DNS rewrite for internal clients to resolve hostname via adguard home and unbound
jata

Senior Member
Hi All,

Setup is that I have DuckDNS as my DDNS service and have got this all working SSL-encrypted via Let's Encrypt so that I can access Home Assistant on my network locally and remotely on https://host.duckdns.org:<port>

The last step (for efficiency really) is to get my DNS config to resolve host.duckdns to the hostname/IP of my Home Assistant server for clients on my local network. I'm using AdGuard Home with unbound as the upstream DNS server. I think I am close but not sure how to confirm... It might already be working. :cool:

Any guidance/assistance welcomed!


Additional info below...

Config for the DNS server in Adguard is as follows - this is from the unbound config that adguard uses

127.0.0.1:5335 ## This is unbound
[//100.168.192.in-addr.arpa/lan/local/]192.168.100.1:53 ## I think this is resolving local IP/names

below is how DNS is setup in Adguard

[screenshot attachment: AdGuard Home DNS settings]
 

If you look up host.duckdns.org it should give your WAN IP and work via NAT loopback, but that is not as efficient.

Just look up host or host.[whatever lan domain name you've configured in the asus] to get the local IP.

Why do you have 192.168.100.1 in there - that is the management IP of most cable modems.
 
If you look up host.duckdns.org it should give your WAN IP and work via NAT loopback, but that is not as efficient.
Correct - that is what I am doing and it's working. I want a more efficient solution.

FYI - 192.168.100.xxx is my local network subnet (changed from 192.168.50.xxx many years ago)

I know the local host IP of the HA server. I just want to do a redirect for local DNS queries for https://host.duckdns.org:<port>

Is doing this in dnsmasq an option?

hosts:
  - host: xxxxx.duckdns.org:<port>
    ip: 192.168.100.xx
 

Well you've got a couple options. If you don't care to ever resolve that domain to the external IP, just go to the asus LAN and set duckdns.org as your local domain name. That should keep the queries served locally. As long as you have a DHCP reservation for that host using the "xxxx" before duckdns.org then it should work fine. I guess if you ever had to access someone else's duckdns.org domain that may be an issue.

Option 2 is to use a different domain/hostname for local lookups but sounds like you want to have the same domain when you're home and away?

Option 3 is to create a script (dnsmasq.postconf) to tell DNSMASQ to add a host entry for it pointing to your 192.168 IP. I'm not positive but I think you may also have to tell it not to forward that domain upstream, which sort of accomplishes the same as option 1 if so.

There may be some options in adguard/unbound, not sure, I don't use that, the above is just for the basic DNSMASQ built into the router.

Typically NAT loopback is fine as long as it isn't huge bandwidth, what issues are you having with it?

Note you would not specify any port in DNSMASQ. DNS does nothing with ports. The port doesn't matter on the LAN, there are no port forwarding rules etc.
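Option 3 above written out as an added example; this is not code from the thread, from drinkingbird, or from the Asuswrt-Merlin project. It assumes the Asuswrt-Merlin convention that the user script /jffs/scripts/dnsmasq.postconf is called with the path of the generated dnsmasq config as `$1`; the hostname and LAN IP are placeholders. It uses `host-record`, which matches only the exact name, so the rest of the DDNS domain still resolves upstream, and it refuses a value with a port glued onto the IP, since, as noted above, DNS records carry no port.

```shell
#!/bin/sh
# Hypothetical /jffs/scripts/dnsmasq.postconf for an Asuswrt-Merlin router (added example).
# Asuswrt-Merlin calls this script with the path of the freshly generated dnsmasq
# config as $1. We append one exact-host record so LAN clients resolve the DDNS
# hostname to the Home Assistant LAN IP instead of the WAN IP (no NAT loopback).

LOCAL_HOST="ha.my-domain.duckdns.org"   # placeholder: the single host to override
LOCAL_IP="192.168.100.50"               # placeholder: LAN IP of the HA server

# Return 0 if $1 is a dotted-quad IPv4 address. A value such as "192.168.100.50:8123"
# fails here on purpose: dnsmasq wants an address, never a host:port pair.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Append "host-record=NAME,IP" to config file $1 unless that exact line is already there,
# so repeated dnsmasq restarts do not pile up duplicates.
# host-record matches only NAME itself; address=/NAME/IP would also capture every
# subdomain of NAME, which is the "too broad" behaviour to avoid.
add_local_host_record() {
    config="$1"; name="$2"; ip="$3"
    valid_ipv4 "$ip" || { echo "refusing non-IPv4 value: $ip" >&2; return 1; }
    case "$name" in
        ""|*:*|*/*) echo "bad hostname: $name" >&2; return 1 ;;
    esac
    line="host-record=$name,$ip"
    grep -qxF "$line" "$config" || echo "$line" >> "$config"
    return 0
}

# Only act when dnsmasq actually handed us a config path; the functions above can
# also be sourced and exercised on their own.
if [ -n "$1" ] && [ -f "$1" ]; then
    add_local_host_record "$1" "$LOCAL_HOST" "$LOCAL_IP"
fi
```

After saving it as /jffs/scripts/dnsmasq.postconf and making it executable, restart dnsmasq (`service restart_dnsmasq` on Asuswrt-Merlin) and the record is picked up on every subsequent config regeneration as well.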
 
Thanks so much for the info and help @drinkingbird - very good to know the options!

NAT loopback working fine and the other/advanced options I don't think are needed for me - If it ain't broke don't fix it!

I thought this would be a simple add a line in the config for either Adguard or unbound.
 
Unbound is capable of supporting Split-horizon DNS using its Tags and Views feature based on source IP (or even interface) but interpretation of 'simple' for the necessary config directives for Unbound will vary for each individual.

Not sure if this is relevant/information is useful?
 
Thanks. I think I’m chasing unicorns here! My setup is working fine.

I will post back here if I find anything helpful.
 
Just a little update on this mini-project...

Looks like it is possible (and easy) to create DNS rewrite rules inside of the Adguard Home (GUI - Filters - DNS Rewrites).

I added a rule for my-domain.duckdns.org - this is way too broad (I think) - but I tried it anyway and the rule redirected all LAN requests back to the local IP I specified. I don't want this as I have other services/config that use my DDNS.

However, after setting this up I see some much more granular rewrites in the adguard log with the format: _<port>._https.my-domain.duckdns.org

I deleted the original rule and added a new rewrite rule with a more targeted format of: _<port>._https.my-domain.duckdns.org and this is working.

Not seeing a load of rewrites in the logs though. Most of the DNS queries that Home Assistant is generating are using my-domain.duckdns.org so I think this is all a bit pointless. haha
 

Not familiar with the adguard architecture but I wonder if that is really buying you anything, sending it through that system then back. I guess it is just a DNS lookup so not a big deal. But if you want it as clean as possible, setting up a dnsmasq.postconf script is fairly easy so the router DNS just handles it directly.

Why not make a host.my-domain.duckdns.org at duckdns which is a CNAME to your main domain, so that takes care of the internet part, then on your asus make an A record for the same thing pointing to 192.168.x.x. That way you aren't impacting the whole domain, just the one host. I'm assuming duckdns lets you have cnames.
 
Thanks for coming back to help. I have solved this - along the lines you have suggested - and was just about to post here.
 
I have solved the rewrite issue by doing the following. In summary, it will work better to use a host for the my-domain.duckdns.org. I have used ha.my-domain.duckdns.org but anything should work.

I did not need to create a CNAME record as DNS was returning my WAN IP for any host.mydomain.duckdns that I tried.

Here are the steps.
  1. create a new SSL certificate with wildcard enabled (this was not the default for the docker letsencrypt tool)
  2. change home assistant config to use new certificate and setup to use ha.my-domain.duckdns.org
Once all this is done and working, just go to adguard GUI and change the DNS rewrite rule to ha.my-domain.duckdns.org
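One way to confirm from a LAN client that the rewrite is actually in effect, added here as an example that is not from the thread: query the hostname against the LAN resolver and against a public resolver with dig and compare the answers. The hostname and the resolver addresses are placeholders, and the status names are this example's own.

```shell
#!/bin/sh
# Added example: check that a DDNS hostname is split-horizon on the LAN.
# Expected picture when the AdGuard/dnsmasq rewrite works: the LAN resolver answers
# with a private (RFC 1918) address, a public resolver still answers with the WAN IP.

# Classify one IPv4 answer: "lan" for RFC 1918 space, "none" for an empty answer, "wan" otherwise.
classify_answer() {
    case "$1" in
        "")                                      echo "none" ;;
        10.*)                                    echo "lan" ;;
        192.168.*)                               echo "lan" ;;
        172.1[6-9].*|172.2[0-9].*|172.3[0-1].*)  echo "lan" ;;
        *)                                       echo "wan" ;;
    esac
}

# Combine the LAN-resolver answer ($1) and the public-resolver answer ($2):
#   rewrite-ok         LAN gives a private IP, public gives a public IP (what we want)
#   not-rewritten      both give a public IP: LAN clients still go out via NAT loopback
#   private-on-public  the public record itself points at a private IP (misconfigured DDNS record)
#   no-answer          one side returned nothing (resolver unreachable or name missing)
split_horizon_status() {
    lan_class=$(classify_answer "$1")
    pub_class=$(classify_answer "$2")
    if [ "$lan_class" = "none" ] || [ "$pub_class" = "none" ]; then
        echo "no-answer"
    elif [ "$pub_class" = "lan" ]; then
        echo "private-on-public"
    elif [ "$lan_class" = "lan" ]; then
        echo "rewrite-ok"
    else
        echo "not-rewritten"
    fi
}

# Ask resolver $2 for the A record of $1 and print the first IPv4 answer (empty if none).
resolve_a() {
    dig +short +time=2 +tries=1 A "$1" "@$2" 2>/dev/null \
        | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# Live check. Usage (placeholders):
#   check_rewrite ha.my-domain.duckdns.org 192.168.100.1 1.1.1.1
check_rewrite() {
    name="$1"; lan_resolver="$2"; public_resolver="$3"
    lan_ip=$(resolve_a "$name" "$lan_resolver")
    pub_ip=$(resolve_a "$name" "$public_resolver")
    printf '%s via %s -> %s\n' "$name" "$lan_resolver" "${lan_ip:-<no answer>}"
    printf '%s via %s -> %s\n' "$name" "$public_resolver" "${pub_ip:-<no answer>}"
    split_horizon_status "$lan_ip" "$pub_ip"
}
```

Run it once from a wired LAN client and once from a client on mobile data; only the first should report rewrite-ok. If the LAN side reports not-rewritten, the client is probably using a DNS server other than AdGuard (a hard-coded resolver or DNS-over-HTTPS in the browser), which is the usual reason a rewrite appears not to work.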
 

Duckdns must have wildcard enabled by default - it varies by DDNS provider (some don't support it at all). I have it turned off on mine as I don't want people getting my home IP by just looking up anything for my home domain, so I actually update blah.mydomain.com as my main DDNS IP, and mydomain.com returns no IP. Only I know/use "blah". Don't have a need for multiple hosts so no cnames in my case, and wildcard disabled. A bit over paranoid, not that big of a concern. Occasionally when I need to give someone access to something, I'll toss up a temporary CNAME.

Some secure apps won't like a certificate with wildcard, they want everything specifically spelled out in the SAN field, but as long as home assistant is ok with it, that's the most flexible.
 
thanks again @drinkingbird - I have chased a unicorn and caught it! I see that I have probably identified another unicorn to chase/find... To limit the footprint of my ddns setup. :)

Although not a huge number of DNS requests are impacted, there is a decent difference in the response time now I have the rewrite set up and working well.

For info/comparison:
DNS Rewrites: 0.1 - 0.2 ms (yes decimal correct)
DNS cached (unbound): 1 ms
DNS non-cached: 100-1000 ms - depending on client and request type

However - being honest - quite a high number of the DNS queries were being handled by my unbound cache so I doubt this exercise will result in significant real world improvements.
 
