DNS & network news

Author Archive: firstdns

Blocking port 53 to force DNS over TLS Problem

Hi everyone!

First time poster here and was hoping for some help.

Overview of my setup: Pfsense box running in dns resolver mode with domain override pointing to my AD DNS servers and forwarding mode to 1.1.1.1 and 1.0.0.1 for DNS over TLS. All domain clients point to my internal AD DNS. Lastly, I added my pfsense box IP to the AD DNS forwarder list.

Problem: Resolving *SOME* host names for websites very slow and also preventing VPN from starting unless I use an IP instead of host name. Also causing issues with pfsense updates not working. Website once loaded is fast, but then if I close browser and wait a bit, it will revert to loading slow again for the first time visiting.

Cause: I narrowed down the cause to a floating rule I have that blocks port 53 DNS in the “Out” direction on my WAN/VPN interface. If I disable this rule, everything works normally but then my network starts using port 53 for DNS instead of 853.

Banging my head for a while over why blocking port 53 outbound causes these issues – as it seems no one else doing this has similar complaints. Any help is appreciated! Thanks

submitted by /u/TechGeek0011

Powered by WPeMatico

DNS CNAME Not Resolving

Morning all,

Having some DNS problems that I can’t figure out. Let me start by giving you a rough guide to how I have things set up.

I have a Windows DNS server set up and configured at home, along with an NGINX reverse proxy, serving a couple of different sites on a web server. On the web server I have Plex, Radarr, Sonarr and NZBGET installed, and have set up the reverse proxy to point to this server but with a passthrough to the relevant port. This is all working fine.

Obviously, I have then set up CNAME records for each of the following, all pointing to the reverse proxy.

  • plex.domain.com
  • radarr.domain.com
  • sonarr.domain.com
  • nzb.domain.com

https://preview.redd.it/5y1rzpff4pd41.png?width=602&format=png&auto=webp&s=18798e33837bf8d967001a133200c8cdedfee822

I have OpenVPN set up on my router, and I’m currently at work, connected to my home network via the VPN.

The problem I’m having is that “plex.domain.com” is resolving externally from my work PC, both in a browser and when I try and ping it.

Initially I thought that it was a problem with the VPN not pushing my DNS server, but everything else, which is configured exactly the same as “plex.domain.com” is working fine across the VPN.

If I RDP or SSH onto any of my devices at home “plex.domain.com” resolves as it should and is routed through the reverse proxy.

Any ideas welcome.

submitted by /u/TheD4rkSide

How would the TTL of a CNAME work?

Hi, we use Windows DNS and you can set the TTL per record there (is that possible in bind btw?) but I don't know how the TTL of a CNAME works.

For example, if I have an A record a.example.com with a TTL of 15 minutes and a CNAME pointing to that with a TTL of 1 day. Someone/something caches that. Then would it cache the result of the lookup (the IP) for 15 minutes and the fact that it points to a.example.com for a day? So, treat it as 2 separate lookups.

Or would it cache the complete result for a day, treating it as 1 lookup with the TTL of the CNAME?

My guess is the first, simply because it makes more sense (to me) but I would really like to be sure.

submitted by /u/Xzenor
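An added illustration (not part of the post above) of how a caching resolver stores the CNAME and the A record it points to as separate cache entries, each with its own TTL; the names, TTLs and the 192.0.2.10 address are constructed for the example:

```python
"""Toy caching resolver: every resource record is cached under its own TTL,
so a CNAME with a 1-day TTL and its target A record with a 15-minute TTL
expire independently."""

# Constructed authoritative data for the example (RFC 5737 test address).
AUTHORITATIVE = {
    ("www.example.com", "CNAME"): ("a.example.com", 86400),  # 1 day
    ("a.example.com", "A"): ("192.0.2.10", 900),            # 15 minutes
}


def query_upstream(name):
    """Stand-in for an authoritative answer: (rtype, value, ttl)."""
    if (name, "CNAME") in AUTHORITATIVE:
        target, ttl = AUTHORITATIVE[(name, "CNAME")]
        return "CNAME", target, ttl
    addr, ttl = AUTHORITATIVE[(name, "A")]
    return "A", addr, ttl


class CachingResolver:
    def __init__(self):
        self.cache = {}             # (name, rtype) -> (value, expires_at)
        self.upstream_queries = []  # every (name, rtype) sent upstream

    def _cached(self, key, now):
        hit = self.cache.get(key)
        return hit[0] if hit and now < hit[1] else None

    def resolve_a(self, name, now, max_chain=8):
        """Follow CNAMEs to an address; each hop is looked up and cached on its own."""
        for _ in range(max_chain):
            target = self._cached((name, "CNAME"), now)
            if target is not None:      # CNAME still fresh: no upstream query for it
                name = target
                continue
            addr = self._cached((name, "A"), now)
            if addr is not None:
                return addr
            rtype, value, ttl = query_upstream(name)
            self.upstream_queries.append((name, rtype))
            self.cache[(name, rtype)] = (value, now + ttl)  # own TTL per record
            if rtype != "CNAME":
                return value
            name = value
        raise RuntimeError("CNAME chain too long")


def demo():
    r = CachingResolver()
    r.resolve_a("www.example.com", now=0)     # both records fetched upstream
    r.resolve_a("www.example.com", now=600)   # 10 min later: both from cache
    r.resolve_a("www.example.com", now=1200)  # 20 min: A expired, CNAME reused
    return r.upstream_queries
```

At the 20-minute mark only a.example.com is re-queried; the CNAME entry is served from cache until its own day-long TTL runs out.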

Very slow DNS lookup unless using Google/Cloudflare

I’m setting up WiFi for a new Win 10 laptop and the DNS lookup is abysmally slow, on the order of seconds when it doesn’t time out. However if I manually change the DNS provider to either 1.1.1.1 or 8.8.8.8 everything loads lightning fast. Likewise punching in the IP directly for a website loads it quickly too.

Is this a symptom of any particular problem? Other devices (phones, game consoles) on the same network don’t have this issue at all, just the laptop.

submitted by /u/xXx_THYME_LOOPER_xXx

Layman Needs Help Understanding (privacy) Implications of Self-Hosted DNS server

Hi everyone.

tl;dr What are the pros and cons of hosting your own DNS server via unbound (for the purposes of privacy)?

*****

I am concerned that there may be misinformation being spread about self-hosting (not for a website) your own DNS server. Please help me to clear up my own confusion/point me to what I need to learn to begin to understand and discern for myself.

I frequent subreddits such as r/pihole, r/privacytoolsIO, r/privacy, and r/theprivacymachine. Occasionally people recommend self-hosting your own DNS server on your LAN for the purpose of not giving your internet history to recursive DNS servers (think CloudFlare, Google, Quad9, NextDNS, etc.) and minimizing the requests that you’re sending out by having a local cache.

Here is the usual recommended setup: Unbound with DNSSEC and a cache. They recommend not forwarding requests to recursive DNS servers, however, wouldn’t this make my network traffic stand out more than if I had discerningly picked a handful of privacy-respecting recursive DNS servers in my Unbound configuration? Additionally, the only guide I have found that has included properly setting up TLS certificates has been this one: https://www.ctrl.blog/entry/unbound-tls-forwarding.html

I am currently using the following setup: https://docs.pi-hole.net/guides/unbound/

*****

Based on my reading so far I think I should be using:

****

Please help an ignorant layman learn to understand this for himself, so I can take my own threat model and understand fully what I’m doing here.

submitted by /u/DavidJAntifacebook

Should I have the same DNS entries with my domain registrar and on the hosting server?

I’m migrating away from shared hosting and had a question about configuring my new set-up.

I’ve transferred the domain to Google Domains. I’m using their name servers. And, I’ve moved the DNS records over as well.

And, I’ve transferred the site to a VPS at Upcloud. I have an option to add some DNS entries (A and CNAME–but not TXT) to the server as well.

Do I want to create the same A and CNAME on the Upcloud server that I use at Google Domains? Or do I leave them blank at the Upcloud server since they’re already included at Google Domains?

Any insight or context would be appreciated.

Thanks!

submitted by /u/chriscasemart