[Solved] Problem resolving *some* CNAMEs

I am having a problem resolving certain addresses. This problem is happening on the router, and seems to be specific to AWS CNAMEs, anecdotally those which return a private IP (at least those are the ones that I'm having a problem with).

First off, problem nslookup on the OpenWrt router itself:

root@OpenWrt:~# nslookup mysql.prodna2.aws.weeverapps.com
Server:        127.0.0.1
Address:    127.0.0.1#53

*** Can't find mysql.prodna2.aws.weeverapps.com: No answer
Name:      mysql.prodna2.aws.weeverapps.com
mysql.prodna2.aws.weeverapps.com    canonical name = pm9b3h99ksjjzp.cbydxvymevbo.us-east-1.rds.amazonaws.com

Then, if I do the same lookup but tell nslookup to use 8.8.8.8 as the nameserver, it works:

root@OpenWrt:~# nslookup mysql.prodna2.aws.weeverapps.com 8.8.8.8
Server:        8.8.8.8
Address:    8.8.8.8#53

Name:      mysql.prodna2.aws.weeverapps.com
mysql.prodna2.aws.weeverapps.com    canonical name = pm9b3h99ksjjzp.cbydxvymevbo.us-east-1.rds.amazonaws.com
Name:      pm9b3h99ksjjzp.cbydxvymevbo.us-east-1.rds.amazonaws.com
Address 1: 10.15.42.9
mysql.prodna2.aws.weeverapps.com    canonical name = pm9b3h99ksjjzp.cbydxvymevbo.us-east-1.rds.amazonaws.com

The dnsmasq section in /etc/config/dhcp:

config dnsmasq
    option domainneeded '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '0'
    list server '8.8.8.8'
    list server '8.8.4.4'

And the output of /tmp/resolv.conf.auto:

root@OpenWrt:~# cat /tmp/resolv.conf.auto
# Interface wan
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 192.168.20.1
nameserver 8.8.8.8
nameserver 8.8.4.4
search localdomain

From all appearances, it looks like I am configured to use 8.8.8.8 as my default DNS server, however something is clearly wrong with nslookup unless I forcibly set the NS. Also, for the record, it's not just nslookup that can't resolve that address - ping doesn't work either, and neither do any clients using the OpenWrt as a DNS server.

The OpenWrt router is connected to the internet via a wifi network (192.168.20.x). If I connect directly to that network and bypass OpenWrt altogether, name resolution works fine, so it's not a problem with the upstream DNS server. And it's obviously not a problem with 8.8.8.8.

Does anyone have any idea what's going on?

Correct...or any public DNS server.

nslookup queries DNS to get the mapping.

Sorry, what I meant was "it looks like I am configured to use 8.8.8.8 as my default DNS server". But clearly that's not the case, or something else is amiss.

Looks like you did...

Curious if dig behaves differently than nslookup in your environs.

From a Mac client...

Working:

$ dig mysql.prodna2.aws.weeverapps.com

; <<>> DiG 9.9.7-P3 <<>> mysql.prodna2.aws.weeverapps.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11452
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mysql.prodna2.aws.weeverapps.com. IN	A

;; ANSWER SECTION:
mysql.prodna2.aws.weeverapps.com. 59 IN	CNAME	pm9b3h99ksjjzp.cbydxvymevbo.us-east-1.rds.amazonaws.com.
pm9b3h99ksjjzp.cbydxvymevbo.us-east-1.rds.amazonaws.com. 4 IN A	10.15.42.9

;; Query time: 218 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Feb 21 19:12:50 -05 2018
;; MSG SIZE  rcvd: 143

Broken:

$ dig mysql.prodna2.aws.weeverapps.com

; <<>> DiG 9.9.7-P3 <<>> mysql.prodna2.aws.weeverapps.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1204
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;mysql.prodna2.aws.weeverapps.com. IN	A

;; Query time: 486 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Wed Feb 21 19:13:20 -05 2018
;; MSG SIZE  rcvd: 61

Exactly. It looks like I did, yet the nslookup results are different depending on whether or not I specify 8.8.8.8 - but they should be identical, since the system is configured to use 8.8.8.8. So why isn't the system resolving addresses like the working nslookup is? That's my question.

Because you have the dnsmasq option set to discard upstream answers that are RFC1918, i.e. local private addresses. Dnsmasq defaults for OpenWrt are suitable for home networks, but you need to tailor them if your environment is more complex.

Set rebind_protection 0

https://wiki.openwrt.org/doc/uci/dhcp

PS Dnsmasq will naturally bump the query upstream to a public DNS server, if needed. Usually the default servers that your router gets from ISP are good enough.

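The reply above identifies the cause, but setting rebind_protection to 0 switches the DNS-rebinding defence off for every client behind the router. The block below is an added example, not code from the thread or from the OpenWrt project. The first function mirrors the address check dnsmasq's rebind protection applies to upstream answers (an answer that trips it is returned with an empty ANSWER section, which is the NOERROR / ANSWER: 0 seen in the "Broken" dig output, and dnsmasq logs it as a possible DNS-rebind attack). The second applies the narrower fix: keep rebind_protection on and exempt only the zone that legitimately resolves to private addresses, via the dnsmasq section's rebind_domain list (dnsmasq's --rebind-domain-ok, matched against the name being queried). Assumptions: OpenWrt's uci CLI with the dnsmasq section at index @dnsmasq[0], the domain taken from the thread, and an address set of RFC1918 plus loopback; newer dnsmasq versions also block some further special-use ranges that are not modelled here.

```shell
#!/bin/sh
# Added example, not from the original thread or the OpenWrt project.
# Assumes OpenWrt's uci CLI, the dnsmasq UCI section at @dnsmasq[0], and the
# "rebind_domain" list (dnsmasq --rebind-domain-ok). Domain is from the thread.

# Return 0 (true) when an IPv4 address in an upstream answer would be dropped
# with rebind_protection=1: the RFC1918 ranges, plus 127.0.0.0/8 unless
# rebind_localhost=1 (the thread's config sets it, so loopback is allowed).
# Newer dnsmasq versions block some further special-use ranges too; those are
# deliberately not modelled here.
is_rebind_blocked() {
  ip=$1
  localhost_ok=${2:-1}                    # mirrors option rebind_localhost
  case "$ip" in
    10.*|192.168.*) return 0 ;;           # 10.0.0.0/8, 192.168.0.0/16
    172.*)                                # 172.16.0.0/12 only
      b=${ip#172.}; b=${b%%.*}
      case "$b" in ''|*[!0-9]*) return 1 ;; esac
      [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
      ;;
    127.*) [ "$localhost_ok" = 1 ] || return 0 ;;
  esac
  return 1
}

# Narrow fix: leave rebind_protection=1 in place and exempt one zone.
# dnsmasq matches the queried name against this list, so the zone you query
# (aws.weeverapps.com) is what goes here, not the amazonaws.com CNAME target.
allow_private_answers_for() {
  uci add_list dhcp.@dnsmasq[0].rebind_domain="$1" &&
  uci commit dhcp &&
  /etc/init.d/dnsmasq restart
}

# Apply on the router only; skipped on a workstation without uci.
if command -v uci >/dev/null 2>&1; then
  allow_private_answers_for 'aws.weeverapps.com'
fi
```

After the restart, the nslookup from the first post should return 10.15.42.9 without naming 8.8.8.8 explicitly, while a random Internet name that answers with 192.168.x.y is still dropped. Check the dnsmasq log with logread if a lookup still comes back empty.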

You are the man! I'd buy you a beer if I could. Thank you so much!

The rebind protection bit me the other week, I thought it was my DNS provider blocking private addresses, turned out it was me!

