
[RT-AC66R] [380.62] DNS Questions

Digital Noise

Occasional Visitor
I'm having a bit of a conundrum, and I'm wondering if anyone here has encountered the same issue and perhaps has found a solution.

When I set up my RT-AC66R, I set the LAN > DHCP Server > RT-AC66R's Domain Name value to that of an actual domain name that I own (example.com), such that every machine that connected would get a FQDN - ie. laptop.example.com, xboxone.example.com.

I also made sure to set LAN > DHCP Server > "Forward local domain queries to upstream DNS?" to No, because no external name servers would know about these internal machines.

And that brings me to my current issue - I picked up a VPS and I want to use a subdomain tied to it such as dev.example.com, I've done all of the configuration on the VPS side - DNS, whois, etc. - but I can't reach it from any machine connected to the RT-AC66R because all local domain queries aren't forwarded, and obviously the router considers dev.example.com to be a local domain query since the domain name on the router is set to example.com.

How can I work around this? Initially I thought to change the value of the Domain Name in the router configuration to something like home.example.com, leading to FQDNs of machine1.home.example.com, which would, in theory, cause dev.example.com to be forwarded to upstream DNS servers.

I think I would run into a number of issues with this on some of my VMs and containers that rely on FQDN to perform actions - yes, I can update them, but it can get complicated. Not to mention that any logging would be technically invalid unless I manually altered the log files - which I'd prefer not to do, especially since they're all going into an internal ELK stack.

I looked at the static route options, but it doesn't let me supply a hostname - only the ip, netmask and gateway, so I don't think that will work.

Is there a way to configure the router to forward only specific local domain queries to upstream DNS, while leaving the rest in the hands of the router?
 
You should never use a public domain name on a LAN. Change your LAN domain for a non public one.

Why? If I wanted to host a server at home that provided services tied to a domain name that I owned, wouldn't the server in question need to have a FQDN that reflected that domain name?

A server is not the same thing as a LAN managed by a DHCP server. The public IP of that server would be within your public domain, while the DHCP/local IP would be handled by a local domain.

The issue here is that your authoritative nameservers are tied to your public domain. Your DHCP server and your LAN, however, are tied to a local nameserver (in your case, provided by your router's dnsmasq). You are basically telling your router that it's become authoritative for your public domain, while the registrar says otherwise.

It boils down to authority over the domain name at the zone level.
 
Here is what I did to accomplish something similar. I agree that it probably is not the best idea, but it works for me.
I have a domain, mydomain.com, and it even has a public wildcard record, which makes it a bit more complicated.

LAN -> DHCP Server ->
Domain Name -> mydomain.com
DNS Server 1 -> Blank (router adds itself and use DNS from WAN setting)
DNS Server 2 -> Blank
Default Gate -> Blank (router adds itself)
Advertise... -> No
Forward..... -> No

Now when I ping mydomain.com or "test" it resolves to the router (not good).
Entering something in the address bar in a browser would ask "Do you want to go to this site", which by selecting, would take me to the router (not good).

I then enabled jffs/ssh and added the following to /jffs/configs/dnsmasq.conf.add:

# inside
address=/mydomain.com/0.0.0.0
address=/mydomain.com/::

# outside
address=/www.mydomain.com/mail.mydomain.com/my-ipv4-address
address=/www.mydomain.com/mail.mydomain.com/my-ipv6-address

Then restart dnsmasq with "service restart_dnsmasq" and on Windows flush DNS cache with "ipconfig /flushdns" in a command prompt.

Now when I ping "mydomain.com" or "test" I get "not found" (kind of great).
When I ping "www.mydomain.com" or just "www" I ping my website (great).
The browser question is gone (great).
I can still reach my local machines by "laptop" or "laptop.mydomain.com".

Obviously this will not work if your public website does not include www. Another potential downside is that you have to add all outgoing hostnames to the file. So in my example, I added "mail.mydomain.com" to allow that as well.

But because you probably don't have a wildcard record, I guess you could omit the # inside block.

I believe something has changed in regard to "Forward local domain queries to upstream DNS" since 380.58 or 380.59. I question if it works as intended. In 380.57, my router did not catch the wildcard record while now it does when it's off and it makes this more complicated.

At the same time, something happened to NAT-loopback. I use double NAT.
192.168.1.1 Modem/NAT
192.168.2.1 Router/NAT (WAN address 192.168.1.2)
In 380.57 I could reach my router's interface by going to 192.168.1.2. Not anymore.
 

Thank you for the detailed walk-through.

What I eventually did was just change all of my machines behind the router to get an int.example.com FQDN - that way local network lookups still resolve correctly, and requests to .example.com outside of the network also resolve correctly. It's been working perfectly so far; none of my internal names can be resolved from outside the network because they do not exist as A records.
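The three situations in this thread (the original example.com LAN domain that swallowed dev.example.com, the dnsmasq.conf.add workaround with address= overrides, and the final move to int.example.com) all come down to how dnsmasq picks the most specific matching domain for a query. The following is an added teaching model of that decision, not dnsmasq's code and not anything posted in the thread: it assumes the router's "Forward local domain queries to upstream DNS = No" setting amounts to a dnsmasq local= line for the LAN domain, it only models address= and local= directives, and the IP addresses, host names and lease records are constructed (the poster's my-ipv4-address/my-ipv6-address placeholders are filled with documentation addresses).

```python
"""Model of how dnsmasq decides what to do with a query, written to explain
the three situations in this thread.  Teaching code, not dnsmasq's own.

Order of evaluation modelled (a simplification of dnsmasq):
  1. a name known locally (DHCP lease or hosts entry) is answered directly;
  2. otherwise the address=/local= directive with the longest matching
     domain suffix decides: fixed answer, or local-only (NXDOMAIN);
  3. with no matching directive the query is forwarded upstream.
"""
import ipaddress
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"
NODATA = "NODATA"              # name matched, but no record of that type
FORWARD = "forward-upstream"


@dataclass
class Rule:
    domain: str                # matches the name itself or any subdomain
    action: str                # "address" (fixed answer) or "local" (never forwarded)
    answers: dict = field(default_factory=dict)   # {"A": "...", "AAAA": "..."}


def parse_directives(text):
    """Parse dnsmasq address= and local= lines; comments and blanks are skipped."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition("=")
        fields = rest.strip("/").split("/")
        if key == "address":
            value = fields.pop()                      # trailing field is the answer
            rtype = "AAAA" if ipaddress.ip_address(value).version == 6 else "A"
        elif key == "local":
            value, rtype = None, None
        else:
            raise ValueError(f"directive not modelled: {raw!r}")
        for domain in fields:
            rule = rules.setdefault((domain.lower(), key), Rule(domain.lower(), key))
            if value is not None:
                rule.answers[rtype] = value
    return list(rules.values())


def _matches(domain, qname):
    return qname == domain or qname.endswith("." + domain)


def resolve(qname, qtype, rules, local_records):
    """Answer for qname/qtype under the given rules and LAN records."""
    qname = qname.rstrip(".").lower()
    if qname in local_records:                        # DHCP lease / hosts entry wins
        return local_records[qname].get(qtype, NODATA)
    best = None
    for rule in rules:
        if not _matches(rule.domain, qname):
            continue
        # longest suffix wins; on a tie a fixed address= answer is preferred
        if best is None or (len(rule.domain), rule.action == "address") > (
                len(best.domain), best.action == "address"):
            best = rule
    if best is None:
        return FORWARD
    if best.action == "address":
        return best.answers.get(qtype, NODATA)
    return NXDOMAIN                                   # local=: answered here, never forwarded


# --- constructed scenarios (addresses are documentation/example values) ---

# 1. The OP's original setup: LAN domain example.com, forwarding off.  The
#    "Forward local domain queries = No" switch is assumed to render as local=.
OP_ORIGINAL = parse_directives("local=/example.com/")
OP_ORIGINAL_LAN = {"laptop.example.com": {"A": "192.168.1.20"}}

# 2. The OP's eventual fix: LAN domain moved to int.example.com.
OP_FIXED = parse_directives("local=/int.example.com/")
OP_FIXED_LAN = {"laptop.int.example.com": {"A": "192.168.1.20"}}

# 3. The dnsmasq.conf.add approach posted above, with placeholder IPs filled in.
CONF_ADD = parse_directives("""
# inside
address=/mydomain.com/0.0.0.0
address=/mydomain.com/::

# outside
address=/www.mydomain.com/mail.mydomain.com/203.0.113.10
address=/www.mydomain.com/mail.mydomain.com/2001:db8::10
""")
CONF_ADD_LAN = {"laptop.mydomain.com": {"A": "192.168.2.10"}}

if __name__ == "__main__":
    for label, rules, lan, q in [
        ("original", OP_ORIGINAL, OP_ORIGINAL_LAN, "dev.example.com"),
        ("fixed", OP_FIXED, OP_FIXED_LAN, "dev.example.com"),
        ("conf.add", CONF_ADD, CONF_ADD_LAN, "shop.mydomain.com"),
    ]:
        print(f"{label:9} {q} -> {resolve(q, 'A', rules, lan)}")
```

Running it shows the thread's three outcomes side by side: under the original setup dev.example.com is answered locally with NXDOMAIN because the whole of example.com is local; under the int.example.com setup the same query falls through to the upstream resolver while laptop.int.example.com still comes from the lease table; and under the conf.add approach www.mydomain.com wins over the catch-all by being the longer suffix, while any public host not listed (shop.mydomain.com here) gets the 0.0.0.0 answer, which is the "you have to add all outgoing hostnames" downside the poster noted.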
 
