* Add local DNS forwarder to Windows client

From: Yves Goergen @ 2020-11-03 10:31 UTC
To: wireguard

Hello,

I've already used WireGuard to connect to private networks and it's quite easy once you figure out how to set it up. (Most tutorials are outdated and haven't been updated, new ones haven't been written.) One thing that's really missing however is DNS support. All I can do now is connect to IP addresses. Names are not resolvable on the other side.

If I add the "DNS" directive to my client configuration, it replaces the local DNS resolver and *all* lookups go to that server instead. This isn't working either because I'm on two local networks and each has its own local DNS server that can only resolve its own local names (and forward the rest to the internet).

Specifying both networks' DNS servers also fails because when resolving a name, one of them is chosen at random (and the other one isn't regarded) and then you won't be able to resolve some of the names some of the time. This is also very frustrating. And it wouldn't scale to multiple active tunnels.

The solution I've read about is to set up a local DNS forwarder that can be configured so that it uses multiple servers and queries each of them and returns only a positive response. This way it could query both local LAN DNS servers and for local names, only one of them would resolve the name. This is a bit complicated to do if you're not permanently connected to a VPN, or if you move from one local DHCP network to another (like with a laptop). And it requires additional software, setup and configuration, and probably intensive maintenance and care. All of this makes WireGuard a pretty ugly alternative to OpenVPN where all of this already works. Despite all the disadvantages of OpenVPN.

I'm asking if it's possible to integrate such a local DNS forwarder into the Windows client application. I imagine it would start up automatically once the first tunnel is activated. And it would replace the local system's DNS server setting for as long as it's active (like the tunnel-configured DNS server already does). And it would query the original locally configured DNS server and all configured DNS servers for the active tunnels. It would then be able to resolve local names and tunnel-remote names without any additional work on the user end. The user wouldn't have to perform many complex tasks upon activating or deactivating a tunnel. This would make WireGuard as simple and productive as I believe it was intended to be (but isn't yet).

This probably stops working as soon as other VPN software is used in parallel, but the current "DNS" setting has the same limitation; it's better than nothing and most of the time, you only run a single VPN software.

Please let me know what you think of it.

-Yves
* Re: Add local DNS forwarder to Windows client

From: Tomcsanyi, Domonkos @ 2020-11-10 8:14 UTC
To: Yves Goergen; Cc: wireguard

Hello Yves,

I am by no means a person with authority to make such a decision, but your use case seems to be so specific I would not imagine it would make sense to blow up the size and complexity of the Windows wg with a local DNS forwarder.

I think it is way better if people just install a local DNS resolver/forwarder on their own. There are a ton of choices available, from simple Python scripts to large-scale servers. You could easily configure any of these to distinguish which DNS server to ask based on the TLD portion of your local domain or whatever other distinguisher you have. Then the only thing you need to do is tell your system (either via wg or by other means) to use the local resolver and the case is solved :).

Also I am pretty sure one of the main philosophies behind wg is to be the same as much as possible on all platforms. Adding a DNS resolver would again mean a lot of complications when compared to e.g. the Linux version, since most Linux distributions already feature some kind of a local resolver by default.

Cheers,
Domi
* Re: Add local DNS forwarder to Windows client

From: Der PCFreak @ 2020-11-10 8:44 UTC
To: wireguard

Hi,

concerning the local DNS forwarder:

I am in an environment where I need to resolve public DNS names to local IPs for specific hosts and additionally public DNS for the rest.

In Windows XP it was possible to just stop the DNS cache service and set 2 DNS servers and everything worked. Newer versions of Windows starting with Windows 7 only connect to the second DNS if connecting to (not querying) the first fails. So if your first DNS is up but has no reply for your query, Windows will just add that FQDN to the negative cache and no longer query the DNS for a specific time or until you delete the cache with ipconfig /flushdns.

All of the above can be fixed using a local DNS forwarder.

I have been using Deadwood on my machine for years now.
https://maradns.samiam.org/deadwood/doc/FAQ.html

I just point my DNS to 127.0.0.1 (which is the Deadwood service) and configure Deadwood a little bit. It basically lets me specify exactly which hosts to resolve how and can have something similar to a HOSTS entry, too.

As Domi wrote, I would encourage you to try out a local DNS resolver, too.

Regards

Peter
* Re: Add local DNS forwarder to Windows client

From: Yves Goergen @ 2020-11-10 15:38 UTC
To: Der PCFreak; Cc: wireguard

I just read through the 'upstream_servers' section of the Deadwood DNS resolver. And it doesn't seem to do what I need. I'll have to specify a fixed DNS server for a fixed name suffix. This is not possible on LANs where there are no suffixes, as I already described. Setting multiple upstreams for the same '.' suffix again results in a lookup in one of them, not both.

This is not a solution to my problem. And I still refuse to believe that my problem is exotic. Every home LAN has this.
* Re: Add local DNS forwarder to Windows client

From: Matthias Urlichs @ 2020-11-10 16:04 UTC
To: wireguard

On 10.11.20 16:38, Yves Goergen wrote:
> This is not a solution to my problem. And I still refuse to believe
> that my problem is exotic. Every home LAN has this.

Which "every" home LAN has two resolvers, none of them being authoritative? Mine certainly doesn't.

> So if your first DNS is up but has no reply for your query,

Define "no reply". There's more than one kind of non-reply here.

If the no-reply you're talking about is actually a "doesn't exist" reply, then Windows is perfectly correct not to ask anybody else for a second opinion. The net is flooded with stupid (if not to say "terminally brain-dead") DNS queries as it is, ask any DNS provider; no need to add even more of these.

Please elucidate why you can't use a fixed prefix like ".home" or ".lan" for these. Cf. RFC 2606.

-- 
Matthias Urlichs
* Re: Add local DNS forwarder to Windows client

From: Lech Perczak @ 2020-11-10 18:08 UTC
To: wireguard

Hi,

Thing is, most home LANs have dedicated gateways doing this. Running a Windows PC as a home router is exotic. It might be easier for you to pick up a cheap router which runs OpenWrt and set it up as a gateway running WireGuard and a local DNS resolver (dnsmasq) too. And even there, local DNS resolution is not done by WireGuard, but by dnsmasq, and DNS forwarding is simply not in the scope of any VPN implementation.

Kind regards,
Lech
-- 
Regards,
Lech Perczak
lech.perczak@gmail.com
Mobile: +48 694 309 185
* Re: Add local DNS forwarder to Windows client

From: Yves Goergen @ 2020-11-15 18:42 UTC
To: Lech Perczak; Cc: wireguard

I still cannot see how the suggested measures solve the root problem.

I, too, think of FritzBox or Speedport or EasyBox when I think of a home LAN. These DSL routers are also often used in small offices. So for this part, small offices and private home networks use the same technology. Larger companies surely have more money to spend. The mentioned router models probably make up half of all internet users in Germany. Other models (like TP-Link) don't include a DNS server for DHCP'd local hosts and are almost unusable for home LANs. If you use a router of that kind you have problems before thinking of VPN.

None of these networks offer a DNS suffix. And if they do (FritzBox), it's fixed to ".local". Everywhere. I tried to change it but it's not possible, confirmed by AVM support. Now you may want to call LANs managed by a FritzBox unprofessional. And to a certain point I can follow you. But unprofessional or not, it's the reality that a whole lot of people live in. Now and for the foreseeable future. I wouldn't want to spend extra work to set up a different custom-made router in all of my networks just so that the limited WireGuard capabilities solve my problems. Using OpenVPN is a lot easier then.

This reality includes host names like "pc1" and "pc2" in one LAN and "pc3" and "pc4" in the other LAN. If I'm in one of these LANs and want to connect to the other, I need name resolution with both routers to be able to use names in the LAN I'm currently in and at the same time names in the LAN I'm connected to. No single existing DNS server could ever do that because the two routers don't know each other.

I haven't mentioned public names yet. In this simple scenario, both routers could resolve internet names, but the local router is preferred because it's faster.

As far as I understand things, I need this specific solution, and it's almost impossible to build that without tight integration with a WireGuard client:

* A local DNS proxy on the tunnel client end
* that registers itself as the new default DNS server for as long as a tunnel is active
* and forwards all DNS queries to *all* of the connected tunnels' DNS (if specified) and also the previous system's DNS server
* and responds with the first positive answer that comes in.
* This proxy adapts to all active tunnels and
* stops and unregisters when the last tunnel is closed.

None of the suggested solutions provide these features. All of them assume that I have host names with a distinguishable name suffix (not the case, not changeable) and that I can reconfigure DNS proxy configuration upon activating and deactivating a tunnel (not practical).

While I understand that WireGuard (the tunnel tech) is intended to be simple, I consider this feature necessary on a higher level for normal network operation. Make things as simple as possible, but no simpler! And in this case, it's just a client GUI that already provides several comfort features outside of the core tunnel scope. A DNS proxy would fit well in this.

And yes, this causes more network traffic than necessary in an ideal world. But I'm looking for a solution in the existing world, and it's only DNS packets, no OS image downloads. Make it correct, and fast; in that order.

-Yves
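The fan-out proxy sketched in the bullet list above, combined with Matthias's earlier point that the different kinds of "no reply" must be told apart, as an added example; this is not code from the thread or from the WireGuard project. It sends each query to every upstream in parallel, accepts the first positive answer, and returns NXDOMAIN only when all upstreams agree the name does not exist, otherwise SERVFAIL so that a tunnel that happens to be down does not land the name in the client's negative cache. The router addresses, host names and the make_fake_send transport are constructed for the example; udp_send is the real UDP transport and is not used by the constructed scenario.

```python
import os
import socket
import struct
import concurrent.futures as cf

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def encode_name(name):
    """Encode 'pc1.local' as DNS labels: \\x03pc1\\x05local\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_qname(packet):
    """Read the (uncompressed) question name that starts at offset 12."""
    labels, pos = [], 12
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += n + 1
    return ".".join(labels)

def build_query(name, qtype=1):
    """Wire-format A query with a fresh random transaction ID (RD=1)."""
    header = os.urandom(2) + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_answer(query, rcode, ips=()):
    """Constructed test helper: a reply echoing the query's ID and question."""
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1
    rrs = b""
    for ip in ips:  # name pointer to offset 12, type A, class IN, TTL 60
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    header = query[:2] + struct.pack("!HHHHH", flags, 1, len(ips), 0, 0)
    return header + query[12:] + rrs

def classify(reply, query):
    """Tell the kinds of 'no reply' apart; they must not be treated alike."""
    if reply is None:
        return "timeout"
    if len(reply) < 12 or reply[:2] != query[:2]:
        return "mismatch"  # stale or spoofed transaction ID: never accept
    flags, _qdcount, ancount = struct.unpack("!HHH", reply[2:8])
    if not flags & 0x8000:
        return "mismatch"  # QR bit clear: not a response at all
    rcode = flags & 0xF
    if rcode == RCODE_NOERROR:
        return "positive" if ancount else "nodata"
    return "nxdomain" if rcode == RCODE_NXDOMAIN else "error"  # SERVFAIL etc.

def udp_send(upstream, query, timeout):
    """Real transport: one UDP exchange with upstream=(host, port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def resolve_fanout(name, upstreams, send=udp_send, timeout=2.0):
    """Query all upstreams in parallel; return (verdict, reply or None).

    First positive answer wins. 'nxdomain' only if every upstream said so;
    any timeout or error turns the verdict into 'servfail' (not cacheable).
    """
    verdicts = []
    with cf.ThreadPoolExecutor(max_workers=max(1, len(upstreams))) as pool:
        pending = {}
        for up in upstreams:
            query = build_query(name)  # a distinct transaction ID per upstream
            pending[pool.submit(send, up, query, timeout)] = query
        for fut in cf.as_completed(pending):
            kind = classify(fut.result(), pending[fut])
            if kind == "positive":
                return "positive", fut.result()
            verdicts.append(kind)
    if verdicts and all(v in ("nxdomain", "nodata") for v in verdicts):
        return "nxdomain", None
    return "servfail", None

# Constructed scenario (RFC 5737 addresses): router A knows only pc1, router B
# only pc3, and each answers NXDOMAIN for everything else, as in the thread.
ROUTER_A, ROUTER_B = ("192.0.2.1", 53), ("198.51.100.1", 53)
KNOWN = {ROUTER_A: {"pc1.local": "192.0.2.10"},
         ROUTER_B: {"pc3.local": "198.51.100.10"}}

def make_fake_send(known, down=()):
    """Stand-in transport; upstreams listed in `down` never answer (torn-down tunnel)."""
    def send(upstream, query, timeout):
        if upstream in down:
            return None
        ip = known.get(upstream, {}).get(decode_qname(query))
        return build_answer(query, RCODE_NOERROR if ip else RCODE_NXDOMAIN,
                            [ip] if ip else ())
    return send
```

The first-positive rule trusts every upstream equally, so any one of them can answer for any name; keep the upstream set to resolvers you control (your own routers and tunnels) and, as classify does, drop replies whose transaction ID does not match.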
* Re: Add local DNS forwarder to Windows client

From: Matthias Urlichs @ 2020-11-15 21:10 UTC
To: wireguard

On 15.11.20 19:42, Yves Goergen wrote:
> This reality includes host names like "pc1" and "pc2" in one LAN and
> "pc3" and "pc4" in the other LAN.

So you need a DNS proxy that knows about stripping .one.lan and .two.lan suffixes from your host names before forwarding the request to the requisite DNS server. Or one that asks both and merges the replies. None of this is in any way difficult to code, or indeed specific to WireGuard.

Also, why would you want to reconfigure your DNS proxy whenever the tunnel state changes? The proxy either gets an answer or it doesn't (or it gets an ICMP Unreachable back). If not, the tunnel is down, either because the other end is temporarily unreachable or because you tore down the tunnel. No reconfiguration required; simply react to timeouts and ICMPs / EHOSTUNREACH (or whatever the Windows equivalent is) as appropriate.

-- 
Matthias Urlichs
* Re: Add local DNS forwarder to Windows client
  2020-11-15 18:42 ` Yves Goergen
  2020-11-15 21:10 ` Matthias Urlichs
@ 2020-11-15 21:43 ` "Tomcsányi, Domonkos"
  1 sibling, 0 replies; 11+ messages in thread
From: "Tomcsányi, Domonkos" @ 2020-11-15 21:43 UTC
To: Yves Goergen; +Cc: Lech Perczak, wireguard

Hi Yves,

I still think you should not integrate your DNS so strongly with Wireguard. What is the exact issue with setting the DNS parameter of each tunnel to localhost and running your own resolver/forwarder locally? A quick Google search shows a ton of options for such software. I really don't want this to feel like an advertisement, but e.g. MaraDNS (with Lua plugin(s) to customize things) or Technitium DNS seem to be a good start. Once you have your DNS resolver set up correctly, just use Wireguard to automatically point your machine to the local resolver if a tunnel is up and that's it.

Am I not seeing something obvious here?

Cheers,
Domi

> On 15 Nov 2020 at 19:42, Yves Goergen <yves.goergen@gmail.com> wrote:
>
> I still cannot see how the suggested measures solve the root problem.
>
> I, too, think of FritzBox or Speedport or EasyBox when I think of a home LAN. These DSL routers are also often used in small offices. So for this part, small offices and private home networks use the same technology. Larger companies surely have more money to spend. The mentioned router models probably make up half of all internet users in Germany. Other models (like TP-Link) don't include a DNS server for DHCP'd local hosts and are almost unusable for home LANs. If you use a router of that kind you have problems before thinking of VPN.
>
> None of these networks offer a DNS suffix. And if they do (FritzBox), it's fixed to ".local". Everywhere. I tried to change it but it's not possible, confirmed by AVM support. Now you may want to call LANs managed by a FritzBox unprofessional. And to a certain point I can follow you. But unprofessional or not, it's the reality that a whole lot of people live in. Now and for the foreseeable future. I wouldn't want to spend extra work to set up a different custom-made router in all of my networks just so that the limited WireGuard capabilities solve my problems. Using OpenVPN is a lot easier then.
>
> This reality includes host names like "pc1" and "pc2" in one LAN and "pc3" and "pc4" in the other LAN. If I'm in one of these LANs and want to connect to the other, I need name resolution with both routers to be able to use names in the LAN I'm currently in and at the same time names in the LAN I'm connected to. No single existing DNS server could ever do that because the two routers don't know each other.
>
> I haven't mentioned public names yet. In this simple scenario, both routers could resolve internet names, but the local router is preferred because it's faster.
>
> As far as I understand things, I need this specific solution, and it's almost impossible to build that without tight integration with a WireGuard client:
>
> * A local DNS proxy on the tunnel client end
> * that registers itself as the new default DNS server for as long as a tunnel is active
> * and forwards all DNS queries to *all* of the connected tunnels' DNS (if specified) and also the previous system's DNS server
> * and responds with the first positive answer that comes in.
> * This proxy adapts to all active tunnels and
> * stops and unregisters when the last tunnel is closed.
>
> None of the suggested solutions provide these features. All of them assume that I have host names with a distinguishable name suffix (not the case, not changeable) and that I can reconfigure DNS proxy configuration upon activating and deactivating a tunnel (not practical).
>
> While I understand that WireGuard (the tunnel tech) is intended to be simple, I consider this feature necessary on a higher level for normal network operation. Make things as simple as possible, but no simpler! And in this case, it's just a client GUI that already provides several comfort features outside of the core tunnel scope. A DNS proxy would fit well in this.
>
> And yes, this causes more network traffic than necessary in an ideal world. But I'm looking for a solution in the existing world, and it's only DNS packets, no OS image downloads. Make it correct, and fast; in that order.
>
> -Yves
* Re: Add local DNS forwarder to Windows client
  2020-11-10 15:38 ` Yves Goergen
  2020-11-10 16:04 ` Matthias Urlichs
  2020-11-10 18:08 ` Lech Perczak
@ 2020-11-11 7:36 ` Der PCFreak
  2 siblings, 0 replies; 11+ messages in thread
From: Der PCFreak @ 2020-11-11 7:36 UTC
To: wireguard

Hi,

you are wrong! For example, my dwood3rc.txt file looks (only partially) like this:

upstream_servers = {} # Initialize dictionary variable
upstream_servers["internal."]="192.168.178.1, 192.168.178.2, 192.168.178.3" # local DNS servers for all fqdns.internal
upstream_servers["."]="9.9.9.9, 8.8.8.8" # for others Quad Nine, Google, WITRON Firewall
root_servers = {}
# manual entries (similar to /etc/hosts)
# pointing to specific DNS servers for specific hostnames to resolve
root_servers["host1.separate.domain."]="10.11.12.13" # resolve host1.separate.domain via DNS 10.11.12.13
bind_address="0.0.0.0"
# The IPs allowed to connect and use the cache
recursive_acl = "127.0.0.1/16, 192.168.178.0/24"
filter_rfc1918 = 0
reject_mx = 0
# please make sure you have 1 empty line at the end of the configuration file

So you can do exactly what you said is not possible. Make sure you don't forget the dots "." at the end of the names!

- resolve specific hosts via specific DNS
- resolve specific subdomain via specific DNS
- resolve all others (.) via upstream server e.g. google DNS

So what else do you need?

Regards
Peter

On 10.11.2020 16:38, Yves Goergen wrote:
> I just read through the 'upstream_servers' section of the Deadwood DNS resolver. And it doesn't seem to do what I need. I'll have to specify a fixed DNS server for a fixed name suffix. This is not possible on LANs where there are no suffixes, as I already described. Setting multiple upstreams for the same '.' suffix again results in a lookup in one of them, not both.
>
> This is not a solution to my problem. And I still refuse to believe that my problem is exotic. Every home LAN has this.
>
> On Tue, 10 Nov 2020 at 14:06, Der PCFreak <mailinglists@pcfreak.de> wrote:
>> Hi,
>>
>> concerning local DNS forwarder.
>>
>> I am in an environment where I need to resolve public DNS names to local IPs for specific hosts and additionally public DNS for the rest.
>> In Windows XP it was possible to just stop the DNS cache service and set 2 DNS servers and everything worked.
>> Newer versions of Windows starting with Windows 7 only connect to the second DNS if connecting to (not querying) the first fails.
>> So if your first DNS is up but has no reply for your query, Windows will just add that fqdn to the negative cache and no longer query the DNS for a specific time or until you delete the cache with ipconfig /flushdns.
>>
>> All of the above can be fixed using a local DNS forwarder.
>>
>> I have been using DeadWood on my machine for years now.
>> https://maradns.samiam.org/deadwood/doc/FAQ.html
>>
>> I just point my DNS to 127.0.0.1 (which is the deadwood service) and configure Deadwood a little bit. It basically lets me specify exactly which hosts to resolve how and can have something similar to a HOSTS entry, too.
>>
>> As Domi wrote I would encourage you to try out a local DNS resolver, too.
>>
>> Regards
>>
>> Peter
>>
>> On 10.11.2020 09:14, Tomcsanyi, Domonkos wrote:
>>> Hello Yves,
>>>
>>> I am by no means a person with authority to make such a decision, but your use case seems to be so specific I would not imagine it would make sense to blow up the size and complexity of the Windows wg with a local DNS forwarder.
>>> I think it is way better if people just install a local DNS resolver/forwarder on their own. There are a ton of choices available, from simple python scripts to large scale servers. You could easily configure any of these to distinguish which DNS server to ask based on the TLD portion of your local domain or whatever other distinguisher you have.
>>> Then the only thing you need to do is tell your system (either via wg or by other means) to use the local resolver and the case is solved :).
>>> Also I am pretty sure one of the main philosophies behind wg is to be the same as much as possible on all platforms. Adding a DNS resolver would again mean a lot of complications when compared to e.g. the Linux version, since most Linux distributions already feature some kind of a local resolver by default.
>>>
>>> Cheers,
>>> Domi
>>>
>>>> On 09.11.2020 at 23:46, Yves Goergen <yves.goergen@gmail.com> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I've already used WireGuard to connect to private networks and it's quite easy once you figure out how to set it up. (Most tutorials are outdated and haven't been updated, new ones haven't been written.) One thing that's really missing however is DNS support. All I can do now is connect to IP addresses. Names are not resolvable on the other side. If I add the "DNS" directive to my client configuration, it replaces the local DNS resolver and *all* lookups go to that server instead. This isn't working either because I'm on two local networks and each has its own local DNS server that can only resolve its own local names (and forward the rest to the internet).
>>>>
>>>> Specifying both networks' DNS servers also fails because when resolving a name, one of them is chosen at random (and the other one isn't regarded) and then you won't be able to resolve some of the names some of the time. This is also very frustrating. And it wouldn't scale to multiple active tunnels.
>>>>
>>>> The solution I've read about is to set up a local DNS forwarder that can be configured so that it uses multiple servers and queries each of them and returns only a positive response. This way it could query both local LAN DNS servers and for local names, only one of them would resolve the name. This is a bit complicated to do if you're not permanently connected to a VPN, or if you move from one local DHCP network to another (like with a laptop). And it requires additional software, setup and configuration, and probably intensive maintenance and care. All of this makes WireGuard a pretty ugly alternative to OpenVPN where all of this already works. Despite all the disadvantages of OpenVPN.
>>>>
>>>> I'm asking if it's possible to integrate such a local DNS forwarder into the Windows client application. I imagine it would start up automatically once the first tunnel is activated. And it would replace the local system's DNS server setting for as long as it's active (like the tunnel-configured DNS server already does). And it would query the original locally configured DNS server and all configured DNS servers for the active tunnels. It would then be able to resolve local names and tunnel-remote names without any additional work on the user end. The user wouldn't have to perform many complex tasks upon activating or deactivating a tunnel. This would make WireGuard as simple and productive as I believe it was intended to be (but isn't yet).
>>>>
>>>> This probably stops working as soon as other VPN software is used in parallel, but the current "DNS" setting has the same limitation, it's better than nothing and most of the time, you only run a single VPN software.
>>>>
>>>> Please let me know what you think of it.
>>>>
>>>> -Yves
* Fwd: Add local DNS forwarder to Windows client
  [not found] ` <CADJb3qTGhm8a=aAA8_6ZgEHHFyBZyOch_GRBkC1p4yym28fN-Q@mail.gmail.com>
@ 2020-11-10 10:47 ` Yves Goergen
  0 siblings, 0 replies; 11+ messages in thread
From: Yves Goergen @ 2020-11-10 10:47 UTC
To: wireguard

Oops, Google Mail cannot reply to all including the mailing list? Why can't we have a normal web forum here?

---------- Forwarded message ---------
From: Yves Goergen <yves.goergen@gmail.com>
Date: Tue, 10 Nov 2020 at 11:45
Subject: Re: Add local DNS forwarder to Windows client
To: Tomcsanyi, Domonkos <domi@tomcsanyi.net>

Hello Domi,

It's not quite that simple. I'll have to find a DNS proxy that does what is required to make this scenario work. There is no hostname/domain pattern because all hosts on a LAN have no dot in them, just names alone. And nobody knows what names are valid in a certain network, so all have to be tried. Only one of them should resolve for a local name. All of them might resolve for global names. If all are equal, that's fine. If not, we have a problem anyway.

But which DNS servers to query depends on what VPN connections are active. Only the WG client knows that because it's managing the connections/tunnels. A separate DNS proxy would need to query the WG state and also know what DNS servers can be found in each tunnel. This would best be configured in the tunnel configuration. Anything else makes it complicated and error-prone.

I really can't imagine why DNS resolution should be very specific. Nobody uses DNS in local networks? Do you access all your LAN machines by their IP address? If not, why would you want to do it over a VPN? This is basically what you're suggesting.

Imagine you have tunnels to two separate local networks active. How would you set things up, on Windows or Linux, to resolve local host names from both remote LANs as well as the internet in your default browser? Internet names should prefer the local DNS resolver, not go through any potentially slow VPN.

-Yves

On Tue, 10 Nov 2020 at 09:14, Tomcsanyi, Domonkos <domi@tomcsanyi.net> wrote:
>
> Hello Yves,
>
> I am by no means a person with authority to make such a decision, but your use case seems to be so specific I would not imagine it would make sense to blow up the size and complexity of the Windows wg with a local DNS forwarder.
> I think it is way better if people just install a local DNS resolver/forwarder on their own. There are a ton of choices available, from simple python scripts to large scale servers. You could easily configure any of these to distinguish which DNS server to ask based on the TLD portion of your local domain or whatever other distinguisher you have.
> Then the only thing you need to do is tell your system (either via wg or by other means) to use the local resolver and the case is solved :).
> Also I am pretty sure one of the main philosophies behind wg is to be the same as much as possible on all platforms. Adding a DNS resolver would again mean a lot of complications when compared to e.g. the Linux version, since most Linux distributions already feature some kind of a local resolver by default.
>
> Cheers,
> Domi
>
> > On 09.11.2020 at 23:46, Yves Goergen <yves.goergen@gmail.com> wrote:
> >
> > Hello,
> >
> > I've already used WireGuard to connect to private networks and it's quite easy once you figure out how to set it up. (Most tutorials are outdated and haven't been updated, new ones haven't been written.) One thing that's really missing however is DNS support. All I can do now is connect to IP addresses. Names are not resolvable on the other side. If I add the "DNS" directive to my client configuration, it replaces the local DNS resolver and *all* lookups go to that server instead. This isn't working either because I'm on two local networks and each has its own local DNS server that can only resolve its own local names (and forward the rest to the internet).
> >
> > Specifying both networks' DNS servers also fails because when resolving a name, one of them is chosen at random (and the other one isn't regarded) and then you won't be able to resolve some of the names some of the time. This is also very frustrating. And it wouldn't scale to multiple active tunnels.
> >
> > The solution I've read about is to set up a local DNS forwarder that can be configured so that it uses multiple servers and queries each of them and returns only a positive response. This way it could query both local LAN DNS servers and for local names, only one of them would resolve the name. This is a bit complicated to do if you're not permanently connected to a VPN, or if you move from one local DHCP network to another (like with a laptop). And it requires additional software, setup and configuration, and probably intensive maintenance and care. All of this makes WireGuard a pretty ugly alternative to OpenVPN where all of this already works. Despite all the disadvantages of OpenVPN.
> >
> > I'm asking if it's possible to integrate such a local DNS forwarder into the Windows client application. I imagine it would start up automatically once the first tunnel is activated. And it would replace the local system's DNS server setting for as long as it's active (like the tunnel-configured DNS server already does). And it would query the original locally configured DNS server and all configured DNS servers for the active tunnels. It would then be able to resolve local names and tunnel-remote names without any additional work on the user end. The user wouldn't have to perform many complex tasks upon activating or deactivating a tunnel. This would make WireGuard as simple and productive as I believe it was intended to be (but isn't yet).
> >
> > This probably stops working as soon as other VPN software is used in parallel, but the current "DNS" setting has the same limitation, it's better than nothing and most of the time, you only run a single VPN software.
> >
> > Please let me know what you think of it.
> >
> > -Yves
end of thread, other threads: [~2020-11-15 21:43 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
2020-11-03 10:31 Add local DNS forwarder to Windows client  Yves Goergen
2020-11-10  8:14 ` Tomcsanyi, Domonkos
2020-11-10  8:44 ` Der PCFreak
2020-11-10 15:38 ` Yves Goergen
2020-11-10 16:04 ` Matthias Urlichs
2020-11-10 18:08 ` Lech Perczak
2020-11-15 18:42 ` Yves Goergen
2020-11-15 21:10 ` Matthias Urlichs
2020-11-15 21:43 ` "Tomcsányi, Domonkos"
2020-11-11  7:36 ` Der PCFreak
[not found] ` <CADJb3qTGhm8a=aAA8_6ZgEHHFyBZyOch_GRBkC1p4yym28fN-Q@mail.gmail.com>
2020-11-10 10:47 ` Fwd: Add local DNS forwarder to Windows client  Yves Goergen