This article will explain DNS forwarding and give some basic DNS forwarding options and examples using the CLI of EdgeOS. There are currently limited DNS forwarding options in the GUI.
Applicable to all EdgeOS versions. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required.
There are many different configuration options for dnsmasq, made available by editing files such as dnsmasq.conf and resolv.conf. However, manually editing these files is beyond the scope of this article.
Table of Contents
- Initial Setup
- Customized DNS Forwarding Options
- Testing & Verification
- Related Articles
EdgeOS includes a DNS forwarding service based on dnsmasq. The dnsmasq service runs in the background, answers queries from its local cache where it can and forwards everything else to the configured upstream DNS servers. Keep in mind that if your DHCP server is handing out a public DNS server address (like Google's 8.8.8.8), or if a public DNS server address has been entered manually in the client's network settings, the client sends its queries directly to that server and bypasses the router's forwarder entirely.
Instead of pointing clients at a public DNS server, you can benefit from the local DNS cache on the EdgeRouter and from the forwarding options explained in this article. In this case your clients must use the router's address as their DNS server, whether assigned by DHCP or entered manually in the client's network settings. With the cache in place, once one client has resolved a hostname the next client asking for the same name gets the cached answer slightly faster.
Another benefit of using local DNS forwarding in EdgeOS is that local hostnames resolve without extra configuration when dnsmasq is also used for DHCP, as explained in our EdgeRouter - Using dnsmasq for DHCP Server article.
Initial Setup
These steps are applied automatically when using a setup wizard; they are detailed here as an explanation, and you may need them when building out your EdgeOS configuration further after the wizard.
A. Cache Size
The default cache size is 150 entries. It is possible to increase the cache-size to 1000 or higher so that more queries can be answered locally, using this command:
set service dns forwarding cache-size 1000
Setting a cache size of 1000 or greater consumes more memory on the EdgeRouter than the default. Make sure there is enough free memory before setting a large cache size.
B. DHCP-Supplied Name Servers
Some ISPs provide DNS servers to your WAN interface via DHCP. The following command makes the forwarder use the DNS servers learned by DHCP on the named interface, if any. (This setting is added by default when the setup wizard configures a WAN interface that uses DHCP.)
set service dns forwarding dhcp eth0
C. Listen-on Interfaces
Each LAN interface on which the router should accept DNS queries and forward them to the assigned servers needs to be added to the configuration using the following command:
set service dns forwarding listen-on eth1
In this example eth1 is LAN. This could also be switch0, or eth1.2 when using an EdgeRouter with a switch interface or if VLANs are being utilized.
D. Interface Exceptions (added in firmware 1.9.7 and higher)
By default dnsmasq listens on all interfaces, including WAN; on a router configured with the setup wizard the default firewall rules block unsolicited Internet traffic to the router, so the forwarder is not reachable from outside. Firmware v1.9.7 and higher adds the option to exclude interfaces from listening, which is worth doing on the WAN interface even with the firewall in place: a forwarder reachable from the Internet is an open resolver that can be abused for DNS amplification attacks and would hand out your local hostnames to anyone who asks.
set service dns forwarding except-interface eth0
When using except-interface, also remove any listen-on entries that are present, for example:
delete service dns forwarding listen-on eth1
E. Name Servers
The DNS servers that internal requests are forwarded to need to be assigned if they were not added by the setup wizard. These could be Google's public DNS servers 8.8.8.8 and 8.8.4.4, the DNS servers supplied by your ISP, OpenDNS servers, etc.
set service dns forwarding name-server 8.8.8.8
The DNS forwarding name servers can be set manually as in the previous step, or alternatively the forwarder can be told to use the system name servers (those set with set system name-server).
set service dns forwarding system
Note: If the system name server has been set to a loopback address (127.0.0.1), the router's own lookups are answered by its DNS forwarder rather than by a global DNS server, and that loopback entry is not used as an upstream (it is listed under "Nameservers NOT configured for DNS forwarding" in the verification output below).
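Steps A to E as a single configure session, together with the two settings the steps above depend on but do not show: the router's own resolver pointing at the forwarder, and the DHCP server handing the router's LAN address to clients so their queries actually pass through dnsmasq. This is an added example, not configuration taken from the Ubiquiti article; the shared network name LAN, the subnet 10.0.9.0/24 and the router address 10.0.9.1 are assumptions (10.0.9.1 is the resolver shown in the dig output later on this page), and the dhcp-server line assumes that subnet is already defined.

```text
configure
set service dns forwarding cache-size 1000
set service dns forwarding dhcp eth0
set service dns forwarding listen-on eth1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set system name-server 127.0.0.1
set service dhcp-server shared-network-name LAN subnet 10.0.9.0/24 dns-server 10.0.9.1
commit
save
exit
show dns forwarding nameservers
```

Nothing takes effect until commit, and the change survives a reboot only after save. On firmware v1.9.7 and higher you can replace the listen-on line with set service dns forwarding except-interface eth0 to listen on every interface except the WAN, as described in step D. The final show command is run from operational mode after exit and should list 8.8.8.8 and 8.8.4.4 as statically configured and 127.0.0.1 as a system name server that is not used for forwarding.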
Customized DNS Forwarding Options
This section shows a few DNS forwarding options that can be set from the CLI. Note that these options only affect clients that send their queries to the router: a client with a hard-coded public DNS server, a browser using DNS over HTTPS, or software that connects by IP address never consults the forwarder, so this is not a fail-safe way to block or filter all traffic to a specific address.
A. Resolving a domain to a specific IP
This example makes the forwarder answer every query for youtube.com, and for any name under it such as www.youtube.com, with the internal IP 10.0.100.155, which could be a web server or any other device. Only DNS answers change; no traffic is forwarded by the router itself.
set service dns forwarding options address=/youtube.com/10.0.100.155
B. Forwarding a domain to another DNS server
This example sends all DNS queries for a specific domain and its subdomains, such as a local domain home.lan, to a specific DNS server, which can be either public or internal:
set service dns forwarding options server=/home.lan/10.0.9.12
NOTE: To delete a DNS forwarding option, repeat the set command with delete in its place, for example:
delete service dns forwarding options address=/youtube.com/10.0.100.155
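The two option forms above are matched against a query name by dnsmasq as domain suffixes, and when several entries match, the longest (most specific) domain wins. The script below emulates that matching for the address= and server= lines used on this page so you can check what a given option set will do to a name before committing it. It is an added example written for this page, not code from dnsmasq or EdgeOS; the option lines and the extra cdn.youtube.com entry are constructed input, and the matching rule it implements is the documented dnsmasq behaviour of "most specific domain wins".

```python
"""Emulate how dnsmasq applies 'service dns forwarding options' lines to a query name.

Added example (not dnsmasq/EdgeOS code). Supports the two forms used on the page:
    address=/<domain>/<ip>    answer the name (and all subdomains) locally with <ip>
    server=/<domain>/<ip>     forward the name (and all subdomains) to resolver <ip>
"""

# Constructed option lines: the two from the page plus a more specific override
SAMPLE_OPTIONS = [
    "address=/youtube.com/10.0.100.155",
    "server=/home.lan/10.0.9.12",
    "address=/cdn.youtube.com/10.0.100.156",   # assumed extra entry, most specific
]

DEFAULT_UPSTREAM = "8.8.8.8"  # the name-server the forwarder uses when no option matches


def parse_options(lines):
    """Turn option lines into (kind, domain, target) tuples; domains are normalised."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition("=")
        if kind not in ("address", "server") or not rest.startswith("/"):
            raise ValueError(f"unsupported option line: {line!r}")
        _, domain, target = rest.split("/", 2)
        rules.append((kind, domain.lower().rstrip("."), target))
    return rules


def _covers(domain, qname):
    """A rule for 'youtube.com' covers youtube.com itself and any label under it,
    but not look-alikes such as notyoutube.com."""
    return qname == domain or qname.endswith("." + domain)


def resolve_policy(rules, qname, default_upstream=DEFAULT_UPSTREAM):
    """Return ('local', ip) when an address= rule answers the query on the router,
    ('forward', server) when a server= rule redirects it, or ('forward', default)."""
    qname = qname.lower().rstrip(".")
    best = None
    for kind, domain, target in rules:
        if _covers(domain, qname) and (best is None or len(domain) > len(best[1])):
            best = (kind, domain, target)       # longest matching domain wins
    if best is None:
        return ("forward", default_upstream)
    kind, _, target = best
    return ("local", target) if kind == "address" else ("forward", target)


if __name__ == "__main__":
    rules = parse_options(SAMPLE_OPTIONS)
    for name in ["youtube.com", "www.youtube.com", "cdn.youtube.com",
                 "notyoutube.com", "printer.home.lan", "example.org"]:
        print(f"{name:20} -> {resolve_policy(rules, name)}")
```

Running it shows that the page's address= entry also captures www.youtube.com, that the assumed cdn.youtube.com entry takes precedence for that one name, and that notyoutube.com is untouched and goes to the default upstream, which is the behaviour to expect from the real forwarder.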
Testing & Verification
1. View Forwarding Statistics
ubnt@ubnt:~$ show dns forwarding statistics
Cache size: 1000
Queries forwarded: 28
Queries answered locally: 23
Total DNS entries inserted into cache: 109
DNS entries removed from cache before expiry: 0
Queries sent: 0
Queries retried or failed: 0
Queries sent: 7
Queries retried or failed: 0
Queries sent: 21
Queries retried or failed: 0
The "Queries sent" and "Queries retried or failed" pairs are reported once per upstream server. A high "Queries answered locally" count relative to "Queries forwarded" shows the cache is doing its job.
2. View Name Servers
ubnt@ubnt:~$ show dns forwarding nameservers
Nameservers configured for DNS forwarding
8.8.8.8 available via 'statically configured'
8.8.4.4 available via 'statically configured'
/home.lan/10.0.9.12 available via 'optionally configured'
Nameservers NOT configured for DNS forwarding
127.0.0.1 available via 'system'
3. View Dig Results
To confirm that a client is resolving through the router, you can use the dig tool (part of the dnsutils package on Debian-based systems and included with macOS) to see which server answered the query and to verify that the name resolves to the address set with the DNS forwarding option. In the output below the SERVER line shows the router address (10.0.9.1) rather than a public DNS server like 8.8.8.8, and the aa flag together with the TTL of 0 show that the answer came from the router's own address= entry rather than from an upstream server.
system:~ admin$ dig youtube.com
; <<>> DiG 9.8.3-P1 <<>> youtube.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48021
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;youtube.com. IN A
;; ANSWER SECTION:
youtube.com. 0 IN A 10.0.100.155
;; Query time: 5 msec
;; SERVER: 10.0.9.1#53(10.0.9.1)
;; WHEN: Mon Jul 24 14:45:33 2017
;; MSG SIZE rcvd: 45
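The same check can be scripted so that it runs from any client without dig. The script below builds a raw DNS query for youtube.com, sends it to the router, parses the reply and classifies it: the override is in effect when the answer carries the AA flag and the expected address, and it has been bypassed when a different address comes back. This is an added example, not part of the Ubiquiti article; the router address 10.0.9.1 and the expected override are taken from the dig output above, and the two sample responses are constructed in the script (one shaped like the dig answer above, one like a plain upstream answer) so the parser and classifier can be exercised offline.

```python
"""Query a resolver for a name and tell whether the answer is a local dnsmasq
override. Added example for this page, standard library only (Python 3)."""
import random
import socket
import struct

ROUTER = "10.0.9.1"                          # assumed forwarder address (from the dig output)
EXPECTED = {"youtube.com": "10.0.100.155"}   # the address= override configured on the page


def build_query(qname, txid):
    """Standard A/IN query with RD set, no EDNS, 12-byte header + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                               # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Extract id, AA flag, rcode and the A records from a DNS reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                     # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF, "answers": answers}


def classify(resp, qname):
    """'local-override' if the router answered authoritatively with the configured IP,
    'override-bypassed' if another address came back, else 'forwarded' or 'error'."""
    want = EXPECTED.get(qname.rstrip("."))
    ips = [ip for _, _, ip in resp["answers"]]
    if resp["rcode"] != 0:
        return "error"
    if want and want in ips and resp["aa"]:
        return "local-override"
    if want and want not in ips:
        return "override-bypassed"
    return "forwarded"


def query(qname, server=ROUTER, timeout=2.0):
    """Send the query over UDP/53 and classify the reply (needs network access)."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (server, 53))
        data, _ = s.recvfrom(512)
    resp = parse_response(data)
    if resp["id"] != txid:
        raise RuntimeError("transaction id mismatch")
    return classify(resp, qname)


def make_response(flags, ttl, ip, txid=0x1234):
    """Constructed single-answer reply for youtube.com, used as offline test data."""
    return (struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
            + b"\x07youtube\x03com\x00" + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip))


# qr aa rd ra, TTL 0: the shape dnsmasq returns for an address= entry (45 bytes, as in dig)
SAMPLE_LOCAL = make_response(0x8580, 0, "10.0.100.155")
# qr rd ra only, TTL 300, documentation address: what a bypassing resolver would return
SAMPLE_UPSTREAM = make_response(0x8180, 300, "203.0.113.10")

if __name__ == "__main__":
    print("constructed local reply   ->", classify(parse_response(SAMPLE_LOCAL), "youtube.com"))
    print("constructed upstream reply ->", classify(parse_response(SAMPLE_UPSTREAM), "youtube.com"))
```

Call query("youtube.com") on a LAN client to run the live check; an "override-bypassed" result means the client's configured resolver is not the router, exactly the situation described at the top of this article. A 512-byte receive buffer is enough here because the query carries no EDNS option, so a compliant resolver will not send a larger reply.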