19.07.7: DNS-Server behind tun0 not reachable

Gotthard · May 2, 2021, 3:41pm

Hi, folks,
My main router is a Bananapi R2, master branch, fresh built.
It serves DHCP, DNS, DLNA, VPN in finest manner, but one feature is missing
it should resolve queries for my private network behind vpn and gets timeout
Configuration is like this:

        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option leasefile '/tmp/dhcp.leases'
        option rebind_protection '0'
        option boguspriv '0'
        option readethers '1'
        option expandhosts '1'
        option localservice '0'
        list server '/my.company.com/10.0.0.1'
        option resolvfile '/tmp/resolv.conf.auto'
        option authoritative '1'
        option nonwildcard '0'

An Archer C7 running current 19.07.7 openwrt image in same LAN behind the Bananapi router using these settings can successful resolv queries like
nslookup server1.my.company.com and so other clients in the lan, if they using the archer for dns.
The main router itself giving timeout during querying.
What I´m missing here? May be firewall settings?
Firewall zone settings are both LAN<->VPN accept no masquerading because my LAN is routable to company LAN. Additionally traffic rules are allowing UDP traffic from device to VPN.
Thanks in advance for hints

vgaetera · May 2, 2021, 3:48pm

Assing the VPN interface to the LAN firewall zone.
Make sure to use topology subnet on the server.
Specify the server VPN IP as DNS on the client.

Gotthard · May 3, 2021, 5:56am

Thx for fast answer, now the results and questions

assigning the interface to LAN zone doesn´t help.
On which server I should use topology subnet? On remote site there is a Sophos XG and the possibilities are limited
Your last hint is cryptic.
for clarification. all clients on the LAN can query the VPN-DNS using nslookup server1.my.company.com 10.0.0.1, but not the openwrt router itself. In system protocol I see the forwarding of the query to the VPN, but it seems the answer is not arriving on the router

BTW: ping from router in VPN also doesn´t work.

Gotthard · May 4, 2021, 6:19am

Solved. Accidentally I had a short downtime at provider site. After reconnect I needed to restart the VPN connection manually and after this the dns resolution works as expected. May be the assigning of tun0 to lan zone needs a reconnect?

Gotthard · May 4, 2021, 10:10am

Not solved. Some time later same behavior.

trendy · May 4, 2021, 10:48am

If you can see the queries going out, but no replies coming back you should troubleshoot on the server side.

Gotthard · March 23, 2022, 8:35pm

Finally solved. Meanwhile I have SNAPSHOT r19162 running, the name resolution works since several new builts.
After comparing the config files from last year and today, I see these additions or changes

list interface 'lan'
option localservice '1'
option rebind_protection '1'
list rebind_domain 'my.company.com'
option rebind_localhost '1'

These entries are missing in current config

option localise_queries '1'
option nonwildcard '0'

Just to close this open question

system · April 2, 2022, 8:35pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.