OpenWrt Forum Archive

Topic: dns isp resolution 3g/4g lease

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi again

I have the following situation: I set up a new 3G modem interface, working OK in Chaos Calmer 15.05.1

3g-3g    Type: 3g
Address: xx.201.21.163
Netmask: 255.255.255.255
Gateway: xx.64.64.64
DNS 1: 172.18.254.37
Connected: 0h 2m 26s

However, the issue appears when the clients (laptops, phones) need the original DNS of the ISP (in this case 172.18.254.37) to resolve some specific URL, for example to buy data (MB, GB) in order to use the internet.

The closest or simplest fix I used to resolve the URL on all clients is to set list dhcp_option '6':

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,172.18.254.37'

But using this option I lose the resolution of the hostnames of devices in the LAN. Also, I would like dhcp_option 6 to look up the DNS of the provider automatically and use it in the DHCP lease.

How can I fix this issue (lease the DNS of the ISP to the LAN clients AND not lose the resolution of hostnames in the LAN)?

Thanks

I do not understand why the clients need to use the ISP's DNS directly, if the router is already configured to use the ISP's DNS.

I also don't understand why the default DNS config doesn't work, but I checked that when my data plan of 100 GB is all consumed I cannot enter the company's site to buy more data to complete the month. So I checked: when I put the 3G/4G modem in my laptop I can do it. I can enter the site to buy more data.
Finally I tested again using the 4G/3G modem in the router, but with the ISP DNS in the DHCP lease, and I could enter the site. Captive portals, I believe they are called.

So my question was: what is the correct config so the router can look up and set the DNS of the ISP in DHCP automatically, without configuring it manually (because I think it is dynamic), and so the clients can also resolve the hostnames of devices in the LAN?

Using list dhcp_option '6,172.18.254.37,192.168.1.1' the second DNS doesn't work. I cannot access the router using its hostname.

Thanks a lot for reading

I do not think it is possible to tell your clients to use one DNS for one domain and the other DNS for the rest of the requests. And announcing two DNS servers does not work because the first one is answering with "not a domain"; it should fail to answer at all for the client to use the second DNS.

I would try to figure out why using DNSMASQ as a cache is causing this trouble. Configure DNSMASQ to log all DNS queries, configure your clients to use the DNS at the router, and try to access the site. Perhaps this will give you some info on why it fails.

Hi

I enabled logging of queries while using the DNS 192.168.1.1 in the DHCP lease, and I can find the line "nameserver 172.18.254.37 refused to do a recursive query".

Do you know how to fix it?

Sun Jan 31 14:52:22 2016 daemon.info dnsmasq[2385]: query[AAAA] 3.openwrt.pool.ntp.org from 127.0.0.1
Sun Jan 31 14:52:22 2016 daemon.info dnsmasq[2385]: forwarded 3.openwrt.pool.ntp.org to 172.18.254.37
Sun Jan 31 14:52:23 2016 daemon.warn dnsmasq[2385]: nameserver 172.18.254.37 refused to do a recursive query
Sun Jan 31 14:52:23 2016 daemon.info dnsmasq[2385]: reply 3.openwrt.pool.ntp.org is NODATA-IPv6
Sun Jan 31 14:52:23 2016 daemon.info dnsmasq[2385]: query[A] 3.openwrt.pool.ntp.org from 127.0.0.1
Sun Jan 31 14:52:23 2016 daemon.info dnsmasq[2385]: forwarded 3.openwrt.pool.ntp.org to 172.18.254.37
Sun Jan 31 14:52:23 2016 daemon.warn dnsmasq[2385]: possible DNS-rebind attack detected: 3.openwrt.pool.ntp.org
Sun Jan 31 14:52:23 2016 daemon.info dnsmasq[2385]: query[AAAA] time.windows.com from 127.0.0.1
Sun Jan 31 14:52:23 2016 daemon.info dnsmasq[2385]: forwarded time.windows.com to 172.18.254.37
Sun Jan 31 14:52:24 2016 daemon.warn dnsmasq[2385]: nameserver 172.18.254.37 refused to do a recursive query
Sun Jan 31 14:52:24 2016 daemon.info dnsmasq[2385]: reply time.windows.com is NODATA-IPv6
Sun Jan 31 14:52:24 2016 daemon.info dnsmasq[2385]: query[A] time.windows.com from 127.0.0.1
Sun Jan 31 14:52:24 2016 daemon.info dnsmasq[2385]: forwarded time.windows.com to 172.18.254.37
Sun Jan 31 14:52:24 2016 daemon.warn dnsmasq[2385]: possible DNS-rebind attack detected: time.windows.com
Sun Jan 31 14:52:26 2016 daemon.info dnsmasq[2385]: query[A] google.com from 192.168.1.112
Sun Jan 31 14:52:26 2016 daemon.info dnsmasq[2385]: forwarded google.com to 172.18.254.37
Sun Jan 31 14:52:26 2016 daemon.warn dnsmasq[2385]: possible DNS-rebind attack detected: google.com
Sun Jan 31 14:52:30 2016 daemon.info dnsmasq[2385]: query[AAAA] 3.openwrt.pool.ntp.org from 127.0.0.1
Sun Jan 31 14:52:30 2016 daemon.info dnsmasq[2385]: forwarded 3.openwrt.pool.ntp.org to 172.18.254.37
Sun Jan 31 14:52:31 2016 daemon.warn dnsmasq[2385]: nameserver 172.18.254.37 refused to do a recursive query
Sun Jan 31 14:52:31 2016 daemon.info dnsmasq[2385]: reply 3.openwrt.pool.ntp.org is NODATA-IPv6
Sun Jan 31 14:52:31 2016 daemon.info dnsmasq[2385]: query[A] 3.openwrt.pool.ntp.org from 127.0.0.1
Sun Jan 31 14:52:31 2016 daemon.info dnsmasq[2385]: forwarded 3.openwrt.pool.ntp.org to 172.18.254.37
Sun Jan 31 14:52:31 2016 daemon.warn dnsmasq[2385]: possible DNS-rebind attack detected: 3.openwrt.pool.ntp.org
Sun Jan 31 14:52:31 2016 daemon.info dnsmasq[2385]: query[AAAA] time.windows.com from 127.0.0.1
Sun Jan 31 14:52:31 2016 daemon.info dnsmasq[2385]: forwarded time.windows.com to 172.18.254.37
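What the log above shows, worked through as an added example (this code is not part of the original thread and is not dnsmasq's own): a small Python analyzer that parses dnsmasq log lines of this format, attributes the "refused to do a recursive query" and "possible DNS-rebind attack detected" warnings to the upstream each name was forwarded to, and separates names answered locally (/etc/hosts, DHCP leases) from names that left the router. The sample lines embedded in it are constructed in the format of the post; the client address 192.168.1.112, the openwrt.lan entry and the "usable forwarder" rule are assumptions made for the example, so it runs offline.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the dnsmasq log format shown in the thread (not copied
# verbatim from the post). The LAN client and the openwrt.lan /etc/hosts entry are assumed.
SAMPLE_LOG = """\
Sun Jan 31 14:52:22 2016 daemon.info dnsmasq[2385]: query[AAAA] 3.openwrt.pool.ntp.org from 127.0.0.1
Sun Jan 31 14:52:22 2016 daemon.info dnsmasq[2385]: forwarded 3.openwrt.pool.ntp.org to 172.18.254.37
Sun Jan 31 14:52:23 2016 daemon.warn dnsmasq[2385]: nameserver 172.18.254.37 refused to do a recursive query
Sun Jan 31 14:52:23 2016 daemon.info dnsmasq[2385]: reply 3.openwrt.pool.ntp.org is NODATA-IPv6
Sun Jan 31 14:52:23 2016 daemon.info dnsmasq[2385]: query[A] 3.openwrt.pool.ntp.org from 127.0.0.1
Sun Jan 31 14:52:23 2016 daemon.info dnsmasq[2385]: forwarded 3.openwrt.pool.ntp.org to 172.18.254.37
Sun Jan 31 14:52:23 2016 daemon.warn dnsmasq[2385]: possible DNS-rebind attack detected: 3.openwrt.pool.ntp.org
Sun Jan 31 14:52:26 2016 daemon.info dnsmasq[2385]: query[A] google.com from 192.168.1.112
Sun Jan 31 14:52:26 2016 daemon.info dnsmasq[2385]: forwarded google.com to 172.18.254.37
Sun Jan 31 14:52:26 2016 daemon.warn dnsmasq[2385]: possible DNS-rebind attack detected: google.com
Sun Jan 31 14:52:27 2016 daemon.info dnsmasq[2385]: query[A] openwrt.lan from 192.168.1.112
Sun Jan 31 14:52:27 2016 daemon.info dnsmasq[2385]: /etc/hosts openwrt.lan is 192.168.1.1
"""

# syslog prefix as logread prints it: "<timestamp> daemon.<level> dnsmasq[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) daemon\.(?P<level>\w+) dnsmasq\[\d+\]: (?P<msg>.*)$"
)
# the message shapes that matter for this diagnosis (dnsmasq --log-queries output)
MSG_PATTERNS = [
    ("query", re.compile(r"^query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")),
    ("forwarded", re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")),
    ("refused", re.compile(r"^nameserver (?P<upstream>\S+) refused to do a recursive query$")),
    ("rebind", re.compile(r"^possible DNS-rebind attack detected: (?P<name>\S+)$")),
    ("reply", re.compile(r"^reply (?P<name>\S+) is (?P<value>\S+)$")),
    ("local", re.compile(r"^(?P<source>/etc/hosts|DHCP|config) (?P<name>\S+) is (?P<value>\S+)$")),
]


def parse_line(line):
    """Return a dict describing one log line, or None if it is not a dnsmasq line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "level": m["level"], "kind": "other", "msg": m["msg"]}
    for kind, pat in MSG_PATTERNS:
        mm = pat.match(m["msg"])
        if mm:
            rec["kind"] = kind
            rec.update(mm.groupdict())
            break
    return rec


def analyze(log_text):
    """Correlate forwards with upstream warnings and summarise per upstream and per client."""
    upstreams = defaultdict(lambda: {"forwarded": 0, "refused_recursion": 0, "rebind_blocked": 0, "names": set()})
    clients = defaultdict(set)  # client address -> names it asked for
    local_answers = {}          # names dnsmasq answered itself, never forwarded
    forwarded_to = {}           # name -> upstream it was last forwarded to
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = rec["kind"]
        if kind == "query":
            clients[rec["client"]].add(rec["name"])
        elif kind == "forwarded":
            up = upstreams[rec["upstream"]]
            up["forwarded"] += 1
            up["names"].add(rec["name"])
            forwarded_to[rec["name"]] = rec["upstream"]
        elif kind == "refused":
            upstreams[rec["upstream"]]["refused_recursion"] += 1
        elif kind == "rebind":
            # the warning names only the domain; charge it to the upstream that answered it
            up = forwarded_to.get(rec["name"])
            if up is not None:
                upstreams[up]["rebind_blocked"] += 1
        elif kind == "local":
            local_answers[rec["name"]] = rec["value"]
    result = {"upstreams": {}, "clients": {c: sorted(n) for c, n in clients.items()}, "local_answers": local_answers}
    for addr, s in upstreams.items():
        result["upstreams"][addr] = {
            "forwarded": s["forwarded"],
            "refused_recursion": s["refused_recursion"],
            "rebind_blocked": s["rebind_blocked"],
            "names": sorted(s["names"]),
            # rule assumed for this example: an upstream that refuses recursion and hands back
            # private addresses for public names will never give clients a usable public answer
            "usable_forwarder": s["refused_recursion"] == 0 and s["rebind_blocked"] == 0,
        }
    return result


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    for addr, s in summary["upstreams"].items():
        print(addr, s)
    print("answered locally:", summary["local_answers"])
```

Run it against `logread` output on the router (after enabling query logging in the dnsmasq section of /etc/config/dhcp) to see at a glance which upstream is refusing recursion, which names it tripped the rebind check on, and which names never left the router at all; the openwrt.lan line shows why those local names keep working only while clients point at 192.168.1.1.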

Have a look at the answer in the official DNSMASQ FAQ: http://www.thekelleys.org.uk/dnsmasq/docs/FAQ

The nameserver at 172.18.254.37 cannot be used to query sites other than those owned by your ISP. Do your clients work properly (can they reach any external site) when configured to use that DNS?

No, they cannot resolve external sites, because I think after the data plan is consumed the DNS changes somehow, since the IP also changes from public to one of the type 10.xxx.xxx.xxx.
All external sites are forwarded to the company's captive portal site, but I don't understand why it only happens when I set the DNS of the DHCP lease to the ISP DNS and not 192.168.1.1.
Probably then, when I buy an extra data plan using the ISP DNS of the authoritative type, I will not be able to surf the internet; I will have to change the DNS server back to the default again.
It is not a hard task, but the rest of the family are ignorant about Linux or networking and routers... maybe there is no simple solution.

(Last edited by jxtrem on 13 Jul 2017, 17:27)

I do not understand why it does not work when DNSMASQ makes the request instead of when a client makes the request, and I think the key is here. I would try to figure out what exact answer is the DNS at the ISP sending when you are out of quota. There are a couple of utilities ("nslookup" and "dig") that can query a DNS and show the answer. Perhaps you could give it a try.

Yes, of course, I also want to know WHY,
but I'm not an expert. I will try to figure out the answer.

... I got the following output using the dig and nslookup commands

USING the DNS of the DHCP LEASE = 192.168.1.1

root@openwrt:~# nslookup google.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

nslookup: can't resolve 'google.com': Name or service not known


root@openwrt:~# logread -f
Thu Jul 13 18:21:03 2017 daemon.info dnsmasq[2514]: query[AAAA] google.com from 127.0.0.1
Thu Jul 13 18:21:03 2017 daemon.info dnsmasq[2514]: forwarded google.com to 172.18.254.37
Thu Jul 13 18:21:03 2017 daemon.warn dnsmasq[2514]: nameserver 172.18.254.37 refused to do a recursive query
Thu Jul 13 18:21:03 2017 daemon.info dnsmasq[2514]: reply google.com is NODATA-IPv6
Thu Jul 13 18:21:03 2017 daemon.info dnsmasq[2514]: query[A] google.com from 127.0.0.1
Thu Jul 13 18:21:03 2017 daemon.info dnsmasq[2514]: forwarded google.com to 172.18.254.37
Thu Jul 13 18:21:04 2017 daemon.warn dnsmasq[2514]: possible DNS-rebind attack detected: google.com

-----------------------------------------------------------------------------------------------------------

artg@debian:~$ dig google.com

; <<>> DiG 9.9.5-9+deb8u12-Debian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14781
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 810 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jul 14 11:42:58 XXX 2017
;; MSG SIZE  rcvd: 39

-----------------------------------------------------------------------------------------------------------

C:\Users\artg>nslookup google.com
Server:  openwrt.lan
Address:  192.168.1.1

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for google.com

USING the DNS of the DHCP LEASE = 172.18.254.37

root@openwrt:~# nslookup google.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

nslookup: can't resolve 'google.com': Name or service not known

-----------------------------------------------------------------------------------------------------------
root@openwrt:~# logread -f
Thu Jul 13 18:28:36 2017 daemon.info dnsmasq[2857]: query[AAAA] google.com from 127.0.0.1
Thu Jul 13 18:28:36 2017 daemon.info dnsmasq[2857]: forwarded google.com to 172.18.254.37
Thu Jul 13 18:28:36 2017 daemon.warn dnsmasq[2857]: nameserver 172.18.254.37 refused to do a recursive query
Thu Jul 13 18:28:36 2017 daemon.info dnsmasq[2857]: reply google.com is NODATA-IPv6
Thu Jul 13 18:28:36 2017 daemon.info dnsmasq[2857]: query[A] google.com from 127.0.0.1
Thu Jul 13 18:28:36 2017 daemon.info dnsmasq[2857]: forwarded google.com to 172.18.254.37
Thu Jul 13 18:28:36 2017 daemon.warn dnsmasq[2857]: possible DNS-rebind attack detected: google.com

-----------------------------------------------------------------------------------------------------------

artg@debian:~$ dig google.com

; <<>> DiG 9.9.5-9+deb8u12-Debian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56325
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             10800   IN      A       172.29.220.8

;; AUTHORITY SECTION:
.                       10800   IN      NS      172.18.254.37.

;; ADDITIONAL SECTION:
172.18.254.37.          10800   IN      A       172.29.220.8

;; Query time: 2141 msec
;; SERVER: 172.18.254.37#53(172.18.254.37)
;; WHEN: Fri Jul 14 11:48:38 XXX 2017
;; MSG SIZE  rcvd: 97

-----------------------------------------------------------------------------------------------------------

C:\Users\artg>nslookup google.com
Server:  UnKnown
Address:  172.18.254.37

Name:  google.com.lan
Address:  172.29.220.8

3G interface

Network
IPv4 WAN Status    

3g-3g    Type: 3g
Address: 10.28.XXX.7
Netmask: 255.255.255.255
Gateway: 10.64.XX.6X
DNS 1: 172.18.254.37
Connected: 0h 22m 7s

Conclusion: the DNS queries forwarded through the router will never get an answer, AND a direct query to the ISP DNS from a client device will always resolve every domain to 172.29.220.8 (the site to buy an extra data plan, I think).

But I don't know more about DNS or what is inside the packets that are sent to filter queries, I'm sorry.

(Last edited by jxtrem on 14 Jul 2017, 16:36)
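The dig output above is the whole story in two flags and one record: when out of quota the ISP resolver answers with aa set and ra clear (it behaves as an authoritative-only server and refuses recursion, which is dnsmasq's "refused to do a recursive query" warning), and it returns the walled-garden address 172.29.220.8, inside the 172.16.0.0/12 private range, for a public name such as google.com. dnsmasq's rebind protection (stop-dns-rebind, enabled in OpenWrt by `option rebind_protection '1'` in the dnsmasq section of /etc/config/dhcp) refuses to pass a private address for a public name to clients, which is why clients that go through 192.168.1.1 get an empty answer while clients that talk to 172.18.254.37 directly land on the portal. The following added Python example (not from the thread and not dnsmasq's code) builds a DNS response shaped like the ISP's dig output from constructed bytes, parses it, and applies an approximation of those two dnsmasq checks; the list of private ranges, the lan-domain exemption and the "healthy" answer 203.0.113.10 are assumptions made for the example.

```python
import ipaddress
import struct

# DNS header flag bits and the record types used here
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1

# Ranges treated as "private" for the rebind check. Assumption: this approximates the set
# dnsmasq uses for stop-dns-rebind; it is not copied from dnsmasq.
REBIND_NETS = [ipaddress.ip_network(n) for n in
               ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rdata_for(rtype, value):
    if rtype == TYPE_A:
        return ipaddress.IPv4Address(value).packed
    if rtype == TYPE_NS:
        return encode_name(value)
    raise ValueError("unsupported rtype %d" % rtype)


def build_response(qname, flags, answers=(), authority=(), additional=(), txid=0x1234):
    """Serialise a DNS response for an A question. Each RR is (name, rtype, ttl, value)."""
    sections = (answers, authority, additional)
    hdr = struct.pack("!HHHHHH", txid, QR | flags, 1, *(len(s) for s in sections))
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for sec in sections:
        for name, rtype, ttl, value in sec:
            rd = rdata_for(rtype, value)
            body += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rd)) + rd
    return hdr + body


def read_name(data, off):
    """Decode a name at offset, following compression pointers; returns (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(data):
    """Parse header flags and the answer/authority/additional sections of a response."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(data, off)
        off += 4  # qtype + qclass

    def rrs(count):
        nonlocal off
        out = []
        for _ in range(count):
            name, off = read_name(data, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            if rtype == TYPE_A:
                value = str(ipaddress.IPv4Address(data[off:off + rdlen]))
            elif rtype == TYPE_NS:
                value, _ = read_name(data, off)
            else:
                value = data[off:off + rdlen].hex()
            off += rdlen
            out.append((name, rtype, ttl, value))
        return out

    answer, authority, additional = rrs(an), rrs(ns), rrs(ar)
    return {"rcode": flags & 0xF, "aa": bool(flags & AA), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "answer": answer, "authority": authority, "additional": additional}


def check_response(parsed, local_domain="lan"):
    """Approximate dnsmasq's two checks seen in the thread's log.
    The recursion warning is informational (dnsmasq still passes such a reply on, as the
    NODATA-IPv6 lines show); a private address for a non-local name is withheld (stop-dns-rebind)."""
    warnings, rebind_hit = [], False
    if parsed["rd"] and not parsed["ra"]:
        warnings.append("nameserver refused to do a recursive query")
    for name, rtype, _ttl, value in parsed["answer"]:
        if rtype != TYPE_A:
            continue
        is_local = name.rstrip(".").endswith("." + local_domain)  # assumed lan-domain exemption
        if not is_local and any(ipaddress.IPv4Address(value) in net for net in REBIND_NETS):
            warnings.append("possible DNS-rebind attack detected: %s -> %s" % (name.rstrip("."), value))
            rebind_hit = True
    return {"deliver": not rebind_hit, "warnings": warnings}


# Constructed bytes modelled on the dig output in the thread: aa and rd set, ra clear,
# google.com answered with the walled-garden address, authority NS pointing at the ISP resolver.
ISP_RESPONSE = build_response(
    "google.com", AA | RD,
    answers=[("google.com.", TYPE_A, 10800, "172.29.220.8")],
    authority=[(".", TYPE_NS, 10800, "172.18.254.37.")],
    additional=[("172.18.254.37.", TYPE_A, 10800, "172.29.220.8")],
)
# Constructed healthy recursive answer; 203.0.113.10 is a documentation address, not google.com's.
GOOD_RESPONSE = build_response("google.com", RD | RA, answers=[("google.com.", TYPE_A, 300, "203.0.113.10")])

if __name__ == "__main__":
    for label, raw in (("ISP walled garden", ISP_RESPONSE), ("normal recursive", GOOD_RESPONSE)):
        p = parse_response(raw)
        print(label, "aa=%s ra=%s answer=%s" % (p["aa"], p["ra"], p["answer"]), check_response(p))
```

The same parser run against a real capture (for instance `tcpdump -i 3g-3g -w dns.pcap port 53` on the router, then the UDP payloads) will show the identical pattern whenever the ISP has swapped its resolver for the portal one. If the goal is only to let the family reach the top-up portal without turning rebind protection off for everything, dnsmasq can forward a single domain to the ISP resolver and exempt just that domain from the check: `list server '/portal.example/172.18.254.37'` and `list rebind_domain 'portal.example'` in the dnsmasq section of /etc/config/dhcp, where portal.example is a placeholder because the thread does not name the portal host.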
