We plan to use DNS redirects for our home office domain "homeoffice.com" to our internal DNS servers but it does not work probably due to a misconfiguration in the router which I'm unable to locate.
Problem is no DNS requests for "homeoffice.com" are forwarded from the router to the servers. Another very odd thing is that "# nslookup xxx 192.168.100.1" doesn't work from within the router itself. I've also checked with a packet sniffer and don't see any packets at all which made me suspect there is a missconfiguration somewhere that is causing all this. However, the biggest mystery is why not even the basic tool "nslookup" isn't working!
Any ideas?
Equipment:
ASUS RT-AC66U with v380.70.
DHCP: disabled
Filters: disabled
No VPN servers activated:
Nslookup reports can't resolve 'WS1' even though no requests were sent to the server (confirmed with wireshark)
We plan to use DNS redirects for our home office domain "homeoffice.com" to our internal DNS servers but it does not work probably due to a misconfiguration in the router which I'm unable to locate.
Problem is no DNS requests for "homeoffice.com" are forwarded from the router to the servers. Another very odd thing is that "# nslookup xxx 192.168.100.1" doesn't work from within the router itself. I've also checked with a packet sniffer and don't see any packets at all which made me suspect there is a missconfiguration somewhere that is causing all this. However, the biggest mystery is why not even the basic tool "nslookup" isn't working!
Any ideas?
Equipment:
ASUS RT-AC66U with v380.70.
DHCP: disabled
Filters: disabled
No VPN servers activated:
Nslookup reports can't resolve 'WS1' even though no requests were sent to the server (confirmed with wireshark)
Also if you're using a cable modem, don't use 192.168.100.x on your LAN or you'll never be able access the CM's status/config page.
Why not just hand out your DNS server's IP via DHCP directly to clients, why have them hit the router at all? The router is designed to either respond with local entries or forward the request upstream, my guess is it may not have the proper firewall rules or other configs to redirect it back to the LAN.
Why not just hand out your DNS server's IP via DHCP directly to clients, why have them hit the router at all? The router is designed to either respond with local entries or forward the request upstream, my guess is it may not have the proper firewall rules or other configs to redirect it back to the LAN.
The reason is that we previously had problems performing maintenance on the AD servers currently running dhcp/dns. We want to move these services to the router while still being able to maintain dns requests for the internal domain.
this tells dnsmasq that a domain is local and it may answer queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers.
I figured out that the domain name setting on the dhcp page that forwards the domain name to the clients also sets dnsmasq "local=/domain name/". Now it makes sense why you need to use dnsmasq.postconf to remove that line.
I tested to remove the domain name from the dhcp page and used dnsmasq in debug mode which clearly showed that also nslookup is affected by the configuration which was kind of a surprise to me. This sets local=/localhost/
This is what I used to get a trace of all dns queries to stderr:
# service stop_dnsmasq
# dnsmasq --no-daemon --log-facility=- --log-queries
Mar 23 14:19:01 dnsmasq[18010]: started, version 2.78 cachesize 1500
Mar 23 14:19:01 dnsmasq[18010]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-auth DNSSEC loop-detect no-inotify
Mar 23 14:19:01 dnsmasq[18010]: read /etc/hosts - 3 addresses
Mar 23 14:19:01 dnsmasq[18010]: read /etc/hosts.dnsmasq - 0 addresses
Mar 23 14:19:01 dnsmasq[18010]: using local addresses only for domain localhost
Mar 23 14:19:01 dnsmasq[18010]: using nameserver 192.168.100.2#53 for domain homeoffice.com
Mar 23 14:19:01 dnsmasq[18010]: using nameserver 192.168.100.1#53 for domain homeoffice.com
Mar 23 14:19:01 dnsmasq[18010]: using nameserver 1.1.1.1#53
Mar 23 14:19:01 dnsmasq[18010]: using nameserver 1.0.0.1#53
Mar 23 14:19:04 dnsmasq[18010]: forwarded signaler-pa.clients6.google.com to 83.255.255.2
Mar 23 14:19:04 dnsmasq[18010]: forwarded signaler-pa.clients6.google.com to 83.255.255.1
Mar 23 14:19:05 dnsmasq[18010]: query[A] dns.msftncsi.com from 127.0.0.1
Mar 23 14:19:05 dnsmasq[18010]: forwarded dns.msftncsi.com to 83.255.255.2
Mar 23 13:19:05 dnsmasq[18010]: reply dns.msftncsi.com is 131.107.255.255
. . .
Why Is that? We are connected using fiber on the wan port and have always used 192.168.100 as our internal network without problems for several years.
The reason is that we previously had problems performing maintenance on the AD servers currently running dhcp/dns. We want to move these services to the router while still being able to maintain dns requests for the internal domain.
If you're using fiber it isn't an issue right now but if you ever used a cable modem, they have 192.168.100.1 hardcoded in them to access their admin page, by using it on your LAN you'd never be able to reach that. So that's one of those subnets you want to avoid ideally.
I avoid 192 all together, too many things use it for their default. 10.0 or even 172. are much less frequently used and less likely to have a conflict. But if you don't have cable it shouldn't be an issue.
I used to run a DC with DNS running on it without issue, if you're going to use it for AD anyway its going to be running a DNS server. I used to have my DHCP hand out my AD/DNS server as primary and the router as backup. Keep in mind if your clients are pointing to the router they won't be able to dynamically update the AD DNS, but may not be a big deal.
If you set your router to use a sub-domain you should be fine.
For example yourdomain.com runs on your LAN and your router is ext.yourdomain.com or whatever. Of course if your router is doing DHCP, then you need to run a script to tell it to assign yourdomain.com to clients and not ext.
So yeah either way you'll probably need to do the dnsmasq.postconf to modify its default behavior if you want it to work this way. But like I said personally I think the better option is having your AD be your DNS and just have it hand out your router IP as a backup (assuming your AD is doing DHCP which it should be, so that it can update DNS).
Brief feedback after getting a working configuration up and running.
To start with, there was unfortunately no support for "dnsmasq.postconf" in the current firmware release and I couln't bear to install an extra USB drive to accommodate Entware.
Anyhow, after running a bunch of trial-and-error tests and spending a lot of time digging around in the source code, I finally found the reason why me prevlouly attempt didn't work.
It looks like a pretty important piece of info is missing from the dnsmasq documentation, which should state when a statement like "local=/domain/" appears in the config file, all subsequent "server=/domain/" statements are ignored.
This will happen if you specify "Domain Name" (NVRAM "lan_domain") during DHCP config, which causes "local=/domain/" to appear in top of "/tmp/etc/dnsmasq.conf" before all the lines from "/jffs/configs/ dnsmasq.conf.add" have been added thus all subsequent "server=/domain/" statments becomes useless.
One way to get around this is to specify "Forward local domain queries to upstream DNS" (NVRAM "lan_dns_fwd_local") but then DHCP sends opt "WINS Server address" probably due to a bug. This is something we want to avoid since NBT/TCP should be kept disabled in our network
The final solution was to ignore the DHCP GUI "Domain Name" setting and control all DHCP options manually in "/jffs/configs/dnsmasq.conf.add" which gives a complete control of the "server=/domain/" statements to appear before "local=/domain/" which btw is also needed to enable search of the local DHCP database before the query is forwarded to our internal Active Directory DNS.
Below is a working configuration of /jffs/configs/dnsmasq.conf.add. Important that the "Domain Name" field is left empty in the DHCP configuration otherwise this will not work!
#
# Start - /jffs/configs/dnsmasq.conf.add
#
# enable "log-queries" to trace all dns queries to syslog
#log-queries
# forward queries not found in DHCP to Active Directory see "local=/../" down below) server=/homeoffice.com/192.168.100.1
server=/homeoffice.com/192.168.100.2
server=/100.168.192.in-addr.arpa/192.168.100.1
server=/100.168.192.in-addr.arpa/192.168.100.2
# forward non local queries to upstream servers server=1.1.1.1
server=1.0.0.1
# Query local DHCP database first (statement MUST come after "server=/domain/) local=/homeoffice.com/
domain=homeoffice.com,192.168.100.0/24
# do not forward private reverse lookups upstreams bogus-priv
# don't forward A or AAAA queries for single label domains (plain names) upstreams domain-needed
# DHCP option: domain name dhcp-option=lan,15,homeoffice.com
# DHCP option: ip address to domain name server (DNS) dhcp-option=lan,6,192.168.100.254
# DHCP option: NTP server dhcp-option=lan,41,192.168.100.1
# enable "log-queries" to trace all dns queries to syslog
#log-queries
# forward queries not found in DHCP to Active Directory see "local=/../" down below)
server=/homeoffice.com/192.168.100.1
server=/homeoffice.com/192.168.100.2
server=/100.168.192.in-addr.arpa/192.168.100.1
server=/100.168.192.in-addr.arpa/192.168.100.2
# forward non local queries to upstream servers
server=1.1.1.1
server=1.0.0.1
# Query local DHCP database first (statement MUST come after "server=/domain/)
local=/homeoffice.com/
domain=homeoffice.com,192.168.100.0/24
# do not forward private reverse lookups upstreams
bogus-priv
# don't forward A or AAAA queries for single label domains (plain names)
domain-needed
# DHCP option: domain name
dhcp-option=lan,15,homeoffice.com
# DHCP option: ip address to domain name server (DNS)
dhcp-option=lan,6,192.168.100.254
# DHCP option: NTP server
dhcp-option=lan,41,192.168.100.1
What can I say, I've been looking for a workaround without first checking for postconf in the repo. Turns out I've tried using "/jffs/configs/dnsmasq.postconf" instead of "/etc/dnsmasq.conf". Since /etc is not permanent storage I guess I need a startup script to copy or link postconf from /jffs to /etc during boot right?
Anyway, I'll try again with the correct path to dnsmasq.postconf this time!
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.
