slackhq / nebula

A scalable overlay networking tool with a focus on performance, simplicity and security
MIT License
14.59k stars 980 forks source link

Control over client DNS servers #318

Open RealOrangeOne opened 4 years ago

RealOrangeOne commented 4 years ago

It's be great if, on connection to a nebula mesh, the DNS servers of the client could be modified. Specifically, not to the DNS server served by Nebula, as this just serves the hostnames of the other nodes from the lighthouse.

I'm imagining this working much like the DNS key in a wireguard config (man page for reference). On connection, the DNS servers the client uses are modified based on those specified in the client config. These settings would not be pushed down by the lighthouse (although perhaps they could / should be?). On disconnect, these settings would be restored to the system default.

For versatility, I don't think these DNS servers should be constrained to nodes.

It's possible to achieve this currently by wrapping the nebula command and using resolvconf on Linux, but this is far from being both universal, and cross-platform. Doing a custom solution on mobile is especially difficult!

SamSirry commented 3 years ago

I can guess one use case, but may I ask why, explicitly? Other than using one of the nodes/hosts as a DNS server, how else could this be helpful?

p.s.: I love your blog

RealOrangeOne commented 3 years ago

Does there have to be another reason? Overriding DNS can have a number of different uses to a number of different people, depends on what they want to do.

My prime use cases is being able to route specific domains over the VPN rather than the public internet, which is I suspect the main use case. Especially useful if the public route is to go via a proxy or gateway, a la this.

LennyPenny commented 2 years ago

this would be awesome!

My favorite personal use case would be:

This would allow one to easily get tracker blocking + name resolution for all nodes. Bonus points if this would also be supported on the nebula ios/android app to get those benefits while on cellular.

HyperCriSiS commented 2 years ago

Do I understand right, that if I connect my clients with nebula, I am not able anymore to use my pi-hole? I just found out about Nebula and was really excited to try it, but if I can't use pi-hole then anymore, it is unusable.

RealOrangeOne commented 2 years ago

@HyperCriSiS this is different. So long as your pihole is still accessible by the new routes created by Nebula, then it'll "just work" with no impact at all.

This issue is about specifically changing the DNS server used whilst connected to Nebula, which isn't what you're talking about. You can always change it manually, but there's currently no automated way of doing it.

CovertIII commented 2 years ago

+1

I wanted to do what @LennyPenny suggested. I actually set up set up a Nebula network this week including a Raspberry Pi (on my local network), iPhone, laptop, and an AWS instance as the lighthouse. I was able to access the Pi Hole config from my phone via the private IP address of the PiHole in the nebula network. I was also able to ssh into the Pi while I was away from my house (which was super cool). Then I went to set the DNS server on my phone in the nebula config and didn't find a place for it. Then I did some searching and came across this issue.

So then I researched WireGuard and set up a WireGuard network. The advantage of Nebula over WireGuard is I can easily get a direct connection to my Raspberry Pi from my phone because the lighthouse node coordinates this. With WireGuard all the traffic needs to route through the AWS server because there's not an easy way to get a direct connection when both peers are behind a NAT (https://www.jordanwhited.com/posts/wireguard-endpoint-discovery-nat-traversal/). It's probably nearly impossible to set up on my phone without writing a new client app. But I am able to set the DNS server on my phone with WireGuard. So that won out for what I was try to achieve.

The Nebula network was considerably easier to get set up given it's more centralized nature, all the certs are signed by the same CA. Whereas with WireGuard, you need to update the server every time you want to add another peer on the network.

All that to say if there was a way to set the DNS server on the config, that would be super cool. Especially on mobile since there's no way as a user I can update my DNS server when I'm on cellular and if I'm on WiFi I need to update it for every WiFi network I join.

wildardoc commented 2 years ago

Is there a way on an iphone to modify the dns servers? I would have thought that apple would have that locked down. I have at my house with my computers implemented the lighthouse dns and use it to lookup machine addresses. However that requires me to add entries with the resolvectl command to tell my computers to query *.schaefermesh.neb address at the dns server on the lighthouse. Any regular dns wouldn't know and thus I would have thought apple (or google for that matter) wouldn't allow you to redirect dns queries to a private dns server as they couldn't track/sell info about the dns lookup.

On Sat, Apr 16, 2022 at 10:27 AM Bill Covert @.***> wrote:

+1

I wanted to do what @LennyPenny https://github.com/LennyPenny suggested. I actually set up set up a Nebula network this week including a Raspberry Pi (on my local network), iPhone, laptop, and an AWS instance as the lighthouse. I was able to access the Pi Hole config from my phone via the private IP address of the PiHole in the nebula network. I was also able to ssh into the Pi while I was away from my house (which was super cool). Then I went to set the DNS server on my phone in the nebula config and didn't find a place for it. Then I did some searching and came across this issue.

So then I researched WireGuard and set up a WireGuard network. The advantage of Nebula over WireGuard is I can easily get a direct connection to my Raspberry Pi from my phone because the lighthouse node coordinates this. With WireGuard all the traffic needs to route through the AWS server because there's not an easy way to get a direct connection when both peers are behind a NAT ( https://www.jordanwhited.com/posts/wireguard-endpoint-discovery-nat-traversal/). It's probably nearly impossible to set up on my phone without writing a new client app. But I am able to set the DNS server on my phone with WireGuard. So that won out for what I was try to achieve.

The Nebula network was considerably easier to get set up given it's more centralized nature, all the certs are signed by the same CA. Whereas with WireGuard, you need to update the server every time you want to add another peer on the network.

All that to say if there was a way to set the DNS server on the config, that would be super cool. Especially on mobile since there's no way as a user I can update my DNS server when I'm on cellular and if I'm on WiFi I need to update it for every WiFi network I join.

— Reply to this email directly, view it on GitHub https://github.com/slackhq/nebula/issues/318#issuecomment-1100688659, or unsubscribe https://github.com/notifications/unsubscribe-auth/AIK3CW7NWZ5YC5OD5YYXH2DVFLL43ANCNFSM4SYNQTWQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

tcurdt commented 2 years ago

Is there a way on an iphone to modify the dns servers? I would have thought that apple would have that locked down.

There are other apps that do it (I think zerotier and wireguard support this). It's probably just a matter of entitlements and review.

noseshimself commented 2 years ago

Other than using one of the nodes/hosts as a DNS server, how else could this be helpful?

Actually most "reasonable VPN software" is providing that because it will permit you access to a previously unreachable DNS server with different/more knowledge (e. g. the names belonging to the inner structure of a private network). It's something many larger entities require...

uliluckas commented 2 years ago

+1 Any progress in the decision process wether to put that on the road map?

Cyberes commented 1 year ago

@LennyPenny

set DNS setting on the lighthouse to a node on the network running a pi-hole

That's exactly what I'd like to do, too. I'd like to not have to manually set the system's DNS servers of each nebula nebula host to the IP of the Pi-Hole both for administration reasons. It would be fantastic if DNS servers were either pre-set through the config or pushed down from the lighthouses and the nebula client would automatically change the system's DNS nameserver.

The DNS servers don't even have to be on the nebula network, all they have to do is return a record pointing to a nebula IP. In my usecase, I'd have nebula DNS server overwrite the domains of my services so they're accessible through the nebula network. For example, if I had example.com pointing to 123.123.123.123 on the normal internet, my nebula DNS server would change that to 10.0.0.10 without me having to manually change the DNS nameserver of my host when I leave and join.

Cyberes commented 1 year ago

I got DNS resolution set up on my Nebula network in a way that makes it easy for my Ubuntu laptop to join and leave the network regularly and not have to manually update the DNS settings. Here's what I did:

Install Pi-hole

  1. Install Pi-hole on the primary lighthouse node. During the install process, make sure to set it to listen on the nebula1 interface (the interface must exist or this option won't be available).
  2. Add some custom domains for Pi-hole to resolve in Custom DNS > DNS Records. I use the .nb domain.
  3. In Settings > DNS > Interface settings, set it to Respond only on interface nebula1.

Set up Ubuntu

  1. Create the file /etc/systemd/network/nebula1.network and put this in it:

    [Match]
    Name=nebula1
    
    [Network]
    DNS=<Nebula IP of your DNS server>
    Domains=~nb

    I use the .nb TLD for my Nebula domains so I add ~nb to Domains. This will make systemd-resolved use your custom DNS server for any .nb domain.

  2. Restart the network services. It's important to stop Nebula first so it doesn't get confused when you drop the network.

    
    sudo service nebula stop
    sudo systemctl daemon-reload
    sudo systemctl restart systemd-networkd
    sudo systemctl restart systemd-resolved
    sudo service network-manager restart
    sudo service nebula start
  3. Now confirm your changes with resolvectl status. It should look something like this:

    Global
           LLMNR setting: no                  
    MulticastDNS setting: no                  
      DNSOverTLS setting: no                  
          DNSSEC setting: no                  
        DNSSEC supported: no                  
      Current DNS Server: 1.1.1.1             
             DNS Servers: 1.1.1.1             
                          1.0.0.1             
              DNSSEC NTA: <long list of servers>                
    
    Link 17 (nebula1)
          Current Scopes: DNS       
    DefaultRoute setting: yes       
           LLMNR setting: yes       
    MulticastDNS setting: no        
      DNSOverTLS setting: no        
          DNSSEC setting: no        
        DNSSEC supported: no        
      Current DNS Server: <your Nebula DNS server IP>
             DNS Servers: <your Nebula DNS server IP>
  4. You can test DNS resolution still works when your Nebula link is down with:

    dig test.nb
    sudo service nebula stop
    dig google.com
    dig test.nb

    Where test.nb is a domain you set for Pi-hole to resolve. The first dig test.nb will work and after Nebula is stopped dig google.com should work but dig test.nb won't.

  5. To make Firefox resolve your .nb domains:

    1. Search for browser.fixup.domainsuffixwhitelist.nb
    2. Click the + to add a new key. Set it to true.

This doesn't work for Android since I think it doesn't send DNS over the VPN connection created by the app -> https://github.com/DefinedNet/mobile_nebula/issues/103