DNS dropping entries?

[bronson]

Why would Gargoyle eat DNS entries? Is it because they're resolving to internal IP addresses?

I need to access a client's VPN that publishes internal hostnames on their public DNS. Now that I've installed Gargoyle, this no longer works.

When I query my ISP's dns directly, they're still there:

Code: Select all

~$ nslookup
> server 208.201.224.11
Default server: 208.201.224.11
Address: 208.201.224.11#53
> elmp2.example.com
Server:		208.201.224.11
Address:	208.201.224.11#53

Non-authoritative answer:
Name:	elmp2.example.com
Address: 10.10.30.9

But when I try to use my Gargoyle-supplied DNS (which is, of course, using my ISP's DNS), they're gone.

Code: Select all

~$ nslookup
> elmp2.example.com
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
*** Can't find elmp2.example.com: No answer

Why does Gargoyle do this? Is there any way to get it to just pass them through?

Thanks!

[tapper]

Hi mate I am not a expert on the workings of DNS but do you have the ad block plug-in installed? All sow you could try using google's DNS 8.8.8.8 or 8.8.4.4 or like I do use OpenDNS. Sorry I can't give you more info.

[bronson]

I tried using OpenDNS -- no difference. Gargoyle still drops the internal IP addresses.

For now I'm manually configuring my computers to use the ISP's DNS directly, but that gets reset when DHCP recycles.

Guess it's time to roll up my sleeves and try to figure out exactly why dnsmasq is doing this. Thanks for the reply!

[ispyisail]

Can you supply a screen shot of you main gargoyle config page.

[bronson]

Hi, it's just what you'd expect:



Sorry for the delay... Clearly I should set up email notifications. I'm still very interested in fixing this somehow.

[Lantis]

Can you please check your /etc/resolv.conf contains only the two ISP DNS entries you would expect?

[ispyisail]

I need to access a client's VPN that publishes internal hostnames on their public DNS.

The problem is when you are using OpenVPN?

Code: Select all

push "dhcp-option DNS 10.66.0.4"
push "dhcp-option DNS 10.66.0.5"
push "dhcp-option WINS 10.66.0.8"

https://openvpn.net/index.php/open-sour ... .html#dhcp

[bronson]

Which resolv.conf do you mean?

On the router:

search lan
nameserver 127.0.0.1

On my workstation:

domain lan
nameserver 192.168.1.1

I'm using OpenVPN on my workstation but the router shouldn't care... These DNS entries are global -- not affected by the VPN.

-- example:

I set up dbex.u32.net as an example. You can try it yourself.

ping dbex.u32.net
dig dbex.u32.net

If you're behind Gargoyle, you'll get "unknown host".

But, if you're connected directly to the internet, dbex.u32.net resolves perfectly fine (to 10.10.30.8).

If you bypass gargoyle's DNS, it also resolves of course:

dig dbex.u32.net @8.8.8.8

[Lantis]

Go to the openwrt wiki for dnsmasq config.
I think you want to use option "6", which pushes the DNS servers to the clients.
So something like
option '6,8.8.8.4,8.8.8.8'

Would push the google DNs servers to the clients.
https://wiki.openwrt.org/doc/howto/dhcp.dnsmasq
"Configuring dnsmasq to broadcast External DNS server information"

[bronson]

Isn't that what the "Force Clients To Use Router DNS Servers" checkbox does?

I just notice that this is logged every time it refuses an entry

Sun Oct 16 02:34:21 2016 daemon.warn dnsmasq[23426]: possible DNS-rebind attack detected: dbex.u32.net

and THAT leads to this very helpful page: https://doc.pfsense.org/index.php/DNS_R ... rotections

SO, I guess I need to put --rebind-domain-ok=/u32.net/ on the command line. Or, can I put this in /etc/config/dhcp directly?

Code: Select all

config dnsmasq
    option rebind_domain '/u32.net/'

WIsh I'd thought to check the logfiles earlier! I'm still not used to treating this little router like a Linux box...