DNSMasq - Resolve domain name within LAN without loopback support

Issues related to configuring your network
nthomthom
Posts: 16
Joined: 2019/11/24 18:54:48

DNSMasq - Resolve domain name within LAN without loopback support

Post by nthomthom » 2019/12/22 00:03:18

Hi.

I've been working on trying to get my domain name to resolve to my webserver locally. My router doesn't support hairpinning or NAT loopback, so I set up a dnsmasq server. It works great, but now I have a separate problem.
My webserver is behind two routers. The first router/modem brings in the connection with subnet 10.0.0.X and DMZs to the static IP the second router connects to (10.0.0.2); the second router is connected to the first, DMZs to the server, and has a subnet of 10.0.1.X. Because of this setup I am now able to see my webpage using the domain name when connected to the second router only (thanks to dnsmasq). By design, router #2 is outside the scope of router #1, so when a client is connected to the first router it can't access the webserver because it's not on the same LAN. Any way to get this to work?

jlehtone
Posts: 2925
Joined: 2007/12/11 08:17:33
Location: Finland

Re: DNSMasq - Resolve domain name within LAN without loopback support

Post by jlehtone » 2019/12/24 13:28:01

I have trouble following who is who.

WAN--rtr1--lanA--rtr2--lanB--server

Is that what you have?

* client in lanB can access the server, because it (a) resolves name to IP and (b) is link local to server
* client in lanA does not know the route to lanB

* if rtr2 does not NAT, then lanA clients could have route "to server via lanA-IP of rtr2"
* if rtr2 does NAT, then lanA clients should resolve "server" to lanA-IP of rtr2 (and rtr2 must port-forward)

nthomthom
Posts: 16
Joined: 2019/11/24 18:54:48

Re: DNSMasq - Resolve domain name within LAN without loopback support

Post by nthomthom » 2019/12/25 00:27:25

Hi.

Basically I have a router R1 (SMARTRG router) which serves DHCP IPs for LAN1 of 10.0.0.0/24, and connected to R1 is another router R2 (Apple Airport Extreme). R2 connects to R1 and has a static IP of 10.0.0.2. LAN2 has DHCP IPs of 10.0.1.0/24. Both routers NAT.

A webserver is configured on lan2 at ip 10.0.1.110.

R1 DMZs to 10.0.0.2 and R2 DMZs to 10.0.1.110. I know this setup works because when I use mydomain.com, which is bound to our WAN IP, it passes through both R1 and R2 to retrieve my index.html page.

The issue was that because the main router (R1) doesn't support NAT loopback, mydomain.com wasn't accessible on either LAN1 or LAN2. That's when I created a dnsmasq server on 10.0.1.110. Now mydomain.com resolves on LAN2. However, because of the setup, LAN1 doesn't know that LAN2 exists. I attempted to create a static route 10.0.1.110/32 via 10.0.0.2 metric 1 with no luck.

jlehtone
Posts: 2925
Joined: 2007/12/11 08:17:33
Location: Finland

Re: DNSMasq - Resolve domain name within LAN without loopback support

Post by jlehtone » 2019/12/25 09:39:18

Okay, your term "DMZ's" is apparently the same as "port forwarding" (and for iptables "DNAT").

The static route 10.0.1.110/32 via 10.0.0.2 for LAN1 fails, because the R2 does filter incoming "WAN traffic".
R2 allows replies to LAN2 client's connections, which arrive "to 10.0.0.2" due to SNAT
and forwards "to 10.0.0.2 web" into 10.0.1.110 due to DNAT. It drops everything else.

If R2 would route without NAT and filtering, then the static route would work.
Alas, I presume your consumer routers do not have such configurability.

How do you get the LAN2 clients to use 10.0.1.110 as DNS?
Doesn't DHCP of R2 supply R2 (or its upstream) as DNS?


An option is to remove R2 and have everything in LAN1.

An option is to make LAN1's DNS resolve "webserver" into 10.0.0.2, just like LAN2's DNS resolves "webserver" into 10.0.1.110.

An option is to move webserver into LAN1, and make DNS of LAN1 and LAN2 resolve "webserver" into 10.0.0.w.
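As an added illustration of the filtering described above (not code from the thread or either router): a small Python model of R2's WAN port, using the thread's addresses plus constructed client addresses and ports, showing why a LAN1 packet routed straight to 10.0.1.110 is dropped while one sent to 10.0.0.2 port 80 is DNATed to the web server and replies to LAN2-originated flows are let back in.

```python
# Toy model of R2 as described in the thread: a packet arriving on its WAN port
# is accepted only if it is a reply to a LAN2-originated (SNAT'd) flow or matches
# a DNAT port forward; everything else is dropped. Client IPs/ports are constructed.
from dataclasses import dataclass, field

R2_WAN_IP = "10.0.0.2"      # R2's address on LAN1 (from the thread)
WEBSERVER = "10.0.1.110"    # web server on LAN2 (from the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router2:
    # DNAT table: WAN-side destination port -> LAN2 host (the "DMZ" forward).
    dnat: dict = field(default_factory=lambda: {80: WEBSERVER})
    # Flows opened by LAN2 clients (remote ip, remote port, local port);
    # only replies to these are allowed back in.
    conntrack: set = field(default_factory=set)

    def lan2_outbound(self, pkt: Packet) -> Packet:
        """LAN2 client -> WAN: SNAT the source to 10.0.0.2 and record the flow."""
        self.conntrack.add((pkt.dst, pkt.dport, pkt.sport))
        return Packet(R2_WAN_IP, pkt.sport, pkt.dst, pkt.dport)

    def wan_inbound(self, pkt: Packet):
        """WAN -> R2: return (verdict, packet forwarded into LAN2 or None)."""
        if pkt.dst != R2_WAN_IP:
            # A LAN1 host using a static route to 10.0.1.110 lands here.
            return ("DROP", None)
        if pkt.dport in self.dnat:
            fwd = Packet(pkt.src, pkt.sport, self.dnat[pkt.dport], pkt.dport)
            return ("DNAT", fwd)
        if (pkt.src, pkt.sport, pkt.dport) in self.conntrack:
            return ("ACCEPT", pkt)      # reply to a flow a LAN2 client opened
        return ("DROP", None)


def lan1_client_verdict(resolved_ip: str) -> str:
    """What R2 does with a LAN1 client's HTTP request, given the address its
    DNS returned for mydomain.com (10.0.1.110 via static route vs 10.0.0.2)."""
    verdict, _ = Router2().wan_inbound(Packet("10.0.0.50", 40000, resolved_ip, 80))
    return verdict
```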

nthomthom
Posts: 16
Joined: 2019/11/24 18:54:48

Re: DNSMasq - Resolve domain name within LAN without loopback support

Post by nthomthom » 2019/12/27 01:38:36

I set the R1 DNS server to 10.0.0.2, but unfortunately R2 must be filtering the requests even though port forwarding is set up and working; for some reason the requests only come through if they come from the real WAN IP through R1 and then through R2. It seems strange to me that the request would be filtered out by R2 if the request comes directly from LAN1/R1, since R2 should view these requests as coming from the WAN and forward the port.

nthomthom
Posts: 16
Joined: 2019/11/24 18:54:48

Re: DNSMasq - Resolve domain name within LAN without loopback support

Post by nthomthom » 2019/12/27 01:56:14

As a side note, R2 has NAT-PMP enabled and is using 10.0.0.1 as the default gateway (which is LAN1); I don't know if this causes any NAT issues that would cause R2 to filter out the requests.

jlehtone
Posts: 2925
Joined: 2007/12/11 08:17:33
Location: Finland

Re: DNSMasq - Resolve domain name within LAN without loopback support

Post by jlehtone » 2019/12/27 18:24:38

The default on consumer "devices" is that they:
1. act as DHCP client to configure their "WAN"-port
2. act as DHCP server for the "LAN"-subnet
3. act as "default gateway" for LAN clients
4. either pass DNS server(s) that they got from WAN into the LAN clients or act as DNS relay

Easy, but limited options.

If your R1 could be configured as DNS server, then you could add there that "webserver" resolves to 10.0.0.2.
Everyone on LAN1 would be happy, because R2 port-forwards those requests correctly.

On LAN2 you have a DNS that resolves "webserver" to 10.0.1.110. That makes LAN2 clients happy.

nthomthom
Posts: 16
Joined: 2019/11/24 18:54:48

Re: DNSMasq - Resolve domain name within LAN without loopback support

Post by nthomthom » 2019/12/27 23:12:42

Hello

First, I would like to thank you for helping me - I really appreciate your responses.

I understand what you are saying. If on R1 I set the DNS server to 10.0.0.2, then R1 should pass the request over to R2, which is at IP 10.0.0.2, and R2 should then forward the port 53 request over to 10.0.1.110. However, this isn't working; it's almost as if R2 sees the request as local and not coming from the WAN and therefore doesn't bother to process the forward. I have attached a screenshot of the R2 networking settings. I noticed that the "Router IP address" is set to 10.0.0.1, which is odd because this is the IP address of R1, which is on LAN1, and these are the settings of R2. I'm wondering if this setting would prohibit this request from successfully passing through. Should this circled "Router IP" be set to the LAN2 IP of 10.0.1.1? Would this cause issues?

Return to “CentOS 8 - Networking Support”