DNS and DHCP#

NethSecurity can provide DNS and DHCP services to every local network. This section is divided into 5 tabs:

  • DHCP

  • Static leases

  • Dynamic leases

  • DNS

  • DNS records

DHCP#

This section allows you to enable and manage a DHCP server for each local network configured in your NethSecurity. Each local interface has its own card, where the service can be enabled by clicking the Edit button.

Available fields:

  • Enable DHCP: enables/disables the service

  • IP range start: first IP address of the DHCP range

  • IP range end: last IP address of the DHCP range

  • Lease time: lease time (default 1 hour)

Advanced settings

Force DHCP server start

Upon startup, the DHCP server checks if there are other DHCP servers on the network. With this option disabled, the DHCP server won’t be activated if another one is detected on the network. If the force option is enabled, the DHCP server will be started even if there are other DHCP servers within the network.

DHCP option

Very specific DHCP options can be declared by searching for the field to configure (for example, the DNS servers sent to clients, the TFTP server IP address, etc.) and then specifying the value. The value can also be a comma-separated list of values.

Example that overrides the DNS servers sent to clients with 2 servers:

  • Selected option: dns-server

  • Value: 1.1.1.1, 8.8.8.8

Static leases#

Static leases assign stable IP addresses and symbolic hostnames to DHCP clients. The host is identified by its MAC address, which is assigned a fixed IP address and given a symbolic hostname for easy recognition.

Click the Add reservation button to add a static lease for a device.

Available fields:

  • Hostname: hostname associated with the IP address

  • IP address: IP address to assign to the specified MAC address. The IP address must be within the DHCP range.

  • MAC address: MAC address of the device for which you want to make the reservation.

  • Reservation name: optional, freely configurable field
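The rule that a reserved address must fall inside the DHCP range, together with the duplicate and malformed entries an operator would want flagged before saving, as an added Python check (this is not NethSecurity code; the range, hostnames and MAC addresses below are constructed):

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, with one separator style per address
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$", re.IGNORECASE)

Lease = Tuple[str, str, str]  # (hostname, IP address, MAC address)


def check_static_leases(range_start: str, range_end: str, leases: List[Lease]) -> List[str]:
    """Return one message per problem; an empty list means every reservation is consistent."""
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)
    problems: List[str] = []
    ip_owner: Dict[ipaddress._BaseAddress, str] = {}
    mac_owner: Dict[str, str] = {}
    for hostname, ip_text, mac_text in leases:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"{hostname}: {ip_text!r} is not a valid IP address")
            continue
        # The page's constraint: the reserved IP must lie within the DHCP range.
        if ip.version != start.version or not (start <= ip <= end):
            problems.append(f"{hostname}: {ip} is outside the DHCP range {start}-{end}")
        if not MAC_RE.match(mac_text.strip()):
            problems.append(f"{hostname}: {mac_text!r} is not a valid MAC address")
            continue
        mac = mac_text.strip().lower().replace("-", ":")  # normalise for comparison
        if ip in ip_owner:
            problems.append(f"{hostname}: IP {ip} is already reserved for {ip_owner[ip]}")
        if mac in mac_owner:
            problems.append(f"{hostname}: MAC {mac} is already reserved for {mac_owner[mac]}")
        ip_owner.setdefault(ip, hostname)
        mac_owner.setdefault(mac, hostname)
    return problems


# Constructed reservations against a constructed range 192.168.1.100-192.168.1.200.
SAMPLE_LEASES: List[Lease] = [
    ("printer", "192.168.1.150", "aa:bb:cc:dd:ee:01"),   # consistent
    ("nas", "192.168.1.250", "aa:bb:cc:dd:ee:02"),       # outside the range
    ("camera", "192.168.1.150", "AA-BB-CC-DD-EE-03"),    # duplicate IP
    ("sensor", "192.168.1.160", "aa:bb:cc:dd:ee"),       # malformed MAC
]

if __name__ == "__main__":
    for problem in check_static_leases("192.168.1.100", "192.168.1.200", SAMPLE_LEASES):
        print(problem)
```

Running it reports the three defective entries and stays silent for the printer; the same checks apply whether the reservation is typed into the web UI or scripted with uci.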

Dynamic leases#

Dynamic leases are the IP addresses currently in use that have been assigned to devices on the network. This tab shows all the leases active at the moment.

DNS#

The system resolves hostnames and domain names by sending DNS queries to external DNS servers.

Available fields:

  • DNS forwarding servers: click the Add DNS Server button to specify the desired upstream DNS; you can add more servers, each one managed individually.

  • DNS Domain: insert the local DNS domain, ensuring that queries for this domain are always resolved locally.

  • Log DNS queries: enable it if you want all DNS queries to be logged by the system.

Forwarding servers#

This section explains how to configure upstream DNS servers for your system. You can use this to either:

  • Specify a single upstream DNS server: enter the IP address of the desired server in the dedicated field

  • Set up domain-specific DNS servers: this allows you to route queries for specific domains to different servers.

Domain-specific DNS servers#

To use a custom DNS server for a specific domain, use the following syntax:

/DOMAIN/IP_ADDRESS#PORT

where:

  • IP_ADDRESS: the IP address of the desired server

  • PORT: the desired port, appended after the IP address using the # character.

The PORT value is optional so usually the configuration appears just like:

/DOMAIN/IP_ADDRESS

These are the main supported options:

  • Empty domain (//): matches unqualified names (without dots).

  • Specific domain (/google.com/): matches the exact domain and all its subdomains (e.g., google.com, www.google.com, drive.google.com…).

  • Wildcard domain (/*google.com/): matches any domain containing «google.com» (e.g., google.com, www.google.com, supergoogle.com).

Examples:

  • Send all queries for «google.com» and its subdomains to 1.2.3.4: /google.com/1.2.3.4

  • Send all unqualified names (e.g., «localhost») to 10.0.0.1 and everything else to standard servers: //10.0.0.1

  • Send queries for domain «ad.nethserver.org» and its subdomains to 192.168.1.1 and everything else to standard servers: /ad.nethserver.org/192.168.1.1

More specific domains take precedence over less specific domains, so for a configuration like this:

  • /google.com/1.2.3.4

  • /www.google.com/2.3.4.5

NethSecurity will send queries for google.com and gmail.google.com to 1.2.3.4, but www.google.com will go to 2.3.4.5

This is true also for wildcards: if both specific and wildcard domains are defined for the same pattern, the specific one takes precedence (e.g., having /google.com/ and /*google.com/, the first will handle google.com and www.google.com, while the wildcard will handle supergoogle.com).
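The matching and precedence rules described above (empty domain, specific domain, wildcard, longest match first, specific before wildcard on a tie), as an added Python model that is not NethSecurity or dnsmasq code. It parses the page's /DOMAIN/IP_ADDRESS#PORT syntax, assumes port 53 when #PORT is absent, and matches wildcard entries as a suffix, which covers every example on the page; the configuration list combines the page's examples with one constructed wildcard entry:

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

DEFAULT_PORT = 53  # assumed when an entry carries no #PORT suffix


@dataclass(frozen=True)
class ForwardRule:
    """One /DOMAIN/IP_ADDRESS#PORT entry."""
    domain: str  # "" for //, "google.com", or "*google.com"
    ip: str
    port: int

    @property
    def wildcard(self) -> bool:
        return self.domain.startswith("*")

    @property
    def suffix(self) -> str:
        # The pattern without a leading "*", used both for matching and for ranking.
        return self.domain.lstrip("*").lower()

    def matches(self, name: str) -> bool:
        name = name.lower().rstrip(".")
        if self.domain == "":
            # Empty domain (//): only unqualified names, i.e. names without dots.
            return "." not in name
        if self.wildcard:
            # Wildcard: any name ending in the pattern (google.com, www.google.com, supergoogle.com).
            return name.endswith(self.suffix)
        # Specific domain: the exact domain and all its subdomains.
        return name == self.suffix or name.endswith("." + self.suffix)


def parse_rule(entry: str) -> ForwardRule:
    parts = entry.strip().split("/", 2)
    if len(parts) != 3 or parts[0] != "":
        raise ValueError(f"not a /DOMAIN/IP_ADDRESS[#PORT] entry: {entry!r}")
    _, domain, target = parts
    ip, _, port = target.partition("#")
    if not ip:
        raise ValueError(f"missing IP address in {entry!r}")
    return ForwardRule(domain, ip, int(port) if port else DEFAULT_PORT)


def select_upstream(name: str, rules: Iterable[ForwardRule]) -> Optional[Tuple[str, int]]:
    """Return (ip, port) of the upstream handling `name`, or None for the standard servers."""
    candidates: List[ForwardRule] = [r for r in rules if r.matches(name)]
    if not candidates:
        return None
    # The longer (more specific) pattern wins; on a tie a specific entry beats a wildcard.
    best = max(candidates, key=lambda r: (len(r.suffix), not r.wildcard))
    return best.ip, best.port


# Constructed configuration: the page's examples plus one wildcard entry with a custom port.
FORWARDING_SERVERS = [parse_rule(e) for e in (
    "/google.com/1.2.3.4",
    "/www.google.com/2.3.4.5",
    "//10.0.0.1",
    "/ad.nethserver.org/192.168.1.1",
    "/*google.com/5.6.7.8#5353",
)]

if __name__ == "__main__":
    for q in ("google.com", "gmail.google.com", "www.google.com",
              "supergoogle.com", "localhost", "example.org"):
        print(f"{q:20} -> {select_upstream(q, FORWARDING_SERVERS) or 'standard servers'}")
```

Use it to sanity-check a forwarding list before applying it: feed in the names you expect to be routed internally and confirm that none of them falls through to the standard servers, and that a broad wildcard does not silently capture a name a more specific entry was meant to handle.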

DNS records#

The system can handle local DNS records. When the server performs a DNS lookup, first it will search inside local DNS records. If no local record is found, an external DNS query will be done.

Note

Local DNS records will always override records from external DNS servers.

Click the button Add DNS record to add a new DNS hostname.

Available fields:

  • Hostname: DNS hostname

  • IP address: IP address associated with the hostname

  • Name: optional field

  • Wildcard DNS record: enable it if you want this answer returned for any subdomain you have not already defined

DNS Rebind Protection#

DNS Rebind Protection is a security feature that safeguards against DNS rebinding attacks. It blocks the use of private IP ranges by public domains, preventing malicious websites from manipulating browsers to make unauthorized requests to local network devices.

DNS Rebind Protection is enabled by default on NethSecurity and usually does not have operational repercussions. In the presence of split DNS, resolving public domains with internal resources, rebind protection may lead to resolution issues. In such scenarios, potential problems can be found in the log (/var/log/messages), where lines similar to these may appear:

Sep 21 13:09:36 fw1 dnsmasq[1]: possible DNS-rebind attack detected: ad.nethesis.it

Note

To ensure maximum compatibility and prevent malfunctions, in installations migrated with the dedicated tool from NethServer 7.9 DNS Rebind Protection is disabled, preserving the same behavior as the previous version.

How to fix DNS rebind protection issues#

You can fix any of these issues from the CLI.

Solution 1: Whitelist the domain

Put the specific domain in a whitelist (suggested):

uci add_list dhcp.@dnsmasq[0].rebind_domain="nethesis.it"

then commit and restart:

uci commit dhcp
/etc/init.d/dnsmasq restart

Solution 2: disable the DNS protection

Completely disable DNS rebind protection using these commands:

uci set dhcp.@dnsmasq[0].rebind_protection='0'
uci commit dhcp
/etc/init.d/dnsmasq restart
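The log check described above and the whitelist step of Solution 1, put together as an added Python helper (not NethSecurity code): it scans lines in the format shown for /var/log/messages, counts the names dnsmasq blocked, derives the parent zone to whitelist the way the page whitelists nethesis.it for ad.nethesis.it, and emits the uci commands as strings without running them. The log excerpt is constructed, and zone_of is a simple last-two-labels heuristic assumed here:

```python
import re
from typing import Dict, Iterable, List

# Matches the dnsmasq warning shown on the page; the host name and PID vary per installation.
REBIND_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ dnsmasq\[\d+\]: "
    r"possible DNS-rebind attack detected: (?P<name>[A-Za-z0-9.-]+)\.?$"
)


def rebind_hits(lines: Iterable[str]) -> Dict[str, int]:
    """Count rebind warnings per blocked name, so repeat offenders stand out."""
    hits: Dict[str, int] = {}
    for line in lines:
        m = REBIND_RE.match(line.strip())
        if m:
            name = m.group("name").lower()
            hits[name] = hits.get(name, 0) + 1
    return hits


def zone_of(name: str, keep: int = 2) -> str:
    """Parent zone to whitelist (last `keep` labels): ad.nethesis.it -> nethesis.it.
    Assumed heuristic: it does not understand multi-label public suffixes such as co.uk."""
    labels = name.strip(".").split(".")
    return ".".join(labels[-keep:])


def whitelist_commands(domains: Iterable[str]) -> List[str]:
    """The uci sequence from Solution 1 on the page, returned as strings (nothing is executed)."""
    cmds = [f'uci add_list dhcp.@dnsmasq[0].rebind_domain="{d}"' for d in sorted(set(domains))]
    return cmds + ["uci commit dhcp", "/etc/init.d/dnsmasq restart"]


# Constructed /var/log/messages excerpt: two blocked names plus an unrelated dnsmasq-dhcp line.
SAMPLE_LOG = """\
Sep 21 13:09:36 fw1 dnsmasq[1]: possible DNS-rebind attack detected: ad.nethesis.it
Sep 21 13:09:36 fw1 dnsmasq[1]: possible DNS-rebind attack detected: ad.nethesis.it
Sep 21 13:10:02 fw1 dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.42 aa:bb:cc:dd:ee:01 laptop
Sep 21 13:12:48 fw1 dnsmasq[1]: possible DNS-rebind attack detected: intranet.example.lan
""".splitlines()

if __name__ == "__main__":
    hits = rebind_hits(SAMPLE_LOG)
    for name, count in sorted(hits.items()):
        print(f"{count:4}  {name}  (zone: {zone_of(name)})")
    # Review the list first: only zones that are genuinely your split-DNS belong in the whitelist;
    # a public name you do not own resolving to a private address is exactly what the protection blocks.
    print("\n".join(whitelist_commands(zone_of(n) for n in hits)))
```

Whitelisting the parent zone keeps the exception narrow compared with Solution 2, which removes the protection for every domain.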

How to enable DNS rebind protection#

If you have previously disabled rebind protection or if your configuration comes from a migration and you wish to enable rebind protection, it is recommended to also activate the rebind_localhost parameter. This setting takes effect exclusively when rebind protection is enabled and permits upstream responses from 127.0.0.0/8, essential for DNS-based blacklist services. Execute these commands:

uci set dhcp.@dnsmasq[0].rebind_protection='1'
uci set dhcp.@dnsmasq[0].rebind_localhost='1'
uci commit dhcp
/etc/init.d/dnsmasq restart