3

I have configured my DGN2200v2 to do the following:

  • Reserve the LAN address for my mac to 10.0.0.11
  • Use 10.0.0.11 as primary DNS server, and 8.8.8.8 as secondary

Now I would expect the router to ask my computer for DNS requests, but it seems to just skip the 10.0.0.11 server and use 8.8.8.8... (I checked using Wireshark and my computer isn't getting any requests, and the pages load, so I guess that's what's happening.)

Is there something I am missing here? I have checked using ipconfig and I indeed have the IP of 10.0.0.11.

Amit Gold
  • You have a DNS server configured on your desktop? If you do, set the forwarder to a public DNS so the request can go somewhere. Can you ping 10.0.0.11 from your router? – Citizen May 28 '16 at 02:21
  • @Citizen for some reason there's 100% packet loss... http://prntscr.com/b9drhg I checked using wireshark, and this is what's going on: http://prntscr.com/b9dry4 – Amit Gold May 28 '16 at 08:30
  • That's a routing problem. Destination unreachable. Part of the ICMP suite with ping and tracert. It's your first hop router or your default gateway, saying that it can't get the destination you are attempting to get to. – Citizen May 28 '16 at 08:37
  • @Citizen I don't really understand what you said, but what do I do now? – Amit Gold May 28 '16 at 10:38
  • Well, by default Windows has the firewall enabled and will block ping (and others)... – Tom Yan Jun 01 '16 at 17:54
  • Your Windows already has a DNS service that will cache DNS entries, so no need really. After the first resolution, your computer will use the cache. – Sun Jun 01 '16 at 18:59
  • Are you by any chance trying to achieve that the other DHCP-enabled devices in the network use your computer as a DNS server? – Vojtěch Dohnal Jun 06 '16 at 10:04
  • This could be helpful? http://superuser.com/q/45789/285900 – Vojtěch Dohnal Jun 06 '16 at 11:22
  • @VojtěchDohnal yep. – Amit Gold Jun 06 '16 at 13:12
  • Try to describe your problem in better detail - what other devices you have in the network and what the expected behavior is; now it seems that you want to have just the DNS server on your computer be used by the router, which does not make sense. – Vojtěch Dohnal Jun 06 '16 at 13:28
  • Also when debugging DNS use command line `nslookup` and `server 10.0.0.11`, you can also use `set debug`. – Vojtěch Dohnal Jun 06 '16 at 13:30
  • @VojtěchDohnal How does it not make sense? I want my router to forward DNS requests to a computer on the network instead of the ones that my ISP tells it to or `8.8.8.8`, and then my computer might return some junk IP or might ask `8.8.8.8`. Right now I can use `nslookup` with server as `10.0.0.11` and it works and the server logs the action, but when asking `10.0.0.138`, which is supposed to in turn forward to `10.0.0.11`, the server doesn't log anything and the requests don't get filtered... – Amit Gold Jun 06 '16 at 16:08
  • @VojtěchDohnal to clarify, I am doing both nslookups from another device which is connected to the same router. – Amit Gold Jun 06 '16 at 16:08
  • Perhaps it would be easier to configure DHCP server on the router to give 10.0.0.11 as primary DNS to the clients? – Vojtěch Dohnal Jun 06 '16 at 16:35
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/40783/discussion-between-amit-gold-and-vojtch-dohnal). – Amit Gold Jun 06 '16 at 16:51

2 Answers

2

Reserve the LAN address for my mac to 10.0.0.11. So you did something like this:

It is not really relevant to your issue though. Anyway, you can certainly ping this address from your PC:

(I actually wonder if an OS would even route it to your router when it can easily recognize this is its own address)

However, with your Windows Firewall on, you won't be able to ping from your router to your PC:

Once you have configured it properly, or have it disabled (for testing), it will ping fine:

Use 10.0.0.11 as primary DNS server, and 8.8.8.8 as secondary; I am not sure how exactly you did that, but certainly, you can configure on the client side statically:

Or through the LAN-side DHCP server setting:

But certainly, first of all you need to have a DNS server set up on your PC:

Tom Yan
  • So basically my testing is bad I guess, I will try actually making a query from another computer and see if it works. I am not at home right now though so expect updates :D – Amit Gold Jun 05 '16 at 16:57
  • @AmitGold Btw, beware of [bad DHCP server implementation on some routers](http://community.linksys.com/t5/Wireless-Routers/EA6900-bugged-bad-implementation-of-quot-Static-DNS-quot-in/td-p/1032809)... – Tom Yan Jun 06 '16 at 15:10
0

I think there is a misconception here: DNS queries are not part of the router services - all the router does is communicate the IPs of the two specified DNS servers to your computer, and it is your computer that issues the DNS queries.

So what happens is that your computer tries to forward DNS queries to itself, but unfortunately by using its external IP address, which means that the connection is done through the router. A connection of this type usually cannot work except via the loopback interface on IP 127.0.0.1 (localhost), which does not pass through the router.

Most consumer-grade routers do not support loopback, which is a computer addressing itself via the router. Such a router will either protect itself against the risk of looping eternally in a circular manner, or its firmware will simply not have the code required to keep track of loopback connections.

The end-result is that the DNS server at address 10.0.0.11 is quickly marked as unusable by your computer when it boots, or on the first DNS query, so is probably already being ignored when you launch Wireshark.

Conclusion: The router is working properly for a consumer-grade router.

Remark:

In general, it is not useful to have two DNS servers, one primary and the other secondary, since Windows will only use one. The secondary DNS server is the backup in case that the first one fails. You will need to define these DNS servers on your computer, not on the router, but Windows will only use the first that answers.

The local DNS server must be defined by the IP address of 127.0.0.1 (localhost). If a local DNS server is to be used by Windows, then this server needs to know how to fall back to the Google server at 8.8.8.8 if it cannot find an answer locally, because Windows will not do this automatically.

harrymc
  • That sounds correct to me. How are you making these DNS requests? If the requests are coming from the same computer, that's a loop. The router shouldn't need to make DNS queries unless it's for a completely different thing. If there are other devices that need DNS, I would think they should be pointing to the DNS server directly. If your router is advertising DHCP, the internal DNS should be what is advertised. – BloodyEl Jun 01 '16 at 21:40
  • It seems to me what you want to do should be doable, with the exception of the "consumer-grade" part. If you have hardware lying around you could also just use a linux box as a router and firewall without it costing anything and without proprietary compromises. – BloodyEl Jun 01 '16 at 21:44
  • So basically Windows is protecting itself because it understands that I am trying to address myself? How does it know that the router uses itself, if the configuration of the DNS server is on the router's settings? – Amit Gold Jun 02 '16 at 13:26
  • Windows is not protecting itself - it's starting a connection for the DNS query, but the connection times-out because the router doesn't cooperate, so Windows just gives up on it. It's the router that either is protecting itself or is simply not programmed to handle self-loops. – harrymc Jun 02 '16 at 13:38
  • AFAIK it's only common that a "consumer-grade" router does not support being addressed from the LAN with its WAN side IP address (port forwarded or not). I have never seen a "loopback issue" as what you've described. – Tom Yan Jun 04 '16 at 03:40
  • @TomYan: "loopback issue" ? I described ? No comprendo. – harrymc Jun 04 '16 at 09:29
  • `So what happens is that your computer tries to forward DNS queries to itself, but unfortunately by using its external IP address. A self-reference like this usually cannot work except via the loopback interface on IP 127.0.0.1 (localhost), which does not pass through the router.` – Tom Yan Jun 04 '16 at 09:45
  • @TomYan: Explain please what's wrong with this scenario, if the user did specify his WAN address as DNS server. AFAIK Windows doesn't check the IP address for "correctness" but tries it out and will use it if there is an answer. – harrymc Jun 04 '16 at 11:03
  • @harrymc `if the user did specify his WAN address as DNS server` clearly he did not according to the two bullet points in the OP? – Tom Yan Jun 04 '16 at 12:59
  • Instead of what you described, he could have set `Use 10.0.0.11 as primary DNS server, and 8.8.8.8 as secondary` in the Internet side setting instead of the LAN-side DHCP server setting though... – Tom Yan Jun 04 '16 at 13:07
  • @TomYan: I still don't understand anything in what you say. I describe nothing except what happens when he did exactly what you claim he should have done, and it didn't work. Please delete your comments above since they are not constructive. – harrymc Jun 04 '16 at 13:58
  • So you are trying to say that when he writes `ping 10.0.0.11` on his PC, it will fail because of his router? Never seen this too. – Vojtěch Dohnal Jun 06 '16 at 11:29
  • @VojtěchDohnal: DNS is more complex than ping. – harrymc Jun 06 '16 at 11:43
  • Perhaps, but the packets do not even get to the router's interface, so it does not matter anyway. Your theory is just false, that is it. – Vojtěch Dohnal Jun 06 '16 at 13:11
  • @VojtěchDohnal: This is not theory but fact. I think you miss it - the fact that one can ping something is absolutely not the same as pinging oneself *through the router* as third party. The router will not cooperate because it's only built to connect local-router-internet. Only sophisticated routers can do paths like local-router-local-router-internet. – harrymc Jun 06 '16 at 14:39
  • A simple 5-minute empirical test: 1. Install DNS (Simple DNS Plus, just a few clicks) on a PC with 10.0.0.11. 2. Set up one zone `test.com` with one A record `www` there. Disconnect the ethernet cable. 3. Try `nslookup`, `server 10.0.0.11` and try `www.test.com`. 4. Then do `server 127.0.0.1` - the behavior is the same and both can translate the name correctly. Your theory is falsified by this test, because there is no router connected at all. – Vojtěch Dohnal Jun 06 '16 at 15:00
  • Let's eventually continue here: http://superuser.com/questions/1086068/is-there-a-chance-that-an-ip-packet-with-the-the-same-source-and-destination-ip – Vojtěch Dohnal Jun 06 '16 at 15:23
  • @VojtěchDohnal: Please finally understand - **the problem is when going through the router**. Again : The poster's problem is when going through the router. Please read the post before bombarding with out-of-subject comments. – harrymc Jun 06 '16 at 18:04
  • You probably meant this: `Many DSL routers/modems prevent loopback connections as a security feature. This means that a machine on your local network (e.g. behind your DSL router/modem) cannot connect to a forward facing IP address (such as 199.149.252.44) of a machine that is also on your local network. Connecting to the local IP address (such as 192.168.2.40) of that same machine works fine.` ? – Vojtěch Dohnal Jun 07 '16 at 09:51
  • @VojtěchDohnal: Yes, I thought this was clear from my answer. If you think it's unclear, feel free to add to it. Although this is not only a security feature - the router needs to be able to keep track of it and a simple router will not have the code for it. – harrymc Jun 07 '16 at 10:08
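Added example (my own code, not from the question or either answer): a minimal DNS resolver in the role the question gives to 10.0.0.11. It answers names from a constructed local zone (the `test.com` zone from Vojtěch Dohnal's nslookup test, plus a "junk IP" entry of the kind the question mentions), forwards everything else to 8.8.8.8 as raw UDP, and records the source address of every query it receives, which is the "server logs the action" check the thread relies on and the "DNS server set up on your PC" Tom Yan's answer asks for. The zone contents, the client addresses and the logging list are assumptions for illustration; nothing here changes the router.

```python
import socket
import struct

# Constructed local zone (assumption): names this resolver answers by itself.
LOCAL_ZONE = {
    "www.test.com.": "10.0.0.11",   # the zone from the nslookup test in the comments
    "ads.example.": "0.0.0.0",      # a "junk IP" answer, as the question describes
}
UPSTREAM = ("8.8.8.8", 53)          # everything else is forwarded here
QUERY_LOG = []                      # (client, name, qtype) for every query received


def encode_name(name):
    # 'www.test.com.' -> length-prefixed labels: 3 www 4 test 3 com 0
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            jumps += 1
            if jumps > 10:                             # refuse pointer loops
                raise ValueError("compression pointer loop")
            end = end or offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", end or offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid=0x1234, qtype=1):
    """A standard recursion-desired query for one record (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(data):
    """Return (txid, name, qtype, raw question section) of a single-question query."""
    txid, _flags, qdcount = struct.unpack("!HHH", data[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    return txid, name, qtype, data[12:off + 4]


def parse_a_answers(response):
    """Return the IPv4 addresses in the answer section of a response."""
    ancount = struct.unpack("!H", response[6:8])[0]
    _, off = decode_name(response, 12)
    off += 4                                           # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, off = decode_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    return ips


def forward_udp(query, upstream=UPSTREAM):
    """Relay the raw query to the upstream resolver and return its raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(query, upstream)
        return s.recvfrom(512)[0]


def handle_query(data, client, forward=forward_udp):
    """Answer from LOCAL_ZONE, otherwise forward; log the client either way."""
    txid, name, qtype, question = parse_question(data)
    QUERY_LOG.append((client, name, qtype))
    ip = LOCAL_ZONE.get(name.lower())
    if qtype == 1 and ip is not None:
        # 0x8180: response, recursion desired and available, NOERROR
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        # 0xC00C points back at the question name; A record, IN class, TTL 60
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
        return header + question + answer
    return forward(data)


def serve(bind=("0.0.0.0", 53)):
    """Serve until interrupted. Port 53 needs administrator rights and a firewall rule."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            data, client = s.recvfrom(512)
            try:
                s.sendto(handle_query(data, client), client)
            except (ValueError, IndexError, socket.timeout) as e:
                print("dropped query from", client, e)
```

Run `serve()` on the 10.0.0.11 machine as administrator after allowing inbound UDP 53 through the same Windows Firewall that blocked the router's ping (for example `New-NetFirewallRule -DisplayName "DNS in" -Direction Inbound -Protocol UDP -LocalPort 53 -Action Allow`), then from another LAN host run `nslookup www.test.com 10.0.0.11`: the query appears in `QUERY_LOG` with that host's address. Pointing the same `nslookup` at the router's address instead and watching whether anything is logged is exactly the test the comments describe. Two caveats: the resolver listens on every interface and forwards any client's query upstream, so it must stay reachable from the LAN only, or it becomes an open resolver; and it handles one question per packet over UDP only, with no TCP fallback or EDNS, which is enough for this test but not for general use.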