Sunday, 26 April 2015

DNS with DD-WRT and dnsmasq

I recently switched ISPs. I had been a broadband customer for 15 years with the same ISP. I had a fairly complicated home network with a few routers, one of which provided DHCP and DNS. Between my network and the ISP’s, I had a simple ADSL modem with no additional functionality (i.e. no built-in wireless or router).

My new cable modem (an Arris/Motorola SBG6782) came with wireless, four wired LAN ports, and a router. Basic connectivity was up very quickly, and we were able to start connecting wirelessly to the new network.

Unfortunately, the new modem/router is also “idiot-proofed” by the manufacturer and/or the ISP. Among other features, I’m forced to use the “192.168.0/24” subnet for my LAN. Way back, for reasons that I have mostly forgotten, I set up my LAN on “10.3.3.0/24”. This meant that all my network infrastructure, including file servers, storage boxes, printers, backup destinations, etc. were all broken by the new router.

After a couple of unsuccessful attempts to make the router act only as a modem, I decided that reconfiguring my network was probably the quickest solution. (The ISP’s support forums suggested it was possible, but it didn’t work for me, and their customer support denied all knowledge of how to do it.)

In my old network, one DD-WRT-based router was connected to the ADSL modem (Internet) via the router’s WAN port. That router provided DHCP and DNS for my network. The DNS provided addresses for devices in my network with static IPs and those that got addresses from DHCP.

For the new network, I disconnected the WAN port and hooked the LAN side of the router into an 8-port switch that was also connected to the cable modem. I changed all the relevant IP addresses in the router to “192.168.0.x” addresses. Tedious, but it mostly worked.

The part that didn’t work was DNS. If I had DHCP on my router hand out my router’s IP as the DNS server, I could look up hosts on my LAN, but not on the Internet. If I hard coded the ISP’s DNS servers into my router, I could look up hosts on the Internet, but not on my LAN.

Since my router was no longer using DHCP to get its Internet address from the ISP, the magic done by DD-WRT and/or dnsmasq to configure the DNS service wasn’t working any more.

After a bit of Googling, and reading dnsmasq documentation, I decided that what was missing was to put the ISP’s DNS servers into the router’s /tmp/resolv.dnsmasq file. So in the Administration-> Commands page of the router’s web interface, I added these lines to the start-up script:

echo 'nameserver 64.59.144.93' >> /tmp/resolv.dnsmasq
echo 'nameserver 64.59.150.139' >> /tmp/resolv.dnsmasq
killall -HUP dnsmasq

After rebooting the router, and disconnecting and reconnecting my computer to force it to get the new settings from the router, DNS works.

I’m not sure if this is the “right” way to do it, but it works.

Sunday, 19 April 2015

Single Sign-Off

One of the things I find amusing about the IT business is how often we create unintended consequences for ourselves.

Last week at work we ran into an interesting dilemma: We have a nice set-up to enable some level of single sign-on for our external users (business partners), across a suite of applications they use. We're preparing to deploy some browser-based COTS software into that suite of applications. Like most applications, the new one has a "log out" button.

When the user logs out, we'd like to take them back to a page that says, "You have logged out. To log on again click here." But we can't, because once they click on the log-out link, our "single sign-on" becomes "single sign-off". Before they can see any page on our partner network, we have to send them to our corporate log-in page.

We have options, so it's not like this is a huge problem. But no one thought of it before, so we're going through a bit of churn while people get their head around the problem and decide how they want to deal with it.

So don't forget, "single sign-on" also means "single sign-off".