A specific question of mine is this: a client on the 10.0.3.X/24 network cannot reach subdomain.site.com. How can I make clients on 10.0.2.X/24 and 10.0.3.X/24 able to resolve 10.0.1.4 when calling subdomain.site.com?
I'd like to get my DNS resolution working for my web server LAN using the WAN-side domain name, e.g. subdomain.site.com, such that n clients on any of the LAN sub networks can just type subdomain.site.com or site.com and be routed appropriately (scalable, so /etc/hosts is out of the question).
My LAN has multiple subnets created with LEDE (network .1) and OpenWRT (network .2 and network .3):
10.0.1.X/24 Main puppy with WAN interface facing internet and NAT, web server fixed at 10.0.1.4 with ports forwarded
10.0.2.X/24 Auxiliary router with WAN interface facing 10.0.1.X/24 (routed)
10.0.3.X/24 Auxiliary router with WAN interface facing 10.0.1.X/24 (routed)
I do not want any hairpin NAT/loopback NAT solutions. I'd prefer a solution using DNS and here is why:
The problem with this data flow is that it is not efficient to leave the LAN and contact a global DNS server for an IP addr. when the server is a local peer (on the same side of NAT and in my case not necessarily within the same local subnet). Why even leave LAN when the client and server are local peers? A nice explanation of a loopback NAT flow can be found here, https://unix.stackexchange.com/a/282094/33386.
I know it is possible to achieve what I want using DNS split-horizons or whatever hip term some people are calling it these days. Also a local naming server that takes precedence over the global naming servers in certain instances would solve this. How can I implement this in OpenWRT or LEDE when using multiple subnets (multiple DHCP+DNS servers)? Somebody has to have done this already.
Currently, clients on 10.0.1.X/24 can reach subdomain.site.com with a corresponding dnsmasq setting in /etc/config/dhcp, but I have no clue why, because I thought this does not cover subdomains:

config domain
    option name 'site.com'
    option ip '10.0.1.4' # LAN address of web server
I had to add two things to my dnsmasq configuration on the aux routers in the file /etc/config/dhcp:

    list server '10.0.1.1' # Clients will still get 10.0.3.1 as dns server
    list rebind_domain 'subdomain.site.com' # Allow rebind to web server
The list server makes dnsmasq forward DNS queries to the server at 10.0.1.1 (the main router's dnsmasq server). The list rebind_domain allows rebinding for specific sites such that DNS rebinding protection can be left on. Thank you "jow" here. Another option is to completely disable DNS rebinding protection. Alternatively, it might be possible to use option rebind_localhost 1, but I did not test this. Without this step, I could not ping subdomain.site.com.
Add the following entry to /etc/dnsmasq.conf on the main router:

address=/.site.com/10.0.1.4

Note the leading dot (.), which acts as a placeholder for any subdomains. This change might also be possible in /etc/config/dhcp, but I am not sure how.
This was my original solution, which I have since abandoned. I added an entry (10.0.1.4 subdomain.site.com) into the /etc/hosts file of the main router, which has the limitation that there are no placeholders for subdomains or extended URLs like when using WebDAV.

127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.0.1.4 subdomain.site.com
Test this by adding logqueries 1 to /etc/config/dhcp to log all DNS queries. Something like the following will be shown, which indicates that /etc/hosts was the source:

Fri Jan 5 14:11:20 2018 daemon.info dnsmasq[7368]: 73 10.0.3.149/64299 /etc/hosts subdomain.site.com is 10.0.1.4
It surprised me that the following /etc/config/dhcp configuration on the main router only worked within the 10.0.1.X/24 subnet:

config domain
    option name 'site.com'
    option ip '10.0.1.4'

config domain
    option name 'subdomain.site.com'
    option ip '10.0.1.4'
If anybody can shed light on this, I'd love to know why! Perhaps a problem?
It would seem that adding option dns 10.0.1.1 to /etc/config/network on aux routers did not really help my situation either.

config interface 'lan'
    option ifname 'eth0.1'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '10.0.2.1'
    option netmask '255.255.255.0'
    option dns '10.0.1.1'

config interface 'wan'
    option ifname 'eth0.2' # Comment this out if connecting as sta using wlan
    option proto 'dhcp'
    option netmask '255.255.255.0'
    option gateway '10.0.1.1'
    option dns '10.0.1.1'
Adding this option makes an entry show up in cat /tmp/resolv.conf.auto. However, list server 10.0.1.1, as explained above, adds nameserver 10.0.1.1 for the WAN interface.
Adding dhcp_options to /etc/config/dhcp on aux routers did not help.

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '72h'
    option ra 'server'
    #list 'dhcp_option' '3,10.0.1.1' # SET DEFAULT GATEWAY, CAUTION CAN BREAK STUFF
    #list 'dhcp_option' '6,10.0.1.1' # SEND DNS SERVER ADDR TO CLIENTS, CAUTION CAN BREAK STUFF
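As an added example (not from the original post), here is a small Python checker that parses the logqueries output shown above and reports which names under site.com were answered with a non-LAN address for some client, i.e. where the split horizon is not yet in effect for that subnet. The embedded log lines are constructed apart from the one quoted above, and the 10.0.0.0/8 LAN range is an assumption taken from the subnets listed in the question.

```python
import re
import ipaddress
from collections import defaultdict

# dnsmasq "logqueries" line in the extra format seen above:
#   "<id> <client>/<port> <source> <name> is|to|from <value>"
LOG_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<qid>\d+) (?P<client>[\d.]+)/\d+ "
    r"(?P<source>query\[\w+\]|forwarded|reply|cached|config|/etc/hosts) "
    r"(?P<name>\S+) (?:is|to|from) (?P<value>\S+)"
)
ANSWER_SOURCES = ("reply", "cached", "config", "/etc/hosts")
LAN = ipaddress.ip_network("10.0.0.0/8")  # assumption: all three subnets live here

def answers(lines):
    """Map (client, name) -> [(source, answer)] for every line that carries an answer."""
    out = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["source"] in ANSWER_SOURCES:
            out[(m["client"], m["name"])].append((m["source"], m["value"]))
    return dict(out)

def left_the_lan(lines, domain, lan=LAN):
    """Return (client, name, answer) for names under `domain` that were answered
    with a non-LAN address: the split horizon did not apply and that client will
    reach the web server via the WAN instead of as a local peer."""
    leaks = set()
    for (client, name), results in answers(lines).items():
        if name != domain and not name.endswith("." + domain):
            continue
        for source, value in results:
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:   # e.g. "<CNAME>" or NXDOMAIN markers
                continue
            if addr not in lan:
                leaks.add((client, name, value))
    return leaks

# Constructed sample: the second line is the one quoted in the post, the rest are
# made up to show a 10.0.2.X client whose query was forwarded and answered publicly.
SAMPLE_LOG = """\
Fri Jan 5 14:11:20 2018 daemon.info dnsmasq[7368]: 73 10.0.3.149/64299 query[A] subdomain.site.com from 10.0.3.149
Fri Jan 5 14:11:20 2018 daemon.info dnsmasq[7368]: 73 10.0.3.149/64299 /etc/hosts subdomain.site.com is 10.0.1.4
Fri Jan 5 14:12:02 2018 daemon.info dnsmasq[7368]: 74 10.0.2.50/51000 query[A] other.site.com from 10.0.2.50
Fri Jan 5 14:12:02 2018 daemon.info dnsmasq[7368]: 74 10.0.2.50/51000 forwarded other.site.com to 10.0.1.1
Fri Jan 5 14:12:02 2018 daemon.info dnsmasq[7368]: 74 10.0.2.50/51000 reply other.site.com is 203.0.113.10
""".splitlines()
```

Run it against the real log with `left_the_lan(open("/path/to/syslog").read().splitlines(), "site.com")`; an empty set means every client on every subnet got the 10.0.1.4 answer.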