[Dnsmasq-discuss] Becoming authoritative DNS for additional netblock

Albert ARIBAUD albert.aribaud at free.fr
Mon Nov 30 13:02:59 GMT 2015


Hello again "A C",

On Mon, 30 Nov 2015 00:31:28 -0800,
A C <agcme at hotmail.com> wrote:

> On 2015-11-29 23:49, Albert ARIBAUD wrote:
> > Hi again "A C",
> >
> > On Sun, 29 Nov 2015 23:19:28 -0800,
> > A C <agcme at hotmail.com> wrote:
> >
> >> On 2015-11-29 22:50, Albert ARIBAUD wrote:
> >>> Hi "A C",
> >>>
> >>> On Sun, 29 Nov 2015 14:08:50 -0800,
> >>> A C <agcme at hotmail.com> wrote:
> >>>
> >>>> Ok, this question is for a much older version of dnsmasq because
> >>>> I haven't been able to update the router firmware to bring in a
> >>>> newer version.  I'm currently using version 2.35
> >>>>
> >>>> My current internal IP space is 10.0.0.0/255.255.0.0 (A Class B
> >>>> subnet of the 10.x.x.x Class A space).   I have a VPN server on
> >>>> the network that I use when I'm away from home.  It uses the
> >>>> 10.100.0.0 network space for the remote clients.
> >>>>
> >>>> What I would like to do is configure dnsmasq on my router to
> >>>> answer authoritatively for any requests about addresses in that
> >>>> 10.100.0.0 network even though the main network is outside that
> >>>> space.  The VPN clients are assigned these extra IPs statically
> >>>> so I would just be adding them to the router's hosts file for
> >>>> dnsmasq to pick up.
> >>>>
> >>>> According to online man pages (the router doesn't have them
> >>>> because of space) there's a rev-server option which appears to be
> >>>> what I want but I can't determine if rev-server is supported in
> >>>> 2.35 or if it's a later addition.
> >>> As per the current manpage, the --rev-server option is just
> >>> syntactic sugar for --server. Therefore, if --rev-server does what
> >>> you need, so does --server, and IIUC, it does not work as a
> >>> "reverse query router".
> >>>
> >> Hi Albert,
> >>
> >> I did try server but it's not working.  Attempting to resolve a
> >> hostname in the alternate netblock tries to send upstream.
> >>
> >> My current network has my router serving as DNS and DHCP server via
> >> dnsmasq.  The VPN server has dnsmasq running with the goal of being
> >> authoritative for any of the VPN clients (the VPN software can
> >> write to the hosts file on the server as clients come and go).
> >>
> >> My router's configuration has local=/example.com/ (of course I'm
> >> using my real domain but it's not important for this)
> >> I added an additional line server=vpn.example.com/10.0.0.140 (my
> >> vpn server having the address 10.0.0.140)
> > OK, so from the docs, any request for "*.vpn.example.com" will be
> > forwarded to 10.0.0.140. Is that what you want?
> 
> Yes, that's exactly correct.  I want to address the vpn clients as
> <client>.vpn.example.com and I want the vpn server to be the DNS
> server for that subdomain.  The main dnsmasq in the router should
> simply defer to the vpn server.
> 
> >> On the VPN server, I have local=/vpn.example.com/ and the hosts
> >> file is populated by the server, for example:
> >> 10.100.0.10 client1.vpn.example.com
> >>
> >> On the VPN server I can run a DNS query against localhost and
> >> dnsmasq there returns the proper IP address.  However, if I query
> >> using the router as the DNS server, the query actually gets sent
> >> upstream to the ISP and I eventually get a failure.
> >>
> >> I also tried server=/0.100.10.in-addr.arpa/10.0.0.140 with no luck
> >> and I also added local=/vpn.example.com/ (so now there are two
> >> local directives) but the end result is that the query is not
> >> forwarded over to the VPN server, it's sent up to the ISP.
> > What is the physical and logical topology of your network, and what
> > are your router's and name server's networking configurations, both
> > in terms of hardware interfaces and of software settings such as IP
> > addresses and netmasks per interface, gateway(s), and routing
> > table(s)?
> >
> 
> The entire private network is 10.0.0.0/16 and all machines are
> attached to the single NAT router.  Everything going on is internal
> only, none of this traffic should exit the private network.
> 
> The main router is 10.0.0.1, the VPN server is 10.0.0.140, all normal
> clients on the network are 10.0.0.0/16.
> VPN clients coming in from the outside receive 10.100.0.0/24 so that
> it falls outside of the internal network (otherwise routing breaks).

That depends on how you set it up, actually, and probably on the size
of the network, but for my (admittedly small) network, VPN connections
are handled by a bridging OpenVPN instance on a TAP device bridged with
a physical interface. Local and VPN clients thus use the same DHCP
server and therefore coexist in the same subnet, and have access to the
same servers, including the DNS server.

Now, a separate subnet for VPN clients works too, as long as the VPN
server does the NATting for them -- again, OpenVPN does that normally,
so that no packet on 10.0.*.* should have a source or destination IP of
10.100.*.*.

> There's only one internal interface on the router, eth1, and it's the
> only interface that dnsmasq is listening on (the conf file says
> interface=eth1) with the same /16 netmask.  The external interface is
> eth0.

Does that mean there is also an eth0 interface on the router?

> The VPN server has only one interface on the network, it's eth0 also
> with /16.  The clients come in via tunnels so they show up on the VPN
> server as tun[] devices and the VPN server takes care to route onto
> the main network.
> 
> The router has four defined routes.  Two of the routes are for the
> outbound external interface and all public IPs.  The other two routes
> are for the internal network and the VPN client network.  Those are
> defined as:
> 
> net 10.100.0.0  gw 10.0.0.140 mask 255.255.255.0 if eth1 (remapping
> gateway to the vpn server for the VPN block)
> net 10.0.0.0 gw * mask 255.255.0.0 if eth1 (default route)
>
> The VPN server also has four routes, two are for its eth0 to the rest
> of the network and the other two are the tun[] interfaces which are
> only visible to connected clients.  The two eth0 routes are the
> default route and the local network:
> 
> net 0.0.0.0 gw 10.0.0.1 mask 0.0.0.0 eth0
> net 10.0.0.0 gw * mask 255.255.0.0 eth0
> 
> Every client on the internal network has DNS defined to be the
> router. None of them are aware of any external DNS (every resolv.conf
> or equivalent is set to 10.0.0.1).  The VPN clients have the same
> configuration pushed to them on connect.  The only device on the
> network aware of additional DNS servers is the router.  Its
> resolv.conf points to the ISP DNS servers.  The IP address is static
> so the entire configuration is static including the DNS servers (no
> live rewriting of resolv.conf).
> 
> All traffic and DNS lookups work for the main network hosts
> (*.example.com) even from the VPN clients.  I can be on a VPN client
> and ask for the IP of device.example.com and get an answer that is in
> the 10.0.0.0/16 block as expected.  Reverse communication (i.e. ping)
> is possible to the VPN client IP addresses so now it's just a matter
> of getting DNS working.  I can manually query the VPN's dnsmasq using
> dig or nslookup for a *.vpn.example.com address from any other network
> machine and get a proper answer.  But if I query the router's dnsmasq, I
> get NXDOMAIN.
>
> I am also watching the VPN server's input for DNS packets.  When I
> query the router's dnsmasq, the VPN server is never sent a DNS query
> packet so the router's dnsmasq is not forwarding the request over to
> the VPN server.  I can see the packet when I query direct just not
> when I try to go through the router's dnsmasq.

Can you watch the router's DNS traffic rather than the VPN server's?
Possibly give a tcpdump of a successful and a failed DNS request? I
assume you cannot change how dnsmasq runs on the router but if you can,
then try having it log the successful and failed DNS requests too.
This log might show whether a request is forwarded or cached, for
instance.

Kind regards,
-- 
Albert.
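As an added example (not part of the thread, and not dnsmasq's own code), the script below expands the --rev-server sugar into the equivalent server= line the manpage describes, and predicts, by dnsmasq's most-specific-domain rule, where the router's dnsmasq would send a given query under the configuration quoted above. ROUTER_CONF, the hostnames and the addresses are constructed from the thread; the conflict case models the extra local=/vpn.example.com/ line that was tried on the router.

```python
# Added example: not from the thread or the dnsmasq project. It expands the
# --rev-server sugar into the server= form (per the dnsmasq manpage) and
# predicts, by dnsmasq's most-specific-domain rule, where the router would
# send a query. ROUTER_CONF is constructed from the thread's configuration.
import ipaddress
import re

def rev_server_to_server(cidr, upstream):
    """--rev-server=<cidr>,<upstream> -> the equivalent server= line."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only whole-octet IPv4 prefixes are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return "server=/%s.in-addr.arpa/%s" % (".".join(reversed(octets)), upstream)

# server=/<domain>/<upstream> or local=/<domain>/ (an empty upstream)
_DIRECTIVE = re.compile(r"^(?:server|local)=/([^/]+)/(.*)$")

def parse_directives(config_text):
    """Map domain -> set of upstreams; '' marks a local= (never forward) entry."""
    table = {}
    for line in config_text.splitlines():
        m = _DIRECTIVE.match(line.strip())
        if m:
            domain = m.group(1).lower().strip(".")
            table.setdefault(domain, set()).add(m.group(2).strip())
    return table

def expected_handling(name, table):
    """Return (action, matched_domain, upstreams) for one query name."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest matching suffix wins
        dom = ".".join(labels[i:])
        if dom in table:
            upstreams = sorted(t for t in table[dom] if t)
            never_forward = "" in table[dom]
            if never_forward and upstreams:  # local= and server= on one domain
                return ("conflict", dom, upstreams)
            if never_forward:
                return ("local", dom, [])
            return ("forward", dom, upstreams)
    return ("default", "", [])               # resolv.conf upstreams (the ISP)

ROUTER_CONF = """\
interface=eth1
local=/example.com/
server=/vpn.example.com/10.0.0.140
""" + rev_server_to_server("10.100.0.0/24", "10.0.0.140") + "\n"
```

A "conflict" result means the same domain is asked to be both forwarded and never forwarded, which is worth removing before reading any logs.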


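To read the log-queries output suggested above, here is an added example (not from the thread) that summarises dnsmasq log lines per query name: whether the router forwarded the query and to whom, or answered it itself from config, /etc/hosts or its cache. SAMPLE_LOG is constructed in the format dnsmasq's log-queries produces, using the thread's names and addresses.

```python
# Added example, not from the thread: summarise dnsmasq log-queries output
# per query name so the log shows whether the router forwarded a query or
# answered it itself. SAMPLE_LOG is constructed in dnsmasq's log format
# with the thread's names and addresses.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Nov 30 12:00:01 router dnsmasq[1234]: query[A] client1.vpn.example.com from 10.0.0.50
Nov 30 12:00:01 router dnsmasq[1234]: forwarded client1.vpn.example.com to 10.0.0.140
Nov 30 12:00:01 router dnsmasq[1234]: reply client1.vpn.example.com is 10.100.0.10
Nov 30 12:00:05 router dnsmasq[1234]: query[A] device.example.com from 10.0.0.50
Nov 30 12:00:05 router dnsmasq[1234]: /etc/hosts device.example.com is 10.0.0.77
Nov 30 12:00:09 router dnsmasq[1234]: query[A] client2.vpn.example.com from 10.0.0.50
Nov 30 12:00:09 router dnsmasq[1234]: config client2.vpn.example.com is NXDOMAIN
Nov 30 12:00:12 router dnsmasq[1234]: query[A] device.example.com from 10.0.0.51
Nov 30 12:00:12 router dnsmasq[1234]: cached device.example.com is 10.0.0.77
"""

# <source> <name> from|to|is <value>; source is query[TYPE], forwarded,
# reply, cached, config or a hosts-file path
_LINE = re.compile(r"dnsmasq\[\d+\]: (query\[\w+\]|forwarded|reply|cached|config|/\S+)"
                   r" (\S+) (?:from|to|is) (\S+)")

def summarize(log_text):
    """Per name: who asked, where it was forwarded, and what answered locally."""
    names = defaultdict(lambda: {"clients": [], "forwarded_to": [],
                                 "answered_from": [], "replies": []})
    for line in log_text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        kind, name, value = m.groups()
        entry = names[name.lower()]
        if kind.startswith("query"):
            entry["clients"].append(value)
        elif kind == "forwarded":
            entry["forwarded_to"].append(value)
        elif kind == "reply":
            entry["replies"].append(value)
        else:                      # config, cached or a hosts file: no forwarding
            entry["answered_from"].append(kind)
    return dict(names)

def never_forwarded(summary, domain):
    """Names in `domain` that the router answered itself instead of forwarding."""
    suffix = "." + domain.lower().strip(".")
    return sorted(n for n, e in summary.items()
                  if (n.endswith(suffix) or n == suffix[1:]) and not e["forwarded_to"])
```

For the setup in the thread, every *.vpn.example.com name should appear in forwarded_to with 10.0.0.140; a name that instead shows "config" was answered by the router's own dnsmasq.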
