DNS - passing on source IP address to pihole in the cloud

R3dbvll

New Around Here
Hi all,

Firstly, I have searched as best I can, but I've not been able to find an answer to this, so forgive me if this has already been addressed.

I am running an Asus AC68U with the Merlin 386.13 firmware.
I have a small LAN and 2 piholes running in Oracle OCI free-tier. I have two VMs running Ubuntu there. I'm also using unbound as the upstream resolver for the piholes.

(no, I'm not running an open resolver - in case you ask!)

The router is handling DHCP for my LAN. On the LAN side, the DNS is set to the piholes for all clients using DHCP. On the WAN side of the router, the DNS is somewhere else.

The issue I'm having is that the cloud-based piholes only see the router's WAN-side IP address, not the individual device address (this is all IPv4, by the way).

I had this setup a year ago, and I'm sure I had this working. However I cannot recall (and stupidly didn't document) how to get this to work - whether it was a configuration of the router, a network/firewall setting for the VMs, or on Ubuntu itself, or a combination.

Does anyone know the answer to this, or if I'm completely wrong and misremembering this?

Thanks in advance,

Chris.
 
You could make the 2 piholes the WAN DNS servers and have dnsmasq use the extra parameter add-subnet=32 when forwarding to your OCI servers. Remove the piholes from LAN DNS.
 
> You could make the 2 piholes the WAN DNS servers and have dnsmasq use the extra parameter add-subnet=32 when forwarding to your OCI servers. Remove the piholes from LAN DNS.

Yep, that worked! The extra step being to have clients point to the router as DNS server.

Are there any downsides to doing this? Also, are there any other ways of doing this (that is, keeping the LAN and WAN side DNS configs separate)?
 
> Also, are there any other ways of doing this (that is, keeping the LAN and WAN side DNS configs separate)?

You really need dnsmasq in the middle to insert the LAN source IP into the query packet. Otherwise, LAN clients talking directly through the router will be NAT'ed to the router's public IP by the time the query reaches OCI.

Unless you can do something with a LAN-to-OCI VPN connection and send the DNS queries through the VPN tunnel, this is the best option I can think of. There are smarter people around who may have other ideas.

The plus side to this WAN DNS option through dnsmasq is that dnsmasq will cache responses locally, reducing the amount of queries you're sending to OCI, and hopefully making things a little faster for LAN clients.
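The two replies above hinge on dnsmasq's add-subnet=32 option, which carries the LAN client's address to the Pi-hole inside an EDNS Client Subnet (ECS) option (RFC 7871) rather than in the IP header that NAT rewrites. The following Python example is added here and is not code from the thread, dnsmasq or Pi-hole; the function names are my own and the client addresses are constructed. It builds the option as a forwarder with add-subnet=<prefix> would and parses it back the way the receiving resolver does, including the shorter prefixes that only deliver part of the address.

```python
import ipaddress
import struct

EDNS_OPT_RRTYPE = 41
ECS_OPTION_CODE = 8  # EDNS Client Subnet, RFC 7871


def build_ecs_option(client_ip: str, prefix_len: int) -> bytes:
    """Encode one ECS option (code + length + body) as add-subnet=<prefix_len> would.

    Only the bits covered by prefix_len are sent: the address is truncated to
    whole bytes and any trailing bits are zeroed (RFC 7871 section 6).
    """
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    if not 0 <= prefix_len <= addr.max_prefixlen:
        raise ValueError("prefix length out of range for address family")
    nbytes = (prefix_len + 7) // 8
    network = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    addr_bytes = network.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, prefix_len, 0) + addr_bytes  # scope is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(rdata: bytes) -> dict:
    """Walk OPT RDATA as the receiving resolver does and return the ECS fields, or {}."""
    pos = 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        data = rdata[pos:pos + length]
        pos += length
        if code != ECS_OPTION_CODE:
            continue  # some other EDNS option, e.g. cookies
        family, source, scope = struct.unpack_from("!HBB", data, 0)
        addr_len = 4 if family == 1 else 16
        raw = data[4:].ljust(addr_len, b"\x00")  # re-pad the truncated address
        return {"family": family, "source_prefix": source, "scope_prefix": scope,
                "address": str(ipaddress.ip_address(raw))}
    return {}


def opt_rr(options: bytes, udp_size: int = 4096) -> bytes:
    """Wrap option bytes in an OPT pseudo-RR: root name, type 41, class = UDP size."""
    return b"\x00" + struct.pack("!HHIH", EDNS_OPT_RRTYPE, udp_size, 0, len(options)) + options


def client_seen_upstream(client_ip: str, prefix_len: int) -> str:
    """Address the cloud resolver attributes the query to after add-subnet=<prefix_len>."""
    rr = opt_rr(build_ecs_option(client_ip, prefix_len))
    rdlen = struct.unpack_from("!H", rr, 9)[0]  # RDLENGTH sits after name/type/class/TTL
    return parse_ecs_option(rr[11:11 + rdlen])["address"]
```

With add-subnet=32 the Pi-hole gets the exact LAN address, which is what makes per-client reporting and group rules work; with a shorter prefix such as 24 it only gets the subnet, so clients become indistinguishable again. The same option is forwarded further upstream unless the resolver strips it, so keep in mind that the Pi-hole, and not a public resolver, should be the one receiving it.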
 
> The plus side to this WAN DNS option through dnsmasq is that dnsmasq will cache responses locally, reducing the amount of queries you're sending to OCI, and hopefully making things a little faster for LAN clients.

DNSMasq also offers local name resolution. Granted, the OP may already be managing that w/ the pi-hole(s), but that requires internet access for local references (not something I generally recommend).

And since DHCP is being managed locally w/ DNSMasq, it means you can't resolve any dynamically registered hostnames either.

DNSMasq for the purposes of DNS is an underlying assumption of many services (e.g., Accept DNS configuration w/ the OpenVPN clients). If for some reason you're dependent on the DNS server(s) of a remote OpenVPN server (esp. one you do NOT control), that may not be possible if you bypass DNSMasq.

Granted, some of these may be a stretch and NOT relevant to your current needs or concerns. But it's NOT as if bypassing DNSMasq has no potential negative consequences. You just have to keep in mind the possibility that you *might* break something in the process, esp. when it comes to all the extra features and AddOns offered by the router.

That's why I like to keep DNSMasq "in the mix" for DNS purposes unless I'm really sure I don't need it. For example, w/ a guest network, where I'm only offering simple internet access, I'm never going to route them over a VPN or give them access to local devices, so I always assign them public DNS servers (e.g., 8.8.8.8, 8.8.4.4).
 
Great feedback, thank you both.

So would you say then, that in order to ensure dnsmasq is kept in scope, for the DHCP config in the router I'd specify the router IP address as DNS?

Using this approach, would there be any way of filtering out all the DNS noise from the router itself?

I am also looking at setting up a VPN from home to the cloud - that will also be used for mobile devices to use the cloud-based piholes when off the LAN.

Thanks
Chris.
 
> So would you say then, that in order to ensure dnsmasq is kept in scope, for the DHCP config in the router I'd specify the router IP address as DNS?

Unnecessary. When LAN DHCP DNS Servers 1 & 2 are blank, the router IP is automatically sent via DHCP as the DNS server.

> Using this approach, would there be any way of filtering out all the DNS noise from the router itself?

You can get fancy with dnsmasq.postconf if you want only LAN traffic to use the Pi-Holes. Set the WAN DNS to whatever you want, then add something like this to /jffs/scripts/dnsmasq.postconf:
Code:
#!/bin/sh
# dnsmasq.postconf is run by the firmware after it generates the dnsmasq
# config and before dnsmasq starts; $1 is the path of that generated config.
source /usr/sbin/helper.sh

# Drop the servers-file directive so dnsmasq stops using the WAN DNS servers
pc_delete  "servers-file" "$1"
# Forward LAN queries to the Pi-holes instead
# (5.5.5.5 and 5.5.6.6 are placeholders; use the real OCI addresses)
pc_append  "server=5.5.5.5" "$1"
pc_append  "server=5.5.6.6" "$1"
Router queries will go to the WAN DNS servers and LAN queries will go via dnsmasq to the 2 IPs you put in the file above.
 
This is great, thank you!

One further question - is it possible to pass along a device name associated with the LAN-side IP address of that device? e.g. if 192.168.0.3 makes a DNS request, pass along its name, 'my-pc'.
 