[ previous ] [ next ] [ threads ]
 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Cc:  "'sylikc'" <sylikc at gmail dot com>
 Subject:  RE: [m0n0wall] Different DHCP DNS Server list per Interface
 Date:  Fri, 10 Sep 2004 17:44:48 -0400
AFAIK: If the m0n0 has DNS forwarding ON, the DHCP will give out the
interface's IP as the DNS (LAN IP from DHCP on LAN interface, DMZ IP from
DHCP on DMZ interface, etc.). If DNS forwarding is OFF, the DHCP will give
out the DNS from General Setup to clients. If DNS override is enabled the
DHCP will still give out the DNS configured in the General Setup (or DNS
Forwarder if enabled - Quote from General Setup: "If this option is set [DNS
list overridden by WAN], m0n0wall will use DNS servers assigned by a
DHCP/PPP server on WAN for its own purposes (including the DNS forwarder).
They [WAN supplied DNS] will not be assigned to DHCP and PPTP VPN clients,

My DHCP/DNS config On my tri-interface m0n0 (WAN, LAN, LAN2) in a nut shell:
On my m0n0 DNS is supplied by ISP via DHCP, DNS forwarding is enabled, WAN
DNS override is enabled. DHCP is enabled for the LAN2 interface only.
On my SERVER uses the m0n0's LAN IP as a forwarder for the its DNS services.

On my LAN the client machines get IP from DHCP on my SERVER and use the
On my LAN2 the client machines get IP from DHCP on the m0n0 and use the
m0n0's LAN2 IP as DNS.

The DNS forwarder on my m0n0 does not know anything about my DNS on my LAN.

If you want your LAN clients to use the DNS *other than* the DNS forwarder
on the m0n0 you should:
Have the m0n0 use your ISP supplied DNS in General Setup - with DNS
forwarder enabled.
Run a separate DHCP for your LAN and supply your DNS on the DMZ.
You may need to apply rules to allow traffic to and from the DNS on the DMZ.

The DHCP for the "untrusted" should give out the IP of the "untrusted"
interface as DNS (this will be the m0n0 DNS forwarder).

Does any of this make any sense or is it too late on a Friday afternoon to
make sense (it is past beer-thirty)?

James W. McKeand

-----Original Message-----
From: sylikc [mailto:sylikc at gmail dot com] 
Sent: Friday, September 10, 2004 1:28 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Different DHCP DNS Server list per Interface


I've been running m0n0wall for awhile and I was wondering if there is some
way (official patch or unofficial quickfix) to make DHCP assign different
DNS servers per interface.

I am interested in getting that functionality mostly for security reasons.
I don't want a host on OPT2(my untrusted public subnet) to be able to use
the standard DNS used inside my LAN and can resolve the IPs of all my hosts.
Not that OPT2 can connect to LAN anyway, but security through obscurity is a
good thing anyway.

The other reason I would like to use different DNS Server per interface
assigned through DHCP is in the following scenario:

I have a quad Interface m0n0 box (DMZ,LAN,WAN,Untrusted)...
DNS Forwarding is ON, but Allow DNS server list to be overridden by DHCP/PPP
on WAN is OFF I have my DNS server on the DMZ.
Untrusted hosts have limited access to the internet and cannot hit the
DMZ/LAN LAN hosts can go anywhere.
m0n0 hands out the DNS server IP on the DMZ...

I must now punch a hole in the FW for untrusted hosts to use the DNS server
in the DMZ (otherwise it can't resolve anything), although I'd prefer to be
able to have just the UNTRUSTED interface use my ISP's DNS, while the LAN
hosts use the DMZ DNS Server.

Any ideas?


To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch