[How-to] DNS queries over openvpn/tinc (site-to-site)


rs232

No questions in this thread, just a little howto + explanation.
I'll start this post all the way around: with the solution first

To be able to run DNS queries between two or more vpn sites you need to add the tunnel interfaces in the dnsmasq configuration.

Example:
interface=tun11,tun12,tun21,tun22
coupled with the server directive to direct the queries:


DNSMASQ site1:
interface=tun11,tun12,tun21,tun22
server=/.site2.localdomain/192.168.2.1


DNSMASQ site2:
interface=tun11,tun12,tun21,tun22
server=/.site1.localdomain/192.168.1.1


This allows the DNS delegation to work properly. e.g. You can run an nslookup on site1 LAN (192.168.1.x) like
nslookup dell-laptop.site2.localdomain
and get in answer the ip address of the dell-laptop host sitting on site2 (192.168.2.x)

now my points:

1) The above commands allow the tunnel interfaces to be queried, without specifying the tunnel interfaces it does not work.

2) Or better it works client towards server if the "Respond to DNS" flag has been set on the GUI. It doesn't in opposite direction though.

3) It appears that this "Respond to DNS" flag adds the tunnel interface in the dnsmasq config file (/etc/dnsmasq.conf) e.g.
interface=tun21. Achieving:
a) dnsmasq to listen to that tunnel interface
b) add a rule to the iptables to allow dns traffic in input
4) I have enabled "log-queries" on both devices and I can see that running a query from LAN1 (linux client) to ask the IP of a host on LAN2 (using FQDN) the site2 tomato receives this very same query from the tunnel IP of tomato1, even though NAT is not enabled on the tunnel. Why is this happening? It's the DNS caching, LAN client asks tomato, tomato asks wherever it knows (tunnel interface is the closest destination to LAN2).


I just wanted to share my afternoon of investigation and my findings in case somebody else gets stuck with this configuration.

HTH
rs232
 
Just adding to the OP:

1) Make sure the option Prevent DNS-rebind attacks is unchecked or it will not work.

2) For tinc (rather than OpenVPN) the interface parameter must be set to:
interface=tinc
 
Thanks.

Note, you can also use a wildcard instead for the interface:

Code:
interface=tun*

A smidgen easier in terms of maintenance.
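To see how the directives from this thread fit together (the `interface=` list and the `server=/domain/ip` delegation from the OP, the `tun*` glob from the reply above, and the rebind note: Tomato's "Prevent DNS-rebind attacks" is dnsmasq's `stop-dns-rebind`, which drops private-range answers such as 192.168.2.x unless the domain is exempted with `rebind-domain-ok`), here is a small added model of dnsmasq's matching rules. It is constructed example code, not dnsmasq's or Tomato's own; the sample config and the 203.0.113.53 upstream are made up, and the private-range check is approximated with Python's `ipaddress.is_private`.

```python
# Constructed model (not dnsmasq code) of the directives this thread uses:
# interface=, server=/domain/ip, stop-dns-rebind and rebind-domain-ok.
import ipaddress
from fnmatch import fnmatch

SITE1_CONF = """\
interface=tun11,tun12,tun21,tun22
server=/.site2.localdomain/192.168.2.1
server=203.0.113.53
stop-dns-rebind
rebind-domain-ok=/site2.localdomain/
"""

def parse_conf(text):
    cfg = {"ifaces": [], "servers": [], "default": None, "stop_rebind": False, "rebind_ok": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        if key == "interface":
            cfg["ifaces"] += [v.strip() for v in val.split(",")]
        elif key == "server" and val.startswith("/"):   # server=/domain/ip
            _, domain, ip = val.split("/", 2)
            cfg["servers"].append((domain.strip(".").lower(), ip))
        elif key == "server":                            # plain upstream
            cfg["default"] = val
        elif key == "stop-dns-rebind":
            cfg["stop_rebind"] = True
        elif key == "rebind-domain-ok":
            cfg["rebind_ok"] += [d.strip(".").lower() for d in val.split("/") if d]
    return cfg

def listens_on(cfg, ifname):
    return any(fnmatch(ifname, pat) for pat in cfg["ifaces"])  # exact or glob (tun*)

def _under(qname, domain):
    return domain == "#" or qname == domain or qname.endswith("." + domain)

def upstream_for(cfg, qname):
    """Most specific server=/domain/ wins; '#' is dnsmasq's any-domain catch-all."""
    qname = qname.rstrip(".").lower()
    hits = [(len(d), ip) for d, ip in cfg["servers"] if _under(qname, d)]
    return max(hits)[1] if hits else cfg["default"]

def answer_accepted(cfg, qname, answer_ip):
    qname = qname.rstrip(".").lower()
    if not cfg["stop_rebind"] or not ipaddress.ip_address(answer_ip).is_private:
        return True   # no rebind filter, or a public answer: always accepted
    return any(_under(qname, d) for d in cfg["rebind_ok"])  # private: only exempt names
```

Keeping `stop-dns-rebind` and adding `rebind-domain-ok` for the peer site's domain lets the delegated 192.168.2.x answers through without disabling rebind protection for every other domain.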
 
it's useful. can you give me more hint?
assume:
vps-server1-tinc-tun0: public ip is 47.8.8.8, tinc ip is 10.0.1.1
openwrt-client1-tinc-tun0: lan ip is 192.168.10.1, tinc ip is 10.0.1.2
so, how to forward the dns requests of client1 to server1 via 10.0.1.1 and get dns responses from server1?
 
Is this tomato or openwrt?
 
vps-tinc is linux server, tinc-client is on openwrt/tomato , now the traffic of openwrt/tomato has gone to vps via tinc, I want to forward dns traffic of openwrt/tomato to vps via tinc?
 
Untested but try in the DNSMASQ config to replace the domain name as per OP with * only ?

server=/*/10.0.1.1
 