[SOLVED] Question about DNS

Hi, whenever I establish a tunnel using vpnc my openwrt try to resolv IPs that were already resoved before using the loopback address. For example, vpnc will get the IP for my gateway say vpn.domain.com but after the connection is established and I have tun0 up openwrt can't resolv this address anymore. When I use nslookup vpn.domain.com It will query 127.0.0.1 instead and return that the address can't be resolved. I've ben using tcpdump to monitor every DNS query. If I query any other adddres say www.yahoo.com.br it'l direct the dns query to the server I have configured in my wan interface which is how it should work for any name I want to resolve. I checked /etc/resolv.conf and it's configured to search lan and nameserver 127.0.0.1. But it works when I don't have the tun0 up, if I force the correct nameserver there it works fine again. Is there a way to solve that without having to edit /etc/resolv.conf manually (It's rewriten everytime I reboot the router so that's not a good solution)? Why openwrt is forwarding especific internal DNS queries to the loopback address after I set the tunnel and how can I fix that?
EDIT: it's apparently not a problem related to vpnc, I think it would happen with any vpn client.

The files that should be edited in LuCI are usually contained in /etc/config, not in /etc.

  • Why do you have a DNS server of LOCALHOST configured into your router?

You need a real, Global DNS server.

I don't. I configure my dns via /etc/config/network:

config interface 'lan'
	option dns 'Public DNS Address'

config interface 'wan'
	option dns ''Public DNS Address'
	option peerdns '0'
	

I've never had to worry about /etc/resolv.conf, but it has always been the same:

search lan
nameserver 127.0.0.1

I even thought openwrt just ignored this file and used uci instead.

  • The /etc/config/network file configures DNSMASQ
  • Dnsmasq listens at LOCALHOST for requests from the router

udp 0 0 localhost:domain 0.0.0.0:* 2332/dnsmasq

So this is OK.

I personally only add DNS servers to my WAN interface. I have no issues connected to my VPNs while doing so.

  • Perhaps your public DNS server is not available over the tunnel's ISP. Try using a public server like Google (8.8.8.8) or Cloudflare (1.1.1.1).
  • Is this hostname Globally Registered, or only existing in your router's custom hosts config?
  • Why do you need to lookup the IP of your WAN port via its Global hostname?

I see. Thanks for the clarification about dnsmasq, that was very useful explanation. I'll try to figure out something and post here whether I'm successful or not.

1 Like

Ok., I sort of achieved what I wanted. I have two diferent sets of DNS: external (available on the Internet) and internal (available over vpn). External DNS are supposed to be used by the openwrt iself and clients on the lan when tunnel is down. Tunnel bellongs to zone wan as well as interface wan. When tunnel is up clients on the lan will use the internal DNS. I've rewriten /etc/resolv.conf so it points only to the external DNS, it's not pontinh to the loopback anymore so whatever happens to the tunnel openwrt itself will use those DNSs. The only problem now is that when tunnel is down for any reason clients on the lan will try to use the internal DNSs that are not available anymore, I fix that by restarting dnsmasq server. It looks like I will need to write a sort of daemon to monitor the tunnel interface and manage the dns and routes. My configuration looks like this:

/etc/config/dhcp

...

config dnsmasq 'cfg02411c'
        option readethers '1'
        option expandhosts '1'
        option boguspriv '1'
        option localise_queries '1'
        option nonegcache '0'
        option resolvfile '/tmp/resolv.conf.auto'
        option rebind_localhost '0'
        option domain 'lan'
        option localservice '1'
        option rebind_protection '0'
        option filterwin2k '0'
        option local '/lan/'
        option authoritative '1'
        option domainneeded '1'
        option leasefile '/tmp/dhcp.leases'

/etc/config/network

...

config interface 'tun0'
        option proto 'vpnc'
        option server 'vpn.domain.com'
        option username 'xxxxxx'
        option password 'xxxxxx'
        option authgroup 'xxxxxxxxxxxxx'
        option passgroup 'xxxxxxxxxxxxx'
        option defaultroute '0'

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option ip6assign '60'
        option enabled '1'
        option mtu '1500'
        option netmask '255.255.255.0'
        option proto 'static'
        option ipaddr '192.168.123.1'
        option auto '1'
        option ifname 'eth1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option dns 'EXTERNAL_DNS_1 EXTERNAL_DNS_2'
        option peerdns '0'

...

/etc/resolv.conf

nameserver EXTERNAL_DNS_1
nameserver EXTERNAL_DNS_2

/etc/config/firewall

config zone 'rule1'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding 'rule2'
        option src 'lan'
        option dest 'wan'

config zone 'rule3'
        list network 'wan'
        list network 'tun0'
        option output 'ACCEPT'
        option masq '1'
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'
        option mtu_fix '1'

1 Like

That's good then. I use DHCP Option 6 to assign LAN DNS servers only available over the tunnel too.

As in your config, the WAN DNS servers are only used by the WAN Interface (running Wireguard). If you have a preference of WAN DNS server(s), you can make a static routes for them so they are always reached over WAN.

Example, Google DNS (8.8.8.8):

config route
	option interface 'wan'
	option target '8.8.8.8'
	option netmask '255.255.255.255'

If your issue is fixed, feel free to edit the title and add "[SOLVED]" to the beginning.