[Dnsmasq-discuss] Domain Forwarding on OpenWrt/Dnsmasq
simon at thekelleys.org.uk
Sat Dec 23 12:35:22 GMT 2006
Christopher Parker wrote:
> I'm trying to make dnsmasq on my WRT54G (OpenWrt Whiterussian RC5)
> forward domain names from the router to machines "behind" the router.
> Here's an example of my setup:
> "router" is the OpenWrt machine, providing DHCP to the 192.168.1.x
> network. It has an IP of 192.168.1.1
> "machine" is a client machine behind the router. It gets its IP
> address via DHCP from dnsmasq on the wrt.
> I have an external DNS server pointing "router.example.com" to the
> router's static WAN IP. I also have machine.example.com pointing to
> that same IP. I want dnsmasq to "forward" machine.example.com to the
> client machine.
> What I have so far is working, but only from inside the 192.168.1.x
> network. From the outside, machine.example.com points to the router's
> info page instead of the client machine.
> Here's my /etc/hosts, pretty straightforward:
> 127.0.0.1 localhost OpenWrt
> 192.168.1.1 router
> 192.168.1.2 machine # forces pseudo-static IP address for client machine
> Here's my dnsmasq.conf, sans comments:
> The only thing I can think of is changing the local line to say
> local=/example.com/. Right now, if I ping another machine from inside
> the network, the hostname for that machine shows up as machine.lan.
> Would this be my problem (part of the default OpenWrt install)?
If I've understood you correctly, then I think you need to step back a
bit, and consider the larger problem. What you are trying to do, using a
server behind a NAT router, is fairly common, but you cannot do it using
DNS tricks only. There's only one IP, the router's WAN IP, which gets
packets from the global internet to your box. No matter what you do to
DNS, the names will be resolved to that IP in the end, and turn up at
The normal way to do this is port-forwarding: you tell the network subsystem
on the router to treat packets which are sent to the router's global IP
address and a certain port (or ports) specially. Instead of receiving
the packets, it changes their destination field to the (192.168,...) IP
address of the internal machine, and sends them to that machine over the
The magic to do this looks like this, which forwards port 8080 on the
router to port 80 on 192.168.1.2
# Append (-A) a DNAT rule to the nat table: TCP packets arriving for port 8080
# get their destination rewritten to 192.168.1.2:80.  Note that -D would
# delete such a rule rather than add it.
iptables -t nat -A PREROUTING -p tcp --destination-port 8080 \
    -j DNAT --to-destination 192.168.1.2:80
If you run that command on the router, then you will be able to access
the webserver on 192.168.1.2 as
It's also possible to forward port 80 on the router to port 80 on the
server, but be careful: that might also forward port 80 when accessing
the router from the internal network, blocking access to the router
I just re-read your message, and I see that you are using OpenWrt: that
almost certainly has a config page to set up port-forwarding, so you
won't need to run iptables commands directly: just fill in the web-form.
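To go with the DNAT command in the reply above, here is an added example (not from the original thread or from dnsmasq/OpenWrt) that prints the iptables rules for a port-forward restricted to the WAN interface, which avoids the caveat about internal clients being redirected when they hit the router's own port 80. It assumes "vlan1" is the WAN interface name on a Whiterussian WRT54G; check your own device before applying.

```shell
#!/bin/sh
# Added example, not from the original post or the dnsmasq project.
# Prints (does not run) the iptables rules for a TCP port-forward that
# matches only packets arriving on the WAN interface.  Restricting the
# DNAT rule with -i keeps it from catching LAN clients that connect to
# the router's own port 80, the caveat raised in the reply above.
# Assumption: "vlan1" is the WAN interface on a Whiterussian WRT54G;
# confirm yours with "ifconfig" or the OpenWrt config before applying.

is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Shape check only: four dotted numeric groups, no empty groups.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    [ "$(printf '%s' "$1" | tr -cd . | wc -c | tr -d ' ')" -eq 3 ]
}

# pf_rules WAN_IF EXT_PORT INT_IP INT_PORT
# Writes two rules to stdout: the nat-table DNAT and the matching
# FORWARD accept, so the forward also works when FORWARD policy is DROP.
pf_rules() {
    wan_if=$1 ext_port=$2 int_ip=$3 int_port=$4
    if [ -z "$wan_if" ] || ! is_port "$ext_port" || ! is_port "$int_port" \
       || ! is_ipv4 "$int_ip"; then
        echo "pf_rules: usage: pf_rules WAN_IF EXT_PORT INT_IP INT_PORT" >&2
        return 1
    fi
    printf '%s\n' "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
    printf '%s\n' "iptables -A FORWARD -i $wan_if -p tcp -d $int_ip --dport $int_port -j ACCEPT"
}

# Port 8080 on the WAN side -> port 80 on the client machine from the thread.
pf_rules vlan1 8080 192.168.1.2 80
```

Run it as a dry run first, and only pipe the output into sh as root on the router once the interface name and addresses are confirmed.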