Securing my own DNS in isolated LAN - router config advice (Solution)

Markster

Senior Member
Background:

I have my local LAN set up with 2 isolated segments. Main LAN is on br0 and secure LAN on br100. I wrote a tutorial on how I accomplished that here. In the secure LAN I have a main computer and a Synology NAS. Devices on the secure LAN cannot communicate with any devices in the main LAN and vice versa, except on certain ports I have allowed between br0 and br100 to access NAS applications.
I have been running Unbound DNS on the router (RT-AC86U) for 2+ years with extensive config for RPZ using it for adblocking and more.

New Architecture Goals.

I have decided that it will be better and more secure to run Unbound DNS in a secure LAN on my NAS in a docker container.
I have already configured and running Unbound working properly on my NAS in secure LAN.

The main reasons for this change are that

1. I can build unbound from the source myself

2. My Synology NAS has better processor and more memory for caching

3. Isolating DNS in secure LAN segment, I have better control


I want to configure my router so that all clients on the main LAN (br0) will be forced to use my DNS located in the secure LAN (br100). As for the secure LAN, I will configure DNS manually. With the new architecture I am hoping to also minimize the additional custom code that I had when running Unbound DNS on the router.


Question:

What is the best way to configure the router for this scenario? I don’t exactly know what is happening behind the scenes and how dnsmasq is set when I configure the following

1. DNS IP under WAN only

2. LAN DNS fields

If I only use router GUI and set the WAN DNS, would dnsmasq recognize new DNS and setup appropriate iptables rules or would I need to manually add additional rules to forward the DNS queries to my unbound in secure LAN?
 

eibgrad

Part of the Furniture
Admittedly, DNS configuration is a VERY complex subject. There are so many chefs in the kitchen, it makes it difficult to understand. Between the router itself and how it uses DNS, and the LAN clients and how they use it, plus things like DoT/DoH and how and where it's configured, and browsers that now want to do their own DNS, and VPNs that reconfigure DNS too, it can be overwhelming.

So anyone explaining DNS to you (myself included) can only provide a general overview. The only way to know w/ 100% accuracy is to know as much detail about how you're presently configured, and by examining the various data structures and config files. And even then, it's best to confirm the results by dumping connection tracking to see what DNS is being used and where it's going in terms of network interfaces.

With that caveat …

The router itself does NOT use DNSMasq. The only thing the router uses are the DNS servers configured on the WAN, whether those are pulled from the ISP (Connect to DNS Server automatically = Yes), or your preferred custom DNS servers (Connect to DNS Server automatically = No). These DNS servers are stored in /tmp/etc/resolv.conf.

By default, your LAN clients use DNSMasq (e.g., 192.168.1.1) as a local DNS proxy. DNSMasq's public DNS servers are stored in /tmp/resolv.dnsmasq, which is always initialized by whatever it finds in /tmp/etc/resolv.conf. By using DNSMasq, you gain the benefits of hiding/managing the public DNS servers in use, plus other features (local name resolution, caching, ad blocking, etc.).

Now let's suppose you instead want the LAN clients to use your own local DNS server @ 192.168.1.100 (the specific DNS server is unimportant, Unbound or whatever you like).

You can override the default (DNSMasq) w/ your preferred custom DNS server(s) in the LAN's DHCP server configuration. Just realize that by doing so, you lose whatever features DNSMasq normally provides to those LAN clients. Also, this has NO EFFECT on the router itself. The router continues to use the DNS servers configured on the WAN.

Note: Make sure you also set "Advertise router's IP in addition to user-specified DNS" to No.

Could you also force the router to use the local DNS server (192.168.1.100)? Yes. With a custom DNS server of 192.168.1.100 on the WAN. As always, that ends up in /tmp/etc/resolv.conf, which then ends up in /tmp/resolv.dnsmasq. If you then allow the DHCP server for the LAN clients to continue using DNSMasq (192.168.1.1), those LAN clients now have local name resolution and all the other benefits of DNSMasq, while their public DNS queries are routed to the DNS server @ 192.168.1.100.

IOW, w/ the proper configuration, you can retain the benefits of DNSMasq and the other local DNS server, both at the same time. Or you can just assign 192.168.1.100 on the WAN and DHCP server, and DNSMasq will never be relevant again. In fact, you could disable its DNS server w/ the following directive (requires a /jffs/configs/dnsmasq.conf.add file):

Code:
port=0

At least then you'd know there's no way DNSMasq could be active for DNS purposes, only DHCP.

Notice NONE of this involves routing, firewall rules, etc. It's all based on how you configure DNS through the GUI, which then affects various configuration files.

Of course, things can get much more complicated if you start to include DoT (Stubby), VPNs, etc. But for the simple purposes of choosing a different local DNS server, it's not that bad.
 

Markster

Senior Member
Thank you @eibgrad for your response. I was hoping you would. I always appreciate your feedback and advice. As you mentioned, I do want to retain DNSMASQ DHCP capabilities for all my local clients and only want to re-point all clients' DNS queries to the new DNS server.

I will try the following

1. "Advertise router's IP in addition to user-specified DNS" to No - this is already set to No
2. Set my DNS IP under LAN DHCP/DNS section
3. bring down local Unbound
4. set port=0 in /jffs/configs/dnsmasq.conf.add
5. restart dnsmasq

I will report back with the results in a day. I have to do this after hours so as not to affect our "work from home" activities.

At this moment I can ssh to the router and test the new DNS with e.g. dig cnn.com @192.168.150.10 and get a proper response. I like the fact that we are doing little changes and most of the config is through the GUI.
This is what I was aiming for.
 

Markster

Senior Member
Update.

I had a chance over lunch to test it and unfortunately it did not work. I am on 384 firmware.
I could only test briefly and had to restore to start "remote work". But here are the results.
I need to think more about it.

All settings here are printed after I took down the local Unbound DNS and restarted dnsmasq.

Once done, with DHCP->LAN set to the new DNS server IP, if I try to perform a dig command I get
;; communications error to 127.0.0.1#53: connection refused

At this point all wireless clients cannot connect.

cat /tmp/resolv.dnsmasq
server=1.1.1.1
server=1.0.0.1

cat /etc/resolv.conf
nameserver 127.0.0.1

cat /etc/dnsmasq.conf
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=home.lan
expand-hosts
dhcp-range=lan,192.168.50.2,192.168.50.62,255.255.255.0,86400s
dhcp-option=lan,3,192.168.50.1
dhcp-option=lan,6,192.168.150.10
dhcp-option=lan,15,home.lan
dhcp-option=lan,252,"\n"
dhcp-option=lan,42,0.0.0.0
dhcp-authoritative
interface=br1
dhcp-range=br1,192.168.101.2,192.168.101.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.101.1
interface=br2
dhcp-range=br2,192.168.102.2,192.168.102.254,255.255.255.0,86400s
dhcp-option=br2,3,192.168.102.1
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp
edns-packet-max=1280
port=0
 

eibgrad

Part of the Furniture
Why is the WAN's DNS config file (/etc/resolv.conf) pointing to the loopback address (127.0.0.1)?

1.1.1.1 and 1.0.0.1 should be configured on the WAN and end up in /etc/resolv.conf. That gets copied to /tmp/resolv.dnsmasq for the benefit of DNSMasq's DNS server, but you've disabled it w/ the port=0 directive (which is fine, I'm just explaining the sequence of events).

P.S. I assume you meant 386.4, NOT 384
 
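An added example, not something anyone posted in the thread: a small shell audit that does what eibgrad describes above, reading the files the GUI settings actually land in (/tmp/etc/resolv.conf for the router itself, /tmp/resolv.dnsmasq for dnsmasq's upstreams, /etc/dnsmasq.conf for port=0 and DHCP option 6) and then confirming with connection tracking (/proc/net/nf_conntrack) where port-53 traffic really goes. It runs offline here against constructed copies of the files Markster dumped, and flags the exact failure in that dump: resolv.conf points at 127.0.0.1 while port=0 has switched off the only thing listening there. The "fixed" sample files, the conntrack lines and the 192.168.150.10 NAS address are assumptions for illustration. On a real router, source the file and call audit with the real paths.

```shell
#!/bin/sh
# Added example, not code posted in the thread.  Audits the DNS chain the way
# eibgrad describes: read the files the GUI settings actually land in, then
# confirm with connection tracking where port-53 traffic really goes.
#   resolv.conf     -> what the router itself resolves with   (/tmp/etc/resolv.conf)
#   resolv.dnsmasq  -> what dnsmasq forwards to                (/tmp/resolv.dnsmasq)
#   dnsmasq.conf    -> port=0 and DHCP option 6 for LAN clients (/etc/dnsmasq.conf)
#   nf_conntrack    -> live flows                               (/proc/net/nf_conntrack)
# Runs offline against constructed copies of the files Markster posted.

# IPs the router itself uses (nameserver lines), space separated on one line.
router_resolvers() {
    awk '$1 == "nameserver" { printf "%s%s", (n++ ? " " : ""), $2 } END { print "" }' "$1"
}

# IPs dnsmasq forwards to (server= lines), same format.
dnsmasq_upstreams() {
    awk -F= '$1 == "server" { printf "%s%s", (n++ ? " " : ""), $2 } END { print "" }' "$1"
}

# Exit 0 if dnsmasq's DNS listener is switched off with port=0.
dnsmasq_dns_disabled() {
    grep -q '^port=0$' "$1"
}

# DNS server handed to DHCP clients of tag $2 via option 6; empty output means
# the clients are told to use the router (dnsmasq) itself.
dhcp_dns_option() {
    awk -F, -v tag="$2" '/^dhcp-option=/ {
        sub(/^dhcp-option=/, "", $1); if ($1 == tag && $2 == "6") print $3 }' "$1"
}

# Destinations of conntrack entries whose original direction is to port 53,
# with a count per destination: the ground truth for "who is asking whom".
conntrack_dns_dests() {
    awk '{ d = ""; p = ""
           for (i = 1; i <= NF; i++) {
               if (d == "" && $i ~ /^dst=/)   d = substr($i, 5)
               if (p == "" && $i ~ /^dport=/) p = substr($i, 7) }
           if (p == "53") n[d]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# One line per hop; returns 1 when the chain cannot work.
audit() {
    rc=0
    rr=$(router_resolvers "$1"); up=$(dnsmasq_upstreams "$2"); lan=$(dhcp_dns_option "$3" lan)
    echo "router resolves via  : ${rr:-<none>}"
    echo "dnsmasq forwards to  : ${up:-<none>}"
    echo "LAN DHCP option 6    : ${lan:-<router itself>}"
    if dnsmasq_dns_disabled "$3"; then
        echo "dnsmasq DNS listener : off (port=0)"
        case " $rr " in *" 127.0.0.1 "*)
            echo "BROKEN: router resolver is 127.0.0.1 but nothing listens there"; rc=1 ;;
        esac
        [ -n "$lan" ] || { echo "BROKEN: DHCP hands out the router as DNS but its listener is off"; rc=1; }
    else
        echo "dnsmasq DNS listener : on"
    fi
    return $rc
}

SAMPLE_DIR=$(mktemp -d)
# Constructed from Markster's dump (the broken state), trimmed to the relevant lines.
printf 'nameserver 127.0.0.1\n' > "$SAMPLE_DIR/resolv.conf"
printf 'server=1.1.1.1\nserver=1.0.0.1\n' > "$SAMPLE_DIR/resolv.dnsmasq"
cat > "$SAMPLE_DIR/dnsmasq.conf" <<'EOF'
interface=br0
no-resolv
servers-file=/tmp/resolv.dnsmasq
dhcp-range=lan,192.168.50.2,192.168.50.62,255.255.255.0,86400s
dhcp-option=lan,3,192.168.50.1
dhcp-option=lan,6,192.168.150.10
port=0
EOF
# Assumed end state of the solution post: WAN DNS = NAS (192.168.150.10 assumed),
# dnsmasq left on, no option 6 so clients keep using the router.
printf 'nameserver 192.168.150.10\n' > "$SAMPLE_DIR/resolv.conf.fixed"
printf 'server=192.168.150.10\n' > "$SAMPLE_DIR/resolv.dnsmasq.fixed"
grep -v -e '^port=0$' -e ',6,' "$SAMPLE_DIR/dnsmasq.conf" > "$SAMPLE_DIR/dnsmasq.conf.fixed"
# Constructed conntrack lines: two clients asking the router, the router asking the NAS.
cat > "$SAMPLE_DIR/nf_conntrack" <<'EOF'
ipv4 2 udp 17 28 src=192.168.50.20 dst=192.168.50.1 sport=51234 dport=53 src=192.168.50.1 dst=192.168.50.20 sport=53 dport=51234 mark=0 use=1
ipv4 2 udp 17 28 src=192.168.50.21 dst=192.168.50.1 sport=40021 dport=53 src=192.168.50.1 dst=192.168.50.21 sport=53 dport=40021 mark=0 use=1
ipv4 2 udp 17 27 src=192.168.50.1 dst=192.168.150.10 sport=48213 dport=53 src=192.168.150.10 dst=192.168.50.1 sport=53 dport=48213 mark=0 use=1
ipv4 2 udp 17 27 src=192.168.50.1 dst=192.168.150.10 sport=39900 dport=53 src=192.168.150.10 dst=192.168.50.1 sport=53 dport=39900 mark=0 use=1
ipv4 2 tcp 6 30 src=192.168.50.1 dst=192.168.150.10 sport=45001 dport=53 src=192.168.150.10 dst=192.168.50.1 sport=53 dport=45001 mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.50.20 dst=192.168.50.1 sport=50011 dport=22 src=192.168.50.1 dst=192.168.50.20 sport=22 dport=50011 mark=0 use=1
EOF

echo "== files as posted =="
if audit "$SAMPLE_DIR/resolv.conf" "$SAMPLE_DIR/resolv.dnsmasq" "$SAMPLE_DIR/dnsmasq.conf"; then echo "chain OK"; else echo "chain BROKEN"; fi
echo "== after the fix =="
if audit "$SAMPLE_DIR/resolv.conf.fixed" "$SAMPLE_DIR/resolv.dnsmasq.fixed" "$SAMPLE_DIR/dnsmasq.conf.fixed"; then echo "chain OK"; else echo "chain BROKEN"; fi
echo "== port-53 destinations seen by conntrack =="
conntrack_dns_dests "$SAMPLE_DIR/nf_conntrack"
```

The conntrack view is the part worth keeping around: the config files say what should happen, the dst= of the port-53 entries says what the router and clients are actually doing, which is what you want to check before and after every GUI change in this thread.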

Markster

Senior Member
Sorry, you are correct, 386.4. My config is nothing special - I have only Skynet and Unbound DNS.
Unbound does not change these settings, it only sets port=0 and some other dnsmasq.conf fields.
/etc/resolv.conf is set by the firmware code; it's read-only. Something the firmware is not doing makes me wonder if this is a bug.

Under Tools I have "Wan: Use local caching DNS server as system resolver (default: No)" set to Yes.
Would that make a difference?
 

eibgrad

Part of the Furniture
Under Tools I have "Wan: Use local caching DNS server as system resolver (default: No)" set to Yes.
Would that make a difference?

Sounds like it's referring to having the WAN use DNSMasq. But of course you've disabled it w/ port=0! You either have to point the WAN directly to the new local DNS server and set that option to No, or else leave it set to Yes but remove the port=0 directive.

This is exactly what I meant by too many chefs in the kitchen! It's a never ending web of things that mess w/ the DNS config that complicates things. It's ridiculous frankly.

P.S. I didn't even know that option existed under Tools! LOL
 

Markster

Senior Member
Now I realize what you said about "so many chefs in the kitchen". Between all the different possibilities for DNS settings (I counted 5), that makes it 25 combinations.

1. WAN DNS
2. LAN DNS
3. dnsmasq config with dnsmasq.postconf
4. Tools/Other Settings/Wan:local caching
5. DNS Filter

I am not saying that these settings/config do not work, but the number of possible combinations has BAD potential. If a user gets it wrong, you are tossed and you lose access to the router. No GUI or ssh. YOU ARE LOCKED OUT. It's like walking through a minefield :(

Which is insane if you ask me. What do DNS settings have to do with accessing your router admin page or ssh by IP address? Nothing. At the very least, if you did a bad config you could fix it if you had access.

For all who are watching this thread, this is a warning. Do not play with these combinations unless you have a good and deep knowledge of what all the possible combinations can wreak on the router - any of the 25, you pick.

I don't have a spare lab router to possibly test all 25 combinations, so for now this will have to rest until I can spare some time to figure this out. But I feel that these DNS combinations are way too many, and this has resulted in unchained code/firmware that has the potential to lock you out of your router.

Obviously, watching how many people have read this thread there is an interest to look into this scenario.
Which combination works? Your guess is as good as mine. We just don't know - and that is the truth.

If anyone, anyone figures this out please post a wiki page on Merlin site and share.
 

eibgrad

Part of the Furniture
Oh, I discovered another little gem the other day.

Turns out ASUS *quietly* decided in 386.4 to statically bind the WAN's DNS servers to the WAN! IOW, if you dump the routing table (ip route), you'll see static routes for those DNS servers.

That created a problem for a user on another thread who wanted to configure his WAN w/ a DNS server configured on his OpenVPN client (10.8.0.1). It's to his own OpenVPN server running on a VPS. I told him that might cause problems since the router wouldn't have access to DNS until the OpenVPN client was established. Nonetheless, he decided to continue w/ that configuration. But it didn't work because ASUS bound 10.8.0.1 to the WAN!!!

It's NOT that you can't eventually work around such issues (and I have no clue why ASUS did this), but it's just another example of all the DNS manipulation that's happening on the router. Just when you think you'd figured it out, along comes something else that's messing w/ it. I'm sure this recent change by ASUS is going to lead to more problems down the road.

That's why when users have DNS issues, it's so difficult for those of us providing tech support to provide quick, simple answers.
 

eibgrad

Part of the Furniture
P.S. Remember, the VPNs manipulate DNS too. And we have DoT on the WAN affecting DNS behavior too. Add those to your list.
 

Markster

Senior Member
I'm not giving up yet but need more time to experiment with different settings to really find out how it all can work.
 

Markster

Senior Member
In the case of static binding of WAN DNS servers to the WAN (I'm on the bridged router), what would that do if I set up my local DNS running on the NAS, leave dnsmasq untouched, no DNS Filter and LAN DNS empty?
 

eibgrad

Part of the Furniture
In the case of static binding of WAN DNS servers to the WAN (I'm on the bridged router), what would that do if I set up my local DNS running on the NAS, leave dnsmasq untouched, no DNS Filter and LAN DNS empty?

A bridged configuration on the router (e.g., AP mode) doesn't have a WAN, so it's irrelevant. And it doesn't provide a DHCP server either, or even offer a firewall. It's nothing more than a wireless switch. All your DNS at that point is a function of your primary router (whatever that is) and its WAN and DHCP server configurations.
 

Markster

Senior Member
As I was trying the config yesterday I noticed that if I left Tools/Other/Wan:local caching set to "No", all DNS resolution was done by the WAN DNS servers. I will try to perform the following:

1. Disable dnsmasq.postconf so to leave dnsmasq config at default
2. bring local unbound down
3. Specify WAN DNS1 as my NAS DNS @192.168.50.200
4. Leave WAN DNS2 as is, just in case
5. Set Tools/Other/Wan:local caching to "No"
6. Keep DNS Filter disabled

I would expect from this config set that all DNS resolutions would be done by my DNS.
I will report back with the results.
 

Markster

Senior Member
Solution:

Here are the steps and configuration that I have put in place that worked for me. Keep in mind that I have a simple config with existing Skynet and local Unbound DNS. My goal is to move local Unbound to a Synology NAS Docker container and use that as my network DNS server.

In order to disable unbound on the router perform the following steps:
1. chmod -x /opt/etc/init.d/S61Unbound
2. chmod -x /jffs/scripts/dnsmasq.postconf
3. run unbound-control stop.
4. run service restart_dnsmasq

Now, second part is to use router web admin pages.
1. Tools/Other/WAN Use local caching -> No
2. WAN DNS1 -> Set this IP to your NAS IP
3. LAN DNS Filter -> Off
4. WAN Forward local domain queries to upstream DNS -> Yes

Testing with ssh.
1. run dig cnn.com and you should get a response from your NAS Docker DNS
2. reboot the router, you can run command reboot from ssh
3. Use your other network devices and validate that you have access and your DNS received from DHCP is the router IP.

When you have confirmed that all is working, you can remove all local Unbound files from the system. Now you have the router doing its job as a router, and a separate DNS running in Synology Docker. One thing to point out here about Unbound running in Docker is that you should use the Docker host network and not the bridge network, since Unbound randomizes ports when performing external queries. This is great for security on Unbound, but it will not work if you use the bridge network.

Warning:
DNS Filter does not work in this config.
 
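An added example, not Markster's actual container setup: a shell script that renders an Unbound config for the NAS container described in the solution above, plus the matching docker run line. The post uses Docker host networking; with host networking Unbound binds on the NAS itself, and an "interface: 0.0.0.0" would listen on every NAS address, so the rendered config pins it to one address, refuses queries from anything other than the router and the two LAN segments, and hides the server version. The addresses (NAS 192.168.150.10, 192.168.50.0/24 for br0, 192.168.150.0/24 for br100), the image name and the NAS config path are assumptions; change them before use. unbound-checkconf is only run if it is installed.

```shell
#!/bin/sh
# Added example, not from the thread: render the Unbound config for the NAS
# container in the solution post and the docker run line that goes with it.
# Host networking (as the post recommends) means Unbound binds on the NAS
# directly, so listen on one address and default-deny everything else.
# Assumed values, not from the thread:
NAS_IP="${NAS_IP:-192.168.150.10}"               # NAS on the secure LAN (br100)
MAIN_LAN="${MAIN_LAN:-192.168.50.0/24}"          # br0, from the posted dhcp-range
SECURE_LAN="${SECURE_LAN:-192.168.150.0/24}"     # br100
IMAGE="${IMAGE:-unbound-local:latest}"           # placeholder: the image you built
CONF_DIR="${CONF_DIR:-/volume1/docker/unbound}"  # placeholder NAS path

# Render unbound.conf: one listening address, ACL allowing only the router
# (it queries from its br100 address) and the two segments, identity hidden,
# standard cache-poisoning hardening.  Every option below is a stock Unbound
# server: option.
render_unbound_conf() {
    cat <<EOF
server:
    verbosity: 1
    interface: $NAS_IP
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    # no answers to version.bind / id.server fingerprinting probes
    hide-identity: yes
    hide-version: yes
    # default-deny, then the router and the two LAN segments
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: $MAIN_LAN allow
    access-control: $SECURE_LAN allow
    # cache-poisoning hardening
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    qname-minimisation: yes
EOF
}

# docker run line: host networking as the post recommends, config mounted
# read-only so a compromised container cannot rewrite its own ACL.
docker_run_cmd() {
    printf 'docker run -d --name unbound --restart unless-stopped --network host -v %s/unbound.conf:/etc/unbound/unbound.conf:ro %s\n' \
        "$CONF_DIR" "$IMAGE"
}

# Syntax-check with unbound-checkconf when it is installed (it ships with
# Unbound); otherwise just say so.
check_conf() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    else
        echo "unbound-checkconf not found; skipping syntax check of $1"
    fi
}

OUT=$(mktemp -d)
render_unbound_conf > "$OUT/unbound.conf"
check_conf "$OUT/unbound.conf" || echo "config check failed for $OUT/unbound.conf"
echo "# rendered $OUT/unbound.conf; copy it to $CONF_DIR and deploy with:"
docker_run_cmd
```

After the container is up, the useful check from the router is the same one Markster does in the solution (dig cnn.com from ssh), plus one dig from a main-LAN host straight at the NAS address to confirm the ACL answers the allowed segment and nothing else.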