DNS Config for LAN within a LAN

Hello,

I'm using OpenWrt in a different way than the typical use case of routing to the internet. I don't think it matters much for the discussion, but the hardware are all Espressobin V7 boards.

I have machines that I deploy inside our company that have several devices on them to run the machine: cameras, industrial controllers, visualization PCs, etc. These can be considered embedded devices in spirit. These are assigned to the "lan" zone in OpenWRT.

We also have a company wide network (one subnet actually) that the machine routers connect to which I've left as the zone "wan" to make setup easier. This is a typical small office network with several Microsoft servers and PC workstations, printers, etc.

The goal of this is to limit (or eliminate) the number of static IPs on our network associated with machinery, provide a bidirectional firewall both for security reasons and to have limited traffic on the embedded devices on our machine. Of course, having a medium power linux computer on every machine could be very handy!

Most of the devices only need to be accessed occasionally so that I can set them up or program them with my laptop computer directly connected to the "wan" side. I have had good luck in setting these up as port forwards for the most part.

One or two of my machine devices need to access a couple of servers on our company network for things like SMB shares and MS SQL database (file backup and database logs/lookups).

On our "machine" side or "lan" zone the devices are static IP but I leave DHCP enabled for new devices that need to be configured, etc. For the company side or "wan" zone the router is getting its IP and suggesting its hostname via the company DHCP server. This is pretty slick in that I can access each machine by their actual name and I can give it a name right through the Luci interface.

I want my embedded devices to be able to access the company servers by name and have the firewall rules be defined as names as well. I originally did this by setting up a port forward routing rule to access the company's DNS server port. This seemed a bit cheap/cheating and I think I needed to use a numeric IP address which kind of defeats the purpose.

So, with all that background, here are the questions:

What is the best way for my "lan" zone devices to be able to use hostnames of the company servers listed on the "wan" zone DNS server? Can Dnsmasq be set up to do this or am I just going to have to do some fancy script files running lookup commands in the background populating host name tables? Will either of these allow me to specify DNS names in the /etc/config/firewall config file?

Thanks!
MAD

Shouldn't it work automatically since the "lan" zone devices forward their DNS requests to the OpenWrt routers, which should forward them to the company DNS server?
But you have to use the fully qualified domain name unless you add the company domain to the DNS search list.


Mikma,

For that to work would I configure my "lan" devices to use the openwrt's address on "lan" as the DNS server?

When I SSH into the OpenWrt I can only ping and resolve the internet names like www.google.com (I tried our company's domain suffix to no avail). I can ping with a numeric IP address though. I realize that this is different than trying from a device on the "lan" network, which I can try later once I get a PC hooked up to the "lan" network.

Thank you.
MAD

Yes, that's the default when using DHCP, but when using static IPs you need to configure it manually.

Have you configured the company DNS server on the OpenWrt either automatically (dhcp) or manually on the wan interface?

You can also run nslookup to check if the company DNS resolver returns the expected results.

nslookup <domain> <dns resolver>


Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

The wan is setup to pull info from the company DHCP server.

I'm not sure if this is what you asked but I did the nslookup command like this:
Note: domain and IP address changed.

root@OpenWrt:~# nslookup mydomain.com ZZ.ZZ.ZZ.253
Server:         ZZ.ZZ.ZZ.253
Address:        ZZ.ZZ.ZZ.253#53

Name:      mydomain.com
Address 1: ZZ.ZZ.ZZ.253
*** Can't find mydomain.com: No answer

See my next answer, I have all the output from the command trendy posted.

Here is the output of the command you posted. I changed the IPs, but where I did I was consistent with the naming. I also zeroed some of the ports and descriptions on port forwards, but in reality they were valid descriptions and port numbers.

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "4.14.167",
        "hostname": "OpenWrt",
        "model": "Globalscale Marvell ESPRESSOBin Board V7",
        "board_name": "globalscale,espressobin-v7",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.1",
                "revision": "r10911-c155900f66",
                "target": "mvebu/cortexa53",
                "description": "OpenWrt 19.07.1 r10911-c155900f66"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7b:db8d:9b34::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr 'YY.YY.YY.1'

config interface 'wan'
        option ifname 'wan'
        option proto 'dhcp'
        option hostname 'XXXX-SPARE2'

config interface 'wan6'
        option ifname 'wan'
        option proto 'dhcpv6'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option forward 'REJECT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'REJECT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option dest_port '80'
        option src 'wan'
        option name 'Allow LUCI from WAN'
        option target 'ACCEPT'

config rule
        option dest_port '22'
        option src 'wan'
        option name 'Allow SSH from WAN'
        option target 'ACCEPT'

config redirect
        option dest_port '0000'
        option src 'wan'
        option name ''
        option src_dport '0000'
        option target 'DNAT'
        option dest_ip 'YY.YY.YY.11'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '0000'
        option src 'wan'
        option name ''
        option src_dport '0000'
        option target 'DNAT'
        option dest_ip 'YY.YY.YY.10'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '0000'
        option src 'wan'
        option name ''
        option src_dport '0000'
        option target 'DNAT'
        option dest_ip 'YY.YY.YY.15'
        option dest 'lan'
        list proto 'tcp'

config rule
        option src_port '0000'
        option src 'wan'
        option name ''
        option target 'ACCEPT'
        option dest 'lan'
        list dest_ip 'YY.YY.YY.15'
        option dest_port '0000'
        list proto 'tcp'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Jan 29  2020 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Oct 29 18:42 /etc/resolv.confbak
-rw-r--r--    1 root     root            32 Oct 29 16:21 /tmp/resolv.conf
-rw-r--r--    1 root     root            61 Oct 29 16:21 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /etc/resolv.confbak <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver ZZ.ZZ.ZZ.253
search mydomain.com
head: /tmp/resolv.*/*: No such file or directory
root@OpenWrt:~#

I hope that this makes sense. Thank you for your help!
MAD

No need to masquerade on the lan zone.

The allow rules you have on the wan are not needed if the INPUT of wan zone is ACCEPT.

Other than that you are using the ZZ.ZZ.ZZ.253 as nameserver from the wan interface, which seems to be resolving successfully.

I don't see why it won't work.

That is tricky as the name is resolved once the firewall is starting. If it changes, the firewall won't know.

If you assign IPs with DHCP, then you can leave everything to default. Hosts will query OpenWrt and OpenWrt will relay the query to company nameserver.
If addresses are static, you can configure the OpenWrt as nameserver.


Thank you Trendy,

I was wondering about the lan masquerade, I will disable that. I'm still learning these things.

I will remove the WAN rules as you pointed out, keep it simple. I think these were leftover from the default config.

I don't mind restarting the routers (or firewalls) if we ever have a server reassignment. They haven't changed in years as they are on a reserved IP arrangement.

I'm hoping to config one of my embedded PCs today so that I can test out the DNS. I'll let you all know what I find.

Thanks!
MAD

I've got a computer configured on my lan (win 10). I have it configured to use the openwrt IP address as the default router as well as the DNS server.

I wasn't even able to see my servers on the company network so I pretty much opened up the router firewall to accept everything. I am able to ping servers on the company network now, including the nameserver.

I'm still not able to use DNS at all, using ping just says bad address (whether or not I append the domain suffix to the server names). The same thing with nslookup.

Here is the latest config output:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "4.14.167",
        "hostname": "OpenWrt",
        "model": "Globalscale Marvell ESPRESSOBin Board V7",
        "board_name": "globalscale,espressobin-v7",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.1",
                "revision": "r10911-c155900f66",
                "target": "mvebu/cortexa53",
                "description": "OpenWrt 19.07.1 r10911-c155900f66"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7b:db8d:9b34::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr 'A.B.C.1'

config interface 'wan'
        option ifname 'wan'
        option proto 'dhcp'
        option hostname 'XXXX-SPARE2'

config interface 'wan6'
        option ifname 'wan'
        option proto 'dhcpv6'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'wan'

config rule
        option dest_port '80'
        option src 'wan'
        option name 'Allow LUCI from WAN'
        option target 'ACCEPT'

config rule
        option dest_port '22'
        option src 'wan'
        option name 'Allow SSH from WAN'
        option target 'ACCEPT'

config redirect
        option dest_port '5007'
        option src 'wan'
        option name 'Melsoft Program Connection'
        option src_dport '5007'
        option target 'DNAT'
        option dest_ip 'A.B.C.11'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '3389'
        option src 'wan'
        option name 'Kingstar PC Remote Desktop'
        option src_dport '3389'
        option target 'DNAT'
        option dest_ip 'A.B.C.10'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '50000'
        option src 'wan'
        option name 'Keyence Marker Builder 3'
        option src_dport '50000'
        option target 'DNAT'
        option dest_ip 'A.B.C.15'
        option dest 'lan'
        list proto 'tcp'

config rule
        option src_port '50000'
        option src 'wan'
        option name 'Keyence Marker Builder'
        option target 'ACCEPT'
        option dest 'lan'
        list dest_ip 'A.B.C.15'
        option dest_port '50000'
        list proto 'tcp'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Jan 29  2020 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Nov  2 15:40 /etc/resolv.confbak
-rw-r--r--    1 root     root            32 Nov  2 15:42 /tmp/resolv.conf
-rw-r--r--    1 root     root            61 Nov  2 15:40 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /etc/resolv.confbak <==

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver X.Y.Z.253
search mydomain.com
head: /tmp/resolv.*/*: No such file or directory
root@OpenWrt:~#

Anything more that I can try?

Thanks,
MAD

You should check on the nameserver the logs. Does the query arrive? Is there a reply or not?

I don't have access to the company server but I set up the log for dnsmasq and got the following:

root@OpenWrt:~# cat /tmp/dnsmasq.log
Nov  2 19:36:51 dnsmasq[2464]: started, version 2.80 cachesize 150
Nov  2 19:36:51 dnsmasq[2464]: DNS service limited to local subnets
Nov  2 19:36:51 dnsmasq[2464]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
Nov  2 19:36:51 dnsmasq-dhcp[2464]: DHCP, IP range A.B.C.100 -- A.B.C.249, lease time 12h
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain test
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain onion
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain localhost
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain local
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain invalid
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain bind
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain lan
Nov  2 19:36:51 dnsmasq[2464]: reading /tmp/resolv.conf.auto
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain test
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain onion
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain localhost
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain local
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain invalid
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain bind
Nov  2 19:36:51 dnsmasq[2464]: using local addresses only for domain lan
Nov  2 19:36:51 dnsmasq[2464]: using nameserver X.Y.Z.253#53
Nov  2 19:36:51 dnsmasq[2464]: read /etc/hosts - 4 addresses
Nov  2 19:36:51 dnsmasq[2464]: read /tmp/hosts/odhcpd - 1 addresses
Nov  2 19:36:51 dnsmasq[2464]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Nov  2 19:36:51 dnsmasq-dhcp[2464]: read /etc/ethers - 0 addresses

A.B.C.x is my lan network and X.Y.Z.253 is the company DNS server. I don't see how the dnsmasq even knows which network to use.

Note:

If I copy /tmp/resolv.conf.auto to /etc/resolv.conf I am able to ping from the openwrt machine (using ssh). It still doesn't seem to work from a device on the lan, however.

You'll need to copy-paste here what you are doing on the console, we cannot guess.

Are you pinging the fqdn or just a hostname? The resolv.conf.auto is using your company's domain for search, the default one is using .lan .


Sorry I haven't gotten back to reply. I've been remote part time due to covid and my kids' school schedules, and it makes testing certain things difficult over a VPN.

I tried the hostname and fully qualified domain name (FQDN) in response to the last post. Both worked on the openwrt machine through ssh (with the copied resolv.conf file) but neither worked for a PC sitting on my lan side. I always try the hostname and FQDN.

For what it's worth, I did try to restore the default settings and used DHCP such that it was as vanilla an installation as possible. I could resolve internet addresses from my lan side PC but not my company servers on the wan.

I've resorted to port forwarding on port 53 to the DNS server. I don't know what else to do and this is working fine. The down side is that I had to hard code the DNS server address in the port forward rule, which isn't good practice. I could write a script that finds the DNS server address reported by DHCP, but I thought that dnsmasq is supposed to do all of this already.

I don't know if it makes a difference or not but the company DNS server is a Windows server. I would think all of that is standards compliant anyway?

Thanks,
MAD

I don't think there is any incompatibility between Windows server and OpenWrt.
My last idea is to look at the packets. Install tcpdump if you don't have it already: opkg update; opkg install tcpdump
Then capture dns packets and start queries from the lan hosts.
tcpdump -i any -evn udp port 53

Trendy,

I did the tcpdump and it looks like maybe the server is being queried and responding but nothing is getting back to the ping command AFAIK.

I've included the ssh tcpdump output first, with the second bit containing the ping that created the TCP traffic. I've obscured the wan as 192.X.Y.n and the lan as 10.A.B.n

10.A.B.1 -> Openwrt.lan router
10.A.B.10 -> windows PC on lan side
192.X.Y.253 -> company (wan) NFS server.
192.X.Y.3 -> myfs.mydomain.com


root@OpenWrt:~# tcpdump -i any -evn udp port 53
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
18:58:05.657500  In b4:2e:99:4d:d5:1e ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 111, offset 0, flags [none], proto UDP (17), length 60)
    10.A.B.10.60852 > 10.A.B.1.53: 26627+ A? myfs.mydomain.com. (32)
18:58:05.657500  In b4:2e:99:4d:d5:1e ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 111, offset 0, flags [none], proto UDP (17), length 60)
    10.A.B.10.60852 > 10.A.B.1.53: 26627+ A? myfs.mydomain.com. (32)
18:58:05.659399 Out f0:ad:4e:0c:cb:4b ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 11920, offset 0, flags [DF], proto UDP (17), length 60)
    192.X.Y.99.17550 > 192.X.Y.253.53: 44771+ A? myfs.mydomain.com. (32)
18:58:05.659491 Out f0:ad:4e:0c:cb:4b ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 11920, offset 0, flags [DF], proto UDP (17), length 60)
    192.X.Y.99.17550 > 192.X.Y.253.53: 44771+ A? myfs.mydomain.com. (32)
18:58:05.659977  In 4c:d9:8f:38:82:b7 ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 128, id 23128, offset 0, flags [none], proto UDP (17), length 76)
    192.X.Y.253.53 > 192.X.Y.99.17550: 44771* 1/0/0 myfs.mydomain.com. A 192.X.Y.3 (48)
18:58:05.665347 Out f0:ad:4e:0c:cb:4b ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 36332, offset 0, flags [DF], proto UDP (17), length 60)
    10.A.B.1.53 > 10.A.B.10.60852: 26627* 0/0/0 (32)
18:58:05.665396 Out f0:ad:4e:0c:cb:4b ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 36332, offset 0, flags [DF], proto UDP (17), length 60)
    10.A.B.1.53 > 10.A.B.10.60852: 26627* 0/0/0 (32)
18:58:05.665419 Out f0:ad:4e:0c:cb:4b ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 36332, offset 0, flags [DF], proto UDP (17), length 60)
    10.A.B.1.53 > 10.A.B.10.60852: 26627* 0/0/0 (32)
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~#



C:\Windows\system32>ping myfs.mydomain.com
Ping request could not find host myfs.mydomain.com. Please check the name and try again.

C:\Windows\system32>

Both 192.168 and 10. addresses are private, you don't need to redact them.
Since you have private IPs in both sides of OpenWrt, disable the boguspriv, rebind_protection, and rebind_localhost

This Worked!

If you don't mind, what do you think was happening?

Thank you so much!

~MAD

You are querying a nameserver with private IP. If we knew from the beginning that it has private IP we would have solved it earlier.

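As an added illustration of the diagnosis above (this is not code from the thread or from OpenWrt), the script below pairs queries with replies in a capture in the same format as the "tcpdump -i any -evn udp port 53" output posted earlier, flags a name whose upstream answer was a private address but whose reply to the LAN client came back with zero records, and lists the dnsmasq options from a "uci export dhcp" dump that govern that filtering. The capture and config excerpt are constructed with placeholder addresses.

```python
"""Spot dnsmasq private-address filtering in a tcpdump capture and the
OpenWrt dnsmasq options that control it. Added example, not thread code."""
import re
from ipaddress import ip_address

# Constructed sample in the layout of "tcpdump -i any -evn udp port 53";
# MACs and addresses are placeholders, not the poster's network.
SAMPLE_CAPTURE = """\
18:58:05.657500  In b4:2e:99:4d:d5:1e ethertype IPv4 (0x0800), length 76: (...)
    10.0.0.10.60852 > 10.0.0.1.53: 26627+ A? myfs.mydomain.com. (32)
18:58:05.659399 Out f0:ad:4e:0c:cb:4b ethertype IPv4 (0x0800), length 76: (...)
    192.168.1.99.17550 > 192.168.1.253.53: 44771+ A? myfs.mydomain.com. (32)
18:58:05.659977  In 4c:d9:8f:38:82:b7 ethertype IPv4 (0x0800), length 92: (...)
    192.168.1.253.53 > 192.168.1.99.17550: 44771* 1/0/0 myfs.mydomain.com. A 192.168.1.3 (48)
18:58:05.665347 Out f0:ad:4e:0c:cb:4b ethertype IPv4 (0x0800), length 76: (...)
    10.0.0.1.53 > 10.0.0.10.60852: 26627* 0/0/0 (32)
"""

# Constructed excerpt of "uci export dhcp" with the defaults seen in the thread.
SAMPLE_DHCP_CONFIG = """\
config dnsmasq
        option boguspriv '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option resolvfile '/tmp/resolv.conf.auto'
"""

IPPORT = r"(\d+\.\d+\.\d+\.\d+)\.(\d+)"
QUERY_RE = re.compile(rf"^\s+{IPPORT} > {IPPORT}: (\d+)\+ A\? (\S+) \(\d+\)$")
REPLY_RE = re.compile(rf"^\s+{IPPORT} > {IPPORT}: (\d+)\*? (\d+)/\d+/\d+(.*)\(\d+\)$")
A_RR_RE = re.compile(r"\bA (\d+\.\d+\.\d+\.\d+)")


def analyze_capture(text):
    """Pair each reply with its query by (destination, port, transaction id).
    A name is 'stripped' when one responder (the upstream server) answered it
    with private addresses only, while another responder (the forwarder, here
    dnsmasq on the router) answered the same name with zero records."""
    pending = {}   # (dst_ip, dst_port, txid) -> queried name
    replies = {}   # name -> list of (responder_ip, answer_count, [addresses])
    for line in text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            src_ip, src_port, _, _, txid, name = q.groups()
            pending[(src_ip, src_port, txid)] = name.rstrip(".")
            continue
        r = REPLY_RE.match(line)
        if r:
            src_ip, _, dst_ip, dst_port, txid, ancount, rrs = r.groups()
            name = pending.get((dst_ip, dst_port, txid))
            if name is None:
                continue  # reply whose query was not captured; ignore it
            addrs = A_RR_RE.findall(rrs)
            replies.setdefault(name, []).append((src_ip, int(ancount), addrs))
    report = {}
    for name, answers in replies.items():
        private_upstream = [a for a in answers if a[1] > 0 and a[2]
                            and all(ip_address(ip).is_private for ip in a[2])]
        empty = [a for a in answers if a[1] == 0]
        report[name] = {
            "upstream_addresses": sorted({ip for a in private_upstream for ip in a[2]}),
            "stripped": bool(private_upstream and empty),
        }
    return report


def rebind_filter_options(uci_dhcp_export):
    """Return the enabled options in the 'config dnsmasq' section that the
    thread's fix disabled. rebind_protection is the one that discards upstream
    answers in private ranges; boguspriv covers reverse lookups of private
    ranges. A narrower alternative not discussed in the thread is to keep
    rebind_protection and exempt only the company domain with
    "list rebind_domain 'mydomain.com'"."""
    watch = {"rebind_protection", "rebind_localhost", "boguspriv"}
    found, in_dnsmasq = [], False
    for line in uci_dhcp_export.splitlines():
        if line.startswith("config "):
            in_dnsmasq = line.split()[1] == "dnsmasq"
        m = re.match(r"\s+option (\w+) '1'", line)
        if in_dnsmasq and m and m.group(1) in watch:
            found.append(m.group(1))
    return sorted(found)


if __name__ == "__main__":
    for name, info in analyze_capture(SAMPLE_CAPTURE).items():
        print(name, info)
    print("filtering options enabled:", rebind_filter_options(SAMPLE_DHCP_CONFIG))
```

Run it against a real capture by piping the tcpdump output into analyze_capture; a flagged name together with rebind_protection enabled is the pattern seen in this thread.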