• DNS Queries Using API - BIND9

    From Blason R@blason16@gmail.com to bind-users on Mon May 11 09:44:35 2020
    From Newsgroup: comp.protocols.dns.bind

    Hi Folks,

    I am seeking a solution for the problem below and wanted to know if any open source option can help us here.
    We have our internal DNS RPZ firewall built on BIND9. Due to the current situation, since all users are working from home, we are not able to route
    their queries to the internal DNS servers. Well, when they are on the VPN
    their queries definitely pass through the internal DNS server, but they
    are left open when not connected to the VPN.

    Is there any solution using:

    - an API by which we can route the queries for users who are on the Internet;
    - or any client utility which can be installed on the user's desktop/laptop,
    where we can embed our BIND RPZ server and then route the queries to the
    internal one using NAT;
    - or any other alternative the community can suggest?

    This is just like Cisco Umbrella or any other paid DNS firewall solution,
    but I'm asking whether we can have an open source option.

    Thanks & Regards
    Blason R

    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Daniel Stirnimann@daniel.stirnimann@switch.ch to Vadim Pavlov on Mon May 11 08:26:47 2020
    From Newsgroup: comp.protocols.dns.bind



    On 11.05.20 08:18, Vadim Pavlov via bind-users wrote:
    > The main issue is that BIND doesn't provide an authentication method. So in
    > any case you somehow should manage the access to the DNS server; vice
    > versa it will become an open resolver and will be used for DDoS attacks.

    If you were to use DoH, you could use Basic Authentication. The DoH URL
    you could configure on your client systems could be something like this:

    https://username:password@doh.example.com/dns-query


    Daniel
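
Daniel's suggestion worked through as an added example (not code from the thread or from BIND): a Python model of the RFC 8484 DoH GET a client builds from a `https://user:pass@host/dns-query` URL, the Basic-Auth check an authenticating gateway runs before forwarding to BIND (Vadim's open-resolver point), and how the roaming client reads an RPZ block out of the answer. The hostname, the `alice` credential and the answer bytes are constructed; nothing is sent over the network.

```python
import base64
import hmac
import struct
from urllib.parse import urlsplit

USERS = {"alice": "example-passw0rd"}  # constructed; a real gateway stores hashes (htpasswd)

def build_query(qname: str, qtype: int = 1) -> bytes:
    """Minimal wire-format DNS query: ID 0 (RFC 8484 recommends a fixed ID so
    answers stay cacheable), RD=1, one question, no EDNS."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = [part.encode() for part in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_request(doh_url: str, qname: str) -> tuple:
    """Turn https://user:pass@host/dns-query into the GET a DoH client sends:
    the userinfo is client configuration and moves into an Authorization
    header; the query travels in ?dns= as unpadded base64url."""
    u = urlsplit(doh_url)
    host = u.netloc.rsplit("@", 1)[-1]
    dns = base64.urlsafe_b64encode(build_query(qname)).rstrip(b"=").decode()
    cred = base64.b64encode(f"{u.username}:{u.password}".encode()).decode()
    return (f"{u.scheme}://{host}{u.path}?dns={dns}",
            {"Accept": "application/dns-message", "Authorization": f"Basic {cred}"})

def gateway_authorizes(headers: dict) -> bool:
    """The check the gateway runs before forwarding to BIND: no valid Basic
    credentials means HTTP 401, so the resolver behind it is never open."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 (binascii.Error) and bad UTF-8 both subclass it
        return False
    expected = USERS.get(user, "")
    return bool(expected) and hmac.compare_digest(pw.encode(), expected.encode())

def rcode_name(response: bytes) -> str:
    """RCODE of a wire-format answer; an RPZ rule that blocks a name normally yields NXDOMAIN."""
    flags = struct.unpack("!H", response[2:4])[0]
    return {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}.get(flags & 0xF, "OTHER")

def blocked_response_for(qname: str) -> bytes:
    """Constructed stand-in for BIND's RPZ answer: the query echoed back with
    QR and RA set and RCODE=3 (NXDOMAIN), no answer records."""
    q = build_query(qname)
    return q[:2] + struct.pack("!H", 0x8183) + q[4:]
```

The URL returned by `doh_get_request` no longer carries the password, which is the behaviour to expect from a DoH client configured with a `user:pass@` URL; the credential appears only in the request header the gateway verifies.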
  • From Vadim Pavlov@pvm_job@mail.ru to Daniel Stirnimann on Sun May 10 23:37:06 2020
    From Newsgroup: comp.protocols.dns.bind

    Good idea. It may work. I've been using Intra for 1.5 years (with my DNS) and actually didn't try it; my "old" DoH proxy probably doesn't support it.
    With nginx it should be possible, if these open source clients support it.
    For Win/Mac/Linux there should be some open source DoH clients (the backup would be to use it just in browsers).
    Vadim
    On May 10, 2020, at 23:26, Daniel Stirnimann <daniel.stirnimann@switch.ch> wrote:

    > On 11.05.20 08:18, Vadim Pavlov via bind-users wrote:
    > > The main issue is that BIND doesn't provide an authentication method. So in
    > > any case you somehow should manage the access to the DNS server; vice
    > > versa it will become an open resolver and will be used for DDoS attacks.
    >
    > If you were to use DoH, you could use Basic Authentication. The DoH URL
    > you could configure on your client systems could be something like this:
    >
    > https://username:password@doh.example.com/dns-query
    >
    > Daniel
  • From Blason R@blason16@gmail.com to Reindl Harald on Mon May 11 12:13:18 2020
    From Newsgroup: comp.protocols.dns.bind


    I can do that, but:

    1. How can I control unauthorized use?
    2. Since once it is populated over the Internet it can be used by anyone, right?
    3. Plus, from the user end they can change the DNS to avoid the protection.


    On Mon, May 11, 2020 at 11:01 AM Reindl Harald <h.reindl@thelounge.net>
    wrote:

    > On 11.05.20 at 06:14, Blason R wrote:
    > > I am seeking a solution for the problem below and wanted to know if any
    > > open source option can help us here.
    > > We have our internal DNS RPZ firewall built on BIND9. Due to the current situation, since all users are working from home, we are not able to route their queries to the internal DNS servers. Well, when they are on the VPN their queries definitely pass through the internal DNS server, but they are left open when not connected to the VPN.
    > >
    > > Is there any solution using:
    > >
    > > * an API by which we can route the queries for users who are on the Internet
    > > * or any client utility which can be installed on the user's
    > > desktop/laptop, where we can embed our BIND RPZ server and then route
    > > the queries to the internal one using NAT?
    > > * or any other alternative the community can suggest?
    >
    > When you are in the position to use something like this, you can also
    > tell your users they have to configure their machines to use a public
    > DNS you are hosting, and you are done.


  • From Blason R@blason16@gmail.com to Daniel Stirnimann on Mon May 11 12:18:41 2020
    From Newsgroup: comp.protocols.dns.bind


    Hmm, any docs on configuring a DoH proxy?

    On Mon, May 11, 2020 at 11:56 AM Daniel Stirnimann <daniel.stirnimann@switch.ch> wrote:

    > On 11.05.20 08:18, Vadim Pavlov via bind-users wrote:
    > > The main issue is that BIND doesn't provide an authentication method. So in
    > > any case you somehow should manage the access to the DNS server; vice
    > > versa it will become an open resolver and will be used for DDoS attacks.
    >
    > If you were to use DoH, you could use Basic Authentication. The DoH URL
    > you could configure on your client systems could be something like this:
    >
    > https://username:password@doh.example.com/dns-query
    >
    > Daniel

  • From Blason R@blason16@gmail.com to Daniel Stirnimann on Mon May 11 12:22:21 2020
    From Newsgroup: comp.protocols.dns.bind


    That's a nice starting point:

    https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/

    But I'm still looking for a client utility so that users cannot shut down or
    suspend the service.

    On Mon, May 11, 2020 at 12:18 PM Blason R <blason16@gmail.com> wrote:

    > Hmm, any docs on configuring a DoH proxy?
    >
    > On Mon, May 11, 2020 at 11:56 AM Daniel Stirnimann <daniel.stirnimann@switch.ch> wrote:
    >
    > > On 11.05.20 08:18, Vadim Pavlov via bind-users wrote:
    > > > The main issue is that BIND doesn't provide an authentication method. So in
    > > > any case you somehow should manage the access to the DNS server; vice
    > > > versa it will become an open resolver and will be used for DDoS attacks.
    > >
    > > If you were to use DoH, you could use Basic Authentication. The DoH URL
    > > you could configure on your client systems could be something like this:
    > >
    > > https://username:password@doh.example.com/dns-query
    > >
    > > Daniel

  • From Reindl Harald@h.reindl@thelounge.net to Blason R on Mon May 11 07:31:08 2020
    From Newsgroup: comp.protocols.dns.bind



    On 11.05.20 at 06:14, Blason R wrote:
    > I am seeking a solution for the problem below and wanted to know if any
    > open source option can help us here.
    > We have our internal DNS RPZ firewall built on BIND9. Due to the current situation, since all users are working from home, we are not able to route their queries to the internal DNS servers. Well, when they are on the VPN
    > their queries definitely pass through the internal DNS server, but they
    > are left open when not connected to the VPN.
    >
    > Is there any solution using:
    >
    > * an API by which we can route the queries for users who are on the Internet
    > * or any client utility which can be installed on the user's
    > desktop/laptop, where we can embed our BIND RPZ server and then route
    > the queries to the internal one using NAT?
    > * or any other alternative the community can suggest?

    When you are in the position to use something like this, you can also
    tell your users they have to configure their machines to use a public
    DNS you are hosting, and you are done.