I'm trying to build a test environment on OpenWrt for verifying the DNS functionality of other devices. The environment needs two DNS servers inside a single OpenWrt system. When the devices under test connect to the Wi-Fi access point, I expect them to be able to send DNS queries to both DNS servers. I have the configuration below. I do see two dnsmasq instances listening on two networks, but only the first dnsmasq replies to DNS queries; the second one doesn't reply to any query. I don't know whether I have set something wrong, especially in the firewall or the network creation.
- Add a network 'nif4dns'
# uci set network.nif4dns=interface
# uci set network.nif4dns.proto='static'
# uci set network.nif4dns.ipaddr='192.168.2.1'
# uci set network.nif4dns.netmask='255.255.255.0'
# uci set network.nif4dns.ip6assign='60'
# uci set network.nif4dns.ifname='eth1.2'
# uci commit network
# /etc/init.d/network restart
# uci export network
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd84:786a:9d65::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth1.1 eth1.2'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
config interface 'nif4dns'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth1.2'
- Configure the firewall for network 'nif4dns'
# uci add_list firewall.@zone[0].network='nif4dns'
# uci commit firewall
# /etc/init.d/firewall restart
# uci show firewall
…
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan' 'nif4dns'
...
- (from LuCI) Add network 'nif4dns' into the 'lan' bridge
# brctl show
bridge name bridge id STP enabled interfaces
br-lan 7fff.78d294a83443 no eth1.1
wlan0
eth1.2
- Configure 2 instances of dnsmasq
// exclude 'nif4dns' from the default dnsmasq
# uci add_list dhcp.@dnsmasq[0].notinterface="nif4dns"
// add '2nd_dnsmasq'
# uci set dhcp.2nd_dnsmasq=dnsmasq
# uci set dhcp.2nd_dnsmasq.domainneeded='1'
# uci set dhcp.2nd_dnsmasq.localise_queries='1'
# uci set dhcp.2nd_dnsmasq.rebind_protection='1'
# uci set dhcp.2nd_dnsmasq.rebind_localhost='1'
# uci set dhcp.2nd_dnsmasq.expandhosts='1'
# uci set dhcp.2nd_dnsmasq.authoritative='1'
# uci set dhcp.2nd_dnsmasq.readethers='1'
# uci set dhcp.2nd_dnsmasq.leasefile='/tmp/dhcp.leases'
# uci set dhcp.2nd_dnsmasq.resolvfile='/tmp/resolv.conf.auto'
# uci set dhcp.2nd_dnsmasq.nonwildcard='1'
# uci set dhcp.2nd_dnsmasq.localservice='1'
# uci set dhcp.2nd_dnsmasq.local='/SOME_TEST_DOMAIN/'
# uci set dhcp.2nd_dnsmasq.domain='SOME_TEST_DOMAIN'
# uci set dhcp.2nd_dnsmasq.logqueries='1'
# uci add_list dhcp.2nd_dnsmasq.interface='nif4dns'
# uci add_list dhcp.2nd_dnsmasq.notinterface='loopback'
- Disable the DHCP role on the 2nd dnsmasq
# uci set dhcp.nif4dns="dhcp"
# uci set dhcp.nif4dns.instance="2nd_dnsmasq"
# uci set dhcp.nif4dns.interface="nif4dns"
# uci set dhcp.nif4dns.ignore="1"
# uci commit dhcp
/etc/init.d/dnsmasq restart
/etc/init.d/odhcpd restart
- Check the current status
# uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option nonwildcard '1'
option localservice '1'
option local '/SOME_TEST_DOMAIN/'
option domain 'SOME_TEST_DOMAIN'
option logqueries '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
list notinterface 'nif4dns'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
list dhcp_option '6,8.8.8.8,8.8.4.4'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain
option name 'SOME_TEST_DOMAIN'
option ip '100.91.132.67'
config dnsmasq '2nd_dnsmasq'
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option local '/SOME_TEST_DOMAIN/'
option domain 'SOME_TEST_DOMAIN'
option logqueries '1'
list interface 'nif4dns'
list notinterface 'loopback'
config dhcp 'nif4dns'
option instance '2nd_dnsmasq'
option interface 'nif4dns'
option ignore '1'
# netstat -lutnp | grep dnsmasq
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 19186/dnsmasq
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 19186/dnsmasq
tcp 0 0 100.91.132.67:53 0.0.0.0:* LISTEN 19186/dnsmasq
tcp 0 0 192.168.2.1:53 0.0.0.0:* LISTEN 19187/dnsmasq
tcp 0 0 ::1:53 :::* LISTEN 19186/dnsmasq
tcp 0 0 fe80::7ad2:94ff:fea8:3444:53 :::* LISTEN 19186/dnsmasq
tcp 0 0 fe80::7ad2:94ff:fea8:3443:53 :::* LISTEN 19186/dnsmasq
tcp 0 0 2401:fa00:49c:5e0::1:53 :::* LISTEN 19186/dnsmasq
tcp 0 0 fd84:786a:9d65::1:53 :::* LISTEN 19186/dnsmasq
tcp 0 0 fe80::7ad2:94ff:fea8:3443:53 :::* LISTEN 19186/dnsmasq
tcp 0 0 2401:fa00:480:9003:7ad2:94ff:fea8:3444:53 :::* LISTEN 19186/dnsmasq
tcp 0 0 fe80::7ad2:94ff:fea8:3444:53 :::* LISTEN 19186/dnsmasq
tcp 0 0 fe80::7ad2:94ff:fea8:3445:53 :::* LISTEN 19186/dnsmasq
tcp 0 0 fd84:786a:9d65:10::1:53 :::* LISTEN 19187/dnsmasq
tcp 0 0 fe80::7ad2:94ff:fea8:3443:53 :::* LISTEN 19187/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 19186/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 19187/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 19186/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 19186/dnsmasq
udp 0 0 100.91.132.67:53 0.0.0.0:* 19186/dnsmasq
udp 0 0 192.168.2.1:53 0.0.0.0:* 19187/dnsmasq
udp 0 0 ::1:53 :::* 19186/dnsmasq
udp 0 0 fe80::7ad2:94ff:fea8:3444:53 :::* 19186/dnsmasq
udp 0 0 fe80::7ad2:94ff:fea8:3443:53 :::* 19186/dnsmasq
udp 0 0 2401:fa00:49c:5e0::1:53 :::* 19186/dnsmasq
udp 0 0 fd84:786a:9d65::1:53 :::* 19186/dnsmasq
udp 0 0 fe80::7ad2:94ff:fea8:3443:53 :::* 19186/dnsmasq
udp 0 0 2401:fa00:480:9003:7ad2:94ff:fea8:3444:53 :::* 19186/dnsmasq
udp 0 0 fe80::7ad2:94ff:fea8:3444:53 :::* 19186/dnsmasq
udp 0 0 fe80::7ad2:94ff:fea8:3445:53 :::* 19186/dnsmasq
udp 0 0 fd84:786a:9d65:10::1:53 :::* 19187/dnsmasq
udp 0 0 fe80::7ad2:94ff:fea8:3443:53 :::* 19187/dnsmasq
Clues:
- The client device in the WLAN can ping both 192.168.1.1 and 192.168.2.1.
- When the client device sends a DNS query to 192.168.1.1:53, it gets replies from the default dnsmasq.
- When the client device sends a DNS query to 192.168.2.1:53, it gets no reply from the 2nd dnsmasq. In the OpenWrt system log there is no query being processed by the 2nd dnsmasq after launch. From tcpdump, OpenWrt did receive the DNS queries from the client device on 192.168.2.1:53, but those packets were never answered. (Note that in the capture the query's source address is 192.168.1.222, which lies outside the 192.168.2.0/24 subnet of 192.168.2.1; since the 2nd instance has `localservice '1'` set, that is worth checking.)
// tcpdump
1461 2020-09-11 13:03:59.442241 192.168.1.222 192.168.2.1 DNS 96 Standard query 0x4761 A www.cnn.com OPT
1461 2020-09-11 13:03:59.442241 192.168.1.222 192.168.2.1 DNS 96 Standard query 0x4761 A www.cnn.com OPT
- When I SSH into OpenWrt, I can perform DNS queries against both dnsmasqs.
//System log
Fri Sep 11 20:50:17 2020 daemon.info dnsmasq[19186]: 4 192.168.1.1/44270 query[A] www.yahoo.com from 192.168.1.1
Fri Sep 11 20:50:17 2020 daemon.info dnsmasq[19186]: 4 192.168.1.1/44270 forwarded www.yahoo.com to 8.8.8.8
Fri Sep 11 20:50:17 2020 daemon.info dnsmasq[19186]: 4 192.168.1.1/44270 forwarded www.yahoo.com to 8.8.4.4
Fri Sep 11 20:50:17 2020 daemon.info dnsmasq[19186]: 4 192.168.1.1/44270 reply www.yahoo.com is <CNAME>
Fri Sep 11 20:50:17 2020 daemon.info dnsmasq[19186]: 4 192.168.1.1/44270 reply new-fp-shed.wg1.b.yahoo.com is 180.222.102.202
Fri Sep 11 20:50:17 2020 daemon.info dnsmasq[19186]: 4 192.168.1.1/44270 reply new-fp-shed.wg1.b.yahoo.com is 180.222.102.201
Fri Sep 11 20:50:26 2020 daemon.info dnsmasq[19187]: 1 192.168.2.1/56340 query[A] www.cnn.com from 192.168.2.1
Fri Sep 11 20:50:26 2020 daemon.info dnsmasq[19187]: 1 192.168.2.1/56340 forwarded www.cnn.com to 8.8.8.8
Fri Sep 11 20:50:26 2020 daemon.info dnsmasq[19187]: 1 192.168.2.1/56340 forwarded www.cnn.com to 8.8.4.4
Fri Sep 11 20:50:26 2020 daemon.info dnsmasq[19187]: 1 192.168.2.1/56340 reply www.cnn.com is <CNAME>
Fri Sep 11 20:50:26 2020 daemon.info dnsmasq[19187]: 1 192.168.2.1/56340 reply turner-tls.map.fastly.net is 151.101.1.67
Fri Sep 11 20:50:26 2020 daemon.info dnsmasq[19187]: 1 192.168.2.1/56340 reply turner-tls.map.fastly.net is 151.101.65.67
Fri Sep 11 20:50:26 2020 daemon.info dnsmasq[19187]: 1 192.168.2.1/56340 reply turner-tls.map.fastly.net is 151.101.129.67
Fri Sep 11 20:50:26 2020 daemon.info dnsmasq[19187]: 1 192.168.2.1/56340 reply turner-tls.map.fastly.net is 151.101.193.67
I feel I'm pretty close to the target, but I'm still missing a piece of the puzzle.