Need Help With DNS/DNSMasq Config

djtech2k

Regular Contributor
I have had a setup on my Asus AC68U running RMerlin 376.47 and it has worked. I carried the idea over from DD-WRT that I used in the past. It just suddenly stopped working and I cannot figure out why or how to fix it.

I have a local Windows server DNS server that I use for my home "domain". It has all my "internal" name resolution. I need my router to forward all "domain.local" name resolution requests to my 2 DNS servers. All other DNS requests should go outbound.

In my /jffs/config, I have a file "dnsmasq.conf.add" with 2 entries in it like this: "server=/domain.local/10.0.0.2".

It used to work great, but not now. When I run nslookup from a computer to another computer in my local domain, I get "cannot find" from the router as the name server.

Any ideas?
 
I have seen a few threads like this but most were old. They were discussing local dns resolution by a dns server and forwarding unknown names to the upstream DNS. Those threads were old so I could not find one that would resolve my situation.
 
Asus now adds the following line, which might possibly conflict with your setup:

Code:
local=/lostrealm.lan/

(or whatever the local domain you have configured on the router).

You might need to remove that line using a postconf script.
 
Ok, so here is the content of my dnsmasq.conf:

pid-file=/var/run/dnsmasq.pid
user=nobody
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
min-port=4096
bind-dynamic
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*
domain=domain.local
expand-hosts
bogus-priv
local=/domain.local/
no-negcache
cache-size=1500
dhcp-range=lan,10.0.0.20,10.0.0.85,255.255.255.0,86400s
dhcp-option=lan,3,10.0.0.1
dhcp-option=lan,15,domain.local
dhcp-option=lan,44,0.0.0.0
dhcp-option=lan,252,"\n"
dhcp-lease-max=253
dhcp-authoritative
quiet-dhcp
server=/domain.local/10.0.0.253
server=/domain.local/10.0.0.254

What do you think I should do? I have been thinking about upgrading to the newest version, but am a bit scared to do it since I have never done it on this firmware before.
 
Just following your recommendation, I created a dnsmasq.postconf script in my /jffs/scripts dir. Here is what I put in it:

#!/bin/sh
# dnsmasq.postconf: the firmware passes the path of the generated dnsmasq.conf as $1
CONFIG=$1
# load the pc_* helpers (pc_replace, pc_delete, ...) shipped with the firmware
. /usr/sbin/helper.sh

# Blank out the local-only directive so queries for lab.home are forwarded.
# (pc_replace leaves an empty line behind; helper.sh's pc_delete "local=/lab.home/" "$CONFIG"
# would drop the line entirely.)
pc_replace "local=/lab.home/" "" "$CONFIG"

Now, in my dnsmasq.conf file, there is an empty line right after "bogus-priv". After a reboot, it looks like I am getting some local DNS resolution on some clients. When I try nslookup from the router, nothing local is resolved as it is only looking at my ISP DNS servers.

Is that normal? Should I leave it this way? Not sure if the blank line in the dnsmasq.conf is ok or not.
 
Now, in my dnsmasq.conf file, there is an empty line right after "bogus-priv". After a reboot, it looks like I am getting some local DNS resolution on some clients. When I try nslookup from the router, nothing local is resolved as it is only looking at my ISP DNS servers.

Is that normal? Should I leave it this way? Not sure if the blank line in the dnsmasq.conf is ok or not.

This is normal. Unless you change the DNS on the WAN page, your router will use what's provided by your ISP, and will have no way of knowing which nameserver is authoritative for your local domain.
 
I know this is an old thread, but suddenly my setup is not working.

I haven't changed anything. I still have my internal domain in the dnsmasq.conf so that any dns query for my local domain will be directed to my intranet domain controllers. Now all of a sudden, if I query something on my domain from the router, it says bad host. It used to work. My clients point to the router as the primary, so now all my clients cannot resolve internal domain names.

I noticed this when a client resolves an old IP for another DNS entry. I validated my internal DNS has the new IP, but when my client queries my router (which should redirect to my internal DNS), it comes back with an old IP.

I tried to post my config, but the website is blocking it through cloudflare.

Any ideas why it stopped working or how to fix it?
 
Any ideas why it stopped working or how to fix it?
I had a similar problem on Windows 10. In a Windows command prompt, type:
Code:
ipconfig /flushdns

Alternatively, you can permanently disable the DNS Client service on Windows. Use the Service Control Manager to set the startup mode of the service to Disabled. It's described as follows:

"The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start."

 
Asus now adds the following line, which might possibly conflict with your setup:

Code:
local=/lostrealm.lan/

(or whatever the local domain you have configured on the router).

You might need to remove that line using a postconf script.

RMerlin raises a very good point - when reviewing the OP's original post, he used a reserved top level domain (TLD) which is .local

server=/domain.local/10.0.0.253
server=/domain.local/10.0.0.254

RMerlin's mention above is more correct, where his TLD for local is .lan - which is not only appropriate, but highly recommended, as it's not a TLD that goes outside - e.g. dnsmasq won't forward .lan requests upstream (at least it shouldn't)...

The risk here is the stanza in the dnsmasq.conf for local - let's say we have somecustomdomain.someddnsprovider.com (or .net, .org, or other public TLD) - one can get into a situation depending on other items (VPN for example) where lookups can go upstream when they're not desired - resulting in potential DNS leaks and the like (out of the box, Asus has done some good things to prevent this, but once people go under the hood, the risk is indeed there).

Little tip - run Avahi/Bonjour inside the local area network - it works really well, so hostname becomes hostname.local, and it will resolve internally.

External Services - this is best handled via DNS, and most DDNS providers will update based on IP changes from the ddns client in the router (or desktop app, etc) - and then edit the DNS record accordingly for services that are public facing...
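As an added example (not code from this thread or from the firmware), a small Python lint that parses a dnsmasq.conf and flags the two issues raised above: a domain declared both local-only (local=/dom/) and forwarded (server=/dom/ip), and conditional forwarding of the .local suffix, which RFC 6762 reserves for multicast DNS. The sample config is a constructed excerpt modelled on the one posted earlier.

```python
"""Lint a dnsmasq.conf for the two forwarding problems discussed in this thread."""
import re
from collections import defaultdict

# server=/dom/ip forwards dom to ip; local=/dom/ is server=/dom/ with no address,
# i.e. "answer from local data (hosts file, DHCP leases) only, never forward".
DIRECTIVE_RE = re.compile(r"^(server|local)=/([^/]+)/(.*)$")
RESERVED_TLDS = {"local"}  # RFC 6762 reserves .local for multicast DNS

# Constructed excerpt modelled on the router config posted earlier in the thread.
SAMPLE_CONF = """\
domain=domain.local
expand-hosts
bogus-priv
local=/domain.local/
server=/domain.local/10.0.0.253
server=/domain.local/10.0.0.254
server=/lab.lan/10.0.0.2
"""

def parse_forwarding(conf_text):
    """Map each domain to whether it is local-only and which upstreams it is forwarded to."""
    domains = defaultdict(lambda: {"local": False, "servers": []})
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, domain, target = m.groups()
        domain = domain.lower().rstrip(".")
        if key == "local" or target == "":
            domains[domain]["local"] = True
        else:
            domains[domain]["servers"].append(target)
    return dict(domains)

def lint_forwarding(conf_text):
    """Return human-readable findings; an empty list means nothing suspicious was found."""
    findings = []
    for domain, info in sorted(parse_forwarding(conf_text).items()):
        tld = domain.rsplit(".", 1)[-1]
        if info["local"] and info["servers"]:
            findings.append(f"{domain}: local=/{domain}/ marks it local-only, yet it is also forwarded "
                            f"to {', '.join(info['servers'])}; those forwarders may never be consulted")
        if tld in RESERVED_TLDS and info["servers"]:
            findings.append(f"{domain}: the .{tld} suffix is reserved for multicast DNS (RFC 6762); "
                            f"use a private suffix such as .lan or .home.arpa instead")
    return findings

if __name__ == "__main__":
    for finding in lint_forwarding(SAMPLE_CONF):
        print(finding)
```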
 
Thanks for the replies.

I have cleared DNS client cache many times. It's not that.

My domain is local only, so it will not try to go outside for resolution. I do have a postconf script to replace that "local" setting. This thing has been working great for a long time. Now all of a sudden it's not. I have not changed anything.

For some reason, the router is not passing traffic for my local domain to my local DNS servers.

I will try to post my settings this way since the forum won't allow it.

 
For some reason, the router is not passing traffic for my local domain to my local DNS servers.

This might be related to the hairpin issue that others have reported - Asus made some changes that broke things there... (in a good way perhaps)
 
but when my client queries my router (which should redirect to my internal DNS), it comes back with an old IP.
If you're getting an old IP address, and it's not coming from 10.0.0.254, then it sounds like dnsmasq has cached the entry. Restarting the router or dnsmasq followed by the clients should fix it.

If that doesn't fix it then I'd suggest there is a misconfiguration on the client or DNS servers. Presumably the device with the "new" IP address has its network interface manually configured as well as having a static entry on 10.0.0.254's DNS server?

If nothing has changed on the router then it must be something else.
 
I agree that it definitely sounds like a cache issue. The internal DNS server has the correct IP. I flushed the DNS client cache on all clients that were returning an old IP.

My setup was done so that all DNS clients point to the router as their primary DNS server, and then the router would forward all internal requests to 1 of the 2 internal DNS servers. Well, it has worked for years and suddenly stopped. For the time being, I stopped the clients from pointing to the router and now point them to one of my internal DNS servers. It works, but I do not like it because if that single DNS server goes down, nothing in my house will get name resolution. I liked using the router as primary because it was a more direct way to get public name resolution and it would direct internal domain requests to both my internal servers. I'd like to get back to that, but I cannot figure it out yet.
 
So you're saying that if you issue the following command on one of the client PCs you get an answer from the router with the old IP address, yes?
Code:
nslookup thehostname.lab.home

But the following command gives you the new address, yes?
Code:
nslookup thehostname.lab.home 10.10.10.254
 
When the problem started happening, I removed the router from the primary DNS server in the DHCP config and used one of my internal DNS servers. That made everything work now, but it does make it 100% reliant on the single DNS server.

I now put the router back as the first DNS server in the dhcp config. It is working, but I have not tried changing an IP yet to see if name resolution works.

One thing I think is important to note is that when I SSH to the router, I do NOT get name resolution for any of my internal names. I expected the router to know to forward requests to my internal DNS, but maybe I am wrong.

So to sum up, I am back to my original config and it seems to work, but I need to test if a client changes IP, will it continue to work? I will post back my test result.
 
Ok I have some test results. I moved back to my original config. I forced a DHCP client to get a new IP. Now when I go to another DHCP client and do nslookup Target_Name, the router is the nameserver and it returns an old IP. So the new IP is NOT retrieved by the router as the nameserver.

I checked my DNS servers and they have the correct IP.

So I cannot figure out why the router is not pulling the updated IP from my DNS servers.

Any ideas?
 
So I cannot figure out why the router is not pulling the updated IP from my DNS servers.
I'd guess it's because the router has no way of knowing that the IP on the DNS server has changed and the TTL hasn't expired yet. As I said before, restart the router (or otherwise flush dnsmasq's cache) and see if you then get the new IP address.
 
I restarted dnsmasq and it didn't change. I then restarted the router and still no change. It's just strange. It is like it's cached in the router somehow, but it used to work great.
 
When you do your "nslookup Target_Name" are you using the fully qualified domain name?

Do you have a Linux machine you can issue a "dig" command from, or are you Windows only?
 