DNS resolution

I've been using the following configuration for DNS:

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option ip6assign '60'
        option enabled '1'
        option dns 'DNS_1 DNS_2'
        option mtu '1500'
        option netmask '255.255.255.0'
        option proto 'static'
        option ipaddr '10.248.1.1'
        option auto '1'
        option ifname 'eth1'

DNS 1 and 2 are internal DNS servers reachable via VPN, but sometimes OpenWrt forwards queries to external DNSs (apparently at random). I don't have any other DNS configuration and I thought that this configuration would ensure that all queries from the LAN would be forwarded to those DNSs. How do I make sure that only the listed DNSs will be used? I'm aware I can use option peerdns '0' on the wan, but I want to allow OpenWrt itself to use those external DNS servers. I can also use DHCP option 6, but I wonder what the right way is to keep using dnsmasq to forward queries to the DNSs I listed. Any help is appreciated.

I'm using Chaos Calmer.

  • Not sure why you have DNS servers defined for LAN...
  • What are your DNS settings for
    • WAN and
    • System

You only need DNS servers specified in one location, BTW.

I'm lost, as that statement cannot be possible.

  • Perhaps you're referring to an Android that uses Google DNS?

Not sure why you have DNS servers defined for LAN

Because I have a VPN server that needs to be resolved from public DNSs. I cannot use DNS 1 and 2 until the VPN is established.

What are your DNS settings for

WAN

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

System? If you mean /etc/config/system, there is no DNS configuration.

I'm lost, as that statement cannot be possible.

I mean the OpenWrt configuration. I don't set anything else other than the lan interface option dns in /etc/config/network.

Thanks.


You have answered it yourself:


What for?
Please explain what are you trying to achieve in detail.


OK, I see.


Alright. There are many reasons. The first one is that the devices will use a VPN connection, and the VPN portal is resolved by OpenWrt using public DNSs, but the clients on the LAN will use internal DNS that will only be available after the VPN is up, so that they can resolve internal resources. The OpenWrt devices are connected to ISPs in the wild; they need to use regular, public DNS servers.

The second is that the configuration of those OpenWrt devices is controlled by Openwisp; this controller is reached over the Internet. It can also be reached via VPN, but anyway I want it to be reachable whether the VPN is operational or not.

You mean that the only way to do that is setting peerdns and configuring resolv.conf to use, say, 8.8.8.8? resolv.conf is tricky because it's actually a link to a file managed by dnsmasq. Should I use the /etc/config/network wan section for that?

Thanks.

Run a script on the VPN-client connect/disconnect event to disable/enable peerdns (or enable/disable DNS forwarding) with UCI and reload dnsmasq.

I see, this way OpenWrt will use the DNSs I defined in the LAN section of /etc/config/network?

DNS forwarding could be the preferable way, because applying it only requires a reload/restart of the dnsmasq service, whereas applying peerdns settings may also require a reload/restart of the network service.

Something like this:

#!/bin/sh
# ACTION := { add | del }
# Adds (add) or removes (del) the listed servers from the dnsmasq
# 'server' list in /etc/config/dhcp, then reloads dnsmasq so the
# change takes effect without touching the network service.
ACTION="$1"
case "$ACTION" in
   add|del) ;;
   *) echo "usage: $0 add|del" >&2; exit 1 ;;
esac
DNS_SERV="DNS1 DNS2"
for DNS in $DNS_SERV
do
   uci ${ACTION}_list dhcp.@dnsmasq[0].server="$DNS"
done
/etc/init.d/dnsmasq reload

It's not desirable to restart the network, so I'll possibly use peerdns '0' as the standard configuration and set DNS in the wan section. I don't think DNS forwarding is a solution either; it's a step away from what I want to do. I would use a script to control the LAN-side DNS only, if that's possible, so that clients could use public DNSs when for any reason the VPN is down, but using a script to control what DNS the device itself will use is kind of too risky to me.

I'm still unsure whether there is a way to configure it without rewriting resolv.conf. There are just too many ways to configure DNS. I'm about to try the following:

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option peerdns '0'
        option dns 'PUB_DNS_1 PUB_DNS_2'

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option ip6assign '60'
        option enabled '1'
        option dns 'PRIV_DNS_1 PRIV_DNS_2'
        option mtu '1500'
        option netmask '255.255.255.0'
        option proto 'static'
        option ipaddr '10.248.1.1'
        option auto '1'
        option ifname 'eth1'

And use the script to control the lan dns. By the way, you forgot 'commit dhcp'.

#!/bin/sh
# PEER_DNS := { 0 | 1 }
# Sets peerdns on both WAN interfaces (0 = ignore the ISP-supplied
# DNS servers, 1 = accept them) and reloads the network service so
# /tmp/resolv.conf.auto is regenerated.
PEER_DNS="$1"
case "$PEER_DNS" in
   0|1) ;;
   *) echo "usage: $0 0|1" >&2; exit 1 ;;
esac
uci set network.wan.peerdns="$PEER_DNS"
uci set network.wan6.peerdns="$PEER_DNS"
/etc/init.d/network reload

Hm, it looks like service reload does not require uci commit.
And network reload does not drop the wireless connection, unlike restart, which does.

My attempt didn't work: if I set wan and lan dns, dnsmasq will use the wan-defined dns even if I query from the lan. By the looks of it, the only way to achieve what I want is to follow your suggestion. Dnsmasq astonishingly does not discern a DNS query originating from the lan from a DNS query originating inside OpenWrt. Thanks for your help.

They are both stored in /tmp/resolv.conf.auto and dnsmasq sees no difference.


If only some domains need to be resolved by external DNS server, will this help?

https://openwrt.org/docs/guide-user/base-system/dhcp#several_dns_servers

Alternatively, you could also force dnsmasq to query the DNS servers in the order specified rather than round-robin, if strict_order is set.

Perhaps.

The documentation states that strictorder "Obey order of DNS servers in /etc/resolv.conf", but when DNS servers are defined in the /etc/config/dhcp dnsmasq section those servers are written neither to resolv.conf nor to resolv.conf.auto. I wonder if this will apply in this case. Thank you.

Some testing results (https://ipleak.net/):

  • The server option has higher priority; however, fixing the DNS-leaking issue completely requires removing the resolvfile option.
  • The strictorder option depends on the method used to preserve the server order and works only until the first DNS server is available; otherwise it just ignores that server and goes to the next one.
  • /tmp/resolv.conf.auto is generated automatically, discarding all manual changes; the only way to modify it is the peerdns option.
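Putting the pieces of the thread together as an added example (this is not code from any of the posts above): a hotplug script that, when the VPN interface comes up, adds the private servers to the dnsmasq server list, pins the VPN portal and controller hostnames to a public server with per-domain entries (the "several DNS servers" technique linked above), and sets noresolv so dnsmasq stops reading /tmp/resolv.conf.auto, which is the leak the test results point at; on ifdown it removes exactly those entries again. The interface name vpn, the script path, the resolver addresses and the domain names are all assumptions; the UCI and init-script commands are overridable only so the script can be exercised without a router.

```shell
#!/bin/sh
# /etc/hotplug.d/iface/90-vpn-dns   (path and every name below are assumptions)
#
# Added example, not code from the thread. Assumes the VPN is a netifd
# interface called "vpn", so netifd fires ifup/ifdown hotplug events for it.
# PRIV_DNS, PUB_DNS and PINNED_DOMAINS are constructed placeholders.
#
# VPN up:   forward everything to the private servers, pin the VPN portal and
#           controller names to a public server (server=/domain/ip entries),
#           and set noresolv so dnsmasq ignores the WAN servers that netifd
#           writes to /tmp/resolv.conf.auto.
# VPN down: remove exactly those entries and let resolv.conf.auto back in.
#
# The change is applied with a dnsmasq reload but deliberately NOT committed,
# so a reboot returns to the committed baseline (WAN/public DNS) until the VPN
# comes up again.

VPN_IFACE="${VPN_IFACE:-vpn}"
PRIV_DNS="${PRIV_DNS:-10.8.0.53 10.8.0.54}"          # internal resolvers behind the VPN
PUB_DNS="${PUB_DNS:-8.8.8.8}"                        # public resolver for the pinned names
PINNED_DOMAINS="${PINNED_DOMAINS:-vpn.example.com controller.example.com}"
UCI="${UCI:-uci}"                                    # overridable for offline testing
DNSMASQ_INIT="${DNSMASQ_INIT:-/etc/init.d/dnsmasq}"  # overridable for offline testing

# Print the dnsmasq 'server' list entries, one per line:
#   /vpn.example.com/8.8.8.8   per-domain entry (dnsmasq server=/domain/ip)
#   10.8.0.53                  plain upstream server
vpn_dns_entries() {
    for d in $PINNED_DOMAINS; do
        echo "/$d/$PUB_DNS"
    done
    for s in $PRIV_DNS; do
        echo "$s"
    done
}

# apply_vpn_dns up|down
apply_vpn_dns() {
    case "$1" in
        up)   _noresolv=1 ;;
        down) _noresolv=0 ;;
        *)    echo "usage: apply_vpn_dns up|down" >&2; return 2 ;;
    esac
    for entry in $(vpn_dns_entries); do
        # Remove any existing copy first so repeated ifup events do not stack
        # duplicate list entries; harmless when the entry is not present.
        "$UCI" del_list "dhcp.@dnsmasq[0].server=$entry" 2>/dev/null || true
        if [ "$1" = up ]; then
            "$UCI" add_list "dhcp.@dnsmasq[0].server=$entry"
        fi
    done
    # noresolv=1 is OpenWrt's switch for dnsmasq --no-resolv: with it set the
    # resolvfile (/tmp/resolv.conf.auto) is not consulted, which closes the leak.
    "$UCI" set "dhcp.@dnsmasq[0].noresolv=$_noresolv"
    "$DNSMASQ_INIT" reload
}

# Hotplug entry point: netifd exports ACTION (ifup/ifdown) and INTERFACE.
vpn_dns_hotplug() {
    [ "$INTERFACE" = "$VPN_IFACE" ] || return 0
    case "$ACTION" in
        ifup)   apply_vpn_dns up ;;
        ifdown) apply_vpn_dns down ;;
    esac
}

vpn_dns_hotplug
```

Two caveats follow from the thread's own findings. The router resolves through dnsmasq itself (/etc/resolv.conf points at 127.0.0.1), so while the VPN is up the router also uses the private servers for everything except the pinned names; that is the behaviour the thread concluded cannot be avoided, and the per-domain entries are what keep the portal and controller reachable. Not committing means a stray `uci commit dhcp` from another tool (LuCI, a controller agent) would persist the VPN-up state; if that is a concern, commit and accept that a reboot with the VPN down leaves only the pinned names resolvable until ifup fires. If the VPN client is not a netifd interface (for example a bare OpenVPN process), the ifup/ifdown events never fire; call `apply_vpn_dns up` and `apply_vpn_dns down` from the VPN client's own up/down script hooks instead. To check what dnsmasq is actually using, compare `uci show dhcp.@dnsmasq[0]` with `cat /tmp/resolv.conf.auto`, and send dnsmasq SIGUSR1 (`kill -USR1 $(pidof dnsmasq)`), which makes it log its upstream servers and per-server query counts to `logread`.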
