This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

Does not match SRV requests with wildcard rules #32

Open
cormacrelf opened this issue Dec 3, 2017 · 0 comments

Use case: sending only Active Directory requests through a VPN tunnel. Active Directory uses SRV records to direct clients to the kerberos and LDAP services (which aren't necessarily all on the same machine). Rules.cfg:

[
  {
    "Pattern": "^(.*)\\.ad\\.contoso\\.com$",
    "NameServer": "10.0.123.10"
  }
]

The pattern match seems to be run only on A or AAAA requests. The following illustrates the problem:

# from WSL because dig >> nslookup

dig A some-computer.ad.contoso.com @127.0.0.1
# returns A record resolved from 10.0.123.10 [good]

dig SRV _ldap._tcp.ad.contoso.com @10.0.123.10
# 10.0.123.10 returns correct SRV records [as expected]

dig SRV _ldap._tcp.ad.contoso.com @127.0.0.1
# resolves using DefaultNameServer, no answer. [should have matched pattern]

There is a very bad workaround, which is to set DefaultNameServer to the nameserver which should resolve the SRV requests and have a "*" rule before the pattern above sending most requests to the real default one... except then every non-contoso.com SRV request would fail when the VPN is disconnected.
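To make the reported behaviour concrete, here is an added example (not code from the forwarder this issue is about, nor from the issue author) that models the rule table as a JSON list of `{"Pattern", "NameServer"}` entries in the shape of the Rules.cfg above, with a first-match-wins lookup. It places the reported behaviour (rules consulted only for A/AAAA queries) beside a corrected selector that matches on the query name alone, so SRV, TXT or any other type for the same zone is forwarded to the same server. The treatment of a bare `"*"` as a catch-all rule, the placeholder `DEFAULT_NAME_SERVER` value and the extra query names are assumptions made for this example; the name canonicalisation (strip trailing dot, case-fold) is standard DNS practice added here.

```python
import json
import re

# Constructed to mirror the Rules.cfg in the issue. Assumed format: a JSON list
# of {"Pattern": <regex>, "NameServer": <ip>} entries, evaluated in order.
RULES_CFG = r"""
[
  {"Pattern": "^(.*)\\.ad\\.contoso\\.com$", "NameServer": "10.0.123.10"}
]
"""

# Placeholder standing in for the DefaultNameServer setting (TEST-NET-1 address).
DEFAULT_NAME_SERVER = "192.0.2.53"


def load_rules(cfg_text):
    """Parse the rule list and pre-compile each pattern."""
    compiled = []
    for rule in json.loads(cfg_text):
        pattern = rule["Pattern"]
        # Assumption: a bare "*" is the catch-all rule the issue mentions;
        # anything else is treated as a regular expression.
        regex = None if pattern == "*" else re.compile(pattern, re.IGNORECASE)
        compiled.append((regex, rule["NameServer"]))
    return compiled


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing dot; canonicalise first."""
    return qname.rstrip(".").lower()


def _first_match(rules, qname, default):
    name = normalize(qname)
    for regex, nameserver in rules:
        if regex is None or regex.search(name):
            return nameserver
    return default


def select_nameserver_buggy(rules, qname, qtype, default=DEFAULT_NAME_SERVER):
    """Reproduces the reported behaviour: rules are only consulted for A/AAAA queries."""
    if qtype not in ("A", "AAAA"):
        return default
    return _first_match(rules, qname, default)


def select_nameserver_fixed(rules, qname, qtype, default=DEFAULT_NAME_SERVER):
    """Corrected selector: the record type has no bearing on which server owns the zone."""
    return _first_match(rules, qname, default)


def route_queries(selector, rules, queries):
    """Map each (qname, qtype) pair to the server the selector would forward it to."""
    return {(qname, qtype): selector(rules, qname, qtype) for qname, qtype in queries}


# Constructed query set: the two dig invocations from the issue plus two more names.
QUERIES = [
    ("some-computer.ad.contoso.com", "A"),
    ("_ldap._tcp.ad.contoso.com", "SRV"),
    ("_kerberos._udp.ad.contoso.com", "SRV"),
    ("_ldap._tcp.example.net", "SRV"),
]

if __name__ == "__main__":
    rules = load_rules(RULES_CFG)
    for label, selector in (("buggy", select_nameserver_buggy), ("fixed", select_nameserver_fixed)):
        print(label)
        for (qname, qtype), ns in route_queries(selector, rules, QUERIES).items():
            print(f"  {qtype:4} {qname:32} -> {ns}")
```

Running it prints the SRV lookups for `ad.contoso.com` going to the default server under the buggy selector and to `10.0.123.10` under the fixed one, while the unrelated `example.net` SRV query stays on the default server in both cases, which is exactly the split the workaround in the issue cannot achieve once the VPN is down.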
