
Make dnsmasq respond to internet lookups

Discussion in 'Tomato Firmware' started by andsens, May 20, 2009.

  1. andsens

    andsens Addicted to LI Member

    Hi everybody, I'm new in the forum but have been following some threads for quite some time.
    Using SgtPepperKSU's mod for VPN, nice job btw! :thumbup:
    I have started using an openID from myopenid.com, they offer to register your own host name with them so you can have a login name like username.yourowndomain.com (anders.ingemann.de in my case) instead of username.myopenid.com, which I think is pretty cool.
    In order for this to work, they require you to point the CNAME record of *.ingemann.de at myopenid.com.

    However, I already have anders.ingemann.de pointing to my router (and some other subdomains pointing elsewhere). But I do want anders.ingemann.de to be my username.
    Currently anders.ingemann.de is simply pointing at my router with an A record.
    What I thought of was the following:
    Set the NS record of anders.ingemann.de to be the hostname of my dsl connection.
    Port forward UDP 53 on my router to my router's internal IP address; this way dnsmasq should respond to external DNS requests.
    This way I can add some SRV records specifically for:
    VPN, which can still point to the router
    web, which will have to point at myopenid.com, in order for my account to work

    Additionally, I thought I would be able to add my internal network hostnames with the same external ip address. This way I could still access my internal web, ftp, etc. server. (Like say andersmacosx.anders.ingemann.de. If that were to be looked up, I could return the external IP, but no SRV records. So every request would go to the router.)

    However! I can't reach the dnsmasq server from the outside! It simply does not respond, not with traceroute, nslookup or anything!
    Another question is: Is this actually doable, have I missed something here? :confused:
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You'll need to tell dnsmasq to listen to the WAN interface (probably vlan1). Add the following to your Dnsmasq custom configuration (Advanced->DHCP/DNS):
    Also, you don't want to do a port forward. Instead, just put the following in your firewall script (Administration->scripts):
    iptables -I INPUT -i vlan1 -p udp --dport 53 -j ACCEPT
    I just tried it, and it worked :smile:
  3. andsens

    andsens Addicted to LI Member

    W0000T it works, awesome!!! Thx!
    Now I simply gotta find out how to configure the rest of dnsmasq :biggrin: (gotta love man pages)
    I will post my findings here when and if I reach my goal.
  4. andsens

    andsens Addicted to LI Member

    Alright, this is quite a bump in the road.
    I need dnsmasq to respond differently whether a request comes from the outside or the inside.
    This means:
    Return external ip A records on external hostname requests (like andersmacosx.anders.ingemann.de)
    Return internal ip A records on internal hostname requests

    Is this even possible without running two instances of dnsmasq?
    oh, btw: The SRV is cool, but support sucks! Not one browser for example really uses the directive.
    They've been talking about it over at mozilla dev for 10 years now... link

    EDIT: Found a nice list of services you can specify btw http://www.dns-sd.org/ServiceTypes.html
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I was wondering what kind of dnsmasq-fu you were planning on pulling off to do that :wink:. I think you'd need two instances (but that's doable).

    However, I think I would just carve off a sub-domain for the openid (I've considered doing this myself before, but I haven't run across enough sites I wanted to use OpenID on...) such as openid.ingemann.de or openid.anders.ingemann.de. Or, alternatively, for the router (eg, router.ingemann.de or home.ingemann.de).

    At least in my case, relying on the ISP-assigned DNS name not ever changing sounds like trouble waiting to happen. If it were to change, you'd have to manually change it with your domain registrar, and everything would fail until you do. Maybe that's relevant for you, though.

    Following the off-topic: I use SRV records for xmpp-client and xmpp-server, but I'd never seen the complete list of registered services! Some of them are rather intriguing (by the way, I don't see VPN listed anywhere in there). Though, alas, it requires clients and servers to actually use them before they become useful (decent Jabber clients/servers do use them).
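    As an added illustration (not code from this thread, from dnsmasq or from Tomato), the behaviour andsens asks for in post 4 and the WAN exposure from post 2, modelled as a tiny authoritative responder: LAN sources get the internal A record, WAN sources the router's external address, and any name outside the zone is REFUSED rather than recursed, so the UDP 53 opened on vlan1 does not turn the router into an open resolver. The zone, hostnames and addresses are constructed sample values; in dnsmasq terms this still needs the two instances SgtPepperKSU mentions, the code only models the decision each one makes.

```python
import ipaddress
import struct
# Constructed sample data (not the thread's real addresses): the zone the router is
# authoritative for, the LAN prefix, and each host's (internal, external) A record.
ZONE = "anders.ingemann.de."
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
HOSTS = {"anders.ingemann.de.": ("192.168.1.1", "203.0.113.7"),
         "andersmacosx.anders.ingemann.de.": ("192.168.1.10", "203.0.113.7")}
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5

def encode_name(name):
    """Dotted absolute name -> DNS label wire format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=1, qid=0x1234):
    """A standard client query: RD=1 (recursion desired), one question, class IN."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (qid, qname, qtype, raw question section) from a DNS query."""
    labels, pos = [], 12
    while msg[pos]:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return struct.unpack("!H", msg[:2])[0], ".".join(labels).lower() + ".", qtype, msg[12:pos + 5]

def answer(query, src_ip):
    """Split-horizon authoritative reply: LAN sources get the internal address, others the
    external one. Names outside ZONE are REFUSED, never recursed, so the WAN-facing
    listener cannot be used as an open resolver (e.g. for amplification)."""
    qid, qname, qtype, question = parse_question(query)
    if not (qname == ZONE or qname.endswith("." + ZONE)):
        rcode, rrs = REFUSED, b""
    elif qname not in HOSTS:
        rcode, rrs = NXDOMAIN, b""
    elif qtype != 1:
        rcode, rrs = NOERROR, b""            # name exists but has no record of that type
    else:
        internal, external = HOSTS[qname]
        ip = internal if ipaddress.ip_address(src_ip) in LAN_NET else external
        rcode, rrs = NOERROR, encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.ip_address(ip).packed
    flags = 0x8400 | rcode                   # QR=1, AA=1, RA=0: authoritative, recursion not offered
    return struct.pack("!HHHHHH", qid, flags, 1, 1 if rrs else 0, 0, 0) + question + rrs

def resolve(name, src_ip):
    resp = answer(build_query(name), src_ip)
    flags, _, ancount = struct.unpack("!HHH", resp[2:8])
    if flags & 0x0F == NOERROR and ancount:
        return str(ipaddress.ip_address(resp[-4:]))   # dotted A record from the reply
    return {NOERROR: "NOERROR", NXDOMAIN: "NXDOMAIN", REFUSED: "REFUSED"}[flags & 0x0F]
```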
  6. andsens

    andsens Addicted to LI Member

    Haha, yeah not really a standard config I'm aiming for there. But I'd say the idea itself is solid.
    How cool would it be to be able to have more than one instance of a service on one IP. Like http. All servers running on port 80 behind the router.
    The router then has some SRV records pointing to different external ports on the external ip which are routed to the corresponding ips on the internal net.
    Like this
    (External port 8081 is then forwarded to PC1 port 80)
    ... You get the picture
    All the necessary configuration could happen automatically I think.

    Agreed, I think I will have to admit defeat on this one. Even after pointing my openID url to myopenid.com, it still didn't work. The protocol is probably looking for other dns entries as well.

    Nope me neither, too bad. I wonder how long it'll take until the http, vpn, ftp and all the likes will get proper support in the applications for this.
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That type of situation is what really piqued my attention, too. Except I'd be happy with even a single entry: my ISP blocks port 80, so I have to give out URLs like http://subdomain.example.com:8080/... (which I forward to port 80 on the LAN, which handles several such subdomains itself). With this I could drop the :8080 and let the SRV record take care of it.
    If you're dead-set on this, it should be possible. dnsmasq is fully capable of running multiple instances bound to different interfaces.

    However, none of the SRV benefits require that the DNS server is on the router. In fact, I don't think that it even gets you anything. Everything that can be accomplished by having the DNS server on the router, can be done just as easily having the DNS records elsewhere. What were you planning on gaining by doing that? Maybe we can still address that need.

    Though, I think the easiest (and cleanest) approach would be to use openid.example.com/user or user.openid.example.com as your OpenID.
  8. andsens

    andsens Addicted to LI Member

    Regarding the port 8080 issue, I'm afraid you won't be able to do that since no browser really supports the SRV entries yet.

    The reason I wanted my router to act as a DNS was simply for the ease of configuration. My domain is currently hosted at 1and1. They don't really allow any fancy DNS settings, except CNAME, A record and a different primary nameserver.
    But you're right, the cleanest approach would be your solution.
    Thought about moving the whole domain to DynDNS, I believe they have some nice configuration options with their custom dns solution.
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Understood. This was the first time I'd seen the _http service record, and I was just relating my own "wouldn't it be nice if" moment. :)

    For what it's worth, I have my DNS records hosted at EditDNS and have found it very easy to configure, and they have a redundant server configuration. I have 16 SRV records, 9 CNAME records, 7 MX records, 3 A records with DynDNS-type updater service, 2 URL forwards, 3 NS records, and a TXT record serving as an SPF record - all for free. You might check that out. I've never noticed them going down or having any other problems.
  10. carlric

    carlric Networkin' Nut Member

    I did all the steps but it is not working for me.
    I've tried from this page: http://ping.eu/port-chk/ to port 53 but it says that it is "closed"...
    What else could be wrong?
    I have a Linksys WRT54GL with Tomato version 1.25.8025

    Thanks for your help :confused::confused::confused::confused:
