A weird problem in name resolution popped up after upgrade to new OpenWrt 24.10.0

In short: A host having last part in its IP .100 in my home network lost its ability to do name resolution after the upgrade. All the other hosts in the network weren't affected. Here are excerpts from my findings.

The main router running OpenWrt 24.10.0 shows this. The main suspect shown, but this is where the weirdness begins.

root@fir4:~# dnsmasq -v
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

Logging enabled on the main router and doing name resolution via dnsmasq for names in local domain and dnsmasq forwarding other names to dnscrypt-proxy. In the excerpt another host resolves a local hostname first. Second the host, which lost its name resolution, does the same query. Something somewhere adds local domain second time to the query.

root@fir4:~# logread -f
Sat Feb  8 09:44:37 2025 daemon.info dnsmasq[1]: 41 192.168.0.103/58329 query[AAAA] hud.ebirdie from 192.168.0.103
Sat Feb  8 09:44:37 2025 daemon.info dnsmasq[1]: 41 192.168.0.103/58329 config hud.ebirdie is NODATA-IPv6
Sat Feb  8 09:44:37 2025 daemon.info dnsmasq[1]: 42 192.168.0.103/37701 query[A] hud.ebirdie from 192.168.0.103
Sat Feb  8 09:44:37 2025 daemon.info dnsmasq[1]: 42 192.168.0.103/37701 /etc/hosts hud.ebirdie is 192.168.0.95
Sat Feb  8 09:45:11 2025 daemon.info dnsmasq[1]: 43 192.168.0.100/43340 query[A] hud.ebirdie.ebirdie from 192.168.0.100
Sat Feb  8 09:45:11 2025 daemon.info dnsmasq[1]: 43 192.168.0.100/43340 config hud.ebirdie.ebirdie is NXDOMAIN
Sat Feb  8 09:45:11 2025 daemon.info dnsmasq[1]: 44 192.168.0.100/43340 query[AAAA] hud.ebirdie.ebirdie from 192.168.0.100
Sat Feb  8 09:45:11 2025 daemon.info dnsmasq[1]: 44 192.168.0.100/43340 config hud.ebirdie.ebirdie is NXDOMAIN

There isn't a subdomain ebirdie.ebirdie so the reply is logical. But why this happens on one particular host, is puzzling?

A name resolution done for an external service from the problem host. The query get yet again local domain appended, which is wrong, should not happen and did not before the upgrade.

root@fir4:~# logread -f
Sat Feb  8 09:46:13 2025 daemon.info dnsmasq[1]: 45 192.168.0.100/51741 query[A] ftp.funet.fi.ebirdie from 192.168.0.100
Sat Feb  8 09:46:13 2025 daemon.info dnsmasq[1]: 45 192.168.0.100/51741 config ftp.funet.fi.ebirdie is NXDOMAIN
Sat Feb  8 09:46:13 2025 daemon.info dnsmasq[1]: 46 192.168.0.100/51741 query[AAAA] ftp.funet.fi.ebirdie from 192.168.0.100
Sat Feb  8 09:46:13 2025 daemon.info dnsmasq[1]: 46 192.168.0.100/51741 config ftp.funet.fi.ebirdie is NXDOMAIN

The same name resolution as above done from another host. All well and done.

root@fir4:~# logread -f
Sat Feb  8 09:46:55 2025 daemon.info dnsmasq[1]: 48 192.168.0.95/34036 query[A] ftp.funet.fi from 192.168.0.95
Sat Feb  8 09:46:55 2025 daemon.info dnsmasq[1]: 48 192.168.0.95/34036 forwarded ftp.funet.fi to ::1#5335
Sat Feb  8 09:46:55 2025 daemon.info dnsmasq[1]: 49 192.168.0.95/34036 query[AAAA] ftp.funet.fi from 192.168.0.95
Sat Feb  8 09:46:55 2025 daemon.info dnsmasq[1]: 49 192.168.0.95/34036 forwarded ftp.funet.fi to ::1#5335
Sat Feb  8 09:46:55 2025 daemon.info dnsmasq[1]: 49 192.168.0.95/34036 reply ftp.funet.fi is 2001:708:10:8::2
Sat Feb  8 09:46:55 2025 daemon.info dnsmasq[1]: 48 192.168.0.95/34036 reply ftp.funet.fi is 193.166.3.2

The hosts above both run the same system software. The resolver software is libc6 and there was no differences in their /etc/resolv.conf.

Before I took the above excerpts, I made many efforts to change dnsmasq configuration. I cleaned up everything from dnsmasq conf, which pointed to the problem host except a host record in /etc/hosts. The changes had no effect. After that I restored the conf back.

This is what can be seen on wire at the main router running OpenWrt 24.10.0. The problem host doing name resolution.

root@fir4:~# tcpdump -i eth0 -n host 192.168.0.100
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:16:32.291672 IP 192.168.0.100.56026 > 192.168.0.254.53: 14051+ A? ftp.funet.fi. (60)
10:16:37.297033 IP 192.168.0.100.56026 > 192.168.0.254.53: 14051+ A? ftp.funet.fi. (60)
10:16:37.452623 ARP, Request who-has 192.168.0.254 tell 192.168.0.100, length 46
10:16:37.452668 ARP, Reply 192.168.0.254 is-at e4:5f:01:54:10:9d, length 28
10:16:42.302463 IP 192.168.0.100.58799 > 192.168.0.254.53: 14505+ A? ftp.funet.fi.ebirdie. (76)
10:16:42.303036 IP 192.168.0.254.53 > 192.168.0.100.58799: 14505 NXDomain 0/0/0 (38)
10:16:42.303306 IP 192.168.0.254.53 > 192.168.0.100.58799: 16033 NXDomain 0/0/0 (38)
10:16:47.335666 ARP, Request who-has 192.168.0.100 tell 192.168.0.245, length 28
10:16:47.336151 ARP, Reply 192.168.0.100 is-at 52:54:00:3e:56:78, length 46

The main router gets a query as it should. After a while and after the ARP lines, comes a really weird line.

The same name resolution done from another host seen from wire. All well and done.

root@fir4:~# tcpdump -i eth0 -n host 192.168.0.95
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:23:38.271412 IP 192.168.0.103.57974 > 192.168.0.95.22: Flags [S], seq 1636205869, win 64240, options [mss 1460,sackOK,TS val 1004711519 ecr 0,nop,wscale 7], length 0
10:23:43.264343 IP 192.168.0.95.40502 > 192.168.0.254.53: 21234+ A? ftp.funet.fi. (30)
10:23:43.264358 IP 192.168.0.95.40502 > 192.168.0.254.53: 6137+ AAAA? ftp.funet.fi. (30)
10:23:43.265478 IP 192.168.0.254.53 > 192.168.0.95.40502: 21234 1/0/1 A 193.166.3.2 (57)
10:23:43.265711 IP 192.168.0.254.53 > 192.168.0.95.40502: 6137 1/0/1 AAAA 2001:708:10:8::2 (69)

Downgrading the main router to.

 -----------------------------------------------------
 OpenWrt 23.05.5, r24106-10cc5fcd00
 -----------------------------------------------------
root@fir4:~# dnsmasq -v
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

The problem host gains back its name resolution without any other action than the downgrade. As a bonus, in weirdness, the previous OpenWrt release seems to have the same version of dnsmasq as 24.10.0 has.

Anyone having a sensible explanation, why this is happening to one of my hosts with 24.10.0?

Do you happen to use Banip? If so, switch it off for a test and see if it works then.

Not running Banip on the router nor the host.

Ok, it could have been. Your problem could indicate a bug in the Dnsmasq, especially as you have certainly not changed anything in the configuration. Have you tried another Dns resolver like Unbound?

Not related to your issue directly but I've noticed that firewall traffic rules are not working after upgrading to 24.10.0.

It's only been a few days since the release but the amount of reported bugs/issues is already high.
Probably it's too early to call it a stable release.
I downgraded back to 23.05.5 and it solved my problem.

If you use BanIp deactivate it as a test, Banip has paralyzed the wireguard part of my DDos script, because the maker of Banip has prioritized the chain that contains a few ddos rules higher, unfortunately in an area where there are problems with the conntrack. I also encountered this problem when I was building my ddos script.

Suspection of a bug in dnsmasq made me open this topic. Will try another dns resolver.

I checked my firewall rules, they are very basic and do not affect internal network traffic.

Thanks for sharing the view of rising number in bugs/issues after the release. Tells me in general testing wasn't adequate despite of 6 release candidates with nice cadence. I did run every rc on a dumb ap setup without a glitch but it wasn't enough, I can say now.

You stated that there is just a single host that has issues...

• What is the OS on the host in question?
• What is the host's IP configuration? (static, and if so, what is the complete info; or dhcp)?
• Are there any DNS overrides at the host's os level and/or application level (such as browsers)?
• What happens when you try a lookup in the os (for example, linux/mac would be nslookup openwrt.org)?
• What about if you specify a public nameserver (i.e. nslookup openwrt.org 8.8.8.8)

Please post the complete configuration of your main router:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Correct. That is what makes the problem "weird" in first place, I think.

Debian GNU/Linux 11 (bullseye)

iface eth0 inet static
        address 192.168.0.100/24
        gateway 192.168.0.254

No. The host has been very static for years. It works as NAS and other minor tasks, so it is a headless server system without X or anyother non-essential software...

... Ie. the host has no nslookup utility installed but host is.

ebirdie@vario6:~$ ping ftp.funet.fi
ping: ftp.funet.fi: Temporary failure in name resolution
ebirdie@vario6:~$ host ftp.funet.fi
ftp.funet.fi has address 193.166.3.2
ftp.funet.fi has IPv6 address 2001:708:10:8::2
ftp.funet.fi mail is handled by 10 posti.nic.funet.fi.
ebirdie@vario6:~$ host ftp.funet.fi 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases: 

ftp.funet.fi has address 193.166.3.2
ftp.funet.fi has IPv6 address 2001:708:10:8::2
ftp.funet.fi mail is handled by 10 posti.nic.funet.fi.

ebirdie@vario6:~$ echo nameserver 8.8.8.8 | sudo tee /etc/resolv.conf
nameserver 8.8.8.8
ebirdie@vario6:~$ ping -c1 ftp.funet.fi
PING ftp.funet.fi (193.166.3.2) 56(84) bytes of data.
64 bytes from ipv4.ftp.funet.fi (193.166.3.2): icmp_seq=1 ttl=55 time=19.8 ms
...
ebirdie@vario6:~$ echo nameserver 192.168.0.254 | sudo tee /etc/resolv.conf
nameserver 192.168.0.254
ebirdie@vario6:~$ ping -c1 ftp.funet.fi
ping: ftp.funet.fi: Temporary failure in name resolution

root@fir4:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "fir4",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.4",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}

oot@fir4:~# cat /etc/config/network                                                                                                                                                                                 
                                                                                                                                                                                                                     
config interface 'loopback'                                                                                                                                                                                          
        option proto 'static'                                                                                                                                                                                        
        option ipaddr '127.0.0.1'                                                                                                                                                                                    
        option netmask '255.0.0.0'                                                                                                                                                                                   
        option device 'lo'                                                                                                                                                                                           
                                                                                                                                                                                                                     
config globals 'globals'                                                                                                                                                                                             
        option ula_prefix 'fdde:70e6:9d7b::/48'                                                                                                                                                                      
        option packet_steering '1'                                                                                                                                                                                   
                                                                                                                                                                                                                     
config interface 'lan'                                                                                                                                                                                               
        option proto 'static'                                                                                                                                                                                        
        option netmask '255.255.255.0'                                                                                                                                                                               
        option ipaddr '192.168.0.245'                                                                                                                                                                                
        option ip6ifaceid '::6'                                                                                                                                                                                      
        option device 'eth0'                                                                                                                                                                                         
        option ip6assign '64'                                                                                                                                                                                        
        option delegate '0'                                                                                                                                                                                          
                                                                                                                                                                                                                     
config interface 'wan'                                                                                                                                                                                               
        option proto 'dhcp'                                                                                                                                                                                          
        option reqopts '212'                                                                                                                                                                                         
        option device 'eth1'                                                                                                                                                                                         
        option peerdns '0'                                                                                                                                                                                           
                                                                                                                                                                                                                     
config interface 'wan6'                                                                                                                                                                                              
        option proto 'dhcpv6'                                                                                                                                                                                        
        option device 'eth1'                                                                                                                                                                                         
        option reqaddress 'try'                                                                                                                                                                                      
        option reqprefix 'auto'                                                                                                                                                                                      
        option norelease '1'                                                                                                                                                                                         
        option defaultroute '0'                                                                                                                                                                                      
        option peerdns '0'                                                                                                                                                                                           
        option delegate '0'                                                                                                                                                                                          
                                                                                                                                                                                                                     
config interface 'langw'                                                                                                                                                                                             
        option proto 'static'                                                                                                                                                                                        
        option netmask '255.255.255.0'                                                                                                                                                                               
        option ipaddr '192.168.0.254'                                                                                                                                                                                
        option device 'eth0'                                                                                                                                                                                         
        option delegate '0'                                                                                                                                                                                          
                                                                                                                                                                                                                     
config interface 'wg0'                                                                                                                                                                                               
        option proto 'wireguard'                                                                                                                                                                                     
        option private_key '00000000000000000000000000000000'                                                                                                                                                        
        list addresses '192.168.0.2'                                                                                                                                                                                 
        option auto '0'

root@fir4:~# cat /etc/config/wireless 

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

Note: not used, see line option disabled 1.

config dnsmasq
	option localise_queries '1'
	option domain 'ebirdie'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '0'
	option localuse '1'
	option rebind_protection '0'
	option localservice '0'
	option local '/ebirdie/'
	option cachesize '0'
	option noresolv '1'
	list server '::1#5335'

config dhcp 'langw'
	option ra_management '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '100'
	option leasetime '12h'
	option limit '100'
	list dhcp_option '3,192.168.0.254'
	list dhcp_option '6,192.168.0.254'
	option force '1'
	option dhcpv6 'server'
	option dhcpv4 'server'
	option ra 'server'
	option interface 'langw'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config mxhost
	option domain 'ebirdie'
	option relay 'vario.ebirdie'
	option pref '10'

config host
	option name 'jetti'
	option dns '1'
	option mac '00:00:00:00:00:00'
	option ip '192.168.0.98'
	option leasetime 'infinite'
	option hostid '98'

config host
	option name 'rpi4-1'
	option dns '1'
	option ip '192.168.0.93'
	option 0ui0 '0000000000000000000000000000'
	option hostid '93'
	list mac '00:00:00:00:00:00'
	list mac '00:00:00:00:00:00'

config host
	option mac '00:00:00:00:00:00'
	option name 'fis.ebirdie'
	option dns '1'
	option ip '192.168.0.96'

config match
	option networkid 'bios'
	option match '60,PXEClient:Arch:00000'

config match
	option networkid 'efi32'
	option match '60,PXEClient:Arch:00006'

config match
	option networkid 'efi64'
	option match '60,PXEClient:Arch:00007'

config match
	option networkid 'efi64'
	option match '60,PXEClient:Arch:00009'

config boot
	option filename 'tag:bios,/boot/pxe/bios/lpxelinux.0'
	option serveraddress '192.168.0.100'
	option servername 'vario'

config boot
	option filename 'tag:efi32,/boot/pxe/efi32/syslinux.efi'
	option serveraddress '192.168.0.100'
	option servername 'vario'

config boot
	option filename 'tag:efi64,/boot/pxe/efi64/syslinux.efi'
	option serveraddress '192.168.0.100'
	option servername 'vario'

Note: In topic opening I mentioned removing some config lines for testing. The removed ones are here all sections config match and config boot.

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'langw'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option dest 'lan'
	option name 'AllowIPv6-sit'

config rule
	list proto 'ipv6'
	option name 'Allow-6rd'
	option target 'ACCEPT'
	option src 'wan'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

I see alot of issues.

You have 2 interfaces enumerated on the same PHY. One has IPv6.

Your Wireguard is improperly addressed.

You specify no DNS on WAN and WAN6.

• Why did you erase the lan config and create this one?
• Why do you want both 192.168.1.245 and 192.168.1.254? There's a correct way to list IPs for the interface instead of creating a second interface.

Thanks for your notes. I think the issues you spotted from my configs aren't affecting the problem at hand unless I'm clearly pointed to otherwise. There are reasons why and how they are now. However there is also cleaning to be done, I agree.

Did try out with another dns resolver. Interesting results.

Shutting down dnsmasq and configuring dnscrypt-proxy2 to provide name resolving without internal names did not solve the problem on the host. Other hosts were able to resolv names with the test setup as normal except the local names, obviously.

IMO this busts the assumption of a bug in dnsmasq. What could it then be? Puzzling.

Now going back to 23.05.5.

dnscrypt-proxy2 is not a Dnsresolver it is a proxy used by Dnsmasq to encrypt the requests therefore the error remains Try “Unbound” here the instructions https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md . I always use the parallel configuration.

Seems I was unclear. I did name resolving from both the problem host and hosts, which haven't had any problem, while I had dnscrypt-proxy2 setup as only resolving dns server on the main router. Normally I do your "parallel" way.

dnscrypt-proxy2 web-source says:

dnscrypt-proxy acts as a local caching DNS server for your device or your entire network.

It responds to standard DNS queries, and can be thus configured in network settings in place of your router's or your ISP's resolver.

It does that too, but before the dnsmasq. The Lan devices ask the Dnsmasq and this in turn asks the proxy which then encrypts the request. But there remains the probable problem of Dnsmasq in the chain. As I said, try unbound in parallel mode because the dnsmasq is set to a different port in which it intercepts dns requests and instead unbound is set in their place.

You have 3 interfaces with overlapping subnets. This is likely to cause problems. It should be fixed.

Put another way... your current configuration is known to have a bunch of invalid or malformed parts. Before you can blame anything else, you must fix these.

Conversely, if there is a specific reason you wish to have those things, let's first remove them so that your config is clean, and then we can discuss your goals and the intent of those items.

Maybe there is something fishy in /etc/resolv.conf in your non working client. There might be the reason for added extra domain.

IPV6 in relay mode is not working either after sysupgrade to 24.10. Downgrade to 23.05.5 and it works fine.

Did you manage to fix your issue?

I have a strange dns issue too since 24.10.0

Only partly. I found the problem host to work fine by changing nameserver point to ipv6 address of the main router. On ipv6 everything works with 24.10.0 as before with 23.05.5 on ipv4.

I think this is a workaround fix until I find a root cause, if I find it. Have had a little time to dig around and experiment past week, will try to report the findings, may they help others.