Nxdomain on windows after altering dns suffix (openwrt dnsmasq)

kessleari · May 1, 2019, 1:00pm

Hi,

I'm using OpenWrt 18.06.2 with LuCI Web Interface and dnsmasq as dhcp&dns server.

My problem is after altering the local domain suffix and local server specification, my windows hosts are unable to resolve the dns request with the dns suffix (nxdomain response). If I omit the suffix (only a dot appended to hostnames), it works. On android devices I have no problems at all.

I did some tweaking for ipv6 as recommended in the IPv6 DNS OpenWrt Wiki article but that didn't change anything.

Client's connecting to my network have a static ip lease and several hostnames assigned.

Could you please check if I made a mistake in my config? Which config files are relevant?

lleachii · May 1, 2019, 2:28pm

@kessleari, welcome to the community!

Where did you alter the suffix?
What do you mean by "local server specification"?
Is the domain name being appended by OpenWrt or Windows?
Where are your configs?

kessleari · May 1, 2019, 3:50pm

@lleachii thank you!

and 2.:

local_serverdomainsettings.png837×163 4.79 KB

Can be found in LuCi under Network > DHCP and DNS > Server Settings > General Settings
Seems windows is appending the suffix automatically although I didn't set it (as you can see here https://imgur.com/JKqBRSa): on android it gives me a 'bad hostname' response if I omit the suffix.

This is my etc/resolv.conf (nameservers for wan were inserted automatically so I kept them)

search 3
nameserver 127.0.0.1
nameserver ::1
# Interface wan
nameserver 217.68.162.126
nameserver 62.117.5.126
# Interface wan6
nameserver 2a02:2457:10c:101::126
nameserver 2a02:2457:20c:101::126

This is my etc/hosts

127.0.0.1 localhost
::1 localhost localhost6

And this is my etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option logqueries '1'
	option boguspriv '0'
	option sequential_ip '1'
	option strictorder '1'
	option allservers '1'
	option localservice '0'
	option rebind_protection '0'
	option quietdhcp '1'
	option expandhosts '1'
	option domain '3'
	option resolvfile '/etc/resolv.conf'
	option local '/3/'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option force '1'
	option ra_default '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'whh'
	option dns '1'
	option mac 'D0:50:99:48:AE:55'
	option ip '192.168.1.104'
	option duid '0001000121cd2d599829a64b0eb0'

config host
	option name 'ladmin'
	option dns '1'
	option mac '98:22:EF:7B:C8:51'
	option ip '192.168.1.105'
	option duid '000100011ceed0a9d0509948ae55'

config host
	option name 'androids6'
	option dns '1'
	option mac '90:B6:86:B1:FA:64'
	option ip '192.168.1.203'

config domain
	option name 'laptop'
	option ip '192.168.1.105'

config domain
	option name 'wc'
	option ip '192.168.1.105'

config domain
	option name 'sd'
	option ip '192.168.1.105'

config domain
	option name 'ul'
	option ip '192.168.1.105'

config domain
	option name 'lt'
	option ip '192.168.1.105'

config domain
	option name 'bigmac'
	option ip '192.168.1.104'

Do you need any additional configs?

lleachii · May 1, 2019, 3:56pm

You did set it, you clearly changed the domain suffix from lan to 3. Also, I don't believe an integer is valid as a domain name.

You do not edit this file. It is generated by /etc/config/dhcp

Do not edit this file.

You clearly set a domain suffix. Simply remove the option domain, or set it to your correct suffix.

kessleari · May 1, 2019, 3:59pm

Sorry for the misunderstanding. With "set" I mean if I try to ping a hostname with suffix appended or if I try to open up the hostname with the suffix in my browser.

I tried it without the domain option but that didn't work and it used to work before with another suffix.

edit: I did this with the resolv.conf on purpose in order to force dnsmasq to use this file:
resolv

slh · May 1, 2019, 4:02pm

Just to rule out the obvious, did you try something other than a single digit as top level domain, e.g. xyz instead of 3?

kessleari · May 1, 2019, 4:06pm

Yep. I did and it works. But according to this post https://superuser.com/a/117098

it's recommended for top level local names.

Is this outdated? Don't I have to care for that?

edit: it's important for me because I'm running my own certificate authority and ssl is checked against the fqdn

lleachii · May 1, 2019, 4:14pm

No misunderstandings. Also be mindful you have a new user positing limit!

Why don't you just change the setting in one place?
Also, if your Windows machines are in a domain, verify that they're not appending too

That is not an OpenWrt Wiki
That information is invalid, a domain cannot contain an integer as its last character

See: http://blog.eleven2.com/2007/05/26/what-is-an-invalid-domain-name/

slh · May 1, 2019, 4:20pm

DNS requires interoperability support on multiple levels, from the standards body, IANA not suddenly assigning the chosen zone to a registry, your DNS server interpreting and supporting it correctly, the various client operating systems and their name resolving stacks recognizing it as valid domains to be resolved, not to forget the various apps accepting the input - and as the final point also UCI (OpenWrt's config management) and the dnsmasq initscripts expanding the configuration settings into a temporary and valid dnsmasq configuration. The further you diverge from the officially blessed structure, the more likely you'll encounter problems and bugs in the various software stacks involved.

Right now I'm not going to check the various RFCs to check the validity of single character/ single digit top level domains, especially as the rules governing these have been significantly relaxed and redefined in recent years, but considering that neither single ASCII character top level domains nor single digit domains (nor pure number top level domains) are officially assigned (although one would expect them to be rather attractive, paying top dollar) - and the whole concept just feeling wrong to my gut instincts (which might be wrong) made this stick out.

kessleari · May 1, 2019, 4:32pm

@lleachii

Didn't know about the posting limit yet. Thanks for the info!

Also didn't know about the domain name ending convention, I'm relatively new to the whole topic on how to setup your internal network properly.

Solved by changing it. I think I'll go with .lan or some other then, hoping this is not outdated too https://en.wikipedia.org/wiki/.local#Microsoft_recommendations (edit: @slh yeah thx you are right, it seems kinda confusing to me and it is also mentioned in the same article https://en.wikipedia.org/wiki/.local#Global_DNS_queries)

@slh
Thank you for your long explanation and your help. I'm experimenting a lot to get a better understanding of how the underlying systems are working (with the risk of breaking everything, but I always do a backup). I reverted the changes I made to the config files and set everything back to default.

Maybe I should consider the RFCs next time before asking. Sorry about that

slh · May 1, 2019, 4:34pm

Avoid .local, as this has been become a 'special' domain a few years back (o.k., I'm getting old, more like over a decade ago), reserved by zeroconf/ bonjour/ avahi for dynamic search domains (mDNS).

system · May 11, 2019, 4:34pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.