[Dnsmasq-discuss] Becoming authoritative DNS for additional netblock

A C agcme at hotmail.com
Mon Nov 30 14:43:32 GMT 2015


On 2015-11-30 05:02, Albert ARIBAUD wrote:
> Hello again "A C",
>
> On Mon, 30 Nov 2015 00:31:28 -0800
> A C <agcme at hotmail.com> wrote:
>
>> On 2015-11-29 23:49, Albert ARIBAUD wrote:
>>> Hi again "A C",
>>>
>>> On Sun, 29 Nov 2015 23:19:28 -0800
>>> A C <agcme at hotmail.com> wrote:
>>>
>>>> On 2015-11-29 22:50, Albert ARIBAUD wrote:
>>>>> Hi "A C",
>>>>>
>>>>> On Sun, 29 Nov 2015 14:08:50 -0800
>>>>> A C <agcme at hotmail.com> wrote:
>>>>>
>>>>>> Ok, this question is for a much older version of dnsmasq because
>>>>>> I haven't been able to update the router firmware to bring in a
>>>>>> newer version.  I'm currently using version 2.35
>>>>>>
>>>>>> My current internal IP space is 10.0.0.0/255.255.0.0 (A Class B
>>>>>> subnet of the 10.x.x.x Class A space).   I have a VPN server on
>>>>>> the network that I use when I'm away from home.  It uses the
>>>>>> 10.100.0.0 network space for the remote clients.
>>>>>>
>>>>>> What I would like to do is configure dnsmasq on my router to
>>>>>> answer authoritatively for any requests about addresses in that
>>>>>> 10.100.0.0 network even though the main network is outside that
>>>>>> space.  The VPN clients are assigned these extra IPs statically
>>>>>> so I would just be adding them to the router's hosts file for
>>>>>> dnsmasq to pick up.
>>>>>>
>>>>>> According to online man pages (the router doesn't have them
>>>>>> because of space) there's a rev-server option which appears to be
>>>>>> what I want but I can't determine if rev-server is supported in
>>>>>> 2.35 or if it's a later addition.
>>>>> As per the current manpage, the --rev-server option is just
>>>>> syntactic sugar for --server. Therefore, if --rev-server does what
>>>>> you need, so does --server, and IIUC, it does not work as a
>>>>> "reverse query router".
>>>>>
>>>> Hi Albert,
>>>>
>>>> I did try server but it's not working.  Attempting to resolve a
>>>> hostname in the alternate netblock tries to send upstream.
>>>>
>>>> My current network has my router serving as DNS and DHCP server via
>>>> dnsmasq.  The VPN server has dnsmasq running with the goal of being
>>>> authoritative for any of the VPN clients (the VPN software can
>>>> write to the hosts file on the server as clients come and go).
>>>>
>>>> My router's configuration has local=/example.com/ (of course I'm
>>>> using my real domain but it's not important for this)
>>>> I added an additional line server=vpn.example.com/10.0.0.140 (my
>>>> vpn server having the address 10.0.0.140)
>>> OK, so from the docs, any request for "*.vpn.example.com" will be
>>> forwarded to 10.0.0.140. Is that what you want?
>> Yes, that's exactly correct.  I want to address the vpn clients as
>> <client>.vpn.example.com and I want the vpn server to be the DNS
>> server for that subdomain.  The main dnsmasq in the router should
>> simply defer to the vpn server.
>>
>>>> On the VPN server, I have local=/vpn.example.com/ and the hosts
>>>> file is populated by the server, for example:
>>>> 10.100.0.10 client1.vpn.example.com
>>>>
>>>> On the VPN server I can run a DNS query against localhost and
>>>> dnsmasq there returns the proper IP address.  However, if I query
>>>> using the router as the DNS server, the query actually gets sent
>>>> upstream to the ISP and I eventually get a failure.
>>>>
>>>> I also tried server=/0.100.10.in-addr.arpa/10.0.0.140 with no luck
>>>> and I also added local=/vpn.example.com/ (so now there are two
>>>> local directives) but the end result is that the query is not
>>>> forwarded over to the VPN server, it's sent up to the ISP.
>>> What is the physical and logical topology of your network, and what
>>> are your router's and name server's networking configurations, both
>>> in terms of hardware interfaces and of software settings such as IP
>>> addresses and netmasks per interface, gateway(s), and routing
>>> table(s)?
>>>
>> The entire private network is 10.0.0.0/16 and all machines are
>> attached to the single NAT router.  Everything going on is internal
>> only, none of this traffic should exit the private network.
>>
>> The main router is 10.0.0.1, the VPN server is 10.0.0.140, all normal
>> clients on the network are 10.0.0.0/16.
>> VPN clients coming in from the outside receive 10.100.0.0/24 so that
>> it falls outside of the internal network (otherwise routing breaks).
> That depends on how you set it up, actually, and probably on the size
> of the network, but for my (admittedly small) network, VPN connections
> are handled by a bridging OpenVPN instance on a TAP device bridged with
> a physical interface. Local and VPN clients thus use the same DHCP
> server and therefore coexist in the same subnet, and have access to the
> same servers, including the DNS server.
>
> Now, a separated subnet for VPN client works too, as long as the VPN
> server does the natting for them -- again, OpenVPN does that normally,
> so that no packet on 10.0.*.* should have a source or destination IP of
> 10.100.*.*.
>
>> There's only one internal interface on the router, eth1, and it's the
>> only interface that dnsmasq is listening on (conf file says
>> interface=eth1) with the same /16 netmask.  The external interface is
>> eth0.
> Does that mean there is also an eth0 interface on the router?
>
>> The VPN server has only one interface on the network, it's eth0 also
>> with /16.  The clients come in via tunnels so they show up on the VPN
>> server as tun[] devices and the VPN server takes care to route onto
>> the main network.
>>
>> The router has four defined routes.  Two of the routes are for the
>> outbound external interface and all public IPs.  The other two routes
>> are for the internal network and the VPN client network.  Those are
>> defined as:
>>
>> net 10.100.0.0  gw 10.0.0.140 mask 255.255.255.0 if eth1 (remapping
>> gateway to the vpn server for the VPN block)
>> net 10.0.0.0 gw * mask 255.255.0.0 if eth1 (default route)
>>
>> The VPN server also has four routes, two are for its eth0 to the rest
>> of the network and the other two are the tun[] interfaces which are
>> only visible to connected clients.  The two eth0 routes are the
>> default route and the local network:
>>
>> net 0.0.0.0 gw 10.0.0.1 mask 0.0.0.0 eth0
>> net 10.0.0.0 gw * mask 255.255.0.0 eth0
>>
>> Every client on the internal network has DNS defined to be the
>> router. None of them are aware of any external DNS (every resolv.conf
>> or equivalent is set to 10.0.0.1).  The VPN clients have the same
>> configuration pushed to them on connect.  The only device on the
>> network aware of additional DNS servers is the router.  Its
>> resolv.conf points to the ISP DNS servers.  The IP address is static
>> so the entire configuration is static including the DNS servers (no
>> live rewriting of resolv.conf).
>>
>> All traffic and DNS lookups work for the main network hosts
>> (*.example.com) even from the VPN clients.  I can be on a VPN client
>> and ask for the IP of device.example.com and get an answer that is in
>> the 10.0.0.0/16 block as expected.  Reverse communication (i.e. ping)
>> is possible to the VPN client IP addresses so now it's just a matter
>> of getting DNS working.  I can manually query the VPN's dnsmasq using
>> dig or nslookup for a *.vpn.example.com address from any other network
>> machine and get a proper answer.  But if I query the router's dnsmasq, I
>> get NXDOMAIN.
>>
>> I am also watching the VPN server's input for DNS packets.  When I
>> query the router's dnsmasq, the VPN server is never sent a DNS query
>> packet so the router's dnsmasq is not forwarding the request over to
>> the VPN server.  I can see the packet when I query direct just not
>> when I try to go through the router's dnsmasq.
> Can you watch the router's DNS traffic rather than the VPN server's?
> Possibly give a tcpdump of a successful and a failed DNS request? I
> assume you cannot change how dnsmasq runs on the router but if you can,
> then try having it log the successful and failed DNS requests too.
> This log might show whether a request is forwarded or cached, for
> instance.
>
I can't do a dump of traffic on the router but I think I should be able
to get logging working.  However, watching the traffic on the VPN I'm
confident the request is not being forwarded to the VPN server.  I
presume the log-queries directive will be sufficient for this.  I will
try it this evening.
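As an added illustration (not a file from this thread), here are the two dnsmasq configurations the thread describes, written in the `server=/<domain>/<address>` form dnsmasq documents, with the reverse zone delegated the same way and log-queries enabled so the router's log shows where each lookup was answered. The domain, addresses and hosts entry are the thread's; the file paths and the VPN server's hosts file name are assumptions, and whether version 2.35 applies the "more specific domain wins" rule that current dnsmasq documents for local= versus server= is not established by the thread.

```conf
# --- Router (10.0.0.1) /etc/dnsmasq.conf : constructed example ---
interface=eth1
# Answer example.com from the router's own hosts/leases, never upstream.
local=/example.com/
# Delegate the VPN subdomain and its reverse zone to the VPN server's
# dnsmasq.  Note the leading slash: without it the value is not read as
# a domain-to-server mapping.  In current dnsmasq the more specific
# vpn.example.com entry takes precedence over local=/example.com/
# (assumption for 2.35).
server=/vpn.example.com/10.0.0.140
server=/0.100.10.in-addr.arpa/10.0.0.140
# Log every query and whether it was answered from config, cache or
# forwarded (and to which server).
log-queries

# --- VPN server (10.0.0.140) /etc/dnsmasq.conf : constructed example ---
# Authoritative for the VPN names and their reverse zone; nothing in
# these zones is ever forwarded upstream.
local=/vpn.example.com/
local=/0.100.10.in-addr.arpa/
# Extra hosts file the VPN software rewrites as clients come and go
# (path assumed).  Entries are full names, e.g.:
#   10.100.0.10 client1.vpn.example.com
addn-hosts=/etc/hosts.vpn
log-queries
```

With log-queries on the router, a lookup for client1.vpn.example.com should produce a log line showing the query being forwarded to 10.0.0.140; a line showing it forwarded to the ISP resolver instead means the delegation line is not matching.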


