How to set up a local DNS server for a network with VLANs?

EnthusiastXYZ (Limp Gawd; joined Jun 26, 2020; 221 messages)
UniFi Dream Machine (non-Pro) here and a network with 2 VLANs, but only one Raspberry Pi that runs a local DNS server (AdGuard Home, similar to Pi-Hole). The local DNS server is on VLAN-1 along with most clients, but VLAN-2 uses a different subnet and can't reach VLAN-1. How can I make VLAN-2 reach the Raspberry Pi (and only the Raspberry Pi) on VLAN-1? I think what I need is DNS forwarding, but the UDM non-Pro does not offer that.
 
This website does well enough to cut and paste (https://social.dnsmadeeasy.com/blog/understanding-dns-forwarding/):

What is DNS Forwarding?
DNS forwarding is the process by which particular sets of DNS queries are handled by a designated server, rather than being handled by the initial server contacted by the client. Usually, all DNS servers that handle address resolution within the network are configured to forward requests for addresses that are outside the network to a dedicated forwarder.



IMO, if the ability to use the DNS server internally is available, such as me using pfSense or Pi-Hole, then this is the BEST method possible. Encrypting and all that is nothing but bullshit, for they know what you looked at; it's just those in transit who most likely will not. Technically it is a trade-off, and knowing the trade-off is the key: when to, and when not to, encrypt. Having a local DNS with a cache is much faster, especially if there are more users in the household. You will benefit from the caching of your local server by not having to go out of your local segment too much. You will have a cache at the host, then at the DNS server; if not, it is sent out to the roots this way. Forwarding means your inquiry goes to the local host cache, then is forwarded to the external server, which can be very slow. You can feel/see the difference, since the main mechanism of networking is knowing where to go. Decrease the resolution time and even the transit time, and the network is faster.

You can also NAT your requests with pfSense and Pi-Hole to make sure that you do not have any outside resolving, such as a host that is configured to use its own hard-coded DNS, or a compromised system that is programmed to use an external source. It will be forced to use the firewall's DNS by being redirected, and if such a record isn't seeded, then, well, it will not go anywhere. And this is why in paragraph two they mention:

"When deciding how to allocate DNS resources on a network it’s important to implement some separation between external and internal Domain Name Services. Having all DNS servers configured to handle both external and internal resolution can impact the performance and security of a network."

pfSense: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
Pi-Hole: https://labzilla.io/blog/force-dns-pihole


The issue with VLANs is that you segmented the networks. So you have to ask: can the port 53 request go egress and ingress? This video from Lawrence Systems might be very helpful for you:
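To make the lookup order described above concrete (internal zone first, then the local cache, then forward to one designated upstream), here is an added toy split-horizon resolver. It is example code written for this thread, not part of AdGuard Home, Pi-Hole or pfSense; the zone names, addresses, TTLs and the FakeUpstream stand-in are constructed so that it runs offline.

```python
import time

# Constructed internal zone: names that must be answered on the LAN and never
# forwarded to an outside resolver.
LOCAL_ZONE = {
    "pi.home.lan": "192.168.1.53",
    "udm.home.lan": "192.168.1.1",
}


class SplitResolver:
    """Answer internal names locally, forward everything else to a single
    designated upstream, and cache forwarded answers for their TTL."""

    def __init__(self, local_zone, upstream, clock=time.monotonic):
        self.local_zone = {k.lower(): v for k, v in local_zone.items()}
        self.upstream = upstream      # callable(name) -> (address, ttl_seconds)
        self.clock = clock            # injectable so TTL expiry can be exercised
        self.cache = {}               # name -> (address, expires_at)
        self.upstream_queries = 0     # how many lookups actually left the LAN

    def resolve(self, name):
        name = name.strip(".").lower()
        # 1. Internal names are served from the local zone and never leave the LAN.
        if name in self.local_zone:
            return self.local_zone[name], "local"
        # 2. A still-fresh cached answer is served without any upstream traffic.
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return hit[0], "cache"
        # 3. Everything else is forwarded once and then cached until its TTL expires.
        address, ttl = self.upstream(name)
        self.upstream_queries += 1
        self.cache[name] = (address, self.clock() + ttl)
        return address, "forwarded"


class FakeUpstream:
    """Constructed stand-in for the external forwarder; records what it was asked."""

    def __init__(self, table):
        self.table = table   # name -> (address, ttl_seconds)
        self.seen = []

    def __call__(self, name):
        self.seen.append(name)
        return self.table[name]


if __name__ == "__main__":
    up = FakeUpstream({"example.com": ("203.0.113.10", 60)})
    r = SplitResolver(LOCAL_ZONE, up)
    print(r.resolve("pi.home.lan"))   # answered locally
    print(r.resolve("example.com"))   # forwarded
    print(r.resolve("example.com"))   # served from cache
    print("upstream queries:", r.upstream_queries)
```

The second lookup of the same external name never leaves the resolver, which is the caching benefit the post describes; only names outside the local zone ever reach the forwarder.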
 
Yeah, that is how I had it the first time on my old router without any VLAN capabilities. It was great in that regard, and I could do the same with the UDM if I double-NAT, but double-NAT would've mostly helped with intrusions from outside, not inside. I made specific rules to allow/accept the VLAN-2 subnet onto the VLAN-1 local DNS server on UDP port 53, but it did not work with Layer-2 isolation. Going with VLAN Layer 2 instead of double-NAT did empty one of the UDM's Ethernet ports, and last time I checked Raspberry Pis were cheap.
 
Just to note, DNS is TCP and UDP; you should always configure for both:

DNS Transport Protocol

DNS uses the User Datagram Protocol (UDP) on port 53 to serve DNS queries. UDP is preferred because it is fast and has low overhead. A DNS query is a single UDP request from the DNS client followed by a single UDP reply from the server.

If a DNS response is larger than 512 bytes, or if a DNS server is managing tasks like zone transfers (transferring DNS records from the primary to the secondary DNS server), the Transmission Control Protocol (TCP) is used instead of UDP, to enable data integrity checks.



Oh, BTW, I wouldn't have the DNS located on a VLAN. Like the router, I would have it on the LAN proper, as it should be, with the filtering happening per segment of the VLAN. Allowing only when needed, and controlling broadcasting, are quite the particulars of VLANing. Such as placing your Wi-Fi, IoT, and such into segments so they cannot see out and interact much, especially if compromised.

When you have two NAT boundaries it can get hairy with shitty consumer gear. Knowing how to pass through, or allow non-routable, is important (q.v. not having a public IP provided). Sometimes, depending on your gear, you can filter with ACLs and scrubbing instead of having a firewall. I don't really know what you have and such. Just know the first rule: keep it simple. Second rule, if everything is proper when simple: then get complicated.
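The quoted passage states the rule (UDP by default, TCP once a reply exceeds 512 bytes) but not the mechanism that makes a TCP rule on the firewall necessary. The added example below is mine, not from the thread: it builds real DNS wire-format messages, has a constructed toy server truncate an oversized UDP reply and set the TC flag, and has the client retry the same query over TCP with the two-byte length prefix that TCP framing requires. The names and addresses are constructed; the message layout follows RFC 1035.

```python
import struct

DNS_UDP_MAX = 512  # classic UDP payload limit without EDNS(0)


def encode_name(name):
    """Encode "pi.home.lan" as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, i=12):
    """Decode an uncompressed name at offset i; return (name, offset after it)."""
    labels = []
    while msg[i] != 0:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode("ascii"))
        i += n + 1
    return ".".join(labels), i + 1


def question_length(msg):
    """Length of the single question section that follows the 12-byte header."""
    _, end = decode_name(msg)
    return end + 4 - 12  # QTYPE + QCLASS


def build_query(name, txid=0x1234):
    """Standard A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}


def build_response(query, addresses, ttl=300):
    """One A record per address; the owner name is a compression pointer
    (0xC00C) back to the question name at offset 12."""
    txid = parse_header(query)["id"]
    question = query[12:12 + question_length(query)]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addresses)
    return header + question + rrs


def truncate_for_udp(response):
    """Server side: a reply over 512 bytes is cut back to the question and the
    TC flag is set, telling the client to retry over TCP."""
    if len(response) <= DNS_UDP_MAX:
        return response
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    header = struct.pack("!HHHHHH", txid, flags | 0x0200, qd, 0, 0, 0)
    return header + response[12:12 + question_length(response)]


def frame_for_tcp(msg):
    """Over TCP every DNS message carries a two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(data):
    (length,) = struct.unpack("!H", data[:2])
    return data[2:2 + length]


def parse_a_records(response):
    """Return the IPv4 strings from the answer section (owner names may be
    pointers, as build_response emits, or plain labels)."""
    i = 12 + question_length(response)
    out = []
    for _ in range(parse_header(response)["ancount"]):
        if response[i] & 0xC0 == 0xC0:
            i += 2
        else:
            _, i = decode_name(response, i)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[i:i + 10])
        i += 10
        if rtype == 1:
            out.append(".".join(str(b) for b in response[i:i + 4]))
        i += rdlen
    return out


class ToyServer:
    """Constructed stand-in for a DNS server; the same records answer both transports."""

    def __init__(self, records):
        self.records = records

    def _answer(self, query):
        name, _ = decode_name(query)
        return build_response(query, self.records.get(name, []))

    def handle_udp(self, query):          # UDP path may truncate
        return truncate_for_udp(self._answer(query))

    def handle_tcp(self, framed_query):   # TCP path is length-prefixed both ways
        return frame_for_tcp(self._answer(unframe_tcp(framed_query)))


def resolve(name, server):
    """Client side: UDP first; TCP only when the UDP reply came back truncated."""
    query = build_query(name)
    reply = server.handle_udp(query)
    if not parse_header(reply)["tc"]:
        return parse_a_records(reply), "udp"
    reply = unframe_tcp(server.handle_tcp(frame_for_tcp(query)))
    return parse_a_records(reply), "tcp"


# Constructed record sets: the small one fits in a UDP datagram, the large one does not.
SMALL = {"pi.home.lan": ["192.168.1.53"]}
LARGE = {"big.example": ["203.0.113.%d" % i for i in range(1, 41)]}

if __name__ == "__main__":
    print(resolve("pi.home.lan", ToyServer(SMALL)))
    addrs, transport = resolve("big.example", ToyServer(LARGE))
    print(transport, len(addrs), "addresses")
```

If the firewall between the VLANs passes only UDP/53, the first lookup in the demo works and the second silently fails after the truncated reply: the client's TCP retry never reaches the server. That is the practical reason both protocols need a rule.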
 
What about setting the local DNS server to run with port isolation? I actually can't figure out how to run port isolation on the UDM at all. Enabling port isolation on all ports, including WAN, prevents me from accessing the web GUI and WAN. Is port isolation a more hardcore type of isolation? Do TCP/UDP port forwarding rules apply to port isolation the same way they apply to VLANs?
 
Actually, this says that port isolation prevents isolated clients from talking to other isolated clients, but it does not prevent isolated clients from talking to non-isolated clients. This may be exactly what I need.
 
Another issue is that I input the local DNS address for the WAN DNS IP address that I get via DHCP from my ISP. When I explore the UDM's files, the dnsmasq file that lists my local DNS server IP address says "Search *ISP*", where *ISP* is my ISP's name! So does that mean I am sort of hosting my DNS server over WAN? I do want my router to use the local DNS server to prevent the UDM from calling Ubiquiti and sending them telemetry.
 
Is routing enabled between VLANs?

You could create an ACL (assuming your switch allows it) that only allows VLAN 2 traffic to reach the server on VLAN 1 for UDP/TCP 53 requests. I don't know the Ubiquiti syntax, but I think an Aruba/HP command would look like:

permit tcp <SOURCE_VLAN_2> <DNS_SERVER_VLAN_1> eq 53
deny ip <SOURCE_VLAN_2> <VLAN_1_SUBNET>

That would first permit any VLAN 2 device to request DNS from the server on VLAN 1 (this example only shows TCP), and any additional traffic gets denied.

Then just set the VLAN 2 machines to use the VLAN 1 DNS server like normal.
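A first-match ACL is easy to get subtly wrong, so here is an added example (mine, not from the thread, and not Aruba/HP or UniFi syntax) that models the two lines above as rules and evaluates representative VLAN 2 flows against them before anything is pushed to a switch. It also shows the gap the post itself flags: with a TCP-only permit, ordinary UDP/53 lookups fall through to the deny line. The subnets, host address and flows are constructed, and the evaluator assumes the usual switch behaviour that an ACL ends in an implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str            # source IP
    dst: str            # destination IP
    dport: int = 0      # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # source prefix in CIDR form
    dst: str                     # destination prefix; a single host is a /32
    dport: Optional[int] = None  # None = any port; a value is the "eq <port>" clause

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl, pkt, implicit="deny"):
    """First matching rule wins; with no match the assumed implicit deny applies."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return implicit


# Constructed addressing for the two segments in the thread.
VLAN2 = "192.168.2.0/24"
VLAN1 = "192.168.1.0/24"
DNS_SERVER = "192.168.1.53/32"

# The two lines from the post, transcribed: TCP/53 to the server, then deny VLAN 1.
TCP_ONLY_ACL = [
    Rule("permit", "tcp", VLAN2, DNS_SERVER, 53),
    Rule("deny", "ip", VLAN2, VLAN1),
]

# The same policy with UDP/53 added and a trailing permit so VLAN 2 still
# reaches everything that is not VLAN 1 (the internet, for instance).
FULL_ACL = [
    Rule("permit", "udp", VLAN2, DNS_SERVER, 53),
    Rule("permit", "tcp", VLAN2, DNS_SERVER, 53),
    Rule("deny", "ip", VLAN2, VLAN1),
    Rule("permit", "ip", VLAN2, "0.0.0.0/0"),
]

# Constructed flows a VLAN 2 client would generate.
FLOWS = {
    "dns_udp":   Packet("udp", "192.168.2.20", "192.168.1.53", 53),
    "dns_tcp":   Packet("tcp", "192.168.2.20", "192.168.1.53", 53),
    "ssh_to_pi": Packet("tcp", "192.168.2.20", "192.168.1.53", 22),
    "dns_other": Packet("udp", "192.168.2.20", "192.168.1.10", 53),
    "web_out":   Packet("tcp", "192.168.2.20", "203.0.113.7", 443),
}


def audit(acl):
    """Verdict per flow, so a rule set can be checked before it is deployed."""
    return {name: evaluate(acl, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("tcp-only", TCP_ONLY_ACL), ("full", FULL_ACL)):
        print(label, audit(acl))
```

Both rule sets block SSH to the Pi and DNS to any other VLAN 1 host, which is the intent; only the second one lets a normal UDP lookup through and keeps VLAN 2's internet access, so it is the one to transcribe into the switch's own syntax.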
 