Using an internal DNS server

EricS · November 5, 2017, 9:21am

After switching to LOS, I have problems using the DNS servers on my internal network. This is needed to be able to connect to internal servers by hostname.

All DNS queries seem to go to g*'s DNS server (8.8.8.8 and 8.8.4.4). I confirmed this by using host -v internal.dns.name which then reports that internal.dns.name is not found on one of those servers.

I tried using fixed WiFi IP in the WiFi settings but these seem ignored.
Checking getproperties shows the alternalive DNS servers. Seems to be ignored.
I found following: “Since Android 6.1.x you only can change the DNS for tether device and nothing else, everything else get ignored, no matter what you set or which app you’re use” which doesn’t seem very promising .

What is my use case ?

Run as much open source as possible
Use internal DNS server when either connected to my own WiFi (but not others) or when I have activated the VPN to tunnel to my internal network from elsewhere.

This worked out of the box on Android 5 FPOOS (haven’t tried 6).

I have been playing around with DNS66 but

I can’t seem to figure out how to use it for what I want
Will it be able to apply different rules for different settings ?
It works by setting up a VPN. Does that work when I set up a second VPN to my home network ?

I also tried AFWall+. That seemed more promising when using the customized scripts. I did create a script that seems to work when running it from ADB. However, using the same script in AFWall seems to confuse it and I regularly get blocked without any DNS service .

Is there something wrong with the script ?

Are there other alternatives ? I can think of

udev rules to run the mentioned script
get a notification on network setting changes and then run the script
cron job (shudder, what will that do to battery consumption ?)

Here’s the script:

IP6TABLES=/system/bin/ip6tables
IPTABLES=/system/bin/iptables

TRUSTED_DNS_SERVERS='213.73.91.35    Chaos Computer Club
85.214.20.141   Digitalcourse e.V.
194.150.168.168 AS250.net
84.200.69.80    dns.watch 1
84.200.70.40    dns.watch 2
204.152.184.76  ISC
208.67.222.222  resolver1.opendns.com
208.67.220.220  resolver2.opendns.com
208.67.222.220  resolver3.opendns.com
208.67.220.222  resolver4.opendns.com'

INTERNAL_NETWORK='192.168.99.'
INTERNAL_SERVER='192.168.99.33'
IN_SRV_PORT='99'
INTERNAL_DNS='192.168.99.66'
CHAIN_NAME='my_rules'

internal_network='no'

net=$(ip -o addr | grep '^[0-9]*:[[:space:]]*tun' | sed 's/.*inet \([0-9./]*\).*/\1/' | fgrep $INTERNAL_NETWORK)
if [[ -n "$net" ]]
then
  timeout 3 nc -q 2 -w 2 $INTERNAL_SERVER $IN_SRV_PORT >/dev/null 2>&1
  retval=$?
  if (( $retval == 142 ))
  then
    internal_network='yes'
  fi
fi

if [[ $internal_network == 'yes' ]]
then
  DNS1=$INTERNAL_DNS
  DNS2=$INTERNAL_DNS
else
  nr_servers=$(echo "$TRUSTED_DNS_SERVERS" | wc -l)
  DNS1=$(echo "$TRUSTED_DNS_SERVERS" | cut -c-16 | sed -n "$(( $RANDOM % $nr_servers + 1 ))p")
  DNS1=$(echo $DNS1) # strip spaces
  DNS2=$(echo "$TRUSTED_DNS_SERVERS" | cut -c-16 | sed -n "$(( $RANDOM % $nr_servers + 1 ))p")
  DNS2=$(echo $DNS2) # strip spaces
fi

$IPTABLES -t nat -D OUTPUT -j $CHAIN_NAME
$IPTABLES -t nat -F $CHAIN_NAME
$IPTABLES -t nat -X $CHAIN_NAME
$IPTABLES -t nat -N $CHAIN_NAME
$IPTABLES -t nat -I OUTPUT -j $CHAIN_NAME
$IPTABLES -t nat -A $CHAIN_NAME -p tcp --dport 53 -d 8.8.8.8 -j DNAT --to-destination $DNS1:53
$IPTABLES -t nat -A $CHAIN_NAME -p udp --dport 53 -d 8.8.8.8 -j DNAT --to-destination $DNS1:53
$IPTABLES -t nat -A $CHAIN_NAME -p tcp --dport 53 -d 8.8.4.4 -j DNAT --to-destination $DNS2:53
$IPTABLES -t nat -A $CHAIN_NAME -p udp --dport 53 -d 8.8.4.4 -j DNAT --to-destination $DNS2:53

# disallow any DNS query going to google
$IPTABLES -D OUTPUT -j $CHAIN_NAME
$IPTABLES -F $CHAIN_NAME
$IPTABLES -X $CHAIN_NAME
$IPTABLES -N $CHAIN_NAME
$IPTABLES -I OUTPUT -j $CHAIN_NAME
$IPTABLES -I $CHAIN_NAME -p tcp --dport 53 -d 8.8.8.8 -j REJECT
$IPTABLES -I $CHAIN_NAME -p udp --dport 53 -d 8.8.8.8 -j REJECT
$IPTABLES -I $CHAIN_NAME -p tcp --dport 53 -d 8.8.4.4 -j REJECT
$IPTABLES -I $CHAIN_NAME -p udp --dport 53 -d 8.8.4.4 -j REJECT

exit

Thanks for any help. This is driving me crazy.

chrmhoffmann · November 5, 2017, 10:15am

Does your dhcp server give out the DNS?

What does “getprop | grep -i dns” reply?

Chris

EricS · November 5, 2017, 10:16am

Mainwhile tried the suggestions on xda.

None of them seem to work, except the firewall one.

EricS · November 5, 2017, 10:58am

The dhcp server gives it out. No problems on Android 5 nor on my laptop.

# getprop | grep -i dns
[net.change]: [net.dns2]
[net.dns1]: [192.168.99.66]
[net.dns2]: [208.67.220.220]

That seems fine, but still no ping response.

chrmhoffmann · November 5, 2017, 11:10am

weird that you have two DNSs on different network segments. Does your dhcp give them out both?

chrmhoffmann · November 5, 2017, 11:11am

what does “route” say?

EricS · November 5, 2017, 11:14am

I guess the second on is still left from my previous tries
My router only passes out the first one.

chrmhoffmann · November 5, 2017, 11:15am

Well, if it uses the 2nd one, then no wonder your local addresses are not found.

EricS · November 5, 2017, 11:15am

route

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.99.0 * 255.255.255.0 U 0 0 0 wlan0

ip route show

192.168.99.0/24 dev wlan0 proto kernel scope link src 192.168.99.40

chrmhoffmann · November 5, 2017, 11:17am

“host -v somelocalname” does not work for me either, you have to pass the DNS as 2nd argument.

host -v localserver 192.168.99.66

EricS · November 5, 2017, 11:19am

Hmm, it doesn’t seem to use either.

When I go to termux and type host -v internal.dns.name it get something like this:

Host internal.dns.name not found: 3 (NXDOMAIN)
Received 102 bytes from 8.8.8.8#53 in 61 ms
Received 102 bytes from 8.8.8.8#53 in 61 ms

Could I try something else to pinpoint the actually used DNS server ?

host command in adb shell seems to not support the -v option.

EricS · November 5, 2017, 11:21am

I guess that termux uses a different host command than the system one.

Setting a second argument will force host to use that DNS server. I want to know what it uses by default.

EricS · November 5, 2017, 11:22am

Strange, from adb shell as root I sometimes ping using the dns name.

Other times it doesn’t do that

chrmhoffmann · November 5, 2017, 11:29am

i would still blame your 2nd DNS entry that is “wrong”.

Chris

chrmhoffmann · November 5, 2017, 11:31am

Look at adb logcat output. You should see something like:

11-05 12:29:57.621 2314 3751 D ConnectivityService: Setting DNS servers for network 100 to [/myIPV6DNS, /192.168.0.15]

EricS · November 5, 2017, 11:37am

Indeed, I see a similar thing.

Doublechecked the WiFi settings → I see the second DNS is set the the ‘wrong’ one.

Setting it to the same and trying again.

EricS · November 5, 2017, 11:55am

Seems to work OK now. Both for the WiFi connection and via VPN over 4G

Removed AFWall and DNS66 (to have less moving parts).
Installed GmsCore as system app (related or not ? Mention for completeness)
Put the DNS servers the same for DNS1 & DNS2 on the WiFi

EricS · November 5, 2017, 11:59am

After switching the WiFi connection back to DHCP, it still works !

Not sure what caused the initial problems but it seems fixed now

@chrmhoffmann Thanks for the help.

Drezil · November 5, 2017, 4:01pm

If that problem is solved now: How can i set up that script on my FP2? Just run it as root?
Is the script in your first post already corrected? or still wrong?

m4lvin · November 5, 2017, 4:30pm

Yes, I also just learned this

The relevant file is /data/data/com.termux/files/usr/etc/resolv.conf