Jump to content
Not connected, Your IP: 18.221.157.203
Sign in to follow this  
hoturekube

DNS resolution on debian with IP forwarding (virtual machines)

Recommended Posts

I have troubles understanding DNS resolution with AirVPN on debian using IP forwarding. My setup is as follows:

 

  • One debian 9 virtual machine (VM1), acting as the gateway, is connected to two network interfaces: one (enp0s3) is NAT (connected to the host) and the other (enp0s8) is an internal network named "VPN". The gateway connects to AirVPN using openvpn configuration files. Its /etc/network/interfaces is:
auto lo
iface lo inet loopback

allow-hotplug enp0s3
iface enp0s3 inet dhcp

allow-hotplug enp0s8
iface enp0s8 inet static
    address 192.168.42.10
    netmask 255.255.192.0
  • One debian 9 virtual machine (VM2) acts as the client and is only connected to the internal network "VPN". /etc/network/interfaces:
auto lo
iface lo inet loopback

allow-hotplug enp0s3
iface enp0s3 inet static
    address 192.168.42.11
    gateway 192.168.42.10
    netmask 255.255.192.0

 

Through iptables rules, the VM1 (gateway) transparently forwards traffic from the VM2 (client) to its tun0 interface (AirVPN):

 

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o enp0s8 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp0s8 -o tun0 -j ACCEPT

However, I have found that these rules do not forward DNS traffic (why? I don't know), so after searching around, I have also added the following rules to forward DNS traffic to tun0 (AirVPN) DNS resolver (or so it seems?):

iptables -t nat -A PREROUTING -i enp0s8 -p udp --dport 53 -j DNAT --to-destination 10.5.0.1
iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 53 -j DNAT --to-destination 10.5.0.1

Everyhting seems to work fine, but I don't understand how DNS resolution works. If I test DNS leaks on websites such as ipleak.net, I see that DNS server is AirVPN (=no leak). If I change the abovementioned rules to Google DNS:

iptables -t nat -A PREROUTING -i enp0s8 -p udp --dport 53 -j DNAT --to-destination 8.8.8.8
iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 53 -j DNAT --to-destination 8.8.8.8

I see on ipleak.net that DNS resolution is done by Google DNS servers (=leaks). This seems to indicate that DNS resolution is correctly done by the gateway (VM1), which correctly redirects it through tun0 interface and AirVPN DNS.

 

The problem is that the client (VM1) still seems to at least try to resolve DNS itself: if I leave its /etc/resolv.conf file blank, it fails to resolve anything and fails to connect to any website. But if I write

nameserver 10.0.2.3

which is the default VirtualBox NAT gateway, everything works fine. Why? Why does the client try to resolve DNS queries locally when all its traffic is supposed to be forwarded to the virtual gateway (VM1)? Does it act like a "dummy" DNS resolver that debian needs in order to work? Same goes for the gateway (VM1): if I leave its /etc/resolv.conf file empty, it cannot resolve anything, if I leave the default NAT VirtualBox entry (as above, nameserver 10.0.2.3), it works properly. Why? Isn't AirVPN supposed to replace the default entry in /etc/resolv.conf by its own (10.5.0.1)?

 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...