity and security
MIT License

Control over client DNS servers #318

Open RealOrangeOne opened 3 years ago

RealOrangeOne commented 3 years ago

It'd be great if, on connection to a nebula mesh, the DNS servers of the client could be modified. Specifically, not to the DNS server served by Nebula, as this just serves the hostnames of the other nodes from the lighthouse.

I'm imagining this working much like the DNS key in a wireguard config (man page for reference). On connection, the DNS servers the client uses are modified based on those specified in the client config. These settings would not be pushed down by the lighthouse (although perhaps they could / should be?). On disconnect, these settings would be restored to the system default.

For versatility, I don't think these DNS servers should be constrained to nodes.

It's possible to achieve this currently by wrapping the nebula command and using resolvconf on Linux, but this is far from being both universal, and cross-platform. Doing a custom solution on mobile is especially difficult!

SamSirry commented 3 years ago

I can guess one use case, but may I ask why, explicitly? Other than using one of the nodes/hosts as a DNS server, how else could this be helpful?

p.s.: I love your blog

RealOrangeOne commented 3 years ago

Does there have to be another reason? Overriding DNS can have a number of different uses to a number of different people, depends on what they want to do.

My prime use case is being able to route specific domains over the VPN rather than the public internet, which I suspect is the main use case. Especially useful if the public route is to go via a proxy or gateway, a la this.

LennyPenny commented 2 years ago

this would be awesome!

My favorite personal use case would be:

set DNS setting on the lighthouse to a node on the network running a pi-hole

This would allow one to easily get tracker blocking + name resolution for all nodes. Bonus points if this would also be supported on the nebula ios/android app to get those benefits while on cellular.

HyperCriSiS commented 2 years ago

Do I understand right that if I connect my clients with nebula, I am not able anymore to use my pi-hole? I just found out about Nebula and was really excited to try it, but if I can't use pi-hole then anymore, it is unusable.

RealOrangeOne commented 2 years ago

@HyperCriSiS this is different. So long as your pihole is still accessible by the new routes created by Nebula, then it'll "just work" with no impact at all.

This issue is about specifically changing the DNS server used whilst connected to Nebula, which isn't what you're talking about. You can always change it manually, but there's currently no automated way of doing it.

CovertIII commented 2 years ago

+1

I wanted to do what @LennyPenny suggested. I actually set up a Nebula network this week including a Raspberry Pi (on my local network), iPhone, laptop, and an AWS instance as the lighthouse. I was able to access the Pi Hole config from my phone via the private IP address of the PiHole in the nebula network. I was also able to ssh into the Pi while I was away from my house (which was super cool). Then I went to set the DNS server on my phone in the nebula config and didn't find a place for it. Then I did some searching and came across this issue.

So then I researched WireGuard and set up a WireGuard network. The advantage of Nebula over WireGuard is I can easily get a direct connection to my Raspberry Pi from my phone because the lighthouse node coordinates this. With WireGuard all the traffic needs to route through the AWS server because there's not an easy way to get a direct connection when both peers are behind a NAT (https://www.jordanwhited.com/posts/wireguard-endpoint-discovery-nat-traversal/). It's probably nearly impossible to set up on my phone without writing a new client app. But I am able to set the DNS server on my phone with WireGuard. So that won out for what I was trying to achieve.

The Nebula network was considerably easier to get set up given its more centralized nature, all the certs are signed by the same CA. Whereas with WireGuard, you need to update the server every time you want to add another peer on the network.

All that to say if there was a way to set the DNS server on the config, that would be super cool. Especially on mobile since there's no way as a user I can update my DNS server when I'm on cellular and if I'm on WiFi I need to update it for every WiFi network I join.

wildardoc commented 2 years ago

Is there a way on an iphone to modify the dns servers? I would have thought that apple would have that locked down. I have at my house with my computers implemented the lighthouse dns and use it to lookup machine addresses. However that requires me to add entries with the resolvectl command to tell my computers to query *.schaefermesh.neb address at the dns server on the lighthouse. Any regular dns wouldn't know and thus I would have thought apple (or google for that matter) wouldn't allow you to redirect dns queries to a private dns server as they couldn't track/sell info about the dns lookup.


tcurdt commented 2 years ago

Is there a way on an iphone to modify the dns servers? I would have thought that apple would have that locked down.

There are other apps that do it (I think zerotier and wireguard support this). It's probably just a matter of entitlements and review.

noseshimself commented 2 years ago

Other than using one of the nodes/hosts as a DNS server, how else could this be helpful?

Actually most "reasonable VPN software" is providing that because it will permit you access to a previously unreachable DNS server with different/more knowledge (e.g. the names belonging to the inner structure of a private network). It's something many larger entities require...

uliluckas commented 1 year ago

+1 Any progress in the decision process whether to put that on the road map?

Cyberes commented 1 year ago

@LennyPenny

set DNS setting on the lighthouse to a node on the network running a pi-hole

That's exactly what I'd like to do, too. I'd like to not have to manually set the system's DNS servers of each nebula host to the IP of the Pi-Hole, for administration reasons. It would be fantastic if DNS servers were either pre-set through the config or pushed down from the lighthouses and the nebula client would automatically change the system's DNS nameserver.

The DNS servers don't even have to be on the nebula network, all they have to do is return a record pointing to a nebula IP. In my use case, I'd have the nebula DNS server overwrite the domains of my services so they're accessible through the nebula network. For example, if I had example.com pointing to 123.123.123.123 on the normal internet, my nebula DNS server would change that to 10.0.0.10 without me having to manually change the DNS nameserver of my host when I leave and join.

Cyberes commented 1 year ago

I got DNS resolution set up on my Nebula network in a way that makes it easy for my Ubuntu laptop to join and leave the network regularly and not have to manually update the DNS settings. Here's what I did:

Install Pi-hole

  1. Install Pi-hole on the primary lighthouse node. During the install process, make sure to set it to listen on the nebula1 interface (the interface must exist or this option won't be available).
  2. Add some custom domains for Pi-hole to resolve in Custom DNS > DNS Records. I use the .nb domain.
  3. In Settings > DNS > Interface settings, set it to Respond only on interface nebula1.

Set up Ubuntu

  1. Create the file /etc/systemd/network/nebula1.network and put this in it:

    [Match]
    Name=nebula1
    
    [Network]
    DNS=<Nebula IP of your DNS server>
    Domains=~nb

    I use the .nb TLD for my Nebula domains so I add ~nb to Domains. This will make systemd-resolved use your custom DNS server for any .nb domain.

  2. Restart the network services. It's important to stop Nebula first so it doesn't get confused when you drop the network.

    sudo service nebula stop
    sudo systemctl daemon-reload
    sudo systemctl restart systemd-networkd
    sudo systemctl restart systemd-resolved
    sudo service network-manager restart
    sudo service nebula start

  3. Now confirm your changes with resolvectl status. It should look something like this:

    Global
           LLMNR setting: no
    MulticastDNS setting: no
      DNSOverTLS setting: no
          DNSSEC setting: no
        DNSSEC supported: no
      Current DNS Server: 1.1.1.1
             DNS Servers: 1.1.1.1
                          1.0.0.1
              DNSSEC NTA: <long list of servers>

    Link 17 (nebula1)
          Current Scopes: DNS
    DefaultRoute setting: yes
           LLMNR setting: yes
    MulticastDNS setting: no
      DNSOverTLS setting: no
          DNSSEC setting: no
        DNSSEC supported: no
      Current DNS Server: <your Nebula DNS server IP>
             DNS Servers: <your Nebula DNS server IP>

  4. You can test DNS resolution still works when your Nebula link is down with:

    dig test.nb
    sudo service nebula stop
    dig google.com
    dig test.nb

    Where test.nb is a domain you set for Pi-hole to resolve. The first dig test.nb will work and after Nebula is stopped dig google.com should work but dig test.nb won't.

  5. To make Firefox resolve your .nb domains:

    1. Search for browser.fixup.domainsuffixwhitelist.nb
    2. Click the + to add a new key. Set it to true.

This doesn't work for Android since I think it doesn't send DNS over the VPN connection created by the app -> https://github.com/DefinedNet/mobile_nebula/issues/103
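Added example, not code from this thread or the Nebula project: a small Python checker that parses `resolvectl status` output in the shape quoted above and reports whether the nebula1 link is actually scoped to the ~nb routing domain (a missing DNS Domain line or DefaultRoute=yes means names outside ~nb can also reach that resolver). The sample output and the 10.0.0.10 resolver address are constructed placeholders.

```python
import re

SECTION_RE = re.compile(r"^\s*(Global|Link \d+ \(([^)]+)\))\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*(.*)$")  # an IPv6 value never matches

def parse_status(text):
    """Parse `resolvectl status` into {section: {key: [values]}}; indented
    continuation lines (extra servers or domains) attach to the previous key."""
    sections, current, last_key = {"Global": {}}, "Global", None
    for line in filter(str.strip, text.splitlines()):
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(2) or "Global"
            sections[current], last_key = {}, None
            continue
        kv = KEY_RE.match(line)
        if kv:
            last_key, value = kv.group(1).strip(), kv.group(2).strip()
            sections[current][last_key] = [value] if value else []
        elif last_key:
            sections[current][last_key].append(line.strip())
    return sections

def check_link(text, link="nebula1", expect_dns=None, expect_domain="~nb"):
    """Return a list of findings; an empty list means the link is scoped as intended."""
    sections = parse_status(text)
    if link not in sections:
        return [f"{link}: link absent from resolvectl status (is Nebula up?)"]
    info, findings = sections[link], []
    servers = info.get("DNS Servers", [])
    if expect_dns and expect_dns not in servers:
        findings.append(f"{link}: DNS servers {servers} do not include {expect_dns}")
    if expect_domain not in info.get("DNS Domain", []):
        findings.append(f"{link}: routing domain {expect_domain} missing, names will not be routed here")
    if info.get("DefaultRoute setting", [""])[0] == "yes":
        findings.append(f"{link}: DefaultRoute is yes, names outside {expect_domain} may also be sent here")
    return findings

# Constructed sample in the shape of the output quoted above; 10.0.0.10 stands in
# for the Nebula IP of the Pi-hole (placeholder, not a real capture).
SAMPLE = """\
Global
         DNS Servers: 1.1.1.1
                      1.0.0.1

Link 17 (nebula1)
DefaultRoute setting: yes
         DNS Servers: 10.0.0.10
"""
```

Run it against `resolvectl status` output after step 2 above; an empty result means only ~nb names are routed to the Pi-hole.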