NETGEAR DGN2200v2 router's DNS server not working properly

3

0

I have configured my DGN2200v2 to do the following:

  • Reserve the LAN address for my mac to 10.0.0.11
  • Use 10.0.0.11 as primary DNS server, and 8.8.8.8 as secondary

Now I would expect the router to ask my computer for DNS requests, but it seems to just skip the 10.0.0.11 server and use 8.8.8.8... (I checked using Wireshark and my computer isn't getting any requests, and the pages load, so I guess that's what's happening.)

Is there something I am missing here? I have checked using ipconfig and I indeed have the IP of 10.0.0.11.

Amit Gold

Posted 2016-05-27T14:13:15.507

Reputation: 93

You have a DNS server configured on your desktop? If you do, set the forwarder to a public DNS so the request can go somewhere. Can you ping 10.0.0.11 from your router? – Citizen – 2016-05-28T02:21:33.907

@Citizen for some reason there's 100% packet loss... http://prntscr.com/b9drhg I checked using wireshark, and this is what's going on: http://prntscr.com/b9dry4

– Amit Gold – 2016-05-28T08:30:11.937

That's a routing problem. Destination unreachable. Part of the ICMP suite with ping and tracert. It's your first hop router or your default gateway, saying that it can't get the destination you are attempting to get to. – Citizen – 2016-05-28T08:37:19.420

@Citizen I don't really understand what you said, but what do I do now? – Amit Gold – 2016-05-28T10:38:20.463

Well, by default Windows has the firewall enabled and will block ping (and others)... – Tom Yan – 2016-06-01T17:54:48.273

Your Windows already has a DNS service that will cache DNS entries, so no need really. After the first resolution, your computer will use the cache. – Sun – 2016-06-01T18:59:13.153

Are you by a chance trying to achieve that the other DHCP enabled devices in network use your computer as a DNS server? – Vojtěch Dohnal – 2016-06-06T10:04:23.457

This could be helpful? http://superuser.com/q/45789/285900

– Vojtěch Dohnal – 2016-06-06T11:22:50.900

@VojtěchDohnal yep. – Amit Gold – 2016-06-06T13:12:23.850

Try to describe your problem in better detail: what other devices you have in the network and what the expected behavior is. Right now it seems that you just want a DNS server on your computer to be used by the router, which does not make sense. – Vojtěch Dohnal – 2016-06-06T13:28:08.573

Also, when debugging DNS, use the command-line nslookup with server 10.0.0.11; you can also use set debug. – Vojtěch Dohnal – 2016-06-06T13:30:54.963

@VojtěchDohnal How does it not make sense? I want my router to forward DNS requests to a computer on the network instead of the ones that my ISP tells it to or 8.8.8.8, and then my computer might return some junk IP or might ask 8.8.8.8. Right now I can use nslookup with the server set to 10.0.0.11 and it works and the server logs the action, but when asking 10.0.0.138, which is supposed to forward in turn to 10.0.0.11, the server doesn't log anything and the requests don't get filtered... – Amit Gold – 2016-06-06T16:08:04.290

@VojtěchDohnal to clarify, I am doing both nslookups from another device which is connected to the same router. – Amit Gold – 2016-06-06T16:08:37.293

Perhaps it would be easier to configure DHCP server on the router to give 10.0.0.11 as primary DNS to the clients? – Vojtěch Dohnal – 2016-06-06T16:35:43.347

Let us continue this discussion in chat.

– Amit Gold – 2016-06-06T16:51:02.953

Answers

2

"Reserve the LAN address for my mac to 10.0.0.11." So you did something like this:

[screenshot]

It is not really relevant to your issue though. Anyway, you can certainly ping this address from your PC:

[screenshot]

(I actually wonder if an OS would even route it to your router when it can easily recognize this is its own address)

However, with your Windows Firewall on, you won't be able to ping from your router to your PC:

[screenshot]

Once you have configured it properly, or have it disabled (for testing), it will ping fine:

[screenshot]


"Use 10.0.0.11 as primary DNS server, and 8.8.8.8 as secondary." I am not sure how exactly you did that, but certainly, you can configure it on the client side statically:

[screenshot]

Or through the LAN-side DHCP server setting:

[screenshot]

But certainly, first of all you need to have a DNS server set up on your PC:

[screenshot]

Tom Yan


Reputation: 4 744

So basically my testing is bad I guess, I will try actually making a query from another computer and see if it works. I am not at home right now though so expect updates :D – Amit Gold – 2016-06-05T16:57:15.033

@AmitGold Btw, beware of bad DHCP server implementation on some routers...

– Tom Yan – 2016-06-06T15:10:45.387

0

I think there is a misconception here: DNS queries are not part of the router's services. All the router does is communicate the IPs of the two specified DNS servers to your computer, and it is your computer that issues the DNS queries.

So what happens is that your computer tries to forward DNS queries to itself, but unfortunately by using its external IP address, which means that the connection is done through the router. A connection of this type usually cannot work except via the loopback interface on IP 127.0.0.1 (localhost), which does not pass through the router.

Most consumer-grade routers do not support loopback, which is a computer addressing itself via the router. Such a router will either protect itself against the risk of looping eternally in a circular manner, or its firmware will simply not have the code required to keep track of loopback connections.

The end-result is that the DNS server at address 10.0.0.11 is quickly marked as unusable by your computer when it boots, or on the first DNS query, so is probably already being ignored when you launch Wireshark.

Conclusion: The router is working properly for a consumer-grade router.

Remark:

In general, it is not useful to have two DNS servers, one primary and the other secondary, since Windows will only use one. The secondary DNS server is the backup in case that the first one fails. You will need to define these DNS servers on your computer, not on the router, but Windows will only use the first that answers.

The local DNS server must be defined by the IP address of 127.0.0.1 (localhost). If a local DNS server is to be used by Windows, then this server needs to know how to fall back to the Google server at 8.8.8.8 if it cannot find an answer locally, because Windows will not do this automatically.

harrymc


Reputation: 306 093

That sounds correct to me. How are you making these DNS requests? If the requests are coming from the same computer, that's a loop. The router shouldn't need to make DNS queries unless it's for a completely different thing. If there are other devices that need DNS, I would think they should be pointing to the DNS server directly. If your router is advertising DHCP, the internal DNS should be what is advertised. – BloodyEl – 2016-06-01T21:40:37.707

It seems to me what you want to do should be doable, with the exception of the "consumer-grade" part. If you have hardware lying around you could also just use a linux box as a router and firewall without it costing anything and without proprietary compromises. – BloodyEl – 2016-06-01T21:44:10.973

So basically Windows is protecting itself because it understands that I am trying to address myself? How does it know that the router uses itself, if the configuration of the DNS server is on the router's settings? – Amit Gold – 2016-06-02T13:26:07.080

Windows is not protecting itself: it's starting a connection for the DNS query, but the connection times out because the router doesn't cooperate, so Windows just gives up on it. It's the router that either is protecting itself or is simply not programmed to handle self-loops. – harrymc – 2016-06-02T13:38:33.603

AFAIK it's only common that a "consumer-grade" router does not support being addressed from the LAN with its WAN side IP address (port forwarded or not). I have never seen a "loopback issue" as you've described. – Tom Yan – 2016-06-04T03:40:45.183

@TomYan: "loopback issue" ? I described ? No comprendo. – harrymc – 2016-06-04T09:29:55.537

"So what happens is that your computer tries to forward DNS queries to itself, but unfortunately by using its external IP address. A self-reference like this usually cannot work except via the loopback interface on IP 127.0.0.1 (localhost), which does not pass through the router." – Tom Yan – 2016-06-04T09:45:05.147

@TomYan: Explain please what's wrong with this scenario, if the user did specify his WAN address as DNS server. AFAIK Windows doesn't check the IP address for "correctness" but tries it out and will use it if there is an answer. – harrymc – 2016-06-04T11:03:48.720

@harrymc "if the user did specify his WAN address as DNS server": clearly he did not, according to the two bullet points in the OP? – Tom Yan – 2016-06-04T12:59:39.320

Instead of what you described, he could have set "Use 10.0.0.11 as primary DNS server, and 8.8.8.8 as secondary" in the Internet side setting instead of the LAN-side DHCP server setting though... – Tom Yan – 2016-06-04T13:07:26.780

@TomYan: I still don't understand anything in what you say. I describe nothing except what happens when he did exactly what you claim he should have done, and it didn't work. Please delete your comments above since they are not constructive. – harrymc – 2016-06-04T13:58:45.800

So you are trying to say that when he writes ping 10.0.0.11 on his PC, it will fail because of his router? Never seen this either. – Vojtěch Dohnal – 2016-06-06T11:29:09.403

@VojtěchDohnal: DNS is more complex than ping. – harrymc – 2016-06-06T11:43:45.967

Perhaps, but the packets do not even get to the router's interface, so it does not matter anyway. Your theory is just false, that is it. – Vojtěch Dohnal – 2016-06-06T13:11:50.047

@VojtěchDohnal: This is not theory but fact. I think you miss it - the fact that one can ping something is absolutely not the same as pinging oneself through the router as third party. The router will not cooperate because it's only built to connect local-router-internet. Only sophisticated routers can do paths like local-router-local-router-internet. – harrymc – 2016-06-06T14:39:35.970

A simple 5-minute empirical test: 1. Install a DNS server (Simple DNS Plus, just a few clicks) on a PC with 10.0.0.11. 2. Set up one zone test.com with one A record www there. Disconnect the ethernet cable. 3. Try nslookup, server 10.0.0.11, and try www.test.com. 4. Then do server 127.0.0.1; the behavior is the same and both can translate the name correctly. Your theory is falsified by this test, because there is no router connected at all. – Vojtěch Dohnal – 2016-06-06T15:00:13.923

Let's eventually continue here: http://superuser.com/questions/1086068/is-there-a-chance-that-an-ip-packet-with-the-the-same-source-and-destination-ip

– Vojtěch Dohnal – 2016-06-06T15:23:51.880

@VojtěchDohnal: Please finally understand - the problem is when going through the router. Again : The poster's problem is when going through the router. Please read the post before bombarding with out-of-subject comments. – harrymc – 2016-06-06T18:04:31.547

You probably meant this: "Many DSL routers/modems prevent loopback connections as a security feature. This means that a machine on your local network (e.g. behind your DSL router/modem) cannot connect to a forward facing IP address (such as 199.149.252.44) of a machine that is also on your local network. Connecting to the local IP address (such as 192.168.2.40) of that same machine works fine."? – Vojtěch Dohnal – 2016-06-07T09:51:35.943

@VojtěchDohnal: Yes, I thought this was clear from my answer. If you think it's unclear, feel free to add to it. Although this is not only a security feature: the router needs to be able to keep track of it and a simple router will not have the code for it. – harrymc – 2016-06-07T10:08:20.570