Internal DNS Server

Discussion in 'Tomato Firmware' started by bdf0506, Aug 28, 2014.

  1. bdf0506

    bdf0506 Serious Server Member

    I'm trying to setup an internal DNS server, which is a standalone server on my network. I can get it to work fine when I manually point clients to it, but Tomato won't really acknowledge it for extended periods. I have the DNS server in my man set as the static DNS. I can check the box "use internal DNS" and save and tomato will use my internal DNS server for about 30 seconds, but then the setting will revert. The checkbox is then unchecked, almost as if there is a script that runs to revert the setting within a minute of saving.

    I still have tomato handling dhcp functions and I have reserved IP addresses for most clients on my LAN. Any help would be appreciated!
  2. koitsu

    koitsu Network Guru Member

    I'm not completely sure what your issue is (well, aside from the "it works for 30 seconds and then stops working" part -- strange, but let's get to that eventually), so here's my anecdotal experience:

    I run two both caching and authoritative DNS servers on my LAN:

    * master -- ISC BIND (named) running on on a FreeBSD box with (obviously) a static IP address (
    * slave -- ISC BIND (named) running on my RT-N66U router with (obviously) a static IP address (

    And when I say static, I mean truly hard-coded static, not "static DHCP".

    To get ISC BIND on the RT-N66U, I use Entware with packages bind-server, bind-tools, and bind-nslookup.

    I'll spare you the named.conf details because it's very simple: the master is configured to know the root zone (ex. "."), and 2 other zones for my home LAN: "home.lan" and "" (for reverse DNS). The master is configured to allow AXFRs (zone transfers) from Notifies are enabled on the master (notify yes globally and also-notify {; }; per-zone (I could omit this if my zones had NS records that pointed to both servers, maybe I'll fix that eventually)), but disabled on the slave (notify no globally, since the slave shouldn't be sending notifies), so that if I make a change to a zone on the master, the slave gets it immediately.

    On the client side (e.g. desktop PCs, laptops, mobile phone, etc.) I use DHCP exclusively. 90% of the devices have static mappings (IP-to-MAC) so they always get the same IP (makes port forwarding entries reliable).

    I happen to use ISC's DHCP server on just because it's the daemon I prefer/like, but I'm absolutely certain this is doable using dnsmasq on TomatoUSB.

    The DHCP server is configured so that clients get two DNS servers to use: and (and in that order!).

    The idea here is that is the primary DNS server for clients, so they can do recursive lookups (e.g. Internet queries) and the DNS server will cache the results, as well as do lookups for anything in the home.lan domain and get back a result (ex. workstation.home.lan. IN A, and the same goes for reverse DNS (ex. IN PTR workstation.home.lan.), and that can act as a secondary DNS server if the primary is down (such as when I do maintenance on my FreeBSD box) -- otherwise without the secondary, I have to manually configure DNS servers on each client while my FreeBSD box is offline. (I operated like that for years until I realised Entware had ISC BIND available).

    Now, finally, for the TomatoUSB router itself (as a client): under Basic / Network, I set Static DNS to That way if any programs on the router itself try to do DNS, they'll use the FreeBSD box as a DNS server. /etc/resolv.conf on the router contains nameserver which is all that's needed.

    All this works reliably. I only have a couple configuration issues I need to fix (mainly shutting off dnsmasq entirely; it still binds to INADDR_ANY for TCP and UDP ports 53, while named does the same but for and, yet there isn't any bind(2) call conflict -- I find that very suspicious. I need to disable dnsmasq entirely to be safe...)
  3. Siff

    Siff Serious Server Member

    @bdf0506: Which Tomato build are you using? Shibby's build 119 (and probably some of the earlier builds) has an issue with the DNS settings page, which might be the reason why your settings are "reverted". This is fixed in build 120, so if you are using 119 or earlier, I would suggest upgrading to 120 or 121.

    Hope this helps.
  4. bdf0506

    bdf0506 Serious Server Member

    @Siff : I'm actually using AdvancedTomato which is based off of Shibby build 120. After further testing, it seems like the settings take, they get written into NVRAM, and then the gui just shows them as blank. I'll probably need to upgrade to a version that uses 121 to eliminate the errors that I'm seeing on the GUI.

    @koitsu : Thanks for such a detailed response. What I really want to happen is to have the tomato router to serve all DHCP functions, but send all DNS functions to this other server. I think I actually figured out what I needed to do. I added the following option to dnsmasq custom config:

    This was then written to "dnsmasq_custom" in nvram. .1 is my router, and .10 is my DNS server. By adding that, my clients all pickup my static DNS by default in their configurations, while still recognizing .1 as the router. Previously, my clients were only picking up the .1 as the DNS. I did try to set it at first as tag:br0,3, but when I did that, the clients kept thinking that .10 was the gateway, when in fact .1 was. I'm still unsure what the 3 actually resembles though.

    I believe this will work without much issue, unless there is something about dnsmasq that I don't know that would cause this not to work correctly.
  5. koitsu

    koitsu Network Guru Member

    The "3" refers to DHCP option 3, which is the list of routers. Whoever wrote that should be ashamed -- dnsmasq understands DHCP options by name. Why so many people don't use this I do not understand (it's a recurring sore point and maybe I'm just OCD about it, but it's ridiculous to use arbitrary numbers when it comes to such key software). To get a list of dnsmasq DHCP option names, use dnsmasq --help dhcp (this is not a typo!) from the command line. Here's the list as of this writing:

    root@gw:/tmp/home/root# dnsmasq --help dhcp
    Known DHCP options:
      1 netmask
      2 time-offset
      3 router
      6 dns-server
      7 log-server
      9 lpr-server
    13 boot-file-size
    15 domain-name
    16 swap-server
    17 root-path
    18 extension-path
    19 ip-forward-enable
    20 non-local-source-routing
    21 policy-filter
    22 max-datagram-reassembly
    23 default-ttl
    26 mtu
    27 all-subnets-local
    31 router-discovery
    32 router-solicitation
    33 static-route
    34 trailer-encapsulation
    35 arp-timeout
    36 ethernet-encap
    37 tcp-ttl
    38 tcp-keepalive
    40 nis-domain
    41 nis-server
    42 ntp-server
    44 netbios-ns
    45 netbios-dd
    46 netbios-nodetype
    47 netbios-scope
    48 x-windows-fs
    49 x-windows-dm
    60 vendor-class
    64 nis+-domain
    65 nis+-server
    66 tftp-server
    67 bootfile-name
    68 mobile-ip-home
    69 smtp-server
    70 pop3-server
    71 nntp-server
    74 irc-server
    77 user-class
    93 client-arch
    94 client-interface-id
    97 client-machine-id
    119 domain-search
    120 sip-server
    121 classless-static-route
    125 vendor-id-encap
    255 server-ip-address
    Thus, you can replace that line with this (I think you omitted the dhcp-option part of it so I've added it):

    Which is a heck of a lot more clear.

    Note to anyone reading this: before tinkering around with these, make sure you read 1) the actual DHCP options list (RFCs, etc.) to ensure that you're setting the right DHCP option, and 2) that you examine the "router default" settings in /etc/dnsmasq.conf, as any you add to the dnsmasq Custom Configuration section of the GUI will get appended to that list. Having two lines of the same thing may confuse dnsmasq (it might take the most recent line as what to apply, but I'm not sure).

    So for example if you wanted to delegate a list of NTP servers to your clients (assuming their DHCP clients use this information), you could do this:

    Likewise, to delegate a list of DNS servers to your clients, you can use this:

    For these particular options, by the way, you should use IP addresses, not FQDNs (hostnames).

    For details of the syntax, see the dnsmasq documentation (search for dhcp-option). You do not need to specify the -- (hyphen-hyphen) on the front of flags when entering things into the dnsmasq Custom Configuration part of the GUI, i.e. use dhcp-option not --dhcp-option.

    You already understand how the tag stuff works so I don't need to talk about it here.
    Last edited: Aug 29, 2014
  6. bjd223

    bjd223 Reformed Router Member

    Doesn't "use internal DNS" mean internal to the router, IE Dnsmasq. The way you mention it, it sounds like you are saying "use internal DNS (server to the LAN, not external over internet)". If you DO NOT want the router caching DNS at all you should uncheck that box.

    I run a Server 2012R2 DC/DNS server and I have "Use internal DNS" unchecked, I added my DNS server to DNS under Basic > Network. I have and defined (Third spot is

    I also have strict-order added to my Dnsmasq custom configuration (could be added by default in your build, not sure) so it enforces DNS lookups in the order specified. By default it will set the primary as which ever responds first when the router is rebooted (which will almost always be your internal server, but who knows).

    I added as a backup incase I need to reboot my server, I don't want DNS requests to fail. All requests that go over will be un-cached. I don't run 2 DNS servers for redundancy, which is recommended but obviously you need another computer for that.

    If you enable "use internal DNS" your router will start caching DNS, which is fine but if you have defined and an issue happens with your internal DNS server, those results could get cached on the router. This doesn't really matter, unless you are running Active Directory with a real domain name that you own, that has an external web IP.

    Anyway I was having issues with "Intercept DNS port (UDP 53)" checked, as I think some kind of DNS loop was occurring. So I would uncheck that.

    After everything make sure to flushdns then release & renew on each of the clients. Rebooting doesn't hurt either.

    I can verify that this is working well, because Active Directory is working fine, which relies on DNS working correctly to function.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice