
Broadcast static IPs hostnames to all devices in the network?

Discussion in 'Tomato Firmware' started by Nazgulled, Oct 6, 2017.

  1. Nazgulled

    Nazgulled Reformed Router Member

    All my devices with static IPs have specific hostnames defined. On my main PC I've also defined these hostnames in the system hosts file pointing to their correct IP addresses. But is there a way to broadcast the hostnames to all devices in the network instead of relying on editing the hosts file manually?

    The advantages I see in this for my use case:
    • If I need to change the static IPs in the future, no need to remember to update hosts file.
    • If I need to access these machines by hostname from devices other than my main PC, it will just work.
    Is this possible?
     
  2. pegasus123

    pegasus123 Addicted to LI Member

    I can access my devices by hostname defined in the static page flawlessly. Can you ping the hostname and see whether you are getting the IP?
     
  3. PetervdM

    PetervdM Network Guru Member

    if you use dnsmasq as your dns provider in advanced - dns/dhcp tick "use internal dns" and in the custom configuration enter lines like:
    host-record=xxxxx.yyyyyy.com,192.168.aaa.bbb
     
    AndreDVJ likes this.
  4. Monk E. Boy

    Monk E. Boy Network Guru Member

    One could also create static DHCP leases for all of them, which also creates DNS records. Provided you add host & domain names to basic -> identification it should work. Ideally to make less work for yourself you should create static leases then switch the clients to DHCP so you don't have to futz around with making sure each host and domain name matches on each system.

    The only devices I have static IPs on are routers, switches, and (for some reason) DHCP servers. For those I do create static DNS entries.
     
    Last edited: Oct 7, 2017
  5. Nazgulled

    Nazgulled Reformed Router Member

    That was it guys, this was already working and I didn't know it.

    Sorry about that and thank you all.
     
  6. Nazgulled

    Nazgulled Reformed Router Member

    Hello again.

    One additional question still related to this...

    How can I broadcast static IPs hostnames to a device connected to my router VPN? What server/clients options do I need so that VPN clients recognize the network hostnames?

    Do I need a private DNS server for this and use that on each VPN client or is there any other alternative? If not, is it easy to setup a free and private DNS server on Tomato?
     
  7. PetervdM

    PetervdM Network Guru Member

    make sure your vpn clients use your router's dnsmasq server through the tunnel
     
    Nazgulled likes this.
  8. Nazgulled

    Nazgulled Reformed Router Member

    How exactly do I do that @PetervdM ? Do I just use the router's network IP as the DNS server?
     
  9. PetervdM

    PetervdM Network Guru Member

    do as stated in my #3 post,
    make sure your dhcp server is configured to hand out the router lan ip address as the dns server to the client,
    in your openvpn client click or enter in the config ( if possible ):
    • register-dns // make sure the client side dns cache is cleared on creating the tunnel
    • block-outside-dns // re-route hardcoded dns queries to the dnsmasq server
    for more info rtfm: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
     
    Nazgulled likes this.
  10. Nazgulled

    Nazgulled Reformed Router Member

    Is there a way to push the DNS server onto ALL the clients without exception so that I don't have to configure that manually per client?
     
  11. PetervdM

    PetervdM Network Guru Member

    configuring on the client seems the best way to me, but you might try:

    on windows clients:
    push "dhcp-option DNS xx.xx.xx.xx"
    push "block-outside-dns"
    push "register-dns"

    on *nix clients:
    push "dhcp-option DNS xx.xx.xx.xx"

    where xx.xx.xx.xx is the ip address of the dnsmasq server
    untested, your mileage may vary
     
    Last edited: Oct 17, 2017
    Nazgulled likes this.
  12. Nazgulled

    Nazgulled Reformed Router Member

    Just not sure what you mean with "windows clients" and "*nix clients" since this is supposed to be configured on the router (which is *nix based).

    Are you saying that I'll need those 2 extra lines in the "windows clients" if I have windows clients connecting to my VPN?
     
  13. PetervdM

    PetervdM Network Guru Member

    sorry, i mashed up. you don't need push "dhcp-option DNS xx.xx.xx.xx"

    in creating the tunnel, the client will request network settings by dhcp, so if the dnsmasq dhcp server is set to use itself as a dns server the client is automatically configured with the right dns server. so nothing else has to be configured at the openvpn client.
    if however an application on the machine running the openvpn client performs a rogue dns query to fi 8.8.8.8 it might pass dnsmasq and get resolved at 8.8.8.8. to stop this you might try whether ticking "intercept dns port" in tomato advanced, dhcp/dns server helps.

    if your openvpn client is running on a windows system you might try in addition in the custom config on the openvpn server at tomato:

    push "block-outside-dns"
    push "register-dns"

    this intercepts and blocks rogue requests at the client side.

    openvpn clients on *nix systems may not allow this.

    fwiw you do route all traffic through the tunnel? you might post your openvpn server and client configs here.
     
  14. Nazgulled

    Nazgulled Reformed Router Member

    Ok, it's better if I post my setup and use cases.

    I have setup a VPN server on my router for 2 things: a) access my home network services while on the go b) route all traffic through the VPN while accessing public Wi-Fi hotspots. I am the only person accessing the VPN for the time being but I have 4 different client configurations, each with their own private/public key pairs.

    Basically, 2 client configurations for my laptop and 2 client configurations for my mobile phone. I have 2 configurations for each device because one of them is configured to route all the traffic through the tunnel while the other is not. In other words, when I just want to access my home network I use client A, when I want to route all the traffic while on a public Wi-Fi hotspot, I use client B.

    My laptop is Windows only and I use Viscosity as a VPN client. For my Android phone, I use the official OpenVPN Android app (kinda ugly, but it does the job). I don't have access to all my configurations right now, so I'll post them later if you don't mind.
     
  15. Nazgulled

    Nazgulled Reformed Router Member

    I've attached 2 screenshots with my server configuration. I'll post the clients configuration later. Sorry.

     
  16. PetervdM

    PetervdM Network Guru Member

    OK. this server config translates to:

    # Automatically generated configuration
    daemon
    server 10.8.0.0 255.255.255.0
    proto udp
    port 1194
    dev tun22
    ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
    cipher AES-256-CBC
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    push "route < your network > < your subnet mask>"
    push "dhcp-option DOMAIN <your domain>"
    push "dhcp-option DNS <your dnsmasq server>"
    status-version 2
    status status

    # Custom Configuration


    this routes only the traffic with destination "your network" into the tunnel. all regular dns queries go to your dnsmasq, however rogue dns queries may bypass the tunnel and are resolved locally. for windows machines you can prohibit this by inserting into the custom config field of the windows laptops:

    push "block-outside-dns"
    push "register-dns"

    afaik there is no way to prohibit rogue dns lookups for your unrooted android phone in this setup. maybe there is a way for rooted phones. let's consider this client A.


    your other client B is basically the same but you have to activate "Redirect Internet traffic" as it is called in tomato, i don't know the viscosity wordings. this translates into:

    redirect-gateway def1

    in the client config. this modifies your client's routing table with 2 lines which make your client route all traffic - including dns queries, regular and rogue - into the tunnel, bypassing the default route. now you can block those rogue queries in tomato: in advanced, dhcp / dns tick "Intercept DNS port". this intercepts the rogue dns queries and leads them to dnsmasq.
    as this is client independent it works for your android, windows and all other clients.

    if preventing this dns leakage is important to you i should minimize the use of client A on your android phone.
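The routing-table point in the post above (a pushed LAN route versus redirect-gateway def1) can be checked with a longest-prefix-match lookup. The block below is an added example, not code from the thread or from Tomato/OpenVPN; the interface names, the VPN server address 203.0.113.5 and the route lists are constructed, and the two /1 routes plus the /32 host route are what OpenVPN's def1 flag installs.

```python
import ipaddress

# Constructed routing tables for this added example (not from the thread).
# 203.0.113.5 stands in for the VPN server's public address; "wlan0" is the
# hotspot interface and "tun0" the OpenVPN tunnel.
VPN_SERVER = "203.0.113.5"

# Client A: only the pushed route for the home LAN enters the tunnel.
CLIENT_A_ROUTES = [
    ("0.0.0.0/0", "wlan0"),        # default route learned from the hotspot
    ("10.8.0.0/24", "tun0"),       # the tunnel's own subnet (server 10.8.0.0)
    ("192.168.0.0/24", "tun0"),    # push "route 192.168.0.0 255.255.255.0"
]

# Client B: redirect-gateway def1 adds two /1 routes via the tunnel (each more
# specific than 0.0.0.0/0, so the hotspot default route is never deleted, only
# outranked) and a /32 host route so the encrypted packets to the VPN server
# itself still leave via wlan0.
CLIENT_B_ROUTES = CLIENT_A_ROUTES + [
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    (VPN_SERVER + "/32", "wlan0"),
]


def lookup(routes, dst):
    """Interface chosen by longest-prefix match; None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def leaks_outside_tunnel(routes, destinations):
    """Destinations whose packets bypass the tunnel (the VPN server itself is expected to)."""
    return [d for d in destinations if d != VPN_SERVER and lookup(routes, d) != "tun0"]


if __name__ == "__main__":
    for label, routes in (("client A", CLIENT_A_ROUTES), ("client B", CLIENT_B_ROUTES)):
        # 8.8.8.8 models a hard-coded ("rogue") resolver an app might query.
        print(label, "leaks:", leaks_outside_tunnel(routes, ["8.8.8.8", "192.168.0.98"]))
```

With client A's table a query to 8.8.8.8 follows the hotspot default route, which is the leak the post describes; with client B's table it matches 0.0.0.0/1 and enters the tunnel, where the router's "Intercept DNS port" setting can catch it.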
     
  17. Nazgulled

    Nazgulled Reformed Router Member

    I'm so sorry, but I'm getting a bit confused by all this since there's differences between the client's OS and configuration, so let's go step by step and start over if you don't mind. I really appreciate the time you're taking with this, but I really want to understand how things work.

    Let's forget Windows and Viscosity for now (it's what I use less) and focus on the OpenVPN Android clients. Sorry I took this long but these are my current configurations.

    Client A (WITHOUT traffic redirection):
    Code:
    client
    dev tun
    proto udp
    remote vpn.myhomenetwork.net 1194
    float
    cipher AES-256-CBC
    comp-lzo adaptive
    keepalive 15 60
    ns-cert-type server
    resolv-retry infinite
    nobind
    
    Client B (WITH traffic redirection):
    Code:
    client
    dev tun
    proto udp
    remote vpn.myhomenetwork.net 1194
    float
    cipher AES-256-CBC
    comp-lzo adaptive
    keepalive 15 60
    ns-cert-type server
    resolv-retry infinite
    nobind
    redirect-gateway def1
    dhcp-option DNS 8.8.8.8
    dhcp-option DNS 8.8.4.4
    Client A is the one I use most of the time to access my home network and Client B is used to redirect all my traffic through my home Internet connection while I'm on some public Wi-Fi hotspot. I might still access some services on my home network while using Client B - no point in disconnecting B to connect A and access those services - but this is not something I normally do (most of the time I just use Client A to access my home network).

    All my static IP hostnames are in the form of "hostname.nazgulled.home" and while connected on my home network (Wi-Fi or Ethernet) I can successfully connect to them by hostname. But through the VPN connection, doing an nslookup for "nasbox.nazgulled.home" (for instance) doesn't return anything.

    This is what I'm trying to achieve, access my home network machines through hostname instead of IP. How can I achieve this on both of the VPN client connections above on my Android phone? And, of course, if there's any other configuration change you recommend, I'm all ears. Especially that DNS leakage you mentioned, which I'm not sure I'm currently affected by with these client configurations.
     
  18. PetervdM

    PetervdM Network Guru Member

    OK. from what i see the client B config is faulty, and it is easier to start with client A. i presume client A is able to resolve fi www.google.com but not nasbox.nazgulled.home and you can reach nasbox.nazgulled.home by its ip address. correct?
    if so, openvpn doesn't seem the problem, but your dnsmasq configuration. go to the tomato advanced, dhcp/dns configuration page, and note all existing settings and config rules. then, if not already so:
    • tick "use internal DNS"
    • leave "Use received DNS with user-entered DNS", maybe we have to alter it later.
    • tick "Prevent DNS-rebind attacks"
    • tick "Intercept DNS port"
    • untick "Use user-entered gateway if WAN is disabled"
    • in Dns Custom Configuration enter at least the next lines:
      • host-record=nasbox,nasbox.nazgulled.home, xx.xx.xx.xx
      • domain-needed
      • clear-on-reload
    • click save
    now try to resolve nasbox, nasbox.nazgulled.home and fi www.microsoft.com ( not www.google.com, it might still be in the android cache )
    post the results, and tell me whether "Use received DNS with user-entered DNS" is ticked or not, which other lines are in Dns Custom Configuration and of course the results of the tests above.
     
    Nazgulled likes this.
  19. Nazgulled

    Nazgulled Reformed Router Member

    Correct :)

    It was already ticked.

    Not sure what you meant with "leave" but it's currently unticked and I'll leave it like that.

    It was already ticked too.

    It wasn't ticked so I ticked it.

    It was already unticked.

    I believe I posted similar questions with different wording (sorry for that, I thought I was asking different things) on these forums and someone else helped me with my dnsmasq configuration which ended up like this:

    Code:
    domain=nazgulled.home,192.168.0.0/24,local
    domain-needed
    bogus-priv
    I just tested the configuration above (including the new "intercept dns port" setting you suggested) with Client A and everything seemed to work fine. I could nslookup/ping any *.nazgulled.home device (as long as I had a static IP with a hostname configured in Tomato that is) along with any www.google.com or www.microsoft.com domain. Unless I'm not understanding this properly, I believe this is now working.

    But should I still add your clear-on-reload option? What about the host-record one? I'd rather not need individual host-record entries for each static host IP I have defined, which I believe is solved through domain, domain-needed and bogus-priv (as recommended on the other thread).

    Do you want me to test anything else for Client A?
     
  20. Nazgulled

    Nazgulled Reformed Router Member

    Actually, it's NOT working with the configuration above. I don't have much more time right now to continue this so please wait for my next post.

    By the way, I use this app on my phone:
    https://play.google.com/store/apps/details?id=ua.com.streamsoft.pingtools

    Which has a device discovery functionality that seems to discover all my static hosts while I'm connected through Wi-Fi. But if I connect through my data plan, connect through the VPN with Client A, they are no longer discovered. I guess this is an easy way to understand if we are on the right path or not?
     
  21. Nazgulled

    Nazgulled Reformed Router Member

    Ok, I've added this configuration:

    Code:
    host-record=testbox1,testbox1.nazgulled.home,192.168.0.98
    domain=nazgulled.home,192.168.0.0/24,local
    domain-needed
    clear-on-reload
    bogus-priv
    Tried to ping, nslookup, used the Android app I mentioned above, nothing. Can't resolve testbox1 or textbox.nazgulled.home. I specifically used that hostname (which I never used before) to avoid anything that might be cached.
     
  22. Nazgulled

    Nazgulled Reformed Router Member

    I don't get it, now it's working...

    but do I really need individual host-record entries for each static host? :/
     


  23. PetervdM

    PetervdM Network Guru Member

    OK. congrats.
    there are two name resolution systems in your network. the first is WINS. it is a microsoft thing but widely supported on other platforms. it is self-learning, but has drawbacks: only simple names fi TESTBOX, 1 to 1 relation, so 1 name is related to 1 ip address and most of all, it is NOT routeable, so in your case it is confined to 192.168.0.0/24. tomato doesn't have a WINS stack, but windows machines and fi nas have it.
    the other one is DNS. this is the defacto standard for name resolution in networks. it is n to n - multiple names can resolve to 1 ip address ( fi multiple websites on one machine ) and one name can resolve to multiple ip addresses ( load balancing ). it is very versatile, but the drawback is that you have to populate the system with dns records.

    so yes, you have to enter a host-record line for each name you want to be resolved. maybe, very maybe WINS crosses a TAP openvpn setup instead of the TUN setup you're using now. if you have a TAP vpn you get an ip address handed out by your dhcp server in the 192.168.0.0/24 subnet. as far as i know there is only one openvpn client that supports tap, openvpn client by colluci-web.it. i have no intent to try WINS over TAP, i steer as much away from WINS as i can.

    - the domain record supplies the client with the domain name by dhcp. if you query textbox and resolving is unsuccessful, textbox.<domain> is queried, in your case textbox.nazgulled.home
    - domain-needed prohibits querying a single name - without dots - to be queried upstream
    - bogus-priv prevents reverse lookups of private addresses upstream
    - clear-on-reload clears the cache on dnsmasq on reload. dns uses a cache for results as well as failures. so if you are experimenting and get a failure a subsequent request - after you have fi added the requested record - isn't queried at all but answered from the failure cache. without clear-on-reload saving and restarting dnsmasq doesn't clear the cache.
    rtfm: http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
     
    Nazgulled likes this.
  24. Nazgulled

    Nazgulled Reformed Router Member

    First, how could you tell I had 2 name resolution systems in the network? What gives it away?

    Second, I do use Windows but I don't think it's the one having WINS. I use OpenMediaVault on my NAS and I do have one box ticked that says "Enable WINS Server". I can disable it and try again. I'd rather be dependent on a single name resolution system.

    I understand that but what I don't understand is why the host-record option is required when I have set up my static hosts through Tomato's GUI. Aren't they supposed to do that for me already? Is there a way I can output (through SSH or something) the full dnsmasq configuration being used on my router?

    My VPN currently hands out IPs in the 10.8.0.0/255.255.255.0 subnet, as specified by one of the VPN configuration options on the Tomato GUI.

    So I should just keep using it, right?

    You say "fi" a lot of times and I'm getting confused, what do you mean by that?

    I try to, I like to learn. But sometimes, if you are not somewhat versed in the specific technology, it may be hard to understand a few things. Networking was never my strong suit.

    You said this in your previous post... So, what exactly would be the right Client B configuration to:
    • Redirect ALL my traffic through the VPN while connected to Client B?
    • Redirect ALL DNS queries to whatever DNS servers I have defined on my router?
    Why are the following 3 extra lines (that's the only difference between Client A and B) faulty?

    Code:
    redirect-gateway def1
    dhcp-option DNS 8.8.8.8
    dhcp-option DNS 8.8.4.4
     
  25. PetervdM

    PetervdM Network Guru Member

    what gives it away is that you said you have a windows pc - it is not obvious how to shut down WINS in windows - and a nas - which usually have WINS enabled. in windows you can easily shutdown the possibility that this system becomes the server ( called the "master browser" ) by stopping and disabling the "computer browser" service. the WINS client service is part of the "server" service which can't be stopped without running into all kinds of trouble.

    you mean the basic, Static DHCP/ARP/IPT page? did you enter the FULL name there? if not you might have to enter the domainname in basic, identification. remember that the domain line in the dnsmasq config is a DHCP thing and only gives the client a second chance ( in windows: if in the adapter ipv4 properties, advanced, dns, append primary and .... is ticked ). your full dnsmasq configuration is a text file: /etc/dnsmasq.conf. it is generated upon boot or when you click save, so there is no use in editing it, but you can use a ssh session or a windows tool like winscp.

    keeping clear-on-reload is your choice, but while experimenting with dnsmasq i strongly suggest that you enable it. remember that it clears the cache upon boot - at that time the cache is empty anyway - and on clicking save - why would you do that in normal use? - so i think the pros outweigh the cons, but it's your ballgame.

    fi? sorry, it means for instance, i thought it was a regular expression, but i am not a native speaker.

    OK client B. the client starts with the config you provide and can be completed by options provided by the server by means of push statements. as far as i know those replace the ones in the client config file if they conflict. one exception: you may have up to 2 dhcp-option DNS lines in your running config.
    remember in post #16 i rebuilt your server config and that showed the line: push "dhcp-option DNS <your dnsmasq server>". so which 2 of the 3 prevail: <your dnsmasq server>, 8.8.8.8 or 8.8.4.4?
    only the first has knowledge of your internal network, the second and third not, so they can't answer, and that failure is cached too.
    to remedy this you have to get rid of the dhcp-option DNS lines in your client config to make it work, although the tick in "Intercept DNS port" might intercept the queries to 8.8.8.8 and 8.8.4.4 and divert them to your dnsmasq server. the key to routing all traffic through the tunnel is the redirect-gateway def1 line.
     
    Last edited: Oct 20, 2017
    Nazgulled likes this.
  26. Nazgulled

    Nazgulled Reformed Router Member

    I will stop it on OpenMediaVault at least.

    No, I only entered the hostname and I removed the domain name from Basic » Identification as per the recommendations on this thread.

    I don't want to edit, just want to read and learn from the full configuration generated by Tomato.

    I'll leave it on while testing changes to dnsmasq configuration and remove it when it's all done.

    I'm not one either and never heard of that expression :)

    I understand that the redirect-gateway def1 line is the most important one to redirect all traffic through the tunnel, but I'm still not sure about the exact options I need to add to Client B to redirect all DNS queries through the tunnel too, while having Client A just accessing the internal network hosts and nothing else.
     
  27. Nazgulled

    Nazgulled Reformed Router Member

    I've been experimenting with dnsmasq, reading documentation and whatnot and I believe I now have the configuration I need for all my VPN clients. I thank you very much for your time @PetervdM, thanks for bearing with me :)
     
  28. PetervdM

    PetervdM Network Guru Member

    i read the other thread, and value the knowledge of @Sean B. very much, but in his #4 post he confines the validity of the domain to 192.168.x.0 - he didn't know about your vpn yet - while your tun address has another ip subnet, @Monk E. Boy addressed that part in post #6. he also wasn't very clear that the domain line in the config is an option for the dhcp part of dnsmasq, giving the DNS CLIENTS the possibility to query the full name by appending the domain name to the query when the short name is entered. contrary to what he states in post #7 it is a dns client thing, not a dnsmasq server thing. the problem is you never can be sure when you enter the short name. if fi the windows system is a server, it is likely to have a fixed ip address and it might, or might not have the same domain name configured in its setup as your client system has received by dhcp. always presume WINS running, and in an apple environment bonjour too. querying a short name may result in them answering first. so the only way to be sure in all circumstances is to always use the full name ( FQDN ) in queries, especially when testing. if the full name works, test the shortname, AFTER clearing the cache!

    the only thing you need for client B to work is to get rid of the push "dhcp-option DNS x.x.x.x" lines, anyhow, anyway! however there are some optimisations and safeguards you can add to the ( windows ) client B config:
    • block-outside-dns ; self explanatory, also handy if you can't get rid of those lines,
    • register-dns ; to clear the global dns cache of the client system after creating the tunnel,
     
  29. Nazgulled

    Nazgulled Reformed Router Member

    I'm still not sure if I should make any other change based on post #6...

    I don't intend to ever use the short name, only the full name :)

    Will take all that into consideration.
     
  30. Sean B.

    Sean B. LI Guru Member

    Correct. I wasn't aware of the VPN.

    Incorrect, it's very much a server thing. Quote from the dnsmasq man page:

    As I had stated in the post, the config line I provided @Nazgulled creates DNS records for forward and reverse queries ( they will resolve for both single label hostnames as well as hostname.domain.com ) , sends the domain in the DHCP exchange, and prevents forwarding of any queries for said domain to upstream servers. It is not for setting DHCP option of domain de-evolution ( whether or not clients will break down fqdn's to single label names etc ), domain search list, dynamic update, or any others ( other than sending the domain itself, obviously ). To set options would be a dhcp-option line, for example:

    Code:
    dhcp-option=tag:br0,option:dns-server,1.2.3.4
    Would change the DNS server sent by dnsmasq in the DHCP exchange from the default ( The IP of the machine dnsmasq is running on ) to 1.2.3.4 .

    The only part of DHCP my config line is related to is that it will create those DNS records automatically for any host which has obtained a DHCP lease from dnsmasq, and sending the domain itself.
     
    Last edited: Oct 20, 2017
    Nazgulled likes this.
  31. PetervdM

    PetervdM Network Guru Member

    @Sean B.
    as a test i edited the domain line in my config with an alternate domain name , started wireshark and did a dhcp request. the alternate domain name shows up as option #15 in the dhcp ack, and is shown as connection-specific dns suffix in ipconfig. on a WINS free system the query of a non-existent shortname is first expanded to the full name with the system provided domain name, which obviously fails. next the shortname is expanded with the dhcp provided domain name, which of course also fails.
    the domain line has server side effects as you state and quoted from the manual, but i was in this case more interested in the client side effect, because it works at the source of the request. i should have worded it that way.

    as i stated earlier, using shortnames only is not a good habit for reasons mentioned earlier.
     
  32. Sean B.

    Sean B. LI Guru Member

    I'm not following what you're getting at:

    1: Yes, the domain config line sends the domain in the DHCP exchange as I have stated. Are you saying that somehow makes it a client only line even though hosts file and DNS records are all on the server?

    2: WINS is not DNS, it's NetBIOS, and completely unrelated to what that domain line does. So not following what that's about.

    3. The DNS query examples you gave would have resolved properly with the domain config line in place, so not sure what's with the fails either. You are sending the DNS queries to dnsmasq, right? As it should go without saying, this is a local configuration and DNS queries for said domain will fail if sent to anywhere other than the IP for dnsmasq which has the config line. Hence, clients must be configured to use dnsmasq as their primary DNS server either via DHCP or static manual configuration.


    ***EDIT*** Perhaps you're referring to single label names and their use in a multihomed environment? In which case setting the "dhcp-fqdn" flag in the dnsmasq config would prevent any conflicts.
     
    Last edited: Oct 20, 2017
  33. PetervdM

    PetervdM Network Guru Member

    this is about the ts computing environment and the use of a shortname for name resolution.
    as he also has a windows pc and a nas in his network it is almost certain that there is also a wins server or master browser present in the network. in fact he acknowledged having a wins server on the nas, and even tomato has a wins server and master browser as part of the samba package, though not activated by default.

    if on the windows pc implicit name resolution is required, fi by "ping laptop", the short name "laptop" has to be resolved into an ip address. if the shortname is not the pc hostname, and it is not in the hosts file and it is not in the netbios cache, then in a standard windows configuration the pc will try to resolve this shortname by a netbios broadcast. if this isn't successful the system domain name will be appended and the configured dns server queried. if this isn't successful either, the connection specific domain name provided by dhcp is appended and the configured dns server queried.
    appending the domain names is necessary because the dns protocol requires a fully qualified domain name as input for an "A" query, the short name is not sufficient and never sent in a dns query by its own. so back to your quote of the manual: the reason "laptop" is resolved is not an action of dnsmasq appending the domain name "thekelleys.org.uk" internally within the dnsmasq server, but of the windows pc dns client appending the connection specific domain name supplied by dnsmasq dhcp before sending the query to the dnsmasq dns server. hence my remark that it is more a client thing.

    in the ts environment using short names for name resolution can lead to unpredictable results. you never know whether the netbios environment is consistent with the dns environment.
     
  34. Sean B.

    Sean B. LI Guru Member

    I believe I see where the confusion is here. With DNS in a global environment, you're correct. However dnsmasq is designed for local, often smaller networks as well as having the capability to be delegated global authoritative zones. It will resolve shortnames. Here's the hosts file from my dnsmasq without a domain:

    Code:
    127.0.0.1  localhost
    192.168.1.1  Storage Storage-lan
    192.168.2.1  Storage-lan1
    ::1  localhost
    2601:1c0:xxxx:xxxx::1  Storage
    If I was running a domain, dnsmasq would still resolve those single label names the same way. However, it would internally append the domain part to those single label names if a query came in, for instance, as storage.home.lan. Whether Windows appends the adapter suffix to a domain or not is irrelevant to the configuration, because either single label names or fqdn will resolve correctly. Give it a shot with wireshark.. do nslookup for single name and watch the query hit dnsmasq and receive a response. Same with the fqdn.

    Here is the description for the dhcp-fqdn flag I mentioned before. This would be used if the functionality of resolving single label names would be a conflict. This also clearly shows that dnsmasq and the DNS protocol do resolve single label names:

    Note it specifically states "inserts unqualified names of DHCP clients into the DNS".

    And this line: "To ensure that all names have a domain part, there must be at least --domain without an address specified when --dhcp-fqdn is set." shows that the domain part will be internally added by dnsmasq even if the host computer does not do it itself.

    Hopefully this clearly addresses your points.

    P.S: By default, NetBIOS is only used for hostname resolution if DNS resolution fails. Your concern of conflicting NetBIOS vs DNS addressing is outdated. This used to be the case back when NetBIOS ( aka netBEUI ) was much more prevalent and DNS was still unreliable. Quote from Microsoft technet:

     
    Last edited: Oct 21, 2017
  35. Sean B.

    Sean B. LI Guru Member

    @Nazgulled , this concept here is very simple. The configuration I gave you in the other thread is correct and valid for your use case. In order to have the same functionality from it over a VPN, all that needs to be done is extend the netmask for your domain= config line to include the subnet you've configured the VPN to use. Then the VPN clients simply need to obtain their VPN IP address via DHCP from the dnsmasq router. This will add their hostnames to the nazgulled.home domain as well as configure the clients to use dnsmasq as their DNS server.

    **NOTE**: To provide a more descriptive explanation on the change to the domain= line:
    If your VPN uses an IP range within the same block as your LAN (IE: LAN=192.168.1.x / VPN=192.168.5.x ) then changing the netmask for the domain= line from 192.168.1.0/24 to 192.168.0.0/16 would be all that's needed. However, if the VPN IP range is not within the same block as your LAN (IE: LAN=192.168.1.x / VPN=10.1.10.x ) then one of two changes need to be done.

    A: the domain= line accepts multiple addresses. However, I'm not positive it accepts multiple address/netmask combinations. So you could try changing the line to: domain=nazgulled.home,192.168.1.0/24,10.1.10.0/24,local and see if it's accepted. If not, dnsmasq will get pissed off and you'll see tons of errors in the system log.

    B: Add a duplicate domain= line for the 10.1.10.0/24 range.

    If using a subnet of the LAN address block, and hosting the VPN on the dnsmasq router then this is a quick and basic change to have it work. If using a different address block than your LAN and/or hosting the VPN via a remote server.. it will be tricky, if at all doable, to have the hosts dynamically added to dnsmasq for your domain. It may very well require you to manually add them via host lines.
    Last edited: Oct 21, 2017
    Nazgulled likes this.
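To make the subnet-scoped `domain=` behaviour discussed in this post concrete, here is an added Python example (not code from the thread or from dnsmasq) that parses a constructed set of `domain=<name>,<range>[,local]` lines and reports which domain a DHCP client at a given address would be placed in. It models only the `name,CIDR,local` form of the option; the start/end address form and other dnsmasq options are deliberately left out, and the `nazgulled.home`, `192.168.1.0/24` and `10.1.10.0/24` values are the illustrative ones from the post, not a live configuration.

```python
import ipaddress

# Constructed sample config (assumption: the illustrative values from the post,
# with option B applied, i.e. a second domain= line for the 10.1.10.0/24 range).
SAMPLE_CONFIG = """\
# dnsmasq custom configuration (constructed sample)
domain=nazgulled.home,192.168.1.0/24,local
domain=nazgulled.home,10.1.10.0/24,local
domain-needed
bogus-priv
"""


def parse_domain_lines(config_text):
    """Return a list of (domain, network, is_local) tuples from domain= lines.

    Only the domain=<name>[,<CIDR>[,local]] shape is modelled here, which is
    enough to reason about which DHCP clients fall into which domain.
    A bare domain=<name> (no range) is recorded with network None.
    """
    entries = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("domain=") or line.startswith("#"):
            continue
        fields = line[len("domain="):].split(",")
        name = fields[0]
        net = None
        is_local = False
        if len(fields) > 1 and fields[1] != "local":
            # strict=False tolerates host bits in the written address
            net = ipaddress.ip_network(fields[1], strict=False)
        if len(fields) > 1 and fields[-1] == "local":
            is_local = True
        entries.append((name, net, is_local))
    return entries


def domain_for_client(client_ip, entries):
    """Pick the domain a DHCP client at client_ip would be assigned to.

    Range-scoped entries take priority over an unscoped default entry.
    Returns None when no entry covers the address, which is exactly the
    situation the post describes for a VPN range outside every configured
    subnet: the client's hostname never becomes part of the domain.
    """
    ip = ipaddress.ip_address(client_ip)
    default = None
    for name, net, _is_local in entries:
        if net is None:
            default = default or name
        elif ip in net:
            return name
    return default


def fqdn_for_client(hostname, client_ip, entries):
    """Return the FQDN dnsmasq would know the client by, or None if uncovered."""
    domain = domain_for_client(client_ip, entries)
    return f"{hostname}.{domain}" if domain else None


if __name__ == "__main__":
    entries = parse_domain_lines(SAMPLE_CONFIG)
    for ip in ("192.168.1.50", "10.1.10.7", "172.16.0.9"):
        print(ip, "->", fqdn_for_client("box", ip, entries))
```

Running it shows a LAN client and a VPN client both landing in `nazgulled.home` once the second `domain=` line is present, while an address in an uncovered range (172.16.0.9 in the sample) gets no domain at all; swapping the two lines for a single `192.168.0.0/16` entry covers a 192.168.5.x VPN range but not a 10.1.10.x one, which is the distinction the post draws.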
  36. PetervdM

    PetervdM Network Guru Member

    I did so, and several other scenarios involving every day applications like web browsers ( IE, edge and chrome ), and activated both wireshark and dnsmasq logging. bottom line: on a windows system ( win 7 and win 10 ) the single name is never sent to dnsmasq unless I use a dns test tool, and that tool doesn't retry by appending the domain name. even nslookup appends the domain name prior to sending the single name query.
    of the 3 web browsers on my android 7 phone, one - ghostery - doesn't accept a single name and turns it into a search engine query. the other two send the full name first, and only send the single name when full name resolving is not successful. only a network tool sends the single name and doesn't append the domain name either.

    so yes, you are right that a single name can be sent to the dnsmasq server, but not by means of common applications. they probably query the os for name resolution, not specific for dns.
  37. Sean B.

    Sean B. LI Guru Member


    Let's just agree to disagree then.
    Last edited: Oct 22, 2017
  38. Nazgulled

    Nazgulled Reformed Router Member

    There's one thing I don't get. Without the extra configuration for the VPN, it was already working most of the time. Sometimes it took a bit of time to get a result from pinging one of those FQDN but most of the time I believe it worked just fine.

    Anyway...

    Changed to domain=home,192.168.0.0/24,10.8.0.0/24,local but it didn't work (as you guessed, a bunch of errors).

    Added domain=home,10.8.0.0/24,local instead and this one worked. But I don't see much of a difference with and without that line. Am I getting this wrong?
  39. Sean B.

    Sean B. LI Guru Member

    What do you mean by working? In order for the clients on the remote end of the VPN to resolve hostnames and/or fqdn's of clients on the local ( the tomato router ) end, all that need happen is the remote clients use the tomato router as their DNS server, which they likely were already.. but possibly as a secondary. Including the remote hosts into the domain and dnsmasq's known hostname/fqdn records takes a bit more.
  40. Nazgulled

    Nazgulled Reformed Router Member

    @Sean B.

    This is my current configuration:

    Code:
    domain=home,192.168.0.0/24,local
    domain-needed
    bogus-priv
    
    cname=homepage.dev.nazbox.home,nazbox.home
    My VPN subnet/netmask is configured as 10.8.0.0/255.255.255.0 but as you can see there's no domain=home,10.8.0.0/24,local line on my configuration. But everything seems to be working, check screenshot.

  41. Sean B.

    Sean B. LI Guru Member

    I don't follow. The screenshot shows a ping to shield.home at the IP of 192.168.0.95, which doesn't relate to the domain=home,10.x line. Shield.home is within the network range of the domain=home,192.x line. I assume you're sending that ping from a 10.x VPN host, if so then you have the concept backwards. As I stated before, in order for hosts on the 10.x VPN to resolve fqdns of hosts that are on the 192.x LAN all they need to do is use the dnsmasq router as a DNS server.. which they apparently are. The added domain line is not needed for this. That line is for the other way around, for hosts on the 10.x LAN to have their hostnames included into the home domain. IE: a host on the 10.x VPN has the hostname box, a host on the 192.x LAN trying to ping box.home.. DNS will not resolve. Also, unless your VPN is configured so the 10.x hosts receive a DHCP lease from the dnsmasq router, they would require hosts lines in the dnsmasq config to be resolvable as well.
  42. Nazgulled

    Nazgulled Reformed Router Member

    I might be a little confused by all this but in simple terms this is what I want:

    I have a box with the "shield" hostname in the "home" LAN with a static IP of 192.168.0.95. My VPN server is set up so that all clients get an IP on the 10.8.0.0/255.255.255.0. When I connect a client to the VPN, I want to be able to access the shield box by the "shield.home" hostname. That's it.

    This is effectively working with the configuration I mentioned on my previous post.
  43. Sean B.

    Sean B. LI Guru Member

    That functionality is not related to the domain config lines. It comes from either A: your VPN clients are sending their DNS queries to the Tomato router which knows the fqdns for your LAN clients. Or B: multicast name resolution works over a VPN tunnel and the hosts are learning each other. Either way, sounds like it's functioning as you want it to.
    Nazgulled likes this.
  44. Nazgulled

    Nazgulled Reformed Router Member

    Yes, everything seems to be working as I want it :)

    Thanks everyone for your time.