Can't query DNS from Guest network

floatingpurr · February 14, 2024, 4:31pm

I have a Guest network configured this way:

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '1.1.1.1'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config rule
	option name 'Allow-DHCP-guest'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'
	option family 'ipv4'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ssid 'Guest-WiFi'
	option encryption 'psk2'
        option key 'password'
	option isolate '1'

I can't query the DNS from the Guest-WiFi, therefore I can't browse the WAN (Internet).

What am I doing wrong?

egc · February 14, 2024, 4:35pm

You also have to allow port 53 for tcp and udp

eduperez · February 15, 2024, 6:27am

My two cents:

The DNSs that you configure on an interface are the DNSs that are available to the router through that interface, not the DNSs that should be used by the devices connected to that interface.
The wireless interfaces need to latch to a bridge.

floatingpurr · February 15, 2024, 10:11am

Thanks @egc and @eduperez for your help. Since I had set external DNSs, I believed that such DNSs were pushed to clients via DHCP as they are. But I was wrong. The DHCP actually uses the router's DNS resolver that, in turn, uses the configured DNSs. So allowing port 53 on Firewall fixed.

Two side questions:

Do I really need port 53/TCP?
I haven't set up a bridge. Currently, the guest network works. I can do it with something like:

uci set network.guest_dev="device"
uci set network.guest_dev.type="bridge"
uci set network.guest_dev.name="br-guest"

and then I can attach it to the interface's device

uci set network.guest.device="br-guest"

Do I need it? What if I do not use that bridge and I simply rely on my current configuration?

egc · February 15, 2024, 10:56am

Normal DNS traffic is UDP but there are exceptions, DNS has always been designed to use both UDP and TCP port 53 from the start, with UDP being the default, and fall back to using TCP when it is unable to communicate on UDP, typically when the packet size is too large to push through in a single UDP packet.

so the answer is Yes

Without a bridge it is a hit or miss on some routers/configurations so I would certainly make/use a bridge, although in your case it appears to work.

Anyway glad it is working

floatingpurr · February 15, 2024, 11:17am

Thank you again, @egc

system · February 25, 2024, 11:18am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.