
Our dnsmasq is not able to resolve A, CNAME or Alias records from public domains that specify private IP addresses.

For example:

$ nslookup
> server 172.16.1.1
Default server: 172.16.1.1
Address: 172.16.1.1#53

> www.work-domain.com
Server:         172.16.1.1
Address:        172.16.1.1#53

Non-authoritative answer:
Name:   www.work-domain.com
Address: 55.77.XXX.XXX

> server-b.work-domain.com
Server:         172.16.1.1
Address:        172.16.1.1#53

Non-authoritative answer:
*** Can't find server-b.work-domain.com: No answer

But switching to a public DNS works fine:

$ nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53

> www.work-domain.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   www.work-domain.com
Address: 55.77.XXX.XXX

> server-b.work-domain.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   server-b.work-domain.com
Address: 10.1.XXX.XXX

Notice the server-b.work-domain.com entry properly resolves to a non-routable IP address of 10.1.XXX.XXX? That's my problem: that does not work with my local dnsmasq on the local network.

These IP addresses are part of our Amazon AWS private subnets, and we have VPNs to gain access to them.

This is all 100% consistent across all 200+ servers registered with 4 different public domains across several subnets, all using a private non-routable IP address. Yet all other records using public routable IP addresses work just fine, on the same domain!

Everything else is 100% working normally with local dnsmasq:

  • resolves all public domains
  • resolves all IP reverse lookups of public IPs
  • resolves all internal private domain and hosts
  • resolves all IP reverse lookups of private IPs and DHCP leases

It's just public records using private non-routable IPs.

I must be missing some option that I am unable to interpret reading the MAN page.

Version:

Dnsmasq version 2.73 # (part of AdvancedTomato)

Configuration (removed sensitive entries, left example ones):

# dhcp-option=lan,3,172.16.1.1
cache-size=8192
log-async=25
strict-order
#local=/lan/
#domain=lan,172.16.1.0/24,local
expand-hosts
domain-needed

# network devices
address=/router-gateway.lan/172.16.1.1
address=/router-office.lan/172.16.1.2
...and so on x 70

# arpa entries
ptr-record=1.1.16.172.in-addr.arpa,"router-gateway.lan"
ptr-record=2.1.16.172.in-addr.arpa,"router-office.lan"
...and so on

The local resolv files on AdvancedTomato spit out:

# cat /etc/resolv.conf
nameserver 127.0.0.1

# cat /etc/resolv.dnsmasq
nameserver 8.8.8.8
nameserver 8.8.4.4

Again, everything works perfectly with the local LAN on Windows, OSX and Linux clients resolving public and internal domains and LANs and even hosts without the domain suffix (server-xyz -> resolves to server-xyz.lan).

It's just public domains that use non-routable IPs.

Eric Duncan
Comments:

  • Where are the records for the 10.x.x.x systems stored? – user9517 Nov 23 '16 at 21:43
  • I would assume that you will want to have a look at the rebind settings. http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html – Håkan Lindqvist Nov 23 '16 at 21:46
  • @Hanginoninquietdesperation they are stored in the same AWS Route53 using the same zonefile! Right next to each other. – Eric Duncan Nov 23 '16 at 21:49
  • @HåkanLindqvist ah hah! `--stop-dns-rebind Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network.` That may be it! I am testing now... Make an answer and if that is it, I'll mark it! – Eric Duncan Nov 23 '16 at 21:50

1 Answer

@HåkanLindqvist's comment pointed me in the right direction. As soon as he answers, I'll mark his as the answer. Until then...

His comment pointed me to the rebind options for dnsmasq:

--stop-dns-rebind
    Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network.
--rebind-localhost-ok
    Exempt 127.0.0.0/8 from rebinding checks. This address range is returned by realtime black hole servers, so blocking it may disable these services.
--rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
    Do not detect and block dns-rebind on queries to these domains. The argument may be either a single domain, or multiple domains surrounded by '/', like the --server syntax, eg. --rebind-domain-ok=/domain1/domain2/domain3/

Armed with that knowledge, I see that is in fact what is happening:

# cat /tmp/etc/dnsmasq.conf
...
rebind-localhost-ok
...

Then I added the following to my dnsmasq.conf to fix it:

rebind-domain-ok=/work-domain1.com/work-domain2.com/

Woohoo! It works!

My dnsmasq must have been compiled with a strict option to default with.

Eric Duncan
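Added example (not code from the question, the answer or the dnsmasq project): a small Python model of the rebind filter the answer describes, showing why the 10.1.x.x answer for server-b.work-domain.com is dropped while the public 55.77.x.x answer passes, and how rebind-domain-ok exempts a domain. The private ranges and the argument parsing are my reading of the man page text quoted above, not dnsmasq's source; 10.1.2.3 and 55.77.1.1 are constructed stand-ins for the masked addresses in the question.

```python
"""Model of dnsmasq's --stop-dns-rebind decision (approximation, not dnsmasq's code)."""
import ipaddress
from dataclasses import dataclass, field

# Assumption: "private IP ranges" means RFC 1918 plus link-local. Loopback is
# kept separate because rebind-localhost-ok exempts only 127.0.0.0/8.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass
class RebindConfig:
    stop_dns_rebind: bool = True              # the build in the question behaves as if on
    rebind_localhost_ok: bool = False         # 'rebind-localhost-ok' in dnsmasq.conf
    rebind_domain_ok: list = field(default_factory=list)   # 'rebind-domain-ok=/a/b/'


def parse_rebind_domain_ok(value: str) -> list:
    """Parse the '/dom1/dom2/' (or bare 'dom') argument form from the man page."""
    return [d.lower() for d in value.strip("/").split("/") if d]


def name_in_domain(name: str, domain: str) -> bool:
    """True when `name` is `domain` itself or a host beneath it."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def rebind_filter(qname: str, answer_ip: str, cfg: RebindConfig) -> str:
    """Return 'accept' or 'reject' for one A record returned by an upstream server."""
    if not cfg.stop_dns_rebind:
        return "accept"
    if any(name_in_domain(qname, d) for d in cfg.rebind_domain_ok):
        return "accept"                       # query name is in an exempted domain
    ip = ipaddress.ip_address(answer_ip)
    if ip in LOOPBACK:
        return "accept" if cfg.rebind_localhost_ok else "reject"
    if any(ip in net for net in PRIVATE_NETS):
        return "reject"                       # dnsmasq would log and drop this answer
    return "accept"


# Constructed upstream answers mirroring the nslookup transcript in the question.
UPSTREAM_ANSWERS = {
    "www.work-domain.com": "55.77.1.1",       # public address: passes either way
    "server-b.work-domain.com": "10.1.2.3",   # private address: dropped until exempted
}


def resolve_all(cfg: RebindConfig) -> dict:
    """Apply the filter to every constructed answer; returns name -> decision."""
    return {name: rebind_filter(name, ip, cfg) for name, ip in UPSTREAM_ANSWERS.items()}
```

Running `resolve_all` with the original config and again with `rebind_domain_ok=parse_rebind_domain_ok("/work-domain.com/")` reproduces the before and after behaviour from the thread.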