Separate network is using LAN DNS?

Hi,

I have a VPN running with VPN policy-based routing. It seems to work; the only strange thing I'm seeing is that the VPN network (which is a completely separate interface: vpnlan -> tun0) is also using the LAN network's DNS...

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.251'
        option gateway '192.168.0.250'
        option delegate '0'
        list dns '192.168.0.20'

config interface 'vpnlan'
        option proto 'static'
        option delegate '0'
        option netmask '255.255.255.0'
        option ipaddr '172.16.12.1'
        option type 'bridge'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

A DNS leak test shows that all DNS servers from the config are used on the vpnlan network.

Any ideas on this issue?

  • Check network/DNS config/status on the client.
  • Make sure there's no firewall redirects intercepting DNS traffic on the router.
1 Like

Clients are getting the router IP from the VPNLAN as DNS server...

NO firewall redirects...

PS: if I remove the list dns from the LAN, all is well... But this would mean no more DNS on the LAN.

I'm not seeing it ;-(

It doesn't work as you may think.
DNS on interfaces is used by the router itself, not its clients.
Instead, you need to provide custom DNS with DHCP.

2 Likes

Ok, that (logically) works.

So DNS on interfaces is not used by clients? What's the flow then when a client has got the router's IP as DNS?

It looks like the DNS of the LAN interface is being used instead of the vpnlan's DNS...

Or does this mean that all interface DNS entries are used on all interfaces?

Would setting up 2 dnsmasq instances solve this?

Clients typically use the DNS advertised by DHCP, which is the router's IP by default.
DNS on interfaces is used as upstream resolvers for Dnsmasq and is unrelated to the DHCP configuration.
Dnsmasq periodically queries all upstream resolvers and uses the one which replies the fastest for a period of time.
Yep, using multiple Dnsmasq instances should work as well, assuming you specify different upstream resolvers for each instance and properly configure routing for outgoing DNS traffic.

1 Like

Alrighty, got it...

Thanks Vgaetera

1 Like

Not yet ;-(

Why is this in the multi-dnsmasq config:
ln -f -s /tmp/resolv.conf.auto /etc/resolv.conf.${INST}

This way the 2 instances get the same upstream DNS servers...?

# Interface lan
nameserver 192.168.0.20
# Interface vpnlan
nameserver 103.86.96.100
nameserver 103.86.99.100

or am I with stupid :wink:

The example in the wiki uses symlinks to the same resolver config for all instances.
You can replace the symlink with a custom config file, or utilize DNS forwarding.

1 Like
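To make the "custom config file instead of the symlink" suggestion concrete, here is an added example (not from the thread, the wiki, or OpenWrt itself). It takes a netifd-style resolv.conf.auto in the "# Interface <name>" format quoted above and splits it into one resolver file per interface, so each dnsmasq instance can be pointed at only its own upstream servers. The output directory, file names and the sample input are this example's own assumptions.

```shell
#!/bin/sh
# Added example: split a shared resolv.conf.auto into per-interface resolver files.
# Assumes the "# Interface <name>" comment format shown in the thread; the output
# directory and the resolv.conf.<iface> naming are choices made for this example.

split_resolv() {
    # $1 = path to resolv.conf.auto, $2 = output directory
    # Writes $2/resolv.conf.<iface> holding only that interface's nameserver lines.
    in="$1"; out="$2"
    mkdir -p "$out"
    iface=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "# Interface "*)
                iface="${line##* }"                 # text after the last space
                : > "$out/resolv.conf.$iface"       # create/truncate the per-interface file
                ;;
            nameserver*)
                # Ignore nameserver lines that appear before any interface header
                [ -n "$iface" ] && printf '%s\n' "$line" >> "$out/resolv.conf.$iface"
                ;;
        esac
    done < "$in"
}

resolvers_for() {
    # $1 = interface name, $2 = output directory; prints that interface's upstreams
    sed -n 's/^nameserver //p' "$2/resolv.conf.$1"
}

# Constructed sample input mirroring the resolv.conf.auto quoted in the thread
demo_dir=$(mktemp -d)
cat > "$demo_dir/resolv.conf.auto" <<'EOF'
# Interface lan
nameserver 192.168.0.20
# Interface vpnlan
nameserver 103.86.96.100
nameserver 103.86.99.100
EOF

split_resolv "$demo_dir/resolv.conf.auto" "$demo_dir/out"
echo "lan upstreams:";    resolvers_for lan    "$demo_dir/out"
echo "vpnlan upstreams:"; resolvers_for vpnlan "$demo_dir/out"
```

Each dnsmasq instance in /etc/config/dhcp can then reference its own file with option resolvfile, and the DHCP pool for each interface should hand out that instance's listen address as DNS (dhcp_option 6), so vpnlan clients never see the LAN resolver. Note that resolv.conf.auto is rewritten whenever an interface comes up, so in practice the split would be re-run from a hotplug script rather than once by hand.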

Thanks vga, got it fixed now, separate instances for lan/guest/vpn/local...

1 Like

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

2 Likes