RP-AC55, as media bridge, blocks DNS (and possibly http) queries to local DNS server connected to it - iptables, dnsmasq

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

Annetiteg

New Around Here
Hi,

I have following network <-wifi-> RP-AC55 (as media bridge) <-eth-> switch <-eth-> raspberry pi2 and desktops. That worked perfectly (domoticz, samba, DLNA, transmission... on pi2, accessible remotely if needed) until I decided to add the local DNS server dnsmasq on the pi2. Thus I configured the DNS fields of the DHCP server config with pi2 IP address. This is propagated well as ipconfig /all and /etc/resolv.conf show me

I thought it was transparent like CPL, but not:
* devices connected to the switch will use the pi2 local DNS server (checked with tcpdump on the devices and systemctl status dnsmasq on pi2 and tcpdump). Especially they can now resolve local addresses manually set in //etc//hosts or //etc//dnsmasq.conf of pi2
* devices connected to router on wifi or on another ethernet port get answers to their queries. But clearly it does not come from the local DNS server. So they can't resolve local address. Well, weird, every xx minutes, I have like 30 seconds where queries go to local DNS server
* if I move the local DNS server just behind the router and not RP-AC55, all wifi and ethernet connected devices can use it. But devices on the switch can't.

So obviously RP-AC55 is to be blamed. Thanks to the ssh access, I have seen that it listens on ports 53 and 80 (OK, there is a config web page at repeater.asus.com, this is expected), that dnsmasq is also running and that iptables seem to redirect all queries to it. Here is output of “iptables -t nat -L PREROUTING”:

Target prot opt source destination

DNAT tcp -- anywhere 10.0.0.1 tcp dpt:www to:192.168.2.105:80
DNAT tcp -- anywhere 192.168.1.1 tcp dpt:www to:192.168.2.105:80
DNAT udp -- anywhere anywhere udp dpt:domain to:192.168.2.105:53 -> any DNS query goes to dnsmasq
DNAT udp -- anywhere anywhere udp dpt:domain to:192.168.2.105:18018 -> ?


So I understand all port 53 queries passing through RP-AC55 go to local port 53 thus dnsmasq. Dnsmasq.conf points to a specific resolv-file, which contains the address of the real local DNS server (because this address has been set in DHCP server config). Still dnsmasq does not seem to forward this to the local DNS server. But I don’t know if you can pass a query through several local DNS servers (with the risk of a loop)

I removed the 2 last iptables rules. No luck. I have set DNS addresses manually to try to get a forward. No luck. I killed dnsmasq. But redirection to local port 53 still happens… and times out because there is nobody there to listen

My work-around is to use RP-AC55 as local DNS server. I filled dnsmasq.conf (could also be //etc//hosts) with the local resolutions (xxx.tutu names). This is really a work-around as all these files are in fact in a RAM disk and erased at each boot or “service restart_dnsmasq” (currently I kill dnsmasq then “nohup dnsmasq –log-async” does not erase them. Sorry...)

Help !
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top