Android 15 stopped reading dnsmasq entries

Yesterday I swapped out a wireless access point and, once that seemed to be working, attempted to get DAWN running to improve roaming. That didn't go great (clients stopped being able to connect to wifi) so I did my best to revert it.

Now I'm seeing that my Google Pixel 7 Pro running Android 15 can no longer connect to my local self-hosted services for which I had defined a named address in dnsmasq. The same SSID is set up for 2.4 and 5 GHz on the router and AP, so I tried enabling one at a time and all behave the same. I even connected a USB-C to Ethernet adapter to my phone to rule out wifi-specific issues and the issue persists.

However, if I turn on my Wireguard VPN connection from my phone to my router (either while still on the local network or on mobile data) I am able to connect to addresses listed in my dnsmasq settings.

My current /etc/config/dhcp (sanitized by removing static leases and additional list address '...' entries):

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        list address '/home.lan/192.168.1.90'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'CAMS'
        option interface 'CAMS'
        option start '100'
        option limit '150'
        option leasetime '12h'

What I remember doing during the DAWN setup (following these docs) is

  1. replacing the default version of wpad-* on my wireless router and AP with wpad-openssl (originally I accidentally installed wpad thinking that was the "full" one mentioned in the docs - it seems I probably could have left that stock)
  2. installing luci-app-dawn and
  3. adjusting the few config items in the docs

Working backwards, I removed the config items, uninstalled dawn, and for wpad I forgot exactly which version was installed previously but tried both leaving it as is and replacing it with my best guess from memory (wpad-wolfssl on my E8450 running OpenWRT 22.03.3 and wpad-mbedtls on the newly set up NWA50AX Pro running OpenWRT 24.10.1).

For testing, I have been using termux and Network Analyzer. While on wifi with VPN off, if I do a DNS query (without specifying a DNS server - the text box is left with the dimmed reference IP of 192.168.1.1) for my home.lan address, it immediately pulls up an A record with the correct IP. If I try a ping or route test for home.lan it says "Failed to resolve IP address". If I enable my Wireguard tunnel (in which the DNS server is set to 192.168.1.1 and Allowed IPs are 192.168.1.0/24, 192.168.9.0/24, and 172.16.1.0/24), then my ping and route tests work fine.

My Linux desktop (hard-wired), a Linux Laptop (on wifi), and a macOS laptop (tested hard-wired and wifi) all are able to connect to the dnsmasq entries (although I did notice one device that I usually connect to using <hostname>.lan isn't reachable now, so maybe that is a clue?).

I have tried:

  1. Disabling Private DNS on my phone
  2. installing umdns (which I believe had been installed with DAWN but removed again automatically when DAWN was removed)
  3. DNS hijacking (possibly just the LuCI part - I'm forgetting what all I did at midnight last night)
  4. I think there was more, but it was late and I can't recall anything else.

Any tips for digging deeper into this?

Not much to do with local topology, it just falls to auto-doh, you can add canary domain to override its default behavior and use local dns.

I'm not familiar with canary domains, but some googling found the docs for https-dns-proxy which seems to set canary domains for local requests in addition to proxying all DNS to use DoH (a nice bonus).

I've got it set up and loading https://one.one.one.one/help/ shows that my traffic is using DoH (which it wasn't before on either my phone or computer), so to me at least that indicates the DNS traffic is going through OpenWRT's dnsmasq, but I'm still not able to resolve my internal addresses on my Android phone unless I'm specifically doing a DNS lookup separate from anything else (nslookup home.lan or the Network Analyzer app).

What is particularly curious for me is that I'm 99% sure this was all working a few days ago - I've got at least one Android app that was configured to use one of these dnsmasq address overrides and I'm sure I was using it without VPN (I'm just not sure how recently).

Selection is timing based: a few slow responses and it goes to public secure dns. I

Okay, I think I fixed it. I had tried the DNS hijacking before, and then I did the canary domains via https-dns-proxy, but I did not use them together. Turning both on, things seem to be working again!

It is still weird to me how this broke to begin with, but I've got network wide DoH now, so I guess it is a net win.

Thanks for the help @brada4

Whoops, spoke too soon. Seems like it is maybe intermittently fixed? I tried accessing something on my network again and it is back to not resolving. I cycled my wifi and now it is back.

check the dns stats, maybe you need to ignore slow provider dns server.

killall -USR1 dnsmasq
logread -e dnsmasq
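As an added diagnostic (not code from the thread or from OpenWrt), the POSIX shell script below parses the per-upstream counters that dnsmasq writes to the log after the SIGUSR1 above and flags any upstream whose "retried or failed" share exceeds a threshold. The log lines are a constructed sample in the `logread -e dnsmasq` format, and the 10 % threshold is an assumption.

```shell
#!/bin/sh
# Parse dnsmasq's per-upstream statistics (logged after `killall -USR1 dnsmasq`)
# and flag upstreams with a high "retried or failed" share. Such an upstream is a
# candidate to drop from `list server` so that slow answers do not push Android
# into its DoH fallback.

# Constructed sample of `logread -e dnsmasq` output after SIGUSR1 (not real logs).
SAMPLE_STATS='Tue Jun  3 10:00:00 2025 daemon.info dnsmasq[2561]: time 1748944800
Tue Jun  3 10:00:00 2025 daemon.info dnsmasq[2561]: cache size 150, 0/4123 cache insertions re-used unexpired cache entries.
Tue Jun  3 10:00:00 2025 daemon.info dnsmasq[2561]: queries forwarded 2210, queries answered locally 1834
Tue Jun  3 10:00:00 2025 daemon.info dnsmasq[2561]: queries for authoritative zones 0
Tue Jun  3 10:00:00 2025 daemon.info dnsmasq[2561]: pool memory in use 0, max 0, allocated 0
Tue Jun  3 10:00:00 2025 daemon.info dnsmasq[2561]: server 127.0.0.1#5053: queries sent 1105, retried or failed 4
Tue Jun  3 10:00:00 2025 daemon.info dnsmasq[2561]: server 127.0.0.1#5054: queries sent 1105, retried or failed 390'

# server_stats: read log lines on stdin and print one line per upstream:
#   "<server> <queries sent> <retried or failed> <failed percent>"
server_stats() {
    awk '
    /dnsmasq\[[0-9]+\]: server .*queries sent/ {
        # Token layout after the "server" keyword:
        #   server 127.0.0.1#5053: queries sent 1105, retried or failed 4
        for (i = 1; i <= NF; i++) if ($i == "server") break
        srv = $(i + 1); sub(/:$/, "", srv)
        sent = $(i + 4); sub(/,$/, "", sent); sent += 0
        failed = $(i + 8) + 0
        pct = (sent > 0) ? 100 * failed / sent : 0
        printf "%s %d %d %.1f\n", srv, sent, failed, pct
    }'
}

# flag_slow_servers THRESHOLD_PCT: print upstreams whose failed share exceeds the threshold.
flag_slow_servers() {
    threshold="$1"
    server_stats | awk -v t="$threshold" '($4 + 0) > (t + 0) { print $1 }'
}

# On the router the real invocation would be:
#   killall -USR1 dnsmasq; sleep 1; logread -e dnsmasq | flag_slow_servers 10
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_STATS" | server_stats
printf '%s\n' "$SAMPLE_STATS" | flag_slow_servers 10
```

With the sample above only 127.0.0.1#5054 is flagged, since 390 of its 1105 queries were retried or failed.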

This is not the default... did you add this? Does the directory exist and does it have stuff inside?

Let's also review the other config files:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Please help with

opkg list-installed | grep ^dnsmasq

The output looks flaky

I do not recall setting that, but I think it might be part of the adblock package - there is /tmp/dnsmasq.d/adb_list.overall which contains a ton of domains that I would guess are tracking domains. Disabling adblock (from LuCI) does not solve my issue.

# ubus call system board
{
        "kernel": "5.10.161",
        "hostname": "OpenWrt-Router",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
}

Re. the older version: I've been meaning to update OpenWrt, but on my router if I want to go any newer I need to jump through a couple of hoops to rearrange partitions into UBI (it doesn't seem too complicated, but I haven't had a chance where I can afford downtime in the event of an issue). Is there a chance updating would fix it?

# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd32:0d63:e7ab::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option proto 'static'
        option ip6assign '60'
        option device 'br-lan.101'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_vpn 'wgclient'
        option public_key 'REDACTED'
        option preshared_key 'REDACTED'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
        option description 'Generic client'

<MORE REDACTED wireguard_vpn CLIENT CONFIGS>

config interface 'iot'
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'
        option device 'br-lan.103'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.10.10.10'
        option netmask '255.255.255.0'
        option device 'br-lan.102'

config bridge-vlan
        option device 'br-lan'
        option vlan '101'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '102'
        list ports 'lan1:t'
        list ports 'lan4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '103'
        list ports 'lan1:t'
        list ports 'lan4:t'

config device
        option name 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '104'
        list ports 'lan1:t'
        list ports 'lan4:t'

config interface 'CAMS'
        option proto 'static'
        option device 'br-lan.104'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'

# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wmac'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'CA'
        option channel '6'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'guest-wifi'
        option key 'REDACTED'
        option network 'guest'
        option encryption 'psk2'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option cell_density '0'
        option country 'CA'
        option htmode 'HE80'
        option channel 'auto'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'deprecated-iot-wifi'
        option encryption 'sae-mixed'
        option hidden '1'
        option key 'REDACTED'
        option network 'iot'

config wifi-iface 'wifinet6'
        option device 'radio0'
        option mode 'ap'
        option ssid 'internal-wifi'
        option key 'REDACTED'
        option network 'lan'
        option encryption 'sae-mixed'

config wifi-iface 'wifinet8'
        option device 'radio0'
        option mode 'ap'
        option ssid 'iot-wifi'
        option encryption 'psk2'
        option key 'REDACTED'
        option network 'iot'

config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option ssid 'internal-wifi'
        option encryption 'sae-mixed'
        option key 'REDACTED'
        option network 'lan'

# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        list address '/home.lan/home.mydomain.ca/192.168.1.190'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'server'
        option dhcpv6 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option name 'new-bendesktop'
        option ip '192.168.1.190'
        option mac 'REDACTED'

config dhcp 'CAMS'
        option interface 'CAMS'
        option start '100'
        option limit '150'
        option leasetime '12h'

Note I removed most of my static DHCP lease entries and list address '/domain/ip' mappings from the above to reduce clutter and to not show what services might be running on my network.

# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'guest'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'iot'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'iot'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Guest DHCP and DNS'
        option src 'guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config rule
        option name 'Allow IOT to talk to Home Assistant'
        option src 'iot'
        list dest_ip '192.168.1.220'
        option target 'ACCEPT'
        option dest 'lan'
        option enabled '0'

config rule
        list src_ip '172.16.0.196'
        option dest 'wan'
        option target 'ACCEPT'
        option name 'Allow <device> internet access'
        option src 'iot'
        option enabled '0'

config rule
        option name 'Allow LAN to talk to <device>'
        option src 'lan'
        option dest 'guest'
        list dest_ip '10.10.10.192'
        option target 'ACCEPT'

config rule
        option name 'Allow phone internet access on IOT network'
        option src 'iot'
        list src_ip '172.16.0.149'
        option dest 'wan'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.190'
        option dest_port '80'
        option src_ip 'REDACTED'
        option name 'HTTP - Location X'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.190'
        option dest_port '443'
        option src_ip 'REDACTED'
        option name 'HTTPS - Location X'

config zone
        option name 'cams'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'CAMS'

config forwarding
        option src 'lan'
        option dest 'cams'

config rule
        option name 'Cams to Home Assistant'
        option src 'cams'
        option dest 'lan'
        list dest_ip '192.168.1.220'
        option target 'ACCEPT'

config rule
        option name 'Allow wall panel to talk to Home Assistant'
        option src 'iot'
        list src_ip '172.16.0.100'
        option dest 'lan'
        list dest_ip '192.168.1.220'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'

The firewall config seems to be including /etc/firewall.user but no such file exists.

OK, you are running ancient overcustomised/forked OpenWrt. If dnsmasq is too slow, Android goes to its pre-set DoH service; it used to be 1s, then .5s, and I don't know what v15 brought in.
I would recommend upgrading and re-doing config manually (read each release notes, you may need to resize partitions)

Yeah. The version you are running is quite old and unsupported. It may also have security vulnerabilities. Time to upgrade.

More than likely, this is your problem.

Thanks folks, I'll try to upgrade soon.

@psherman adblock was working great for me for a long time. Are you thinking it is no longer working with the latest Android, perhaps because it is introducing latency in the DNS lookups?

I don't know if related but interesting: GL.iNET Flint 2 (GL-MT6000) discussions - #2646 by ktmakwana

Latest Android is expecting lower latency from DNS before switching to DoH.
1/100 DNS lookups misses 1s, which means realistically Android can get a long sequence of slow replies.

I think it is unrelated (that seems wifi specific and I experience my issues with an ethernet adapter as well), but good to know just in case!

Somehow I missed this message.

# opkg list-installed | grep ^dnsmasq
dnsmasq - 2.86-16

Well, read through the upgrade guides; it seems you have at least dns-http-proxy and stubby in addition to adblock. Maybe ssl frameworks aged and part of dns stopped working.

I would recommend going through the upgrade process but not using any dns altering packages or configs. Test for long enough to gain confidence that everything is working properly.

Then, you can install your DoH or Adblock configuration — do this one at a time and test between. If things break, you will then be able to identify which specific set of packages/configs caused the breakage.
