Discussion:
[Dnsmasq-discuss] DNS queries only partly answered by dnsmasq
Benjamin Brücker
2015-10-14 22:09:10 UTC
Permalink
Hi,

For my small network with frequently changing guests I'd like to use dnsmasq, because I would like to block some domains by dnsmasq's address=/../.. feature (great!). For that purpose I have to ensure that all DNS requests are answered by dnsmasq -- what is just partly working. I don't know if I made mistake configuring dnsmasq or interface or iptables or if ipv6 could disorder my configuration.

This is my setup:

Internet (IPv6)
/|\
|
\|/
Router-from-ISP
192.168.0.1
/|\
|
\|/
192.168.0.253 (br0:1)
Ubuntu-Router (DNSMASQ)
192.168.1.1 (br0)
/|\
|
\|/
192.168.1.10-192.168.1.100.150
Clients (Windows, Android, Linux, wired, wireless)

Looks maybe a bit too complicate? Reason for that setup is, that I can not change the ISP router, because the cable provider only allow their own devices, and the ISP router doesn't has no functionality like adding routes or blocking domains.

This is configuration of Ubuntu-Router:

1. Interfaces, with ip tables rules, which are necessary because I cannot add routes on the ISP router:
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
bridge_ports p1p1 wlan1
address 192.168.2.1
network 192.168.2.0
netmask 255.255.255.0
broadcast 192.168.2.255
auto br0:1
iface br0:1 inet static
address 192.168.0.253
netmask 255.255.255.0
broadcast 192.168.0.255
network 192.168.0.0
gateway 192.168.0.1
up /sbin/iptables -F
up /sbin/iptables -X
up /sbin/iptables -t nat -F
up /sbin/iptables -A FORWARD -o br0:1 -i br0 -m conntrack --ctstate NEW -j ACCEPT
up /sbin/iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
up /sbin/iptables -A POSTROUTING -t nat -j MASQUERADE
up /etc/init.d/hostapd restart
up /etc/init.d/dnsmasq restart

2. Resolv.conf:
nameserver 127.0.0.1
nameserver 192.168.0.1

3. dnsmasq.conf:
address=/double-click.net/127.0.0.1
address=/doubleclick.net/127.0.0.1
address=/doubleclickbygoogle.com/127.0.0.1
address=/doubleclickbygoogle.net/127.0.0.1
address=/google-analytics.com/127.0.0.1
address=/google-analytics.net/127.0.0.1
address=/ssl.google-analytics.com/127.0.0.1
address=/googleanalytics.com/127.0.0.1
address=/googleanalytics.net/127.0.0.1
address=/facebook.com/127.0.0.1
interface=lo
interface=br0
listen-address=127.0.0.1
listen-address=::1
listen-address=192.168.2.1
dhcp-range=192.168.2.200,192.168.2.250,255.255.255.0,12h
dhcp-option=121,192.168.2.0/24,192.192.168.2.1
log-queries
log-dhcp

4. syctrl.conf:
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.br0.disable_ipv6 = 1
net.ipv6.conf.br0:1.disable_ipv6 = 1

What happens now is something like this: If I connect one client via DHCP dnsmasq is logging this:

Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 Klient stellt Name bereit: santorin
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 DHCPREQUEST(br0) 192.168.2.231 a0:88:b4:75:69:94
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 Marken: br0
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 DHCPACK(br0) 192.168.2.231 a0:88:b4:75:69:94 santorin
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 angeforderte Optionen: 1:netmask, 28:broadcast, 2:time-offset, 3:router,
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 angeforderte Optionen: 15:domain-name, 6:dns-server, 119:domain-search,
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 angeforderte Optionen: 12:hostname, 44:netbios-ns, 47:netbios-scope,
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 angeforderte Optionen: 26:mtu, 121:classless-static-route, 42:ntp-server,
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 angeforderte Optionen: 121:classless-static-route, 249, 33:static-route,
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 angeforderte Optionen: 252, 42:ntp-server
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 Nächster Server: 192.168.2.1
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 1 option: 53 message-type 5
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 54 server-identifier 192.168.2.1
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 51 lease-time 12h
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 58 T1 6h
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 59 T2 10h30m
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 1 netmask 255.255.255.0
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 28 broadcast 192.168.2.255
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 3 router 192.168.2.1
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 6 dns-server 192.168.2.1
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 8 option: 12 hostname santorin

This looks to me very well. But if I browse the internet on the client, just some of DNS queries appear in the internet:

Oct 14 22:19:34 sithonia dnsmasq[1072]: query[A] button.flattr.com from 192.168.2.231
Oct 14 22:19:34 sithonia dnsmasq[1072]: forwarded button.flattr.com to 192.168.0.1
Oct 14 22:19:34 sithonia dnsmasq[1072]: reply button.flattr.com is 104.20.15.50

In this case the server was "taz.de" but just some buttons apper in the dnsmasq log. And I can browse "facebook.com" which I turned to Ubuntu-Routers IP.

I use dnsmasq version 2.68-***@Ubuntu server 14.04.3.

Any idea why DNS queries only partly answered by dnsmasq? What is wrong with my configuration?

Thx, Benjamin
Albert ARIBAUD
2015-10-15 06:47:49 UTC
Permalink
Bonjour Benjamin,

Le Wed, 14 Oct 2015 22:09:10 +0000, Benjamin Brücker
Post by Benjamin Brücker
Hi,
For my small network with frequently changing guests I'd like to use dnsmasq, because I would like to block some domains by dnsmasq's address=/../.. feature (great!). For that purpose I have to ensure that all DNS requests are answered by dnsmasq -- what is just partly working. I don't know if I made mistake configuring dnsmasq or interface or iptables or if ipv6 could disorder my configuration.
Internet (IPv6)
/|\
|
\|/
Router-from-ISP
192.168.0.1
/|\
|
\|/
192.168.0.253 (br0:1)
Ubuntu-Router (DNSMASQ)
192.168.1.1 (br0)
/|\
|
\|/
192.168.1.10-192.168.1.100.150
Clients (Windows, Android, Linux, wired, wireless)
Looks maybe a bit too complicate? Reason for that setup is, that I can not change the ISP router, because the cable provider only allow their own devices, and the ISP router doesn't has no functionality like adding routes or blocking domains.
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
bridge_ports p1p1 wlan1
address 192.168.2.1
network 192.168.2.0
netmask 255.255.255.0
broadcast 192.168.2.255
auto br0:1
iface br0:1 inet static
address 192.168.0.253
netmask 255.255.255.0
broadcast 192.168.0.255
network 192.168.0.0
gateway 192.168.0.1
up /sbin/iptables -F
up /sbin/iptables -X
up /sbin/iptables -t nat -F
up /sbin/iptables -A FORWARD -o br0:1 -i br0 -m conntrack --ctstate NEW -j ACCEPT
up /sbin/iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
up /sbin/iptables -A POSTROUTING -t nat -j MASQUERADE
up /etc/init.d/hostapd restart
up /etc/init.d/dnsmasq restart
Maybe OT, but while I see a point to br0 (probably bridging the wired
and wireless parts of your LAN), I can't see that of br0:1, since on
your synoptic, the "br0:1" interfaces are different from the "br0"
interfaces -- IOW, the 192.168.0/24 subnet is between the cable router
and the Ubuntu router, and the 192.168.2/24 subnet is between the
Ubuntu router and the LAN+WLAN, so they should not share any common
interface.
Post by Benjamin Brücker
nameserver 127.0.0.1
nameserver 192.168.0.1
I assume it is the resolv.conf of the Ubuntu server? What about that of
the LAN+WAN clients?
Post by Benjamin Brücker
address=/double-click.net/127.0.0.1
address=/doubleclick.net/127.0.0.1
address=/doubleclickbygoogle.com/127.0.0.1
address=/doubleclickbygoogle.net/127.0.0.1
address=/google-analytics.com/127.0.0.1
address=/google-analytics.net/127.0.0.1
address=/ssl.google-analytics.com/127.0.0.1
address=/googleanalytics.com/127.0.0.1
address=/googleanalytics.net/127.0.0.1
address=/facebook.com/127.0.0.1
interface=lo
interface=br0
listen-address=127.0.0.1
listen-address=::1
listen-address=192.168.2.1
dhcp-range=192.168.2.200,192.168.2.250,255.255.255.0,12h
dhcp-option=121,192.168.2.0/24,192.192.168.2.1
log-queries
log-dhcp
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.br0.disable_ipv6 = 1
net.ipv6.conf.br0:1.disable_ipv6 = 1
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 Klient stellt Name bereit: santorin
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 DHCPREQUEST(br0) 192.168.2.231 a0:88:b4:75:69:94
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 Marken: br0
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 DHCPACK(br0) 192.168.2.231 a0:88:b4:75:69:94 santorin
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 angeforderte Optionen: 1:netmask, 28:broadcast, 2:time-offset, 3:router,
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 angeforderte Optionen: 15:domain-name, 6:dns-server, 119:domain-search,
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 angeforderte Optionen: 12:hostname, 44:netbios-ns, 47:netbios-scope,
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 angeforderte Optionen: 26:mtu, 121:classless-static-route, 42:ntp-server,
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 angeforderte Optionen: 121:classless-static-route, 249, 33:static-route,
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 angeforderte Optionen: 252, 42:ntp-server
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 Nächster Server: 192.168.2.1
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 1 option: 53 message-type 5
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 54 server-identifier 192.168.2.1
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 51 lease-time 12h
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 58 T1 6h
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 59 T2 10h30m
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 1 netmask 255.255.255.0
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 28 broadcast 192.168.2.255
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 3 router 192.168.2.1
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 4 option: 6 dns-server 192.168.2.1
Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size: 8 option: 12 hostname santorin
Oct 14 22:19:34 sithonia dnsmasq[1072]: query[A] button.flattr.com from 192.168.2.231
Oct 14 22:19:34 sithonia dnsmasq[1072]: forwarded button.flattr.com to 192.168.0.1
Oct 14 22:19:34 sithonia dnsmasq[1072]: reply button.flattr.com is 104.20.15.50
Not sure what's wrong here. flattr.com is not in any of your
dnsmasq's "address=" lines, so dnsmasq forwards queries for this domain
to its upstream, which replies. Were you expecting something else? Can
you post logs and annotate them, so that we know what went as
expected and what did not (and in the latter case, what you were
expecting)?
Post by Benjamin Brücker
In this case the server was "taz.de" but just some buttons apper in the dnsmasq log. And I can browse "facebook.com" which I turned to Ubuntu-Routers IP.
Can you provide annotated logs for facebook.com requests?
Post by Benjamin Brücker
Any idea why DNS queries only partly answered by dnsmasq? What is wrong with my configuration?
Thx, Benjamin
Amicalement,
--
Albert.
Brad Morgan
2015-10-15 15:34:45 UTC
Permalink
Post by Benjamin Brücker
Looks maybe a bit too complicate? Reason for that setup is, that I can not change the ISP router,
because the cable provider only allow their own devices, and the ISP router doesn't has
no functionality like adding routes or blocking domains.
You may be able to simplify this a bit by asking your ISP to put their router in "bridge mode". If configured that way, it will pass the external IP address, etc. on to your Ubuntu router. This way you can avoid the double-NAT.
Loading...