Reverse DNS not working

This is my setup:

Turris Omnia with TurrisOS 5.2.7 / OpenWrt 19 as main router, IP 192.168.0.1, DNS pointing to 192.168.0.9.
PiHole with IP 192.168.0.9.

The problem is that requests to resolve IPs into hostnames coming from the PiHole receive NXDOMAIN responses for all local devices.

I tried this on the OpenWrt router:

nslookup 192.168.0.99 127.0.0.1

and I get:

Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find 99.0.168.192.in-addr.arpa: NXDOMAIN

Normal lookups DO work (IP address is returned, although I don't know what's up with the last "can't find" line and if it's normal):

nslookup sauron.lan 127.0.0.1

Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      sauron.lan
Address 1: 192.168.0.99
*** Can't find sauron.lan: No answer

I expect to receive hostnames based on DHCP static leases.

Here are selections from my configs:

/etc/config/dhcp

config dnsmasq
        option localise_queries '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option port '0'
        option logqueries '1'
        option domainneeded '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option domain 'lan'
        option local '/lan/'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '72h'
        option force '1'
        list dhcp_option '121,10.10.0.0/24,192.168.0.9,10.11.0.0/24,192.168.0.9'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.0.99'
        option name 'sauron'
        option dns '1'

config domain
        option name 'sauron'
        option ip '192.168.0.99'

[...]

/etc/config/network

config interface 'loopback'
		option ifname 'lo'
		option proto 'static'
		option ipaddr '127.0.0.1'
		option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
		option type 'bridge'
		option proto 'static'
		option netmask '255.255.255.0'
		option ip6assign '60'
		option bridge_empty '1'
		list ifname 'lan0'
		list ifname 'lan1'
		list ifname 'lan2'
		list ifname 'lan3'
		list ifname 'lan4'
		option _turris_mode 'managed'
		option ipaddr '192.168.0.1'
		list dns '192.168.0.9'
		option ipv6 '0'
		option delegate '0'

config interface 'wan'
		option ifname 'eth2'
		option proto 'pppoe'
		option password 'X'
		option username 'Y'
		option ipv6 '0'

config interface 'guest_turris'
		option enabled '1'
		option proto 'static'
		option netmask '255.255.255.0'
		option bridge_empty '1'
		option ipaddr '192.168.10.1'
		option type 'bridge'

config interface 'wan6'
		option ifname '@wan'
		option proto 'none'
		option ipv6 '0'

config route
		option interface 'lan'
		option netmask '255.255.255.0'
		option gateway '192.168.0.9'
		option target '10.5.0.0'

config route
		option interface 'lan'
		option netmask '255.255.255.0'
		option gateway '192.168.0.9'
		option target '10.11.0.0'

/etc/config/resolver

config resolver 'common'
		list interface '0.0.0.0'
		list interface '::0'
		option port '53'
		option keyfile '/etc/root.keys'
		option verbose '0'
		option msg_buffer_size '4096'
		option msg_cache_size '20M'
		option net_ipv6 '1'
		option net_ipv4 '1'
		option prefered_resolver 'kresd'
		option ignore_root_key '0'
		option prefetch 'yes'
		option static_domains '1'
		option dynamic_domains '0'
		option forward_upstream '0'

config resolver 'kresd'
		option rundir '/tmp/kresd'
		option log_stderr '1'
		option log_stdout '1'
		option forks '1'
		option keep_cache '1'

config resolver 'unbound'
		option outgoing_range '60'
		option outgoing_num_tcp '1'
		option incoming_num_tcp '1'
		option msg_cache_slabs '1'
		option num_queries_per_thread '30'
		option rrset_cache_size '100K'
		option rrset_cache_slabs '1'
		option infra_cache_slabs '1'
		option infra_cache_numhosts '200'
		list access_control '0.0.0.0/0 allow'
		list access_control '::0/0 allow'
		option pidfile '/var/run/unbound.pid'
		option root_hints '/etc/unbound/named.cache'
		option target_fetch_policy '2 1 0 0 0'
		option harden_short_bufsize 'yes'
		option harden_large_queries 'yes'
		option qname_minimisation 'yes'
		option harden_below_nxdomain 'yes'
		option key_cache_size '100k'
		option key_cache_slabs '1'
		option neg_cache_size '10k'
		option prefetch_key 'yes'

config resolver 'unbound_remote_control'
		option control_enable 'yes'
		option control_use_cert 'no'
		list control_interface '127.0.0.1'

/etc/dnsmasq.conf

[...]

dhcp-option=6,192.168.0.9

/etc/resolv.conf

search lan
nameserver 127.0.0.1

/etc/hosts

127.0.0.1 localhost

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.0.99	sauron

[...]

As you can see from the configs above, I also tried adding entries in LuCi > Hostnames, and in /etc/hosts and "service dnsmasq restart", still no reverse DNS.

Note: although not relevant to the issue, just for full understanding, 10.10.0.0/24 and 10.11.0.0/24 are subnets of 2 VPNs that also reside on the PiHole, hence the reason I set up Static Routes in the router.
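Two things in the question decide where a reverse query can possibly be answered: the PTR name that nslookup builds from the address, and whether dnsmasq (the only daemon that knows the DHCP leases and the config host entries) serves DNS at all. The helpers below are an added example, not code from the original post or from OpenWrt/Turris; they run on a copied fragment of /etc/config/dhcp rather than on the live router, and the three fragments are constructed to mirror the posted config (port '0'), the port-5353 layout, and a config with no port option. They rely on one dnsmasq fact: port 0 disables dnsmasq's DNS function and leaves only DHCP/TFTP running.

```shell
#!/bin/sh
# Added diagnostic helpers, not code from the original post. They read a UCI
# /etc/config/dhcp fragment from stdin, so they can be run off the router.
# Assumption: 'option port' in the 'config dnsmasq' section is what decides
# whether dnsmasq answers DNS; dnsmasq treats port 0 as "DHCP/TFTP only".

# Constructed fragment mirroring the poster's config (DNS side switched off).
SAMPLE_DHCP_BROKEN=$(cat <<'EOF'
config dnsmasq
        option localise_queries '1'
        option port '0'
        option domain 'lan'
        option local '/lan/'

config dhcp 'lan'
        option interface 'lan'
EOF
)

# Constructed fragment with dnsmasq moved to port 5353 (the Turris layout).
SAMPLE_DHCP_FIXED=$(cat <<'EOF'
config dnsmasq
        option port '5353'
        option domain 'lan'
EOF
)

# Constructed fragment with no port option at all (dnsmasq then defaults to 53).
SAMPLE_DHCP_DEFAULT=$(cat <<'EOF'
config dnsmasq
        option domain 'lan'
EOF
)

# PTR name nslookup queries when reverse-resolving an IPv4 address:
# 192.168.0.99 -> 99.0.168.192.in-addr.arpa
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Print the DNS port dnsmasq will use, read from a UCI dhcp config on stdin.
# Only the 'config dnsmasq' section is inspected; an absent option means 53.
dnsmasq_dns_port() {
    awk '
        /^config[ \t]/ { in_dnsmasq = ($2 == "dnsmasq") }
        in_dnsmasq && $1 == "option" && $2 == "port" {
            gsub("\047", "", $3)   # strip the UCI single quotes
            print $3; found = 1; exit
        }
        END { if (!found) print 53 }
    '
}

# "disabled" when dnsmasq answers no DNS at all, else "listening:<port>".
# With port 0 the names derived from DHCP leases and from the config host
# entries exist in no server a client can reach, so PTR queries for LAN
# addresses cannot be answered locally no matter where they are sent.
dnsmasq_dns_state() {
    port=$(dnsmasq_dns_port)
    if [ "$port" = "0" ]; then
        echo "disabled"
    else
        echo "listening:$port"
    fi
}

# One summary line for a config fragment and an address.
diagnose() {  # $1 = config text, $2 = IPv4 address
    state=$(printf '%s\n' "$1" | dnsmasq_dns_state)
    printf 'PTR %s -> dnsmasq %s\n' "$(ptr_name "$2")" "$state"
}

diagnose "$SAMPLE_DHCP_BROKEN" 192.168.0.99
diagnose "$SAMPLE_DHCP_FIXED" 192.168.0.99
diagnose "$SAMPLE_DHCP_DEFAULT" 192.168.0.99
```

On a real router, replace the constructed fragments with `cat /etc/config/dhcp | dnsmasq_dns_state`; a "disabled" result means the NXDOMAIN is coming from whatever daemon owns port 53 (on Turris OS, kresd), which never sees the leases.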

There is no AAAA record for IPv6.

Regarding your problem, if I understand correctly, you have disabled dnsmasq

and you are using unbound. Does it know how to contact dnsmasq to ask for this address?
In my configuration with dnsmasq only, reverse lookup works fine.

This can be added in /etc/config/dhcp as list dhcp_option '6,192.168.0.9' under config dhcp 'lan'


Oh wow, I didn't realise that.

On further documenting, looks like Omnia uses kresd as DNS resolver and only uses dnsmasq for DHCP.

I set the port to 53 under "config dnsmasq" and rDNS now works.

I also found this, but don't think I need to go that complicated route as I actually use the PiHole as DNS resolver anyway. Oddly enough, the "kresd" service appears disabled in Luci > System > Startup, but appears to run as a process:

ps aux | grep kresd
kresd    27366  0.1  0.3  31324  7276 ?        S<   16:43   0:00 /usr/sbin/kresd --noninteractive -c /tmp/kresd.config /tmp/kresd

I'll try to see if there's anything else to disable related to kresd (just to free up resources on the router) and document further on this.

Thank you very much! I kind of suspected this is a specific Turris thing but didn't appear obvious, sorry for the trouble.

You're welcome! Just keep in mind that troubleshooting the turris image is out of the scope of this forum.


Followup:

After killing kresd, I started noticing this in the system log:

/dhcp_host_domain_ng.py: DHCP add new hostname [netprinter,192.168.0.50]
/dhcp_host_domain_ng.py: Kresd is probably not running no socket found.

So I went the other route as suggested by Turris, and:

  • set dnsmasq port to 5353 in /etc/config/dhcp
  • edit /etc/config/resolver, add option include_config '/etc/kresd/custom.conf' under config resolver 'kresd'
  • create /etc/kresd/custom.conf containing:
-- Hand the 'lan' forward zone and the 192.168.0.0/16 reverse zone to dnsmasq on 127.0.0.1:5353
local lan_rule = policy.add(policy.suffix(policy.STUB('127.0.0.1@5353'), policy.todnames({'lan','168.192.in-addr.arpa'})))
-- policy.add appends; delete and re-insert at index 1 so this rule is evaluated before the rules already present
policy.del(lan_rule.id)
table.insert(policy.rules, 1, lan_rule)

-- Same for the main VPN range: 10.10.in-addr.arpa covers all of 10.10.0.0/16 ('lan' is already matched by lan_rule)
local vpn_main_rule = policy.add(policy.suffix(policy.STUB('127.0.0.1@5353'), policy.todnames({'lan','10.10.in-addr.arpa'})))
policy.del(vpn_main_rule.id)
table.insert(policy.rules, 2, vpn_main_rule)

-- Same for the restricted VPN range: 11.10.in-addr.arpa covers all of 10.11.0.0/16
local vpn_restricted_rule = policy.add(policy.suffix(policy.STUB('127.0.0.1@5353'), policy.todnames({'lan','11.10.in-addr.arpa'})))
policy.del(vpn_restricted_rule.id)
table.insert(policy.rules, 3, vpn_restricted_rule)

to cover LAN + VPNs resolving.

(I hope the syntax is correct, kresd didn't complain)

Then

service dnsmasq restart
service kresd restart

Also added hostnames for VPN IPs (I configured OpenVPN to allocate static IPs to clients) to Luci > Network > Hostnames (which adds config domain entries in /etc/config/dhcp) so they would be resolved too by the router.

Only tested the setup for LAN resolving, so take the VPN setup with a grain of salt.

I was surprised that the first option of running both dnsmasq and kresd on the same port worked, as

netstat -ulnp | grep :53

gave this:

udp 0 0 0.0.0.0:53 0.0.0.0:* 8152/kresd
udp 0 0 127.0.0.1:53 0.0.0.0:* 3159/dnsmasq
udp 0 0 192.168.0.1:53 0.0.0.0:* 3159/dnsmasq

It probably worked because the interfaces are different, and 0.0.0.0 is the last one responding in the precedence order.
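The netstat output above explains both why the port-53 setup appeared to work and why it was fragile. On Linux a UDP datagram is delivered to the socket bound to the exact destination address when one exists, and only otherwise to a socket bound to the 0.0.0.0 wildcard on the same port; the two daemons could only co-bind port 53 because both sockets were opened with SO_REUSEADDR, otherwise the second bind would have failed. So the router's own lookups (resolv.conf points at 127.0.0.1) and LAN clients querying 192.168.0.1 reached dnsmasq, while anything addressed to another interface, such as the guest network's 192.168.10.1 from the posted /etc/config/network, would have reached kresd, which has no lease data. The helpers below are an added example, not code from the original post or from either daemon; they run on a constructed copy of the quoted netstat lines, and the guest-interface case is an inference from the posted config, not something the poster tested.

```shell
#!/bin/sh
# Added helpers, not from the original post: decide from `netstat -ulnp`
# output which daemon a UDP query to a given destination address reaches.
# Assumption (Linux delivery rule): a socket bound to the exact destination
# address beats one bound to the 0.0.0.0 wildcard on the same port.

# Constructed copy of the `netstat -ulnp | grep :53` output quoted in the post.
SAMPLE_NETSTAT=$(cat <<'EOF'
udp        0      0 0.0.0.0:53          0.0.0.0:*      8152/kresd
udp        0      0 127.0.0.1:53        0.0.0.0:*      3159/dnsmasq
udp        0      0 192.168.0.1:53      0.0.0.0:*      3159/dnsmasq
EOF
)

# Print "local_address pid/program" for each IPv4 UDP socket on port $1.
# udp6 rows are ignored; the poster's router has IPv6 switched off.
udp_listeners() {  # $1 = port; netstat output on stdin
    awk -v port="$1" '
        $1 == "udp" {
            n = split($4, part, ":")
            if (part[n] == port) {
                addr = substr($4, 1, length($4) - length(part[n]) - 1)
                print addr, $NF
            }
        }'
}

# Which pid/program receives a datagram sent to $1:$2? Exact-address binding
# first, wildcard second, "none" if nothing listens on that port.
udp_owner() {  # $1 = destination IP, $2 = port; netstat output on stdin
    udp_listeners "$2" | awk -v ip="$1" '
        $1 == ip        { exact = $2 }
        $1 == "0.0.0.0" { wild = $2 }
        END {
            if (exact != "")     print exact
            else if (wild != "") print wild
            else                 print "none"
        }'
}

# Show where the three kinds of client in the thread end up:
# the router itself, a LAN client, and a guest-network client.
for dst in 127.0.0.1 192.168.0.1 192.168.10.1; do
    printf '%-13s -> %s\n' "$dst" "$(printf '%s\n' "$SAMPLE_NETSTAT" | udp_owner "$dst" 53)"
done
```

On a live box run `netstat -ulnp | udp_owner <address> 53` (or `ss -ulnp` reformatted to the same columns) for each address clients actually query; any address that resolves to the wildcard owner is a query path that bypasses dnsmasq, which is exactly the split the later port-5353 plus STUB configuration removes.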
