[SOLVED] DNS on router not getting updated host names

I am running the following:

Model Linksys WRT1900ACv2
Firmware Version LEDE Reboot 17.01.5 r3919-38e704be71 / LuCI lede-17.01 branch (git-18.180.55366-b78664c)

I have set up a custom DNS server using LuCI by going to WAN advanced and unchecking "Use DNS servers advertised by peer", then setting my DNS to Cloudflare 1.1.1.1, Google and a few others. So far it's been working well.

The trouble I am having is that domain name resolution is not working in some cases that involve development work I am doing.

For example, my company does a hacky thing where we frequently assign addresses to subdomains on the fly for testing purposes. So, for example, I might assign the address 192.168.1.200 to subdomaintest.mycompany.com for temporary testing purposes. It seems to propagate fast, because when I go to whatsmydns and enter subdomaintest.mycompany.com it comes back with 192.168.1.200. But when I run nslookup subdomaintest.mycompany.com on my computer it doesn't find it. When I SSH into my router and run the same command again it does not find it. When I run the command nslookup subdomaintest.mycompany.com 1.1.1.1 it does find it.

I don't know if eventually it will work and I just need to wait a long time or not. Are there any logs from the DNS server running on LEDE to see what it is doing?

I tried disabling the custom DNS servers I set, restoring the checkmark on "Use DNS servers advertised by peer" and rebooting, but no luck fixing the problem.

Thanks,
Jacob

It sounds to me like your computer is not using your WRT1900ACv2 as its primary DNS server.

Are you using the router's DHCP to assign IP addresses and DNS Servers?

You generally can't rely on external DNS servers and have internal, "custom" DNS resolved. Those custom entries are likely only served by the non-public DNS servers within your company's internal network. One way or another you likely need to use them.

One way would likely be to accept what your DHCP server gives you for DNS servers.

Another way would be to run unbound with your choice of upstream resolvers and declare your company's "internal" DHCP servers as forwarders for your company's domain. Setting "forward-first" can help handle the cases where those servers are either not available or you've referenced the wrong IP addresses by going to your choice of upstream resolvers if they are either not reached or fail to return a result. Note that setting forward-first potentially leaks internal hostnames to the upstream resolvers.

Dnsmasq can forward queries selectively:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#selective_dns_forwarding


That's called DNS rebind, and you may tune the settings in LuCI -> Network -> DHCP and DNS. In "Domain whitelist", add the domains which you would expect to have internal IPs resolved, such as subdomaintest.mycompany.com.

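The two replies above (selective forwarding with dnsmasq's `server=/domain/ip` entries, and rebind protection with its "Domain whitelist") describe behaviour that is easier to see side by side. The following is an added example written for this thread, not dnsmasq's source and not part of LEDE/OpenWrt: a small model of how dnsmasq picks an upstream for a name and why the reply for subdomaintest.mycompany.com is dropped with the default settings. It does no network I/O; the upstream answers are a constructed table, and the internal DNS server 10.0.0.53 is an assumed address.

```python
"""Model of two dnsmasq behaviours from this thread: selective forwarding
(dnsmasq 'server=/domain/ip', UCI 'list server') and DNS rebind protection
(dnsmasq 'stop-dns-rebind', exempted by 'rebind-domain-ok', UCI
'option rebind_protection' / 'list rebind_domain').

Example code written for this thread, not dnsmasq's code. No network I/O:
the upstream answers below are a constructed table, and 10.0.0.53 is an
assumed internal DNS server address.
"""
import ipaddress
from dataclasses import dataclass, field


def _under(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it."""
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def is_rebind_suspect(addr: str) -> bool:
    """Approximation of what stop-dns-rebind rejects in an upstream answer:
    private (RFC 1918), loopback, link-local and 0.0.0.0/8 addresses.
    A public name resolving to such an address is exactly the shape of a
    rebind attack against hosts behind the router, which is why dnsmasq
    refuses it by default; dnsmasq's own address list may differ slightly."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


@dataclass
class DnsmasqConfig:
    # dnsmasq 'server=1.1.1.1' / UCI 'list server 1.1.1.1' (default upstreams)
    upstreams: list
    # dnsmasq 'server=/mycompany.com/10.0.0.53' / UCI 'list server /mycompany.com/10.0.0.53'
    domain_servers: dict = field(default_factory=dict)
    # dnsmasq 'stop-dns-rebind' / UCI 'option rebind_protection 1'
    rebind_protection: bool = True
    # dnsmasq 'rebind-domain-ok=/mycompany.com/' / UCI 'list rebind_domain mycompany.com'
    rebind_domain_ok: list = field(default_factory=list)


def pick_upstream(cfg: DnsmasqConfig, name: str) -> str:
    """Most specific matching server=/domain/ entry wins; otherwise the
    first default upstream is used."""
    best_domain, best_server = None, None
    for domain, server in cfg.domain_servers.items():
        if _under(name, domain) and (best_domain is None or len(domain) > len(best_domain)):
            best_domain, best_server = domain, server
    return best_server if best_server else cfg.upstreams[0]


def resolve(cfg: DnsmasqConfig, name: str, upstream_answers: dict):
    """Forward a query and apply rebind protection to the reply.

    upstream_answers maps (upstream_ip, name) -> list of answer addresses
    and stands in for the real upstream servers. Returns (addresses, log);
    a rejected reply yields ([], warning) mirroring dnsmasq's
    'possible DNS-rebind attack detected' log line.
    """
    upstream = pick_upstream(cfg, name)
    answer = upstream_answers.get((upstream, name), [])
    exempt = any(_under(name, d) for d in cfg.rebind_domain_ok)
    if cfg.rebind_protection and not exempt and any(is_rebind_suspect(a) for a in answer):
        return [], f"possible DNS-rebind attack detected: {name}"
    return answer, None


# Constructed upstream table for the thread's situation: the public zone maps
# the test host to a LAN address, and the assumed internal server knows it too.
ANSWERS = {
    ("1.1.1.1", "subdomaintest.mycompany.com"): ["192.168.1.200"],
    ("1.1.1.1", "www.example.com"): ["93.184.216.34"],
    ("10.0.0.53", "subdomaintest.mycompany.com"): ["192.168.1.200"],
}

# 1. Defaults: the private answer is dropped and the warning is logged.
DEFAULT = DnsmasqConfig(upstreams=["1.1.1.1", "8.8.8.8"])
# 2. Whitelist the company domain; protection stays on for everything else.
WHITELISTED = DnsmasqConfig(upstreams=["1.1.1.1", "8.8.8.8"],
                            rebind_domain_ok=["mycompany.com"])
# 3. Additionally forward the company domain to the internal server.
FORWARDED = DnsmasqConfig(upstreams=["1.1.1.1", "8.8.8.8"],
                          domain_servers={"mycompany.com": "10.0.0.53"},
                          rebind_domain_ok=["mycompany.com"])

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT), ("whitelisted", WHITELISTED), ("forwarded", FORWARDED)):
        for n in ("subdomaintest.mycompany.com", "www.example.com"):
            print(label, n, resolve(cfg, n, ANSWERS))
```

Running it shows the default configuration returning an empty answer with the rebind warning for subdomaintest.mycompany.com while www.example.com resolves normally; the whitelisted and forwarded configurations return 192.168.1.200. Whitelisting the one domain keeps the check in place for every other name, which is the reason to prefer it over turning rebind protection off for the whole router.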

Thanks yes I enabled DNS logs and I see in the logs now "daemon.warn dnsmasq[4493]: possible DNS-rebind attack detected: ". I've disabled "Rebind protection" as needed.

