'Local' dns served over wan port


bassplayerchris

Occasional Visitor
Hi -

In my setup I have an Asus device inside my network - on a separate subnet. Is it possible to get asuswrt to answer DNS queries from the 'wan' side - the idea is that it will serve to look up names within the subnet it manages.
 
Hi -

In my setup I have an Asus device inside my network - on a separate subnet. Is it possible to get asuswrt to answer DNS queries from the 'wan' side - the idea is that it will serve to look up names within the subnet it manages.
I would be surprised if that works since this would be the reverse of what a router does.
 
I would be surprised if that works since this would be the reverse of what a router does.

Not sure what you mean? 'normally' a router just routes between two networks, there isn't any directionality implied necessarily.

I already have static routes pointing back to the subnet served by the Asus - I just need to know how to enable dnsmasq to listen for DNS queries on the outgoing WAN interface (with possibly some filtering).
 
The standard Dnsmasq resolves DNS queries from the LAN side via upstream through the WAN port.
I don't think you get it to resolve queries coming in from WAN back to WAN side clients.
This is how I understand you want it and I believe this is not how it can work.
 
Well, actually in my setup I have dnsmasq on the asus serving up an upstream DNS server via DHCP as the DNS server for the local network it manages.

As the Asus is the only thing that knows the bindings for the hosts/IPs it manages, I'm trying to get it to serve as a DNS server for the internal domain/subnet it manages so I can look these hosts up from the rest of the network.
 
Well, actually in my setup I have dnsmasq on the asus serving up an upstream DNS server via DHCP as the DNS server for the local network it manages.
Yes, that is standard, you set it in the LAN settings, it resolves for the devices connected on the LAN side, if I understand you correctly.
As the Asus is the only thing that knows the bindings for the hosts/IPs it manages, I'm trying to get it to serve as a DNS server for the internal domain/subnet it manages so I can look these hosts up from the rest of the network.
So, on the LAN side of the router you want it to resolve domains on the same LAN side?
If so, use the /jffs/configs/dnsmasq.conf.add file to do that.
You have to create the file yourself, then put something like this in:
Code:
address=/dev/192.168.2.160
address=/aus/192.168.2.170
In the above example, I have two development servers, one serves *.dev domains, the other *.aus domains.
For example, all queries ending in dev will resolve to the IP 192.168.2.160.
ab-solution.dev or test-domain.aus and so forth.
Maybe this is what you need?
 
So, on the LAN side of the router you want it to resolve domains on the same LAN side?

My network is like this (simplified - there are more lans/devices)

[DSL]----[Router]-------[ASUS]----WIRELESS LAN (.wlan)
            |
        Wired LAN (.lan)

Only the Asus knows the mappings for .wlan (as it serves up its DHCP addresses), I'm trying to find a mechanism of being able to look up hosts in that domain from the rest of the network. At the moment all DNS resolution is being done on 'Router' - the easiest way I can think of achieving what I want is to have dnsmasq on the Asus respond to port 53 on the 'WAN' side for the domain/subnet it serves.
 
My network is like this (simplified - there are more lans/devices)

[DSL]----[Router]-------[ASUS]----WIRELESS LAN (.wlan)
            |
        Wired LAN (.lan)

Only the Asus knows the mappings for .wlan (as it serves up its DHCP addresses), I'm trying to find a mechanism of being able to look up hosts in that domain from the rest of the network. At the moment all DNS resolution is being done on 'Router' - the easiest way I can think of achieving what I want is to have dnsmasq on the Asus respond to port 53 on the 'WAN' side for the domain/subnet it serves.
OK, too late for me and not really my field to give a qualified answer the way you want it.
I'm sure someone else can help you.
 
If I understand what you are asking?... you can't resolve to private addresses (like 192.168.x.x) from the WAN side, they are not unique.

You can set up a VPN Server on the router, then connect via a VPN client when you are outside of your local network to accomplish what you want....
 
If I understand what you are asking?... you can't resolve to private addresses (like 192.168.x.x) from the WAN side, they are not unique.

No, not quite. In my case the 'WAN' side of the Asus is just a name. It connects to the rest of my network, all of which is private. The actual WAN boundary is my DSL device (which does NAT once on the boundary of my network); internally I have separate subnets using private address space and static routes going to things like the ASUS which are serving up the different subnets, so:

.lan (served by Router) = 192.168.1.X
.wlan (served by Asus) = 192.168.2.X

and so on... (I have NAT turned off on the ASUS - and as far as possible it's set up as a router between the two networks it is on).
 
Do you have to have these subnets segregated like that?
What is the point if both are private?
You could have all devices behind the ASUS: wired devices using main DHCP and a separate instance of dnsmasq binding to a particular wireless interface (i.e. wl1.1)
 
Do you have to have these subnets segregated like that?
What is the point if both are private?

A number of reasons. I want to segregate embedded devices (streamers and so on) from the rest of the network to give me some level of control over the types of access they have (I'm using VPNs on the Asus to redirect some of these elsewhere). I have a proper switch on the spine of my network because the backplane of the Asus is fairly easily saturated. The Asus can't (really) run codel/cake - so it can't serve as the main router on the network (and anyway it doesn't have the kinds of firewalling capability that the current switch - running LEDE - gives me).
 
Never mind then...

Just out of curiosity, all this is happening in a home network?
 
Never mind then...

Just out of curiosity, all this is happening in a home network?

Yep. Absolutely. I have a couple of desktops and laptops, a couple of servers (PLEX, NAS and a few other things), and then differing requirements for phones/tablets vs embedded streaming devices connected to the TV and speakers.

I think it's probably more devices than some folk have - but OTOH I bet a lot more people have a lot more embedded devices these days (all the streaming boxes like Chromecasts, Fire/Alexas, Rokus, streaming TVs, Sonos boxes and so on).
 
That is awesome.
I have around 20 devices as well: Plex, iTunes home share, iPhones, iPads, Apple TVs, Android phones, Kodi on an RPi, smart TVs, two always-on PCs, three laptops, and a few lighting switches controlled over WiFi; and all is connected to an RT-AC68P, with two VPN clients one of which is routing traffic from the LAN where the server is located (across the Atlantic)...
As far as firewall, I am running the SKYNET script (from Adam's) on top of Asus own.
It all just works nicely... Cheers!
 
It's possible with DNSMasq to do this, the concern would be how this interacts with the WebGUI of AsusWRT...

Have you considered using Avahi/Bonjour/mDNS to work within the .local TLD on the LAN?

Android/Mac/iOS/Win (with some help)/Linux (most popular distros) all support this, either directly, or via add-ons...

It can be a win/win for both device and service discovery on the local area network. And no config needed other than install the packages perhaps.
 
It's possible with DNSMasq to do this, the concern would be how this interacts with the WebGUI of AsusWRT...

Have you considered using Avahi/Bonjour/mDNS to work within the .local TLD on the LAN?

It can be a win/win for both device and service discovery on the local area network. And no config needed other than install the packages perhaps.

Yes, the next step will be to try and get mDNS working and fed via DNSmasq - however, that's for the future.

The actual simplest solution would be to use DHCP relay, sending all queries up to the 'border router' in that picture. Unfortunately, it looks like this might break more than it would solve (at least for asuswrt):

https://github.com/RMerl/asuswrt-merlin/issues/243

For now, I've managed to solve this with DNSmasq alone, and present the solution below in case it's useful for anyone else.

The first changes are on the asus. In /jffs/scripts/dnsmasq.postconf I have the following:

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

# Allow upstream to deal with private ranges
pc_delete "bogus-priv" $CONFIG

# Listen for DNS on eth0 - 'wan'
pc_append "interface=eth0" $CONFIG
pc_append "no-dhcp-interface=eth0" $CONFIG

# Serve all local ip addresses without forwarding - otherwise bogus-priv removal will end up forwarding these
pc_append "local=/2.168.192.in-addr.arpa/" $CONFIG

In my case eth0 is the 'WAN' (northbound) interface - this listens on this interface, but never serves dhcp there. The last line stops things ping-ponging till exhaustion.

Next on the Router side. I have the following in the openwrt config files - converting these to dnsmasq equivalents should be trivial:

Code:
        list rebind_domain '/wlan/'
        list server '/wlan/192.168.1.3'
        list server '/2.168.192.in-addr.arpa/192.168.1.3'

In this case 192.168.1.3 is the northbound side of the ASUS. This marks the ASUS as the DNS server for the wlan domain and the 192.168.2.0/24 range. The rebind option gets openwrt to accept the private address returned by the asus (rebind_protection is on - so this is an exception to the general rule).
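As an added illustration (not the poster's code, nor part of asuswrt or OpenWrt), the helper below derives the in-addr.arpa zone from the delegated subnet and emits the dnsmasq lines for both routers, including the plain-dnsmasq equivalent of the OpenWrt `server`/`rebind_domain` entries; the function names are my own and the interface, domain and addresses are the thread's values used as sample input.

```python
import ipaddress


def reverse_zone(cidr: str) -> str:
    """in-addr.arpa zone for an IPv4 network on an octet boundary.

    192.168.2.0/24 -> 2.168.192.in-addr.arpa. A /16 or /8 is also
    accepted; anything else is refused rather than silently widened,
    because a wider zone would delegate more reverse space to the
    downstream router than was intended.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{cidr}: need an IPv4 /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def asus_postconf_lines(northbound_if: str, cidr: str) -> list[str]:
    """Directives the dnsmasq.postconf script appends on the downstream
    (Asus) router. The listener is opened only on the named interface,
    which the thread assumes is an internal link, not a public WAN."""
    zone = reverse_zone(cidr)
    return [
        f"interface={northbound_if}",         # answer DNS on the northbound link
        f"no-dhcp-interface={northbound_if}",  # but never hand out leases there
        # Reverse zone is authoritative here: with bogus-priv removed, an
        # unknown PTR would otherwise be forwarded upstream, which the
        # upstream router sends straight back (a query loop).
        f"local=/{zone}/",
    ]


def upstream_dnsmasq_lines(domain: str, cidr: str, delegate_ip: str) -> list[str]:
    """Plain-dnsmasq equivalent of the OpenWrt uci lines: forward the
    domain and its reverse zone to the downstream router, and exempt
    only that domain from rebind protection (private answers allowed)."""
    ipaddress.ip_address(delegate_ip)  # reject malformed addresses early
    zone = reverse_zone(cidr)
    return [
        f"server=/{domain}/{delegate_ip}",
        f"server=/{zone}/{delegate_ip}",
        f"rebind-domain-ok=/{domain}/",
    ]


if __name__ == "__main__":
    # Constructed sample input mirroring the thread's topology.
    print("\n".join(asus_postconf_lines("eth0", "192.168.2.0/24")))
    print("\n".join(upstream_dnsmasq_lines("wlan", "192.168.2.0/24", "192.168.1.3")))
```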
 