[How-to] DNS queries over openvpn/tinc (site-to-site)

Discussion in 'Tomato Firmware' started by rs232, Apr 23, 2014.

  1. rs232

    rs232 Network Guru Member

    No questions in this thread, just a little howto + explanation.
    I'll start this post all the way around: with the solution first

    To be able to run DNS queries between two or more vpn sites you need to add the tunnel interfaces in the dnsmasq configuration.

    coupled with the server directive to direct the queries:

    DNSMASQ site1:

    DNSMASQ site2:

    This allows the DNS delegation to work properly, e.g. you can run an nslookup on the site1 LAN (192.168.1.x) like
    nslookup dell-laptop.site2.localdomain
    and get in answer the IP address of the dell-laptop host sitting on site2 (192.168.2.x).

    now my points:

    1) The above commands allow the tunnel interfaces to be queried; without specifying the tunnel interfaces it does not work.

    2) Or rather, it works client towards server if the "Respond to DNS" flag has been set on the GUI. It doesn't in the opposite direction though.

    3) It appears that this "Respond to DNS" flag adds the tunnel interface in the dnsmasq config file (/etc/dnsmasq.conf) e.g.
    interface=tun21. Achieving:
    a) dnsmasq to listen to that tunnel interface
    b) add a rule to the iptables to allow dns traffic in input
    4) I have enabled "log-queries" on both devices and I can see that, running a query from LAN1 (linux client) to ask the IP of a host on LAN2 (using FQDN), the site2 tomato receives this very same query from the tunnel IP of tomato1, even though NAT is not enabled on the tunnel. Why is this happening? It's the DNS caching: the LAN client asks tomato, tomato asks wherever it knows (tunnel interface is the closest destination to LAN2

    I just wanted to share my afternoon of investigation and my findings in case somebody else gets stuck with this configuration.

  2. tekbuster

    tekbuster Network Newbie Member

    This post helped me with a problem that I had for over a week.

    Thanks for "unrequested" help!!!
  3. rs232

    rs232 Network Guru Member

    Just adding to the OP:

    1) Make sure the option Prevent DNS-rebind attacks is unchecked or it will not work.

    2) For tinc (rather than OpenVPN) the interface parameter must be set to:
  4. eibgrad

    eibgrad Network Guru Member


    Note, you can also use a wildcard instead for the interface:

    A smidgen easier in terms of maintenance.
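    The following is an added example, not code posted by anyone in this thread. It models the dnsmasq behaviour the OP describes (listen on the tunnel interface, forward the other site's domain with server=/domain/ip, answer the local domain from local records), the rebind caveat from rs232's follow-up (Tomato's "Prevent DNS-rebind attacks" maps to dnsmasq's stop-dns-rebind, which discards RFC1918 answers coming back over the tunnel) and eibgrad's wildcard interface= form. All addresses, interface names and domains are constructed assumptions: site1 LAN 192.168.1.x, site2 LAN 192.168.2.x, tunnel interface tun21 on both routers, tunnel IPs 10.8.0.1 (site1) and 10.8.0.2 (site2), domains site1.localdomain and site2.localdomain.

```python
"""Model of dnsmasq site-to-site delegation plus the checks to run before
blaming the tunnel. Constructed example; every value below is an assumption."""
import re
from fnmatch import fnmatchcase

SITE1_CONF = """\
# constructed example: dnsmasq custom config on the site1 router
interface=br0
interface=tun21
domain=site1.localdomain
local=/site1.localdomain/
server=/site2.localdomain/10.8.0.2
"""

SITE2_CONF = """\
# constructed example: dnsmasq custom config on the site2 router
interface=br0
interface=tun21
domain=site2.localdomain
local=/site2.localdomain/
server=/site1.localdomain/10.8.0.1
"""


def parse_conf(text):
    """Extract the directives that matter for cross-site resolution."""
    conf = {"interfaces": [], "forward": {}, "local": set(), "stop_dns_rebind": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        if key == "interface":
            conf["interfaces"].append(value)          # may contain wildcards (tun*)
        elif key == "server":
            m = re.fullmatch(r"/([^/]+)/(.*)", value)
            if m:
                conf["forward"][m.group(1).lower()] = m.group(2)
            else:
                conf["forward"][""] = value           # plain server=IP: default upstream
        elif key == "local":
            m = re.fullmatch(r"/([^/]+)/", value)
            if m:
                conf["local"].add(m.group(1).lower())  # never forwarded upstream
        elif key == "stop-dns-rebind":
            conf["stop_dns_rebind"] = True
    return conf


def route_query(conf, name):
    """Where dnsmasq sends a query: longest matching domain suffix wins.
    Returns ('local', None), ('forward', ip) or ('upstream', None)."""
    name = name.lower().rstrip(".")
    best = None
    for domain in conf["local"] | set(d for d in conf["forward"] if d):
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    if best is None:
        return ("upstream", None)
    if best in conf["local"]:
        return ("local", None)
    return ("forward", conf["forward"][best])


def listens_on(conf, ifname):
    """True if some interface= line (wildcards allowed) covers ifname."""
    return any(fnmatchcase(ifname, pattern) for pattern in conf["interfaces"])


def check_site(text, tunnel_if):
    """Return the misconfigurations that break DNS over the tunnel (empty = ok)."""
    conf = parse_conf(text)
    problems = []
    if not listens_on(conf, tunnel_if):
        problems.append(f"dnsmasq does not listen on {tunnel_if}: queries over the tunnel are ignored")
    if not any(d for d in conf["forward"]):
        problems.append("no server=/remote.domain/ip line: remote-site names go to the public upstream")
    if conf["stop_dns_rebind"]:
        problems.append("stop-dns-rebind is set: private-range answers from the remote site are discarded")
    return problems


if __name__ == "__main__":
    site1 = parse_conf(SITE1_CONF)
    for q in ("dell-laptop.site2.localdomain", "pc.site1.localdomain", "www.example.com"):
        print(q, "->", route_query(site1, q))
    print("site1 problems:", check_site(SITE1_CONF, "tun21"))
    print("site2 problems:", check_site(SITE2_CONF, "tun21"))
```

If you would rather keep rebind protection on for everything else, dnsmasq also has rebind-domain-ok=/site2.localdomain/ to exempt just the remote site's domain; that option is not discussed in the thread, so treat it as an assumption to verify against your dnsmasq version.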
  5. blackantt

    blackantt Serious Server Member

    It's useful. Can you give me more hints?
    vps-server1-tinc-tun0: public ip is , tinc ip is
    openwrt-client1-tinc-tun0: lan ip is , tinc ip is ,
    So, how to forward the dns request of client1 to server1 via and get dns responses from server1?
  6. rs232

    rs232 Network Guru Member

    Is this tomato or openwrt?
  7. blackantt

    blackantt Serious Server Member

    vps-tinc is a Linux server, tinc-client is on openwrt/tomato. Now the traffic of openwrt/tomato has gone to vps via tinc; I want to forward dns traffic of openwrt/tomato to vps via tinc?
  8. rs232

    rs232 Network Guru Member

    Untested, but try in the DNSMASQ config to replace the domain name as per the OP with * only?
