OpenWrt Forum Archive

Topic: Correct DNS Forwarding Without DNSMasq?

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have my own instance of BIND running on a local machine here in the office, which is used as our public DNS.  In short, I have set up firewall rules to do the following:

DNSLookup -> Wan -> local server

i.e., when someone hits one of my domain names from outside my office, it resolves correctly and they can hit the site. 

However, when someone in my office tries to do the same, the domain will not resolve.

There are several ways to solve this, but I'd like to set all my office machines to only use the DNS provided by our upstream host.  It, in turn, should query our DNS for authoritative responses to requests for hosts on my domains.

I'm a DNS newbie, and only recently discovered and installed openWRT.  I'm using kamikaze.  Other than this issue, things are peachy.

Here are the rules from my firewall scripts that I've set up thus far:

/etc/setup/firewall:
forward:proto=tcp dest=207.70.62.18 dport=53:192.168.0.30:53
forward:proto=udp dest=207.70.62.18 dport=53:192.168.0.30:53

/etc/firewall.user:
iptables -t nat -A prerouting_rule -d 207.70.62.18 -p udp --dport 53 -j DNAT --to 192.168.0.30
iptables -A forwarding_rule -p udp --dport 53 -d 192.168.0.30 -j ACCEPT
#iptables -t nat -A postrouting_rule -s 192.168.0.0/24 -p udp --dport 53 -d 192.168.0.30 -j MASQUERADE

If I uncomment that last line in firewall.user, then the server (which hosts bind, postfix, apache, etc) can't look up any domains on external DNS - it tries to send a dns request but the wrt sends it right back, as it is forwarding and masquerading all dns lookups from the lan.

Help!

Thanks!

-- Kimball

I take it that the wrt is your gateway to the outside world, it has a static ip and you don't have dnsmasq running. Your problem is that your server has two different IPs: One external, reachable from outside and one internal one, in the 192.168.0.0 net. Your clients get the external IP back from the server, and your wrt doesn't do "loop routing": from internal to external to internal again.
Options that I see:
1. DNS "Split-horizon" may be possible. Afaik Bind can answer queries differently depending on where the request comes from. Look in the bind docs for "views".
2. Depending on your ISP setup, you could also put your server that answers queries from external in a DMZ, without portforwarding. Int and ext "see" the same IP.
3. Use a different domain internally, maybe even move out your public DNS/web entirely. DNS through IP port forwarding can be brittle.
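As an added example that is not from the thread: the "loop routing" the reply says the wrt doesn't do can be bolted on with a hairpin NAT rule set for the addresses in the original post. It assumes Kamikaze's br-lan bridge as the LAN interface and the prerouting_rule/postrouting_rule/forwarding_rule chains already used in firewall.user; the rule set is printed with echo so it can be reviewed before being applied.

```shell
#!/bin/sh
# Hairpin ("loopback") NAT for a server that is reachable on the wrt's WAN
# address but lives on the LAN. Addresses are the ones from the thread;
# LAN_IF=br-lan is an assumption (Kamikaze's default LAN bridge).
WAN_IP=207.70.62.18
SRV_IP=192.168.0.30
LAN_NET=192.168.0.0/24
LAN_IF=br-lan

# $1 is the command run for each rule: "iptables" applies it,
# "echo" prints the rule set for review without touching the firewall.
hairpin_rules() {
    ipt=$1
    for proto in udp tcp; do
        # No -i restriction on purpose: a LAN client that resolved the
        # public name and sends to the WAN address is DNATed exactly like
        # a client on the Internet.
        $ipt -t nat -A prerouting_rule -p $proto -d $WAN_IP --dport 53 \
            -j DNAT --to-destination $SRV_IP
        # Hairpinned packets go back out on the LAN bridge. Without SNAT the
        # server would answer the client directly from 192.168.0.30, but the
        # client expects a reply from 207.70.62.18 and drops it. Matching only
        # -d $SRV_IP on -o $LAN_IF leaves every other LAN flow, including the
        # server's own lookups to outside resolvers, untouched.
        $ipt -t nat -A postrouting_rule -o $LAN_IF -s $LAN_NET -d $SRV_IP \
            -p $proto --dport 53 -j MASQUERADE
        $ipt -A forwarding_rule -p $proto -d $SRV_IP --dport 53 -j ACCEPT
    done
}

# Review the rules first; call `hairpin_rules iptables` from /etc/firewall.user to apply them.
hairpin_rules echo
```

Because of the MASQUERADE, BIND sees hairpinned queries coming from the wrt's LAN address (192.168.0.1 if the router keeps its default address) rather than from the client, so source-based ACLs, views and query logs on the server lose the real client for those lookups.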

Thanks for taking the time to help, I really appreciate it.

------------------------------------------------
DNS Lookup

Another possibility is to advertise a different DNS server to DHCP clients.

The discussion might have continued from here.