Topic: Correct DNS Forwarding Without DNSMasq?

I have my own instance of BIND running on a local machine here in the office, which is used as our public DNS.  In short, I have set up firewall rules to do the following:

DNSLookup -> Wan -> local server

i.e., when someone hits one of my domain names from outside my office, it resolves correctly and they can hit the site. 

However, when someone in my office tries to do the same, the domain will not resolve.

There are several ways to solve this, but I'd like to set all my office machines to only use the DNS provided by our upstream host.  It, in turn, should query our DNS for authoritative responses to requests for hosts on my domains.

I'm a DNS newbie, and only recently discovered and installed openWRT.  I'm using kamikaze.  Other than this issue, things are peachy.

Here are the rules from my firewall scripts that I've set up thus far:

forward:proto=tcp dest= dport=53:
forward:proto=udp dest= dport=53:

iptables -t nat -A prerouting_rule -d -p udp --dport 53 -j DNAT --to       
iptables -A forwarding_rule -p udp --dport 53 -d -j ACCEPT                               
#iptables -t nat -A postrouting_rule -s -p udp --dport 53 -d -j MASQUERADE

If I uncomment that last line in firewall.user, then the server (which hosts bind, postfix, apache, etc) can't look up any domains on external DNS - it tries to send a dns request but the wrt sends it right back, as it is forwarding and masquerading all dns lookups from the lan.



-- Kimball

Re: Correct DNS Forwarding Without DNSMasq?

I take it that the wrt is your gateway to the outside world, it has a static ip and you don't have dnsmasq running. Your problem is that your server has two different IPs: One external, reachable from outside and one internal one, in the net. Your clients get the external IP back from the server, and your wrt doesn't do "loop routing": from internal to external to internal again.
Options that I see:
1. DNS "Split-horizon" may be possible. Afaik Bind can answer queries differently depending from where the request comes. Look in the bind docs for "views" .
2. Depending on your ISP setup, you could also put your server that answers queries from external in a DMZ, without portforwarding. Int and ext "see" the same IP.
3. Use a different domain internally, maybe even move out your public DNS/web entirely. DNS through IP port forwarding can be brittle.

Re: Correct DNS Forwarding Without DNSMasq?

Thanks for taking the time to help, I really apprciate it.

DNS Lookup

Enjoy yuor self

Re: Correct DNS Forwarding Without DNSMasq?

Another possibility is to advertise a different DNS server to DHCP clients.