
Bypass for internal subnets

Open francispeixoto opened this issue 7 years ago • 9 comments

The app shouldn't try to resolve internal subnets using an external DNS server. My local DNS server should pick those up.

francispeixoto avatar May 26 '18 17:05 francispeixoto

Could you give an example of a DNS name that you would not want to resolve using the external DNS server?

bemasc avatar May 29 '18 15:05 bemasc

Don't know if this is what was being asked, but kind of related would be whitelisting specific domains that should go over plain DNS, for private / split-horizon domains that should be resolved using the LAN's resolver (e.g. the one configured via DHCP and the like).

ghedo avatar Jun 01 '18 15:06 ghedo

It isn't a question of certain domains that should resolve internally, but requests should hit the LAN DHCP-assigned DNS for internal resolution before seeking an answer on the web.

francispeixoto avatar Jun 02 '18 20:06 francispeixoto

@francispeixoto That's not easy to do for Intra. For privacy reasons, Intra doesn't disclose DNS queries in cleartext, so we can't send the queries to your LAN's resolver. Also, if Intra gets back different answers from the LAN's resolver and the secure resolver, we have no way of knowing which one is correct.

We might be able to direct queries in "*.local", "*.localhost", and "*.home.arpa" to the local DNS resolver. Would that work for you?

bemasc avatar Jun 11 '18 22:06 bemasc

Setting up wildcard addresses to redirect to the default DNS in advanced settings would be the ideal thing to do IMHO.

andrebrait avatar Jun 12 '18 00:06 andrebrait

You could have a de facto rule that routes private IP spaces defined in RFC 1918 to the local DNS server instead of Intra. Ref: https://tools.ietf.org/html/rfc1918

This is pretty much the standard for private IP allocations. Those ranges aren't assigned on the net.

francispeixoto avatar Jun 12 '18 03:06 francispeixoto

@francispeixoto There's no way to do that. In order to do that the DNS would have to know the IP (which means it would have to send an insecure request to the external DNS anyway) and the fact the external request could reply with such address shouldn't be taken into account.

There's nothing stopping someone from performing a man-in-the-middle attack on a DNS query and responding to google.com with a 192.168.x.x address (or any of the category C, private ones). And also there's no guarantee that the internal DNS would respond to such queries with a private address (technically a network could have any of them and others, like I've seen happen in enterprise networks).

Just having the user define the domain wildcards is the best, safest and most flexible solution.

andrebrait avatar Jun 12 '18 04:06 andrebrait

(The google.com example is just an example. I know the idea is to try the internal DNS only if there's an NXDOMAIN from the external one, but still, there are many things at play here and automatic inference is not something that should be attempted here.)

andrebrait avatar Jun 12 '18 04:06 andrebrait
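The thread converges on routing by query name (bemasc's fixed suffixes "*.local", "*.localhost", "*.home.arpa", plus andrebrait's user-defined wildcards) and rejects routing by whether the answer is an RFC 1918 address. The following is an added example written for this page, not Intra's own code: a name-based dispatcher that decides "lan" or "doh" before any query is sent, with the edge cases a practitioner cares about (case, trailing root dot, label boundaries so "notlocal" does not match "local", wildcard syntax with an optional leading "*."). It also includes a small answer-based dispatcher to show concretely why that approach is unsafe: a spoofed private answer for a public name would flip the routing decision. All function names, the wildcard syntax and the sample names are assumptions made for the example.

```python
"""Split-horizon dispatch for a DNS-over-HTTPS client (added example, not Intra code)."""
from __future__ import annotations

import ipaddress

# Default private suffixes, as proposed in the thread ("*.local", "*.localhost", "*.home.arpa").
DEFAULT_LOCAL_SUFFIXES = ("local", "localhost", "home.arpa")

# RFC 1918 ranges, listed explicitly rather than via ipaddress.is_private
# (which also covers loopback, link-local, documentation ranges, etc.).
RFC1918_NETWORKS = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def _normalize(name: str) -> str:
    """Lower-case and strip surrounding whitespace and the trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_wildcards(patterns) -> tuple[str, ...]:
    """Turn user patterns such as '*.corp.example' or 'corp.example' into bare suffixes.

    The leading '*.' is optional; empty entries are ignored. (Hypothetical syntax.)
    """
    suffixes = []
    for pattern in patterns:
        pattern = _normalize(pattern)
        if pattern.startswith("*."):
            pattern = pattern[2:]
        if pattern:
            suffixes.append(pattern)
    return tuple(suffixes)


def matches_suffix(qname: str, suffix: str) -> bool:
    """True if qname equals the suffix or ends with '.' + suffix.

    Matching on a label boundary prevents 'notlocal' from matching 'local'.
    """
    q = _normalize(qname)
    return q == suffix or q.endswith("." + suffix)


def choose_resolver(qname: str, user_patterns=()) -> str:
    """Name-based routing: 'lan' for names under a configured private suffix, else 'doh'.

    The decision uses only the query name, so no answer from any resolver
    (genuine or spoofed) can influence which resolver receives the query.
    """
    for suffix in DEFAULT_LOCAL_SUFFIXES + parse_wildcards(user_patterns):
        if matches_suffix(qname, suffix):
            return "lan"
    return "doh"


def is_rfc1918(ip: str) -> bool:
    """True if the address lies in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETWORKS)


def answer_based_choice(qname: str, answers) -> str:
    """The rejected approach: route to the LAN if any answer is an RFC 1918 address.

    Shown only to illustrate the problem from the thread: the answers here come
    from the external resolver (or an on-path attacker), so a forged private
    address for a public name is enough to redirect that name to the LAN resolver.
    """
    del qname  # the name plays no part in this decision, which is exactly the flaw
    return "lan" if any(is_rfc1918(a) for a in answers) else "doh"


if __name__ == "__main__":
    patterns = ["*.corp.example"]  # constructed user configuration
    for name in ("printer.local", "notlocal", "intranet.corp.example", "example.com"):
        print(f"{name:24} -> {choose_resolver(name, patterns)}")
    # Constructed spoofed answer for a public name:
    print("google.com (spoofed 192.168.1.1) ->", answer_based_choice("google.com", ["192.168.1.1"]))
```

The name-based dispatcher never sends the query to the external resolver to find out where it belongs, which is the objection raised above to any IP-based rule; the last line of the usage shows the answer-based variant routing google.com to the LAN on nothing more than a forged private answer.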

The best way to facilitate this without adding security vulnerabilities would be for Google to allow users to install a DNS-over-HTTPS server for LAN routing. Intra could resolve to LAN and WAN DNS-over-HTTPS servers. I run local DNS servers but I would like to be able to run DNS-over-HTTPS servers.

MaXFalstein avatar Jun 17 '18 14:06 MaXFalstein