EdgeRouter - DNS Forwarding Setup & Options


Overview


This article will explain DNS forwarding and give some basic DNS forwarding options and examples using the CLI of EdgeOS. There are currently limited DNS forwarding options in the GUI.

NOTES & REQUIREMENTS:
This article applies to all EdgeOS versions and EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required.
 
There are many different configuration options available for dnsmasq, which are made available by directly editing files such as dnsmasq.conf and resolv.conf. However, manually editing these files is beyond the scope of this article.

Table of Contents


  1. Introduction
  2. Initial Setup
  3. Customized DNS Forwarding Options
  4. Testing & Verification
  5. Related Articles

Introduction

EdgeOS includes a DNS forwarding service based on dnsmasq. The dnsmasq service runs in the background and forwards all DNS queries it receives to the specified DNS server. Keep in mind that if your DHCP server hands out a global DNS server address (such as Google's 8.8.8.8), or if a global DNS server address has been entered manually in the client's network settings, the client resolves names directly from that global server and never passes through the router's forwarder.

Instead of using a global DNS server, you can benefit from the local DNS cache on the EdgeRouter and the forwarding options explained in this article. In this case, your client device must use the router's IP address as its DNS server address. This address can be assigned by DHCP or added manually to the client's network settings. With the cached DNS information, once one client has resolved a name, the next client resolves the same name slightly faster from the EdgeRouter's cache rather than from a remote global DNS server.

Another benefit of using local DNS forwarding in EdgeOS is the option to obtain local hostnames easily when also using dnsmasq for DHCP. This is explained further in our EdgeRouter - Using dnsmasq for DHCP Server article.


Initial Setup

These steps are applied automatically when a setup wizard configures your router; they are detailed here for further explanation. They are also useful when customizing the EdgeOS configuration after running the initial setup wizard.

1. Cache Size

The default cache size is 150 entries. It can be increased to 1000 or higher so that more queries are answered locally from the cache, using this command:

set service dns forwarding cache-size 3000

2. DHCP

Some ISPs provide DNS servers as part of the WAN DHCP lease. This command uses those DNS servers for DNS forwarding when they are available. (This setting is added by default when the setup wizard configures a DHCP-based WAN.)

set service dns forwarding dhcp eth0

3. Listen-on Interfaces

Each LAN interface on which the router should accept DNS requests and forward them to the assigned DNS server must be added to the configuration with the following command:

set service dns forwarding listen-on eth1

In this example eth1 is LAN. This could also be switch0, or eth1.200 when using an EdgeRouter with a switch interface or if VLANs are being utilized.

4. Interface Exceptions (added in firmware 1.9.7 and higher)

By default, the dnsmasq forwarding configuration listens on all interfaces, including WAN. The default firewall rules created by the setup wizard block Internet-side traffic to the router itself, which is what keeps that WAN listener unreachable from outside. In firmware v1.9.7 and higher, interfaces can additionally be excluded from listening, so the resolver stays unexposed even if the firewall rules are later changed:

set service dns forwarding except-interface eth0

When using except-interface, also delete any LAN interface still present under listen-on. Without listen-on entries, the router listens on all interfaces except those named under except-interface, so each LAN interface no longer has to be entered individually.

delete service dns forwarding listen-on eth1

5. Name Servers

For all DNS requests from the LAN, the EdgeRouter forwards the query to a global DNS server unless the answer is already in the local DNS cache. These DNS servers must be defined if they were not added in the setup wizard. They could be Google's global DNS servers 8.8.8.8 or 8.8.4.4, your ISP's DNS servers, OpenDNS servers, etc.

set service dns forwarding name-server 8.8.8.8

6. System

The DNS forwarding name servers can be set manually as in the previous step, or alternatively the forwarder can be told to use the system name servers.

set service dns forwarding system

NOTE: If the system name server is set to a loopback address, the router's own DNS forwarding configuration is used rather than a global DNS server.
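
The six steps above leave a few ways to get the listener wrong: naming the WAN interface under listen-on, setting neither listen-on nor except-interface (so dnsmasq listens everywhere and only the firewall protects it), or using except-interface without listing the WAN interface. The following script, added here as an example and not part of this article or of EdgeOS, audits the `set service dns forwarding ...` lines as they appear in the output of `show configuration commands`. It runs on an administrator's workstation, not on the router; the sample configuration and the assumption that eth0 is the WAN interface are both constructed for the example.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the DNS-forwarding lines as they would appear in the
# output of `show configuration commands` on a router whose WAN is eth0.
# The `listen-on eth0` line is the mistake this audit is meant to catch.
SAMPLE_CONFIG = """\
set service dns forwarding cache-size 3000
set service dns forwarding dhcp eth0
set service dns forwarding listen-on eth0
set service dns forwarding listen-on eth1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding system
"""

PREFIX = "set service dns forwarding "


def parse_forwarding(config_text: str) -> Dict[str, List[str]]:
    """Collect every `set service dns forwarding <key> [value]` line as key -> values."""
    settings: Dict[str, List[str]] = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        parts = line[len(PREFIX):].split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        settings.setdefault(key, []).append(value)
    return settings


def audit_forwarding(config_text: str, wan_interfaces: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means every check passed."""
    s = parse_forwarding(config_text)
    wan = set(wan_interfaces)
    listen = set(s.get("listen-on", []))
    excepted = set(s.get("except-interface", []))
    findings: List[Tuple[str, str]] = []

    # listen-on must never name the WAN interface.
    if listen & wan:
        findings.append(("wan-listen",
                         f"listen-on includes WAN interface(s) {sorted(listen & wan)}"))
    # With neither option set, dnsmasq listens on every interface, WAN included,
    # and only the firewall keeps it off the Internet.
    if not listen and not excepted:
        findings.append(("listen-all",
                         "neither listen-on nor except-interface is set: dnsmasq listens on all interfaces"))
    # except-interface is in use, but the WAN interface is not in the list.
    if excepted and (wan - excepted):
        findings.append(("wan-not-excepted",
                         f"except-interface does not exclude WAN interface(s) {sorted(wan - excepted)}"))
    # The article's guidance: drop the listen-on entries once except-interface is used.
    if listen and excepted:
        findings.append(("mixed-listen",
                         "listen-on and except-interface are both set; remove the listen-on entries"))
    # Without name-server, dhcp or system there is no upstream to forward to.
    if not any(k in s for k in ("name-server", "dhcp", "system")):
        findings.append(("no-upstream",
                         "no upstream resolver: set name-server, dhcp or system"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_forwarding(SAMPLE_CONFIG, ["eth0"]):
        print(f"[{code}] {msg}")
```

Paste the output of `show configuration commands | match "dns forwarding"` into SAMPLE_CONFIG (or feed it from a file) and adjust the WAN interface list to match the router; the sample as written reports only the wan-listen finding.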

Customized DNS Forwarding Options

This section shows a few DNS forwarding options that can be set with EdgeOS CLI commands. These options are not a fail-safe way to block or filter traffic to a specific address: a client configured with any DNS server other than the router resolves names without ever consulting them.

A. Forwarding URL to a specific IP

This example answers DNS queries for youtube.com with the internal IP 10.0.100.155, which could be a web server or any other device.

set service dns forwarding options address=/youtube.com/10.0.100.155

B. Forwarding a domain to another DNS server

This example sends all DNS queries for a specific domain, such as a local domain home.lan, to a specific DNS server, either global or local.

set service dns forwarding options server=/home.lan/10.0.9.12

NOTE: To delete a DNS forwarding name server, use the following command: delete service dns forwarding name-server x.x.x.x, substituting the IP address for x.x.x.x.
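
The `address=` and `server=` options above match more than the exact name written in them: dnsmasq applies them to the listed domain and to every name below it, and when several options overlap the longest (most specific) domain wins. The script below, added here as an example and not taken from this article or from dnsmasq itself, models that matching for the two options the article sets, so you can predict what a given query from a LAN client will do before committing the configuration. It runs on a workstation, not on the router; the option strings and the upstream 8.8.8.8 are the article's values, and the query names are constructed.

```python
from typing import Iterable, NamedTuple, Optional, Tuple


class Decision(NamedTuple):
    action: str  # "answer": router replies itself (address=); "forward": query goes to target
    target: str  # the IP answered, or the resolver the query is forwarded to


# Constructed sample: the two options set in this article, plus the upstream
# name-server from the Initial Setup section.
OPTIONS = [
    "address=/youtube.com/10.0.100.155",
    "server=/home.lan/10.0.9.12",
]
DEFAULT_UPSTREAM = "8.8.8.8"


def parse_option(option: str) -> Tuple[str, Tuple[str, ...], str]:
    """Split 'address=/dom1/dom2/target' into (kind, domains, target)."""
    kind, _, rest = option.partition("=")
    *domains, target = rest.strip("/").split("/")
    return kind, tuple(d.lower() for d in domains), target


def matches(domain: str, qname: str) -> bool:
    """dnsmasq matches the domain itself and any name below it (on a label boundary)."""
    qname = qname.lower().rstrip(".")
    return qname == domain or qname.endswith("." + domain)


def resolve_policy(options: Iterable[str], qname: str, default_upstream: str) -> Decision:
    """Pick the most specific (longest) matching option, as dnsmasq does."""
    best: Optional[Tuple[str, str, str]] = None  # (kind, matched domain, target)
    for option in options:
        kind, domains, target = parse_option(option)
        for domain in domains:
            if matches(domain, qname) and (best is None or len(domain) > len(best[1])):
                best = (kind, domain, target)
    if best is None:
        # No option applies: the query goes to the normal upstream name server.
        return Decision("forward", default_upstream)
    kind, _, target = best
    return Decision("answer" if kind == "address" else "forward", target)


if __name__ == "__main__":
    for name in ("youtube.com", "www.youtube.com", "notyoutube.com",
                 "printer.home.lan", "example.com"):
        print(f"{name:20} -> {resolve_policy(OPTIONS, name, DEFAULT_UPSTREAM)}")
```

Note that www.youtube.com is answered with 10.0.100.155 just like youtube.com, while notyoutube.com is not matched because the comparison stops at a label boundary. None of this applies to a client that talks to a global resolver directly, which is why the section opens with the warning that these options do not block traffic.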

Testing & Verification

1. View Forwarding Statistics

ubnt@edgerouter:~$ show dns forwarding statistics
----------------
Cache statistics
----------------
Cache size: 3000
Queries forwarded: 28
Queries answered locally: 23
Total DNS entries inserted into cache: 109
DNS entries removed from cache before expiry: 0

---------------------
Nameserver statistics
---------------------
Server: 10.0.9.12
Queries sent: 0
Queries retried or failed: 0

Server: 8.8.8.8
Queries sent: 7
Queries retried or failed: 0

Server: 8.8.4.4
Queries sent: 21
Queries retried or failed: 0

2. View Name Servers

ubnt@edgerouter:~$ show dns forwarding nameservers
-----------------------------------------------
  Nameservers configured for DNS forwarding
-----------------------------------------------
8.8.4.4 available via 'statically configured'
8.8.8.8 available via 'statically configured'
/home.lan/10.0.9.12 available via 'optionally configured'

-----------------------------------------------
Nameservers NOT configured for DNS forwarding
-----------------------------------------------
127.0.0.1 available via 'system'

3. View Dig Results

To confirm that clients resolve through the router, use the dig tool to check which server answered the query and that the name resolves to the address set with the DNS forwarding options. In this case the SERVER line shows our router address of 10.0.20.1 rather than a global DNS server like 8.8.8.8.

system:~ admin$ dig youtube.com

; <<>> DiG 9.8.3-P1 <<>> youtube.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48021
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;youtube.com. IN A

;; ANSWER SECTION:
youtube.com. 0 IN A 10.0.100.155

;; Query time: 5 msec
;; SERVER: 10.0.9.1#53(10.0.9.1)
;; WHEN: Mon Jul 24 14:45:33 2017
;; MSG SIZE  rcvd: 45
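
Checking the SERVER line and the ANSWER section by eye works for one client; for a fleet, or for a scheduled check that a client has not been pointed at a global resolver, it helps to parse the dig output. The script below is an added example, not part of this article or of EdgeOS, and runs on a workstation. It takes the dig output shown above as its first sample and a constructed second sample in which the same client queries 8.8.8.8 directly (the answer 192.0.2.10 there is a placeholder), and reports whether the expected resolver was used and whether the expected override address came back.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class DigCheck(NamedTuple):
    server: Optional[str]   # resolver that answered (from the ';; SERVER:' line)
    answers: List[str]      # A-record addresses from the ANSWER SECTION
    resolver_ok: bool       # True when the router answered
    answer_ok: bool         # True when the DNS forwarding override was applied


# The dig output from the article, reproduced here as the first sample input.
ROUTER_DIG = """\
; <<>> DiG 9.8.3-P1 <<>> youtube.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48021
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;youtube.com. IN A

;; ANSWER SECTION:
youtube.com. 0 IN A 10.0.100.155

;; Query time: 5 msec
;; SERVER: 10.0.9.1#53(10.0.9.1)
;; WHEN: Mon Jul 24 14:45:33 2017
;; MSG SIZE  rcvd: 45
"""

# Constructed sample: the same lookup from a client that has 8.8.8.8 set by
# hand, so the router's address= option never applies. 192.0.2.10 is a placeholder.
BYPASS_DIG = """\
;; ANSWER SECTION:
youtube.com. 300 IN A 192.0.2.10

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

SERVER_RE = re.compile(r"^;; SERVER: ([^#\s]+)#\d+")
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")


def parse_dig(output: str) -> Tuple[Optional[str], List[str]]:
    """Return (server, [A-record addresses]) from text dig output."""
    server: Optional[str] = None
    answers: List[str] = []
    in_answer = False
    for raw in output.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)
            continue
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        # A blank line or a comment line ends the answer section.
        if not line or line.startswith(";"):
            in_answer = False
            continue
        if in_answer:
            m = ANSWER_RE.match(line)
            if m:
                answers.append(m.group(3))
    return server, answers


def check_dig(output: str, expected_resolver: str, expected_ip: str) -> DigCheck:
    """Verify that the router answered and that the override address was returned."""
    server, answers = parse_dig(output)
    return DigCheck(server, answers, server == expected_resolver, expected_ip in answers)


if __name__ == "__main__":
    # Assumed values for this run: the router shown in the article's output and
    # the override address from the Customized DNS Forwarding Options section.
    for label, text in (("router", ROUTER_DIG), ("bypass", BYPASS_DIG)):
        print(label, check_dig(text, "10.0.9.1", "10.0.100.155"))
```

A client whose result has resolver_ok False is using some other DNS server and is not covered by the router's cache or forwarding options; that is the case the Introduction warns about, and the first thing to look for when an override appears not to work.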

Related Articles

EdgeRouter - Using dnsmasq for DHCP Server

EdgeRouter - EdgeOS Feature Backends

EdgeRouter - Beginners Guide to EdgeRouter

Intro to Networking - How to Establish a Connection Using SSH