DNS resolving static lease hostnames in other subnet

I have 2 openwrt routers which are connected via VPN (using openVPN - layer 3) and both have their own subnet:

  • 192.168.2.0/24
  • 192.168.8.0/24

I have set up static leases on one openwrt router, and these are my DHCP and DNS Server settings.

When I am in the network of this openwrt router, I am able to resolve the static leases by appending .lan (so that is working fine).

jan@nuc2:~$ ping nuc1.lan
PING nuc1.lan (192.168.2.11) 56(84) bytes of data.
64 bytes from nuc1.lan (192.168.2.11): icmp_seq=1 ttl=64 time=21.5 ms
64 bytes from nuc1.lan (192.168.2.11): icmp_seq=2 ttl=64 time=18.3 ms

but the same ping is not working when I am in the other openWrt network (see here below). Note that the same ping is working when I am using the actual IP address.

mac-jan:nuc2 jan$ ping nuc1.lan
ping: cannot resolve nuc1.lan: Unknown host
mac-jan:nuc2 jan$ nslookup nuc1.lan
Server:         192.168.8.1
Address:        192.168.8.1#53

** server can't find nuc1.lan: NXDOMAIN

mac-jan:nuc2 jan$ ping 192.168.2.11
PING 192.168.2.11 (192.168.2.11): 56 data bytes
64 bytes from 192.168.2.11: icmp_seq=0 ttl=62 time=46.842 ms
64 bytes from 192.168.2.11: icmp_seq=1 ttl=62 time=12.935 ms
^C
--- 192.168.2.11 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.935/29.889/46.842/16.953 ms
mac-jan:nuc2 jan$ 

So I would like to configure DNS on my 2 openwrt routers so that it is able to resolve those .lan addresses in the other network.

Thanks for any help.

If you want to resolve both sites, I would set the domain name on 192.168.2.0 to lan2 and on 192.168.8.0 to lan8.

In 192.168.2.0, in DNS forwardings, you add: /lan8/192.168.8.1. This tells the DNS server to ask 192.168.8.1 for *.lan8 domain names.

In 192.168.8.0 you add in DNS forwardings: /lan2/192.168.2.1

Hopefully you get the idea (and hopefully I am right) :slight_smile:

Yes, or you can make subdomains like home.lan and office.lan. The point being that the two sites have to have different domain names so that DNS requests can be directed to the proper site.

I tried it but it is still not working.
E.g. this is what I have specified on one openwrt router:

When I am logged on to a server of archer7 network and I do ping mac-jan.lan2 then it doesn't work.

jan@nuc1:~$ ping mac-jan.lan2
ping: mac-jan.lan2: No address associated with hostname
jan@nuc1:~$ ping 192.168.8.40
PING 192.168.8.40 (192.168.8.40) 56(84) bytes of data.
64 bytes from 192.168.8.40: icmp_seq=1 ttl=61 time=18.8 ms
64 bytes from 192.168.8.40: icmp_seq=2 ttl=61 time=17.4 ms
64 bytes from 192.168.8.40: icmp_seq=3 ttl=61 time=25.0 ms
^C
--- 192.168.8.40 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 17.358/20.404/25.028/3.323 ms
jan@nuc1:~$ exit
logout
Connection to 192.168.2.11 closed.
# So now I am on the lan2 network and there it resolves mac-jan.lan2
mac-jan:nuc2 jan$ ping mac-jan.lan2
PING mac-jan.lan2 (192.168.8.40): 56 data bytes
64 bytes from 192.168.8.40: icmp_seq=0 ttl=64 time=1.233 ms
64 bytes from 192.168.8.40: icmp_seq=1 ttl=64 time=0.065 ms
64 bytes from 192.168.8.40: icmp_seq=2 ttl=64 time=0.075 ms
64 bytes from 192.168.8.40: icmp_seq=3 ttl=64 time=0.163 ms
^C
--- mac-jan.lan2 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.065/0.384/1.233/0.492 ms
mac-jan:nuc2 jan$ 

I fixed it by

  • setting DNS forwardings for domain lan to 192.168.2.1 (see green box)
  • unchecking Rebind protection (Discard upstream RFC1918 responses) (see red box).

Yes, you should disable Rebind protection indeed.
Rebind protection will stop resolving from other private DNS servers :frowning:

To add, you could add in the dnsmasq options (/etc/dnsmasq.conf):
rebind-domain-ok=<domain-name>

in your case:
rebind-domain-ok=lan

Then you can enable Rebind protection, but for the lan domain it is accepted to use a private DNS server address.
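As an added example (not from any post in this thread), a small Python model of the two pieces of advice given above: the per-router dnsmasq lines for distinct site domains with forwardings to the other site's resolver, and the stop-dns-rebind decision that rebind-domain-ok relaxes for just those domains instead of switching protection off. The addresses and domain names are the thread's; the rebind check is a simplified model of dnsmasq's behaviour, not dnsmasq's own code.

```python
import ipaddress

# Constructed from the thread: each site's domain and its OpenWrt resolver.
SITES = {"lan2": "192.168.2.1", "lan8": "192.168.8.1"}


def dnsmasq_lines(local_domain, sites=SITES):
    """dnsmasq.conf lines for the router that serves local_domain:
    answer its own domain locally, forward every other site's domain to
    that site's resolver (LuCI 'DNS forwardings'), keep rebind protection
    on, and exempt only the forwarded domains from it."""
    lines = [f"domain={local_domain}", f"local=/{local_domain}/",
             "stop-dns-rebind"]
    for domain, resolver in sites.items():
        if domain == local_domain:
            continue
        lines.append(f"server=/{domain}/{resolver}")
        lines.append(f"rebind-domain-ok={domain}")
    return lines


def rebind_allowed(answer_ip, qname, rebind_ok_domains, stop_dns_rebind=True):
    """Simplified model of dnsmasq's stop-dns-rebind check: an upstream
    answer pointing at a private address is discarded unless the queried
    name is the rebind-domain-ok domain or a subdomain of it (whole labels,
    so 'lan2.example.com' does not match 'lan2'). With protection off,
    every answer is accepted, which is what the OP did."""
    if not stop_dns_rebind or not ipaddress.ip_address(answer_ip).is_private:
        return True
    labels = qname.rstrip(".").lower().split(".")
    for domain in rebind_ok_domains:
        suffix = domain.lower().split(".")
        if labels[-len(suffix):] == suffix:
            return True
    return False


if __name__ == "__main__":
    for line in dnsmasq_lines("lan2"):
        print(line)
    # The OP's failing case: protection on, no exemption, private answer.
    print(rebind_allowed("192.168.8.40", "mac-jan.lan2", []))
    # The last post's fix: exempt the forwarded domain only.
    print(rebind_allowed("192.168.8.40", "mac-jan.lan2", ["lan2"]))
```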