UPDATE (20131122): Sometimes realhostip.com goes down and can cause DNS failures.
Recently, console access to my CloudStack VMs stopped working from the browser altogether. Safari would simply show a blank page, while Google Chrome would show a more helpful “Unable to resolve the server’s DNS address” error.
And the culprit turned out to be a minor dnsmasq setting in DD-WRT.
The browser was unable to resolve the console access URLs generated by CloudStack. These URLs point to realhostip.com, which is the default wildcard DNS domain configured in CloudStack. Queries for realhostip.com were failing.

    $ host 192-168-64-102.realhostip.com 192.168.44.1
    Using domain server:
    Name: 192.168.44.1
    Address: 192.168.44.1#53
    Aliases:

The same query would work against public DNS servers like Google DNS:

    $ host 192-168-64-102.realhostip.com 220.127.116.11
    Using domain server:
    Name: 18.104.22.168
    Address: 22.214.171.124#53
    Aliases:

    192-168-64-102.realhostip.com has address 192.168.64.102
I recently changed my home edge router from a Linksys EA3500 to Asus RTN16 running the open-source DD-WRT firmware. The DD-WRT “No DNS Rebind” setting was set to “Enabled” and was causing the DNS resolution to fail.
According to dnsmasq(8):

    --stop-dns-rebind
        Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network.
Since my home CloudStack public network uses RFC 1918 private subnets, the answers for these names were being rejected by dnsmasq on my local DNS server, 192.168.44.1.
The fix is to disable the “No DNS Rebind” option in DD-WRT.
After the change, realhostip.com addresses started resolving and console proxy access from the browser worked once more.

    $ host 192-168-64-102.realhostip.com
    192-168-64-102.realhostip.com has address 192.168.64.102
Update (20131118): OpenWRT users should turn off the “Rebind Protection” option.
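As an added example (not from the original post and not dnsmasq's own code), this Python model reproduces the filter described in the dnsmasq(8) excerpt above and compares the post's fix with dnsmasq's `--rebind-domain-ok` option, which exempts a single domain while leaving the check on for everything else. It assumes only the RFC 1918 ranges count as private; the sample answers and the function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges; a simplified stand-in for the private ranges dnsmasq checks.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it (label-aligned)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def filter_answers(answers, stop_dns_rebind=True, rebind_domain_ok=()):
    """Split upstream (name, address) answers into (accepted, rejected)."""
    accepted, rejected = [], []
    for name, addr in answers:
        exempt = any(in_domain(name, d) for d in rebind_domain_ok)
        if stop_dns_rebind and is_private(addr) and not exempt:
            rejected.append((name, addr))
        else:
            accepted.append((name, addr))
    return accepted, rejected


# Constructed upstream answers: the console-proxy name from this post, a
# made-up name that points into the LAN, and a public (documentation) address.
ANSWERS = [
    ("192-168-64-102.realhostip.com", "192.168.64.102"),
    ("rebind.example.net", "192.168.44.1"),
    ("www.example.org", "198.51.100.7"),
]

if __name__ == "__main__":
    for label, kwargs in [
        ("No DNS Rebind enabled", {}),
        ("No DNS Rebind disabled", {"stop_dns_rebind": False}),
        ("enabled + rebind-domain-ok=/realhostip.com/",
         {"rebind_domain_ok": ["realhostip.com"]}),
    ]:
        _, rejected = filter_answers(ANSWERS, **kwargs)
        print(f"{label}: rejected {[n for n, _ in rejected]}")
```

With the domain exemption, the realhostip.com name resolves again while the other private-address answer is still rejected. The corresponding dnsmasq configuration line is `rebind-domain-ok=/realhostip.com/`, assuming the firmware's dnsmasq build supports that option.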