IP address renumbering Lua script for PowerDNS Recursor.
Unbound-Views and the Knot-Resolver renumber module.
Problem: Redirection and Reflection
Quoting from the OpenBSD pf FAQ:
Often, redirection rules are used to forward incoming connections from the Internet to a local server with a private address in the internal network or LAN, as in:

server = 192.168.1.40
pass in on $ext_if proto tcp from any to $ext_if port 80 rdr-to $server port 80

But when the redirection rule is tested from a client on the LAN, it doesn't work.
Solution: Split-Horizon DNS
Quoting again from the OpenBSD pf FAQ:
It's possible to configure DNS servers to answer queries from local hosts differently than external queries so that local clients will receive the internal server's address during name resolution. They will then connect directly to the local server, and the firewall isn't involved at all. This reduces local traffic since packets don't have to be sent through the firewall.
PowerDNS-renumber implements the Split-Horizon DNS solution with a Lua script for the excellent PowerDNS Recursor.
PowerDNS-renumber Split-Horizon is configured inside the renumber.lua script itself:
-- key: the replacement 3-octet prefix returned to LAN clients
-- value: the internal network whose resolved addresses are rewritten onto that prefix
local nets = {}
nets['10.16.169'] = newNetmask('172.16.169.0/25')
nets['10.168.42'] = newNetmask('192.168.42.128/25')
With the above example config, if a lookup resolves to 172.16.169.69 then 10.16.169.69 will be returned. Or if a lookup resolves to 192.168.42.222 then 10.168.42.222 will be returned.
Renumbering multiple subnets as in the above example can be used to force LAN to LAN traffic via a VPN tunnel connecting those LANs.
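As an added worked example (not the project's renumber.lua, and not using the PowerDNS Lua API), the following Python models the rewrite rule that the nets table expresses: an A record whose address falls inside a configured netmask gets its first three octets replaced by the dict key and keeps its last octet; addresses outside the /25 and non-A records pass through unchanged.

```python
import ipaddress

# Constructed to mirror the nets table from renumber.lua above:
# key   = replacement 3-octet prefix handed to LAN clients
# value = internal network whose resolved addresses are rewritten
NETS = {
    "10.16.169": ipaddress.ip_network("172.16.169.0/25"),
    "10.168.42": ipaddress.ip_network("192.168.42.128/25"),
}


def renumber(addr: str, nets=NETS) -> str:
    """Return the renumbered IPv4 address, or addr unchanged if no net matches.

    Only the first matching netmask applies, so overlapping entries in nets
    should be avoided; the last octet is kept and the prefix swapped.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr          # not an address at all: leave the content alone
    if ip.version != 4:
        return addr          # the rule is defined for IPv4 prefixes only
    for prefix, net in nets.items():
        if ip in net:
            last_octet = addr.rsplit(".", 1)[1]
            return f"{prefix}.{last_octet}"
    return addr


def renumber_answers(records):
    """records: list of (rrtype, content) tuples as a resolver would return.

    Only A records are candidates for rewriting; AAAA, CNAME, etc. pass through,
    which is the behaviour a split-horizon rewrite hook must preserve.
    """
    return [(rrtype, renumber(content) if rrtype == "A" else content)
            for rrtype, content in records]


if __name__ == "__main__":
    # Constructed sample answer set: one address inside each /25, one just
    # outside the first /25, and an AAAA record that must be untouched.
    sample = [("A", "172.16.169.69"), ("A", "192.168.42.222"),
              ("A", "172.16.169.200"), ("AAAA", "2001:db8::1")]
    for rrtype, content in renumber_answers(sample):
        print(rrtype, content)
```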
- Install PowerDNS Recursor.
- Install renumber.lua in PowerDNS Recursor's configuration folder.
- Edit the recursor.conf lua-dns-script setting to point to renumber.lua, e.g. lua-dns-script=/etc/pdns/renumber.lua
- Edit renumber.lua with the destination subnet prefix as the nets dict key, nets['pr.ef.ix'], with an apropos newNetmask() CIDR assigned reflecting your network config.
- Configure pf (or the firewall of your choice) to port-forward the redirects.
- Restart PowerDNS Recursor.
- Profit!!!
See the UNLICENSE.