On 2015-11-30 05:02, Albert ARIBAUD wrote:
> Hello again "A C",
>
> On Mon, 30 Nov 2015 00:31:28 -0800, A C <ag...@hotmail.com> wrote:
>
>> On 2015-11-29 23:49, Albert ARIBAUD wrote:
>>> Hi again "A C",
>>>
>>> On Sun, 29 Nov 2015 23:19:28 -0800, A C <ag...@hotmail.com> wrote:
>>>
>>>> On 2015-11-29 22:50, Albert ARIBAUD wrote:
>>>>> Hi "A C",
>>>>>
>>>>> On Sun, 29 Nov 2015 14:08:50 -0800, A C <ag...@hotmail.com> wrote:
>>>>>
>>>>>> Ok, this question is for a much older version of dnsmasq because I haven't been able to update the router firmware to bring in a newer version. I'm currently using version 2.35.
>>>>>>
>>>>>> My current internal IP space is 10.0.0.0/255.255.0.0 (a Class B subnet of the 10.x.x.x Class A space). I have a VPN server on the network that I use when I'm away from home. It uses the 10.100.0.0 network space for the remote clients.
>>>>>>
>>>>>> What I would like to do is configure dnsmasq on my router to answer authoritatively for any requests about addresses in that 10.100.0.0 network even though the main network is outside that space. The VPN clients are assigned these extra IPs statically so I would just be adding them to the router's hosts file for dnsmasq to pick up.
>>>>>>
>>>>>> According to online man pages (the router doesn't have them because of space) there's a rev-server option which appears to be what I want but I can't determine if rev-server is supported in 2.35 or if it's a later addition.
>>>>>
>>>>> As per the current manpage, the --rev-server option is just syntactic sugar for --server. Therefore, if --rev-server does what you need, so does --server, and IIUC, it does not work as a "reverse query router".
>>>>>
>>>> Hi Albert,
>>>>
>>>> I did try server but it's not working. Attempting to resolve a hostname in the alternate netblock tries to send upstream.
>>>>
>>>> My current network has my router serving as DNS and DHCP server via dnsmasq. The VPN server has dnsmasq running with the goal of being authoritative for any of the VPN clients (the VPN software can write to the hosts file on the server as clients come and go).
>>>>
>>>> My router's configuration has local=/example.com/ (of course I'm using my real domain but it's not important for this). I added an additional line server=vpn.example.com/10.0.0.140 (my vpn server having the address 10.0.0.140).
>>>
>>> OK, so from the docs, any request for "*.vpn.example.com" will be forwarded to 10.0.0.140. Is that what you want?
>>
>> Yes, that's exactly correct. I want to address the vpn clients as <client>.vpn.example.com and I want the vpn server to be the DNS server for that subdomain. The main dnsmasq in the router should simply defer to the vpn server.
>>
>>>> On the VPN server, I have local=/vpn.example.com/ and the hosts file is populated by the server, for example:
>>>> 10.100.0.10 client1.vpn.example.com
>>>>
>>>> On the VPN server I can run a DNS query against localhost and dnsmasq there returns the proper IP address. However, if I query using the router as the DNS server, the query actually gets sent upstream to the ISP and I eventually get a failure.
>>>>
>>>> I also tried server=/0.100.10.in-addr.arpa/10.0.0.140 with no luck and I also added local=/vpn.example.com/ (so now there are two local directives) but the end result is that the query is not forwarded over to the VPN server, it's sent up to the ISP.
>>>
>>> What is the physical and logical topology of your network, and what are your router's and name server's networking configurations, both in terms of hardware interfaces and of software settings such as IP addresses and netmasks per interface, gateway(s), and routing table(s)?
>>>
>> The entire private network is 10.0.0.0/16 and all machines are attached to the single NAT router. Everything going on is internal only, none of this traffic should exit the private network.
>>
>> The main router is 10.0.0.1, the VPN server is 10.0.0.140, all normal clients on the network are 10.0.0.0/16. VPN clients coming in from the outside receive 10.100.0.0/24 so that it falls outside of the internal network (otherwise routing breaks).
>
> That depends on how you set it up, actually, and probably on the size of the network, but for my (admittedly small) network, VPN connections are handled by a bridging OpenVPN instance on a TAP device bridged with a physical interface. Local and VPN clients thus use the same DHCP server and therefore coexist in the same subnet, and have access to the same servers, including the DNS server.
>
> Now, a separated subnet for VPN clients works too, as long as the VPN server does the natting for them -- again, OpenVPN does that normally, so that no packet on 10.0.*.* should have a source or destination IP of 10.100.*.*.
>
>> There's only one internal interface on the router, eth1, and it's the only interface that dnsmasq is listening on (conf file says interface=eth1) with the same /16 netmask. The external interface is eth0.
>
> Does that mean there is also an eth0 interface on the router?
>
>> The VPN server has only one interface on the network, it's eth0 also with /16. The clients come in via tunnels so they show up on the VPN server as tun[] devices and the VPN server takes care to route onto the main network.
>>
>> The router has four defined routes. Two of the routes are for the outbound external interface and all public IPs. The other two routes are for the internal network and the VPN client network. Those are defined as:
>>
>> net 10.100.0.0 gw 10.0.0.140 mask 255.255.255.0 if eth1 (remapping gateway to the vpn server for the VPN block)
>> net 10.0.0.0 gw * mask 255.255.0.0 if eth1 (default route)
>>
>> The VPN server also has four routes, two are for its eth0 to the rest of the network and the other two are the tun[] interfaces which are only visible to connected clients. The two eth0 routes are the default route and the local network:
>>
>> net 0.0.0.0 gw 10.0.0.1 mask 0.0.0.0 eth0
>> net 10.0.0.0 gw * mask 255.255.0.0 eth0
>>
>> Every client on the internal network has DNS defined to be the router. None of them are aware of any external DNS (every resolv.conf or equivalent is set to 10.0.0.1). The VPN clients have the same configuration pushed to them on connect. The only device on the network aware of additional DNS servers is the router. Its resolv.conf points to the ISP DNS servers. The IP address is static so the entire configuration is static including the DNS servers (no live rewriting of resolv.conf).
>>
>> All traffic and DNS lookups work for the main network hosts (*.example.com) even from the VPN clients. I can be on a VPN client and ask for the IP of device.example.com and get an answer that is in the 10.0.0.0/16 block as expected. Reverse communication (i.e. ping) is possible to the VPN client IP addresses so now it's just a matter of getting DNS working. I can manually query the VPN's dnsmasq using dig or nslookup for a *.vpn.example.com address from any other network machine and get a proper answer. But if I query the router's dnsmasq, I get NXDOMAIN.
>>
>> I am also watching the VPN server's input for DNS packets. When I query the router's dnsmasq, the VPN server is never sent a DNS query packet so the router's dnsmasq is not forwarding the request over to the VPN server. I can see the packet when I query direct just not when I try to go through the router's dnsmasq.
>
> Can you watch the router's DNS traffic rather than the VPN server's? Possibly give a tcpdump of a successful and a failed DNS request? I assume you cannot change how dnsmasq runs on the router but if you can, then try having it log the successful and failed DNS requests too. This log might show whether a request is forwarded or cached, for instance.
>

I can't do a dump of traffic on the router but I think I should be able to get logging working. However, watching the traffic on the VPN I'm confident the request is not being forwarded to the VPN server. I presume the log-queries directive will be sufficient for this. I will try it this evening.
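Added example, not from the thread and not dnsmasq's own code: a small Python model of the routing rules the current dnsmasq manpage gives for server=, local= and rev-server= (suffix match, most specific domain wins, local= zones are answered from hosts only and never forwarded, bogus-priv keeps private reverse lookups from going upstream). It replays the thread's topology with a constructed router config and hosts entry; 203.0.113.53 is a documentation address standing in for the ISP resolver, and the "leaky" and "local-only" configs are constructed contrasts showing what happens when the more specific server= line is absent. The documented server= form carries a leading slash before the domain. Whether dnsmasq 2.35 applies the same precedence rule is not something this thread establishes; the model follows the current manpage.

```python
"""Toy model of how dnsmasq chooses where a query goes, built from the
server=/local=/rev-server= rules in the current dnsmasq manpage.
Constructed for illustration; this is not dnsmasq's own code and it is
not a claim about how dnsmasq 2.35 behaves."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, Optional[str]]  # (domain suffix, server ip; None = hosts only)


def reverse_zone(cidr: str) -> str:
    """rev-server sugar: 10.100.0.0/24 -> 0.100.10.in-addr.arpa (octet-aligned only)."""
    net = ip_network(cidr, strict=False)
    if net.prefixlen % 8:
        raise ValueError("this model only handles /8, /16 and /24 reverse zones")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def parse_config(text: str) -> Tuple[List[Rule], Optional[str], bool]:
    """Return (domain rules, default upstream, bogus-priv flag).
    '#' only starts a comment at line start: dnsmasq uses '#' for ports
    (server=1.2.3.4#5353), so trailing comments are not allowed here either."""
    rules: List[Rule] = []
    upstream: Optional[str] = None
    bogus_priv = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        if key == "bogus-priv":
            bogus_priv = True
        elif key == "local":                      # local=/dom/ == server=/dom/ (no address)
            rules.append((val.strip("/").lower(), None))
        elif key == "server":
            if val.startswith("/"):               # server=/dom/ip
                dom, _, ip = val[1:].partition("/")
                rules.append((dom.lower(), ip or None))
            else:                                 # server=ip : default upstream
                upstream = val
        elif key == "rev-server":                 # rev-server=cidr,ip
            cidr, _, ip = val.partition(",")
            rules.append((reverse_zone(cidr), ip))
    return rules, upstream, bogus_priv


def _is_private_ptr(q: str) -> bool:
    """True for reverse names inside RFC 1918 space (partial zones are padded)."""
    labels = q[: -len(".in-addr.arpa")].split(".")
    if len(labels) > 4 or not all(l.isdigit() for l in labels):
        return False
    octets = list(reversed(labels)) + ["0"] * (4 - len(labels))
    return ip_address(".".join(octets)).is_private


def route(config: str, hosts: Dict[str, str], qname: str) -> Tuple[str, Optional[str]]:
    """Decide a query's fate: ('answer', data), ('nxdomain', None),
    ('forward', server_ip) or ('upstream', default_server)."""
    rules, upstream, bogus_priv = parse_config(config)
    q = qname.rstrip(".").lower()
    # /etc/hosts (and DHCP leases) are consulted before any forwarding decision,
    # for both forward (A) and reverse (PTR) names.
    table = {n.lower(): ip for n, ip in hosts.items()}
    table.update({ip_address(ip).reverse_pointer: n.lower() for n, ip in hosts.items()})
    if q in table:
        return ("answer", table[q])
    # Longest (most specific) matching domain wins, per the manpage.
    best: Optional[Rule] = None
    for dom, target in rules:
        if (q == dom or q.endswith("." + dom)) and (best is None or len(dom) > len(best[0])):
            best = (dom, target)
    if best is not None:
        # A local= zone is never forwarded: an unknown name is NXDOMAIN.
        return ("forward", best[1]) if best[1] else ("nxdomain", None)
    if bogus_priv and q.endswith(".in-addr.arpa") and _is_private_ptr(q):
        return ("nxdomain", None)              # private PTRs never leak upstream
    return ("upstream", upstream)


# Constructed router config for the topology in the thread. 203.0.113.53 is a
# documentation address standing in for the ISP resolver.
ROUTER_CONF = """
interface=eth1
domain-needed
bogus-priv
local=/example.com/
# documented form has a leading slash; the more specific zone goes to the VPN box
server=/vpn.example.com/10.0.0.140
# reverse zone for the VPN client block, same as rev-server=10.100.0.0/24,10.0.0.140
server=/0.100.10.in-addr.arpa/10.0.0.140
server=203.0.113.53
"""
# Only local=/example.com/: names under vpn.example.com fall into the hosts-only
# zone and are answered NXDOMAIN, never forwarded (constructed contrast).
LOCAL_ONLY_CONF = "local=/example.com/\nserver=203.0.113.53\n"
# No local= and no bogus-priv: internal names and private PTRs go to the ISP.
LEAKY_CONF = "server=203.0.113.53\n"
ROUTER_HOSTS = {"device.example.com": "10.0.0.20"}  # constructed /etc/hosts entry

if __name__ == "__main__":
    for label, conf in (("router", ROUTER_CONF), ("local-only", LOCAL_ONLY_CONF), ("leaky", LEAKY_CONF)):
        for q in ("client1.vpn.example.com", "10.0.100.10.in-addr.arpa", "5.0.168.192.in-addr.arpa"):
            print(label, q, route(conf, ROUTER_HOSTS, q))
```

The practical check on the real boxes is the pair `dig @10.0.0.140 client1.vpn.example.com` and `dig @10.0.0.1 client1.vpn.example.com` run side by side with log-queries enabled on the router: in current dnsmasq the log distinguishes a "forwarded ... to 10.0.0.140" line from a locally generated "config ... is NXDOMAIN" answer, which is exactly the difference the model's "forward" and "nxdomain" outcomes stand for. The "leaky" contrast is the security point: without a local= zone (or bogus-priv for reverse lookups) internal hostnames and private PTR queries are sent to the ISP resolver.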
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss