Posted: Fri Aug 19, 2022 21:57 Post subject: [SOLVED] DNS Resolution with Double-NAT
Symptom:
In a double-NAT scenario DNS host names are resolved correctly by only one of the two routers (see "Actual Behaviour" below). Resolution of DNS host names via the DNS servers provided by ISP DHCP works correctly.
Puzzle:
Before upgrading router hardware and upgrading DD-WRT from v24-sp2 (01/01/09) mega to DD-WRT v3.0-r49599 std (07/30/22) with this same double-NAT configuration DNS worked correctly (see "Desired Behaviour" below).
Also note I have had no other problems with my double-NAT scenario... everything else works as required/expected.
Configuration:
Router B: Netgear R6350
DD-WRT v3.0-r49599 std (07/30/22)
Static local IP address of Router 10.168.24.1
WAN IP Provided by Router A via DHCP (Static Lease 172.16.0.2)
DHCP & DNS Server On
Local DNS 10.168.24.1
Local Static Leases e.g.
MAC BC:A5:11:0D:4B:75 has host name RouterB static IP address 10.168.24.1
MAC e8:fc:af:e6:92:c0 has host name NAS1 static IP address 10.168.24.240
MAC 64:A5:C3:61:08:C1 has host name Computer1 static IP 10.168.24.100
Router A: Netgear R6350
DD-WRT v3.0-r49599 std (07/30/22)
Static Local IP address of Router 172.16.0.1
WAN IP Provided by ISP via DHCP
WAN DNS Provided by ISP via DHCP
DHCP & DNS Server On
Local DNS 172.16.0.1
Local Static Leases e.g.
MAC 00:18:F8:C9:49:90 has host name RouterA IP address 172.16.0.1
MAC 00:16:cb:a3:85:64 has host name WebServer1 IP address 172.16.0.240
MAC f0:82:61:3f:c1:30 has host name Computer2 Static IP address 172.16.0.100
Wired Connections
Router B WAN port is connected to a LAN port of Router A
NAS1 and Computer1 are connected to LAN ports of Router B
Router A WAN port is connected to ISP VDSL Modem
WebServer1 and Computer2 are connected to LAN ports of Router A
Desired behaviour from Computer1 attached to Router B LAN port using ssh:
nslookup RouterB -> 10.168.24.1 from DNS Server 10.168.24.1
nslookup NAS1 -> 10.168.24.240 from DNS Server 10.168.24.1
nslookup Computer1 -> 10.168.24.100 from DNS Server 10.168.24.1
nslookup RouterA -> 172.16.0.1 from DNS Server 172.16.0.1
nslookup WebServer1 -> 172.16.0.240 from DNS Server 172.16.0.1
nslookup Computer2 -> 172.16.0.100 from DNS Server 172.16.0.1
nslookup google.com -> 172.217.13.142 from DNS Server 8.8.8.8
i.e. from Computer1 I want it to be able to resolve the static leases from RouterB, RouterA, and any host name via the DNS servers provided by ISP DHCP (in that order)
Actual behaviour from Computer1 attached to Router B LAN port using ssh:
nslookup RouterB -> 10.168.24.1 from DNS Server 10.168.24.1
nslookup NAS1 -> 10.168.24.240 from DNS Server 10.168.24.1
nslookup Computer1 -> 10.168.24.100 from DNS Server 10.168.24.1
nslookup RouterA -> no address found
nslookup WebServer1 -> no address found
nslookup Computer2 -> no address found
nslookup google.com -> 172.217.13.142 from DNS Server 8.8.8.8
i.e. from Computer1 it can resolve static leases from RouterB (as expected) and any host name via the DNS servers provided by ISP DHCP (as expected), but it *CAN'T* resolve static leases from Router A!!!
Note: Desired and Actual behaviour from Computer2 attached to Router A LAN port using ssh:
nslookup RouterB -> 172.16.0.1 from DNS Server 172.16.0.1
nslookup WebServer1 -> 172.16.0.240 from DNS Server 172.16.0.1
nslookup Computer2 -> 172.16.0.100 from DNS Server 172.16.0.1
nslookup google.com -> 172.217.13.142 from DNS Server 8.8.8.8
i.e. from Computer2 it is able to resolve the static leases from RouterA, and any address via the DNS Servers provided by ISP
Question/Request:
Does anyone have any idea how to enable the desired behaviour - i.e. Computer1 attached to a LAN port of Router B can resolve the static leases from RouterB, RouterA, and any host name via the DNS servers provided by ISP DHCP?
Posted: Wed Aug 24, 2022 21:15 Post subject: No DNS Rebind
So... the solution turned out to be to disable "No DNS Rebind" (GUI -> Services -> Dnsmasq Infrastructure) on Router B.
Since Router A still has No DNS Rebind enabled I believe I'm still protected against DNS rebinding attacks as traffic to the internet goes via this router.
You can also use rebind-localhost-ok and/or rebind-domain-ok=/domain1/domain2/domain3/ in additional dnsmasq configs with "No DNS Rebind" enabled.
https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
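The failure in the first post and the fix in the second post both come down to one dnsmasq behaviour: with stop-dns-rebind ("No DNS Rebind" in the DD-WRT GUI) enabled, Router B forwards the query for WebServer1 to Router A, gets back 172.16.0.240, and discards the answer because it lies in a private range, which the client sees as "no address found". The model below is an added example, not dnsmasq's own code and not the poster's configuration: it parses the three rebind options named in the thread (stop-dns-rebind, rebind-localhost-ok, rebind-domain-ok) out of a dnsmasq.conf fragment and applies them to constructed upstream answers that mirror the thread's static leases. The private-range list, the function names and the sample configs are assumptions based on the dnsmasq man page description linked above.

```python
import ipaddress
from dataclasses import dataclass, field

# Address ranges the dnsmasq man page describes stop-dns-rebind as rejecting
# when they appear in an upstream answer. This list is a model of that
# description (assumption), not a copy of dnsmasq's own source.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
PRIVATE_V6 = [ipaddress.ip_network(n) for n in ("fe80::/10", "fc00::/7")]
LOOPBACK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]


@dataclass
class RebindPolicy:
    """The three rebind-related dnsmasq options discussed in the thread."""
    stop_dns_rebind: bool = False          # "No DNS Rebind" in the DD-WRT GUI
    rebind_localhost_ok: bool = False
    rebind_domain_ok: list = field(default_factory=list)


def parse_dnsmasq(text):
    """Pull the rebind options out of a dnsmasq.conf fragment (other lines ignored)."""
    policy = RebindPolicy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "stop-dns-rebind":
            policy.stop_dns_rebind = True
        elif line == "rebind-localhost-ok":
            policy.rebind_localhost_ok = True
        elif line.startswith("rebind-domain-ok="):
            # value has the form /domain1/domain2/domain3/
            doms = line.split("=", 1)[1].split("/")
            policy.rebind_domain_ok.extend(d.lower() for d in doms if d)
    return policy


def domain_exempt(name, policy):
    """rebind-domain-ok matches the listed domain itself and any subdomain of it."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in policy.rebind_domain_ok)


def is_rebind_address(addr, policy):
    """True if this answer address is one stop-dns-rebind would reject."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:10.0.0.1 is treated as 10.0.0.1
    if any(ip in net for net in LOOPBACK):
        return not policy.rebind_localhost_ok
    nets = PRIVATE_V4 if ip.version == 4 else PRIVATE_V6
    return any(ip in net for net in nets)


def filter_upstream_answer(name, addrs, policy):
    """Model dnsmasq's decision on an answer received from an upstream server.

    Returns (accepted_addresses, rejected). When a private-range address is
    present and the name is not exempt, the whole answer is discarded, which
    is what the client in the thread sees as "no address found".
    """
    if not policy.stop_dns_rebind or domain_exempt(name, policy):
        return list(addrs), False
    if any(is_rebind_address(a, policy) for a in addrs):
        return [], True
    return list(addrs), False


# Constructed sample: Router B with "No DNS Rebind" on, forwarding to Router A,
# whose answers for its own static leases are in 172.16.0.0/12.
ROUTER_B_DEFAULT = "stop-dns-rebind\n"
ROUTER_B_EXEMPT = "stop-dns-rebind\nrebind-domain-ok=/WebServer1/Computer2/RouterA/\n"
UPSTREAM_ANSWERS = [("WebServer1", ["172.16.0.240"]),
                    ("Computer2", ["172.16.0.100"]),
                    ("google.com", ["172.217.13.142"])]


def resolve_all(conf):
    """Run every constructed upstream answer through the policy parsed from conf."""
    policy = parse_dnsmasq(conf)
    return {name: filter_upstream_answer(name, addrs, policy)
            for name, addrs in UPSTREAM_ANSWERS}


if __name__ == "__main__":
    for label, conf in (("default", ROUTER_B_DEFAULT),
                        ("with rebind-domain-ok", ROUTER_B_EXEMPT)):
        print(label)
        for name, (accepted, rejected) in resolve_all(conf).items():
            note = "  (rebind check rejected upstream answer)" if rejected else ""
            print(f"  {name:12} -> {accepted or 'no address found'}{note}")
```

Running it prints the thread's "Actual behaviour" for the default config (WebServer1 and Computer2 give no address, google.com resolves) and the "Desired behaviour" once the names served by Router A are listed in rebind-domain-ok. That second config is the narrower alternative to turning the check off on Router B entirely: the private-range answers are accepted only for the names you expect to live behind Router A, while every other upstream answer is still filtered.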