ASUS router providing dns resolution on LAN?


ags

Regular Contributor
I am having a problem with resolving my domain name when on my LAN. This is a problem when a server on my LAN forwards to another service on that same LAN, using the domain name. It's also an issue when accessing a service using https - if the LAN IP address is used, the cert (domain name) is not valid (doesn't match the LAN IP address). At least that's how I understand it to work.

So, is there any way to configure an ASUS router to serve as a local DNS server, to resolve my domain name? I also am behind a routed interface to my ISP (a 1:1 NAT from public IP address to my router (a virtual DMZ device) IP address) and I'm told this is an issue.
 

ColinTaylor

Part of the Furniture
Please give specific examples that demonstrate the problem. Include the domain name configured on the router, the FQDN you are trying to resolve and the output of nslookup.
 

ags

Regular Contributor
Router: ASUS RT-AC88U
Firmware: ASUS stock version 3.0.0.4.385_20631
Settings:
WAN/Internet Connection:
-WAN Connection Type: Static IP
-Enable WAN: Yes
-Enable NAT: Yes
-Enable UPnP: Yes
-IP Address: 192.168.1.254 (all traffic routed by my ISP to my router at this port)
-Subnet Mask: 255.255.255.0
-Default Gateway: 192.158.1.1
-DNS Server1: 192.168.1.1
-DNS Server2: 8.8.8.8
-Authentication: None
-Host Name: (empty, default)
...
LAN/LAN IP:
-Host Name: RT-AC88U-xxxx (default)
-RT-AC88U's Domain Name: (empty, default)
-IP Address: 192.168.2.1
-Subnet Mask: 255.255.255.0
LAN/DHCP Server:
-Enable the DHCP Server: Yes
-RT-AC88U's Domain Name: (empty, default)
-IP Pool, etc all in 192.168.2 network
-Default Gateway: (empty, default)
-DNS Server: (empty, default)
-WINS Server: (empty, default)
-Enable Manual Assignment: Yes
...list of assigned IP addresses in 192.168.2 network

I have a registered domain name I will call XXX.org, with alias www.XXX.org, on a public IP address. I can see this address using whatismyipaddress.com. I have port forwarding setup so that specific ports are forwarded to devices on my LAN. I keep a valid certificate for devices with a port exposed to the WAN to allow secure connections, using the XXX.org domain name.

Using nslookup on a machine on my LAN with default server (192.168.2.1) I can resolve XXX.org (and www.XXX.org) to the correct public IP address. I can resolve similarly with server 192.168.1.1 and 8.8.8.8.

When outside my LAN (on the internet) I can access https://XXX.org:portYYY.

When on my LAN, I cannot access https://XXX.org:forwardedPortYYY [Error: XXX.org refused to connect]
When on my LAN, I cannot access https://myPublicIPAddress:forwardedPortYYY [Error: myPublicIPAddress refused to connect]
When on my LAN, I can access https://192.168.2.ZZZ:realPortYYY [but I get a warning that the connection is not secure, I presume due the domain name on my cert not matching the private LAN IP address]

I was told, when speaking with my (small, responsive) ISP that not being able to use my domain name for access when on my LAN is due to a "hairpin route", and there are workarounds but they are not simple. I thought that this might be avoided by setting up a DNS server on my LAN (the ASUS router) but this is just a guess.

I did try setting the Domain Name field(s) in the router configuration to my domain name (XXX.org), thinking that might help - but it did not. From further review of the tooltips offered when hovering over the Domain Name fields in ASUS configuration, I then concluded (perhaps incorrectly) that this field is only used for DHCP, transmitted as part of the response packet to the client, and is not used by the router itself for any routing.

I hope this helps. I'm open to other ideas on how to resolve the actual problem (can't access local, secure resources without warnings). I'm not committed to pursuing this domain name solution if there are others.
 

ColinTaylor

Part of the Furniture
To make this work without certificate warnings you would have to implement NAT hairpinning on the ISP equipment (that owns the public IP address). Or maybe you could create another certificate associated with the server's local IP address.

Using a custom firmware you could create a hosts file entry on the router that aliased your external DDNS name to your router's WAN address. You then ought to be able to access the server locally but you'd still get the certificate warning.


P.S. It sounds like you resolved your other thread here? If so please mark that as solved with an explanation. Thanks.
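Added illustration, not something any poster in this thread wrote: the "hosts entry on the router" idea above, expressed as dnsmasq directives, since the ASUS firmware's LAN resolver (the 192.168.2.1 server that nslookup reports) is dnsmasq. The file location /jffs/configs/dnsmasq.conf.add is the custom-config hook used by Asuswrt-Merlin and is an assumption about which custom firmware is in use; XXX.org and 192.168.2.ZZZ are the thread's own placeholders. This variant points the name at the server's LAN address rather than the router's WAN address, so a LAN client connects to https://XXX.org:realPortYYY directly, the name in the URL matches the name on the certificate, and no hairpin through the ISP is needed. It only works while LAN clients actually use the router as their resolver (the DHCP "DNS Server" field left empty does that) and while they use the port the server really listens on, not the forwarded WAN port.

```conf
# Added example (not from the thread): split-horizon answers from the router's dnsmasq.
# Assumed file: /jffs/configs/dnsmasq.conf.add (Asuswrt-Merlin custom config hook).
# Placeholders: XXX.org = the registered domain, 192.168.2.ZZZ = the LAN server.

# Answer XXX.org AND every name under it (www.XXX.org, ...) with the LAN address.
# dnsmasq's address= form matches the whole subtree, so one line covers the alias.
address=/XXX.org/192.168.2.ZZZ

# If other hosts under XXX.org must keep resolving to their public addresses,
# use host-record= instead, which matches only the exact names listed:
# host-record=XXX.org,192.168.2.ZZZ
# host-record=www.XXX.org,192.168.2.ZZZ

# Clients that hard-code 8.8.8.8 or 192.168.1.1 as their resolver bypass this file
# entirely and keep getting the public address, which is the original symptom.
```

After editing the file, restart dnsmasq (on Asuswrt-Merlin, service restart_dnsmasq) and confirm with nslookup XXX.org 192.168.2.1 that the LAN address is returned; nslookup XXX.org 8.8.8.8 should still return the public one.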
 

ags

Regular Contributor
I could ask the ISP to do the NAT hairpinning but I got the impression they know about the issue and are not interested in doing the work.
I didn't know that ASUS routers could support multiple certs (one for public/WAN, one for local/LAN). Is that possible?
 

ColinTaylor

Part of the Furniture
I didn't know that ASUS routers could support multiple certs (one for public/WAN, one for local/LAN). Is that possible?
I was speculating about the certificate on your web server not the router. I don't know whether that's possible, I'm not a web server guy.
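Added example, not code from anyone in this thread: the certificate warning in the earlier post happens because browsers match the host part of the URL against the certificate's subjectAltName entries only (a DNS name against dNSName entries, a literal IP against iPAddress entries; the CN is ignored). The snippet below implements that matching rule and runs it over a constructed copy of the public XXX.org certificate and a hypothetical second certificate that also carries the server's LAN address, which is what "another certificate associated with the server's local IP address" would need. The address 192.168.2.50 is a constructed stand-in for 192.168.2.ZZZ.

```python
"""Hostname-vs-certificate matching as browsers do it (RFC 6125 rules).
Added example; the SAN lists below are constructed, not real certificates."""
import ipaddress


def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """Case-insensitive DNS name match; a leading '*.' covers exactly one label
    and never the bare parent name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        parent = pattern[2:]
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == parent
    return pattern == host


def name_matches_cert(san_entries, target):
    """san_entries: list of ("DNS", name) or ("IP", address) tuples as found in
    the certificate's subjectAltName extension.
    target: the host part of the URL the client typed (name or literal IP)."""
    if _is_ip(target):
        want = ipaddress.ip_address(target)
        return any(kind == "IP" and ipaddress.ip_address(val) == want
                   for kind, val in san_entries)
    return any(kind == "DNS" and _dns_match(val, target)
               for kind, val in san_entries)


# Constructed SANs for the poster's public certificate (thread placeholders).
PUBLIC_CERT_SAN = [("DNS", "XXX.org"), ("DNS", "www.XXX.org")]
# Hypothetical certificate that additionally names the server's LAN address.
LAN_AWARE_CERT_SAN = PUBLIC_CERT_SAN + [("IP", "192.168.2.50")]


def check_access_paths(san_entries):
    """Map each way the thread tries to reach the server to whether the
    certificate would validate for that URL host."""
    return {host: name_matches_cert(san_entries, host)
            for host in ("XXX.org", "www.XXX.org", "192.168.2.50")}


if __name__ == "__main__":
    for label, san in (("public cert", PUBLIC_CERT_SAN),
                       ("cert with IP SAN", LAN_AWARE_CERT_SAN)):
        print(label, check_access_paths(san))
```

Running it shows the public certificate validating for XXX.org and www.XXX.org but not for 192.168.2.50, which is exactly the "connection is not secure" case, while the certificate with the extra iPAddress entry validates for all three. The practical catch with the second route is that public CAs do not issue certificates for private (RFC 1918) addresses, so such a certificate has to come from a private CA that every LAN client trusts; resolving the public name to the LAN address on the router avoids that requirement.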
 
