
DNS queries over openvpn (site-to-site)

Discussion in 'Tomato Firmware' started by rs232, Apr 23, 2014.

  1. rs232

    rs232 Network Guru Member

    No questions in this thread, just a little howto + explanation.
    I'll start this post all the way around: with the solution first

    To be able to run DNS queries between two or more vpn sites you need to add the tunnel interfaces in the dnsmasq configuration.

    coupled with the server directive to direct the queries:

    DNSMASQ site1:

    DNSMASQ site2:

    This allows the DNS delegation to work properly. e.g. You can run an nslookup on site1 LAN (192.168.1.x) like
    nslookup dell-laptop.site2.localdomain
    and get as an answer the IP address of the dell-laptop host sitting on site2 (192.168.2.x)

    now my points:

    1) The above commands allow the tunnel interfaces to be queried, without specifying the tunnel interfaces it does not work.

    2) Or better: it works client towards server if the "Respond to DNS" flag has been set on the GUI. It doesn't in the opposite direction though.

    3) It appears that this "Respond to DNS" flag adds the tunnel interface in the dnsmasq config file (/etc/dnsmasq.conf) e.g.
    interface=tun21. Achieving:
    a) dnsmasq to listen to that tunnel interface
    b) add a rule to the iptables to allow dns traffic in input
    4) I have enabled "log-queries" on both devices and I can see that, running a query from LAN1 (linux client) to ask the IP of a host on LAN2 (using FQDN), the site2 tomato receives this very same query from the tunnel IP of tomato1, even though NAT is not enabled on the tunnel. Why is this happening? It's the DNS caching: the LAN client asks tomato, tomato asks wherever it knows (the tunnel interface is the closest destination to LAN2).

    I just wanted to share my afternoon of investigation and my findings in case somebody else gets stuck with this configuration.
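The dnsmasq directives the post describes (listen on the tunnel interface, forward the other site's domain over the tunnel), as an added example that is not rs232's own config from the thread. It generates the lines to paste into each site's dnsmasq custom configuration, and goes slightly beyond the post by also forwarding the matching reverse (in-addr.arpa) zone so reverse lookups cross the tunnel too. Everything about the tunnel itself is assumed, not taken from the post: 10.8.0.0/24 with 10.8.0.1 on the site1 OpenVPN server (tun21) and 10.8.0.2 on the site2 OpenVPN client (tun11); the domains site1.localdomain / site2.localdomain and LANs 192.168.1.0/24 / 192.168.2.0/24 follow the post.

```shell
#!/bin/sh
# Added example (not from the forum post): build the dnsmasq custom-config
# lines each Tomato site needs so that the other site's domain is resolved
# over the OpenVPN tunnel, plus the firewall rules for the side where the
# "Respond to DNS" GUI flag does not add them.
#
# Assumed, not stated in the post: tunnel 10.8.0.0/24, site1 = 10.8.0.1 on
# tun21 (OpenVPN server), site2 = 10.8.0.2 on tun11 (OpenVPN client).

# rev_arpa 192.168.2.0/24 -> 2.168.192.in-addr.arpa
# Only /8, /16 and /24 are handled, which covers the usual LAN subnets.
rev_arpa() {
    ip=${1%/*}
    plen=${1#*/}
    o1=${ip%%.*}; rest=${ip#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}
    case $plen in
        8)  printf '%s.in-addr.arpa\n' "$o1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$o2" "$o1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$o3" "$o2" "$o1" ;;
        *)  echo "rev_arpa: unsupported prefix length '$plen'" >&2; return 1 ;;
    esac
}

# site_conf TUN_IF REMOTE_DOMAIN REMOTE_TUN_IP REMOTE_LAN_CIDR
# Prints the directives for one site:
#   interface=TUN_IF           dnsmasq listens on the tunnel, so the peer can query it
#   server=/domain/ip          queries for the peer's domain go to the peer over the tunnel
#   server=/x.in-addr.arpa/ip  the peer's reverse zone is delegated the same way
site_conf() {
    tun_if=$1; rdomain=$2; rdns=$3; rlan=$4
    rarpa=$(rev_arpa "$rlan") || return 1
    printf 'interface=%s\n' "$tun_if"
    printf 'server=/%s/%s\n' "$rdomain" "$rdns"
    printf 'server=/%s/%s\n' "$rarpa" "$rdns"
}

# has_interface CONF_TEXT TUN_IF -> success if the tunnel is already listed
# (the post's point 1/3: without this line the peer's queries are ignored).
has_interface() {
    printf '%s\n' "$1" | grep -qx "interface=$2"
}

# fw_rules TUN_IF: accept DNS arriving over the tunnel (post, point 3b); for
# the Tomato firewall script on the side where the GUI does not add it.
fw_rules() {
    printf 'iptables -I INPUT -i %s -p udp --dport 53 -j ACCEPT\n' "$1"
    printf 'iptables -I INPUT -i %s -p tcp --dport 53 -j ACCEPT\n' "$1"
}

# Usage: print both sites' fragments.
echo "# site1 (OpenVPN server, tun21) dnsmasq custom configuration:"
site_conf tun21 site2.localdomain 10.8.0.2 192.168.2.0/24
echo "# site2 (OpenVPN client, tun11) dnsmasq custom configuration:"
site_conf tun11 site1.localdomain 10.8.0.1 192.168.1.0/24
echo "# site2 firewall script (if the GUI flag did not open port 53 on tun11):"
fw_rules tun11
```

Because the rule only accepts port 53 on the tunnel interface, the resolver stays unreachable from the WAN; after pasting the lines, `nslookup dell-laptop.site2.localdomain` from a site1 LAN host should be answered, and with `log-queries` enabled on site2 the query shows up as coming from 10.8.0.1, exactly as the post observes.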

  2. tekbuster

    tekbuster Network Newbie Member

    This post helped me with a problem that I had for over a week.

    Thanks for "unrequested" help!!!
