OpenVPN Client can't resolve DNS

Discussion in 'Tomato Firmware' started by wycf, Mar 9, 2012.

  1. wycf

    wycf Network Guru Member

    Hello, All,

    My router is ASUS RT-N16 flashed with Tomato Firmware v1.28.9054 MIPSR2-beta K26 USB vpn3.6. I use OpenVPN client on the router to connect to my office. Everything works fine except the DNS. In my office we have a internal DNS server to resolve local name/IP. For example, we have a internal website at

    In the Advanced tab of the OpenVPN Client setting, there is a "Accept DNS configuration". I tried all 4 options and none of them works. I ssh login the router and try:

    I can ping our DNS server from the router .

    I know this is not our DNS server problem. Because I tried using my notebook directly connect to office using OpenVPN GUI and I can resolve internal name via our DNS server.

    Please help me to solve this problem. Thanks.
  2. wycf

    wycf Network Guru Member

    This is the log when I set the VPN to "Relaxed". It shows it got the "PUSH" from the server.
    Now at router:

    Everyting sames fine. But I just can't success on resolve any internal name using our office DNS server!
  3. wycf

    wycf Network Guru Member

    More info:

    On our DNS server in the office, I use tcpdump to monitor port 53 and I don't see anything when I do a query on my home router!
  4. GavinP

    GavinP Network Guru Member

    Are you using the automatic or custom firewall ?

    Is DNSMasq running on the router ?

    Is iptables configured to forward the necessary traffic ?

    It might be worth changing the default forwarding to "ACCEPT" temporarily to see if it is a firewall issue.


  5. wycf

    wycf Network Guru Member

    I am using "Automatic".

    root@pine:/tmp/home/root# ps | grep dnsmasq
    24306 nobody 1044 S dnsmasq -c 1500 --log-async
    24314 root 1700 S grep dnsmasq

    Here is the iptable list, please have a look and let me know if anything wrong:
  6. GavinP

    GavinP Network Guru Member

    As previously stated, I would suggest temporarily adding a single line to the Administration\Scripts - Firewall tab:

    iptables -P FORWARD ACCEPT

    Reboot the router and see if this does the trick.

    The other thing I would try is disabling DNSMASQ temporarily to see if this is where the issue lies.


  7. wycf

    wycf Network Guru Member

    OK, I added the line in the Firewalltab, save it and reboot. Now I try to use ping hostname in the Tools, then I check the Log I've got:
    Mar 12 08:55:35 pine2011 daemon.warn dnsmasq[845]: possible DNS-rebind attack detected:

    Test nslookup in ssh at router got the same result: can'y resolve ''

    How can I disable dnsmasq? I tried to kill the process in the ssh terminal but it restarted right away.

  8. wycf

    wycf Network Guru Member

    Hi, Gavin,

    I am still have this problem so I kept poking around. I think I found something interesting:

    In the TomatoUSB Advanced-DHCP.DNS tab, there are few options:
    Use internal DNS [checked by default]
    Use received DNS with user-entered DNS [unchecked by default]
    Prevent DNS-rebind attacks [checked by default]

    So I changed the above setting to:
    Use internal DNS [unchecked]
    Use received DNS with user-entered DNS [checked]
    Prevent DNS-rebind attacks [unchecked]
    Now I can see all the DNS request sent to our office DNS server and of course the name can be resolved. But I only want use office DNS server to resolve our office local hosts. Another problem is I have a Linux server behind the router which use the Tomato router/gateway as DNS resolver, with this setting all DNS request failed!

    I am confused here on the setting of DNS here. Please help.

    Thanks a lot.

  9. GavinP

    GavinP Network Guru Member

    I think you are now at the stage of having to look at the man pages for DNSMASQ:

    I suspect the best way to do this is to specify "special servers" for particular domains ?

    Using special servers.

    Dnsmasq has the ability to direct DNS queries for certain domains to specific upstream nameservers. This feature was added for use with VPNs but it is fully general. The scenario is this: you have a standard internet connection via an ISP, and dnsmasq is configured to forward queries to the ISP's nameservers, then you make a VPN connection into your companies network, giving access to hosts inside the company firewall. You have access, but since many of the internal hosts aren't visible on the public internet, your company doesn't publish them to the public DNS and you can't get their IP address from the ISP nameservers. The solution is to use the companies nameserver for private domains within the company, and dnsmasq allows this. Assuming that internal company machines are all in the domain and the companies nameserver is at then the optionserver=/ will direct all queries in the internal domain to the correct nameserver. You can specify more than one domain in each server option. If there is more than one nameserver just include as many server options as is needed to specify them all.

    Failing that, maybe setting the strict order setting will help ? Setting your internal DNS server as first server and then specify an external server to use if it doesn't find a match ? Not as efficient as the first method but should work.

    -o, --strict-orderBy default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf
  10. skyanvi1

    skyanvi1 Addicted to LI Member

    Leave the domain name empty under Identification.
    Add entries to the Dnsmasq Custom configuration along the lines of:
    #tell dnsmasq to forward all DNS requests for '*.mydomain.local' to 192.168.1.x (x=theLocalDnsServerIp)
    #any non domain net devices not registered with the local DNS server are hard coded e.x.
    # everything else is forwarded to the dnsservers configured in dhcp
    # fix for Win7 DHCPINFORM logger flood
    oopse, gavin I think we cross posted.
  11. wycf

    wycf Network Guru Member

    Basic--Identification--Domain: <empty>

    VPN Client--Advanced--Accept DNS configuration: Relexed

    Advanced -- DNS/DHCP:
    • Use internal DNS: checked
    • Use received DNS with user-entered DNS: Uncheckd
    • Dnsmasq Custom configuration:

    With the above settings, I still can't resolve internal name, except beta.mycompany.lan, which it listed in the "address" line in the dnsmasq conf.

    When doing a nslookup on the router, it just kept looking for

    Here is the dnsmasq.conf:

  12. wycf

    wycf Network Guru Member

    One more question:

    The pushed DNS options (nameserver saved in /etc/resolv.dnsmasq

    But the /etc/resolv.conf always has one line only:

    Is the /etc/resolv.dnsmasq ever get used?
  13. skyanvi1

    skyanvi1 Addicted to LI Member

    Leave `Prevent DNS-rebind attacks` unchecked to allow dnsmasq to respond to the vpn connected computers.

    To debug what dnsmasq processing (i.e. DNS queries/responses) in real time place the following in your `Dnsmasq Custom configuration`:
    Then ssh into your router ( user: root(not admin) pw: yourpassword )

    and watch the log in real time using the command:
    tail -f /var/log/messages

    *be sure to clear the local dns cache of the local test computer as often it caches `not found` entries too.
  14. skyanvi1

    skyanvi1 Addicted to LI Member

    I may have found your problem... i was just rereading your log:

    Mar 9 11:34:40 pine dnsmasq[22963]: using nameserver
    Mar 9 11:34:40 pine dnsmasq[22963]: using nameserver
    Mar 9 11:34:40 pine dnsmasq[22963]: using nameserver
    Mar 9 11:34:40 pine dnsmasq[22963]: using nameserver

    these tell dnsmasq to use the listed name-servers in round robin load balancing... i.e.

    unique (non cached) dns query 1: uses
    unique (non cached) dns query 2: uses
    unique (non cached) dns query3: uses
    unique (non cached) dns query4: uses
    unique (non cached) dns query 5: uses

    so the first two non cached queries to your local domain will fail... eventually as the "failed/unreachable/not found" entries in the cache time out you'll get lucky and hit the local dns server with a query target of the local domain.

    this line takes the place of: nameserver

    try removing your local dns servers from your dhcp configuration.
  15. wycf

    wycf Network Guru Member

    Thank you skyanvi1 and Gavin. Now it's working. Uncheck the "Prevent DNS-rebind attacks" made it work!

    So, here is how to configure OpenVPN tunnel client to use remote private DNS server to resolve hostname:
    1. On VPN Tunneling --> Client --> Set "Accept DNS configration" to "Relaxed";
    2. On Advanced --> DHCP/DNS:
    2-1: enable "Use internal DNS";
    2-2: uncheck "Use received DNS with user-entered DNS" and "Prevent DNS-rebind attacks";
    2-3: in "Dnsmasq Custom configuration" put a line "server=/vpnserver.localnet.domain/<remote DNS server IP>". for example : server=/mycompany.lan/

    another stupid question: how to label this thread subject [Solved] ?
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice