Bizarre DNS problems with Debian Linux after upgrade to 24.10

I think this only started after upgrading OpenWRT to 24.10.

Debian machines (several, including a fresh install from a newer ISO for testing) work with dig and nslookup, but cannot ping, traceroute, wget etc. They are set to the router DNS of 192.168.1.1.

When I change their DNS to something else, like Cloudflare's 1.1.1.1, they work totally fine.

Windows machines are fine, as are Android, iOS, etc.

I did have "HTTPS DNS Proxy" enabled, but I disabled it and the problem persists.

I have tried for hours to troubleshoot this. It doesn't seem likely to be a problem with the Debian settings, because this happens on multiple machines and on a fresh install. One machine is DHCP, another is static IP.

I attach console output from Debian.

user@debian:~$ dig bing.com

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> bing.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14732
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;bing.com.                      IN      A

;; ANSWER SECTION:
bing.com.               537     IN      A       204.79.197.200
bing.com.               537     IN      A       13.107.21.200

;; Query time: 8 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Mon Feb 24 14:58:20 GMT 2025
;; MSG SIZE  rcvd: 69


user@debian:~$ ping bing.com
ping: bing.com: Temporary failure in name resolution

user@debian:~$ ping openwrt.org
ping: openwrt.org: Temporary failure in name resolution

user@debian:~$ ping ipv4.google.com
ping: ipv4.google.com: Temporary failure in name resolution


user@debian:~$ dig openwrt.org

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> openwrt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17106
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;openwrt.org.                   IN      A

;; ANSWER SECTION:
openwrt.org.            3557    IN      A       64.226.122.113

;; Query time: 12 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Mon Feb 24 14:58:51 GMT 2025
;; MSG SIZE  rcvd: 56

user@debian:~$ cat /etc/resolv.conf
nameserver 192.168.1.1

# Changed resolv.conf to Cloudflare 1.1.1.1

user@debian:~$ cat /etc/resolv.conf
nameserver 1.1.1.1

user@debian:~$ ping bing.com
PING bing.com(2620:1ec:c11::200 (2620:1ec:c11::200)) 56 data bytes
64 bytes from 2620:1ec:c11::200 (2620:1ec:c11::200): icmp_seq=1 ttl=55 time=5.59 ms
64 bytes from 2620:1ec:c11::200 (2620:1ec:c11::200): icmp_seq=2 ttl=55 time=5.72 ms
64 bytes from 2620:1ec:c11::200 (2620:1ec:c11::200): icmp_seq=3 ttl=55 time=5.72 ms
64 bytes from 2620:1ec:c11::200 (2620:1ec:c11::200): icmp_seq=4 ttl=55 time=5.64 ms
64 bytes from 2620:1ec:c11::200 (2620:1ec:c11::200): icmp_seq=5 ttl=55 time=5.75 ms
^C
--- bing.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 5.594/5.683/5.747/0.058 ms

user@debian:~$ ping openwrt.org
PING openwrt.org(wiki-03.infra.openwrt.org (2a03:b0c0:3:d0::1a51:c001)) 56 data bytes
64 bytes from wiki-03.infra.openwrt.org (2a03:b0c0:3:d0::1a51:c001): icmp_seq=1 ttl=54 time=20.9 ms
64 bytes from wiki-03.infra.openwrt.org (2a03:b0c0:3:d0::1a51:c001): icmp_seq=2 ttl=54 time=20.0 ms
64 bytes from wiki-03.infra.openwrt.org (2a03:b0c0:3:d0::1a51:c001): icmp_seq=3 ttl=54 time=19.9 ms
64 bytes from wiki-03.infra.openwrt.org (2a03:b0c0:3:d0::1a51:c001): icmp_seq=4 ttl=54 time=19.9 ms
64 bytes from wiki-03.infra.openwrt.org (2a03:b0c0:3:d0::1a51:c001): icmp_seq=5 ttl=54 time=19.9 ms
^C
--- openwrt.org ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 19.862/20.096/20.886/0.395 ms

user@debian:~$ ping ipv4.google.com
PING ipv4.l.google.com (172.217.16.238) 56(84) bytes of data.
64 bytes from lhr48s28-in-f14.1e100.net (172.217.16.238): icmp_seq=1 ttl=117 time=6.22 ms
64 bytes from lhr48s28-in-f14.1e100.net (172.217.16.238): icmp_seq=2 ttl=117 time=5.95 ms
64 bytes from lhr48s28-in-f14.1e100.net (172.217.16.238): icmp_seq=3 ttl=117 time=6.07 ms
^C
--- ipv4.l.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.948/6.079/6.215/0.109 ms

There is a similar thread about this here.

Are you able to show us the output of

cat /etc/config/dhcp

Thanks for the link, I did search but I don't think I'd found that thread.
As mentioned, it happens on a static IP machine too so I don't think it is DHCP.

Yes but this file also has the config for the DNS server running on your router.

As a side note, I had a weird DNS issue similar to yours after upgrading to 24.10 on my Linux machine. I switched to systemd-resolved and that seemed to fix the issue.

Oh you mean that command on the router?

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/tmp/dnsmasq.d'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

I did try systemd-resolved on one machine during troubleshooting, but nothing changed unfortunately.

Can you remove these lines and add the following instead and then restart dnsmasq

        list server '1.1.1.1#53'

Can you also provide the output of

cat /etc/config/network

Done, no change on Debian.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3e:b17b:d52f::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth1'
        option username '...'
        option password '...'
        option ipv6 'auto'
        option peerdns '0'
        list dns '9.9.9.9'

Enable logging for dnsmasq, either in LuCI or by adding option logqueries '1' to the config file.

Debian:

ping bbc.co.uk
ping: bbc.co.uk: Temporary failure in name resolution

OpenWRT:

Mon Feb 24 16:40:48 2025 daemon.info dnsmasq[1]: 3149 192.168.1.112/48070 query[A] bbc.co.uk.lan from 192.168.1.112
Mon Feb 24 16:40:48 2025 daemon.info dnsmasq[1]: 3149 192.168.1.112/48070 config bbc.co.uk.lan is NXDOMAIN
Mon Feb 24 16:40:48 2025 daemon.info dnsmasq[1]: 3150 192.168.1.112/48070 query[AAAA] bbc.co.uk.lan from 192.168.1.112
Mon Feb 24 16:40:48 2025 daemon.info dnsmasq[1]: 3150 192.168.1.112/48070 config bbc.co.uk.lan is NXDOMAIN

I tried "google.com" and "yahoo.de" and they did not even appear in the log.
bbc.co.uk is only appearing for the .lan

It's as if it isn't even receiving the queries.

Adding system details if it is of any relevance. I did notice that at least two other people having DNS issues lately also have this hardware.

{
        "kernel": "6.6.73",
        "hostname": "router",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.5",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}

I have found something promising that can get Debian to work properly.

Add the following to the bottom of Debian's /etc/resolv.conf

options single-request

Ping and traceroute etc started working.

Obviously you shouldn't have to modify clients to get OpenWRT to work properly. Would be interested in what caused this and whether it can be fixed in OpenWRT.

EDIT:
Details of this resolv.conf option from the resolv.conf manual:

single-request (since glibc 2.10)
Sets RES_SNGLKUP in _res.options. By default, glibc
performs IPv4 and IPv6 lookups in parallel since
glibc 2.9. Some appliance DNS servers cannot handle
these queries properly and make the requests time
out. This option disables the behavior and makes
glibc perform the IPv6 and IPv4 requests
sequentially (at the cost of some slowdown of the
resolving process).

EDIT2:

The following option works instead in Debian's resolv.conf

options single-request-reopen

Details from manual:

single-request-reopen (since glibc 2.9)
Sets RES_SNGLKUPREOP in _res.options. The resolver
uses the same socket for the A and AAAA requests.
Some hardware mistakenly sends back only one reply.
When that happens the client system will sit and
wait for the second reply. Turning this option on
changes this behavior so that if two requests from
the same port are not handled correctly it will
close the socket and open a new one before sending
the second request.


I submitted a bug on GitHub on Wednesday, which has as yet not been acknowledged, nor even appears on the issues tab. I tried.

To be clear here, the following indicates that you have made changes to the way that dnsmasq operates:

So the problem is not likely related to the core dnsmasq services on Openwrt, but the changes that occur when you add DoH/DoT or Adguard or similar.

Nope, I did a fresh install without any extra DNS related packages and the problem remained.
I just hope the GitHub issue hasn't been caught by some spam filter.

Try resetting to defaults again (create a backup first), and then only configure the bare minimum (such as your PPPoE wan and WiFi). Don't make any changes to the DHCP file at all.

Ok, just got a new image from the firmware selector. The only extra package I added was "kmod-usb-net-rtl8152" for the USB ethernet adapter.
I then flashed it without keeping settings, logged in and changed the system password, added "wan" interface with PPPoE details but without any other changes. Problem remains.
I am wondering if this issue is specific to armv8 or even my device type (Pi 4B).
Thanks for your help by the way.

We have seen some strange behaviors with some Linux flavors -- Mint in particular. The problems have almost always been traced back to issues with the OS, not OpenWrt.

But let's review the current configuration:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.5",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd40:d59c:1359::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth1'
        option username ''
        option password ''
        option ipv6 'auto'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

Ok... config looks fine.

Can you try a default Debian installation? You don't have to disturb your existing install -- just boot off a live USB stick and see if it works as expected. Or you could do the same with Ubuntu or some other OS.

Kubuntu (Debian-based) Live USB on laptop - works fine with both default config (127.0.0.53 in resolv.conf) and with resolv.conf changed to use 192.168.1.1 (OpenWRT) directly

Debian freshly installed on laptop without Desktop Environment - ping usually not working etc, though works about 1/3 of the time, often with large delay (10 seconds) in name resolution. Probably same as before. This is on Wi-Fi, so I wonder if the inherent latency of the Wi-Fi (around 40ms with about 20ms jitter) is helping the queries not "clash" or something (thinking back to the "options single-request-reopen" and other one).

Debian freshly installed on desktop PC without Desktop Environment - ping not working etc (works maybe 1 in 50 times, as it has been doing for weeks)

Rocky Linux (RHEL-based) freshly installed on laptop, using ethernet via NetworkManager - ping works but has a delay of 5 seconds at beginning for DNS. Happens even if same site pinged again afterwards. Definitely handles the problem more gracefully, but still not correct behaviour.

Adding "options single-request-reopen" to resolv.conf on any of the non-working ones fixes the issue.
This also removes the 5 second delay on Rocky Linux.
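
The lookups that fail in this thread (ping, wget) go through glibc, which per the resolv.conf manual text quoted earlier sends the A and AAAA queries from the same socket, while each dig run shown above sent a single query. The Python below is an added example, not code from the thread, OpenWrt or glibc: it sends both queries from one UDP source port and reports which replies came back, which is the condition that "options single-request-reopen" works around. The function names, transaction IDs and the loopback stub resolver are assumptions made for illustration, and it speaks IPv4 to the resolver only.

```python
import socket
import struct
import sys
import threading
import time

QTYPES = {"A": 1, "AAAA": 28}

def build_query(txid, name, qtype):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)

def paired_lookup(server, name, port=53, timeout=2.0):
    """Send A and AAAA back to back from ONE UDP socket (one source port).

    Returns {"A": rcode_or_None, "AAAA": rcode_or_None}; None means that reply
    never arrived, which is the case single-request-reopen works around.
    """
    pending = {0x1001: "A", 0x1002: "AAAA"}  # arbitrary transaction IDs
    rcodes = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for txid, qtype in pending.items():
            sock.sendto(build_query(txid, name, qtype), (server, port))
        deadline = time.monotonic() + timeout
        while len(rcodes) < len(pending):
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            sock.settimeout(remaining)
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                break
            if len(data) < 12:
                continue  # too short to be a DNS header
            txid, flags = struct.unpack("!HH", data[:4])
            if txid in pending and flags & 0x8000:  # QR bit: this is a response
                rcodes[pending[txid]] = flags & 0x000F
    return {qtype: rcodes.get(qtype) for qtype in pending.values()}

def start_stub(answer_once_per_port):
    """Constructed loopback stand-in for a resolver, for offline runs only.

    With answer_once_per_port=True it ignores every query after the first from
    a given source address and port, imitating the failure the manual describes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    seen = set()
    def serve():
        while True:
            data, addr = srv.recvfrom(4096)
            if answer_once_per_port and addr in seen:
                continue
            seen.add(addr)
            # Echo the question back as an empty NOERROR response (QR, RD, RA set).
            srv.sendto(data[:2] + struct.pack("!H", 0x8180) + data[4:], addr)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Usage: <resolver-ip> <name>; with no arguments, run the constructed stub demo.
    if len(sys.argv) == 3:
        print(paired_lookup(sys.argv[1], sys.argv[2]))
    else:
        print("healthy stub:", paired_lookup("127.0.0.1", "example.test", start_stub(False), 1.0))
        print("faulty stub: ", paired_lookup("127.0.0.1", "example.test", start_stub(True), 1.0))
```

Given a resolver address and a name as arguments it queries that resolver instead of the stub. A None for either record type is a reply that never came back on the shared source port.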