DNSMasq not resolving domains with private IPs

xeen11
DD-WRT Novice


Joined: 31 Jan 2017
Posts: 2

Posted: Tue Jan 31, 2017 15:24    Post subject: DNSMasq not resolving domains with private IPs
Hi,

I've tried googling, but no luck. Every question there is concerning resolving hostnames on the local network; my question is different.

When I try to resolve a domain name that has a private IP, the dnsmasq service of DD-WRT refuses to return the result:
$ nslookup private.morestina.net
Server: 192.168.1.2
Address: 192.168.1.2#53

Non-authoritative answer:
*** Can't find private.morestina.net: No answer


This is a subdomain I have created for these test purposes. When resolving from Google's DNS, or my ISP's DNS directly:

$ nslookup private.morestina.net 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: private.morestina.net
Address: 10.20.30.40

I don't mind using DNSMasq on DD-WRT, but this is proving to be an issue as I have a lot of work-related stuff that needs to be resolvable to private IPs that I'm using a VPN to access. I assume this is a security measure of some sort, or something is misconfigured, or something else?

Firmware: DD-WRT v24-sp2 (07/24/13) std
Hardware: TP-Link TL-WR841ND v8
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4354
Location: Germany

Posted: Tue Jan 31, 2017 16:36    Post subject: Re: DNSMasq not resolving domains with private IPs
Is 192.168.1.2 your router IP, or is this an additional DNS server? DNSmasq default config does not allow any private IP addresses for DNS servers, for security reasons, which can be disabled in dnsmasq section "No DNS Rebind".

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
xeen11
DD-WRT Novice


Joined: 31 Jan 2017
Posts: 2

Posted: Tue Jan 31, 2017 18:14    Post subject: Re: DNSMasq not resolving domains with private IPs
<Kong> wrote:
Is 192.168.1.2 your router IP, or is this an additional DNS server? DNSmasq default config does not allow any private IP addresses for DNS servers, for security reasons, which can be disabled in dnsmasq section "No DNS Rebind".


Yeah, 192.168.1.2 is the router address, not sure why it was set up this way, must have been a good reason, but I just kept it like this. Disabling "No DNS Rebind" did the trick. Thanks for your help!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Wed Feb 01, 2017 4:40
Don't disable "No DNS Rebind". That's taking a sledgehammer to a problem that can be corrected w/ a scalpel. This feature is designed to protect you against known DNS vulnerabilities. Instead, be selective by using the rebind-domain-ok directive in Additional DNSMasq Options.

Code:
rebind-domain-ok=private.morestina.net


If you have more than one domain, use the same directive and separate them w/ forward slashes.

Code:
rebind-domain-ok=/private.morestina.net/someother.domain.com/
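
The following is an added example, not part of the thread and not dnsmasq's own code: a small Python model of why a selective rebind-domain-ok exemption keeps rebind protection in place for every other name, while turning "No DNS Rebind" off removes it everywhere. The private ranges, the whole-answer rejection and the suffix matching on label boundaries are assumptions of this model, and the sample answers are constructed.

```python
import ipaddress

# Assumption: ranges this model treats as private (RFC 1918, loopback,
# link-local, IPv6 ULA); dnsmasq's own list may differ in detail.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def parse_rebind_domain_ok(value):
    """Parse 'a.example' or '/a.example/b.example/' into a domain list."""
    parts = value.split("/") if value.startswith("/") else [value]
    return [p.strip().lower().rstrip(".") for p in parts if p.strip()]


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address is judged by its embedded IPv4 address.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    return any(ip.version == n.version and ip in n for n in PRIVATE_NETS)


def is_exempt(name, ok_domains):
    """Exempt if name equals a listed domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in ok_domains)


def filter_answer(name, addrs, ok_domains=()):
    """Return the addresses passed to the client; [] models 'No answer'."""
    if not is_exempt(name, ok_domains) and any(is_private(a) for a in addrs):
        return []  # assumption: the whole answer is rejected, not one record
    return list(addrs)


if __name__ == "__main__":
    ok = parse_rebind_domain_ok("/private.morestina.net/someother.domain.com/")
    # Constructed upstream answers: (queried name, returned addresses).
    samples = [("private.morestina.net", ["10.20.30.40"]),
               ("host.private.morestina.net", ["10.20.30.41"]),
               ("xprivate.morestina.net", ["10.20.30.42"]),
               ("unlisted.example.net", ["192.168.1.1"]),
               ("www.example.com", ["93.184.216.34"])]
    for name, addrs in samples:
        print(f"{name:28} protected-only={filter_answer(name, addrs)} "
              f"with-exemption={filter_answer(name, addrs, ok)}")
```

With the exemption in place, only the listed domains and their subdomains may resolve to private addresses; an unlisted name that returns 192.168.1.1 is still rejected.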