[Dnsmasq-discuss] Becoming authoritative DNS for additional netblock

A C agcme at hotmail.com
Mon Nov 30 08:31:28 GMT 2015


On 2015-11-29 23:49, Albert ARIBAUD wrote:
> Hi again "A C",
>
> Le Sun, 29 Nov 2015 23:19:28 -0800
> A C <agcme at hotmail.com> a écrit:
>
>> On 2015-11-29 22:50, Albert ARIBAUD wrote:
>>> Hi "A C",
>>>
>>> Le Sun, 29 Nov 2015 14:08:50 -0800
>>> A C <agcme at hotmail.com> a écrit:
>>>
>>>> Ok, this question is for a much older version of dnsmasq because I
>>>> haven't been able to update the router firmware to bring in a newer
>>>> version.  I'm currently using version 2.35
>>>>
>>>> My current internal IP space is 10.0.0.0/255.255.0.0 (A Class B
>>>> subnet of the 10.x.x.x Class A space).   I have a VPN server on
>>>> the network that I use when I'm away from home.  It uses the
>>>> 10.100.0.0 network space for the remote clients.
>>>>
>>>> What I would like to do is configure dnsmasq on my router to answer
>>>> authoritatively for any requests about addresses in that 10.100.0.0
>>>> network even though the main network is outside that space.  The
>>>> VPN clients are assigned these extra IPs statically so I would
>>>> just be adding them to the router's hosts file for dnsmasq to pick
>>>> up.
>>>>
>>>> According to online man pages (the router doesn't have them
>>>> because of space) there's a rev-server option which appears to be
>>>> what I want but I can't determine if rev-server is supported in
>>>> 2.35 or if it's a later addition.
>>> As per the current manpage, the --rev-server option is just
>>> syntactic sugar for --server. Therefore, if --rev-server does what
>>> you need, so does --server, and IIUC, it does not work as a
>>> "reverse query router".
>>>
>> Hi Albert,
>>
>> I did try server but it's not working.  Attempting to resolve a
>> hostname in the alternate netblock tries to send upstream.
>>
>> My current network has my router serving as DNS and DHCP server via
>> dnsmasq.  The VPN server has dnsmasq running with the goal of being
>> authoritative for any of the VPN clients (the VPN software can write
>> to the hosts file on the server as clients come and go).
>>
>> My router's configuration has local=/example.com/ (of course I'm using
>> my real domain but it's not important for this)
>> I added an additional line server=vpn.example.com/10.0.0.140 (my vpn
>> server having the address 10.0.0.140)
> OK, so from the docs, any request for "*.vpn.example.com" will be
> forwarded to 10.0.0.140. Is that what you want?

Yes, that's exactly correct.  I want to address the vpn clients as
<client>.vpn.example.com and I want the vpn server to be the DNS server
for that subdomain.  The main dnsmasq in the router should simply defer
to the vpn server.

>> On the VPN server, I have local=/vpn.example.com/ and the hosts file
>> is populated by the server, for example:
>> 10.100.0.10 client1.vpn.example.com
>>
>> On the VPN server I can run a DNS query against localhost and dnsmasq
>> there returns the proper IP address.  However, if I query using the
>> router as the DNS server, the query actually gets sent upstream to the
>> ISP and I eventually get a failure.
>>
>> I also tried server=/0.100.10.in-addr.arpa/10.0.0.140 with no luck
>> and I also added local=/vpn.example.com/ (so now there are two local
>> directives) but the end result is that the query is not forwarded over
>> to the VPN server, it's sent up to the ISP.
> What is the physical and logical topology of your network, and what are
> your router's and name server's networking configurations, both in
> terms of hardware interfaces and of software settings such as IP
> addresses and netmasks per interface, gateway(s), and routing table(s)?
>

The entire private network is 10.0.0.0/16 and all machines are attached
to the single NAT router.  Everything going on is internal only, none of
this traffic should exit the private network.

The main router is 10.0.0.1, the VPN server is 10.0.0.140, all normal
clients on the network are 10.0.0.0/16.
VPN clients coming in from the outside receive 10.100.0.0/24 so that it
falls outside of the internal network (otherwise routing breaks).

There's only one internal interface on the router, eth1, and it's the
only interface that dnsmasq is listening on (conf file says interface=eth1)
with the same /16 netmask.  The external interface is eth0.

The VPN server has only one interface on the network, it's eth0 also
with /16.  The clients come in via tunnels so they show up on the VPN
server as tun[] devices and the VPN server takes care to route onto the
main network.

The router has four defined routes.  Two of the routes are for the
outbound external interface and all public IPs.  The other two routes
are for the internal network and the VPN client network.  Those are
defined as:

net 10.100.0.0  gw 10.0.0.140 mask 255.255.255.0 if eth1 (remapping
gateway to the vpn server for the VPN block)
net 10.0.0.0 gw * mask 255.255.0.0 if eth1 (default route)

The VPN server also has four routes, two are for its eth0 to the rest of
the network and the other two are the tun[] interfaces which are only
visible to connected clients.  The two eth0 routes are the default route
and the local network:

net 0.0.0.0 gw 10.0.0.1 mask 0.0.0.0 eth0
net 10.0.0.0 gw * mask 255.255.0.0 eth0

Every client on the internal network has DNS defined to be the router.
None of them are aware of any external DNS (every resolv.conf or
equivalent is set to 10.0.0.1).  The VPN clients have the same
configuration pushed to them on connect.  The only device on the network
aware of additional DNS servers is the router.  Its resolv.conf points
to the ISP DNS servers.  The IP address is static so the entire
configuration is static including the DNS servers (no live rewriting of
resolv.conf).

All traffic and DNS lookups work for the main network hosts
(*.example.com) even from the VPN clients.  I can be on a VPN client and
ask for the IP of device.example.com and get an answer that is in the
10.0.0.0/16 block as expected.  Reverse communication (i.e. ping) is
possible to the VPN client IP addresses so now it's just a matter of
getting DNS working.  I can manually query the VPN's dnsmasq using dig
or nslookup for a *.vpn.example.com address from any other network
machine and get a proper answer.  But if I query the router's dnsmasq, I
get NXDOMAIN.

I am also watching the VPN server's input for DNS packets.  When I query
the router's dnsmasq, the VPN server is never sent a DNS query packet so
the router's dnsmasq is not forwarding the request over to the VPN
server.  I can see the packet when I query direct just not when I try to
go through the router's dnsmasq.
