Providing local DNS service behind a cheap router/gateway

Chris Buxton cbuxton at
Thu Dec 27 18:46:41 UTC 2007

First off, what you have now functions. There are just performance  
problems. This could probably be resolved by configuring global  
forwarding in the DNS server pointing to some outside name server that  
has a bigger cache and more available bandwidth. Loading a typical  
webpage involves several DNS lookups, and if those lookups each take a  
couple of seconds, it can look like there is a problem at the HTTP  

If you turned on the DNS proxy service in the router, it would give  
out its own address as a DNS service in DHCP leases. It would then  
forward queries to whatever is configured in it as an "outside" name  
server. This would be the internal DNS server, which would then send  
queries to the outside world (through the router). However, the DNS  
proxy service in the router would probably* not interfere with this -  
there would be no infinite loop.

* Some routers have an actual DNS interceptor (transparent proxy) that  
would cause things to fail. But usually, it's a simple DNS server that  
only receives queries that are addressed to it. This is usually done  
using dnsmasq, which is most likely also the DHCP server - this can  
have some neat capabilities if properly configured. You might want to  
look at a replacement firmware such as Tomato.

Since you're having performance problems with your BIND name server  
and outside data, it might make sense to switch to something simpler  
like dnsmasq (possibly in your router) that would forward everything  
unknown out to a better-connected resolving name server.

If you decide instead to build your own DHCP server, then for a small  
office, you may still end up wanting to use dnsmasq. If you decide to  
set up ISC's DHCP service instead, you'll have a lot more work to do,  
and for a small network you probably won't see any functional benefit.  
Either way, setting up a separate DHCP service (from the router) means  
disabling the DHCP service in the router itself.

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone:   +354 412 1500
Email:   cbuxton at

Men & Mice
We bring control and flexibility to network management

This e-mail and its attachments may contain confidential and  
privileged information only intended for the person or entity to which  
it is addressed. If the reader of this message is not the intended  
recipient, you are hereby notified that any retention, dissemination,  
distribution or copy of this e-mail is strictly prohibited. If you  
have received this e-mail in error, please notify us immediately by  
reply e-mail and immediately delete this message and all its attachment.

On Dec 23, 2007, at 7:25 PM, Steven Stromer wrote:

> Many of my smaller clients use high-end consumer or low-end
> professional router/gateways. These router/gateways provide DHCP
> services for the LAN, and are thus providing LAN hosts with DNS
> information dynamically. The DNS servers that the LAN hosts are
> pointed to are BIND servers running on the LAN. In these router/
> gateways, there is no DHCP specific option for specifying the the IP
> address to offer for DNS. The only solution is to assign the LAN
> address of the BIND server in the router's WAN configuration.
> The result that I believe is achieved is that the router/gateway
> provides the LAN address of the local BIND host to the local clients
> (this part I know to be correct). When needing name resolving
> service, the local clients query the DNS service on the LAN, and the
> BIND service uses full recursion to query authoritative name servers
> on the internet, passing these queries, and all replies, through the
> very router/gateway that provided the DHCP service.
> This seems to function, but not perfectly; I notice that web pages
> and similar services that depend on name resolution load more slowly
> than I'd expect them to, but I'm not sure why. I am not certain
> whether the router 'appreciates' having to look inward to the LAN for
> name resolution, or having to pass the DNS responses on to the BIND
> server on the LAN instead of handling them itself.
> There exists an option in the router/gateway to toggle on or off
> 'Provide DNS proxy service', which I have turned off, so that the
> router/gateway will not try to use its own DNS configuration (which,
> as described earlier, points to the BIND server on the LAN) to
> resolve the outgoing queries from the BIND server. This would
> obviously cause a never-ending loop between the BIND service running
> on the LAN and the router/gateway itself.
> I have a feeling that the best solution would be to move the DHCP
> service to one of the internal linux servers, and to be done with it
> all, but it doesn't resolve my curiosity regarding this arrangement,
> nor does it provide me the time to rearrange DHCP service, which is
> really limited at the moment. Any insight on whether this convoluted
> configuration could ever work would be really appreciated!
> Thanks,
> Steven Stromer

More information about the bind-users mailing list