DNS not resolving local IP

My ISP doesn't support hairpinning and drops packets that I send to my own public IP. So if I own example.com in order to route to my network, with a DNS record pointing at my public IP (say, 23.45.56.76), I can only use it externally: if I try to access example.com locally, my ISP drops it!

So I set up a DNS record on my Raspberry Pi PiHole to resolve example.com to 192.168.0.1. My router was set to forward DNS queries to the PiHole.

Yet I couldn't always access example.com locally - it seemed sporadic! It turns out my DNS queries weren't always resolving.

Breakdown of setup:

  • Public IP: 23.45.56.76 - to access my network remotely
  • Private IP of router: 192.168.0.1 (this can forward DNS queries)
  • IP of PiHole: 192.168.0.9 (this is my local DNS provider)
  • 23.45.56.76: where I want example.com to point when I'm remote
  • 192.168.0.1: where I want example.com to point when I'm local

Again, if my ISP or the ISP's router supported hairpinning, then example.com pointing to 23.45.56.76 would be fine as long as the appropriate ports were forwarded!

Debugging dropped DNS

I finally narrowed down the actual behaviour by querying each resolver directly:

$ nslookup example.com 192.168.0.1
Server:		192.168.0.1
Address:	192.168.0.1#53

Non-authoritative answer:
*** Can't find example.com: No Answer

DNS is totally dropped by the router - confusing!

$ nslookup example.com 8.8.4.4
Server:		8.8.4.4
Address:	8.8.4.4#53

Non-authoritative answer:
Name:	example.com
Address:	23.45.56.76

Public IP returned by querying Google's DNS server - as expected.

$ nslookup example.com 192.168.0.9
Server:		192.168.0.1
Address:	192.168.0.1#53

Non-authoritative answer:
Name:	example.com
Address:	192.168.0.1

Private IP returned by querying the PiHole - as expected.

I examined my DD-WRT router and found this under Status > Syslog:

daemon.warn dnsmasq[14162]: possible DNS-rebind attack detected: example.com

My router was the cause of the issue! It turns out some routers prevent public domain names from resolving to local (private) IPs, because that is exactly what a DNS rebinding attack looks like to the resolver.

Fixing "No DNS Rebind"

I could disable the "No DNS Rebind" option entirely, but that felt less safe than fixing this one domain. It turns out I could just add

rebind-domain-ok=/example.com/

under Services > Services > Additional Dnsmasq Options.
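To see why the per-domain allow-list is the safer fix, here is an added example (not code from the post, DD-WRT or dnsmasq) that models the router's "No DNS Rebind" check: an upstream answer carrying a private address is dropped and logged unless the name is covered by a rebind-domain-ok entry, which in dnsmasq also covers subdomains. It approximates dnsmasq's private-range test with Python's ipaddress.is_private, and the name evil.example is a constructed stand-in for any other domain.

```python
from __future__ import annotations
import ipaddress


def parse_rebind_domain_ok(option_line: str) -> set[str]:
    """Parse a dnsmasq 'rebind-domain-ok=/a.example/b.example/' line into a set of domains."""
    key, _, value = option_line.strip().partition("=")
    if key != "rebind-domain-ok":
        raise ValueError(f"not a rebind-domain-ok option: {option_line!r}")
    return {d.lower().strip(".") for d in value.split("/") if d}


def domain_allowed(name: str, allowed: set[str]) -> bool:
    """True if name equals, or is a subdomain of, an allow-listed domain (dnsmasq semantics)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in allowed)


def is_rebind(name: str, answers: list[str], allowed: set[str]) -> bool:
    """True when the rebind check would fire: a private address answered for a
    name that is not allow-listed. (Approximation: is_private stands in for
    dnsmasq's own private-range list.)"""
    if domain_allowed(name, allowed):
        return False
    return any(ipaddress.ip_address(a).is_private for a in answers)


def filter_answer(name: str, answers: list[str], allowed: set[str]):
    """Mimic the router: return (answers, warning). On a rebind hit the answer
    is emptied (the 'No Answer' seen in nslookup) and a syslog-style warning
    in the same format as the DD-WRT log line is produced."""
    if is_rebind(name, answers, allowed):
        return [], f"possible DNS-rebind attack detected: {name}"
    return answers, None


if __name__ == "__main__":
    # Before the fix: the PiHole's private answer is dropped by the router.
    print(filter_answer("example.com", ["192.168.0.1"], set()))
    # After the fix: only example.com (and its subdomains) may resolve privately.
    allowed = parse_rebind_domain_ok("rebind-domain-ok=/example.com/")
    print(filter_answer("example.com", ["192.168.0.1"], allowed))
    print(filter_answer("nas.example.com", ["192.168.0.9"], allowed))
    # Any other name pointing at a private address is still blocked (constructed name).
    print(filter_answer("evil.example", ["192.168.0.1"], allowed))
    # Public answers, such as the one from 8.8.4.4, are never affected.
    print(filter_answer("example.com", ["23.45.56.76"], set()))
```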