On Wed, 30 Sep 2020 08:40:49 +0100 Mark Rogers mark@more-solutions.co.uk allegedly wrote:

> On Tue, 29 Sep 2020 at 17:39, mick mbm@rlogin.net wrote:
>
>> Try adding your local addresses to the static hosts file on the router and make sure that your resolv.conf (or whatever resolver routines you use) point to the openwrt router and that router can correctly resolve local addresses.
>
> I'm reluctant to add the addresses elsewhere (it defeats the point of having DNS, I might as well add them to hosts on my laptop!), but I might be left with no choice. But if so I'd like to understand why.
Actually no, it doesn't. You are using dnsmasq to resolve your addresses so it makes perfect sense to use a local hosts file to list all your RFC1918 local addresses. Those addresses are not routeable over the wider internet so it makes no sense to query an external DNS server for such an address. It is also very confusing for anyone /outside/ your network querying your DNS and getting an address they cannot reach. It is also impossible to get a correct answer to a reverse DNS query for such an address. Try it - you will get an NXDOMAIN answer.
However, if you do as I do, and I suggested, and use your local dnsmasq on the router to query a local hosts file for /internal/ addresses you can successfully get both forward and reverse answers. Any non local DNS queries will simply be passed to the external DNS servers you use - and they /should/ have correct in-addr.arpa zone files mapping the reverse addresses.
You only have to have one local hosts file if you use dnsmasq on your router (or in my case two, because I have split networks each with their own DNS servers).
> I know the authoritative DNS is set up correctly as I can resolve the hosts using dig/nslookup from my laptop (Win10, using nslookup under Windows and dig under WSL, although I now find that nslookup under WSL fails). If I try the same from the router, it queries 127.0.0.1 (dnsmasq) and gets no response. If I tell it to use Google's DNS at 8.8.8.8 it works, though, so it definitely seems to be a configuration issue within dnsmasq. (And it can resolve other hosts on the same domain that aren't 192.168.x.x addresses.)
>
> I just tried using dig from my Ubuntu desktop (behind same router) where both nslookup and dig fail. The Ubuntu box is itself, of course, using dnsmasq.
>
> Part of my problem is finding a way to describe what is happening to ask Google and get a meaningful answer. It seems that dnsmasq is blocking local IP responses from non-local DNS servers (maybe there's a security reason to do so but if so surely there's a way to turn that off if such responses are valid?)
I have a similar setup, but I have two separate internal networks, each with their own DNS server running DNSmasq (and stubby for DNS encryption). I have no trouble resolving internal addresses.
> Is dnsmasq ever resolving a local IP from a non-local DNS server in your configuration? (I think that's the key here.)
No - as I have said, all my local addresses are mapped in my hosts file.
> Obviously all my comments regarding example.com are to avoid referencing the real hosts but I think maybe a real example might help, so I have just set up: alugtest.msl-office.co.uk => 192.168.0.100. Its authoritative DNS is ns.123-reg.co.uk and I just verified that it is live there now but it may take a little while to propagate beyond that. I'd be interested to know who can/can't resolve it. (Google's DNS also resolve it correctly as I write this.)
Yes, but as I said above, rDNS doesn't work. And an external DNS server is not the right place for non-routeable RFC1918 addresses.
(Though I confess that I often use 127.0.0.1 on some of my external records (with a very short TTL) when I know that I am about to spin up a new server so that I can later add the correct (external) address and get a fast DNS response. Take a look at pump.rlogin.net for example.)
---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
---------------------------------------------------------------------
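As an added example (not either poster's real configuration), here is a dnsmasq configuration fragment for a router that follows the approach Mick describes: internal names are served from a local hosts file, which gives both forward and in-addr.arpa answers, and everything else is forwarded upstream. It also shows dnsmasq's rebind protection, which is the behaviour Mark is seeing: with `stop-dns-rebind` set, upstream answers containing RFC1918 addresses are discarded unless their domain is listed in `rebind-domain-ok`. The file paths and the hosts file line are assumptions; the name and address are the ones from Mark's test record.

```ini
# /etc/dnsmasq.conf (assumed path) - example configuration, not from the thread.

# Use only the upstream servers listed here, not the ones in /etc/resolv.conf.
no-resolv
server=8.8.8.8

# Internal hosts live in a local hosts file (assumed path) with one line per host,
# for example:
#   192.168.0.100 alugtest.msl-office.co.uk alugtest
# dnsmasq answers the A record for alugtest.msl-office.co.uk from this file and
# also the PTR for 100.0.168.192.in-addr.arpa, so reverse lookups work without
# any external zone. Names not in the file (other msl-office.co.uk hosts with
# public addresses included) are still forwarded to the upstream server.
addn-hosts=/etc/hosts.lan

# Rebind protection: drop upstream answers that point into private (RFC1918)
# address space. This is the "security reason" behind dnsmasq returning nothing
# for a 192.168.x.x answer obtained from 8.8.8.8: a public name resolving to a
# LAN address is the classic DNS rebinding pattern, where a web page is tricked
# into talking to devices behind the firewall.
stop-dns-rebind

# Keep allowing 127.0.0.0/8 in upstream answers (some DNS-based blocklists
# deliberately return loopback addresses).
rebind-localhost-ok

# If a public zone must legitimately return private addresses, as with the
# alugtest.msl-office.co.uk test record, exempt only that domain instead of
# switching the protection off for everything.
rebind-domain-ok=/msl-office.co.uk/
```

On OpenWrt the same two settings are `option rebind_protection '1'` and `list rebind_domain 'msl-office.co.uk'` in the dnsmasq section of /etc/config/dhcp; after a change, `dig @<router> -x 192.168.0.100` is a quick check that the reverse answer now comes from the hosts file.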