Connect to DNS automatically, blocks access by NATed bind resolver

dteed

New Around Here
I went through some days troubleshooting this issue with the help of my LUG
and now have understood why I could not access my ISP's website while using
my own DNS resolver on my LAN.

One can read the thread conclusion here if you want more indications of the tracing:

http://nslug.ns.ca/pipermail/nslug/2015-August/026794.html

I run a bind resolver on Linux behind the asus merlin firmware router.
I'm on 378.55 and the model is RT-N66U.

If I have checked Yes to:

Connect to DNS Server automatically

it means the router has exclusive access to my ISP's DNS server.
My resolver can look up anything on the Internet except hosts which
require the ISP's DNS to resolve. Dig confirms the lookup stops there.

The solution was to uncheck the Connect to DNS Server automatically
and once it was set as "No" then I can enter an IP of my own bind
resolver on my LAN (NATed, behind the Asus router). With my own
resolver entered for DNS Server1 on the WAN tab, everything works
at ISP web sites.

I don't know if that behaviour of making the automatic DNS exclusive
to access from the router to use is a feature or not. Seems like a bug to me.
Giving the router access to the ISP's DNS server seems like it would
be the natural setup, and it hides the fields for entering my own DNS.
 
The only thing I can think of that might explain your scenario would be if you had turned on "DNS-based Filtering" at Parental Control > DNS Filtering.

Hi,

I've checked my settings. Under Parental controls I have time of day access configured only.
DNS based filtering is off and I've never used it.

To fix the problem, I have only changed the automatic DNS setting
under WAN tab. I suspect it is a firmware bug, because the router is able to access
the DNS server fine, while the Linux bind resolver behind NAT was
unable to reach only the ISP's DNS server.
 
@dteed Repeat the same and fill in Google's public DNS IP address in place of your local BIND resolver. After that, can you reproduce the same issue, i.e. your BIND resolver can't resolve your ISP domains?

If you took a look at the thread on the NSLUG Linux users group, you'll see many things were tested.

Worked:

host bellaliant.net 8.8.8.8
host bellaliant.net 192.168.0.1 (asus router as gateway IP)
host cbc.ca 192.168.0.3 (Linux resolver server on my LAN)
(99% of the Internet could be resolved fine, the cbc.ca site is just an example)
host -t ns bellaliant.net 192.168.0.3 (Lookup the NS for Bell Aliant)


Didn't work:

host bellaliant.net 192.168.0.3 (Linux resolver on my LAN)
host bellaliant.net 142.177.1.2 (look up using Bell's DNS)
host sobeys.ca 192.168.0.3 (sobeys.ca uses Bell's DNS since they are hosted there)

After disabling the automatic DNS setting on the Asus router, everything worked. The failures were consistent over the period of several days I was troubleshooting with the help of LUG members.

The only way I can explain how it behaved was that once the router had the DNS, it was blocking anything else on NAT from talking to that DNS. 90% of the people won't notice this as they use the router for DNS resolver. For a while that is what I did too; I added 192.168.0.1 as a second entry in resolv.conf on my Linux system. Now with the new setting of no automatic DNS on the WAN setting of the router, I can simply use my Linux system's IP in resolv.conf.
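The worked/didn't-work lists above are a resolver-by-name test matrix run by hand with `host`. As an added example (not code from the thread, the firmware or anyone in it), the script below runs the same matrix from a LAN host and records, per resolver and name, whether a reply arrived and with which RCODE, or whether the query timed out. That distinction is the useful one here: a resolver that answers SERVFAIL or NXDOMAIN is telling you something, while silence means the UDP/53 path to that server is being dropped somewhere, which is what the symptom in this thread looks like. The resolver IPs and names are the ones quoted in the thread; everything else (UDP only, a 2 second timeout, A records only) is an assumption for the example. Running it once with "Connect to DNS Server automatically" set to Yes and once with No, and again with the ISP's own server IPs filled in by hand, gives a table that can be compared directly.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Build a minimal RFC 1035 query (class IN) for `name`; qtype 1 = A, 2 = NS."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # Flags 0x0100: standard query with RD (recursion desired) set; one question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(txid, data):
    """Return (rcode_name, [A-record addresses]) from a raw DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):                      # walk the answer section
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return rcode, addrs


def probe(resolver_ip, name, qtype=1, timeout=2.0):
    """Send one UDP query to resolver_ip:53 and classify what came back."""
    pkt = build_query(name, qtype)
    txid = struct.unpack("!H", pkt[:2])[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(pkt, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        # No packet at all: the query or the reply was dropped on the path.
        # A resolver that actually refused us would have sent an RCODE instead.
        return "TIMEOUT"
    except OSError as exc:
        return "ERROR(%s)" % exc.strerror
    finally:
        sock.close()
    rcode, addrs = parse_response(txid, data)
    return rcode if not addrs else "%s %s" % (rcode, ",".join(addrs))


def run_matrix(resolvers, names):
    """Query every name against every resolver; returns {(resolver, name): outcome}."""
    return {(r, n): probe(r, n) for r in resolvers for n in names}


if __name__ == "__main__":
    # Resolvers and names as quoted in the thread. Run from the LAN host with the
    # router in each WAN DNS mode and compare the two tables line by line.
    resolvers = ["8.8.8.8", "192.168.0.1", "192.168.0.3", "142.177.1.2"]
    names = ["bellaliant.net", "cbc.ca", "sobeys.ca"]
    for (r, n), outcome in run_matrix(resolvers, names).items():
        print("%-14s %-16s %s" % (r, n, outcome))
```

The transaction id check in `parse_response` is deliberate: on a LAN where a middlebox is interfering with DNS, a reply whose id does not match the query is a second finding in its own right, not something to silently accept. The parser only decodes A records because that is all the comparison needs; an NS lookup (qtype 2) still reports its RCODE correctly, which covers the `host -t ns` case in the list above.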
 
Sorry for not being explicit in #4. My suggested test was that:
  1. Set "No" to Connect to DNS Server automatically
  2. Fill in 8.8.8.8 in DNS1 field
  3. Click Apply
  4. Try your failed cases on a machine that you previously did
I don't see you have tried this case.

What I had in mind is that rather than the issue being in the firmware, it's with your ISP. Worth talking to their technical support; they might reveal something interesting to you.

I could be wrong, but I spent some time building a giant dnsmasq on my AC56U. That yes and no does little and simple. I don't believe it'll cause such an issue as you've encountered.

I had the same working set up as you describe, except using my
own resolver inside the LAN. I've tried your suggestion of using
8.8.8.8 for DNS Server 1 as above. Any kind of lookup of bellaliant.net
using these resolvers works fine:

8.8.8.8
192.168.0.1 (router)
192.168.0.3 (Linux system with bind)
dns-ns00.aliant.net (NS for bellaliant.net)

To reproduce my issue, here is what someone would have to do:

1. Run or install a Linux system with a DNS resolver like bind.
2. Set that resolver in resolv.conf (e.g. 127.0.0.1)
3. Set Merlin Asus firmware 378.55 with the WAN DNS Setting
of "Connect to DNS Server automatically" with "Yes" (gets ISP's DNS).

At this point, 99.99% of lookups will work fine.

To test the problem, you must set your system to use
the Linux system for DNS, not the router's DNS.
If you are using DHCP from the router, it will default to assigning
you the router's DNS (again, why many people won't experience my problem).
You'll only run into this if you are manually assigning the DNS
setting to your systems to use the Linux system's DNS server.

Try to visit the ISP's web site or webmail, or any
hosted business that also uses the same DNS as the ISP (the whois
record for that site would have an NS pointing to the same DNS
as the ISP is giving you). Your ISP's webmail would be a good
candidate to try. The ISP's site will not resolve.

Now, uncheck the Connect to DNS Server automatically
and fill in DNS Server 1 as the Linux system running the bind
resolver. The ISP's webmail can now be looked up.
 
When your router is set to "Connect to DNS Server automatically" what IP addresses is it getting for the DNS servers? Are they 142.177.1.2 and 198.164.30.2 ?

If you disable automatic DNS and instead specify 142.177.1.2 and 198.164.30.2 do you still have the problem? Then we will know whether it's the access to the DNS servers that is the problem or the button setting in the GUI doing something odd.
 
Any kind of lookup of bellaliant.net
using these resolvers works fine:

192.168.0.3 (Linux system with bind)
dns-ns00.aliant.net (NS for bellaliant.net)

The first one succeeding is kinda expected 'cos I assume now your Linux BIND is the first guy talking to your ISP's nameserver. The second one is interesting. I would expect it to fail. Seems likely the issue is also related to configs in your BIND setup. BIND config is beyond me.

As @ColinTaylor suggested in #8, you shall test that too. I would expect all your failure cases fail again in this scenario. If not...really something interesting here.