Multiple lan DNS resolution

Hello guys !

As I have some time now, I'm reviewing my network architecture.
Here's what I want to achieve:
lan

My problem, for now, is that I can't resolve from mydomain.lan to lab.lan for example.

Here are my config files:

/etc/config/network

# /etc/config/network — loopback, three static networks (lan, guest, lab), a DHCP wan,
# a WireGuard client (its sections were elided by the poster) and the switch VLAN layout.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# NOTE(review): the opening quote is missing in the paste and the prefix value is redacted ('xxxx').
	option ula_prefix xxxx'

# Management LAN: 192.168.1.0/24 on VLAN 1000, bridged with two radios.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.254'
	option broadcast '192.168.1.255'
	option _orig_ifname 'eth0.1000 radio1.network1 radio2.network1'
	option _orig_bridge 'true'
	option delegate '0'
	# The interface's own resolver entry is the local dnsmasq (same on guest, wan and lab below);
	# the reply later in the thread advises against putting this on the interfaces.
	list dns '127.0.0.1'
	option ifname 'eth0.1000'

# Guest network: 192.168.100.0/24. No ifname is given, so the carrying device is attached
# elsewhere (presumably from the wireless config) — not visible in this paste.
config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option broadcast '192.168.100.255'
	option delegate '0'
	option ipaddr '192.168.100.254'
	list dns '127.0.0.1'

# WAN: DHCP from the ISP on VLAN 2000. peerdns '0' ignores the resolver offered in the lease,
# so the router's lookups for this interface go to the local dnsmasq (list dns) instead.
config interface 'wan'
	option ifname 'eth1.2000'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'
	list dns '127.0.0.1'

config interface 'wan6'
	option proto 'dhcpv6'
	option ifname 'eth1.2000'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# WireGuard client interface; keys and peer settings were elided by the poster.
config interface 'wg0'
...

config wireguard_wg0 'wgclient'
...

# Switch port map: VLAN 1000 = lan (port 3), 2000 = wan (port 6 tagged), 1100 = lab (port 2),
# 1200 = the planned ADM/mirror network (port 1). Ports 5t/6t look like the CPU-facing ports
# (eth0/eth1). Port 4 is tagged in both the lan and the wan VLAN — confirm that is intended,
# since whatever is plugged there sees both networks.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '1000'
	option ports '3 4t 5t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '2000'
	option ports '4t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '1100'
	option ports '2 5t'

# VLAN 1200 (ADM): only the VLAN exists here; no 'config interface' for eth0.1200 appears in the paste.
config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '1 5t'
	option vid '1200'

# Lab network: 192.168.2.0/24 on VLAN 1100; lab.lan is served by the dnsmasq_lab instance
# bound to this interface (see /etc/config/dhcp).
config interface 'lab'
	option proto 'static'
	option ifname 'eth0.1100'
	option ipaddr '192.168.2.254'
	option netmask '255.255.255.0'
	option delegate '0'
	list dns '127.0.0.1'
	option broadcast '192.168.2.255'

/etc/config/dhcp

# /etc/config/dhcp — one dnsmasq instance per network (lan, guest, lab). Each instance is bound
# to its own interface(s) with 'interface'/'notinterface' and is authoritative for its own domain.

# Instance for the management LAN (plus wg0 and loopback): serves mydomain.lan, forwards
# everything else to the local dnscrypt-proxy2 listener on 127.0.0.1#5353, and forwards
# lab.lan to the lab instance.
config dnsmasq 'dnsmasq_lan'
	option domainneeded '1'
	option localise_queries '1'
	# rebind_protection '1' discards upstream answers that resolve to private addresses. The
	# forwarded lab.lan answers (192.168.2.x) are exactly that, so they get dropped — see the
	# "possible DNS-rebind attack detected" log line later in the thread. The fix is to list
	# the trusted internal domain with 'list rebind_domain', not to switch the protection off.
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option leasefile '/mnt/usb/log/dnsmasq_lan.leases'
	# Only clients on the subnets of the listened interfaces are answered.
	option localservice '1'
	# Every query (with client IP) is logged to the USB stick.
	option logqueries '1'
	option logfacility '/mnt/usb/log/dnsmasq_lan.log'
	option local '/mydomain.lan/'
	option domain 'mydomain.lan'
	option allservers '1'
	# /etc/hosts is not read; the reply below questions combining this with expandhosts.
	option nohosts '1'
	option filterwin2k '1'
	option nonegcache '1'
	# Upstreams come only from the 'server' entries below, never from a resolv.conf.
	option noresolv '1'
	# TFTP for PXE boot, served from the USB stick by this instance (i.e. on the interfaces it
	# listens on — presumably not wan/guest/lab given the notinterface list; worth confirming).
	option enable_tftp '1'
	option tftp_root '/mnt/usb/pxe/'
	option cachesize '1000'
	list notinterface 'wan'
	list notinterface 'guest'
	list notinterface 'lab'
	list interface 'lan'
	list interface 'wg0'
	list interface 'loopback'
	list server '127.0.0.1#5353'
	# Conditional forward: lab.lan questions go to the lab instance on the lab interface address.
	list server '/lab.lan/192.168.2.254'

# LAN pool: 192.168.1.200-239 (start 200, limit 40), 12h leases.
# DHCP option 42 hands the router out as NTP server.
config dhcp 'lan'
	option interface 'lan'
	option force '1'
	list dhcp_option '42,192.168.1.254'
	option instance 'dnsmasq_lan'
	option start '200'
	option leasetime '12h'
	option limit '40'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd handles IPv6 (RA/DHCPv6) only; maindhcp '0' leaves IPv4 DHCP to dnsmasq.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Static leases (MACs redacted in the post). No 'instance' is set on these host entries, so
# check which dnsmasq instance picks up each one; 'test' lives on the lab subnet.
config host
	option name 'name'
	option mac 'xxxx'
	option ip '192.168.1.10'

...

config host
	option name 'test'
	option mac 'xxxx'
	option ip '192.168.2.10'

...

# Instance for the guest network: serves guest.lan and sends everything else straight to
# public resolvers as plain DNS (unlike lan/lab, it does not use the dnscrypt listener).
# Nothing internal is forwarded, so no rebind_domain is needed here.
config dnsmasq 'dnsmasq_guest'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option localservice '1'
	option logqueries '1'
	option logfacility '/mnt/usb/log/dnsmasq_guest.log'
	option local '/guest.lan/'
	option domain 'guest.lan'
	option allservers '1'
	option nohosts '1'
	option filterwin2k '1'
	option nonegcache '1'
	option noresolv '1'
	list server '9.9.9.9'
	list server '149.112.112.112'
	list server '80.67.169.12'
	list server '80.67.169.40'
	list interface 'guest'
	option leasefile '/mnt/usb/log/dnsmasq_guest.leases'
	list notinterface 'lan'
	list notinterface 'wan'
	list notinterface 'wg0'
	list notinterface 'lab'

# Guest pool: 192.168.100.100-199 (start 100, limit 100), 12h leases.
config dhcp 'guest'
	option interface 'guest'
	option force '1'
	option leasetime '12h'
	option start '100'
	option instance 'dnsmasq_guest'
	option limit '100'

# Lab pool: 192.168.2.100-249 (start 100, limit 150), 12h leases; option 42 = NTP server.
config dhcp 'lab'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'lab'
	list dhcp_option '42,192.168.2.254'
	option instance 'dnsmasq_lab'
	option force '1'

# Instance for the lab network: serves lab.lan, upstream via dnscrypt-proxy2 on 127.0.0.1#5353.
# There is no '/mydomain.lan/' server entry here, so lab clients cannot resolve lan names
# through this instance — the conditional forward is one-way (lan -> lab).
config dnsmasq 'dnsmasq_lab'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option leasefile '/mnt/usb/log/dnsmasq_lab.leases'
	option logqueries '1'
	option logfacility '/mnt/usb/log/dnsmasq_lab.log'
	option local '/lab.lan/'
	option domain 'lab.lan'
	option allservers '1'
	option nohosts '1'
	option filterwin2k '1'
	option nonegcache '1'
	option noresolv '1'
	list server '127.0.0.1#5353'
	option cachesize '1000'
	option localservice '1'
	list interface 'lab'
	list notinterface 'wan'
	list notinterface 'lan'
	list notinterface 'wg0'
	list notinterface 'guest'

/etc/config/firewall

# /etc/config/firewall — rules first, then defaults, zones, forwardings and the firewall.user include.
# Rules are matched in the order listed; a rule without 'dest' applies to traffic to the router
# itself (INPUT), a rule with 'dest' to forwarded traffic.

# SSH is accepted from the WAN zone on tcp/22 with no src_ip restriction, i.e. the router's SSH
# is reachable from the whole internet. A WireGuard listener is opened further down, so a
# lower-exposure option is to reach SSH over the VPN only and disable this rule (option enabled
# '0', as done for the Ping rule), or at least restrict it with 'option src_ip' to known addresses.
config rule
	option name 'WAN -> DEVICE | Allow SSH'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'WAN -> DEVICE | Allow DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Disabled (enabled '0'): the router does not answer ICMP echo from the WAN.
config rule
	option name 'WAN -> DEVICE | Allow Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'WAN -> DEVICE | Allow IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'WAN -> DEVICE | Allow DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'WAN -> DEVICE | Allow MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'WAN -> DEVICE | Allow ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# WireGuard listener (port redacted). No 'family' is set, so it applies to IPv4 and IPv6.
config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port 'xxxx'
	option name 'WAN -> DEVICE | Allow WireGuard VPN'

config rule
	option name 'WAN -> ANY ZONE | Allow ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# These two forward ESP and udp/500 from the WAN into the whole lan zone (they look like the
# stock OpenWrt rules). Unless an IPsec endpoint on the LAN needs them, they can be disabled.
config rule
	option name 'WAN -> LAN | Allow IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'WAN -> LAN | Allow ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'GUEST -> LAN | Deny All'
	option src 'guest'
	option dest 'lan'
	option proto 'all'
	option target 'DROP'

# No 'dest' here, so despite the name this is an INPUT rule: it lets guest clients talk DHCP
# to the router itself. The 'Deny All' above only covers forwarding into the lan zone.
config rule
	option name 'GUEST -> LAN | Allow DHCP Request'
	option src 'guest'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

# Likewise no 'dest': this admits guest DNS to the router (the dnsmasq_guest instance), not to
# the WAN. Guest clients have no direct DNS path to the internet — see the two rules below.
config rule
	option name 'GUEST -> WAN | Allow DNS Queries'
	option src 'guest'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'

# Only tcp 80/443 are forwarded guest -> wan; the DROP rule right after it catches the rest.
# Rule order matters here: the ACCEPT must stay above the DROP.
config rule
	option name 'GUEST -> WAN | Allow HTTP/HTTPS'
	option src 'guest'
	option proto 'tcp'
	option target 'ACCEPT'
	option dest 'wan'
	option dest_port '80 443'

config rule
	option name 'GUEST -> WAN | Deny'
	option src 'guest'
	option dest 'wan'
	option proto 'all'
	option target 'DROP'

# Policy for traffic not covered by any zone: drop everything, with SYN-flood protection and
# invalid-state drops enabled.
config defaults
	option syn_flood_protect '1'
	option drop_invalid '1'
	option syn_flood '1'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'

# lan zone: fully open towards the router and forwarded to wan and lab (see 'forwarding' below).
# wg0 is a member of this zone, so WireGuard peers get exactly the same access as wired LAN hosts.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

# wan zone: everything inbound is dropped unless a rule above accepts it; NAT (masq) and MSS
# clamping (mtu_fix) on the way out.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# /etc/firewall.user is included but not shown in the post; any extra iptables rules live there.
config include
	option path '/etc/firewall.user'

# guest zone: no router services except those explicitly accepted by the rules above.
config zone
	option name 'guest'
	option network 'guest'
	option output 'ACCEPT'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option dest 'wan'
	option src 'guest'

# lab zone: input ACCEPT gives lab hosts the same access to router services as lan hosts
# (unlike guest, nothing is filtered at the router). forward DROP and the single lan -> lab
# forwarding below mean that, in the sections shown, lab has no path to wan and cannot
# initiate connections into lan.
config zone
	option input 'ACCEPT'
	option forward 'DROP'
	option name 'lab'
	option output 'ACCEPT'
	option network 'lab'

# One-way: lan may initiate connections to lab, not the reverse.
config forwarding
	option dest 'lab'
	option src 'lan'

Some tests:

  • trying to resolve the router lab interface:
machine.mydomain.lan $ 
nslookup linksys.lab.lan
Server:		192.168.1.254
Address:	192.168.1.254#53

*** Can't find linksys.lab.lan: No answer

  • Whereas if I try to reach the OpenWRT lab interface:
machine.mydomain.lan $ 
ping 192.168.2.254
PING 192.168.2.254 (192.168.2.254) 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=3.34 ms
...                         

So the communication seems to work.

  • I tried to add this line in /etc/config/dhcp for mydomain.lan, but it doesn't work:
list server '/lab.lan/192.168.2.254'
  • I can ping any machine by name from my router:
root@linksys:/etc/config# ping test.lab.lan
PING test.lab.lan (192.168.2.10): 56 data bytes
64 bytes from 192.168.2.10: seq=1 ttl=64 time=0.223 ms
64 bytes from 192.168.2.10: seq=2 ttl=64 time=0.339 ms
...

and some remarks

  • Both DHCP/DNS work well on their respective interfaces: linksys.mydomain.lan and linksys.lab.lan respond, DHCP with static leases also.
  • The ADM zone is not configured yet, only the interface (eth0.1200) as the mirroring port; it is planned as soon as my other issues are fixed :slight_smile:
  • As you may notice, I use dnscrypt-proxy2 for internet DNS queries, which explains the port 5353.
  • As soon as everything works, I'll add a Wifi on the lab interface

If anyone has the solution, I'd be happy to hear it :wink:
And of course, if anyone finds any odd patterns, or has a better network configuration, let me know...

Thank you !

Don't use that on the interfaces. Normally you assign external name servers there, ones that are reachable from that interface.
You have nohosts and expandhosts both enabled :confused:
Set localservice '0' and filterwin2k '0'.

Thanks for your feedback.

Obviously, I didn't know. I've modified it accordingly.

Unfortunately, it didn't change anything.

But after looking at the logs, I found this:

Mar 24 00:04:43 dnsmasq[5840]: 283 192.168.1.10/57342 query[A] linksys.hack.lan from 192.168.1.10
Mar 24 00:04:43 dnsmasq[5840]: 283 192.168.1.10/57342 forwarded linksys.hack.lan to 192.168.2.254
Mar 24 00:04:43 dnsmasq[5840]: possible DNS-rebind attack detected: linksys.lab.lan
Mar 24 00:04:43 dnsmasq[5840]: 284 192.168.1.10/55936 query[AAAA] linksys.lab.lan from 192.168.51.12
Mar 24 00:04:43 dnsmasq[5840]: 284 192.168.1.10/55936 forwarded linksys.lab.lan to 192.168.2.254

So after adding list rebind_domain 'lab.lan', everything works: the lab instance answers with a private 192.168.2.x address, which rebind_protection '1' treats as a possible rebind attack and discards unless the domain is whitelisted in rebind_domain.

If it can be helpful for anyone...


After adding an interface on my laptop to reach my admin network, I'm now facing another DNS resolution problem.

When I try to resolve an address on admin.lan, I get the following error (192.168.1.x -> 192.168.51.x and 192.168.3.x -> 192.168.33.x):

$ nslookup linksys.admin.lan
Server:		192.168.51.254
Address:	192.168.51.254#53

** server can't find linksys.admin.lan: NXDOMAIN

root@linksys$ logread -f
...
Tue Mar 31 15:18:08 2020 daemon.info dnsmasq[5114]: 1 192.168.51.10/52811 query[A] linksys.admin.lan from 192.168.51.10
Tue Mar 31 15:18:08 2020 daemon.info dnsmasq[5114]: 1 192.168.51.10/52811 forwarded linksys.admin.lan to 127.0.0.1
Tue Mar 31 15:18:08 2020 daemon.info dnsmasq[5114]: 1 192.168.51.10/52811 reply linksys.admin.lan is NXDOMAIN
...

even if the resolv.conf seems ok:

# Generated by NetworkManager
search mydomain.lan admin.lan
nameserver 192.168.51.254
nameserver 192.168.33.254

I thought it would fall back to the second one, but apparently not.

But if I try with the admin DNS ip, it works:

$ nslookup linksys.admin.lan 192.168.33.254
Server:		192.168.33.254
Address:	192.168.33.254#53

Name:	linksys.admin.lan
Address: 192.168.33.254

To try to debug, I created a Virtualbox lab and here are the things I tested:

  1. trying several combinations of parameters: boguspriv, cachelocal, domainneeded, expandhosts, filterwin2k, local, localise_queries, localservice, nohosts, nonegcache, noresolv, resolvfile...

doesn't work

  2. trying to adapt the solutions given here, here and here:

doesn't work

  3. trying to modify /etc/resolv.conf, /tmp/resolv.conf or /tmp/resolv.conf.auto:

doesn't work

  4. the solution above works, but the request is sent through the mydomain DNS instance, not the admin one:
root@OpenWrt:~# cat /etc/config/dhcp
...
list server '/admin/192.168.33.254'
list rebind_domain 'admin'
...
root@OpenWrt:~# logread -f
...
Tue Mar 31 11:08:15 2020 daemon.info dnsmasq[12365]: 5 192.168.51.10/50593 query[A] debian-admin.admin from 192.168.51.10
Tue Mar 31 11:08:15 2020 daemon.info dnsmasq[12365]: 5 192.168.51.10/50593 forwarded debian-admin.admin to 192.168.33.254
Tue Mar 31 11:08:15 2020 daemon.info dnsmasq[12366]: 5 192.168.33.254/11639 query[A] debian-admin.admin from 192.168.33.254
Tue Mar 31 11:08:15 2020 daemon.info dnsmasq[12366]: 5 192.168.33.254/11639 DHCP debian-admin.admin is 192.168.33.10
Tue Mar 31 11:08:15 2020 daemon.info dnsmasq[12365]: 5 192.168.51.10/50593 reply debian-admin.admin is 192.168.33.10
Tue Mar 31 11:08:15 2020 daemon.info dnsmasq[12365]: 6 192.168.51.10/53975 query[AAAA] debian-admin.admin from 192.168.51.10
Tue Mar 31 11:08:15 2020 daemon.info dnsmasq[12365]: 6 192.168.51.10/53975 forwarded debian-admin.admin to 192.168.33.254
Tue Mar 31 11:08:15 2020 daemon.info dnsmasq[12366]: 6 192.168.33.254/27208 query[AAAA] debian-admin.admin from 192.168.33.254
Tue Mar 31 11:08:15 2020 daemon.info dnsmasq[12366]: 6 192.168.33.254/27208 config debian-admin.admin is NODATA-IPv6
...

work

  5. this solution works too, but it also goes through the mydomain DNS instance:
root@OpenWrt:~# cat /etc/config/dhcp
...
list address '/admin/192.168.33.254'
...

root@OpenWrt:~# logread -f
...
Tue Mar 31 11:09:22 2020 daemon.info dnsmasq[12956]: 1 192.168.51.10/45171 query[A] debian-admin.admin from 192.168.51.10
Tue Mar 31 11:09:22 2020 daemon.info dnsmasq[12956]: 1 192.168.51.10/45171 config debian-admin.admin is 192.168.64.254
Tue Mar 31 11:09:22 2020 daemon.info dnsmasq[12956]: 2 192.168.51.10/38334 query[AAAA] debian-admin.admin from 192.168.51.10
Tue Mar 31 11:09:22 2020 daemon.info dnsmasq[12956]: 2 192.168.51.10/38334 config debian-admin.admin is NODATA-IPv6
...

work

  6. Modifying /etc/hosts with the relevant option works too, but as before the request is sent through the mydomain interface, and this requires maintaining the /etc/hosts file, which I'd like to avoid.

work


So here are my (many...) questions:

  1. How can I tell my PC to ask the second DNS server? I tried with the option authoritative '0' but it doesn't work...
  2. What are the differences between 4 and 5?
  3. Does dnsmasq need to listen on loopback? If so, which instance is supposed to listen there?
  4. What is the purpose of /tmp/hosts/dhcp.* ? Why is there only one entry ?
  5. What are the differences between /tmp/resolv.conf, /tmp/resolv.conf.auto and the file defined with resolvfile? Which one uses which?
  6. Which instance uses /etc/dnsmasq.conf? Are there any relevant configuration options there?
  7. Why is the router unable to resolve its own address?
root@OpenWrt:~# cat /tmp/resolv.conf
# Interface wan
nameserver 8.8.8.8
root@OpenWrt:~# nslookup OpenWRT.lan 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

** server can't find OpenWRT.lan: NXDOMAIN
** server can't find OpenWRT.lan: NXDOMAIN
root@OpenWrt:~# nslookup OpenWRT.admin 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

*** Can't find OpenWRT.admin: No answer
Name:      OpenWRT.admin
root@OpenWrt:~# nslookup OpenWRT.lan 192.168.51.254
Server:		192.168.51.254
Address:	192.168.51.254#53

** server can't find OpenWRT.lan: NXDOMAIN
** server can't find OpenWRT.lan: NXDOMAIN
root@OpenWrt:~# nslookup OpenWRT.admin 192.168.33.254
Server:		192.168.33.254
Address:	192.168.33.254#53

** server can't find OpenWRT.admin: NXDOMAIN
** server can't find OpenWRT.admin: NXDOMAIN

  8. I noticed this when I set the wan DNS to loopback:
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 92 192.168.51.254/51901 query[PTR] 254.51.168.192.in-addr.arpa from 192.168.51.254
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 92 192.168.51.254/51901 /tmp/hosts/dhcp.lan_dns 192.168.51.254 is OpenWrt
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 93 192.168.51.254/51901 query[PTR] 2.56.168.192.in-addr.arpa from 192.168.51.254
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 93 192.168.51.254/51901 config 192.168.56.2 is NXDOMAIN
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 94 192.168.51.254/51901 query[PTR] 10.51.168.192.in-addr.arpa from 192.168.51.254
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 94 192.168.51.254/51901 config 192.168.51.10 is NXDOMAIN
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 95 192.168.51.254/51901 query[PTR] 10.33.168.192.in-addr.arpa from 192.168.51.254
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 95 192.168.51.254/51901 config 192.168.33.10 is NXDOMAIN
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 96 192.168.51.254/51901 query[PTR] 15.3.0.10.in-addr.arpa from 192.168.51.254
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 96 192.168.51.254/51901 config 10.0.3.15 is NXDOMAIN
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 97 192.168.51.254/51901 query[PTR] 254.33.168.192.in-addr.arpa from 192.168.51.254
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 97 192.168.51.254/51901 /tmp/hosts/dhcp.test_dns 192.168.33.254 is OpenWrt
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 98 192.168.51.254/51901 query[PTR] 1.56.168.192.in-addr.arpa from 192.168.51.254
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 98 192.168.51.254/51901 config 192.168.56.1 is NXDOMAIN
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 99 192.168.51.254/51901 query[PTR] 2.3.0.10.in-addr.arpa from 192.168.51.254
Tue Mar 31 13:55:28 2020 daemon.info dnsmasq[2072]: 99 192.168.51.254/51901 config 10.0.3.2 is NXDOMAIN

Who sends these requests? Why are they sent continuously? How can I stop them? And why, for example, is 192.168.51.10 NXDOMAIN while it is defined in /etc/config/dhcp?


I tried to be as exhaustive as possible, but do not hesitate to ask if you have any questions about my configuration.
I know there are many questions, but I am really trying to understand the various implications, as there are many places/options to set.
All I'm trying to do is have queries resolved by the respective DNS instance, have the router itself able to resolve all of them, and stop the requests that are being sent continuously.

I'd be very grateful to anyone who can help me...