Can't resolve DNS behind L3 switch

Hi,

Hoping someone smarter than me knows the answer to this → I cannot resolve hostnames from the PC (ip: 10.0.20.50) connected to my network as depicted in the image.

I’ve set up a simple network with VyOS as firewall/dhcp server connecting to an L3 switch configured as a router (inter-vlan). Main points are:

  • The PC is physically connected to the switch.
  • DHCP from VyOS works. The PC receives its IP addresses (machine, gateway and DNS server)
  • I can ping internet and resolve hostnames from both VyOS (10.0.255.254) and from within the switch (10.0.255.1) when connected through SSH.
  • I can ping internet from the PC if an address is entered but I cannot resolve hostnames … this part is eluding me still.

Some further info below on what works/doesn’t work from the PC
From client PC (ip: 10.0.20.80, gateway: 10.0.20.1, dns 10.0.20.1)

% nslookup examplehostname.com 10.0.255.254 → works
% ping ipaddress (e.g. 8.8.8.8) → works
% nslookup examplehostname.com → doesn’t work → I get: “;; connection timed out; no servers could be reached”

VyOS config (running 1.4 RC1)

user@vyos:~$ show conf
firewall {
    global-options {
        all-ping enable
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        hw-id xx:xx:xx:xx:xx:xx
    }
    ethernet eth1 {
        address 10.0.255.254/24
        description LAN
        hw-id xx:xx:xx:xx:xx:xx
    }
    ethernet eth2 {
        hw-id xx:xx:xx:xx:xx:xx
    }
    loopback lo {
    }
}
nat {
    source {
        rule 100 {
            outbound-interface {
                name eth0
            }
            source {
                address 10.0.0.0/16
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 10.0.0.0/16 {
            next-hop 10.0.255.1 {
            }
        }
    }
}
service {
    dhcp-server {
        host-decl-name
        shared-network-name LAN {
            authoritative
            domain-name home.arpa
            subnet 10.0.255.0/24 {
                default-router 10.0.255.1
                range 0 {
                    start 10.0.255.50
                    stop 10.0.255.250
                }
            }
        }
        shared-network-name vl20_main {
            authoritative
            domain-name home.arpa
            subnet 10.0.20.0/24 {
                default-router 10.0.20.1
                name-server 10.0.20.1
                range 0 {
                    start 10.0.20.50
                    stop 10.0.20.250
                }
            }
        }
    }
    dns {
        forwarding {
            allow-from 10.0.0.0/16
            listen-address 10.0.255.254
            source-address 10.0.255.254
            system
        }
    }
    ntp {
        allow-client {
            address 0.0.0.0/0
            address ::/0
        }
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user user {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    name-server 10.0.100.1
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}
user@vyos:~$ 

In your DHCP config, it looks like you’re setting the name-server to the gateway on the L3 switch instead of 10.0.255.254.


Thank you @L0crian, you found the issue and it’s now fixed! I think I was under the impression that the vlan gateway would resolve back to the LAN (eth1) on its own, but clearly this wasn’t the case.

Here is the update to my prior config above showing the change to the name-server for the benefit of the community:

        shared-network-name vl20_main {
            authoritative
            domain-name home.arpa
            subnet 10.0.20.0/24 {
                default-router 10.0.20.1
                name-server 10.0.255.254
                range 0 {
                    start 10.0.20.50
                    stop 10.0.20.250
                }
            }
        }
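As an added example (not code from the thread or from VyOS), a small Python lint that applies @L0crian's check mechanically: it flattens `show configuration` output and flags any DHCP `name-server` that is not one of the DNS forwarder's `listen-address` values, or whose subnet falls outside `allow-from`. The embedded config excerpt is constructed from the thread; the first version reproduces the original misconfiguration.

```python
import ipaddress

def parse_vyos(text):
    """Flatten 'show configuration' output into leaf paths such as ('service', 'dns', 'forwarding', 'listen-address 10.0.255.254')."""
    leaves, stack = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()                      # leave the current block
        elif line.endswith("{"):
            stack.append(line[:-1].strip())  # enter a nested block
        else:
            leaves.append(tuple(stack) + (line,))
    return leaves

def check_dhcp_dns(text):
    """Return findings (empty list = consistent): each DHCP name-server must be a forwarder listen-address, and the subnet must be allowed."""
    leaves = parse_vyos(text)
    fwd = [p[-1].split() for p in leaves if p[:3] == ("service", "dns", "forwarding")]
    listen = {e[1] for e in fwd if e[0] == "listen-address"}
    allowed = [ipaddress.ip_network(e[1]) for e in fwd if e[0] == "allow-from"]
    findings = []
    for p in leaves:
        if p[:2] != ("service", "dhcp-server") or not p[-1].startswith("name-server "):
            continue
        ns = p[-1].split()[1]
        net = ipaddress.ip_network(next(n for n in p if n.startswith("subnet ")).split()[1])
        if ns not in listen:
            findings.append(f"{net}: name-server {ns} is not a forwarder listen-address {sorted(listen)}")
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            findings.append(f"{net}: clients are not covered by forwarding allow-from")
    return findings

# Constructed excerpt of the thread's config; BROKEN reproduces the reported bug.
BROKEN = """service {
    dhcp-server {
        shared-network-name vl20_main {
            subnet 10.0.20.0/24 {
                name-server 10.0.20.1
            }
        }
    }
    dns {
        forwarding {
            allow-from 10.0.0.0/16
            listen-address 10.0.255.254
        }
    }
}"""
FIXED = BROKEN.replace("name-server 10.0.20.1", "name-server 10.0.255.254")
```

Run it against a real `show configuration` dump after adding a VLAN or VPN subnet to catch the same class of mistake before clients see a DNS timeout.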

No worries, glad you got it working!

I have one suggestion; host whatever IP you want to use for the DNS forwarder on a dummy interface. This ensures you have an always up interface to use for that. If you add remote-access VPNs or additional LAN interfaces later, they could potentially have DNS fail if eth1 were to go down.

@L0crian thank you for the suggestion to use dummy, never thought of that use case. Interface dum1 created and applied :grinning:
