Nebula name resolution for internal services

[FDrebin]

Recently spun up Nebula on a few development hosts in our dev environment, we were successfully able to connect various databases and services across the Nebula network via their Nebula IP's which is awesome, but we also have some web services that terminate at load balancer and we use dns names for them, something like service.internal.ourdomain.com (not reachable via public internet) are unreachable or at least unreachable via its DNS name.

I read somewhere on one of the blogs/tutorials for Nebula setup that resolving internal DNS wasn't possible yet, but I did see in the example config for 1.30 that the lighthouse can act as DNS, is it possible to have the lighthouse act as DNS and be able to point clients of the Nebula network to something like service.internal.ourdomain.com on the Nebula range?

[caguiclajmg]

The internal DNS server has been out for quite some time, just set serve_dns in the config to true and the items under the dns key (which is in the example config).

Lastly, you need to issue certificates with the correct name since the internal DNS server uses this for name resolution.

[FDrebin]

Hey thanks for the reply, so I will need to generate new certificates for service.internal.domain.com correct? And once that's done I can flip on the internal DNS and it should start being able to reach these services via Nebula?

[caguiclajmg]

Correct, you should be able to query the DNS server with that hostname if the certificate name is set up properly (and once that specific node has connected to the lighthouse you're querying at least once).

#110 might also be of interest

[FDrebin]

Hey thanks for that link, yea this is probably going to be trickier then I thought. Our load balancer servers up multiple DNS names for all our services, its really our single termination point for all our web services available.

I will have to poke around with the settings.

[FDrebin]

Hey, so following up with this. If I have multiple services reporting to the same load balancer, would I be able to have Nebula generate multiple DNS names, or have Nebula listen with multiple certificate names?

[caguiclajmg]

Unfortunately certificates can only have one name and certificate-ip pairs are 1:1 so you can't set up multiple certificates per node as a workaround.

nebula/cert/cert.go

Lines 36 to 37 in 480036f

	type NebulaCertificateDetails struct {
	Name string

I was thinking about this the other way as well and needed the multiple name capability so I started to write a patch to support this. Fortunately, it seems the name isn't being used much anywhere except the firewall so this looks somewhat doable.

[FDrebin]

Yes that would be awesome! I am not sure where I would even begin to try and pitch in with some of the "wants" that I have, I would love to be able to install Nebula on a server that provides DNS and simply use that as a one stop shop for resolving internal names and such, and it appears its a want for others as well. Some things are worth the wait.

[caguiclajmg]

If you're interested you can check out my fork with this feature caguiclajmg/nebula:multi_cert_names, just beware that it hasn't been extensively tested and is therefore not suitable for a production environment.

I've been running on a fleet of 20 machines (18 servers and 2 home devices) for about a day now and haven't seen any problems, the DNS resolution seems to be working as well, I can resolve multiple names that point to a single nebula IP.

[FDrebin]

If you're interested you can check out my fork with this feature caguiclajmg/nebula:multi_cert_names,

I will give it a look at sometime this week or weekend, is that the lighthouse providing the DNS resolution via the DNS name for the certiticate correct? So I would just need to generate a certificate with the lighthouse CA for each DNS name I want that IP to respond to, such as ./nebula-cert sign -name "service1.internal.domain.com, service2.internal.domain.com, portal.internal.domain.com" -ip "10.99.0.2/24" or similar correct?

[caguiclajmg]

Yes, correct. Ideally, you would only need to re-issue the certificates with the intended names to use this (no configuration or changes).

That nebula-cert command is on point, just trim the extra spaces in between the commas.

[FDrebin]

And my (hopefully last question bothering you lol), I would only need to build from source for just the lighthouse correct, I wouldn't need to copy the newly built binaries to the other nodes?

Edit : And for say iOS , would I need to go into the configuration of the hosts I have setup a define a public ip or dns name for that host, or is that just left blank and the lighthouse handles the translation if I go to a web browser and type in portal.internal.domain.co, ?

[caguiclajmg]

I wouldn't need to copy the newly built binaries to the other nodes?

Quite a PITA, but unfortunately you need to (i.e. generate new certificates for every node, install the binaries on every node). This fork introduces changes in the protobuf definition of the nebula certificate, without it the nodes would get confused on how to read the multiple names inside the certificate. I suggest having a backup strategy ready since this is basically a backward incompatible change to your setup.

Edit : And for say iOS , would I need to go into the configuration of the hosts I have setup a define a public ip or dns name for that host, or is that just left blank and the lighthouse handles the translation if I go to a web browser and type in portal.internal.domain.co, ?

I have not used the iOS app so I can't say for sure, but if there is a way for you to change the device's DNS servers such that it points to the lighthouse serving the DNS records (warning: the nebula DNS server doesn't do recursive queries); then yes, you should be able to access a node via its internal names defined in the certificate.

[FDrebin]

So I finally fired this up, on iOS I get a certificate signature does not match with the ca.crt that i re-generated using the above pull from your repo. But it did successfully connect on a PC. I am trying now to see if the DNS stuff will work based on certificate name.

[johnmaguire]

So I finally fired this up, on iOS I get a certificate signature does not match with the ca.crt that i re-generated using the above pull from your repo. But it did successfully connect on a PC. I am trying now to see if the DNS stuff will work based on certificate name.

On mobile, I believe you will need to export the public key generated on iOS, then sign it using nebula-cert sign -in-pub and then copy the certificate back to the device (easiest via QR.)

The goal is to avoid moving the private key off of the mobile device itself.

[FDrebin]

Yup, did exactly that like I did when I was using the 1.3.0 build of Nebula, with the dev build from your repo I did the same, imported the ca.crt but it keeps flagging as not valid. Also went ahead and gave the Windows a whirl, for Windows 10 x64 I also receive

PS S:\Nebula> .\nebula.exe -config .\config.yml time="2021-04-20T11:36:46-04:00" level=info msg="Firewall rule added" firewallRule="map[caName: caSha: direction:outgoing endPort:0 groups:[] host:any ip: proto:0 startPort:0]" time="2021-04-20T11:36:46-04:00" level=info msg="Firewall rule added" firewallRule="map[caName: caSha: direction:incoming endPort:0 groups:[] host:any ip: proto:0 startPort:0]" time="2021-04-20T11:36:46-04:00" level=info msg="Firewall started" firewallHash=21716b47a7a140e448077fe66c31b4b42f232e996818d7dd1c6c4991e066dbdb time="2021-04-20T11:36:46-04:00" level=info msg="Main HostMap created" network=10.1.90.3/24 preferredRanges="[]" time="2021-04-20T11:36:46-04:00" level=info msg="UDP hole punching enabled" time="2021-04-20T11:36:46-04:00" level=info msg="Nebula interface is active" build=dev+20210420134215 interface=nebula1 network=10.1.90.3/24 udpAddr="[::]:4242" time="2021-04-20T11:36:46-04:00" level=fatal msg="Activate failed: Failed to find the tap device in registry with specified ComponentId 'tap0901' and InterfaceName 'nebula1', TAP driver may be not installed or you may have specified an interface name that doesn't exist" PS S:\Nebula>

I also tried it on my known working version of Windows 10 where I was successful in using the windows TAP driver before with the 1.3.0 but was unsuccessful with it now. I am using the TAP/TUN driver found here : https://build.openvpn.net/downloads/releases/ , I am using tap-windows-9.24.2-I601-Win10.exe .

On linux (Ubuntu) it does establish a connection, so I am going to spin up a Ubuntu desktop and see if I can reach the host via its dns cert name.

[FDrebin]

Alrighty! Spun up a Ubuntu desktop, was able to get the nebula established to the lighthouse using the ca.crt. I am able to ping across the mesh, the one thing I can not do yet is work out the static map to point "nebula_IP" to ["dns_name"] , although, I believe the lgihthouse having the dns : true set should handle it.

[nettybun]

I'm not able to resolve DNS on Linux or Android. Are there any docs to how this works? Typing the domain name in my browser says the address cannot be found. I take it this doesn't happen automatically? @caguiclajmg when you say "query" how are you instructing your Android/Linux/iOS devices to do that...

The Nebula website says:

... You will not need to make changes to your lighthouse or any other hosts when adding hosts to your network, and existing hosts will be able to find new ones via the lighthouse, automatically.

In Android I only see the lighthouse node. I could add other nodes manually by typing in an IP/host but that doesn't scale... If I type in the IP manually to a browser I'll see in the Nebula logs that the tunnel is live - I see the name of the cert in the app and it is a FQDN. Promising. Still, my browser says "address not found".

[wildardoc]

To resolve DNS query's you will have to add a DNS server to the network. Then you will have to configure it in all of the nodes. Also since these addresses are being assigned and added to the DNS by a DHCP server you will need to add each node to the DNS server. It gets complicated quickly and not much easier then just typing in the address you want to go to or add to a host file.

…

On Sat, 2021-10-23 at 02:32 -0700, Hames wrote: I'm not able to resolve DNS on Linux or Android. Are there any docs to how this works? Typing the domain name in my browser says the address cannot be found. I take it this doesn't happen automatically? @caguiclajmg when you say "query" how are you instructing your Android/Linux/iOS devices to do that... The Nebula website says: > ... You will not need to make changes to your lighthouse or any > other hosts when adding hosts to your network, and existing hosts > will be able to find new ones via the lighthouse, automatically. In Android I only see the lighthouse node. I could add other nodes manually by typing in an IP/host but that doesn't scale... If I type in the IP manually to a browser I'll see in the Nebula logs that the tunnel is live - I see the name of the cert in the app and it is a FQDN. Promising. Still, my browser says "address not found". — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android.

[wildardoc]

Sorry I got confused with a different vpn mesh I started using at work when nebula wouldn't get through all the levels of firewalls. Do you have the serve_dns set to true in the lighthouse config file? # serve_dns optionally starts a dns listener that responds to various queries and can even be # delegated to for resolution serve_dns: true dns: # The DNS host defines the IP to bind the dns listener to. This also allows binding to the nebula node IP. host: LIGHTHOUSE_NEB_IP port: 53 # interval is the number of seconds between updates from this node to a lighthouse. # during updates, a node sends information about its current IP addresses to each node. Also you need to setup a resolver. I have a setup script that sets a resolver entry. #!/bin/bash IFS=' ' read -r -a array <<< $(ip route show default) default_device=${array[4]} resolvectl domain $default_device lan ~. sleep 30 resolvectl domain MESH_DEVICE MESH_NAME resolvectl dns MESH_DEVICE LIGHTHOUSE_NEB_IP

…

On Sat, 2021-10-23 at 08:33 -0500, ***@***.*** wrote: To resolve DNS query's you will have to add a DNS server to the network.  Then you will have to configure it in all of the nodes.  Also since these addresses are being assigned and added to the DNS by a DHCP server you will need to add each node to the DNS server. It gets complicated quickly and not much easier then just typing in the address you want to go to or add to a host file. On Sat, 2021-10-23 at 02:32 -0700, Hames wrote: > I'm not able to resolve DNS on Linux or Android. Are there any docs > to how this works? Typing the domain name in my browser says the > address cannot be found. I take it this doesn't happen automatically? > @caguiclajmg when you say "query" how are you instructing your > Android/Linux/iOS devices to do that... > The Nebula website says: > > ... You will not need to make changes to your lighthouse or any > > other hosts when adding hosts to your network, and existing hosts > > will be able to find new ones via the lighthouse, automatically. > In Android I only see the lighthouse node. I could add other nodes > manually by typing in an IP/host but that doesn't scale... If I type > in the IP manually to a browser I'll see in the Nebula logs that the > tunnel is live - I see the name of the cert in the app and it is a > FQDN. Promising. Still, my browser says "address not found". > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub, or unsubscribe. > Triage notifications on the go with GitHub Mobile for iOS or Android.

[wildardoc]

That will work with linux. Specifically I'm using 20.04 and 21.04 in my network. I'm not certain about the resolver for android.

…

On Sat, 2021-10-23 at 08:41 -0500, ***@***.*** wrote: Sorry I got confused with a different vpn mesh I started using at work when nebula wouldn't get through all the levels of firewalls. Do you have the serve_dns set to true in the lighthouse config file?   # serve_dns optionally starts a dns listener that responds to various queries and can even be   # delegated to for resolution   serve_dns: true   dns:     # The DNS host defines the IP to bind the dns listener to. This also allows binding to the nebula node IP.     host: LIGHTHOUSE_NEB_IP     port: 53   # interval is the number of seconds between updates from this node to a lighthouse.   # during updates, a node sends information about its current IP addresses to each node. Also you need to setup a resolver.  I have a setup script that sets a resolver entry. #!/bin/bash IFS=' ' read -r -a array <<< $(ip route show default) default_device=${array[4]} resolvectl domain $default_device lan ~. sleep 30 resolvectl domain MESH_DEVICE MESH_NAME resolvectl dns MESH_DEVICE LIGHTHOUSE_NEB_IP On Sat, 2021-10-23 at 08:33 -0500, ***@***.*** wrote: > To resolve DNS query's you will have to add a DNS server to the > network.  Then you will have to configure it in all of the nodes.  > Also > since these addresses are being assigned and added to the DNS by a > DHCP > server you will need to add each node to the DNS server. > > It gets complicated quickly and not much easier then just typing in > the > address you want to go to or add to a host file. > > On Sat, 2021-10-23 at 02:32 -0700, Hames wrote: > > I'm not able to resolve DNS on Linux or Android. Are there any > > docs > > to how this works? Typing the domain name in my browser says the > > address cannot be found. I take it this doesn't happen > > automatically? > > @caguiclajmg when you say "query" how are you instructing your > > Android/Linux/iOS devices to do that... > > The Nebula website says: > > > ... You will not need to make changes to your lighthouse or any > > > other hosts when adding hosts to your network, and existing > > > hosts > > > will be able to find new ones via the lighthouse, > > > automatically. > > In Android I only see the lighthouse node. I could add other > > nodes > > manually by typing in an IP/host but that doesn't scale... If I > > type > > in the IP manually to a browser I'll see in the Nebula logs that > > the > > tunnel is live - I see the name of the cert in the app and it is > > a > > FQDN. Promising. Still, my browser says "address not found". > > — > > You are receiving this because you are subscribed to this thread. > > Reply to this email directly, view it on GitHub, or unsubscribe. > > Triage notifications on the go with GitHub Mobile for iOS or > > Android. > >

[caguiclajmg]

@heyheyhello

I'm not able to resolve DNS on Linux or Android. Are there any docs to how this works? Typing the domain name in my browser says the address cannot be found. I take it this doesn't happen automatically? @caguiclajmg when you say "query" how are you instructing your Android/Linux/iOS devices to do that...

The serve_dns option spins up a DNS server on the lighthouse, you just need to point your device to that. I believe stock Android > 9 has the Private DNS option wherein you can set your own recursive nameservers so do that there.

Plethora of ways to do it on Linux depending on your setup (e.g. plain /etc/resolv.conf, dnsmasq/systemd-resolved), simplest way would be adding nameserver MY.LIGHTHOUSE.IP.XXX to /etc/resolv.conf.

The Nebula website says:

... You will not need to make changes to your lighthouse or any other hosts when adding hosts to your network, and existing hosts will be able to find new ones via the lighthouse, automatically.

In Android I only see the lighthouse node. I could add other nodes manually by typing in an IP/host but that doesn't scale... If I type in the IP manually to a browser I'll see in the Nebula logs that the tunnel is live - I see the name of the cert in the app and it is a FQDN. Promising. Still, my browser says "address not found".

Been a while since I used nebula but I do remember one of the maintainers saying that nebula will reply to a DNS query of an FQDN (based on the certifiate) if it knows about it, meaning the lighthouse and that node you're looking up must have talked and exchanged certificates.

[nettybun]

Thank you both for your replies. I had the DNS server running. I guess I was hopeful that a lighthouse would advertise it to connecting clients so the Nebula mobile apps would use it automatically... Unfortunately it seems there's no option to configure DNS for mobile (DefinedNet/mobile_nebula#9) despite it being a feature of other VPN apps and, as that link mentions, the OS-level options to set DNS are broken/non-existent.

@wildardoc You said you were using a different VPN mesh, do you recommend it? I've researched Nebula, Innernet, and Tailscale at this point but anything mobile-friendly is great...

@caguiclajmg Yeah I have no issue on Linux but a lot of my users are on mobile. The Android Private DNS option unfortunately only accepts a hostname not an IP 💢 which is literally the problem I'm trying to solve with Nebula 🙃 So I'd have to buy a domain. It also won't work for all my iOS users since the DNS server is set per-wifi network 💢💢. You said its been a while since you used Nebula, what did you switch to?

I have a feeling the only truly cross-platform approach is to buy a domain and set A records to all my Nebula IPs. Thanks again for the help!

[wildardoc]

An existing dns server would work as long and you manually add the dns entries. This is because the entries are static in a certificate not handed out by an associated dhcp server. We are using zero-tier for work. If I have a use for a personal VPN (I keep thinking of ideas) I'll probably use nebula. I still have a linode with the lighthouse configured even though I'm not connecting to it from anywhere anymore.

…

On Sun, Oct 24, 2021 at 10:55 PM Hames ***@***.***> wrote: Thank you both for your replies. I had the DNS server running. I guess I was hopeful that a lighthouse would advertise it to connecting clients so the Nebula mobile apps would use it automatically... Unfortunately it seems there's no option to configure DNS for mobile (DefinedNet/mobile_nebula#9 <DefinedNet/mobile_nebula#9>) despite it being a feature of other VPN apps and, as that link mentions, the OS-level options to set DNS are broken/non-existent. @wildardoc <https://github.com/wildardoc> You said you were using a different VPN mesh, do you recommend it? I've researched Nebula, Innernet, and Tailscale at this point but anything mobile-friendly is great... @caguiclajmg <https://github.com/caguiclajmg> Yeah I have no issue on Linux but a lot of my users are on mobile. The Android Private DNS option unfortunately only accepts a hostname not an IP 💢 which is literally the problem I'm trying to solve with Nebula 🙃 So I'd have to buy a domain. It also won't work for all my iOS users since the DNS server is set *per-wifi network* 💢💢. You said its been a while since you used Nebula, what did you switch to? I have a feeling the only truly cross-platform approach is to buy a domain and set A records to all my Nebula IPs. Thanks again for the help! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#434 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIK3CW4Q3MXCJ6F622ZDCJLUITIMVANCNFSM42KJZPKA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[wildardoc]

With zero-tier you would have to have a manually configured DNS server and add the entries. On Mon, Oct 25, 2021 at 10:05 AM Robert Schaefer ***@***.***> wrote:

…

An existing dns server would work as long and you manually add the dns entries. This is because the entries are static in a certificate not handed out by an associated dhcp server. We are using zero-tier for work. If I have a use for a personal VPN (I keep thinking of ideas) I'll probably use nebula. I still have a linode with the lighthouse configured even though I'm not connecting to it from anywhere anymore. On Sun, Oct 24, 2021 at 10:55 PM Hames ***@***.***> wrote: > Thank you both for your replies. I had the DNS server running. I guess I > was hopeful that a lighthouse would advertise it to connecting clients so > the Nebula mobile apps would use it automatically... Unfortunately it seems > there's no option to configure DNS for mobile (DefinedNet/mobile_nebula#9 > <DefinedNet/mobile_nebula#9>) despite it being > a feature of other VPN apps and, as that link mentions, the OS-level > options to set DNS are broken/non-existent. > > @wildardoc <https://github.com/wildardoc> You said you were using a > different VPN mesh, do you recommend it? I've researched Nebula, Innernet, > and Tailscale at this point but anything mobile-friendly is great... > > @caguiclajmg <https://github.com/caguiclajmg> Yeah I have no issue on > Linux but a lot of my users are on mobile. The Android Private DNS option > unfortunately only accepts a hostname not an IP 💢 which is literally > the problem I'm trying to solve with Nebula 🙃 So I'd have to buy a > domain. It also won't work for all my iOS users since the DNS server is set *per-wifi > network* 💢💢. You said its been a while since you used Nebula, what did > you switch to? > > I have a feeling the only truly cross-platform approach is to buy a > domain and set A records to all my Nebula IPs. Thanks again for the help! > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <#434 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AIK3CW4Q3MXCJ6F622ZDCJLUITIMVANCNFSM42KJZPKA> > . > Triage notifications on the go with GitHub Mobile for iOS > <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> > or Android > <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. > >