Dnsmasq conditional forward to Windows domain.local not working

Hi,

I'm trying to forward domain.local to the Windows DNS, but I get no response from the server.
I have added
list server '/domain.local/10.10.10.100' in /etc/config/dhcp
But all dns queries fail to that domain with
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for computer.domain.local

If I set the NIC to use the 10.10.10.100 server instead, it resolves the hostname. So the Windows DNS is working, but not if I use dnsmasq with the above setting.

Full DNS trace from Windows:

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        1.100.168.192.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  1.100.168.192.in-addr.arpa
        name = nighthawk.refused.net
        ttl = 0 (0 secs)

------------
Server:  nighthawk.refused.net
Address:  192.168.100.1

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        computer.domain.local.domain.local, type = A, class = IN
    AUTHORITY RECORDS:
    ->  refused.local
        ttl = 3600 (1 hour)
        primary name server = domain.local.local
        responsible mail addr = hostmaster.domain.local
        serial  = 1530
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        computer.domain.local.domain.local, type = AAAA, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        computer.domain.local, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        computer.domain.local, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  domain.local
        ttl = 3600 (1 hour)
        primary name server = computer.domain.local
        responsible mail addr = hostmaster.domain.local
        serial  = 1530
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for computer.domain.local

Any ideas?

Now I of course found the issue.
You need to uncheck rebind protection in LuCI. It's in the wiki here, but it needs CLARIFICATION, as it doesn't say rebind_protection needs to be set.

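Added example, not the poster's configuration: the dnsmasq section of /etc/config/dhcp for this setup, with the fix the thread arrived at (rebind protection off for everything) shown commented out next to the narrower fix, which keeps rebind protection on and whitelists only the forwarded domain. LuCI writes the same whitelist entry from its "Domain whitelist" field under DNS Rebind Protection. The domain and server address are the ones from the thread; the remaining options are assumed defaults.

```uci
# /etc/config/dhcp (added example, not the poster's file)
config dnsmasq
	option domain 'lan'
	option local '/lan/'
	option domainneeded '1'
	# Weak setting from the thread: turns rebind protection off for every
	# upstream answer, so any forwarder may hand back RFC 1918 addresses.
	# option rebind_protection '0'
	#
	# Narrower fix: keep rebind protection on and whitelist only the AD domain.
	# Answers under domain.local may carry private addresses (10.10.10.0/24);
	# answers for every other name are still filtered.
	option rebind_protection '1'
	option rebind_localhost '1'
	list rebind_domain 'domain.local'
	# Conditional forward from the original post: domain.local and its
	# subdomains go to the Windows DNS server, everything else upstream.
	list server '/domain.local/10.10.10.100'
```

The check that tells the two situations apart: with rebind protection on and no whitelist, dnsmasq logs "possible DNS-rebind attack detected: computer.domain.local" (visible with `logread | grep rebind` on the router) and passes the reply on with its answer section emptied, which is consistent with the NOERROR, answers = 0 responses in the trace above: the Windows server answered with a 10.10.10.0/24 address, and dnsmasq treated a private address from an upstream as a rebinding attempt. Restart dnsmasq with `/etc/init.d/dnsmasq restart` after editing the file.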

Still have an issue, gpupdate does not work. Says the AD domain is unavailable. Any ideas?
EDIT:
Using Windows DNS as the secondary DNS server seems to have helped. Maybe that's the only "fix" available. I was hoping I could use dnsmasq as the only DNS server.

You cannot use 2 different DNS sources as primary/secondary. Data must be identical in all servers in the DNS infrastructure. Otherwise, you will get ~25% failures on lookups for names not contained on the other server. If you have a Windows Domain, you will have to do the following:

  • Configure your DHCP to give out the IP of the Windows DNS server using DHCP Option No. 6

  • Next, configure the Windows DNS server to ONLY reference OpenWrt's dnsmasq as the Forwarder
  • You would then set up DNS servers in the router as normal.

Alternatively:

  • Configure OpenWrt to reference ONLY the Windows DNS Server(s)
  • Set up DNS Forwarders in the Windows DNS server
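Added example, not from the reply above, of the two layouts it describes, as /etc/config/dhcp fragments. The first hands 10.10.10.100 to clients in DHCP option 6, so the Windows DNS server is their only resolver and dnsmasq is reached only through that server's forwarder. The second keeps dnsmasq as the clients' resolver and makes the Windows server its only upstream. Addresses are the thread's; the lease settings are assumed.

```uci
# /etc/config/dhcp (added example, not the poster's file)

# Layout 1: DHCP option 6 gives clients the Windows DNS server only.
# Several servers are comma-separated, e.g. '6,10.10.10.100,10.10.10.101'.
# Clients never query dnsmasq; the Windows server forwards Internet names to it.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,10.10.10.100'

# Layout 2: dnsmasq stays the clients' resolver but sends every query, not
# just domain.local, to the Windows DNS server and ignores the resolvers
# learned on the WAN interface. The Windows server then needs forwarders of
# its own for Internet names.
config dnsmasq
	option noresolv '1'
	list server '10.10.10.100'
	# Answers for the AD domain carry 10.x addresses, so whitelist it
	# instead of switching rebind protection off altogether.
	list rebind_domain 'domain.local'
```

Pick one layout, not both: the point of the reply is that every host must see the same view of DNS, which is why a Windows DNS server listed as "secondary" beside dnsmasq gives intermittent failures rather than a clean fallback. In layout 2 the Windows server's forwarder must not point back at OpenWrt, or the two servers forward to each other in a loop for any name neither holds.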

Thanks, I will try this. I've tried using the Windows DNS as primary as you stated below and forwarding the external requests to OpenWrt. However, even if I removed the root servers from the Windows DNS, it seems to go out and find external lookups and does not honor locally set DNS names set in OpenWrt.

This is what happens:
C:\Users\shelter>nslookup foobar.domain
Server: enterprise.refused.local
Address: 10.10.10.100

Non-authoritative answer:
Name: foobar.domain
Address: 192.168.100.10

The second time I run the command I get
C:\Users\shelter>nslookup foobar.domain
Server: enterprise.refused.local
Address: 10.10.10.100

Non-authoritative answer:
Name: foobar.domain
Address: xxx.xxx.xxx.xxx (now resolves to an external IP; I removed the IP here for security reasons)
Aliases: foobar.domain

(enterprise.refused.local is the Windows DNS pointing to OpenWrt as forwarder)

You're not being clear.

  • Which method described above did you use to setup the DNS?
  • How did you setup local hostnames in the OpenWrt?

I set my Windows machines to use the AD DNS.
The AD DNS points to OpenWrt as a forwarder.
Root hints are removed from the AD DNS.
I've set a specific hostname to a static local IP under hostnames in OpenWrt's LuCI.

If I look up that hostname from Windows, which uses the AD DNS, it first resolves to the hostname set in LuCI.
If I do the lookup a second time, it resolves to the external hostname's IP (which also exists).
This ONLY happens if I use the "AD DNS".

If I use OpenWrt's DNS, which uses dnsmasq, it always resolves to the IP I've set in LuCI; this is the way I want it when using the AD DNS too.
I don't get how the AD DNS suddenly resolves the external IP; it shouldn't be able to find it.

4 suggestions:

  • Ensure you've cleared all DNS caches
  • Ensure the domain name is not a zone the Windows DNS server controls
  • Ensure your Windows hosts only have one DNS server (the Windows DNS)
  • the utility nslookup also exists on Windows

Now gpupdate seems to work on the Windows 10 client, don't know what did it really.

In case anyone is curious, this is what I did today:
Made OpenWrt (dnsmasq) forward the AD domain to the Windows (AD) DNS server.
Set rebind protection to off.
Cleared all caches everywhere.
Set adblock in OpenWrt to use the local DNS server only.

This is something I did a while back: blocked internal DNS requests to external servers from the LAN, meaning OpenWrt (dnsmasq) is the only allowed DNS server for external requests.

Also, all root hints are removed from the Windows (AD) DNS server.

I'll report back if I encounter any issues.

I wrote a small howto a while back, but I've updated it recently, in case someone is interested.
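Added example, not the poster's rules, of the firewall rule the post describes: an /etc/config/firewall rule that rejects DNS forwarded from the LAN zone to the WAN zone, so a LAN host with a hard-coded public resolver, or one that ignores the DHCP-supplied server, cannot bypass dnsmasq, which stays the only device that queries the Internet for names. Zone names are OpenWrt's defaults; the rule name is assumed.

```uci
# /etc/config/firewall (added example, not the poster's rules)

# Reject DNS (TCP and UDP 53) forwarded from 'lan' to 'wan'. Queries to the
# router itself take the 'lan' zone INPUT path and are not matched, and the
# Windows DNS server's forwarder points at the router, so neither is affected.
# REJECT rather than DROP so a misconfigured client fails fast instead of
# waiting for a timeout.
config rule
	option name 'Reject-LAN-DNS-to-WAN'
	option src 'lan'
	option dest 'wan'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'
	option target 'REJECT'
```

Apply it with `/etc/init.d/firewall reload`. The rule covers plain DNS on port 53 only: a client using DNS over TLS (TCP 853) can be stopped with a second rule of the same shape, while DNS over HTTPS shares port 443 with ordinary web traffic and cannot be told apart by port, which is why the DHCP and forwarder setup from earlier in the thread still matters rather than relying on the firewall alone.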