Topic: Correct DNS Forwarding Without DNSMasq?
I have my own instance of BIND running on a local machine here in the office, which is used as our public DNS. In short, I have set up firewall rules to do the following:
DNSLookup -> Wan -> local server
i.e., when someone hits one of my domain names from outside my office, it resolves correctly and they can hit the site.
However, when someone in my office tries to do the same, the domain will not resolve.
There are several ways to solve this, but I'd like to set all my office machines to only use the DNS provided by our upstream host. It, in turn, should query our DNS for authoritative responses to requests for hosts on my domains.
I'm a DNS newbie, and only recently discovered and installed OpenWrt. I'm using Kamikaze. Other than this issue, things are peachy.
Here are the rules from my firewall scripts that I've set up thus far:
forward:proto=tcp dest=220.127.116.11 dport=53:192.168.0.30:53
forward:proto=udp dest=18.104.22.168 dport=53:192.168.0.30:53
iptables -t nat -A prerouting_rule -d 22.214.171.124 -p udp --dport 53 -j DNAT --to 192.168.0.30
iptables -A forwarding_rule -p udp --dport 53 -d 192.168.0.30 -j ACCEPT
#iptables -t nat -A postrouting_rule -s 192.168.0.0/24 -p udp --dport 53 -d 192.168.0.30 -j MASQUERADE
If I uncomment that last line in firewall.user, then the server (which hosts BIND, Postfix, Apache, etc.) can't look up any domains on external DNS: it tries to send a DNS request, but the WRT sends it right back, as it is forwarding and masquerading all DNS lookups from the LAN.
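As an added example (not from the original post and not OpenWrt's own firewall scripts): the standard hairpin-NAT rule set for redirecting LAN clients that query the public address to an internal DNS server, written as a dry-run shell script that prints the iptables commands it would run. Assumed values are the placeholder public address 203.0.113.10 (documentation range), the LAN bridge name br-lan, and the chain names from the post; 192.168.0.30 and 192.168.0.0/24 are taken from the post. The DNAT rule is bound to the LAN interface and excludes the BIND host itself, so the server's own outbound lookups are never redirected back to it, and the MASQUERADE rule only matches packets the router actually forwards to the server, which on a flat LAN is just the hairpinned traffic.

```shell
#!/bin/sh
# Hairpin NAT for DNS (port 53, udp and tcp) on an iptables firewall.
# All values below are assumptions/placeholders, not taken from a real network.
WAN_IP="${WAN_IP:-203.0.113.10}"        # public address clients resolve to (placeholder)
LAN_IF="${LAN_IF:-br-lan}"              # LAN bridge interface (assumed name)
LAN_NET="${LAN_NET:-192.168.0.0/24}"    # LAN subnet
DNS_SERVER="${DNS_SERVER:-192.168.0.30}" # internal BIND host
IPT="${IPT:-echo iptables}"             # dry run by default; set IPT=iptables to apply

dns_hairpin_rules() {
    for proto in udp tcp; do
        # 1. LAN clients (but never the BIND host itself) that send DNS to the
        #    public address are redirected to the internal server.
        $IPT -t nat -A prerouting_rule -i "$LAN_IF" ! -s "$DNS_SERVER" \
            -d "$WAN_IP" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$DNS_SERVER"
        # 2. Let the redirected packets through the forward chain; both the
        #    inbound and outbound interface are the LAN side (hairpin).
        $IPT -A forwarding_rule -i "$LAN_IF" -o "$LAN_IF" \
            -d "$DNS_SERVER" -p "$proto" --dport 53 -j ACCEPT
        # 3. Rewrite the source so the server answers via the router and the
        #    reply is un-DNATed back to the public address the client used.
        #    Only packets routed through this box match here, so direct
        #    LAN-to-server queries and the server's own traffic are untouched.
        $IPT -t nat -A postrouting_rule -o "$LAN_IF" -s "$LAN_NET" \
            -d "$DNS_SERVER" -p "$proto" --dport 53 -j MASQUERADE
    done
}

dns_hairpin_rules
```

Run it as-is to review the six rules it would install; run it with `IPT=iptables` on the router to apply them. The `! -s` exclusion on the DNAT rule is what keeps the internal server's own resolver traffic from being looped back to it.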