how best to handle DNS on firewalled home network?

2007-11-15 Thread Jonathan Thornburg
I'm setting up a home firewall, intended to (try to) protect "client"
machines (mostly family members' MS-Windoze laptops) from misc internet
threats.  I have a couple of questions about how best to handle DNS
on/through the firewall:

The firewall runs 4.2-stable, and has 2 network interfaces, one for the
inside (protected) network, and one to talk to the Big Bad Internet.
More precisely, the outside interface goes to an ISP-supplied ADSL
modem/router box, which gives out addresses & DNS-server-addresses
via DHCP.  The firewall uses pf (with "scrub in all") to NAT traffic
between the interfaces; its ruleset blocks everything except for
connections initiated by inside machines.

My plan is to have the firewall run its own dhcpd on its inside interface,
giving out private client addresses in the 192.168.0.0/16 address range.
(This way clients can be kept at the same MS-Windoze "configure everything
automagically" DHCP settings they would use elsewhere.)

The purpose of this message is to ask for advice on how to handle
DNS on the firewall.  I can see two basic options:
(a) When the firewall boots, after the outside network is configured
(via /etc/rc running dhclient) a shell/grep/perl script on the
firewall copies the DNS server addresses from /etc/resolv.conf
into /etc/dhcpd.conf, and only then does the firewall start its
dhcpd on the inside interface.  dhcpd will then hand out the
(ISP-provided) DNS server addresses to clients at the same time
it gives them their local addresses, causing the clients to
directly query my ISP's DNS servers.
(b) The firewall's dhcpd is configured to tell clients that the
firewall itself is a DNS server.  The firewall also runs a DNS
proxy (eg /usr/ports/net/totd or /usr/ports/www/squid,transparent).
Clients then query the firewall as a DNS server, and the firewall
(i.e. OpenBSD's resolver(3) routines in libc) queries my ISP's
DNS servers as needed, and (via the DNS proxy) passes the results
back to clients.

(b) looks a bit harder to set up on the firewall (I need to configure
the DNS proxy whereas (a) just has to allow DNS traffic in /etc/pf.conf).
On the other hand, (b) also looks a bit more secure, because only
OpenBSD's resolver(3) routines are exposed to the outside world, not
the clients' resolvers.  For the same reason, I suspect (b) might also
be a little less vulnerable to DNS cache-poisoning attacks.

Questions:
* Are there other (significant) advantages/disadvantages of (a) vs (b)
  that I haven't thought of?
* Are there other design options that I haven't thought of?
* What do other people do about DNS in firewalled home networks?

thanks for any advice, wisdom, tips-n-tricks, etc,

-- 
-- Jonathan Thornburg (remove -animal to reply) <[EMAIL PROTECTED]>
   School of Mathematics, U of Southampton, England
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam
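Option (a) from the post above, written out as a script. This is an added example, not code from Jonathan's message or from OpenBSD: it reads the nameserver lines that dhclient wrote into /etc/resolv.conf and turns them into the global domain-name-servers option in /etc/dhcpd.conf, refusing to touch the file if no nameserver is present. The interface name sis1 and the 203.0.113.x addresses in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example for option (a); not code from the thread. Reads the nameserver
# lines dhclient wrote to /etc/resolv.conf and puts them into /etc/dhcpd.conf
# as the global domain-name-servers option. Run it after the outside interface
# is up and before dhcpd is started on the inside interface.

# Print "option domain-name-servers a, b;" built from every nameserver line in
# the given resolv.conf. Prints nothing and fails when no nameserver is listed,
# so clients are never handed an empty server list.
dhcpd_dns_option() {
    servers=$(awk '$1 == "nameserver" { s = s (s == "" ? "" : ", ") $2 }
                   END { print s }' "$1")
    [ -n "$servers" ] || return 1
    printf 'option domain-name-servers %s;\n' "$servers"
}

# Rewrite the dhcpd.conf given as $1 from the resolv.conf given as $2: replace
# an existing global domain-name-servers line, or prepend one if there is none.
# Writes a temporary file first so a failure leaves the old config intact
# (mktemp creates it mode 0600, which is fine for a root-only config).
update_dhcpd_conf() {
    conf=$1
    resolv=$2
    line=$(dhcpd_dns_option "$resolv") || {
        echo "$0: no nameserver lines in $resolv, leaving $conf alone" >&2
        return 1
    }
    tmp=$(mktemp "${TMPDIR:-/tmp}/dhcpd.conf.XXXXXX") || return 1
    if grep -q '^option domain-name-servers' "$conf"; then
        awk -v l="$line" '/^option domain-name-servers/ { print l; next } { print }' \
            "$conf" > "$tmp"
    else
        { printf '%s\n' "$line"; cat "$conf"; } > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Typical use from a boot script, after dhclient has run on the outside
# interface and before dhcpd is started on the inside one (sis1 is assumed):
#   update_dhcpd_conf /etc/dhcpd.conf /etc/resolv.conf && dhcpd sis1
if [ $# -eq 2 ]; then
    update_dhcpd_conf "$1" "$2"
fi
```

Note what this design exposes: every client resolver on the inside talks to the ISP's servers directly, so a change of ISP nameservers or an outage there is seen by every laptop, and the script has to run again whenever dhclient renews with different addresses.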



Re: how best to handle DNS on firewalled home network?

2007-11-15 Thread Frank Bax

Jonathan Thornburg wrote:

My plan is to have the firewall run its own dhcpd on its inside interface,
giving out private client addresses in the 192.168.0.0/16 address range.
(This way clients can be kept at the same MS-Windoze "configure everything
automagically" DHCP settings they would use elsewhere.)



The OpenBSD router/firewall on my home network uses only dhcpd and 
named; a few pf rules to allow some port forwarding; and ipcheck to 
monitor dynamic ip address.  dhcpd tells clients OpenBSD is name-server.




Re: how best to handle DNS on firewalled home network?

2007-11-15 Thread L. V. Lammert
On Thu, 15 Nov 2007, Daniel Melameth wrote:

> On 11/15/07, Jonathan Thornburg <[EMAIL PROTECTED]> wrote:
> > (a) When the firewall boots, after the outside network is configured
> >(via /etc/rc running dhclient) a shell/grep/perl script on the
> >firewall copies the DNS server addresses from /etc/resolv.conf
> >into /etc/dhcpd.conf, and only then does the firewall start its
> >dhcpd on the inside interface.  dhcpd will then hand out the
> >(ISP-provided) DNS server addresses to clients at the same time
> >it gives them their local addresses, causing the clients to
> >directly query my ISP's DNS servers.

It's generally a bad thing to use public addresses for Windoze machines
(especially of the Windoze variety), .. so it would be much better to use
offnet addresses internally.

Should not be a problem using the ISPs DNS servers, however, .. they won't
change.

Lee


  Leland V. Lammert                  [EMAIL PROTECTED]
  Chief Scientist                    Omnitec Corporation
  Network/Internet Consultants       www.omnitec.net




Re: how best to handle DNS on firewalled home network?

2007-11-15 Thread Stuart Henderson
On 2007/11/15 17:02, Jonathan Thornburg wrote:
> (b) The firewall's dhcpd is configured to tell clients that the
> firewall itself is a DNS server.

I find ISP DNS servers to give enough trouble that I always do this,
even if it means not benefitting from their cache.

>  The firewall also runs a DNS proxy (eg /usr/ports/net/totd or
> /usr/ports/www/squid,transparent).

Squid isn't a DNS proxy (though if you only want web browser
access for clients, they don't strictly speaking need DNS, they
could just proxy all their requests through a normal squid).

totd is a special DNS proxy for ipv6-only clients behind a nat-pt
gateway.

I'd just use the built-in named - to use it as a resolver for local
subnets you don't need to configure it, just enable it in rc.conf.local



Re: how best to handle DNS on firewalled home network?

2007-11-15 Thread Daniel Melameth
On 11/15/07, Jonathan Thornburg <[EMAIL PROTECTED]> wrote:
> I'm setting up a home firewall, intended to (try to) protect "client"
> machines (mostly family members' MS-Windoze laptops) from misc internet
> threats.  I have a couple of questions about how best to handle DNS
> on/through the firewall:
>
> The purpose of this message is to ask for advice on how to handle
> DNS on the firewall.  I can see two basic options:
> (a) When the firewall boots, after the outside network is configured
>(via /etc/rc running dhclient) a shell/grep/perl script on the
>firewall copies the DNS server addresses from /etc/resolv.conf
>into /etc/dhcpd.conf, and only then does the firewall start its
>dhcpd on the inside interface.  dhcpd will then hand out the
>(ISP-provided) DNS server addresses to clients at the same time
>it gives them their local addresses, causing the clients to
>directly query my ISP's DNS servers.
> (b) The firewall's dhcpd is configured to tell clients that the
>firewall itself is a DNS server.  The firewall also runs a DNS
>proxy (eg /usr/ports/net/totd or /usr/ports/www/squid,transparent).
>Clients then query the firewall as a DNS server, and the firewall
>(i.e. OpenBSD's resolver(3) routines in libc) queries my ISP's
>DNS servers as needed, and (via the DNS proxy) passes the results
>back to clients.
>
> (b) looks a bit harder to set up on the firewall (I need to configure
> the DNS proxy whereas (a) just has to allow DNS traffic in /etc/pf.conf).
> On the other hand, (b) also looks a bit more secure, because only
> OpenBSD's resolver(3) routines are exposed to the outside world, not
> the clients' resolvers.  For the same reason, I suspect (b) might also
> be a little less vulnerable to DNS cache-poisoning attacks.
>
> Questions:
> * Are there other (significant) advantages/disadvantages of (a) vs (b)
>  that I haven't thought of?
> * Are there other design options that I haven't thought of?
> * What do other people do about DNS in firewalled home networks?

Even for a small network, I like having an internal zone for the local
LAN--so I'd setup named with a master internal zone--and, by default,
named will also query the root servers and act as cache for your local
clients.  However, if you don't want named querying the root servers,
you can configure your ISP's name servers as forwarders.



Re: how best to handle DNS on firewalled home network?

2007-11-15 Thread knitti
On 11/15/07, Jonathan Thornburg <[EMAIL PROTECTED]> wrote:
> I'm setting up a home firewall, intended to (try to) protect "client"
> machines (mostly family members' MS-Windoze laptops) from misc internet
> threats.  I have a couple of questions about how best to handle DNS
> on/through the firewall:

just use named in caching mode (should work out of the box) and forget
your isp's name servers. it costs next to nothing performance-wise and
works really well. a soekris 4501 firewall (100MHz/ 64 MB RAM) does handle
a DSL-type connection (4 MBit) including dhcpd, named and ntpd very
well.

--knitti



Re: how best to handle DNS on firewalled home network?

2007-11-15 Thread Darrin Chandler
On Thu, Nov 15, 2007 at 08:00:22PM +0100, knitti wrote:
> just use named in caching mode (should work out of the box) and forget
> your isp's name servers. it costs next to nothing performance-wise and
> works relly well. a soekris 4501 firewall (100MHz/ 64 MB RAM) does handle
> a DSL-type connection (4 MBit) including dhcpd, named and ntpd very
> well.

This is what I do. My direct upstream name servers are not reliable
enough. Using caching DNS makes my home network much happier.

On the firewall/router, it's nice to use "supersede domain-name-servers
127.0.0.1;" in dhclient.conf, so the router itself gets the same
benefit.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: how best to handle DNS on firewalled home network?

2007-11-15 Thread evo

Jonathan Thornburg wrote:

The purpose of this message is to ask for advice on how to handle
DNS on the firewall.  I can see two basic options:
(a) When the firewall boots, after the outside network is configured
(via /etc/rc running dhclient) a shell/grep/perl script on the
firewall copies the DNS server addresses from /etc/resolv.conf
into /etc/dhcpd.conf, and only then does the firewall start its
dhcpd on the inside interface.  dhcpd will then hand out the
(ISP-provided) DNS server addresses to clients at the same time
it gives them their local addresses, causing the clients to
directly query my ISP's DNS servers.
(b) The firewall's dhcpd is configured to tell clients that the
firewall itself is a DNS server.  The firewall also runs a DNS
proxy (eg /usr/ports/net/totd or /usr/ports/www/squid,transparent).
Clients then query the firewall as a DNS server, and the firewall
(i.e. OpenBSD's resolver(3) routines in libc) queries my ISP's
DNS servers as needed, and (via the DNS proxy) passes the results
back to clients.
  
My home router runs minimum-configured named, serving as the only DNS 
server for internal windows machines and using opendns.com nameservers 
as forwarders. Internal boxes get their IP addresses and address of DNS 
server from dhcpd running on the router.


Also router runs (of course!) PF in "block in/pass out" manner plus some 
port forwarding for p2p networks, and SQUID for http caching. Pretty simple.




Re: how best to handle DNS on firewalled home network?

2007-11-19 Thread Jonathan Thornburg
In message ,
I wrote:
> I'm setting up a home firewall, intended to (try to) protect "client"
> machines (mostly family members' MS-Windoze laptops) from misc internet
> threats.
[[...]]
> My plan is to have the firewall run its own dhcpd on its inside interface,
[[...]]
> The purpose of this message is to ask for advice on how to handle
> DNS on the firewall.  I can see two basic options:
> (a) [[firewall gives out outside DNS server addresses to inside
> machines via dhcp]]
> (b) [[firewall tells inside machines that the
> firewall itself is a DNS server; firewall runs a DNS proxy to
> pass DNS requests on to outside DNS servers]]

I'd like to thank the many people who responded, both on the list and
by private E-mail.  Here's a synopsis of the replies:
* Opinion was unanimous that (b) is more secure, and generally better.
* OpenBSD's named will work fine as my "DNS proxy" (more accurately,
  recursive resolver) on the firewall; it should need very little
  configuration to do this, quite possibly just  named_flags=""  in
  /etc/rc.conf.local
* Several people mentioned that having the firewall's named *caching*
  DNS entries will also improve reliability (since ISP nameservers are
  often flaky).  One person also mentioned that s/he uses opendns.com
  instead of ISP nameservers.

Again, my thanks to all who responded.

ciao,

-- 
-- Jonathan Thornburg (remove -animal to reply) <[EMAIL PROTECTED]>
   School of Mathematics, U of Southampton, England
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam



Re: how best to handle DNS on firewalled home network?

2007-11-19 Thread Stuart Henderson
On 2007/11/19 23:46, Jonathan Thornburg wrote:
>   One person also mentioned that s/he uses uses opendns.com
>   instead of ISP nameservers.

N.B. by default they will return a positive response for non-
existent domains (for typo correction) and bogus responses to
provide warnings about phishing sites etc.

This might be acceptable (or maybe beneficial) for web browsers,
but can be a problem for other hosts (e.g. mail servers). You can
disable this per-IP-address if you create an account with them.
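Pulling the thread's option (b) advice together (Stuart's and knitti's "just enable named", Daniel's and evo's forwarders, Darrin's dhclient.conf supersede, Jonathan's synopsis, and Stuart's last note about resolvers that answer for names that do not exist), here is an added example that is not code from any of the posters or from OpenBSD. It writes the four config fragments to a staging directory for review. The interface names sis0/sis1, the 192.168.1.0/24 subnet, the local domain home.example and the 192.0.2.x forwarder addresses are all assumptions; the named.conf follows the layout of the stock OpenBSD named.conf of the time (chroot in /var/named, hint zone in etc/root.hint) and the pf rules use 4.2 syntax.

```shell
#!/bin/sh
# Added example, not code from the thread: writes the config fragments for
# option (b), the firewall's own named as the only resolver the inside network
# is told about, into a staging directory for review. Interface names,
# addresses, the local domain and the forwarder addresses are assumptions;
# 192.0.2.x are placeholders for real upstream resolvers.

INT_IF=${INT_IF:-sis1}                  # inside interface (assumed name)
EXT_IF=${EXT_IF:-sis0}                  # outside interface, towards the ADSL box
INT_NET=${INT_NET:-192.168.1.0/24}      # inside subnet, CIDR form for named and pf
INT_SUBNET=${INT_SUBNET:-192.168.1.0}   # same subnet as address plus netmask,
INT_MASK=${INT_MASK:-255.255.255.0}     # which is what dhcpd.conf wants (/24 assumed)
FW_ADDR=${FW_ADDR:-192.168.1.1}         # firewall's address on the inside interface
FORWARDERS=${FORWARDERS:-"192.0.2.53; 192.0.2.54;"}  # ISP's or chosen upstream resolvers

# /var/named/etc/named.conf. named runs chrooted in /var/named on OpenBSD, so
# the hint file path is relative to the chroot, as in the stock named.conf.
gen_named_conf() {
    cat <<EOF
acl inside { 127.0.0.1; $INT_NET; };

options {
    version "";                          // hide the BIND version
    listen-on { 127.0.0.1; $FW_ADDR; };  // never on the outside interface
    allow-recursion { inside; };         // recursion for the LAN only: not an open resolver
    forwarders { $FORWARDERS };          // drop these two lines to have named
    forward only;                        // iterate from the root servers itself
};

zone "." { type hint; file "etc/root.hint"; };
EOF
}

# /etc/dhcpd.conf: clients learn the firewall, not the ISP, as their DNS server.
gen_dhcpd_conf() {
    cat <<EOF
option domain-name "home.example";
option domain-name-servers $FW_ADDR;

subnet $INT_SUBNET netmask $INT_MASK {
    option routers $FW_ADDR;
    range ${INT_SUBNET%.*}.100 ${INT_SUBNET%.*}.199;
}
EOF
}

# Fragment for /etc/pf.conf in 4.2 syntax. The last matching rule wins, so the
# DNS block comes after the general pass for the inside network: a laptop with
# a hardcoded outside resolver is logged instead of quietly bypassing the cache.
gen_pf_rules() {
    cat <<EOF
ext_if = "$EXT_IF"
int_if = "$INT_IF"
int_net = "$INT_NET"
fw_addr = "$FW_ADDR"

set skip on lo0
scrub in all
nat on \$ext_if from \$int_net to any -> (\$ext_if)

block all
pass out on \$ext_if keep state
pass in on \$int_if inet proto udp from any port bootpc to any port bootps
pass in on \$int_if from \$int_net to any keep state
block in log on \$int_if proto { tcp, udp } from \$int_net to ! \$fw_addr port domain
pass in on \$int_if proto { tcp, udp } from \$int_net to \$fw_addr port domain keep state
EOF
}

# /etc/dhclient.conf: the firewall itself resolves through its own named too.
gen_dhclient_conf() {
    echo 'supersede domain-name-servers 127.0.0.1;'
}

# Ask a resolver for a name that cannot exist and report the status; returns 0
# only on a real NXDOMAIN, 1 if the resolver synthesises an answer (typo
# correction) or is unreachable. Needs the network, so not exercised here.
check_nxdomain() {
    status=$(dig +noall +comments "nx-$$-$(date +%s).example." @"$1" 2>/dev/null |
             sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    echo "$1: ${status:-no answer}"
    [ "$status" = "NXDOMAIN" ]
}

write_staging() {
    mkdir -p "$1" || return 1
    gen_named_conf    > "$1/named.conf"
    gen_dhcpd_conf    > "$1/dhcpd.conf"
    gen_pf_rules      > "$1/pf.conf.dns"
    gen_dhclient_conf > "$1/dhclient.conf"
    echo "staged in $1; check with pfctl -nf and named-checkconf before installing"
}

if [ $# -ge 1 ]; then
    write_staging "$1"
fi
```

Two things to check before installing the staged files. First, once `supersede domain-name-servers 127.0.0.1;` is in dhclient.conf, /etc/resolv.conf no longer carries the ISP's addresses, so the forwarders have to be set by hand or left out so that named iterates from the roots itself, as knitti suggested. Second, run `check_nxdomain` against any forwarder you intend to use (e.g. `check_nxdomain 192.0.2.53`): a resolver that answers NOERROR for the random name is one that rewrites NXDOMAIN, which is the behaviour Stuart warns will confuse mail servers and anything else that relies on an honest "no such name". Enable both daemons in /etc/rc.conf.local (`named_flags=""` as in the synopsis, and `dhcpd_flags` set to the inside interface name) and validate with `pfctl -nf /etc/pf.conf` and `named-checkconf -t /var/named /etc/named.conf`.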