[Dnsmasq-discuss] Split DNS guidance needed
Jeff Boyce
2016-02-24 17:22:38 UTC
Greetings –

Issue:

I am hosting an instance of OwnCloud on a company server located within
our local lan. Internal clients access it by name using
“cloud.local.lan”. External clients access it by name using
“cloud.companydomain.com”. One of the features of OwnCloud is being able
to provide direct links to documents within the OwnCloud server to
others outside of our company. OwnCloud provides internal clients with a
link referencing “cloud.local.lan”; however, if this link is provided to
an external client it will not work because it is referencing our
internal lan name. Our internal staff cannot use our external domain
name (cloud.companydomain.com) to access the OwnCloud
server. (Specifically, they receive the pfSense 501 page referencing
“Potential DNS Rebind attack detected”. I initially took this issue to the
pfSense forum, and have been advised that setting up a Split DNS
configuration would solve my issue.)

My Objective:

I would like to have our internal clients use the external domain name
(cloud.companydomain.com) to access our OwnCloud instance. Then the
document links that OwnCloud generates would work for anyone we provide
them to outside of our company.

My network configuration:

    Internet ---> pfSense ---> Switch
                                 |
                                 +---> DNSmasq box
                                 |
                                 +---> OwnCloud box

pfSense box (192.168.112.11)
    External IP xx.yy.zz.18
    Network gateway and firewall
    1:1 NAT providing 4 public IPs to internal servers
    Uses ISP DNS server aa.bb.cc.1
         ISP DNS server aa.bb.cc.2
         Google DNS server 8.8.8.8

DNSmasq box (192.168.112.51)
    DNS and DHCP server for lan
    Gives LAN clients
        DNS server 192.168.112.51
        Default Gateway 192.168.112.11

OwnCloud box (192.168.112.53)
    External IP xx.yy.zz.21

companydomain.com
    Physical box hosted by outside provider
    zone file for companydomain.com

If Split DNS is what I need, then I am assuming that I would have to
implement it on my DNSmasq server. I am logically thinking that when an
internal client puts cloud.companydomain.com in a browser, there is a
way that it can be resolved internally from the DNSmasq box to return
the OwnCloud login page, rather than needing to go out through the
gateway to be resolved (which results in the pfSense rebinding attack
detection).

I have searched the mail archives for some guidance and usually end up
back at this thread:
https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg09705.html
I am unable to implement this solution, as some features are not in my
version of DNSmasq (specifically host-record). So I am still uncertain
how to implement something that reaches my goal. My DNSmasq box is CentOS
6.7 running DNSmasq 2.48-14.el6. The host-record feature is only
available since 2.64.

I am looking for a simple description for implementing something in
DNSmasq that addresses my objective listed above, so pointers to other
how-to’s are appreciated.

I am not sure what additional information anyone might need to assist me
with this issue, but let me know if anything else is needed. Thanks.

Jeff
--
Jeff Boyce
Meridian Environmental
www.meridianenv.com
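A dnsmasq configuration that gives the split resolution the post asks for, added here as an example and not part of the original message or the poster's setup. It assumes the standard /etc/dnsmasq.conf path on the DNSmasq box and uses only the `address=` and `addn-hosts` options, which exist in 2.48 and do not need host-record; the IP addresses are the ones given in the post.

```conf
# /etc/dnsmasq.conf on the DNSmasq box (192.168.112.51) -- added example,
# not the poster's own configuration. Assumes OwnCloud listens on its LAN
# address 192.168.112.53 for both names.

# Answer cloud.companydomain.com with the internal address, so LAN clients
# never receive the public xx.yy.zz.21 record and never go out through
# pfSense to reach a box that sits on their own LAN.
# Caveat: address=/name/ also answers for every name *under* that name
# (e.g. anything.cloud.companydomain.com); every other name in
# companydomain.com is still forwarded to the upstream servers as before.
address=/cloud.companydomain.com/192.168.112.53

# Alternative that matches the exact name only (no subdomain catch-all):
# keep an extra hosts file and point dnsmasq at it.
#   /etc/dnsmasq.hosts:
#   192.168.112.53  cloud.companydomain.com  cloud.local.lan
addn-hosts=/etc/dnsmasq.hosts

# After restarting dnsmasq, check from a LAN client that the internal
# answer wins (expect 192.168.112.53, not xx.yy.zz.21):
#   dig @192.168.112.51 cloud.companydomain.com A +short
```

Use either the `address=` line or the `addn-hosts` file, not both; external clients keep resolving cloud.companydomain.com through the provider's zone file, which is unaffected by this change.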