Using hostnames in whole network

bring.fringe18 · 2023-11-17T19:35:35.278Z

2023-11-17 14_27_46-Using hostnames in whole network - Technical Support for Routers - GL.iNet - Bra582×501 33.8 KB

Note I don’t have Static Leases (DHCP/IP reservation) or Hostnames set within LuCI; the hostname originates fr the device itself. The DHCP range is stock 150 beginning w/ 192.168.8.100 to .249 (GL GUI → Network → Lan). ‘Less is more,’ and all that.

LupusE · 2023-11-17T20:34:50.500Z

Ping is something different. a ping sends an ICMP packet to the given address. If the address is an IP, it will be routed (via ARP blah blah blah), If it is a host name, it will be resolved first to an IP via DHCP.
The resolving works through UDP port 53 (important for firewall/routing!).
→ That is the reason, why I’d prefer nslookup to analyse DNS issues over ping.

The client got one or more DNS server. A DNS server can be any system that provides a DNS service.

In our case the GL-iNet Router provides a DNS service. Here I’ll test on the Beryl AX, Firmware 4.4.6 Release 2.

My host is named ‘kira’. Out of the box, I can resolve ‘kira’ just from getting a DHCP lease.

lupus@kira:~$ nslookup kira
Server:         192.168.8.1
Address:        192.168.8.1#53

Name:   kira.lan
Address: 192.168.8.168

Now I want another name for this host. So I go to ‘System - Advanced Settings’. Here I open the LuCI UI.
First I’ll check ‘Network - DHCP and DNS’. No changes needed here.
Now I switch to ‘Network - Hostnames’, that is in the same window another tab in your screenshot.
Here I add

‘lupuse’ for 192.168.8.168
‘zoe’ for 192.168.21.10
‘dora’ for 192.168.21.14.

lupus@kira:~$ nslookup lupuse
Server:         192.168.8.1
Address:        192.168.8.1#53

Name:   lupuse.lan
Address: 192.168.8.168

lupus@kira:~$ nslookup dora
Server:         192.168.8.1
Address:        192.168.8.1#53

Name:   dora.lan
Address: 192.168.21.13

lupus@kira:~$ nslookup zoe
Server:         192.168.8.1
Address:        192.168.8.1#53

Name:   zoe.lan
Address: 192.168.21.10

Works as expected.

And now ping:

lupus@kira:~$ ping -c2 lupuse
PING lupuse.lan (192.168.8.168) 56(84) bytes of data.
64 bytes from lupuse.lan (192.168.8.168): icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from lupuse.lan (192.168.8.168): icmp_seq=2 ttl=64 time=0.095 ms

--- lupuse.lan ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.039/0.067/0.095/0.028 ms
lupus@kira:~$ ping -c2 dora
PING dora.lan (192.168.21.13) 56(84) bytes of data.
64 bytes from dora.lan (192.168.21.13): icmp_seq=1 ttl=63 time=7.95 ms
64 bytes from dora.lan (192.168.21.13): icmp_seq=2 ttl=63 time=3.11 ms

--- dora.lan ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 3.109/5.530/7.952/2.421 ms
lupus@kira:~$ ping -c2 zoe
PING zoe.lan (192.168.21.10) 56(84) bytes of data.
From 192.168.21.169 (192.168.21.169) icmp_seq=1 Destination Host Unreachable
From 192.168.21.169 (192.168.21.169) icmp_seq=2 Destination Host Unreachable

--- zoe.lan ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1022ms
pipe 2

The DNS is not interested in the Network. It will stupid resolve all records, even if it does not know anything about the net 192.168.21.0/24.
As you can see this is a transfer network at my home with one host up.

Under Linux I can easily check the DNS server:

lupus@kira:~$ cat /etc/resolv.conf
search lan
nameserver 192.168.8.1

Under windows, it is somewhere in ‘ipconfig /all’ … If you have set and changed a lot on your windows, you may need a ipconfig /flushdns to start over. See ipconfig

Please make sure there is no personal firewall/security solution/vpn client active, that is messing with your DNS settings ‘for security’.

dieterlind · 2023-11-18T08:57:56.118Z

Hi!
my ipconfig /all gives me:

image844×355 10.8 KB

I also did ipconfig /flushdns
the “lan”-entry at the first line I just added … but it doesn’t make any difference

but the result of nslookup is still:

image733×115 3.01 KB

Doing it from another devices (linux) shows:

at least this devices knows the server … but computer isn’t found

dieterlind · 2023-11-18T09:04:58.178Z

this is maybe also of interest:

when I do this from the router itself I get

image984×282 9.61 KB

Obviously he knows the right IP but how can I interpret “Can’t find computer: No answer”??

LupusE · 2023-11-18T11:00:16.162Z

But you don’t have AdGuardHome active? This would mess with your DNS on the router.

So lets try to switch to the router: ssh root@192.169.8.1.

root@GL-MT3000:~# netstat -tulpen | grep :53 should show something like:

tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      22125/dnsmasq
tcp        0      0 192.168.xxx.xxx:53       0.0.0.0:*               LISTEN      22125/dnsmasq
tcp        0      0 192.168.9.1:53          0.0.0.0:*               LISTEN      22125/dnsmasq
tcp        0      0 192.168.8.1:53          0.0.0.0:*               LISTEN      22125/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      22125/dnsmasq
tcp        0      0 fe80::20f1:5aff:xxxx:xxxx:53 :::*                    LISTEN      22125/dnsmasq

vim /etc/dnsmasq.conf unfortunately is complete commented.
so i go with the sledge hammer grep dora /etc/* -r and got /etc/config/dhcp: option name 'dora'

here are all my configurations:

config domain                
        option name 'console.gl-inet.com'  
        option ip '::ffff:192.168.8.1'                         
                                                     
config domain                  
        option name 'dora'          
        option ip '192.168.21.14'   
                                         
config domain                  
        option name 'lupuse'  
        option ip '192.168.8.168'

Please check with cat /etc/resolv.conf if nameserver 127.0.0.1 is set (cat /tmp/resolv.conf should be the same, in fact is /etc/resolve.conf a symlink to /tmp/resolv.conf in a normal OpenWrt Setup).
Than check with netstat -tulpen |grep 53 if the listening service on port 53 is dnsmasq.
Make sure at the GUI (admin Panel), that AdGuardHome and similar services are disabled.

At last step for this part, you could check if the configuration is written in /etc/config/dhcp

dieterlind · 2023-11-18T14:04:05.791Z

OK … found out what is happening …

When disabling the OpnVPN client it is working:

C:\Users\diete>nslookup computer
Server:  console.gl-inet.com
Address:  192.168.0.1

Name:    computer.lan
Address:  192.168.0.10

So how can I combine openvpn client with DNS to work??

LupusE · 2023-11-18T16:21:16.349Z

In the whole thread, you never mentioned OpenVPN. You are talking about DNS in your ‘network’.

Where did you disabled OpenVPN?
Client (Computer) or Router?
Where do you want resolve your hostnames?

This is a little more complex.

You need to make the dnsmasq available in your VPN. Or at least accessible.
You need a route, to make sure the devices can reach the DNS Server (to resolve the names) and a route to make sure the clients can access the resolved IPs.

dieterlind · 2023-11-18T17:15:17.774Z

Well, I didn’t realize that OpenVPN will have an impact on DNS … that is why I didn’t mention it …
I disabled OpenVPN client on my gl.inet-Router
Hostnames shall be resolved on the Router

Client is configured like this:

image1009×531 23.7 KB

Can you give me more hints on how to configure dnsmasq for VPN and how to make the right route??

Thanks!!

dieterlind · 2023-11-18T18:00:53.237Z

What I just figured out:
When I change the VPN policy from “defined by MAC address” to “global proxy” it is also working.
But actually I don’t want to route every traffic via VPN but just defined devices.

LupusE · 2023-11-18T19:37:36.723Z

Network1 (192.168.0.0/24): Internet - GL iNet Router - LAN
VPN: GL-iNet Router - Any OpenVPN Endpoint
Network2: Any OpenVPN Endpoint

I know OpenWrt could do this by manual configuration of the routes, but I am not sure if GL-iNet is the right choice here.
My GL-iNet travel router providing a secure route for all clients to a defined VPN Endpoint. As the Endpoint is at my home and I am allowing the VPN to access the LAN, the DNS (not on the router, it is a bigger solution in a VM) within my LAN can handle all requests.

The difference is, that all DNS and networking is handled at the VPN server side. As far as I can read, you want to make a VPN client as server. Not impossible, but I am out here.

bring.fringe18 · 2023-11-18T19:48:26.754Z

You may have stumbled on a bug. Post your device model, firmware version & ping @hansome .

GL GUI → System → Upgrade → Local Upgrade

dieterlind · 2023-11-18T21:05:35.231Z

Device: GL-AX1800
Firmware: 4.4.6, release 1

hansome · 2023-11-20T07:29:59.793Z

This is indeed an issue, the dns traffic for devices not using VPN will be redirected to upstream DNS server which will not know what the local domain is like.
We need to implement a new method for DNS traffic separation.

dieterlind · 2023-11-20T07:46:19.825Z

OK … thanks for the feedback.
If you have a fix to test just let me know.
Would really love to be able to use this functionality

bring.fringe18 · 2023-11-20T17:20:29.010Z

@hansome

Have you just considered updating the DNS side of the GL GUI to all handle it all by dnscrypt-proxy2? It plays very nicely w/ dnsmasq-full… & will allow you to finally dump stubby. It’d be nice to have the GUI handle user-defined .toml confs too (eg: Quad9).

Here’s the HOW-TO I followed on a Flint (GL-AX1800) w/ f/w 4.4.6-release1 & a Certa (GL-AR750), f/w 4.3.7-release4:

GitHub

Installation on OpenWrt

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols. - DNSCrypt/dnscrypt-proxy

hansome · 2023-11-21T01:26:36.404Z

dnscrypt-proxy2 is relatively big. We have it builtin if the device storage and RAM are enough.

bring.fringe18:

Have you just considered updating the DNS side of the GL GUI to all handle it all by dnscrypt-proxy2?

We’ll check if it’s possible.

bring.fringe18 · 2023-11-21T01:32:10.020Z

Yeah, I could see that being an issue. I happen to run extroot on my Certa (GL-AR750). One LAN client w/ dnscrypt-proxy2 takes 15.6 MB RAM. The Flint (GL-AX1800) in the same scenario is 13.5 MB. Both device’s firmware are current stable builds.

hansome · 2024-01-04T06:15:22.609Z

Update: this issue will be addressed in firmware 4.6. I sent dieterlind a test firmware by private message.

nascent · 2025-01-28T19:22:51.524Z

I discovered this thread as I've been having this exact issue. local DNS works and I can nslookup hostnames on my LAN until a VPN client client is enabled - in my cast wireguard client.
I see this was supposedly fixed a year ago on 4.0. I'm on 4.7.0 a year later and still have this issue.

hansome · 2025-02-05T07:18:24.844Z

Did you enable "AdGuard Home Handle Client Requests", it will intercept dns requests before dnsmasq.