Control over client DNS servers
It'd be great if, on connection to a Nebula mesh, the DNS servers of the client could be modified. Specifically, not to the DNS server served by Nebula, as that just serves the hostnames of the other nodes from the lighthouse.
I'm imagining this working much like the DNS key in a wireguard config (man page for reference). On connection, the DNS servers the client uses are modified based on those specified in the client config. These settings would not be pushed down by the lighthouse (although perhaps they could / should be?). On disconnect, these settings would be restored to the system default.
For versatility, I don't think these DNS servers should be constrained to nodes.
It's possible to achieve this currently by wrapping the nebula command and using resolvconf on Linux, but this is far from universal or cross-platform. Doing a custom solution on mobile is especially difficult!
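The wrapper approach mentioned above, written out as an added example (not Nebula project code): a POSIX sh script that backs up the resolver configuration, writes the requested nameservers, starts nebula, and restores the original file on any exit path. It assumes a plain glibc-style resolver file (the `RESOLV_CONF`, `RESOLV_BACKUP` and `NEBULA_BIN` variables are this script's own, overridable for testing); on distributions managed by resolvconf or systemd-resolved the write step would be replaced by the corresponding tool, which is exactly the portability problem the comment describes.

```shell
#!/bin/sh
# nebula-dns-wrap.sh (hypothetical wrapper, not part of Nebula):
# swap the system resolver while the tunnel is up, restore it on exit.
# Usage: sh nebula-dns-wrap.sh 10.0.0.53 [more servers] -- -config /etc/nebula/config.yml
set -eu

# Overridable so the functions can be exercised against a scratch file.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
RESOLV_BACKUP="${RESOLV_BACKUP:-${RESOLV_CONF}.nebula-backup}"
NEBULA_BIN="${NEBULA_BIN:-nebula}"

# nebula_dns_apply SERVER [SERVER...]: back up the current resolver config
# (only when no backup exists, so a crashed earlier run is not clobbered)
# and write the given nameservers. Returns 1 when no server is given.
nebula_dns_apply() {
    [ "$#" -gt 0 ] || return 1
    if [ ! -f "$RESOLV_BACKUP" ] && [ -f "$RESOLV_CONF" ]; then
        cp -p "$RESOLV_CONF" "$RESOLV_BACKUP"
    fi
    {
        echo "# written by nebula-dns-wrap.sh; restored when nebula exits"
        for s in "$@"; do
            echo "nameserver $s"
        done
    } > "$RESOLV_CONF"
}

# nebula_dns_restore: put the original resolver config back.
# Idempotent: does nothing when there is no backup to restore.
nebula_dns_restore() {
    if [ -f "$RESOLV_BACKUP" ]; then
        mv "$RESOLV_BACKUP" "$RESOLV_CONF"
    fi
}

# nebula_dns_servers: print the nameservers currently configured, one per
# line, so the state can be checked before and after the swap.
nebula_dns_servers() {
    [ -f "$RESOLV_CONF" ] || return 0
    awk '$1 == "nameserver" { print $2 }' "$RESOLV_CONF"
}

# main DNS_SERVER... -- NEBULA_ARGS...
main() {
    servers=""
    while [ "$#" -gt 0 ] && [ "$1" != "--" ]; do
        servers="$servers $1"
        shift
    done
    if [ "$#" -gt 0 ]; then
        shift   # drop the "--" separator
    fi
    # Install the restore handler before touching the resolver, so a
    # missing binary or a signal still leaves the system as it was found.
    trap 'nebula_dns_restore' EXIT INT TERM
    # shellcheck disable=SC2086
    nebula_dns_apply $servers
    "$NEBULA_BIN" "$@"
}

# Run main only when invoked with arguments; with none, the file just
# defines the functions (handy for sourcing or testing them).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The backup-once rule matters: if the script is started twice, or nebula is restarted by a supervisor after a crash, a naive "copy current file to backup" would save the already-rewritten file and the original resolver settings would be lost.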
I can guess one use case, but may I ask why, explicitly? Other than using one of the nodes/hosts as a DNS server, how else could this be helpful?
p.s.: I love your blog
Does there have to be another reason? Overriding DNS can have a number of different uses to a number of different people; it depends on what they want to do.
My prime use case is being able to route specific domains over the VPN rather than the public internet, which I suspect is the main use case. Especially useful if the public route is to go via a proxy or gateway, a la this.
this would be awesome!
My favorite personal use case would be:
- set the DNS setting on the lighthouse to a node on the network running a Pi-hole
- in Pi-hole, add the lighthouse DNS server as a source
This would allow one to easily get tracker blocking + name resolution for all nodes. Bonus points if this would also be supported on the nebula ios/android app to get those benefits while on cellular.
Do I understand right, that if I connect my clients with nebula, I am not able anymore to use my pi-hole? I just found out about Nebula and was really excited to try it, but if I can't use pi-hole then anymore, it is unusable.
@HyperCriSiS this is different. So long as your pihole is still accessible by the new routes created by Nebula, then it'll "just work" with no impact at all.
This issue is about specifically changing the DNS server used whilst connected to Nebula, which isn't what you're talking about. You can always change it manually, but there's currently no automated way of doing it.
+1
I wanted to do what @LennyPenny suggested. I actually set up a Nebula network this week including a Raspberry Pi (on my local network), iPhone, laptop, and an AWS instance as the lighthouse. I was able to access the Pi-hole config from my phone via the private IP address of the Pi-hole in the nebula network. I was also able to ssh into the Pi while I was away from my house (which was super cool). Then I went to set the DNS server on my phone in the nebula config and didn't find a place for it. Then I did some searching and came across this issue.
So then I researched WireGuard and set up a WireGuard network. The advantage of Nebula over WireGuard is I can easily get a direct connection to my Raspberry Pi from my phone because the lighthouse node coordinates this. With WireGuard all the traffic needs to route through the AWS server because there's not an easy way to get a direct connection when both peers are behind a NAT (https://www.jordanwhited.com/posts/wireguard-endpoint-discovery-nat-traversal/). It's probably nearly impossible to set up on my phone without writing a new client app. But I am able to set the DNS server on my phone with WireGuard. So that won out for what I was trying to achieve.
The Nebula network was considerably easier to get set up given its more centralized nature; all the certs are signed by the same CA. Whereas with WireGuard, you need to update the server every time you want to add another peer on the network.
All that to say if there was a way to set the DNS server on the config, that would be super cool. Especially on mobile since there's no way as a user I can update my DNS server when I'm on cellular and if I'm on WiFi I need to update it for every WiFi network I join.
Is there a way on an iPhone to modify the DNS servers? I would have thought that Apple would have that locked down. At my house I have implemented the lighthouse DNS on my computers and use it to look up machine addresses. However, that requires me to add entries with the resolvectl command to tell my computers to query *.schaefermesh.neb addresses at the DNS server on the lighthouse. Any regular DNS wouldn't know them, and thus I would have thought Apple (or Google for that matter) wouldn't allow you to redirect DNS queries to a private DNS server, as they couldn't track/sell info about the DNS lookups.
On Sat, Apr 16, 2022 at 10:27 AM Bill Covert wrote (the comment above):
Is there a way on an iPhone to modify the DNS servers? I would have thought that Apple would have that locked down.
There are other apps that do it (I think zerotier and wireguard support this). It's probably just a matter of entitlements and review.
Other than using one of the nodes/hosts as a DNS server, how else could this be helpful?
Actually, most "reasonable VPN software" provides that, because it permits you access to a previously unreachable DNS server with different/more knowledge (e.g. the names belonging to the inner structure of a private network). It's something many larger entities require...
+1 Any progress in the decision process whether to put that on the road map?