
Resolving DNS through OpenVPN
Tags: [openvpn] [dnsmasq]
Published: 19 Oct 2016 21:46

I have OpenVPN on my home’s OpenWRT router configured so that all traffic is sent through the tunnel, and this includes DNS requests. But any DNS query using just a machine’s hostname did not work:

jwm@magnus:~ [] $ ping capablanca
ping: unknown host capablanca

This works when the querying machine is part of the LAN, so why doesn’t it work when the query comes in over the VPN?

netcat showed an interesting error I had never seen before:

jwm@magnus:~ [] $ nc -v 192.168.1.1 53
192.168.1.1: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.1.1] 53 (domain) open

I installed tcpdump on the router:

root@OpenWrt:~# opkg install tcpdump

and ran the same netcat query again. tcpdump on the router showed:

root@OpenWrt:~# tcpdump -vvvv -i tun0 'port 53'
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
00:41:52.564473 IP (tos 0x0, ttl 64, id 32590, offset 0, flags [DF], proto UDP (17), length 70)
    10.8.0.6.45049 > OpenWrt.lan.domain: [udp sum ok] 41268+ PTR? 1.1.168.192.in-addr.arpa. (42)

So the initial DNS packet is reaching OpenWRT, but dnsmasq isn’t responding to it.

The problem is the localservice directive in /etc/config/dhcp, which OpenWRT turns into local-service in the generated /var/etc/dnsmasq.conf:

option localservice '1'

where local-service means:

--local-service
    Accept DNS queries only from hosts whose address is on a local
    subnet, i.e. a subnet for which an interface exists on the
    server. This option only has effect if there are no --interface,
    --except-interface, --listen-address or --auth-server options.
    It is intended to be set as a default on installation, to allow
    unconfigured installations to be useful but also safe from being
    used for DNS amplification attacks.

Adding the following options to the dnsmasq section of /etc/config/dhcp tells dnsmasq to listen on the VPN interface as well as the LAN bridge. Once an interface list is set, local-service no longer has any effect, but dnsmasq then answers only on the interfaces named here, so the WAN side is still not served:

list interface 'tun0'
list interface 'br-lan'
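As an added example (not code from the original post), here is a small POSIX sh check that applies the man-page rule quoted above to a generated dnsmasq.conf and reports whether local-service is actually restricting clients; the two sample configs are constructed to mirror the before and after states of this fix.

```shell
#!/bin/sh
# Added example, not code from the original post: classify a generated
# dnsmasq.conf (read on stdin) by the man-page rule for local-service.
# local-service only restricts clients when none of interface,
# except-interface, listen-address or auth-server is configured.
# The sample configs below are constructed for the demo.

local_service_status() {
    # Reduce the config to bare option names: drop comments, blank lines,
    # leading whitespace and everything after '='.
    opts=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
               -e 's/^[[:space:]]*//' -e 's/=.*//')
    if printf '%s\n' "$opts" |
       grep -qxE 'interface|except-interface|listen-address|auth-server'; then
        # Explicit interface/address options: local-service is ignored and
        # dnsmasq answers only on the interfaces named in the config.
        echo "interface-limited"
    elif printf '%s\n' "$opts" | grep -qx 'local-service'; then
        # No interface options: only hosts on a directly attached subnet
        # are answered, which is what dropped the VPN client's query.
        echo "restricted"
    else
        # Neither: dnsmasq answers any client on any interface it binds.
        echo "open"
    fi
}

# Constructed: what OpenWrt emits from "option localservice '1'" alone.
BEFORE='# auto-generated config file from /etc/config/dhcp
domain-needed
local-service
domain=lan'

# Constructed: the same file after "list interface" entries for tun0 and br-lan.
AFTER='local-service
interface=tun0
interface=br-lan
domain=lan'

printf '%s\n' "$BEFORE" | local_service_status   # restricted
printf '%s\n' "$AFTER"  | local_service_status   # interface-limited
```

On a router, the same function can be fed the live file with `local_service_status < /var/etc/dnsmasq.conf`.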

Restart dnsmasq, and it worked:

jwm@magnus:~ [] $ ping capablanca
PING capablanca (192.168.1.107) 56(84) bytes of data.

netcat also showed the familiar connection verification:

jwm@magnus:~ [] $ nc -v 192.168.1.1 53
OpenWrt.lan [192.168.1.1] 53 (domain) open