
Using EDNS0 to identify my nodes in custom DNS server

Hi everyone,

I have a bit of a technical conundrum on my side: I am not a professional networking engineer but for some reason or another I am now in this rabbit hole of making my own DNS server in my k8s to handle various paths of updates based on ingress config (some tailscale stuff, some cloudflare stuff, but also exposes port :53 with DNS mapping for some internal configurations).

I have managed to sniff what dnsmasq does when CPE ID is added to the configuration for the reason of correctly routing the DNS queries in NextDNS, so that's all fine: my forwarder for all other cases (which are not statically mapped in my DNS server) work perfectly. Basically, I figured out how I can add extra EDNS0 "extra" to send the CPE ID in a way that NextDNS accepts and applies my configurations - and I can see now my device popping up in the DNS logs on NextDNS!

But, here comes now my question: is there any way to construct a UDP DNS query that will send... something... (I guess another EDNS0 extra?) that will identify my device in NextDNS logs? UDP is the only one that I can make at this time, since the Golang library I am using supports only those.

Is that even possible? Is there something else I can do when constructing the UDP query so that I see my DNS server as a device in the listing of recognized devices in the DNS logs on NextDNS?

Kind Regards & thanks for help

5 replies

    • Failsafe
    • 4 days ago

    I would love to offer some help here, but I'm pretty confused at the moment as to what you are conveying. You said:

    and I can see now my device popping up in the DNS logs on NextDNS!

    But then follow up with this:

    is there any way to construct a UDP DNS query that will send... something... (I guess another EDNS0 extra?) that will identify my device in NextDNS logs?

    The two sound contradictory. Are you saying your k8s DNS server is successfully communicating with NextDNS over DoH or DoT and providing client names via EDNS0, but is not identifying itself as a device in NextDNS logs?

    Hopefully some clarification can get this ironed out and we'll see what we can figure out. 😎 

    • Milan_Aleksic
    • 4 days ago

    Hi Mark!

    I am successfully using an extra in my forwarded query to refer to my NextDNS... identifier (I guess that's what you call that short unique string that identifies the target configuration, which is something like a391735, which I just invented now as an example?). What I mean by saying that is that I can verify that my NextDNS configuration is applied (for example, if I blocked some annoying website in my NextDNS configuration, I can verify that I am getting the correct information back from NextDNS, meaning my a391735 is correct). So this part is fine, I believe.

    But, I don't know how to get my machine name attached to my queries, so that I can identify my service "kube-home-dns" as the source of the query. That's what I can't figure out. Maybe it's even impossible without actually using more advanced approaches such as DoH? I would just like to understand the mechanism at play that allows NextDNS to figure out the originating device doing the queries - it seems like a nice-to-have in my case?

    Thanks a lot for jumping in and trying to help :)

      • Failsafe
      • 3 days ago

      Ah, okay! I'm following closer now! Thanks for clearing that up for me.

      Let's for example say your profile ID is 'ab1337'. With NextDNS, you can include a client name in the URL (obviously has to be URL encoded) for the endpoint, like in the case of "Milan's Cool Tablet":

      https://dns.nextdns.io/ab1337/Milan%27s%20Cool%20Tablet

      Not sure if you're Go savvy, but that's the language in which the NextDNS CLI is written. When a DNS query is sent upstream via DoH, they instead include the device's name, IP, model, etc. within the HTTPS header for the POST instead of in the URL string itself. See here:

      https://github.com/nextdns/nextdns/blob/a575d7afc94f93dd92584e54158ac1af87d9cd14/resolver/doh.go#L97-L108

      DoT is a little trickier in the domain name syntax as to send "Milan Cool Tablet" to our fictitious NextDNS profile would look like having to establish the connection in this way (spaces are sent as double dashes `--`):

      Milan--Cool--Tablet-ab1337.dns.nextdns.io

      So going back to the start, and yes, I should have asked this before... is dnsmasq actually what you're using on your k8s DNS service to establish the connection to NextDNS?

      • Milan_Aleksic
      • 6 hrs ago

      Hi Mark, thanks for your response. I had hoped I could use `github.com/miekg/dns`, but it seems that they support only UDP, so even the last one just doesn't work for the DNS client Exchange calls in that library.

      Indeed, all the approaches I see are using alternatives, and I will definitely create an approach that uses the HTTPS endpoint (just like in the code you suggested). I had hoped I could use UDP since it is "the lowest common denominator". I even tried using the CPE ID as `kube-home-dns-ab1337`, but that doesn't work either (I mean I do get a UDP response, but my configuration is not taken into action, which means that it is not parsed correctly by the NextDNS server).

      In case UDP DNS query can't be done I can just choose to implement that approach or just "leave it as is" for now since the queries don't really have to be specified.

      Thanks for the chat and ideas; if you do know how to use UDP and avoid the HTTPS stuff, please share. Otherwise, as I said, I'll probably just go with the approach as in their Go client.

    • NextDNs
    • 2 hrs ago

    You can pass the device IP for identification using EDNS0 subnet with a /32 or /128. Our resolver will interpret this as a client identification. You can't pass names over UDP. I'd recommend using our CLI for your use case.
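
Both wire-level identification methods that come up in this thread, the dnsmasq-style CPE ID option from the original post and the single-host EDNS Client Subnet (/32 or /128) that NextDNS describes above, live in the same place: the OPT pseudo-RR in the query's additional section. The Go program below is an added example written for this page; it is not code from the thread, from NextDNS or from dnsmasq, and it uses only the standard library rather than github.com/miekg/dns. It builds such a query by hand and then parses its own output back, so you can check exactly which options would leave the UDP socket. Option code 65074 for the CPE ID is an assumption based on what dnsmasq's --add-cpe-id emits; compare it with your own capture before relying on it. The UDP payload size 1232, the query ID, the name example.com, the address 192.0.2.10 and the reuse of "kube-home-dns" as the CPE ID string are constructed sample values.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

const (
	optClientSubnet uint16 = 8     // EDNS Client Subnet option code (RFC 7871)
	optCPEID        uint16 = 65074 // assumed: the code dnsmasq uses for --add-cpe-id; confirm against your capture
)

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// appendOption appends one EDNS0 option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA.
func appendOption(rdata []byte, code uint16, data []byte) []byte {
	return append(put16(put16(rdata, code), uint16(len(data))), data...)
}

// ecsOption encodes a Client Subnet option for exactly one host: FAMILY 1 and /32 for IPv4, FAMILY 2 and /128 for IPv6, SCOPE 0.
func ecsOption(ip net.IP) ([]byte, error) {
	if v4 := ip.To4(); v4 != nil {
		return append([]byte{0, 1, 32, 0}, v4...), nil
	}
	if v6 := ip.To16(); v6 != nil {
		return append([]byte{0, 2, 128, 0}, v6...), nil
	}
	return nil, fmt.Errorf("not an IPv4 or IPv6 address")
}

// buildQuery returns a wire-format A/IN query with one OPT RR carrying an ECS option for clientIP and, if cpeID is set, a CPE ID option.
func buildQuery(id uint16, qname string, clientIP net.IP, cpeID string) ([]byte, error) {
	ecs, err := ecsOption(clientIP)
	if err != nil {
		return nil, err
	}
	// Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR).
	msg := append(put16(nil, id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 1)
	// Question: length-prefixed labels, root byte, QTYPE=A, QCLASS=IN.
	for _, label := range strings.Split(strings.TrimSuffix(qname, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("bad label %q in %q", label, qname)
		}
		msg = append(append(msg, byte(len(label))), label...)
	}
	msg = put16(put16(append(msg, 0), 1), 1)
	// OPT RR: empty name, TYPE=41, CLASS=our UDP payload size, TTL=extended RCODE/version/flags (all 0), then RDLENGTH and the options.
	rdata := appendOption(nil, optClientSubnet, ecs)
	if cpeID != "" {
		rdata = appendOption(rdata, optCPEID, []byte(cpeID))
	}
	msg = put16(put16(append(msg, 0), 41), 1232)
	msg = put16(append(msg, 0, 0, 0, 0), uint16(len(rdata)))
	return append(msg, rdata...), nil
}

// parseOptions reads the OPT RR of a message laid out like buildQuery's output (one question, OPT first in the additional section).
func parseOptions(msg []byte) (map[uint16][]byte, error) {
	off := 12
	for off < len(msg) && msg[off] != 0 { // skip the question name; queries carry no compression pointers
		off += int(msg[off]) + 1
	}
	off += 1 + 4 + 1 // root byte, QTYPE+QCLASS, the OPT RR's empty name
	if off+10 > len(msg) || binary.BigEndian.Uint16(msg[off:]) != 41 || len(msg)-off-10 != int(binary.BigEndian.Uint16(msg[off+8:])) {
		return nil, fmt.Errorf("no well-formed OPT RR where expected")
	}
	rdata, opts := msg[off+10:], map[uint16][]byte{}
	for len(rdata) >= 4 {
		n := 4 + int(binary.BigEndian.Uint16(rdata[2:]))
		if n > len(rdata) {
			return nil, fmt.Errorf("truncated option")
		}
		opts[binary.BigEndian.Uint16(rdata)] = rdata[4:n]
		rdata = rdata[n:]
	}
	return opts, nil
}

// ecsAddress recovers the single-host address from an option built by ecsOption; shorter prefixes are rejected.
func ecsAddress(opt []byte) (net.IP, bool) {
	v4 := len(opt) == 8 && opt[0] == 0 && opt[1] == 1 && opt[2] == 32
	v6 := len(opt) == 20 && opt[0] == 0 && opt[1] == 2 && opt[2] == 128
	if !v4 && !v6 {
		return nil, false
	}
	return net.IP(opt[4:]), true
}

func main() {
	q, err := buildQuery(0x1234, "example.com.", net.ParseIP("192.0.2.10"), "kube-home-dns") // constructed sample input
	if err != nil {
		panic(err)
	}
	opts, _ := parseOptions(q)
	ip, _ := ecsAddress(opts[optClientSubnet])
	fmt.Printf("%d-byte query, ECS client %s, CPE ID %q\n", len(q), ip, opts[optCPEID])
}
```

The bytes returned by buildQuery are what you would write to a UDP socket connected to the resolver. The ECS option is the part NextDNS says it interprets as client identification, and the decoder is deliberately strict about it: the address length must match a /32 or /128, so a shorter prefix is never mistaken for a host identifier. Keep in mind that a /32 or /128 discloses the exact client address to the upstream resolver, which is the intended effect here but worth a conscious decision for any forwarder that handles other people's clients.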
