#StackBounty: #domain-name-system #vpn Resolving one interface's (wlan0) request using DNS in another interface's (VPN) network

Bounty: 100

What I am trying to accomplish:

I have a WireGuard reverse VPN Setup that does not route my traffic, but lets me connect to my raspberry pi from within the Internet using a public server as "bridge".

I installed pihole on the raspberry pi. Now, I want to use the pi as DNS (over WireGuard) while sending the actual HTTP request from my actual device.

Basically, I want it to work like this:

192.168.0.x (wlan0@localhost) requests a URL. The DNS at 192.168.66.z (pihole) resolves the URL and sends the IP back to 192.168.66.y (wg0@localhost). This answer is then used to send the HTTP request from 192.168.0.x (wlan0@localhost).

What I’ve tried:

Obviously, I have tried to enter the pi’s VPN IP into NetworkManager. This has given me some headache, as my Ubuntu (5.4.0-42-generic #46~18.04.1-Ubuntu) was always falling back to its default DNS (which I did not want, even when the VPN DNS worked). I found a workaround provided by user2427436 on an SO thread here.

What the issue is:

While I can force the DNS to use (without falling back to the router’s/default DNS), I cannot manage to use the pihole as DNS. I can connect to the pi via the tunnel (e.g. HTTP, SSH, ...), and port 53 (for DNS) is open in the firewall. I still cannot resolve any domain names. Also, checking journalctl -xe on the pi does not show any hint that the device tried to connect/resolve.

I would really like to understand why this is not working and how it is supposed to work. I feel like I am missing something on how DNS works.

What would be the correct logfile to check here? Do you have any suggestions what I should try next?

EDIT:

DNS is set up per network device. Does my wlan0 device at 192.168.0.0/24 know about the wg0 device and its address space 192.168.66.0/24? May this be the cause of the problem, that I try to resolve a request from wlan0 using a DNS over wg0?
If yes, how would I solve this?


Get this bounty!!!

#StackBounty: #domain-name-system #openvpn #internal-dns #dns-zone #amazon-route53 Fix Failed DNS Lookups Caching on VPN

Bounty: 50

I have an OpenVPN instance on AWS I’m using to control access to admin tools. I have an internal Route53 zone and a BIND instance which OpenVPN sets as the client DNS. Everything works great, except that whenever I open my laptop, if I have a dashboard open to grafana.mydomain.com, it attempts to resolve to the public Route53 zone and fails, since this record is only in the private zone. When the VPN connects a moment later, the previous failure remains cached for 5 minutes.

Is there any way to fix this behavior (without modifying the client machine)? Something like clearing the DNS cache on connect to the VPN or reduce the time the missed lookups are cached for?


Get this bounty!!!
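Both posts above come down to two questions about a single DNS exchange: which server the query actually reaches, and what the reply says about how long it may be cached. For the WireGuard setup, a name server address is just a destination IP; the kernel chooses the outgoing interface from the routing table for that destination (the wg0 route for 192.168.66.0/24), not from which interface NetworkManager attached the DNS setting to, so the quickest way to separate "the stub resolver never uses Pi-hole" from "the query never reaches Pi-hole" is to send one query straight at the tunnel address and watch for it on the pi (Pi-hole keeps its own query log, `pihole -t` tails it, rather than writing to the journal). For the OpenVPN setup, how long a failed lookup stays cached is advertised by the authoritative server: a negative reply carries the zone's SOA in its authority section, and RFC 2308 caches it for the smaller of that SOA's TTL and its MINIMUM field, which is a setting on the public zone rather than on the client. The following Python is an added example, not code from either post; it builds a query, parses the reply (including the SOA in a negative answer), and can send the query from a chosen source address. The server addresses, names and the two sample replies in it are constructed for illustration.

```python
import socket
import struct

QTYPE = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 16: "TXT", 28: "AAAA"}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Dotted name -> uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qname, qtype=1, txid=0x1234):
    """One question, RD=1, no EDNS: the shape of what a stub resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], 0, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 s.4.1.4)
            end, hops = end or off + 2, hops + 1   # the name ends in the wire after the first pointer
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:
            return ".".join(labels), end or off + 1
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def parse_rr(msg, off):
    name, off = decode_name(msg, off)
    rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == 1 and rdlen == 4:
        data = ".".join(str(b) for b in msg[off:off + 4])
    elif rtype == 6:                               # SOA: carries the negative-cache TTL
        mname, p = decode_name(msg, off)
        rname, p = decode_name(msg, p)
        serial, _, _, _, minimum = struct.unpack("!IIIII", msg[p:p + 20])
        data = {"mname": mname, "rname": rname, "serial": serial, "minimum": minimum}
    else:
        data = msg[off:off + rdlen]
    return {"name": name, "type": QTYPE.get(rtype, rtype), "ttl": ttl, "data": data}, off + rdlen

def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    resp = {"id": txid, "rcode": RCODE.get(flags & 0xF, flags & 0xF)}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        resp[section] = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            resp[section].append(rr)
    return resp

def negative_cache_ttl(resp):
    """RFC 2308 s.5: NXDOMAIN/NODATA is cached for min(SOA TTL, SOA MINIMUM); None if not negative."""
    if resp["answer"]:
        return None
    for rr in resp["authority"]:
        if rr["type"] == "SOA":
            return min(rr["ttl"], rr["data"]["minimum"])
    return None

def resolve(server, qname, qtype=1, source=None, timeout=2.0):
    """Send one query straight to `server` over UDP; `source` binds the local address it leaves from."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        if source:
            s.bind((source, 0))
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

def sample_nxdomain():
    """Constructed reply: NXDOMAIN for nosuch.example.com with the zone SOA (TTL 300, MINIMUM 86400)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 1, 0)        # QR RD RA RCODE=3
    question = encode_name("nosuch.example.com") + struct.pack("!HH", 1, 1)
    rdata = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
             + struct.pack("!IIIII", 2020020401, 7200, 900, 1209600, 86400))
    owner = b"\xc0\x13"                                            # pointer to "example.com" at offset 19
    return hdr + question + owner + struct.pack("!HHIH", 6, 1, 300, len(rdata)) + rdata

def sample_a():
    """Constructed reply: pi.example.com A 192.168.66.2, TTL 60."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + encode_name("pi.example.com") + b"\x00\x01\x00\x01"
    return hdr + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 168, 66, 2])
```

With the first post's addresses, `resolve("192.168.66.z", "example.com", source="192.168.66.y")` sends exactly one packet over wg0 while `tcpdump -ni wg0 udp port 53` runs on the pi: if that answers but the system resolver still fails, the tunnel and Pi-hole are fine and the problem is the per-link resolver configuration on the laptop; if nothing arrives, it is the tunnel's routing or AllowedIPs. For the second post, `negative_cache_ttl(resolve("8.8.8.8", "grafana.mydomain.com"))` shows the negative TTL the public zone currently advertises, which is the value to lower if the cached failure should expire sooner.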

#StackBounty: #domain-name-system #dkim #zimbra #amavis #opendkim SOLVED: Amavis and dkim signature on incoming mails: header.s ignored

Bounty: 50

I am a little bit confused with how amavis processes incoming mails. The Postfix service on my Zimbra server is configured to sign outgoing mails. And it works like a charm.

The problem is that mails sent to internal users (and only them; there is no issue with external accounts, for example @gmail.com or @yahoo.com) are flagged as spam because the DKIM signature cannot be verified. More specifically, it seems Amavis does not consider the header.s value in the DKIM signature.

Example to Gmail:

DKIM-Filter: OpenDKIM Filter v2.10.3 mail.ex-nihilo-paris.com 636C223C01CC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ex-nihilo-paris.com; s=8C71BBE2-C332-11E9-A36C-DE544AB689B7; t=1580832669; bh=+8TrrJmLcnxZUkZjdCmVbHB/ELJheHXsjUMg3GrWHqc=; h=Date:From:To:Message-ID:MIME-Version; b=h7/jOP1CAaWZnmmW6RKB6T8CHGUzJHUOSjUquv4jIFnb38SRlduYNXlp98ATeuYnV
     6Xtb09vzosri6rDyuB85hc4TJJMP93P2ZXtbALWXaR+x9G6ycua52kv4mKs0/GHfzb
     7wjycWfjpi0kHB/8uMMX4SQioH7utZiNB9sezwyGLloSyC/kxvvXZTeuJlGZ0VHmzk
     PRVT6p8aaNQ0rU4ZbmnQ2du5PPUjLEtVUhg7PYPbNbMVKChUwtPDH3vgMS3viMaSX8
     9/5/SLXNie2yZWhtpCFsgOfRkcX+IhjqQBUmu+LqA6sPRMp9FaI7+PrHgiZLspLtRS
     LRn6b35fwL96A==

and the result:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@ex-nihilo-paris.com header.s=8C71BBE2-C332-11E9-A36C-DE544AB689B7 header.b=HkbYPmX3;
       spf=pass (google.com: domain of maxime.marais@ex-nihilo-paris.com designates 51.255.78.216 as permitted sender) smtp.mailfrom=maxime.marais@ex-nihilo-paris.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ex-nihilo-paris.com

Example to own domain (ex-nihilo-paris.com)

DKIM-Filter: OpenDKIM Filter v2.10.3 mail.ex-nihilo-paris.com 60A8B23C01CC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ex-nihilo-paris.com;
    s=8C71BBE2-C332-11E9-A36C-DE544AB689B7; t=1580832824;
    bh=mRe5m4ERroqig5SN9KgSkkokS8uGjSACBaxYiIwgUbI=;
    h=Date:From:To:Message-ID:MIME-Version;
    b=c3/mSOn+gwlSHYBoiUkujtj2MaE6EOOJ1ZMPt8oQ8HidainYgRKK6VJ+O8n/HS0iV
     8HMAYsgQSpSEDdPJyAPqJsAM9WDrXdWjm2/4BjgQBFt7iRVX8q4e7vkPMkdbHwCnKg
     KRlmOJrLFpNMcpGcm8yvAyR9jLW4HWcAqGJc+3D7bOrTAKhtTw8Eufvk6JxX7eAuKq
     Im++CKj5f+hvBHea64nNQWgebfPWhGseFn/cqCtR+Qhroq7n9xUWByjMf0507pUeDE
     MMwRrVgpiDyeixmbiy5GQgsrDxsJyQtoLniCRLuIYiih6gmCuJTsx/7t8n8ZdSfAVv
     B+UDRgdYHpqbQ==

and the result:

Authentication-Results: mail.ex-nihilo-paris.com (amavisd-new); dkim=neutral
    reason="invalid (public key: DNS error: no nameservers)"
    header.d=ex-nihilo-paris.com

It looks like the server may not be able to resolve the domain to fetch the DKIM key.

Obviously, the DKIM entry exists in our DNS (Google resolves it, for instance).

It’s set as follows:

8C71BBE2-C332-11E9-A36C-DE544AB689B7._domainkey.ex-nihilo-paris.com.

v=DKIM1; k=rsa; t=s; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwInGpqmCeO/FWpRsbF8gmSTTj62G98wtjzbWP5UGo6aL4d9184+Orauio8cdhuY0aBJXDzvifHCWm/0xlmxXHjjBZBWgvphiZZMLUONdXkwT+hsZjM2Lj3gtClN4bKiUG2FmT7j8O5A21BJU5m0eIymRYV6yEnmLag3YEeOGP6tr24kCbnUqDvtEmGczgZwFnJbYUfPKPLp6WTlImey/5JPiJj0mwVHBGa0dmCR5Q4mMTmS4Po6f0NlAuppWSWUrgRipEjRgXF3r850i+2U/yB1lPkSWrLIHoYW9jyr+ErtiCBIGmzjJ93eK4y7SBpd4npcjq0wYlmxe+GokCU0FEQIDAQAB

Any idea why Amavis could not resolve the host?

EDIT:

I checked BIND activity on the local server by logging queries, and I can see the TXT record for 8C71BBE2-C332-11E9-A36C-DE544AB689B7._domainkey.ex-nihilo-paris.com actually being requested.

Also, $ host -t txt 8C71BBE2-C332-11E9-A36C-DE544AB689B7._domainkey.ex-nihilo-paris.com returns the expected result.

Thus, “DNS error: no nameservers” may be a wrong error message.


Get this bounty!!!
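The verifier's complaint quoted above is about locating the key, which is a DNS step that happens before any cryptography: the verifier reads d= and s= from the DKIM-Signature header, fetches the TXT record at <s>._domainkey.<d>, and checks the record's own tags (v=, k=, p=, s=, t=) before it can use the public key. In amavisd-new that lookup is made by Mail::DKIM through Net::DNS inside the daemon's own process, so a `host` that works from an interactive shell only shows that the shell's resolver configuration is fine. The following Python is an added example, not part of the post or of amavisd-new; it builds the lookup name, fetches the record through `dig` so it can be pointed at a specific resolver, and validates the record the way a verifier does, including the RSA modulus size hidden inside p=. The signature and key record in it are the ones quoted in the post (the b= value is omitted because it plays no part in finding the key); the function names and the `dig` wrapper are this example's own.

```python
import base64
import re
import subprocess

def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376 s.3.2); folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def selector_name(signature):
    """The TXT name a verifier must fetch for this signature: <s>._domainkey.<d>."""
    sig = parse_tags(signature)
    return "%s._domainkey.%s" % (sig["s"], sig["d"])

def fetch_txt(name, server=None):
    """Fetch a TXT record with dig and join its quoted chunks: a key longer than 255
    bytes is published as several strings that the verifier must concatenate."""
    cmd = ["dig", "+short", "TXT", name] + (["@" + server] if server else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return "".join(re.findall(r'"([^"]*)"', out))

def _der(buf, off=0):
    """Minimal DER TLV reader (definite lengths only): returns (tag, value, next_offset)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                 # long form: next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def rsa_modulus_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo carrying an RSA key (what p= holds)."""
    _, body, _ = _der(spki)                       # SubjectPublicKeyInfo ::= SEQUENCE
    _, _, nxt = _der(body)                        #   AlgorithmIdentifier (rsaEncryption)
    tag, bitstr, _ = _der(body, nxt)              #   subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsakey, _ = _der(bitstr, 1)                # skip the unused-bits byte -> RSAPublicKey SEQUENCE
    tag, n, _ = _der(rsakey)                      #   modulus INTEGER
    if tag != 0x02:
        raise ValueError("not an RSA public key")
    return int.from_bytes(n, "big").bit_length()

def check_key_record(txt, signature):
    """Validate a fetched DKIM key record against the signature that needs it."""
    sig, key, problems, bits = parse_tags(signature), parse_tags(txt), [], None
    if key.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if key.get("k", "rsa") != "rsa" or not sig.get("a", "").startswith("rsa-"):
        problems.append("key type k=%s does not fit a=%s" % (key.get("k", "rsa"), sig.get("a", "?")))
    if "p" not in key:
        problems.append("missing p= tag")
    elif key["p"] == "":
        problems.append("key revoked (empty p=)")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(key["p"], validate=True))
            if bits < 1024:
                problems.append("modulus too small: %d bits" % bits)
        except Exception as exc:
            problems.append("p= is not a DER RSA public key: %s" % exc)
    if key.get("s", "*") not in ("*", "email"):
        problems.append("s=%s does not permit email" % key["s"])
    i_domain = sig.get("i", "@" + sig["d"]).split("@", 1)[1]
    if "s" in key.get("t", "") and i_domain != sig["d"]:     # t=s: i= must be exactly d=
        problems.append("t=s forbids i= domain %s" % i_domain)
    return {"ok": not problems, "bits": bits, "problems": problems}

# Sample input quoted from the post (signature folded as on the wire, b= omitted).
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=ex-nihilo-paris.com;\n"
             " s=8C71BBE2-C332-11E9-A36C-DE544AB689B7; t=1580832824;\n"
             " bh=mRe5m4ERroqig5SN9KgSkkokS8uGjSACBaxYiIwgUbI=;\n"
             " h=Date:From:To:Message-ID:MIME-Version;")
KEY_RECORD = ("v=DKIM1; k=rsa; t=s; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwInGpqmCeO/FWpRsbF8gmSTTj62G98wtjzbWP5UGo6aL4d9184+Orauio8cdhuY0aBJXDzvifHCWm/0xlmxXHjjBZBWgvphiZZMLUONdXkwT+hsZjM2Lj3gtClN4bKiUG2FmT7j8O5A21BJU5m0eIymRYV6yEnmLag3YEeOGP6tr24kCbnUqDvtEmGczgZwFnJbYUfPKPLp6WTlImey/5JPiJj0mwVHBGa0dmCR5Q4mMTmS4Po6f0NlAuppWSWUrgRipEjRgXF3r850i+2U/yB1lPkSWrLIHoYW9jyr+ErtiCBIGmzjJ93eK4y7SBpd4npcjq0wYlmxe+GokCU0FEQIDAQAB")

if __name__ == "__main__":
    print(selector_name(SIGNATURE))
    print(check_key_record(KEY_RECORD, SIGNATURE))
```

The offline check on the quoted record passes (a 2048-bit RSA key, `s=email`, `t=s` satisfied because the signature has no `i=` subdomain), which leaves the lookup itself. Running `check_key_record(fetch_txt(selector_name(SIGNATURE), server=X), SIGNATURE)` once for each resolver address the mail host's /etc/resolv.conf lists, and once for the local BIND, shows whether every path the daemon might take returns the same, complete record.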

#StackBounty: #linux #domain-name-system #bind Caching, forwarding Bind 9.9.4 server works for weeks, suddenly SERVFAIL on all queries …

Bounty: 50

I have bind 9.9.5 running on two servers (CentOS 6 and 7), for caching and forwarding DNS queries for a mail server. The servers run fine for weeks, then suddenly respond to all queries with SERVFAIL. The first time it happened, both servers started failing on the same day. Now, a week later, it happened again, but only on one server. Restarting named makes the problem go away.

Here are the important bits of /etc/named.conf (full file with irrelevant bits here):

acl "trusted" {
    localhost;
    localnets;
    10.128.0.0/9;
};
options {
    listen-on port 53 { 127.0.0.1; 10.128.0.0/9; };
    listen-on-v6 port 53 { ::1; };
    directory               "/var/named";
    dump-file               "/var/named/data/cache_dump.db";
    statistics-file         "/var/named/data/named_stats.txt";
    memstatistics-file      "/var/named/data/named_mem_stats.txt";
    bindkeys-file           "/etc/named.iscdlv.key";
    managed-keys-directory  "/var/named/dynamic";
    auth-nxdomain no;
    version "asdf";

    dnssec-enable       yes;
    dnssec-validation   yes;
    dnssec-lookaside    auto;

    recursion yes;
    forward only;
    forwarders { 169.254.169.254; };

    allow-query     { trusted; };
    allow-recursion { trusted; };
};

When the server is in a failing state, a dig query response:

[q@oak3] dig @10.128.0.9 apple.com a

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @10.128.0.9 apple.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44811
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;apple.com.         IN  A

;; Query time: 3 msec
;; SERVER: 10.128.0.9#53(10.128.0.9)
;; WHEN: Fri Mar 15 19:22:06 2019
;; MSG SIZE  rcvd: 27

These log entries appear:

==> /var/named/chroot/var/log/queries.log <==
15-Mar-2019 19:22:06.983 client 10.128.0.4#55092 (apple.com): query: apple.com IN A + (10.128.0.9)

==> /var/named/chroot/var/log/dnssec.log <==
15-Mar-2019 19:22:06.984 validating apple.com/A: bad cache hit (com/DS)

==> /var/named/chroot/var/log/lame-servers.log <==
15-Mar-2019 19:22:06.984 broken trust chain resolving 'apple.com/A/IN': 169.254.169.254#53

After restarting named, running the same query (dig @10.128.0.9 apple.com a) responds correctly, and there are no errors in the log.

There is nothing relevant logged at the time that queries began failing under /var/logs. The server hasn’t rebooted recently, no updates were installed recently.

Is there any issue with my configuration? What may cause a normally-functioning bind server to suddenly start failing?


Get this bounty!!!
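The three log lines in the post already name the cached RRset that validation keeps tripping on (com/DS) and the upstream it blames (169.254.169.254). A resolver that forwards only to one upstream and validates what comes back will answer SERVFAIL for every name that depends on that RRset for as long as the cache entry lives, which is why a restart (an empty cache) helps. As an added example, not from the post, the following Python turns lines in those three log formats into a small detector: it groups failures by blamed RRset and by upstream, raises an alert for a burst of failures inside a time window, and emits the `rndc flushname` commands for the blamed names as a narrower alternative to restarting named. The sample lines beyond the three quoted in the post are constructed; the window and threshold are arbitrary defaults.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

TS = r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
PATTERNS = {
    "query": re.compile(TS + r"client (?P<client>[\d.]+)#\d+ \(\S+\): query: (?P<name>\S+) IN (?P<rtype>\S+)"),
    "bad_cache_hit": re.compile(TS + r"validating (?P<name>\S+): bad cache hit \((?P<rrset>[^)]+)\)"),
    "broken_chain": re.compile(TS + r"broken trust chain resolving '(?P<name>[^']+?)(?:/IN)?': (?P<upstream>[\d.:]+)#\d+"),
}

def parse_line(line):
    """Classify one BIND log line; returns a dict with kind, ts and the named groups, or None."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            ev = m.groupdict()
            ev["kind"], ev["ts"] = kind, datetime.strptime(ev["ts"], "%d-%b-%Y %H:%M:%S")
            return ev
    return None

def validation_failures(lines, window=timedelta(minutes=5), threshold=3):
    """Count DNSSEC validation failures by blamed cached RRset and by upstream, and
    raise one alert per burst of at least `threshold` failures inside `window`."""
    events = [e for e in map(parse_line, lines) if e]
    fails = sorted((e for e in events if e["kind"] != "query"), key=lambda e: e["ts"])
    report = {
        "blamed_rrsets": Counter(e["rrset"] for e in fails if e["kind"] == "bad_cache_hit"),
        "upstreams": Counter(e["upstream"] for e in fails if e["kind"] == "broken_chain"),
        "alerts": [],
    }
    i = 0
    while i < len(fails):
        j = i
        while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
            j += 1
        if j - i >= threshold:
            report["alerts"].append({"start": fails[i]["ts"], "count": j - i,
                                     "names": sorted({e["name"] for e in fails[i:j]})})
            i = j                                  # one alert per burst, then continue after it
        else:
            i += 1
    return report

def flush_commands(report):
    """rndc commands that drop only the cached RRsets validation keeps hitting."""
    return ["rndc flushname %s" % rrset.split("/")[0] for rrset in report["blamed_rrsets"]]

# Constructed sample: the three lines quoted in the post, plus two later lookups
# (made up here) that fail the same way against the same forwarder.
SAMPLE = """\
15-Mar-2019 19:22:06.983 client 10.128.0.4#55092 (apple.com): query: apple.com IN A + (10.128.0.9)
15-Mar-2019 19:22:06.984 validating apple.com/A: bad cache hit (com/DS)
15-Mar-2019 19:22:06.984 broken trust chain resolving 'apple.com/A/IN': 169.254.169.254#53
15-Mar-2019 19:23:40.101 validating google.com/A: bad cache hit (com/DS)
15-Mar-2019 19:23:40.101 broken trust chain resolving 'google.com/A/IN': 169.254.169.254#53
15-Mar-2019 19:25:02.517 validating mail.example.org/MX: bad cache hit (org/DS)
15-Mar-2019 19:25:02.518 broken trust chain resolving 'mail.example.org/MX/IN': 169.254.169.254#53
""".splitlines()

if __name__ == "__main__":
    rep = validation_failures(SAMPLE)
    print(rep["blamed_rrsets"], rep["upstreams"])
    print(rep["alerts"])
    print(flush_commands(rep))
```

Feeding the real dnssec.log and lame-servers.log through `validation_failures` at the moment queries start failing shows whether the failures all hang off one cached DS RRset (as in the quoted lines) or are spread across the tree; the first pattern points at the cache entry, the second at the forwarder.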

#StackBounty: #domain-name-system #vpn #web-server Windows Server as web server with VPN and DNS resolving incorrectly – options?

Bounty: 50

I originally posted this on the networking site, but have been advised to post here:

I have my own HP Gen8 server running Windows Server 2012 R2.

I’ve worked in I.T. all my life but sometimes struggle with networking, so I’m wondering what my options are here.

The server does many things, but one aspect of the server is it’s a web server (hosting websites in IIS). It is also a DNS server and runs on a static IP address.

I’d like the server to run constantly on a VPN (I run the PIA client on other devices); however, running the VPN on the server causes my external IP address to change, and therefore all websites are inaccessible and DNS does not resolve.

What are my options for being able to run a VPN on this box? Another network card? If so, how do I route the traffic? Up to now I’ve had a VM running but that’s a very heavy resource to use for the sake of running a VPN to manage certain tasks. Likewise, setting the VPN on a router would also cause the same issue with the external IP address.

Thanks in advance!


Get this bounty!!!

#StackBounty: #domain-name-system #email #domain #subdomain #cname-record Configure cloudflare subdomains for mailchimp

Bounty: 100

I’ve managed to successfully configure mailchimp with cloudflare (using CNAME and TXT records as advised here: https://bobandedovic.com/blog/technology/how-to-authenticate-a-domain-name-on-mailchimp-using-cloudflare-cname-bypass-solution).

The problem is that I need it to work for subdomains instead (e.g. email.[mydomain].com).

I’m reluctant to just play about with the DNS records until it works since I appreciate the DNS takes time to refresh and I don’t want to have to re-authenticate with mailchimp every time.

Question

Does anybody know how the CNAME and TXT records should look when using subdomains as opposed to just the root?

For example, CNAME is currently:

k1._domainkey (pointing to dkim.mcsv.net)

Should this be:

k1._domainkey.[mySubDomain] instead?

And TXT file is currently:

[myDomain].com (pointing to v=spf1 include:servers.mcsv.net)

Should this be:

[mySubDomain].[myDomain].com instead?

Any help or pointers in the right direction very much appreciated with this one, in desperate need of getting it configured asap.


Get this bounty!!!