Attempting to browse NXDOMAIN leads to local webserver

I have a network with a webserver reached through port forwarding of 80 and 443 in LUCI>Firewall>Port Forwards. This works as expected. However, when trying to reach a non-existent website from any LAN device, the client is for some reason connected to the webserver. This gives a certificate error since the bogus domain does not match the domains specified in the server's certificate. When I continue anyway, my webserver is shown...

I suspected some kind of mess with DNS, but nslookup behaves as expected from LAN clients:

nslookup dhfgjshagfkyjhsa.net
Server:		192.168.10.1
Address:	192.168.10.1#53
** server can't find dhfgjshagfkyjhsa.net: NXDOMAIN

Entering the same address in a browser leads to the aforementioned webserver (and certificate error).

I really don't understand how this may happen, and would greatly appreciate any hints on how to solve this awkward problem. Here are the two forwards in my firewall config file (I replaced my public IP with "CENSORED"):

config redirect
        option dest_port '80'
        option src 'wan'
        option name 'HTTP-solsikke'
        option src_dport '80'
        option target 'DNAT'
        option dest_ip '192.168.10.11'
        option dest 'lan'
        list proto 'tcp'
        option src_dip 'CENSORED'

config redirect
        option dest_port '443'
        option src 'wan'
        option name 'HTTPS-solsikke'
        option src_dport '443'
        option target 'DNAT'
        option dest_ip '192.168.10.11'
        option dest 'lan'
        list proto 'tcp'
        option src_dip 'CENSORED'

Any ideas on where I get it wrong, or where to search for the cause of this behavior?

Check with another browser, be sure to disable DoH.


I have tried from Firefox and Chrome on an Android device (wifi) and the same two browsers + Chromium on a Debian desktop (ethernet). Same results, any NXDOMAIN seemingly resolves to my webserver. I am using Dnscrypt-proxy2 and Dnsmasq, but I really don't see how it could be a problem there, since nslookup reports any NXDOMAIN as NXDOMAIN...

There's a big difference between nslookup and the OS/browser resolvers.
Collect the diagnostics and post it to pastebin.com redacting the private parts:

ubus call system board; uci show network; uci show dhcp; uci show firewall; \
ip address show; ip route show table all; ip rule show; iptables-save -c; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Here is my paste: Conf :slightly_smiling_face:


Are you using the NAT loopback?

[2:120] -A zone_lan_prerouting -s 192.168.10.0/24 -d PU.BLIC.IP/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP-solsikke (reflection)" -j DNAT --to-destination 192.168.10.11:80
[54:3240] -A zone_lan_prerouting -s 192.168.10.0/24 -d PU.BLIC.IP/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS-solsikke (reflection)" -j DNAT --to-destination 192.168.10.11:443
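The two "(reflection)" rules above are what NAT loopback looks like in the live ruleset: any LAN client that sends TCP/80 or TCP/443 to the public IP is DNATed to 192.168.10.11, whatever hostname it thought it was connecting to. The script below is an added example, not code from the thread or from OpenWrt: it pulls the reflection DNAT rules out of `iptables-save -c` output, maps each rule's `!fw3:` comment back to the redirect section of the same name in `uci show firewall`, and prints the `uci set firewall.@redirect[N].reflection='0'` commands that turn loopback off for exactly those redirects. The sample ruleset and uci output are constructed; 203.0.113.5 stands in for the redacted public IP.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -c` lines (nat table, OpenWrt fw3 naming).
# The third line is the ordinary WAN-side forward, which has no "(reflection)" tag.
SAMPLE_IPT='[2:120] -A zone_lan_prerouting -s 192.168.10.0/24 -d 203.0.113.5/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP-solsikke (reflection)" -j DNAT --to-destination 192.168.10.11:80
[54:3240] -A zone_lan_prerouting -s 192.168.10.0/24 -d 203.0.113.5/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS-solsikke (reflection)" -j DNAT --to-destination 192.168.10.11:443
[7:420] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP-solsikke" -j DNAT --to-destination 192.168.10.11:80'

# Constructed sample of `uci show firewall` (only the redirect sections).
SAMPLE_UCI="firewall.@redirect[0]=redirect
firewall.@redirect[0].name='HTTP-solsikke'
firewall.@redirect[0].dest_ip='192.168.10.11'
firewall.@redirect[1]=redirect
firewall.@redirect[1].name='HTTPS-solsikke'
firewall.@redirect[1].dest_ip='192.168.10.11'"

# reflection_rules: read iptables-save output on stdin, print one line per
# NAT-loopback DNAT rule as "<redirect name> <src net> <dst ip> <dport> <target>".
reflection_rules() {
  grep -- '(reflection)' | grep -- '-j DNAT' |
    sed -n 's|.*-s \([^ ]*\) -d \([^ /]*\)/[0-9]* .*--dport \([0-9]*\) .*!fw3: \([^ ]*\) (reflection).*--to-destination \([^ ]*\).*|\4 \1 \2 \3 \5|p'
}

# disable_reflection_cmds: $1 is `uci show firewall` output, stdin is the output
# of reflection_rules. For every rule whose name matches a redirect section,
# emit the uci command that disables NAT reflection for that redirect.
disable_reflection_cmds() {
  while read -r name src dst dport target; do
    idx=$(printf '%s\n' "$1" |
      sed -n "s|^firewall\.@redirect\[\([0-9]*\)\]\.name='$name'\$|\1|p")
    if [ -n "$idx" ]; then
      printf "uci set firewall.@redirect[%s].reflection='0'   # %s -> %s:%s from %s\n" \
        "$idx" "$dst" "$target" "$dport" "$src"
    fi
  done
  printf 'uci commit firewall\n/etc/init.d/firewall restart\n'
}

# On the router the real invocation would be:
#   iptables-save -c | reflection_rules | disable_reflection_cmds "$(uci show firewall)"
# Here it runs on the constructed sample instead.
printf '%s\n' "$SAMPLE_IPT" | reflection_rules | disable_reflection_cmds "$SAMPLE_UCI"
```

Matching by the `!fw3:` comment name rather than by section index matters because the `@redirect[N]` index in uci follows the order of sections in /etc/config/firewall, which is not necessarily the order the rules appear in the ruleset. The `reflection` option is per redirect, so you can keep loopback for one forward and drop it for another.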

Most likely the DNS queries resolving to NXDOMAIN are expanded automatically with the following:


Yes, I did this in the Luci>Firewall>Port Forwards (for each of my two forwards, one for 80 and one for 443). It made it easier to access the services from Lan. Could this be the cause of my problems?

Thanks for the answer. :slight_smile: I will try to disable it and test how it goes... I will be reporting later.

You can try to rebind the domain with its local IP address and remove those redirects.


Sorry for being a pain, but my knowledge is somewhat limited. Did you mean I should remove the NAT-loopbacks in the Port Forwards (mentioned by trendy)?

I did just now disable "Expand hosts" under LUCI>Network>DHCP and DNS>Advanced Settings. Restarted dnsmasq, and unfortunately the same things still happens. Also, I am unsure how to rebind the domain..? Could you point me in the right direction?

uci set dhcp.@dnsmasq[0].local="/iceleaf.net/"
uci add dhcp domain
uci set dhcp.@domain[-1].name="iceleaf.net"
uci set dhcp.@domain[-1].ip="192.168.10.11"
uci commit dhcp
/etc/init.d/dnsmasq restart

Thank you, man, this actually works! :slight_smile: Could I ask a foolish question: The loopback on my port forwards under Luci>Firewall>Port Forwards (mentioned by trendy). Are they somehow troublesome? Sorry, but I am only an amateur. I think, however, the loopback was auto enabled when creating the port forwards.

You can disable NAT reflection using the respective option:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration?s=reflection#options2

