internal DNS question #71

Closed
Wyk72 opened this issue Oct 17, 2023 · 2 comments
Wyk72 commented Oct 17, 2023

I'm having a lot of trouble making an internal DNS work in WAG.

My goal:

  • build a WAG instance on a box that gives 2FA access to a private /24 network (10.90.90.0/24 for example)

  • The WAG subnet will be something like 10.99.99.0/24; a host does the usual registration/2FA and gets access to 10.90.90.0/24

This part WORKS fine.

Now I have difficulty with:

  • this network will have a local dnsmasq that resolves the internal IPs 10.90.90.x using a hosts file (classic dnsmasq usage for local networks)

I'd like this DNS to respond "publicly", i.e. it does not need to be behind MFA; it should always reply.

If I put this value into the "dns" section of the WAG config, any DNS request gets blocked by the firewall even if it gets the right rules:

```json
"client1": {
  "Policies": [
    "10.90.90.1/32 policy [public(20) 53/any]",
    "10.90.90.0/24 policy [mfa(16) any/any]",
    "10.99.99.1/32 policy [public(20) any/any public(20) any/any]"
  ],
```

(dnsmasq running and answering on 10.90.90.1 in this example)

The DNS gets blocked (checked with tcpdump: the request comes in but the counterpart does not answer).

Can you please enlighten me on how to make this DNS work? i.e.:

  • Which network should the DNS reside on? The WAG public subnet (10.99.99.1) or the "local" net (10.90.90.1)?

Any special rule to put into the config ?

NHAS (Owner) commented Oct 17, 2023

Thanks for opening this as a discrete issue.

I'm going to assume that you're trying to run your dns server on the wag host itself.

To do that you will need to use the ExposePorts directive, as wag inserts iptables rules to block inbound traffic.
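To make the answer above concrete, here is an added illustration of the relevant parts of a wag config for this setup (dnsmasq running on the wag host itself, listening on its LAN address 10.90.90.1). This is not the project's own example and not from either commenter: ExposePorts is the directive named in the reply, while the other key names, the policy syntax and the addresses are assumptions carried over from this issue, so check them against the wag README for your version. The `//` annotations are not valid in wag's JSON config and must be stripped before use.

```jsonc
{
  // ExposePorts punches holes in the INPUT rules wag installs on the host.
  // Without these, a query reaches the box (visible in tcpdump) but is
  // dropped before dnsmasq sees it, so no reply is ever sent.
  "ExposePorts": [
    "53/udp",
    "53/tcp"
  ],

  "Wireguard": {
    "DevName": "wg0",
    "Address": "10.99.99.1/24",          // assumed: wag side of the tunnel
    "DNS": ["10.90.90.1"]                // assumed key: DNS pushed to clients
  },

  // Assumed policy layout: a "public" (pre-MFA) allow for port 53 on the
  // dnsmasq address, and MFA for everything else on the LAN.
  "Acls": {
    "Policies": {
      "*": {
        "Allow": [
          "10.90.90.1 53/udp",
          "10.90.90.1 53/tcp"
        ],
        "Mfa": [
          "10.90.90.0/24 any/any"
        ]
      }
    }
  }
}
```

After restarting wag, `iptables -S INPUT` on the host should show an ACCEPT for dpt:53 ahead of wag's drop rule, and a registered client that has not yet completed MFA should get an answer from `dig @10.90.90.1 <internal-host>`. The symptom in the report, a query visible in tcpdump with no reply, is characteristic of the INPUT drop rather than of a policy problem, because tcpdump captures before netfilter's INPUT chain decides. ExposePorts only concerns traffic delivered to the wag host itself; if dnsmasq instead lives on a separate LAN machine, the packets are forwarded rather than received locally, and the "public" policy for port 53 is what governs them.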

Wyk72 (Author) commented Oct 17, 2023

Yes, exactly. That was my issue. I missed it in the instructions. Thanks a lot.
