NAT name resolution on 2 routed TUN subnets

I have two networks at different locations (different non-routable IP subnets) configured such that they are connected by an OpenVPN TUN setup (layer 3). I have the routing set up correctly such that I can connect across the tunnel. Connecting by IP works in all supported applications (ping, ssh, vnc, etc.). However, name resolution doesn't work.

Currently both networks are running their own dnsmasq, and they both retain their own access to the Internet. I want to keep it that way in case the link goes down (also why I chose TUN over TAP). Is it possible to configure dnsmasq so I can resolve host names on the other network? I want to configure it so that resolution time does not increase if the link fails, while not using static assignment.

Hey there.

Use different zone names for both areas. Let's say you have "area1.lan" for the first area and "area2.lan" for the second.

Go to "Network / DHCP".
On the first router, you add "/area1.lan/" as "Local server" and "area1.lan" as "Local domain".
On the second router, you add "/area2.lan/" as "Local server" and "area2.lan" as "Local domain".

Now add DNS forwarding settings.
Stay on "Network / DHCP".
On the first router, add "/area2.lan/$ipOfYourSecondRouter" as "DNS Forwarding".
On your second router, add "/area1.lan/$ipOfYourFirstRouter" as "DNS Forwarding".

Let's assume you have a computer called "some-computer" at your first area and another computer called "some-other-computer" at your second area.
They both should be able to resolve some-computer.area1.lan as well as some-other-computer.area2.lan.

The thing is:

  • Both areas need to have different domain names.
  • Each router needs to be told to look the other domain name up at the IP address of the other router.

Regards,
Stephan.

Thank you, got it to work based on your instructions.

I had to add the following:

option localservice '0'  # remote dnsmasq wouldn't respond to a nslookup if not added
list rebind_domain 'lan' # local dnsmasq seems to filter response if this is not added

Do those seem warranted?

Hey there.

The "localservice 0" is OK. It basically means dnsmasq is allowed to answer nslookup requests from IPs that are not in local subnets. I had expected the VPN link was treated as local LAN, so this was not necessary, but chances are I'm wrong here.

The "rebind_domain lan" means upstream DNS servers are usually not allowed to reassign the "lan" domain, but in that case the upstream DNS server is. I didn't expect that either, since I thought every router would only rebind-protect its local domain (area1.lan and area2.lan). But obviously every ".lan" domain is protected.

Both settings can very well be the way you configured them.
I'm glad it worked.

Regards,
Stephan.
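The two-router split-DNS setup worked out in this thread, as an added example that is not part of the original posts: a small POSIX shell script that emits the dnsmasq settings (and the matching OpenWrt UCI commands) for one side, plus a check that the two sides point at each other. Zone names, the tunnel addresses 10.8.0.1 and 10.8.0.2, and the choice to whitelist only the remote zone for rebind protection (narrower than the 'lan' used above) are constructed assumptions.

```shell
#!/bin/sh
# Constructed example: dnsmasq settings for one router of the two-site setup.
# Usage: dnsmasq_conf <local_zone> <remote_zone> <remote_router_tunnel_ip>
dnsmasq_conf() {
    local_zone=$1; remote_zone=$2; remote_ip=$3
    # This site's own zone is answered locally, never forwarded upstream
    printf 'local=/%s/\n' "$local_zone"
    printf 'domain=%s\n' "$local_zone"
    # Only the other site's zone is forwarded across the tunnel; all other
    # names keep going to this site's own upstream resolvers, so a dead
    # link only affects lookups for the remote zone
    printf 'server=/%s/%s\n' "$remote_zone" "$remote_ip"
    # The remote router answers with RFC 1918 addresses, which rebind
    # protection (stop-dns-rebind) would drop; whitelist just that zone
    printf 'rebind-domain-ok=/%s/\n' "$remote_zone"
    # UCI "option localservice '0'" means no "local-service" line here, so
    # queries arriving from the other router over the tunnel get answered
}

# Same settings as OpenWrt UCI commands for /etc/config/dhcp
uci_commands() {
    local_zone=$1; remote_zone=$2; remote_ip=$3
    printf "uci set dhcp.@dnsmasq[0].local='/%s/'\n" "$local_zone"
    printf "uci set dhcp.@dnsmasq[0].domain='%s'\n" "$local_zone"
    printf "uci add_list dhcp.@dnsmasq[0].server='/%s/%s'\n" "$remote_zone" "$remote_ip"
    printf "uci add_list dhcp.@dnsmasq[0].rebind_domain='%s'\n" "$remote_zone"
    printf "uci set dhcp.@dnsmasq[0].localservice='0'\n"
    printf 'uci commit dhcp && /etc/init.d/dnsmasq restart\n'
}

# Consistency check: the zone router A forwards must be the zone router B
# declares as local. Returns non-zero on a mismatch.
check_pair() {
    a_fwd=$(printf '%s\n' "$1" | sed -n 's#^server=/\([^/]*\)/.*#\1#p')
    b_loc=$(printf '%s\n' "$2" | sed -n 's#^local=/\([^/]*\)/$#\1#p')
    [ -n "$a_fwd" ] && [ "$a_fwd" = "$b_loc" ]
}

# Example run: first router is area1.lan, second is area2.lan
ROUTER1=$(dnsmasq_conf area1.lan area2.lan 10.8.0.2)
ROUTER2=$(dnsmasq_conf area2.lan area1.lan 10.8.0.1)
printf '%s\n\n%s\n' "$ROUTER1" "$ROUTER2"
uci_commands area1.lan area2.lan 10.8.0.2
```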