
Dnsmasq vpn resolve site to site


kinglevel

Occasional Visitor
Hello

Trying to get my local dnsmasq to resolve a hostname over VPN; the host is located at my off-site B location.
Both sites can connect to each other and it works fine; all pings succeed.

Site A subnet: 10.1.0.0/24 (siteA.example.com)
Site B subnet: 10.2.0.0/24 (siteB.example.com)

hostname and ip to be resolved: pc1 - 10.2.0.11
a random client trying to resolve it on siteA: 10.1.0.33

quick look at my /tmp/resolv.dnsmasq on siteA:
Code:
server=xxx.xxx.xxx.xx (ISP server address...)
server=xxx.xxx.xxx.xx (ISP server address...)
server=10.2.0.1
server=/siteB.example.com/10.2.0.1


From the random client, I can do:
Code:
nslookup pc1 10.2.0.1
nslookup pc1.siteB.example.com

Name:      pc1
Address 1: 10.2.0.11 pc1.siteB.example.com

so it all works fine when the DNS on siteB is specified...


But it cannot do:
Code:
nslookup pc1

It throws me all the way to my ISP's DNS server.
So the order in which the nameservers are used by dnsmasq is in play here..

I have tried to play around with how the VPN client uses "Accept DNS configuration" at different levels like relaxed, strict or exclusive..
Also made sure dnsmasq has strict-order enabled...


I am pretty new to configuring this kind of setup.. so any hints would be nice.

cheers
 
Normally DNSMasq is configured to NOT send unqualified hostnames to upstream servers due to the following directive in the DNSMasq config file (/tmp/etc/dnsmasq.conf).

Code:
domain-needed

But even if you removed it, the assumption w/ DNS is that every DNS server is equally capable of resolving a DNS name. And if any DNS server returns NXDOMAIN (not found), as far as DNS is concerned, it doesn't exist. It does NOT search other DNS servers.

IOW, you *must* provide a fully qualified domain name if you want this to work. The only time an unqualified name is going to work is if it's known to the local DNS server (i.e., DNSMasq), which usually means via a local hosts file or DHCP.
 
perfect answer, makes sense. thx
 
Ok, after some more playing around... and more knowledge gained.
It all works perfectly, according to the domain naming structure that should be used.. but

I have a new problem where "siteA.example.com" refuses to resolve correctly for the clients.
*SSH into the routers, nslookup siteA.example.com, it works as it should, since it looks outbound directly to my ISP DNS servers.
*But when the clients ask the routers, the routers do not know where to look for it and it resolves as no answer.

I believe the routers try to resolve it as a local hostname and immediately stop looking for it when there are no local hostnames like it in their scope?

Is it possible to force dnsmasq to force-resolve a single hostname externally?
Or is it something else with how the domain name is set up?
Is it something with how general DNS rules should be considered?

The domain name for the routers is currently set to: siteA.example.com
and it appends the local hostnames correctly to the domain name structure if I try to ping stuff...

For an untrained eye it looks correct.
Hard to know where to start to dig in deep.
 
Or does it boil down to how domain and local are set in dnsmasq.conf so it knows the depth at which to stop resolving local hostnames?
 
I don't know what 'nslookup siteA.example.com' means. Are you just using shorthand, or is this literally your command? Because as written, you're attempting to resolve the domain name, NOT a hostname within that domain.

IOW, give me *precise* examples, ones that are syntactically correct, so I can evaluate things properly.
 
I have a public IP, updated with DDNS, that I want to have assigned to siteB.example.com.
It is assigned on an outbound DNS server on the internetz and works, but after setting up the domain in the routers, it cannot resolve it anymore.

Let's say pc1 from the previous example tries to resolve this:
Code:
nslookup siteB.example.com

Server:        10.2.0.1
Address:    10.2.0.1#53

Non-authoritative answer:
*** Can't find siteB.example.com No answer


but it can resolve this and all other domain names:
Code:
nslookup server.siteB.example.com

Server:        10.2.0.1
Address:    10.2.0.1#53

Name:   server.siteB.example.com
Address: 10.2.0.11
 
When the unqualified domain name is referenced by pc1, it will be sent to 10.2.0.1, like any subdomain of that same domain name, and where there would have to be a DNS record for that domain. Normally the router will NOT resolve its own domain name unless you specifically add a DNS entry (presumably its private IP on the LAN, although I suppose if you have a static public IP on the WAN, that would be another option).

Code:
host-record=siteB.example.com,192.168.1.1

But if you prefer its dynamic public IP, perhaps you could instead try adding the following to the DNS server @ 10.2.0.1.

Code:
server=/siteB.example.com/8.8.8.8

IOW, force the unqualified name to be resolved by a specific public DNS server. Just so long as any devices in the local hosts file, DHCP, or defined w/ local DNS records (i.e., address or host-record directives) are still resolved locally, by DNSMasq itself. I assume that would be the case, but then I've never tried it.
 
ok, thanks!
Yes, that's it, I want it to be resolved on a public server. Did not know I could point it directly outbound like that..

If I, for example, have many, many sites, is it possible to use a wildcard or something similar to resolve all names at a certain domain depth?

Code:
server=/*.example.com/8.8.8.8

?

Or do I really need to add all sites manually in every DNS server?
 
The following ...

Code:
server=/example.com/8.8.8.8

is the functional equivalent of ...

Code:
server=/*.example.com/8.8.8.8

In the first case, the '.' is effectively implied. You would only use * when you wanted to include a partial match on 'example'.

Code:
server=/*example.com/8.8.8.8

IOW, this would match something like xxxexample.com, whereas without the *, it would only match example.com exactly, or any subdomains of example.com (e.g., xxx.example.com).
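To make the rules from the replies above concrete (domain-needed keeping plain names local, host-record answering a name locally, server=/domain/ip picking the most specific matching domain, and the plain vs. leading-'*' domain matching just described), here is a small model of that decision logic. This is an added example, not dnsmasq's own code and not something posted in the thread: it reimplements the documented behaviour in a simplified form so the path of a sample query can be traced offline. The configuration, the 203.0.113.53 "ISP" resolver, the router host-record and the function names are constructed for the example; the leading-'*' partial match is implemented exactly as the last reply describes it.

```python
"""
Model of the dnsmasq forwarding rules discussed in this thread.

Added illustration, not dnsmasq's own code: a simplified reimplementation of
'domain-needed', 'host-record', 'server=<ip>' and 'server=/<domain>/<ip>' so
the decision for a sample query can be traced. All names and addresses below
are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class ForwardingTable:
    default_servers: list = field(default_factory=list)  # server=<ip>, in file order
    domain_servers: list = field(default_factory=list)   # (domain, ip) from server=/<domain>/<ip>
    host_records: dict = field(default_factory=dict)     # host-record=<name>,<ip>
    domain_needed: bool = False


def parse_config(text: str) -> ForwardingTable:
    """Parse the subset of dnsmasq.conf / resolv.dnsmasq syntax used in the thread."""
    table = ForwardingTable()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "domain-needed":
            table.domain_needed = True
        elif key == "host-record":
            name, ip = value.split(",", 1)
            table.host_records[name.strip().lower().rstrip(".")] = ip.strip()
        elif key == "server":
            if value.startswith("/"):
                # server=/dom1/dom2/ip : everything between the slashes is a domain
                parts = value.split("/")
                ip = parts[-1]
                for domain in parts[1:-1]:
                    table.domain_servers.append((domain.lower(), ip))
            else:
                table.default_servers.append(value)
    return table


def _matches(name: str, domain: str) -> bool:
    if domain.startswith("*"):
        # '*example.com' also matches 'xxxexample.com' (no label boundary),
        # as the last reply in the thread describes
        return name.endswith(domain[1:])
    # 'example.com' matches itself and any subdomain, never 'xxxexample.com'
    return name == domain or name.endswith("." + domain)


def route(table: ForwardingTable, qname: str):
    """Return (decision, target) for an A/AAAA query, following the thread's rules."""
    name = qname.lower().rstrip(".")
    # 1. Names dnsmasq knows itself (hosts file, DHCP leases, host-record/address)
    #    are answered locally and never forwarded.
    if name in table.host_records:
        return ("local", table.host_records[name])
    # 2. domain-needed: a plain name without a dot is never sent upstream;
    #    dnsmasq answers 'not found' itself instead of asking the ISP.
    if table.domain_needed and "." not in name:
        return ("local-nxdomain", None)
    # 3. server=/domain/ip: the most specific (longest) matching domain wins,
    #    so /siteB.example.com/ beats /example.com/ for pc1.siteB.example.com.
    best = None
    for domain, ip in table.domain_servers:
        if _matches(name, domain) and (best is None or len(domain) > len(best[0])):
            best = (domain, ip)
    if best is not None:
        return ("forward", best[1])
    # 4. Otherwise the plain server= entries; with strict-order dnsmasq tries
    #    them in file order, and whatever that server answers (NXDOMAIN
    #    included) is final: dnsmasq does not go on to ask the other servers.
    if table.default_servers:
        return ("forward", table.default_servers[0])
    return ("local-nxdomain", None)


# Constructed site-A configuration in the spirit of the thread: 203.0.113.53
# stands in for the ISP resolver, 10.2.0.1 is site B's router.
SITE_A_CONFIG = """
domain-needed
server=203.0.113.53
server=/example.com/8.8.8.8
server=/siteB.example.com/10.2.0.1
host-record=router.siteA.example.com,10.1.0.1
"""

if __name__ == "__main__":
    table = parse_config(SITE_A_CONFIG)
    for q in ("pc1", "pc1.siteB.example.com", "siteB.example.com",
              "siteC.example.com", "xxxexample.com", "router.siteA.example.com"):
        print(f"{q:28} -> {route(table, q)}")
```

Running it shows the thread's findings in one place: the plain "pc1" never leaves the router once domain-needed is set (and goes to the ISP if it is not), "siteB.example.com" itself is forwarded to 10.2.0.1 because the exact domain matches, "siteC.example.com" falls through to the broader example.com entry, and "xxxexample.com" only reaches 8.8.8.8 when the domain is written with a leading '*'.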
 
