New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
Interesting subject, I would also like to know more info about this, i asked before but ended up hiring someone. Still attempting to do it correctly myself would save me money for the next customer.
I forgot to notice that a DNS reverse proxy is not a HTTP reverse proxy. so please avoid from posting information about Nginx configurations, That's not what I am searching for.
What do you want to achieve?
DNS Load Balancing? then you might want to check out dnsdist.org.
NGINX can be used as a Layer 4 proxy for TCP and UDP traffic, and even has a specific article on how you can use
stream { }to reverse proxy DNS traffic.In a previous role, we used this to protect a relatively popular DNS service from a large scale DDOS by proxying the nameservers via some "mitigators" with a lot of connectivity. (Was only temporary)
Not the prettiest solution, and it's a bit lossy, but it works...
https://www.nginx.com/blog/load-balancing-dns-traffic-nginx-plus/
https://nginx.org/en/docs/stream/ngx_stream_core_module.html
I know you said you dont want Nginx but you can use Nginx to load balance things that aren't HTTP too.
DNS queries are usually UDP, so this might be useful:
https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#upstream
This article gives an example of using Nginx UDP reverse proxying for load balancing DNS - https://www.nginx.com/blog/tcp-load-balancing-udp-load-balancing-nginx-tips-tricks/#udpLB
Edit: looks like @leyton beat me to it by a few seconds
Knot also has a DNS proxy module.
I did something similar with sniproxy and bind.
https://halesec.com/2017/01/02/building-your-own-dns-proxy-part-1.html
You can try dnsdist which is designed for DNS purposes
I will make it more clear, I am trying to mask a website IP address using my DNS server, which is also called DNS Reverse proxy (If I am right).
Is there any way to accomplish this? I know I can do that by HTTP reverse proxy but this is not what I am searching for.
Thank you everyone! I am so grateful for your time and advice.
This looks interesting from the comments i found this:
https://www.knot-dns.cz/docs/2.4/html/installation.html
Nope. You cant just deliver a "false" ip over DNS to mask the "real" ip. The IP has to be the "real" one or your website wont be available at all.
What you could do is a cloudflare -ish setup where you deliver a "real" reachable ip and on this very ip (server) you have a reverse proxy (can be on the dns server), nginx, to mask the original server ip.
Btw your example is not very good - an ip(v4) has only 4 "blocks" separated by a dot...
Yes I know about the IPv4 haha, I took the photo from Cloudflare and modified it.
You can see it from here: https://www.cloudflare.com/learning/dns/glossary/reverse-dns/
Also, I found this from Cloudflare open source: https://github.com/StalkR/dns-reverse-proxy
Just write it yourself, it's 100 lines of code in Golang. Or looks like someone already did it for you: https://github.com/StalkR/dns-reverse-proxy
Edit: no that seems to do something else. let me search some more...
Edit2: actually yeah like datanoise said all you need is DNS server that always returns the same IP.
This looks like what you'd setup to "hide" your site behind an HTTP(s) reverse proxy: DNS server IP stays the same, but the ip of the "A RECORD" it gives is the one of the (http/s) reverse proxy.
DNS reverse proxy would be you query a specific server (DNS level) and it queries your "hidden" DNS server and gives back the request to the client. (A slave with an hidden master would be more efficient.)
@datanoise although the HTTP proxy part would need to be a transparent proxy that reads the domain name off of the request line. Which means it won't work for HTTPS connections (unlike a normal HTTP proxy where browser sends CONNECT line). But yeah no way around that.
Edit: or maybe just need SNI proxy for the HTTPS connections.
Yes, this is the only easy way I could find using VestaCP panel or CentOS Web Panel since you can modifiy your DNS and Nginx templates.
And for automatic configuration you need modify the source code of those panels.
You can see my post here:
https://forum.vestacp.com/viewtopic.php?f=18&t=18853
Anyways, It's really cool project to work on
I don't get it, you seem to be asking for something completely different in that link. For what you asked in that link, you don't need any DNS server, you just need to add a proxy_pass line to nginx template, like you said.
Maybe you should clarify what the goal is instead of specifically how you want to achieve it.
Sorry for the confusion, I am asking if it's possible to do the same thing with DNS server and Nginx proxy_pass by DNS reverse proxy only and how, or it must be include HTTP reverse proxy.
From Cloudflare open source page, they give this for example: https://github.com/StalkR/dns-reverse-proxy without any use of http reverse.
You can find more open source examples here: https://cloudflare.github.io/
for the dns reverse proxy:
if you want to also mask/change your web server's IP address, then you need kind of nginx proxy_pass on the 'fake' server. in this case you can just make your real dns server response the IP address of your 'front facing' server
What about simple port 53 forwarding? You can use something like rinetd.
Really interesting. I am going to check this out. thanks!
DNS reverse proxy would only make sense if you wanted to hide your DNS server, which isn't really useful for any use case compared to having a DNS provider that acts as slaves to and pulls AXFRs from another DNS server you edit records on.
What it sounds like you really want, like others have noted, is some kind of reverse-proxy for the services DNS would be pointing to