DNS relay with 3 LEDE on the same LAN


I will try to explain properly what I have in my hands now.
This is the logic topology:

< Router 01 ><===== L2 OVPN Tunnel =====> < Router 02 > <===== L2 OVPN Tunnel =====> < Router 03>

Router 01
DHCP Server for: up to 255 (netmask
Has its own Internet access; it serves its IP as the gateway via DHCP
OpenVPN Client
LEDE Ver 17.04.4

Router 02
DHCP Server for: up to 199 (netmask
Has its own Internet access; it serves its IP as the gateway via DHCP
OpenVPN Server
LEDE Ver 17.04.4

Router 03
DHCP Server for: up to 99 (netmask
Has its own Internet access; it serves its IP as the gateway via DHCP
OpenVPN Client
LEDE Ver 17.04.4

Additional Information
I reserved up to 10 for OpenVPN L3 clients.
I used ebtables to block DHCP traffic inside the OpenVPN tunnels (the tapN interfaces), to be sure every router is the main gateway for its DHCP clients.
I cannot use the DHCP option because: 1. I can't send 3 DNS servers (some machines cannot handle them); 2. Some machines just use the first DNS server even when it cannot resolve the DNS name. They only use the second DNS server when the first one isn't accessible.

The Problem
I don't know how to solve the DNS queries in order to have Router 3 clients ping or use services from Router 1 clients via their names instead of their IP addresses. I solved it when I made every router belong to 3 different domains, but I want to share the same domain for all of them.

Any suggestions?


This issue is not unique to OpenWrt.

You have to ensure that your clients always query a DNS server or relay that possesses the hostnames, or queries a server that does. All servers in your DNS hierarchy should know the hostnames, that's how DNS works. There are countless methods of doing so:

  • Create your own DNS server
  • (probably difficult to set this up dynamically across all devices due to DHCP) Add the hostnames to all OpenWrt routers that will be queried
  • Ensure that all routers use a DNS server that knows the hostnames
  • (probably most costly) Register a global domain name and add entries there, as most registrars offer free DNS with purchase and parking
  • Etc.

Yes, this is the solution. Logically, they are in 3 different "domains" (as far as control of naming is concerned). Even if you were to make one device refer to the other for the same domain, I think this can only be done between 2 devices, because as you said, it will only get an answer for any given network, approximately 50% of the time.

Also, it appears you're using IPs in the range in the tunnel. If you also use this for LAN addressing, this may become a routing nightmare.

Oh, so sorry. I have been googling and searching the LEDE forum and the OpenWrt forum (when it was up) for a long time to avoid duplicates, so sorry if I failed.

Yes, it was my goal. But even if I found the way to do it, I thought it could be very hard to make it work, since it seems so easy to fall into infinite DNS query loops between all the OpenWrt routers when no router can resolve.

Can't, since the new DNS server won't handle hostnames given by machines when they acquire their IP via a DHCP request.

Can't either, since DHCP will be automatic. I don't know all the machines that are going to be connected. Maybe if there were some mechanism to announce the name of the host to the other routers when the host gets the proper IP address from its DHCP server.

Agree concerning naming control, but logically they share a LAN segment, which makes more sense to me as the equivalent of a "domain." From my point of view, "domain" should be a bigger concept than a DHCP section.

Of course, it is my goal. The main question is... how can I sync all hostnames across all 3 routers dynamically? Does a way exist to create a real DNS cluster?

No, I just use the first 10 IP addresses for L3 OpenVPN clients, just to treat them as local machines. I control which gateway I want to assign to them.



dnsmasq is great for embedded devices, but not full featured.

For what you're asking to do (real-time DNS replication and/or multi-target DDNS combined) you probably should look at unbound, nsd, and bind, as well as moving your DHCP to kea.

I'd evaluate the utility of what you're asking for against the time/cost of implementation.

Perhaps you have a good reason for three DHCP servers on the same network (since you're using L2 bridging), but that is generally a poor idea. A single server would be sufficient and preferred. It would simplify your configuration in general to have a single DHCP server and single DNS server (with appropriate fail-over if that was desired -- there's no redundancy in your configuration, as I understand it).

From my point of view, I just need a solution to make router 1 forward to the other routers when it receives a DNS resolution it doesn't know how to solve, while taking care not to forward DNS queries when they come from another OpenWrt (to avoid loops).

I tried to configure the WAN DNS for every router to ask the others, with weird behaviour due to loop queries, I guess. It also has the problem that I cannot configure more than 2 DNS servers per router, and I don't want to forget about high availability.

From my ignorance (sorry), is there some kind of "tag" to check if a DNS query is pure or forwarded?

DNS doesn't work the way it sounds like you think it does. I'd take some time to understand the concepts of recursive and non-recursive resolution, as well as how the domain name system, in general, works (from the root servers on down, including "glue").

I'd also rip out the craziness of three DHCP servers and three DNS servers on a single network. You do realize that there is absolutely no guarantee that a host on, say "segment A" will get its DHCP assignment from the server on segment A and not from segment B. All three servers will get the DISCOVER packet and respond and it will be up to the client's own, generally uncontrollable logic to determine which server it chooses to interact with. Not to mention a client that has a "stale" lease and tries to reestablish a new lease with that older address.


Hehe, it is probably my error. Can you suggest some documentation so I can understand it more properly? I would love to learn it. Ty.

No, this problem was solved when I filtered DHCP requests inside the OpenVPN tunnels with ebtables. And yes, I could use separate IP ranges, but I want to spread broadcast services across the whole topology.

I see absolutely no value in the segmentation and replication of services on the single network, just additional complication. Most of your "problems" are self-inflicted by that topology.

If you're in a commercial or other setting that requires high availability, you should be running an OS that better supports logging and failure-resistant disks and using commercial-grade software for those critical services, not this brittle, three-segment hack.

The 3-segment LAN is a geographical condition I cannot solve without an L2 tunnel. Trust me, it isn't a self-inflicted problem I would love to have :smiley: I must solve this issue and keep them as they were, on the same LAN. Which isn't such a weird topology, I guess.

I could build the LAN with just one DHCP server (and DNS), but then all of them would use just one gateway at the same time, which could be a waste of the bandwidth from each building.

It sounds like you have three LAN segments which you want to share LAN infrastructure, but each segment also has its own gateway and ISP whose bandwidth you want to utilize.

Can you filter ARP traffic in the tunnel and thereby duplicate one gateway IP in each segment? Everyone uses the same gateway, but each segment sees a different MAC address for it... the MAC of the local gateway machine.

Working back to the use case:

  • Three physical segments, each with their own gateway
  • Clients on each segment should be able to
    • Get a DHCP address and other configuration parameters
    • Get on-link broadcasts from the others
    • Use the "local" gateway
    • Resolve DHCP-assigned names (forward and reverse?)
  • Robust to link-down conditions (?)

I'd approach it along the lines of

  • Block DHCP broadcast traffic on the L2 bridges
  • Run a DHCP relay on each segment (I use the one built into enterprise switches, so can't suggest an OpenWrt option)
  • Configure kea to bind to a socket (no broadcast) and assign different pools and/or parameters with the "right" gateway based on the relay agent
  • Consider kea HA implementation with one server on each segment -- point-to-point DHCP connections required for clients to server(s), but no broadcast across segments
  • Some kind of freakishly complex scripting with kea hooks to publish DHCP leases to bind or to unbound (through the control sockets) to synchronize the dynamic DNS information, and to re-synchronize if a link goes off-line

Simpler idea:

Use something like as your IP network. Put three DHCP servers, each one serving a different pool: 10.44.1.x, 10.44.2.x and 10.44.3.x.

Each one serves as the gateway.

Block the DHCP traffic in the tunnel so hosts get DHCP from their local pool.

Block ARP requests for in the tunnel so that ARP is always answered by the local gateway.

Put as an additional IP on LAN side of each router.

Have each router serve a different sub domain for DNS



Set up each DNS to point to the other DNS to resolve the subdomains... There is no reason why subdomains need to map to routed networks.
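The subdomain scheme above, as an added example that is not from the thread: a small script that prints the dnsmasq options for router N and the ebtables rules the scheme relies on. It assumes (placeholders, not values from the thread) that segment N is 10.44.N.0/24 with its router at 10.44.N.1, that its subdomain is segN.lan, that the tunnel interfaces match `tap+`, and that SHARED_GW is the extra gateway IP placed on every router. The loop the original poster worried about cannot form here: each router is authoritative (`local=`) for its own subdomain, so a miss there is answered NXDOMAIN rather than forwarded, and only the other two subdomains are forwarded, directly to their own router.

```shell
#!/bin/sh
# Added example (not from the thread): per-router dnsmasq subdomain forwarding
# for a three-segment L2-bridged LAN, plus the tunnel filters it relies on.
# Placeholders: segment N = 10.44.N.0/24, router 10.44.N.1, subdomain segN.lan,
# tunnel interfaces tap+, SHARED_GW = extra gateway IP present on every router.
SEGMENTS="1 2 3"
SHARED_GW="10.44.0.254"   # placeholder, not an address from the thread
SEG="${SEG:-1}"           # which router this invocation is for

# Print the dnsmasq options for router N (drop into /etc/dnsmasq.conf).
# local= makes this router answer its own subdomain from leases only, never
# forwarding it; server= forwards only the other subdomains, each straight to
# the router that owns it, so no query can bounce between routers.
gen_dnsmasq_conf() {
    n="$1"
    printf 'domain=seg%s.lan\n' "$n"
    printf 'expand-hosts\n'                 # DHCP names become name.segN.lan
    printf 'domain-needed\n'                # never send bare names upstream
    printf 'local=/seg%s.lan/\n' "$n"
    printf 'local=/%s.44.10.in-addr.arpa/\n' "$n"
    search=""
    for s in $SEGMENTS; do
        search="${search:+$search,}seg$s.lan"
    done
    # option 119: clients try bare names in every subdomain, so users need not
    # know which segment a host lives on (the drawback raised later in the thread)
    printf 'dhcp-option=option:domain-search,%s\n' "$search"
    for other in $SEGMENTS; do
        [ "$other" = "$n" ] && continue
        printf 'server=/seg%s.lan/10.44.%s.1\n' "$other" "$other"
        printf 'server=/%s.44.10.in-addr.arpa/10.44.%s.1\n' "$other" "$other"
    done
}

# Print (do not run) the ebtables rules that keep DHCP and the shared gateway
# IP local to each segment. FORWARD only sees bridged frames, so the router's
# own DHCP and ARP replies to its local clients are unaffected.
gen_tunnel_filters() {
    # DHCP never crosses the tunnel: each host leases from its own router
    printf 'ebtables -A FORWARD -i tap+ -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP\n'
    printf 'ebtables -A FORWARD -o tap+ -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP\n'
    # ARP requests for the shared gateway never cross the tunnel, so the only
    # MAC a host ever learns for it is the local router's
    printf 'ebtables -A FORWARD -i tap+ -p ARP --arp-opcode Request --arp-ip-dst %s -j DROP\n' "$SHARED_GW"
    printf 'ebtables -A FORWARD -o tap+ -p ARP --arp-opcode Request --arp-ip-dst %s -j DROP\n' "$SHARED_GW"
}

gen_dnsmasq_conf "$SEG"
gen_tunnel_filters
```

Run it with `SEG=2 sh script.sh` on router 2, and so on. On LEDE/OpenWrt the generated dnsmasq lines can go into `/etc/dnsmasq.conf`, which the stock init script includes; the ebtables lines are meant to be reviewed and then added to the bridge's FORWARD chain on each router.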


Hi, first of all, thank you so much for every nice idea you all answered here. It's a pleasure to see this forum belongs to such well-informed people.

Anyway, I don't have any problem with IP connectivity, since I allow them to be a section of the same network; every host gets a different gateway and they work perfectly through each of them. Internet traffic is solved with an easy ebtables filter configuration inside the tap interfaces.

I just have the problem when one host, belonging to the router 1 DHCP, tries to use resources from router 3 via their names. I solved it, as some suggested, with different domains. But I would love to share the same domain across all PCs, which I am starting to think is not possible.


Seems the only solution I have. :slight_smile:


Limiting DNS isn't going to provide any restriction on access to resources "on other routers". It just makes it a tiny bit harder to find them. Of course, those resources may already be broadcasting their presence with mdns, so what you do with your DNS servers may not matter anyways.

Having one set of clients see one view of DNS and another see a different view is often called "split-horizon DNS".

It's somewhere between "very difficult" and "not possible" with dnsmasq but is supported by unbound after 1.6 or so (bind as well, but that is likely overkill). Given that you're relying on dnsmasq to populate the DHCP addresses into its own local table, you could use unbound to stub-resolve those from dnsmasq running on a different port, restricted to the loopback interface.
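The unbound-in-front-of-dnsmasq arrangement just described, as an added example that is not from the thread: a script that prints an unbound.conf in which dnsmasq keeps the DHCP names but is only reached on loopback port 5353, unbound answers clients on port 53 and stub-resolves the LAN domain from dnsmasq, and the per-client views unbound added in 1.6 give each segment its own answer for the same name. It assumes (placeholders) the domain lan, segment N at 10.44.N.0/24 with router 10.44.N.1, and that dnsmasq has already been moved to port 5353 and kept off the LAN by the firewall (not shown).

```shell
#!/bin/sh
# Added example (not from the thread): split-horizon DNS with unbound views,
# stub-resolving DHCP names from a dnsmasq that listens only on 127.0.0.1:5353.
# Placeholders: domain lan, segment N = 10.44.N.0/24, router 10.44.N.1.
SEGMENTS="1 2 3"
DNSMASQ_STUB="127.0.0.1@5353"   # where dnsmasq was moved to (assumed)

# Print an unbound.conf. Every view carries the name gateway.lan, but each view
# resolves it to that segment's own router, so clients on different segments
# get different answers for the same name; everything else falls through
# (view-first) to the stub zone, i.e. to dnsmasq's lease table.
gen_unbound_conf() {
    cat <<EOF
server:
  interface: 0.0.0.0
  port: 53
  do-not-query-localhost: no     # the stub target lives on loopback
  domain-insecure: "lan."        # dnsmasq does not sign, so do not validate
  private-domain: "lan."         # allow RFC1918 addresses in answers
  private-domain: "44.10.in-addr.arpa."
EOF
    for n in $SEGMENTS; do
        printf '  access-control: 10.44.%s.0/24 allow\n' "$n"
        printf '  access-control-view: 10.44.%s.0/24 seg%s\n' "$n" "$n"
    done
    for n in $SEGMENTS; do
        cat <<EOF
view:
  name: "seg$n"
  view-first: yes                # names not in this view use the stub zone
  local-data: "gateway.lan. 300 IN A 10.44.$n.1"
EOF
    done
    cat <<EOF
stub-zone:
  name: "lan."
  stub-addr: $DNSMASQ_STUB
stub-zone:
  name: "44.10.in-addr.arpa."
  stub-addr: $DNSMASQ_STUB
EOF
}

gen_unbound_conf
```

The two `private-domain` lines matter: unbound's rebinding protection otherwise strips private addresses out of answers it gets from the stub, which is exactly what every lease in this network is.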

Absolutely agree, Jeff. I have no knowledge about unbound, but I was starting to read about it since you mentioned it. Not sure yet I could deploy this kind of config... let's see :smiley:

I still have the option to split into 3 domains and relay when they want to reach machines inside another domain.


I didn't think the point was restriction, rather it seemed like the point was to ensure everyone had access to machines by name populated by DHCP.

The problem seems to be to create a single unified DNS even while three separate DHCP servers are populating.

Splitting into subdomains does this, though you now have to search through the subdomains to figure out which one each device is in.

I think ideally what he'd have is not split horizon but a unified, distributed horizon. When a device gets a new lease, its DNS should be propagated to all three DNS servers... If dnsmasq had a hotplug trigger on lease or something, then MQTT messages could fire off that told all the other DNS servers that lease info. Cool, but not currently supported afaik.

I think using BIND here makes sense. Set BIND up as a DDNS provider, and then every 30 seconds have the routers poll the lease file and update the DNS servers. Requires some custom scripting. I'd consider mosquitto to use MQTT to send the data and receive it on each router. Then your script validates it and does nsupdate to its local BIND.

Now all the segments see all the devices by name, even though each segment uses only its local BIND and local gateway.
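The "custom scripting" part of the lease-file-to-BIND idea above, as an added example that is not from the thread: a shell/awk function that reads a dnsmasq lease file (OpenWrt writes `expiry mac ip hostname clientid` per line to /tmp/dhcp.leases) and prints an nsupdate batch for a local BIND zone that accepts dynamic updates. The zone names, the BIND address, the TTL and the lease lines are all constructed placeholders, and the MQTT transport between routers is left out: the function only covers turning whatever lease file a router has on hand into records.

```shell
#!/bin/sh
# Added example (not from the thread): dnsmasq lease file -> nsupdate batch.
# Placeholders: forward zone seg1.lan, reverse zone 1.44.10.in-addr.arpa,
# BIND on 127.0.0.1, TTL 300. The lease lines below are constructed sample
# data in OpenWrt's /tmp/dhcp.leases format, not captured from a real router.
SAMPLE_LEASES='1520000000 00:11:22:33:44:55 10.44.1.23 laptop 01:00:11:22:33:44:55
1520000300 66:77:88:99:aa:bb 10.44.1.40 * 01:66:77:88:99:aa:bb
1520000600 cc:dd:ee:ff:00:11 10.44.1.51 printer *'

# leases_to_nsupdate ZONE REVZONE SERVER TTL < leasefile
# Emits two nsupdate transactions (one per zone): A records, then PTR records.
# Each record is deleted before it is added, so a host that returns with a new
# address does not leave a stale record behind. Leases whose hostname is "*"
# (the client sent no name) are skipped: there is nothing to publish for them.
leases_to_nsupdate() {
    zone="$1"; revzone="$2"; server="$3"; ttl="$4"
    awk -v zone="$zone" -v revzone="$revzone" -v server="$server" -v ttl="$ttl" '
    NF >= 4 && $4 != "*" {
        host = tolower($4) "." zone "."
        split($3, o, ".")
        ptr = o[4] "." o[3] "." o[2] "." o[1] ".in-addr.arpa."
        fwd = fwd "update delete " host " A\n" \
                  "update add " host " " ttl " A " $3 "\n"
        rev = rev "update delete " ptr " PTR\n" \
                  "update add " ptr " " ttl " PTR " host "\n"
    }
    END {
        printf "server %s\nzone %s.\n%ssend\n", server, zone, fwd
        printf "server %s\nzone %s.\n%ssend\n", server, revzone, rev
    }'
}

# On a router this would run from cron every 30 s, piped into nsupdate with
# the TSIG key the zone allows updates for (key path is a placeholder):
#   leases_to_nsupdate seg1.lan 1.44.10.in-addr.arpa 127.0.0.1 300 \
#       < /tmp/dhcp.leases | nsupdate -k /etc/bind/ddns.key
printf '%s\n' "$SAMPLE_LEASES" | leases_to_nsupdate seg1.lan 1.44.10.in-addr.arpa 127.0.0.1 300
```

Because every lease is re-sent as delete-then-add on each poll, the batch is idempotent: rerunning it after nothing changed leaves the zone as it was, and a lease that moved to a new address replaces its old record instead of adding a second one.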

And this is the clearest way to show me how bad my English is. :slight_smile: I am unable to explain it better than you did.

Perfect analysis.

Perfect... do you have any documentation so I can learn how to deploy your solution?

Thanks a lot to all for your help.