Cannot open pages by DNS

Hi, I'm using openconnect on OpenWrt installed on a Raspberry Pi 3 B. I have a lan interface, a wan interface and an anyconnect interface.
I have defined in the firewall general settings to forward lan traffic to openconnect:

I have various DNS servers on the lan interface, such as and and
But unfortunately I cannot open web pages using their names; apparently the DNS server is not working at all!

╰─$ nslookup                                                     

Non-authoritative answer:
*** Can't find No answer

But when I add the DNS server manually in the resolv.conf file, everything works fine.
How can I fix this problem?

In the firewall you allow or deny traffic; you don't forward it. To troubleshoot this we need to see:
uci export network; uci export dhcp; ip -4 addr; ip -4 ru; ip -4 ro

That is wrong; you should assign the nameservers under the interface through which the router can reach them, in your case wan or anyconnect.

Thanks for your reply.
The output of uci export network; uci export dhcp; ip -4 addr; ip -4 ru; ip -4 ro:

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask ''
	option ip6assign '60'
	option ipaddr ''
	list dns ''
	list dns ''
	list dns ''
	list dns ''
	option delegate '0'

config interface 'WAN'
	option proto 'dhcp'
	option ifname 'eth0'
	option type 'bridge'

config interface 'oc'
	option proto 'openconnect'
	option password '*****'
	option serverhash '******'
	option password2 '*****'
	option username '*****'
	option server '*****'
	option delegate '0'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/'
	option localservice '1'
	option rebind_protection '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet scope host lo
       valid_lft forever preferred_lft forever
7: br-WAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet brd scope global br-WAN
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet brd scope global br-lan
       valid_lft forever preferred_lft forever
13: vpn-oc: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1434 qdisc fq_codel state UNKNOWN qlen 500
    inet brd scope global vpn-oc
       valid_lft forever preferred_lft forever
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
default dev vpn-oc scope link
 via  dev br-WAN
 dev br-WAN scope link  src
 dev br-lan scope link  src
 dev vpn-oc scope link

And I don't see any option to add DNS servers in anyconnect. But I believe the openconnect server is pushing its DNS servers, because this is what I see in the logs:

Sun Apr  5 17:29:07 2020 dnsmasq[6365]: using nameserver
Sun Apr  5 17:29:07 2020 dnsmasq[6365]: using nameserver
  • In 99% of the cases where I see a br-wan interface, something is wrong. Tell us about the bridges you have in the lan and wan interfaces.
  • All the traffic goes through the openconnect.
  • Don't forget to remove the DNS servers from the lan interface. Assign them to wan if openconnect doesn't take DNS options.

This is the dnsmasq log, not openconnect's. It is listing the nameservers it is using, and it seems OK judging by what you have configured.
Post also the following to make sure everything else is correct:
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

Thanks for your reply. Removing the DNS servers from the lan interface and adding them to the wan interface fixed the problem.
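The misconfiguration that this thread resolves (static `list dns` entries under lan, where the router cannot reach them, instead of under the upstream wan or VPN interface) can be caught mechanically from a `uci export network` dump. The script below is an added example and is not part of the thread or of OpenWrt; it parses an export, reports every DNS server placed under a non-upstream interface, and prints the `uci del_list`/`add_list`/`commit` commands that move them. It only prints those commands rather than running them, so it works on any POSIX sh, not just on the router. The sample export and its 10.0.0.53/10.0.0.54 addresses are constructed for the example. UCI section names are case-sensitive, so the check compares them literally (the thread's export names the section 'WAN', which is why the bridge is called br-WAN).

```shell
#!/bin/sh
# Lint a `uci export network` dump: static `list dns` entries belong under an
# upstream interface (wan or the VPN interface), not under lan.
# Added example, not OpenWrt code; addresses below are constructed.

# Constructed sample export, modelled on the thread's (values are made up).
sample_export() {
cat <<'EOF'
package network

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	list dns '10.0.0.53'
	list dns '10.0.0.54'

config interface 'WAN'
	option proto 'dhcp'
	option ifname 'eth0'

config interface 'oc'
	option proto 'openconnect'
EOF
}

# Read an export on stdin; print "<interface> <dns-server>" per `list dns` line.
dns_entries() {
    awk -v q="'" '
        $1 == "config" && $2 == "interface" { gsub(q, "", $3); iface = $3 }
        $1 == "list"   && $2 == "dns"       { gsub(q, "", $3); print iface, $3 }
    '
}

# Read an export on stdin; arguments name the upstream interfaces (e.g. WAN oc).
# Print "<interface> <dns-server>" for every server under a non-upstream interface.
misplaced_dns() {
    upstream=" $* "
    dns_entries | while read -r iface dns; do
        case "$upstream" in
            *" $iface "*) ;;                  # upstream: correct placement
            *) echo "$iface $dns" ;;           # anything else (e.g. lan): flag it
        esac
    done | sort -u
}

# Read an export on stdin; print the uci commands that move each misplaced
# server to the target upstream interface (first argument), then commit and
# reload. Nothing is executed here; review the output, then run it on the router.
uci_fix_commands() {
    target=$1; shift
    misplaced_dns "$target" "$@" | while read -r iface dns; do
        printf "uci del_list network.%s.dns='%s'\n" "$iface" "$dns"
        printf "uci add_list network.%s.dns='%s'\n" "$target" "$dns"
    done
    echo "uci commit network"
    echo "/etc/init.d/network reload"
}

# Usage: sample_export | uci_fix_commands WAN oc
# On a real router: uci export network | misplaced_dns wan oc
```

After applying the printed commands, the helper's check from earlier in the thread (`head -n -0 /etc/resolv.* /tmp/resolv.*`) should show the moved servers in the resolver file that dnsmasq reads via `option resolvfile`, and `nslookup` against the router should resolve again.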

