DNS, DDNS and access from local network

radekpribyl · August 5, 2018, 11:10am

Hi all,

I need a help as I’m running out of ideas on the following configuration:

Setup:

Dynamic public IP address assigned to the WAN interface on TO
VLAN (called DMZ) with Webserver (running as LXC container)
Using DDNS to access the TO or Webserver in DMZ - port 443 only. Let’s say I’m using myrouter.noip.me

Configuration:
From WAN - everything works fine and there is no problem with it.

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'dmz'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.13.130'
        option dest_port '443'
        option name 'HTTPS (WAN->DMZ)'

Now the challenge. I’d like devices within my own private networks to use also the myrouter.noip.me dns name. The IP however resolves to WAN interface of the router. So I created following rules:

config redirect
        option target 'DNAT'
        option src 'lan'
        option dest 'dmz'
        option proto 'tcp'
        option src_dip '<assigned public ip address>'
        option src_dport '443'
        option dest_ip '192.168.13.130'
        option dest_port '443'
        option name 'HTTPS (LAN->DMZ)'

This approach works but has two limitations:

I cannot set up such a rule when using the dns name from the TO directly
More importantly as the public IP address it dynamic it stops working when the public IP address changes

Second approach I tried is to add 192.168.13.130 myrouter.noip.me to host file on TO and add corresponding firewall rules from other vlans to DMZ. It works however DDNS script doesn’t work as the myrouter.noip.me resolves to the local private IP address and not the public one.

Any suggestion on an approach which would work and wouldn’t have any limitations?

Thanks a lot for any hints.
Radek

anon50890781 · August 5, 2018, 12:27pm

Did you use lxc.uts.name = in the lxc container config? If not you may try it, say lxc.uts.name = webserver and than either in the hostfile or through the given resolver associate webserver with 192.168.13.130

ssdnvv · August 5, 2018, 1:13pm

I had a similiar need accessing my dedicated webserver from my guest-network (-> link).
For me the following combination worked

add 192.168.13.130 <your public domain> to /etc/hosts
add list hostname_config '/etc/hosts' to /etc/config/resolver in block config resolver 'kresd'
add firewall rule

config rule
	option name 'HTTPS (LAN->DMZ)'
	option src 'lan'
	option proto 'tcp'
	option dest 'dmz'
	option dest_ip '192.168.13.130'
	option dest_port '443'
	option target 'ACCEPT'

Restart resolver + firewall.
Now when accessing from lan you should be forwarded to the dmz-server.

radekpribyl · August 5, 2018, 2:12pm

This is what I tried (2nd approach) but then I had problems with DDNS update scripts as the public domain resolved to the local IP address and then it didn’t pick up the change of public IP address on wan interface.

ssdnvv · August 5, 2018, 2:19pm

Sounds to me like a ddns-issue - can you post your ddns config? (Of course leaving out all sensitive data).
ddns should not interfere with resolver…

radekpribyl · August 5, 2018, 4:03pm

The ddns config is:

config service 'noip'
        option interface 'wan'
        option ip_source 'network'
        option ip_network 'wan'
        option service_name 'no-ip.com'
        option enabled '1'
        option lookup_host '<mydomain>.noip.me'
        option domain '<mydomain>.noip.me'
        option username <username>
        option password <password>

I changed the resolver config right now so that I would have the logs now. First update looked fine even when you can see that the script detected the private ip address 192.168.13.130 for the domain.

173508       : verbose mode  : 0 - run normal, NO console output
 173508       : check interval: 600 seconds
 173508       : force interval: 259200 seconds
 173508       : retry interval: 60 seconds
 173508       : retry counter : 0 times
 173508       : No old process
 173508       : last update: 2018-08-02 19:54
 173508       : Detect registered/public IP
 173508       : #> /usr/bin/nslookup <my_domain>.noip.me  >/var/run/ddns/noip.dat 2>/var/run/ddns/noip.err
 173508       : Registered IP '192.168.13.130' detected
 173508  info : Starting main loop at 2018-08-05 17:35
 173508       : Detect local IP on 'network'
 173508       : Local IP '<public ip>' detected on network 'wan'
 173508       : Update needed - L: '<public ip>' <> R: '192.168.13.130'
 173508       : parsing script '/usr/lib/ddns/update_no-ip_com.sh'
 173508       : sending dummy IP to 'no-ip.com'
 173508       : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/noip.dat -o /var/run/ddns/noip.err --no-proxy 'http://username:*password*@dynupdate.no-ip.com/nic/update?hostname=<my_domain>.noip.me&myip=127.0.0.1'
 173509       : 'no-ip.com' answered:\ngood 127.0.0.1
 173510       : sending real IP to 'no-ip.com'
 173510       : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/noip.dat -o /var/run/ddns/noip.err --no-proxy 'http://username:*password*@dynupdate.no-ip.com/nic/update?hostname=<my_domain>.noip.me&myip=<public ip>'
 173511       : 'no-ip.com' answered:\ngood <public ip>
 173511  info : Update successful - IP '<public ip>' send
 173511  info : Forced update successful - IP: '<public ip>' send
 173511       : Waiting 600 seconds (Check Interval)

For the subsequent updates (every 10 mins) you can see the warning that the Update of IP address failed and the increasing number of retries. So the logging is kind of confusing as it says that the update failed but forced update successful. These warning are not in the logs when the resolver resolves the hostname to public IP. Also the warning messages are there and the number of retries increases with every run.

174511       : Detect registered/public IP
 174511       : #> /usr/bin/nslookup <my_domain>.noip.me  >/var/run/ddns/noip.dat 2>/var/run/ddns/noip.err
 174511       : Registered IP '192.168.13.130' detected
 174511  WARN : Updating IP at DDNS provider failed - starting retry 1/0
 174511       : Detect local IP on 'network'
 174511       : Local IP '<public ip>' detected on network 'wan'
 174511       : Update needed - L: '<public ip>' <> R: '192.168.13.130'
 174511       : parsing script '/usr/lib/ddns/update_no-ip_com.sh'
 174511       : sending dummy IP to 'no-ip.com'
 174511       : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/noip.dat -o /var/run/ddns/noip.err --no-proxy 'http://username:*password*@dynupdate.no-ip.com/nic/update?hostname=<my_domain>.noip.me&myip=127.0.0.1'
 174512       : 'no-ip.com' answered:\ngood 127.0.0.1
 174513       : sending real IP to 'no-ip.com'
 174513       : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/noip.dat -o /var/run/ddns/noip.err --no-proxy 'http://username:*password*@dynupdate.no-ip.com/nic/update?hostname=<my_domain>.noip.me&myip=<public ip>'
 174514       : 'no-ip.com' answered:\ngood <public ip>
 174514  info : Update successful - IP '<public ip>' send
 174514  info : Forced update successful - IP: '<public ip>' send
 174514       : Waiting 600 seconds (Check Interval)
 175514       : Detect registered/public IP
 175514       : #> /usr/bin/nslookup <my_domain>.noip.me  >/var/run/ddns/noip.dat 2>/var/run/ddns/noip.err
 175514       : Registered IP '192.168.13.130' detected
 175514  WARN : Updating IP at DDNS provider failed - starting retry 2/0
 175514       : Detect local IP on 'network'
 175514       : Local IP '<public ip>' detected on network 'wan'
 175514       : Update needed - L: '<public ip>' <> R: '192.168.13.130'
 175514       : parsing script '/usr/lib/ddns/update_no-ip_com.sh'
 175514       : sending dummy IP to 'no-ip.com'
 175514       : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/noip.dat -o /var/run/ddns/noip.err --no-proxy 'http://username:*password*@dynupdate.no-ip.com/nic/update?hostname=<my_domain>.noip.me&myip=127.0.0.1'
 175515       : 'no-ip.com' answered:\ngood 127.0.0.1
 175516       : sending real IP to 'no-ip.com'
 175516       : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/noip.dat -o /var/run/ddns/noip.err --no-proxy 'http://username:*password*@dynupdate.no-ip.com/nic/update?hostname=<my_domain>.noip.me&myip=<public ip>'
 175517       : 'no-ip.com' answered:\ngood <public ip>
 175517  info : Update successful - IP '<public ip>' send
 175517  info : Forced update successful - IP: '<public ip>' send
 175517       : Waiting 600 seconds (Check Interval)

protree · August 5, 2018, 5:24pm

I have a similar setup. I think (I am not at home atm) you can define which DNS Server should be used to resolve domains for ddns(e.g. Use 8.8.8.8 so your domain points to your wan ip), check it‘s LuCi Page. Or you can force the ddns script to look up a different domain (e.g. public.myrouter.noip.me) when using wilcard redirects in noip. Sorry I know these are no precise instructions but maybe it gives you a hint.

radekpribyl · August 5, 2018, 7:14pm

thank you @protree for a hint. noip unfortunately doesn’t offer wild domains like e.g. dynu and I was worried about atomic updates with multiple configurations both checking the same lookup host. However I solved it by creating another record and configured dnsomatic service as a single provider. dnsomatic then updates both entries hopefully at the same time.

ssdnvv · August 5, 2018, 9:53pm

Well, that seems to be an easy one (because I had it myself): do not choose “option ip_source ‘network’” + “option ip_network ‘wan’” but “option ip_source ‘web’” + “option ip_url ‘http://domains.google.com/checkip’”. For more information or more ip-urls check https://wiki.openwrt.org/doc/howto/ddns.client and https://wiki.openwrt.org/doc/uci/ddns.

radekpribyl · August 6, 2018, 8:32am

@ssdnvv I’m not sure this helps. the ip_source is used to define the ip address and this works fine in my setup - the wan interface returns the public IP address. The issue was with the lookup_host. According to https://wiki.openwrt.org/doc/uci/ddns the dns_server option could be used (as @protree mentioned too)

Thank you guys - it works for me now as it should

Phil · August 9, 2018, 9:26am

Hi @radekpribyl,

I have a setup similar to yours. To resolve myrouter.noip.me to 192.168.13.130 on the local network, I configured the DNS Knot resolver appropriately using its static hints module.

The main configuration file of Knot Resolver is /etc/config/resolver. This file is likely to be updated every time a new version of Knot Resolver is installed. So it’s better to add custom settings to a separated configuration file, for example /etc/kresd/custom.conf, which has then to be included in the main configuration file.

To include a custom configuration file to the main configuration file, add the following line in the config resolver 'kresd' section of the /etc/config/resolver file:

option include_config ‘/etc/kresd/custom.conf’

Then add the following directive to the /etc/kresd/custom.conf file to instruct Knot that is should resolve myrouter.noip.me to 192.168.13.130:

hints[‘myrouter.noip.me’] = ‘192.168.13.130’

This solution offers multiple advantages:

it should be faster to resolve myrouter.noip.me to 192.168.13.130 as the host name resolution is done by your TO instead of an external DNS server on the Internet
accessing to your DMZ web server from your local network should also be faster as your request does not have to go out of your LAN to re-enter by the WAN port once resolved by the external DNS server
the host name resolution works even if you Internet connection is down

Hope it helps.