DNS dropping entries?

Posted: Wed Oct 05, 2016 12:27 pm
by bronson
Why would Gargoyle eat DNS entries? Is it because they're resolving to internal IP addresses?

I need to access a client's VPN that publishes internal hostnames on their public DNS. Now that I've installed Gargoyle, this no longer works.

When I query my ISP's dns directly, they're still there:

~$ nslookup
> server 208.201.224.11
Default server: 208.201.224.11
Address: 208.201.224.11#53
> elmp2.example.com
Server:		208.201.224.11
Address:	208.201.224.11#53

Non-authoritative answer:
Name:	elmp2.example.com
Address: 10.10.30.9

But when I try to use my Gargoyle-supplied DNS (which is, of course, using my ISP's DNS), they're gone.

~$ nslookup
> elmp2.example.com
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
*** Can't find elmp2.example.com: No answer

Why does Gargoyle do this? Is there any way to get it to just pass them through?

Thanks!

Re: DNS dropping entries?

Posted: Wed Oct 05, 2016 3:15 pm
by tapper
Hi mate, I am not an expert on the workings of DNS, but do you have the ad block plug-in installed? Also, you could try using Google's DNS 8.8.8.8 or 8.8.4.4 or, like I do, use OpenDNS. Sorry I can't give you more info.

Re: DNS dropping entries?

Posted: Fri Oct 07, 2016 3:11 pm
by bronson
I tried using OpenDNS -- no difference. Gargoyle still drops the internal IP addresses.

For now I'm manually configuring my computers to use the ISP's DNS directly, but that gets reset when DHCP recycles.

Guess it's time to roll up my sleeves and try to figure out exactly why dnsmasq is doing this. Thanks for the reply!

Re: DNS dropping entries?

Posted: Wed Oct 12, 2016 12:15 am
by ispyisail
Can you supply a screenshot of your main Gargoyle config page?

Re: DNS dropping entries?

Posted: Sat Oct 15, 2016 11:38 pm
by bronson
Hi, it's just what you'd expect:

Sorry for the delay... Clearly I should set up email notifications. I'm still very interested in fixing this somehow.

Re: DNS dropping entries?

Posted: Sun Oct 16, 2016 3:17 am
by Lantis
Can you please check your /etc/resolv.conf contains only the two ISP DNS entries you would expect?

Re: DNS dropping entries?

Posted: Sun Oct 16, 2016 3:55 am
by ispyisail
"I need to access a client's VPN that publishes internal hostnames on their public DNS."

Is the problem when you are using OpenVPN?

push "dhcp-option DNS 10.66.0.4"
push "dhcp-option DNS 10.66.0.5"
push "dhcp-option WINS 10.66.0.8"

https://openvpn.net/index.php/open-sour ... .html#dhcp

Re: DNS dropping entries?

Posted: Sun Oct 16, 2016 5:06 am
by bronson
Which resolv.conf do you mean?

On the router:

search lan
nameserver 127.0.0.1

On my workstation:

domain lan
nameserver 192.168.1.1

I'm using OpenVPN on my workstation, but the router shouldn't care... These DNS entries are global -- not affected by the VPN.

-- Example:

I set up dbex.u32.net as an example. You can try it yourself.

ping dbex.u32.net
dig dbex.u32.net

If you're behind Gargoyle, you'll get "unknown host".

But, if you're connected directly to the internet, dbex.u32.net resolves perfectly fine (to 10.10.30.8).

If you bypass Gargoyle's DNS, it also resolves, of course:

dig dbex.u32.net @8.8.8.8

Re: DNS dropping entries?

Posted: Sun Oct 16, 2016 5:17 am
by Lantis
Go to the openwrt wiki for dnsmasq config.
I think you want to use option "6", which pushes the DNS servers to the clients.
So something like

option '6,8.8.8.4,8.8.8.8'

would push the Google DNS servers to the clients.
https://wiki.openwrt.org/doc/howto/dhcp.dnsmasq
"Configuring dnsmasq to broadcast External DNS server information"

Re: DNS dropping entries?

Posted: Sun Oct 16, 2016 5:50 am
by bronson
Isn't that what the "Force Clients To Use Router DNS Servers" checkbox does?

I just noticed that this is logged every time it refuses an entry:

Sun Oct 16 02:34:21 2016 daemon.warn dnsmasq[23426]: possible DNS-rebind attack detected: dbex.u32.net

and THAT leads to this very helpful page: https://doc.pfsense.org/index.php/DNS_R ... rotections

SO, I guess I need to put --rebind-domain-ok=/u32.net/ on the command line. Or, can I put this in /etc/config/dhcp directly?

config dnsmasq
    # rebind_domain is a list entry in /etc/config/dhcp, not a single option
    list rebind_domain '/u32.net/'

Wish I'd thought to check the logfiles earlier! I'm still not used to treating this little router like a Linux box...
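To make the mechanism found in this thread concrete, here is an added Python model (not dnsmasq's own code, and not from anyone in the thread) of what dnsmasq's rebind protection does to an upstream answer and how a --rebind-domain-ok entry exempts a domain. The blocked-range list is my assumption based on the dnsmasq manual (RFC 1918 plus loopback and link-local); the log message is the one quoted in the post above.

```python
import ipaddress

# Ranges dnsmasq's rebind protection (--stop-dns-rebind) refuses when they
# appear in an answer from an UPSTREAM server.  Assumption: RFC 1918 plus
# loopback and link-local; check the dnsmasq manual for the version you run.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10",
)]


def parse_rebind_domain_ok(value):
    """Split a --rebind-domain-ok value such as '/u32.net/' or
    '/a.example/b.example/' into a list of lower-cased domain names."""
    return [d.strip().lower() for d in value.split("/") if d.strip()]


def domain_is_exempt(name, exempt_domains):
    """True if NAME equals or is a subdomain of any exempt domain.
    The match is on label boundaries, so 'u32.net' does not exempt
    'u32.net.attacker.example'."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in exempt_domains)


def filter_upstream_answer(name, addresses, rebind_domain_ok=()):
    """Model the rebind check on one upstream answer.

    Returns (addresses_passed_to_client, log_lines).  Like dnsmasq, the
    whole answer is dropped and a warning logged when any address falls in
    a blocked range and the queried name is not exempt."""
    exempt = [d for v in rebind_domain_ok for d in parse_rebind_domain_ok(v)]
    if domain_is_exempt(name, exempt):
        return list(addresses), []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in BLOCKED_RANGES):
            return [], [f"possible DNS-rebind attack detected: {name}"]
    return list(addresses), []


if __name__ == "__main__":
    # Constructed replay of the thread: the poster's test name resolves to
    # 10.10.30.8, which the router refuses until u32.net is exempted.
    print(filter_upstream_answer("dbex.u32.net", ["10.10.30.8"]))
    print(filter_upstream_answer("dbex.u32.net", ["10.10.30.8"], ["/u32.net/"]))
```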