OpenVPN - Internal DNS - dnsmasq - .local domain

Hi, I'm having trouble getting my router to use internal DNS when connecting to OpenVPN. Everything else works and I can ping everything internal to my VPN network, but I am unable to resolve anything.

After a bunch of research, I think I have a good understanding of how this SHOULD work, but it doesn't appear to be doing so in practice.

How I understand it.

This instructs dnsmasq to change which resolv settings it uses.
At the bottom of the .ovpn file:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
script-security 2

When connecting to OpenVPN, the script below creates resolv.conf.vpn, sets it as the active file, and restarts dnsmasq:
/etc/openvpn/update-resolv-conf

#!/bin/sh

case $script_type in
up)
        i=1
        ns=""
        while true; do
                # For non-Windows clients, OpenVPN hands pushed DHCP options to
                # the client-side up script through the foreign_option_N
                # environment variables; walk them until the first unset one.
                eval opt=\$foreign_option_${i}
                [ -z "${opt}" ] && break

                # map pushed DOMAIN/DNS options to resolv.conf directives
                ns="$ns\n$(echo ${opt} | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g')"

                i=$((i + 1))
        done

        if [ -n "$ns" ]; then
                echo -e "$ns" > /tmp/resolv.conf.vpn
        else
                echo -e "nameserver 209.244.0.3\nnameserver 64.6.64.6" > /tmp/resolv.conf.vpn
        fi

        uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.vpn'
        uci commit dhcp
        # Run in the background so the route table is added without delay,
        # which would otherwise affect mwan3.
        /etc/init.d/dnsmasq restart &
        ;;
down)
        # Restore dns
        # nothing to restore (exit, not return: this is not inside a function)
        [ -f "/tmp/resolv.conf.vpn" ] || exit 0
        rm -fr "/tmp/resolv.conf.vpn"
        uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
        uci commit dhcp
        /etc/init.d/dnsmasq restart &
        ;;
esac

exit 0

Dnsmasq config when connected to OpenVPN
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option nonwildcard '1'
option localservice '0'
option rebind_protection '0'
option resolvfile '/tmp/resolv.conf.vpn'

Difference when not connected to OpenVPN
option resolvfile '/tmp/resolv.conf.auto'

Contents of resolv.conf
search lan
nameserver 127.0.0.1

Contents of resolv.conf.vpn (Internal DNS)
nameserver 192.168.1.20
nameserver 8.8.8.8
domain domain.local
dhcp-option ADAPTER_DOMAIN_SUFFIX domain.local

Contents of resolv.conf.auto (gateway of uplink)
#Interface wwan
nameserver 192.168.254.1

Now, this all looks correct to me, but for whatever reason, it doesn't use my internal DNS when connected.

dnsmasq doesn't work on complementary principle.
It's either round-robin, or strict-order, or the quickest-response which is the default.

Hi vgaetaera,
Thanks for your response! I don't really understand what that means sadly. Is there a setting I should change to get this working?

As far as I understand, dnsmasq is told which settings to use and then restarted once set. Does this not work?
The goal would be to have the DNS be internal when connected to the OpenVPN connection and reverted back to normal when not.

I mean, if you depend on 192.168.1.20, you should remove 8.8.8.8 as it will return negative responses on your local requests, or make sure you set strictorder=1 and your DNS is the first in the list.

Gotcha. It was working everywhere else, so I didn't think it should be an issue here.
I went ahead and removed 8.8.8.8 from my openvpn server. I then disconnected and reconnected to the vpn. I confirmed that 8.8.8.8 is no longer in the resolv.conf.vpn. There is no change. I still cannot resolve internally :(.

I can manually run an nslookup hostname 192.168.1.20 and that works, but it's not being used to resolve.

Make sure your DNS does not truncate UDP responses:

dig @192.168.1.20 openwrt.org +short
dig @192.168.1.20 openwrt.org +short +ignore

My DNS is from Windows Server 2012.

I cannot run the dig command on my router. Is there another way I can check?

Not sure if this will help, but I'll add it nonetheless.


root@GL-S1300:/tmp# nslookup domaincontroller.domain.local 192.168.1.20
Server:    192.168.1.20
Address 1: 192.168.1.20 domaincontroller.domain.local

Name:      domaincontroller.domain.local
Address 1: [IPV6] domaincontroller.domain.local
Address 2: [IPV6] domaincontroller.domain.local
Address 3: 192.168.1.20 domaincontroller.domain.local
root@GL-S1300:/tmp# nslookup domaincontroller.domain.local
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

nslookup: can't resolve 'domaincontroller.domain.local': Name or service not known

It is not wise to use .local as a private domain, because it is reserved for mDNS.
Although you can set boguspriv=0 or edit /usr/share/dnsmasq/rfc6761.conf to allow the forwarding.


Yes you can.

Yeah.... I've been too lazy to make the switch and migrate my stuff. It is a homelab, so I really should just make the upgrade at some point :)

This has done the trick. I can now ping my hostnames from "hostname.domain.local". However, I cannot resolve them from "hostname".

Contents of resolv.conf.vpn (Internal DNS)

nameserver 192.168.1.20
domain domain.local
dhcp-option ADAPTER_DOMAIN_SUFFIX domain.local

It looks like it contains my domain and suffix information in there from my OpenVPN server. Is there anything I can do to make them resolvable without the FQDN?

This is a glinet router, which I believe runs a different split of openwrt? I'm unsure how to get the dig command on there.

What about domainneeded=0?

I thought that might work too after reading up on some of the default options in my /etc/config/dhcp, but no luck :(

I tried a few other things in my /etc/resolv.conf.vpn as well, but none of them worked. See below.

domain-SEARCH domain.local
nameserver 192.168.1.20
dhcp-option ADAPTER_DOMAIN_SUFFIX domain.local
domain domain.local
search domain.local

What about option domain 'lan'?
Should that be anything else?

These are the current settings I'm running in /etc/config/dhcp. I changed quite a few now, but nothing seems to let me use the short name resolve.

config dnsmasq
        option domainneeded '0'
        option boguspriv '0'
        option filterwin2k '0'
        option localise_queries '0'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '0'
        option rebind_protection '0'
        option resolvfile '/tmp/resolv.conf.vpn'

Probably it should be expandhosts=0, otherwise it will use domain=lan for the suffix.
Also dhcp-option ADAPTER_DOMAIN_SUFFIX ... doesn't look like it should be there, so better remove it.
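The three things flagged in this thread so far (a public resolver sitting next to the internal one without strictorder, a .local suffix that dnsmasq treats as special-use, and a dhcp-option line that is OpenVPN syntax rather than resolv.conf syntax) can all be caught before dnsmasq is restarted. The script below is an added example, not code from the thread or from OpenWrt; it assumes only POSIX sh. The private address ranges are RFC 1918 plus loopback and the reserved names are from RFC 6761; the wording of the findings and the exit-status convention are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or OpenWrt: lint a resolv.conf before
# handing it to dnsmasq as resolvfile. Flags the problems discussed above:
#  - a public resolver mixed with an internal one (without strictorder dnsmasq
#    uses whichever answers fastest, and the public one answers internal names
#    negatively),
#  - a special-use suffix such as .local (RFC 6761),
#  - OpenVPN dhcp-option lines, which are not resolv.conf syntax.

warn() { printf 'WARN: %s\n' "$1"; rc=1; }

# RFC 1918 ranges plus loopback; anything else is treated as a public resolver.
is_private_ip() {
    case "$1" in
        10.*|192.168.*|127.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: check_resolvfile FILE [STRICTORDER]
# STRICTORDER is 1 when /etc/config/dhcp has option strictorder '1'.
# Prints one WARN line per finding; returns 1 if anything was flagged.
check_resolvfile() {
    file="$1" strict="${2:-0}"
    rc=0 first_ns="" private=0 public=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                     # split the line into words
        case "$1" in
            nameserver)
                [ -n "$2" ] || continue  # bare 'nameserver' line: nothing to judge
                [ -n "$first_ns" ] || first_ns="$2"
                if is_private_ip "$2"; then private=$((private + 1)); else public=$((public + 1)); fi ;;
            domain|search)
                shift
                for d in "$@"; do
                    case "$d" in
                        local|*.local)
                            warn "'$d' is reserved for mDNS (RFC 6761); dnsmasq will not forward it unless rfc6761.conf is edited" ;;
                        localhost|*.localhost|invalid|*.invalid|test|*.test|onion|*.onion)
                            warn "'$d' is a special-use name (RFC 6761) and will not be forwarded" ;;
                    esac
                done ;;
            dhcp-option)
                warn "'$line' is an OpenVPN option, not a resolv.conf directive; drop it" ;;
            *) ;;                        # comments, blank lines, directives not checked here
        esac
    done < "$file"
    if [ "$private" -gt 0 ] && [ "$public" -gt 0 ]; then
        if [ "$strict" != 1 ]; then
            warn "internal ($private) and public ($public) resolvers mixed without strictorder: the fastest answer wins and internal names may get NXDOMAIN"
        elif ! is_private_ip "$first_ns"; then
            warn "strictorder is set but the first nameserver ($first_ns) is public"
        fi
    fi
    return $rc
}
```

Because the function returns non-zero when anything is flagged, an up script can run it on the freshly written /tmp/resolv.conf.vpn and refuse to switch resolvfile until the file is clean. The mixed-resolver finding is also a privacy point: with a public resolver in the list, queries for internal hostnames leave the VPN and reach that resolver.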

dhcp-option ADAPTER_DOMAIN_SUFFIX domain.local

That part is added from the script automatically. It's pushed from the OpenVPN-as server for windows clients. I can temporarily remove it to test this and see if it makes any difference.

I tried with both expanded hosts on and off :(

I'll try a few more things tomorrow and report back.

Okay, these are my latest settings. It's still not resolving "hostname", but will correctly resolve "hostname.domain.local".

/etc/config/dhcp

config dnsmasq
        option domainneeded '0'
        option boguspriv '0'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '0'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '0'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '0'
        option resolvfile '/tmp/resolv.conf.vpn'

/tmp/resolv.conf.vpn

nameserver 192.168.1.20
domain domain.local
search domain.local

I pushed "search domain.local" into the file in the script used to create resolv.conf.vpn using 'echo "search domain.local" >> /tmp/resolv.conf.vpn'. The other two parts are pushed by my OpenVPN-AS server and put into the .vpn file from the script /etc/openvpn/update-resolv-conf.

Maybe changing option domain 'lan' in /etc/config/dhcp would fix it, but I'm unsure if it would break anything when I'm not connected to the VPN.

Anyone else have an idea of what I can try to get shortnames to resolve from hostname to hostname.domain.local while connected to openvpn?
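A reworked version of the resolv.conf generation step, as an added example that is not the thread's update-resolv-conf or GL.iNet's script. It relies only on the foreign_option_N variables OpenVPN exports to its --up script (the same ones the script at the top of the thread walks) and on POSIX sh. It builds a single search line from every pushed DOMAIN option (and from DOMAIN-SEARCH, which newer OpenVPN servers push; that the server supports it is an assumption), so a short name such as hostname is retried as hostname.domain.local, and it drops ADAPTER_DOMAIN_SUFFIX and anything else that is not a resolv.conf directive instead of echoing it into the file. The fallback address is the uplink resolver shown in this thread's resolv.conf.auto.

```shell
#!/bin/sh
# Added example, not the thread's update-resolv-conf: turn the dhcp-option
# values OpenVPN pushes (exported to the --up script as foreign_option_1,
# foreign_option_2, ...) into a resolv.conf that dnsmasq can use as resolvfile.

# Print the resolv.conf content on stdout. Walks foreign_option_N until the
# first unset variable, as the script earlier in the thread does.
build_resolv_conf() {
    domain="" search="" i=1
    while :; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                printf 'nameserver %s\n' "${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*)
                # first DOMAIN becomes 'domain'; every DOMAIN joins the search list
                d="${opt#dhcp-option DOMAIN }"
                domain="${domain:-$d}"
                search="${search:+$search }$d" ;;
            "dhcp-option DOMAIN-SEARCH "*)
                # DOMAIN-SEARCH: extra suffixes pushed by newer OpenVPN servers (assumption)
                search="${search:+$search }${opt#dhcp-option DOMAIN-SEARCH }" ;;
            *)
                # ADAPTER_DOMAIN_SUFFIX (a Windows-only hint), routes, etc. are
                # not resolv.conf directives, so they are deliberately dropped
                ;;
        esac
        i=$((i + 1))
    done
    if [ -n "$domain" ]; then printf 'domain %s\n' "$domain"; fi
    # 'search' is what makes short names resolve: hostname -> hostname.domain.local
    if [ -n "$search" ]; then printf 'search %s\n' "$search"; fi
    return 0
}

# Write the result to FILE; if the server pushed no DNS options at all, fall
# back to the uplink resolver (192.168.254.1, the address in this thread's
# resolv.conf.auto) rather than leaving dnsmasq with an empty resolvfile.
write_resolv_conf() {
    out="$1"
    content="$(build_resolv_conf)"
    if [ -n "$content" ]; then
        printf '%s\n' "$content" > "$out"
    else
        printf 'nameserver 192.168.254.1\n' > "$out"
    fi
}

# Usage from the up) branch of an OpenVPN --up script:
#   write_resolv_conf /tmp/resolv.conf.vpn
#   uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.vpn' && uci commit dhcp
```

The down) branch stays as in the thread's script: remove /tmp/resolv.conf.vpn, point resolvfile back at /tmp/resolv.conf.auto, and restart dnsmasq, so the internal resolver and search suffix only apply while the tunnel is up.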

       option local '/lan/'
       option domain 'lan'

to

       option local '/domain.local/'
       option domain 'domain.local'

Thanks for your response wulfy. Trying that caused it to break all resolution to domain.local, long and short.

Do note that

     option resolvfile '/tmp/resolv.conf.vpn'

is adding

nameserver 192.168.1.20
domain domain.local
search domain.local