DNS lookup for domain routing through IP

Discussion in 'Tomato Firmware' started by ElementOmicron, Jun 5, 2019.

  1. ElementOmicron

    ElementOmicron Connected Client Member

    I have a computer on my network that is set up to route all traffic through it (ICS). I have this working properly and if I ping an IP it works properly. I have this in the static route table:

    Destination   Gateway        Subnet       Metric  Interface  Description
    172.0.0.0     192.168.75.2   255.0.0.0    1       LAN3       WORK

    The problem is that I want DNS to resolve through this as well for a specific domain, but I can't seem to get it working. I have the following in my dnsmasq configuration:

    #strict-order
    rebind-domain-ok=.workdomain.net
    server=/.workdomain.net/172.100.100.12
    address=/dc.workdomain.net/172.100.100.12

    What do I need to add to get it working?

    Thanks!

    EDIT: BTW here is my DNS page options in case it matters

    [image: screenshot of the DNS page options]
     
  2. Sean B.

    Sean B. Network Guru Member

    When you say ping works, did you run pings from the computer that is acting as your gateway, from a different computer on your LAN, from a shell in the router, or all of the above?
     
  3. ElementOmicron

    ElementOmicron Connected Client Member

    From a different machine on the LAN AND from the machine that is acting as the gateway. The gateway machine is on a separate VLAN as well - not sure if that matters in this case either, but regardless, yes, as long as I use IPs I can successfully navigate from LAN0 --> LAN3 gateway --> work. It's just that DNS lookups do not work.
     
  4. Sean B.

    Sean B. Network Guru Member

    Log into the router using SSH/telnet and attempt to ping a client in the 172 network.
     
  5. Sean B.

    Sean B. Network Guru Member

    Try this:

    Code:
    server=/workdomain.net/172.100.100.12@192.168.75.1|br3
    This assumes the IP address for the routers interface on LAN3 ( br3 ) is 192.168.75.1 . If not then change accordingly.
     
  6. ElementOmicron

    ElementOmicron Connected Client Member

    Hmm - that seemingly did nothing
     
  7. Malakai

    Malakai Addicted to LI Member

    Just a guess, but try this:
    server=/workdomain.net/192.168.75.2

    Also you should explain what these IP addresses are for:
    192.168.75.2
    172.100.100.12
     
  8. ElementOmicron

    ElementOmicron Connected Client Member

    Yeah, removing the period doesn't fix it either. I have the period on there because there are subdomains under workdomain.net and I read that using the period will allow for resolving in all subdomains (?).

    192.168.75.2 = The local machine with the ICS serving as the gateway to work
    172.100.100.12 = The domain controller at work serving DNS
     
  9. jerrm

    jerrm Network Guru Member

    "server=/workdomain.net/172.100.100.12" should be all that is needed.

    You don't need the leading dot (but I don't think it hurts).

    Can you talk directly to the work dns server using nslookup from router, non-gateway pc, and gateway pc?
     
  10. Sean B.

    Sean B. Network Guru Member

    Did you log into the router and try a ping as I asked in the previous post?
     
  11. ElementOmicron

    ElementOmicron Connected Client Member

    Ah sorry - didn't do that because of your other post. Just tried and I'm not able to nslookup from the router either.
    So just to recap:

    nslookup from gateway machine - works fine
    ping from gateway machine - works fine

    nslookup from router - nope
    ping from router using FQDN - nope
    ping from router using IP - works fine

    nslookup from LAN pc - nope
    ping from LAN pc using FQDN - nope
    ping from LAN pc using IP - works fine
     
  12. ElementOmicron

    ElementOmicron Connected Client Member

    Actually one other thing if I use:

    server=/workdomain.net/172.100.100.12

    then I get:
    nslookup server.workdomain.net
    Server: HomeRouter.AURORA
    Address: 192.168.1.1

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    *** Request to HomeRouter.AURORA timed-out

    If I use

    server=/workdomain.net/172.100.100.12@192.168.75.1|br3

    then I get

    *** HomeRouter.AURORA can't find server.workdomain.net: Non-existent domain
     
  13. jerrm

    jerrm Network Guru Member

    If you can't talk dns directly to the work dns server with nslookup then it is not a dnsmasq issue.
     
  14. Sean B.

    Sean B. Network Guru Member

    If pings work from the router to an IP on the work network then routing through the LAN computer is working. Can you run wireshark captures on the LAN client gateway? I would venture to guess either your LAN gateway is not forwarding the queries ( firewall blocking 53? ) or the work side DNS server is not responding to queries with a return address outside of its domain ( LAN gateway has a local IP to the work side, while the rest of your home LAN does not, unless it's NATting the traffic and not just routing as you stated ).
     
  15. jerrm

    jerrm Network Guru Member

    Can you talk DNS with nslookup to 192.168.75.2 from the router? From some quick googling it looks like ICS proxies DNS (whether it is proxying the correct DNS is a windows issue). @Malakai's "server=/workdomain.net/192.168.75.2" is likely the correct answer.

    Bottom line this is probably an ICS issue.

    Post the results of running the following from the router:
    Code:
    ping -c1 172.100.100.12
    ping -c1 192.168.75.2
    
    nslookup server.workdomain.com 172.100.100.12
    nslookup server.workdomain.com 192.168.75.2
    nslookup server.workdomain.com 127.0.0.1
    
    nslookup tinytuba.com 172.100.100.12
    nslookup tinytuba.com 192.168.75.2
    nslookup tinytuba.com 127.0.0.1
    
     
    Last edited: Jun 7, 2019
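    Added example, not code from the thread or from Tomato/dnsmasq: a small POSIX shell helper that runs the lookup matrix jerrm asked for and classifies each nslookup result the way post 12 distinguishes them (a timeout means the query was forwarded but nothing came back; "Non-existent domain" means some server answered but does not serve the zone). The embedded sample transcripts are quoted from post 12 or constructed to look like nslookup output, and the function names classify_lookup, explain_verdict and run_matrix are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: run the nslookup matrix jerrm
# proposed and classify each result. The phrases matched are the ones quoted
# in post 12 (Windows nslookup) plus the busybox nslookup wording seen on the
# router; anything else is reported as "unknown" rather than guessed.

# Sample outputs for the offline demo. The first two are quoted from post 12;
# the other two are constructed to look like nslookup output.
SAMPLE_TIMEOUT="Server:  HomeRouter.AURORA
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** Request to HomeRouter.AURORA timed-out"

SAMPLE_NXDOMAIN="Server:  HomeRouter.AURORA
Address:  192.168.1.1

*** HomeRouter.AURORA can't find server.workdomain.net: Non-existent domain"

# constructed: busybox nslookup on the router when it cannot reach the resolver
SAMPLE_UNREACH="nslookup: can't resolve 'server.workdomain.net'"

# constructed: a successful answer from the ICS gateway's DNS proxy
SAMPLE_OK="Server:  192.168.75.2
Address:  192.168.75.2#53

Name:   dc.workdomain.net
Address: 172.100.100.12"

# classify_lookup: read one nslookup transcript on stdin, print a verdict.
#   timeout  - the resolver forwarded the query but no reply came back
#              (route or firewall between resolver and DNS server)
#   nxdomain - a server replied, but does not serve the name
#              (query reached the wrong upstream, e.g. a proxy forwarding to public DNS)
#   unreach  - the resolver itself could not be reached from this host
#   ok       - an answer with a Name: section came back
#   unknown  - none of the patterns matched
classify_lookup() {
    out=$(cat)
    case "$out" in
        *"timed out"*|*"timed-out"*)                        echo timeout ;;
        *"Non-existent domain"*|*NXDOMAIN*|*"can't find"*)  echo nxdomain ;;
        *"can't resolve"*)                                  echo unreach ;;
        *"Name:"*)                                          echo ok ;;
        *)                                                  echo unknown ;;
    esac
}

# explain_verdict: one line of troubleshooting guidance per verdict, following
# the reasoning Sean B. and jerrm give in the thread.
explain_verdict() {
    case "$1" in
        timeout)  echo "query left the resolver, no reply: check the route and the firewall rules for port 53 on that path" ;;
        nxdomain) echo "a DNS server answered but does not know the zone: the query reached the wrong upstream" ;;
        unreach)  echo "resolver unreachable from this host: local route or firewall to the resolver" ;;
        ok)       echo "working" ;;
        *)        echo "unrecognised output, read it by hand" ;;
    esac
}

# run_matrix NAME SERVER...: query NAME against each SERVER and print one
# verdict line per server. Needs network; only run when RUN_LOOKUPS=1 (below).
run_matrix() {
    name=$1; shift
    for srv in "$@"; do
        verdict=$(nslookup "$name" "$srv" 2>&1 | classify_lookup)
        printf '%-24s %-16s %-8s %s\n' "$name" "$srv" "$verdict" "$(explain_verdict "$verdict")"
    done
}

# Offline demo over the embedded samples.
demo() {
    for s in "$SAMPLE_TIMEOUT" "$SAMPLE_NXDOMAIN" "$SAMPLE_UNREACH" "$SAMPLE_OK"; do
        v=$(printf '%s\n' "$s" | classify_lookup)
        printf '%-8s %s\n' "$v" "$(explain_verdict "$v")"
    done
}
demo

# Live run against the resolvers named in the thread, from the router shell:
if [ "${RUN_LOOKUPS:-0}" = 1 ]; then
    run_matrix server.workdomain.net 172.100.100.12 192.168.75.2 127.0.0.1
fi
```

    Run it once from the router, once from the ICS gateway and once from a plain LAN client; the verdict column for 127.0.0.1 tells you what dnsmasq is doing with the query, while the columns for 172.100.100.12 and 192.168.75.2 tell you whether that host can reach the work DNS server directly or only through the ICS proxy.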
  16. ElementOmicron

    ElementOmicron Connected Client Member

    I apologize - had to leave the country for a week. Getting back to this - so if I do this:

    nslookup server.workdomain.com 172.100.100.12

    OR

    nslookup server.workdomain.com 192.168.75.2

    it resolves just fine from a machine on my LAN, but DOES NOT work from the router (gets "can't resolve"). This leads me to think it can't be a firewall issue for a machine on my LAN, but perhaps the router needs something?

    Doing:

    nslookup server.workdomain.com

    gives me non-existent domain on a LAN machine and "can't resolve" from the router.

    I have these in my firewall rules, perhaps I need to allow access for the router to access port 53 (DNS) on 192.168.75.2 and/or my work LAN?

    Code:
    WORK_WAN="VLAN6"

    # Allow Desktop (the ICS gateway) to access WORK.
    # The variable must be expanded; a bare "-o WORK_WAN" names an interface that
    # does not exist and the rule never matches.
    iptables -t filter -I FORWARD 1 -o "$WORK_WAN" -s 192.168.75.2 -d 172.100.100.0/24 -j ACCEPT

    # Allow Laptops to access WORK
    iptables -t filter -I FORWARD 2 -o "$WORK_WAN" -s 192.168.1.31 -d 172.100.100.0/24 -j ACCEPT
    iptables -t filter -I FORWARD 3 -o "$WORK_WAN" -s 192.168.1.32 -d 172.100.100.0/24 -j ACCEPT
    iptables -t filter -I FORWARD 4 -o "$WORK_WAN" -s 192.168.1.33 -d 172.100.100.0/24 -j ACCEPT

    # Drop everything else forwarded out to WORK. Do this one last.
    # Note: FORWARD only sees traffic transiting the router; the router's own
    # lookups go through the OUTPUT chain instead.
    iptables -t filter -I FORWARD 5 -o "$WORK_WAN" -j DROP
    
     