DNS Loop Problem: Configuring Central DNS Server for Multiple LANs

I have two LANs connected through a WireGuard tunnel. I've configured search domains for both LANs, allowing me to access my machines using intuitive domain names. The first LAN, "192.168.35.0/24", is referred to as "op1" (OpenWrt 1), and the other, "192.168.36.0/24", is "op2".

I intend to use op1's DNS server as my central DNS server due to some complex settings on op1. Accordingly, on op1, I've set 192.168.36.1 as the upstream DNS server for "*.op2" domains, and this configuration is functioning well.

On op2, I've configured 192.168.35.1 as the default upstream DNS server. However, an issue arises when attempting to resolve "debian12-docker.op2" (a Docker container in the op2 LAN). Op2's dnsmasq retrieves the correct answer from the DHCP lease file, but it still sends a DNS request to op1. Subsequently, op1 forwards the DNS request back to op2, creating a loop. As a result, the request cannot be resolved correctly, leading to error messages such as "No answer" or "SERVFAIL."

I'm seeking guidance on how to prevent op2 from sending requests to the upstream DNS server when resolving local search domains. Is there a misconfiguration in my settings?

The nslookup output:

    root@op2 ➜  ~ nslookup debian12-docker.op2
    Server:         127.0.0.1
    Address:        127.0.0.1:53

    Name:   debian12-docker.op2
    Address: 192.168.36.137

    *** Can't find debian12-docker.op2: No answer

Tcpdump found a request loop between op1 and op2:

    root@op2 ➜  ~ tcpdump -ni any udp port 53 |grep debian
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    10:42:06.385808 IP 127.0.0.1.53119 > 127.0.0.1.53: 51457+ A? debian12-docker.op2. (37)
    10:42:06.385822 IP 127.0.0.1.53119 > 127.0.0.1.53: 51714+ AAAA? debian12-docker.op2. (37)
    10:42:06.388495 IP 10.0.32.2.53348 > 192.168.35.1.53: 13219+ AAAA? debian12-docker.op2. (37)
    10:42:06.389850 IP 10.0.32.1.59871 > 192.168.36.1.53: 7106+ [1au] AAAA? debian12-docker.op2. (48)
    10:42:06.389983 IP 10.0.32.2.39748 > 192.168.35.1.53: 20089+ [1au] AAAA? debian12-docker.op2. (48)
    10:42:06.391086 IP 10.0.32.1.37076 > 192.168.36.1.53: 37382+ [1au] AAAA? debian12-docker.op2. (48)
    10:42:08.889751 IP 127.0.0.1.53119 > 127.0.0.1.53: 51714+ AAAA? debian12-docker.op2. (37)
    10:42:08.890363 IP 10.0.32.2.53348 > 192.168.35.1.53: 13219+ AAAA? debian12-docker.op2. (37)
    10:42:08.892259 IP 10.0.32.1.59755 > 192.168.36.1.53: 7106+ [1au] AAAA? debian12-docker.op2. (48)
    10:42:08.892541 IP 10.0.32.2.39748 > 192.168.35.1.53: 20089+ [1au] AAAA? debian12-docker.op2. (48)
    10:42:08.894341 IP 10.0.32.1.33708 > 192.168.36.1.53: 37382+ [1au] AAAA? debian12-docker.op2. (48)
    10:42:08.894564 IP 10.0.32.2.39748 > 192.168.35.1.53: 20089+ [1au] AAAA? debian12-docker.op2. (48)
    10:42:08.896553 IP 10.0.32.1.48899 > 192.168.36.1.53: 37382+ [1au] AAAA? debian12-docker.op2. (48)

My op2 dnsmasq configuration:

    config dnsmasq
            option domainneeded '1'
            option localise_queries '1'
            option local '/lan/'
            option domain 'op2'
            option expandhosts '1'
            option authoritative '1'
            option readethers '1'
            option leasefile '/tmp/dhcp.leases'
            option ednspacket_max '1232'
            option rebind_protection '0'
            option port '53'
            list server 192.168.35.1
            #option confdir '/etc/dnsmasq.d'
            option localservice '0'
            option noresolv '1'
            option localuse '1'
            option cachesize '0'

You really ought to use a top-level domain like lan or home and have op1 and op2 be the second-level domain. For example, op2.lan instead of just op2. This would result in domains like debian12-docker.op2.lan for your Docker container.

That being said, this immediately sticks out to me:

    option local '/lan/'
    option domain 'op2'

Change this to:

    option local '/op2/'
    option domain 'op2'

Refer to the DNSMASQ man page:

    -S, --local, --server=[/[<domain>]/[domain/]][<server>[#<port>]][@<interface>][@<source-ip>[#<port>]]
    ...
    Also permitted is a -S flag which gives a domain but no IP address; this tells dnsmasq that a domain is local and it may answer queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers. --local is a synonym for --server to make configuration files clearer in this case.

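As an added example that is not part of this thread or of OpenWrt, here is a small POSIX sh check for the mismatch the answer points out: it reads a `config dnsmasq` section as text, pulls out `option local` and `option domain`, and reports whether the DHCP domain is actually covered by a `--local` zone (it also accepts the answer's recommended `op2.lan` under `/lan/`, since dnsmasq treats subdomains of a local zone as local). The function names and the three config sections are constructed for the example.

```shell
# Check a "config dnsmasq" section from OpenWrt's /etc/config/dhcp for the
# loop in this thread: dnsmasq only refuses to forward names under the zones
# listed in "option local"; "option domain" alone does not stop forwarding,
# so a mismatch sends *.op2 queries upstream although the lease file has
# the answer. The sections below are constructed samples, not live config.

# The poster's op2 section reduced to the relevant lines (mismatched).
BROKEN_CFG="config dnsmasq
        option localise_queries '1'
        option local '/lan/'
        option domain 'op2'"

# The same section with the accepted fix applied.
FIXED_CFG="config dnsmasq
        option local '/op2/'
        option domain 'op2'"

# The answer's recommended layout: op2 as a second-level name under lan.
# dnsmasq treats subdomains of a --local zone as local, so /lan/ covers it.
SUBZONE_CFG="config dnsmasq
        option local '/lan/'
        option domain 'op2.lan'"

# uci_option CONFIG NAME -> value of "option NAME 'value'", quotes stripped.
# NAME must be followed by whitespace so that "local" does not also match
# "localise_queries" or "localservice".
uci_option() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*option $2[[:space:]]\{1,\}'\{0,1\}\([^']*\)'\{0,1\}.*$/\1/p" |
        head -n 1
}

# check_local_domain CONFIG -> prints "ok" or "loop-risk: ...", exit 0 or 1.
check_local_domain() {
    local_val=$(uci_option "$1" local)
    domain_val=$(uci_option "$1" domain)
    [ -n "$domain_val" ] || { echo "no-domain: option domain is unset"; return 1; }
    old_ifs=$IFS; IFS=/                  # "local" holds /zone1/zone2/...
    for zone in $local_val; do
        [ -n "$zone" ] || continue
        case "$domain_val" in
            "$zone"|*."$zone") IFS=$old_ifs; echo ok; return 0 ;;
        esac
    done
    IFS=$old_ifs
    echo "loop-risk: '$domain_val' not covered by local='$local_val'; *.$domain_val goes upstream"
    return 1
}

check_local_domain "$BROKEN_CFG" || true; check_local_domain "$FIXED_CFG"; check_local_domain "$SUBZONE_CFG"
```

On a router, the same check can be fed the live section with `uci export dhcp` (standard OpenWrt command) piped into a variable.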

Thank you! It works! I apologize for not discovering this straightforward configuration earlier. :rofl:
