[GH-ISSUE #3] Feature Request: Add DNS Query Result in Rules #2

New issue

Closed

opened 2026-03-14 08:24:33 +03:00 by kerem · 7 comments

kerem commented 2026-03-14 08:24:33 +03:00

Owner

Copy link

Originally created by @ztheory on GitHub (Mar 5, 2022).
Original GitHub issue: https://github.com/andrewbadge/DNSRoaming/issues/3

Originally assigned to: @andrewbadge on GitHub.

Firstly, thank you for making this excellent application.

Use Case

An organization wants to use DHCP-delegated DNS servers when the device is on prem, but use the configured DNS servers (Quad9/Cloudflare/etc) when off-prem.

Using the LAN IP address/range or ping rules to determine if the device is on prem will not work in all cases, since the same IP address/range or pingable IP address may also exist on foreign networks. If the organization uses 192.168.0.0/24, and so does a foreign network, this would make DNSRoaming undesirably use the DHCP-delegated DNS servers if set in the rules.

In addition, the WAN IP address may be different in some cases, such as:

• Multiple offices
• Dynamic IP address (small business with residential-grade connection)
• Organization's VPN egress IP is different than on-prem.
• Load balancing outbound connections between multiple ISPs or IPs.

This means managing more rules.

Feature Request

In this situation, a DNS query sent to the DHCP-delegated DNS servers would be definitive. An organization could create an entry in the local forwarder, such as "amionprem.local".

• If NXDOMAIN, then DNSRoaming uses the configured DNS servers
• If NOERROR, then DNSRoaming uses the DHCP-delegated DNS servers

This implementation might require a prerequisite: upon service stop or system shutdown/sleep, reset DNS to use the DHCP-delegated DNS servers. On service start/wakeup, the DNS query could then be executed to determine if it's on prem or not when executing the ruleset and before changing to Quad9/Cloudflare/etc. This is likely required, because if the DHCP-delegated DNS servers are not restored upon Service stop or system shutdown/sleep, and if Quad9/Cloudflare/etc is already present, then the query would not be sent to the local DNS forwarder.

Hope this makes sense!

Originally created by @ztheory on GitHub (Mar 5, 2022). Original GitHub issue: https://github.com/andrewbadge/DNSRoaming/issues/3 Originally assigned to: @andrewbadge on GitHub. Firstly, thank you for making this excellent application. ### Use Case An organization wants to use DHCP-delegated DNS servers when the device is on prem, but use the configured DNS servers (Quad9/Cloudflare/etc) when off-prem. Using the LAN IP address/range or ping rules to determine if the device is on prem will not work in all cases, since the same IP address/range or pingable IP address may also exist on foreign networks. If the organization uses 192.168.0.0/24, and so does a foreign network, this would make DNSRoaming undesirably use the DHCP-delegated DNS servers if set in the rules. In addition, the WAN IP address may be different in some cases, such as: * Multiple offices * Dynamic IP address (small business with residential-grade connection) * Organization's VPN egress IP is different than on-prem. * Load balancing outbound connections between multiple ISPs or IPs. This means managing more rules. ### Feature Request In this situation, a DNS query sent to the DHCP-delegated DNS servers would be definitive. An organization could create an entry in the local forwarder, such as "amionprem.local". * If ```NXDOMAIN```, then DNSRoaming uses the configured DNS servers * If ```NOERROR```, then DNSRoaming uses the DHCP-delegated DNS servers This implementation might require a prerequisite: upon service stop or system shutdown/sleep, reset DNS to use the DHCP-delegated DNS servers. On service start/wakeup, the DNS query could then be executed to determine if it's on prem or not when executing the ruleset and before changing to Quad9/Cloudflare/etc. This is likely required, because if the DHCP-delegated DNS servers are not restored upon Service stop or system shutdown/sleep, and if Quad9/Cloudflare/etc is already present, then the query would not be sent to the local DNS forwarder. Hope this makes sense!

kerem 2026-03-14 08:24:33 +03:00

• closed this issue
• added the
  enhancement
  label

kerem commented 2026-03-14 08:24:49 +03:00

Author

Owner

Copy link

@andrewbadge commented on GitHub (Mar 6, 2022):

Hi ztheory,

Thanks for the feedback.

I've been using a Cloud Print service named "Printix" recently (which is awesome BTW) and they identify networks using the Gateway IP and Gateway MAC Address. Do you think this would be helpful method to simplify your network detection?

I'll also look at your "NXDOMAIN" method you've suggested. Validating a CNAME or A record could potentially work just as well? ie. it might save having to create a local zone for this one purpose.

RE: the service start/stop issue
Potentially a configurable delay might be necessary after the "network change" event occurs. Some PCs and Firewalls seem to take a while to return a DHCP answer.

Regards,
Andrew

<!-- gh-comment-id:1059909895 --> @andrewbadge commented on GitHub (Mar 6, 2022): Hi ztheory, Thanks for the feedback. I've been using a Cloud Print service named "Printix" recently (which is awesome BTW) and they identify networks using the Gateway IP and Gateway MAC Address. Do you think this would be helpful method to simplify your network detection? I'll also look at your "NXDOMAIN" method you've suggested. Validating a CNAME or A record could potentially work just as well? ie. it might save having to create a local zone for this one purpose. RE: the service start/stop issue Potentially a configurable delay might be necessary after the "network change" event occurs. Some PCs and Firewalls seem to take a while to return a DHCP answer. Regards, Andrew

kerem commented 2026-03-14 08:24:54 +03:00

Author

Owner

Copy link

@ztheory commented on GitHub (Mar 6, 2022):

I've been using a Cloud Print service named "Printix" recently (which is awesome BTW) and they identify networks using the Gateway IP and Gateway MAC Address. Do you think this would be helpful method to simplify your network detection?

That would be more accurate than specifying a local IP or range to trigger on-prem, but again the variance of multiple networks, differing VPN gateways, multiple offices, etc, creeps in. However, this might make the initial deployment more difficult and error-prone as compared to the DNS query method. If someone forgets one of the gateway IP/MAC pairs, then pushes out the application, suddenly no one can resolve local DNS until an update is pushed or requires manual intervention. If the gateway device is changed internally, then another update.

I'll also look at your "NXDOMAIN" method you've suggested. Validating a CNAME or A record could potentially work just as well? ie. it might save having to create a local zone for this one purpose.

I would imagine that being able to specify the FQDN in the application would be ideal, rather than having a hard-coded FQDN required by the application, so they don't have to create a specific zone or record for this solution, but rather, just use an existing FQDN that is specific to their local network. Yes, this is essentially resource record validation, NXDOMAIN or NOERROR are just the relevant response codes, which is probably simpler than implementing a request FQDN (some.fqdn.local), then actually checking for the response data (192.168.1.44). In this case, we only care if the record exists, as opposed to the value of the record response.

<!-- gh-comment-id:1059911917 --> @ztheory commented on GitHub (Mar 6, 2022): > I've been using a Cloud Print service named "Printix" recently (which is awesome BTW) and they identify networks using the Gateway IP and Gateway MAC Address. Do you think this would be helpful method to simplify your network detection? That would be more accurate than specifying a local IP or range to trigger on-prem, but again the variance of multiple networks, differing VPN gateways, multiple offices, etc, creeps in. However, this might make the initial deployment more difficult and error-prone as compared to the DNS query method. If someone forgets one of the gateway IP/MAC pairs, then pushes out the application, suddenly no one can resolve local DNS until an update is pushed or requires manual intervention. If the gateway device is changed internally, then another update. > I'll also look at your "NXDOMAIN" method you've suggested. Validating a CNAME or A record could potentially work just as well? ie. it might save having to create a local zone for this one purpose. I would imagine that being able to specify the FQDN in the application would be ideal, rather than having a hard-coded FQDN required by the application, so they don't have to create a specific zone or record for this solution, but rather, just use an existing FQDN that is specific to their local network. Yes, this is essentially resource record validation, ```NXDOMAIN``` or ```NOERROR``` are just the relevant response codes, which is probably simpler than implementing a request FQDN (some.fqdn.local), then actually checking for the response data (192.168.1.44). In this case, we only care if the record exists, as opposed to the value of the record response.

kerem commented 2026-03-14 08:25:00 +03:00

Author

Owner

Copy link

@andrewbadge commented on GitHub (Mar 6, 2022):

Thanks. Let me have a look.
I think as a result the rule form might need to be redesigned. Its going to get a little busy.

<!-- gh-comment-id:1060045771 --> @andrewbadge commented on GitHub (Mar 6, 2022): Thanks. Let me have a look. I think as a result the rule form might need to be redesigned. Its going to get a little busy.

kerem commented 2026-03-14 08:25:05 +03:00

Author

Owner

Copy link

@andrewbadge commented on GitHub (Mar 7, 2022):

Hi Zack,

I've been thinking about the NXDOMAIN validation. The only way this would work is if the interface is reset to DHCP after each change event then the validation is done. We'd need a pause to handle the response time of the DHCP which can vary; or some validation that the DNS values did reset.
Once the interface is back to DHCP, then we can safely perform validation. It seems a bit ugly. Have I got this wrong?

Example that won't work:

1. [Interface Event] -> Connect Home Wifi
2. Check for validation domain/cname (DNS Set to Home DHCP)
3. Validation returns NXDOMAIN -> Set DNS to Quad9
4. [Interface Event] -> Connect to Work Network
5. Check for validation domain/cname (DNS Set to static/Quad9)
6. Validation returns NXDOMAIN as DNS is still Quad9

How it could work:

1. [Interface Event] -> Connect Home Wifi
2. DNS Roaming Resets Interface to DHCP
3. Waits for DHCP to Settle (5 seconds?)
4. Check for validation domain/cname (DNS Set to Home DHCP)
5. Validation returns NXDOMAIN -> Set DNS to Quad9
6. [Interface Event] -> Connect to Work Network
7. DNS Roaming Resets Interface to DHCP
8. Waits for DHCP to Settle (5 seconds?)
9. Check for validation domain/cname
10. Validation returns NOERROR -> Set Work DNS

<!-- gh-comment-id:1060409815 --> @andrewbadge commented on GitHub (Mar 7, 2022): Hi Zack, I've been thinking about the NXDOMAIN validation. The only way this would work is if the interface is reset to DHCP after each change event then the validation is done. We'd need a pause to handle the response time of the DHCP which can vary; or some validation that the DNS values did reset. Once the interface is back to DHCP, then we can safely perform validation. It seems a bit ugly. Have I got this wrong? Example that won't work: 1. [Interface Event] -> Connect Home Wifi 2. Check for validation domain/cname (DNS Set to Home DHCP) 3. Validation returns NXDOMAIN -> Set DNS to Quad9 4. [Interface Event] -> Connect to Work Network 5. Check for validation domain/cname (DNS Set to static/Quad9) 6. Validation returns NXDOMAIN as DNS is still Quad9 How it could work: 1. [Interface Event] -> Connect Home Wifi 2. **DNS Roaming Resets Interface to DHCP** 3. **Waits for DHCP to Settle (5 seconds?)** 4. Check for validation domain/cname (DNS Set to Home DHCP) 5. Validation returns NXDOMAIN -> Set DNS to Quad9 6. [Interface Event] -> Connect to Work Network 7. **DNS Roaming Resets Interface to DHCP** 8. **Waits for DHCP to Settle (5 seconds?)** 9. Check for validation domain/cname 10. Validation returns NOERROR -> Set Work DNS

kerem commented 2026-03-14 08:25:10 +03:00

Author

Owner

Copy link

@andrewbadge commented on GitHub (Mar 12, 2022):

Hi Zack,

I think I've solved the question by specifying the DNS server to query in the rule. This avoid having to rely on the network or DHCP to reset then perform the query.

Can you have a look at the build and let me know if this is what you were expecting?

Service and Client:
https://github.com/andrewbadge/DNSRoaming/tree/main/Source/DNS%20Roaming%20Installer%20-%20Service%20and%20Client/bin/Release

Service Only:
https://github.com/andrewbadge/DNSRoaming/tree/main/Source/DNS%20Roaming%20Installer%20-%20Service%20only/bin/Release

NB: its not a release (to avoid people auto-updating to this version) until I've gotten more feedback.

<!-- gh-comment-id:1065844193 --> @andrewbadge commented on GitHub (Mar 12, 2022): Hi Zack, I think I've solved the question by specifying the DNS server to query in the rule. This avoid having to rely on the network or DHCP to reset then perform the query.  Can you have a look at the build and let me know if this is what you were expecting? Service and Client: https://github.com/andrewbadge/DNSRoaming/tree/main/Source/DNS%20Roaming%20Installer%20-%20Service%20and%20Client/bin/Release Service Only: https://github.com/andrewbadge/DNSRoaming/tree/main/Source/DNS%20Roaming%20Installer%20-%20Service%20only/bin/Release NB: its not a release (to avoid people auto-updating to this version) until I've gotten more feedback.

kerem commented 2026-03-14 08:25:15 +03:00

Author

Owner

Copy link

@andrewbadge commented on GitHub (Mar 20, 2022):

Hi Zack, Did you have any feedback on the new build? Did it do what you expected?
Thanks
Andrew

<!-- gh-comment-id:1073167093 --> @andrewbadge commented on GitHub (Mar 20, 2022): Hi Zack, Did you have any feedback on the new build? Did it do what you expected? Thanks Andrew

kerem commented 2026-03-14 08:25:20 +03:00

Author

Owner

Copy link

@andrewbadge commented on GitHub (Mar 26, 2022):

Hi Zack, I'm going to close this issue as I'm assuming the new build does what you need. Let me know if you have further suggestions or ideas. Thanks Andrew

<!-- gh-comment-id:1079610442 --> @andrewbadge commented on GitHub (Mar 26, 2022): Hi Zack, I'm going to close this issue as I'm assuming the new build does what you need. Let me know if you have further suggestions or ideas. Thanks Andrew

kerem referenced this issue 2026-03-14 08:25:27 +03:00

[PR #2] [MERGED] Update README.md #4

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

add-license-1

v1.4.0.2

v1.4.0.1

v1.3.0.5

v1.3.0.2

v1.3.0.1

v1.3.0.0

v1.2.0.1

v1.2.0.0

v1.1.0.5

v1.1.0.4

v1.1.0.3

v1.1.0.1

v1.1.0.2

v1.1.0.0

Latest

Beta18

Beta17

Beta16

Beta15

Beta14

Beta12

Beta11

Beta10

Beta9

Beta8

Beta6

Beta5

Beta4

Beta3

Beta2

Beta

Labels

Clear labels   

enhancement

  

pull-request

Mirrored from GitHub Pull Request

No labels

enhancement

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/DNSRoaming#2

No description provided.