Dnsmasq .lan domain while still using knot resolver

I like dnsmasq’s automatic *.lan hostnames and I wanted to continue using them, but I didn’t want to get rid of the knot resolver. dnsmasq automatically generates the hostnames based on the DHCP request hostname as well as any static hosts you’ve defined.

I set dnsmasq’s DNS port to 54 in LuCI’s Network > DHCP and DNS > Advanced Settings > DNS Server Port.

I created the file /etc/kresd/custom.conf:

-- forward *.lan and the 192.168.x.x reverse zone to dnsmasq (the FORWARD argument is dnsmasq's address and port)
local lan_rule = policy.add(policy.suffix(policy.FORWARD(''), policy.todnames({'lan','168.192.in-addr.arpa'})))
-- move the rule to the front of the list so it is evaluated before any other rule
table.insert(policy.rules, 1, lan_rule)

I’m forwarding all of the reverse DNS to dnsmasq; if you need to, use “10.in-addr.arpa” instead of “168.192.in-addr.arpa”.

This forwards *.lan and the reverse DNS queries for your local subnet to port 54, which is handled by dnsmasq.

I then changed /etc/config/resolver:

config resolver 'kresd'
        option rundir '/tmp/kresd'
        option log_stderr '0'
        option log_stdout '0'
        option forks '1'
        option include_config '/etc/kresd/custom.conf'

The other lines should already be there, just add the include_config line at the end of the kresd section.

End result:

$ host turris.lan
turris.lan has address
$ host beaglebone.lan
beaglebone.lan has address
$ host domain name pointer turris.lan

Edit: update for the custom kresd config, credit to @eman


I am wondering why this isn’t the default shipping config. (Although I prefer port 5353 over 54)

Is there a way to resolve also reverse DNS records?

I tried to add a similar line with “domain” 168.192.in-addr.arpa (both with and without the closing . (dot)), but it didn’t work.

Dnsmasq on port 53535 properly resolves it:

$ dig +short -x @ -p 53535

But Knot does not:

$ dig +short -x @

Yes, this is possible but slightly harder.

The file /usr/lib/kdns_modules/policy.lua includes a list of reverse DNS zones to deny. You can comment out or delete the line for 168.192.in-addr.arpa.

Then add that to your list of forwarded domains:

echo "policy.add(policy.suffix(policy.FORWARD(''), policy.todnames({'lan','201.168.192.in-addr.arpa'})))" >>$CONFIGFILE
echo "policy.add(policy.suffix(policy.DENY, policy.todnames({'168.192.in-addr.arpa'})))" >>$CONFIGFILE

Great! It works as expected, thanks!

Just a question about denying the rest of the 192.168.* network for reverse DNS lookups: is it necessary?
I used just the following part, 168.192.in-addr.arpa, in the first command, because I have more networks than just the 201, and I didn’t use the second (DENY) command at all, and it seems to work properly. So I just want to know if there is some reason for denying the unused part of the 192.168.* network.

It’s considered nice to not forward those queries on to the general internet. You don’t strictly have to filter it, but the people receiving all this junk DNS traffic would appreciate less of it.

Ah, ok … so when I forward the whole private range (168.192.in-addr.arpa) to dnsmasq it is ok, because it will not be forwarded outside, right?

Yup, that’s fine. dnsmasq’s setting Network > DHCP and DNS > Advanced Settings > Filter private (Do not forward reverse lookups for local networks) is on by default.
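A complete /etc/kresd/custom.conf that combines the two pieces discussed in this thread (the *.lan and 192.168.x.x reverse forwarding from the first post, and the DENY of the other private reverse zones so those lookups are never sent upstream), written here as an added example and not taken from any post above. It assumes dnsmasq listens on 127.0.0.1 port 54 as in the first post; if your firmware’s policy.lua still carries its own deny entry for 168.192.in-addr.arpa, that entry has to be removed as described earlier in the thread.

```lua
-- /etc/kresd/custom.conf (added example; assumes dnsmasq on 127.0.0.1 port 54)
-- kresd walks policy.rules in order and the first matching rule decides,
-- so the FORWARD rule is added before the DENY rule below.

local dnsmasq = '127.0.0.1@54'   -- assumption: dnsmasq DNS Server Port set to 54

-- Names dnsmasq knows about: DHCP/static hostnames under .lan and the
-- reverse zone for 192.168.0.0/16 (use '10.in-addr.arpa' for a 10/8 LAN).
local local_zones = policy.todnames({
  'lan',
  '168.192.in-addr.arpa',
})
policy.add(policy.suffix(policy.FORWARD(dnsmasq), local_zones))

-- Reverse zones for the private ranges dnsmasq does not serve: answer them
-- locally with NXDOMAIN instead of leaking the lookups to the internet.
local unused_private = { '10.in-addr.arpa' }
for i = 16, 31 do
  -- 172.16.0.0/12 is made up of 172.16 through 172.31
  table.insert(unused_private, i .. '.172.in-addr.arpa')
end
policy.add(policy.suffix(policy.DENY, policy.todnames(unused_private)))
```

After restarting kresd, `host turris.lan` should be answered by dnsmasq while `dig -x 10.1.2.3` returns NXDOMAIN locally.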

Thanks for the explanation!

Thanks a lot for explaining how to fix the local name resolution. I was really wondering why something as basic as local DNS lookup wasn’t working out of the box.

It’s a basic feature and needs to be fixed fast. There should definitely be a way to configure it via the web UI and not only via the shell.

Well, now I feel dumb, since I spent all of last night disabling kresd and making dnsmasq the default resolver. The problem is there seem to be a couple of custom scripts cz.nic ships that run periodically and make sure kresd is the resolver.

@dpdrown Do I need something special to make sure kresd forwards these queries for AAAA records as well? (if we take into account that dnsmasq will look at /tmp/hosts/odhcpd)

I set the dnsmasq server port to 5353 and added the adapted line to /etc/init.d/kresd. It does not work for me; after that kresd does not start anymore. No message in /var/log/messages.

After switching from an OpenWrt router to the Turris Omnia it would be nice to have local domain name resolving back!

Hopefully cz.nic will bring update soon…

It is not adapted - it’s an additional line which needs to be inserted. Can you post the whole init_header() function?

I know. I added the following line after line 38:

echo "policy.add(policy.suffix(policy.FORWARD(''), policy.todnames({'pigdom'})))" >> $CONFIGFILE

For explanation, I changed my local domain from ‘lan’ to ‘pigdom’. dnsmasq runs on port 5353.

Not sure about the line number - I added it as line #40 and it works fine - see below

init_header() {
    echo "--Automatically generated file; DO NOT EDIT" > $CONFIGFILE
    echo "modules = {" >> $CONFIGFILE
    config_get_bool prefetch common prefetch 0
    echo "    'policy'" >> $CONFIGFILE
    # the stats/predict modules are only emitted when prefetch is enabled in UCI
    if [ "$prefetch" != 0 ]; then
            echo "  , 'stats'" >> $CONFIGFILE
            echo "  , predict = {" >> $CONFIGFILE
            echo "        window = 30 -- 30 minutes sampling window" >> $CONFIGFILE
            echo "      , period = 24*(60/30) -- track last 24 hours" >> $CONFIGFILE
            echo "  }" >> $CONFIGFILE
    fi
    echo "}" >> $CONFIGFILE
    # line added at #40: forward the local domain to dnsmasq
    echo "policy.add(policy.suffix(policy.FORWARD(''),  policy.todnames({'home'})))" >>$CONFIGFILE
}

Thanks! Added to line #41 and it works now

kresd forwards AAAA records, but dnsmasq’s automatic AAAA record creation (the ra-names flag on the dhcp-range option) isn’t enabled.

Any ideas where that config file is actually spawned?

Check the /etc/init.d/kresd script and you can see:

Yes, I could have checked it, but I’m currently away from my Omnia…