DNS failure on Android clients; but not on Linux clients

DNS failure on Android clients; but not on Linux clients:

It's DNS right? - "Connected to device. Can't provide internet."

I've been building a complicated home network, for fun and to learn things. I'm not sure what is relevant, or exactly what to ask.

So before I spew out a desperate plea for help with a bunch of my configuration info, let me try to educate myself.

Do you know any documents or how to guides on setting up OpenWrt to be a DNS cache/server for a local network?

Thank you!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

The Setup
There are VLANs involved. The APs and switches are all accessible on VLAN 4 - "iot", while computers, phones and such are all on VLAN 2 - "house".

On the AP
I'm using the Network => Switch LuCI page to enumerate the VLANs, a wireless mesh on radio0, and a GRETAP tunnel to carry the VLANs on my network over the air to another AP where I hope to connect more computers. The AP that I'm testing with is the start of the bridge; it has wired access to my home network, and through that to the internet.
Currently there is one firewall zone defined, and the AP interface is assigned to that zone, which is in turn connected to a bridge, which links together eth0.4, @GreT.4, and the WiFi Mesh (which the GRETAP tunnel runs through).
The GRETAP tunnel and the "house" interface are not assigned to a firewall zone (so only the firewall defaults apply to them). The "house" interface is connected to a bridge which links together eth0.2, @GreT.2, and the WiFi network on radio1.

I tried to sanitize everything, and use generic names. If there is a weird typo here and there it's probably due to my editing.

ubus call system board

{
        "kernel": "5.15.150",
        "hostname": "FastJack3",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "Ubiquiti UniFi AC Pro",
        "board_name": "ubnt,unifiac-pro",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

/etc/config/network

# AP /etc/config/network (OpenWrt 23.05, swconfig-style switch). The AP has no
# WAN of its own: management lives on the 'iot' VLAN and the only default route
# is via 10.42.40.1 on that interface.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd46:5992:0a24::/48'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VID 999 'blackhole' is declared with no member ports - presumably a parking
# VLAN so that no port sits in the switch's default VLAN (confirm).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '999'
        option description 'blackhole'

# Port 3 is the only untagged member of any VLAN (VID 4, management/iot);
# every other VLAN is carried tagged to the CPU (0t) and the uplink (2t).
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '4'
        option ports '0t 2t 3'
        option description 'iot'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '2'
        option ports '0t 2t'
        option description 'house'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '5'
        option ports '0t 2t'
        option description 'servers'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '3'
        option ports '0t 2t'
        option description 'guest'

config switch_vlan
        option device 'switch0'
        option vlan '6'
        option ports '0t 2t'
        option vid '1'
        option description 'whispers'

# Management interface of the AP and tunnel underlay for 'GreT' (tunlink below).
# This is the one interface without 'defaultroute 0', so it owns the default
# route. 'option type bridge' is the pre-21.02 syntax; with 'device br-4'
# pointing at the bridge stanza below it appears redundant (harmless).
config interface 'iot'
        option proto 'static'
        option device 'br-4'
        option ipaddr '10.42.40.3'
        option netmask '255.255.255.0'
        option gateway '10.42.40.1'
        list dns '10.42.40.1'
        option type 'bridge'

# One bridge per VLAN, each joining the wired VLAN sub-interface to the matching
# VLAN sub-interface of the GRETAP tunnel, so tagged traffic is extended over
# the air to the peer AP.
config device
        option type 'bridge'
        option name 'br-2'
        option bridge_empty '1'
        list ports 'eth0.2'
        list ports '@GreT.2'

config device
        option type 'bridge'
        option name 'br-4'
        list ports 'eth0.4'
        list ports '@GreT.4'

# GRETAP (L2 over GRE) to the peer AP at 10.42.40.4, sourced from the 'iot'
# interface. GRE adds no confidentiality or integrity of its own: the house,
# servers, guest and whispers VLANs carried inside it are protected only by the
# path underneath, i.e. the SAE-encrypted mesh on radio0 (see wireless config).
# df '0' clears Don't-Fragment so oversized inner frames can be fragmented;
# defaultroute '0' stops the tunnel interface from installing a default route.
config interface 'GreT'
        option proto 'gretap'
        option force_link '1'
        option peeraddr '10.42.40.4'
        option tunlink 'iot'
        option df '0'
        option defaultroute '0'

# Secondary L3 presence on the house VLAN (used for the 2.4 GHz AP). No default
# route via 10.42.42.1; name resolution for this interface points at the router's
# house-side address.
config interface 'house'
        option proto 'static'
        option device 'br-2'
        option ipaddr '10.42.42.3'
        option netmask '255.255.255.0'
        option gateway '10.42.42.1'
        option defaultroute '0'
        list dns '10.42.42.1'

# The remaining bridges have no 'config interface' in this file: they are pure
# L2 pass-through between the wire and the tunnel. bridge_empty '1' creates the
# bridge even while no member port is up.
config device
        option type 'bridge'
        option name 'br-5'
        list ports 'eth0.5'
        list ports '@GreT.5'
        option bridge_empty '1'

config device
        option type 'bridge'
        option name 'br-3'
        list ports 'eth0.3'
        list ports '@GreT.3'
        option bridge_empty '1'

config device
        option type 'bridge'
        option name 'br-1'
        list ports 'eth0.1'
        list ports '@GreT.1'
        option bridge_empty '1'

/etc/config/wireless

# AP /etc/config/wireless. Both keys are placeholders - the post states the
# configs were sanitised before posting.

# 5 GHz radio: dedicated to the mesh backhaul (channel 40, 80 MHz wide).
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '40'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

# 2.4 GHz radio: client-facing AP for the house VLAN.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '4'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

# 802.11s mesh, encrypted with SAE (WPA3). This link is what protects the
# otherwise-cleartext GRETAP tunnel defined in the network config, so the
# encryption setting here must not be weakened. mesh_fwding '1' lets this node
# relay frames for other mesh peers. Attached to 'iot' (the tunnel underlay).
config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'mesh'
	option encryption 'sae'
	option mesh_id 'FJ-MESH'
	option mesh_fwding '1'
	option mesh_rssi_threshold '0'
	option key 'SUPER_TOP_SECRET'
	option network 'iot'

# WPA2-PSK AP with 802.11r fast transition. mobility_domain must match on every
# AP that clients roam between; ft_over_ds '0' keeps FT over-the-air only.
# ft_psk_generate_local '1' has hostapd derive the FT keys from the PSK itself
# (no RADIUS / inter-AP shared secrets) - confirm the peer AP uses the same.
config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'dentest'
	option encryption 'psk2'
	option key 'TOP_SECRET'
	option ieee80211r '1'
	option mobility_domain '28fa'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'house'

Apparently I have barely touched the dhcp section, so this likely needs a lot of work.

/etc/config/dhcp

# AP /etc/config/dhcp - essentially the OpenWrt default. There is no
# 'config dhcp' stanza for 'iot' or 'house', so dnsmasq here hands out no
# leases; it only acts as a caching DNS forwarder using the upstream servers
# from /tmp/resolv.conf.d/resolv.conf.auto (the 'list dns' entries in network).
config dnsmasq
	option domainneeded '1'
	# boguspriv: never forward reverse lookups for private ranges upstream.
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# rebind_protection is a DNS-rebinding defence: upstream answers that
	# resolve to RFC1918 addresses are discarded. If the upstream (the home
	# router) legitimately returns 10.x answers for local names, whitelist that
	# domain with 'list rebind_domain' rather than switching this off.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	# localservice: only answer queries from subnets the AP is directly
	# attached to - keeps dnsmasq from becoming an open resolver.
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# Default stanza; this AP has no interface named 'wan', so it is inert.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# maindhcp '0': dnsmasq (not odhcpd) would be the DHCPv4 server if any pool
# were defined.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Out of desperation I set the firewall on the AP to accept everything; I'll put it back once the problem is fixed:

/etc/config/firewall

# AP /etc/config/firewall - temporarily wide open for troubleshooting (see the
# text above). NOTE(review): with input ACCEPT both in the defaults and on the
# 'iot' zone, every host on the IoT segment can reach the AP's own services
# (ssh, LuCI) while this stays in place; 'house' and the GreT tunnel belong to
# no zone, so the defaults alone govern them. Since the AP only bridges at L2,
# the DNS problem is almost certainly elsewhere - restore input REJECT soon.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'iot'

Would you like to see the configs from my home router?

I found this:
https://oldwiki.archive.openwrt.org/doc/uci/dhcp
An excellent summary of the available options with some examples.

And this:
https://openwrt.org/docs/guide-user/base-system/dhcp.dnsmasq#dnsmasq_dhcp_server

So I have some reading to do. Although I was hoping for something easier to 'digest'; I also really like dense information.

Also found
https://dnsleaktest.com/
http://dnsleak.com/
doileak.com

It's nearly midnight here. Thank you so much for the help @psherman !! I'll check back in a few hours, and will resume trying to figure this out in ~16 hours. I'm beginning to see that I was completely focused on learning so many other networking topics that I was haphazard with and ignored DNS.

Possible quick fix for dnsmasq (caveat: `rebind_protection` is a DNS-rebinding defence and `localservice` stops dnsmasq answering hosts outside its directly attached subnets, so treat both changes as temporary diagnostics and restore them afterwards; if the real problem is local `lan` names being filtered, `list rebind_domain 'lan'` whitelists them without disabling the protection globally):

Change these options to 0:
option rebind_protection '0'
option localservice '0'

Thank you. Although I haven't solved this yet, that did lead me to make some changes and do some tests. I found that the routes on my normal desktop were totally wrong (!!). I'm hoping to have this weekend off; I'll work on learning more about this over the weekend and will report back, hopefully with a solution or with much more concise questions.

Thanks again.

I have solved a few configuration issues that were confusing the problem. And I think I have narrowed the scope.

DNS requests are only answered by the IoT VLAN interface on the router. Sending a DNS request to the "house" (normal internet) VLAN interface doesn't work:

root@SilverGhost:/etc(root)# cat /etc/resolv.conf
 #  house (Normal Internet usage) VLAN 142
 #nameserver 10.42.42.1
 #
 #  iot VLAN 140
 nameserver 10.42.40.1
 
root@SilverGhost:/etc(root)# resolvectl query google.com
 google.com: 2607:f8b0:400a:806::200e           -- link: vlan140
             142.251.33.78                      -- link: vlan140
 
 -- Information acquired via protocol DNS in 36.6ms.
 -- Data is authenticated: no
 
root@SilverGhost:/etc(root)# vim resolve.conf
 root@SilverGhost:/etc(root)# cat /etc/resolv.conf
 #  house (Normal Internet usage) VLAN 142
 nameserver 10.42.42.1
 #
 #  iot VLAN 140
 #nameserver 10.42.40.1
 root@SilverGhost:/etc(root)# resolvectl query google.com
 google.com: resolve call failed: Lookup failed due to system error: Resource temporarily unavailable

Here are some router configs:
dhcp

# Router /etc/config/dhcp. The dnsmasq section is the OpenWrt default (see the
# AP's copy above for what rebind_protection and localservice do); the
# per-interface pools below are what was changed.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# NOTE(review): 'limit' is the pool size, not the last host number. With start
# 200 on a /24 (house is 10.42.42.0/24 per the AP config) only .200-.254 remain,
# i.e. 55 addresses, so limit must be <= 55 - see the reply further down.
config dhcp 'house'
	option interface 'house'
	option start '200'
	option limit '250'
	option leasetime '12h'

config dhcp 'wan2'
	option interface 'wan2'
	option ignore '1'

# start 42 + limit 150 fits a /24 (.42-.191).
config dhcp 'hiro'
	option interface 'hiro'
	option start '42'
	option limit '150'
	option leasetime '12h'

# Same over-sized pool as 'house' (iot is 10.42.40.0/24 per the AP config).
config dhcp 'iot'
	option interface 'iot'
	option start '200'
	option limit '250'
	option leasetime '12h'

# Same over-sized pool, assuming foyer0 is also a /24 (not shown here).
config dhcp 'foyer0'
	option interface 'foyer0'
	option start '200'
	option limit '250'
	option leasetime '12h'

# ignore '1' disables DHCP on foyer1 entirely; the pool values are then unused.
config dhcp 'foyer1'
	option interface 'foyer1'
	option start '200'
	option limit '250'
	option leasetime '12h'
	option ignore '1'

# start 100 + limit 150 reaches .249 - fits a /24 (if 'servers' is one).
config dhcp 'servers'
	option interface 'servers'
	option start '100'
	option limit '150'
	option leasetime '12h'

firewall

# Router /etc/config/firewall. Defaults are the OpenWrt baseline (input/forward
# REJECT). The per-zone DHCP/DNS/PING rules at the bottom are meant to open
# just those services on the router to each VLAN - but the DNS rules as written
# do not match real client traffic (see the notes on them).
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Stock WAN zone: NAT outbound, nothing inbound beyond the default rules below.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# --- OpenWrt default WAN-side rules, unchanged from the stock config ---
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
# --- end of stock rules ---

# House: clients' zone. input REJECT means the router answers only what the
# house* rules below allow. 'forward ACCEPT' here governs traffic between
# networks inside this zone; with a single network it has no effect -
# inter-zone traffic is controlled by the 'config forwarding' entries.
config zone
	option name 'House'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'house'

config forwarding
	option src 'House'
	option dest 'wan'

# Second upstream; no zone forwards to it in this listing.
config zone
	option name 'wan2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan2'
	list network 'wan26'

config zone
	option name 'Hiro'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'hiro'

config forwarding
	option src 'Hiro'
	option dest 'wan'

# NOTE(review): IOT is the only LAN zone with input ACCEPT, which exposes every
# router service (ssh, LuCI, ...) to the least-trusted segment. The iot* rules
# below already grant DHCP/DNS/ping; once the DNS rule is corrected, input
# REJECT would suffice here as on the other zones. No forwarding to wan is
# defined for IOT in this listing, so IoT devices have no internet via this
# router unless it is configured elsewhere.
config zone
	option name 'IOT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config zone
	option name 'Raven'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'raven'

config zone
	option name 'foyer'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'foyer0'
	list network 'foyer1'

# No zone named 'Calcifer' appears in this listing; if it is not defined
# elsewhere this forwarding is dangling.
config forwarding
	option src 'Raven'
	option dest 'Calcifer'

# DHCPv4 (67/68) and DHCPv6 (547) from IoT clients to the router.
config rule
	option name 'iotDHCP'
	list proto 'udp'
	option src 'IOT'
	option src_port '67-68 547'
	option dest_port '67-68 547'
	option target 'ACCEPT'

# NOTE(review): DNS clients send queries from a random ephemeral source port,
# not from 53, so a rule requiring src_port '53' never matches a client query
# and the zone's input policy decides instead. Here input is ACCEPT so IoT
# still works; for House/Hiro (input REJECT) the same rule shape is why DNS
# fails. Only dest_port '53' should be specified (see the reply below). With no
# 'proto' given, fw4 applies its default protocol set (tcp and udp).
config rule
	option name 'iotDNS'
	option src 'IOT'
	option src_port '53'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'iotPING'
	list proto 'icmp'
	option src 'IOT'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

# DHCP is UDP only; the 'tcp' entry adds nothing and can be dropped.
config rule
	option name 'houseDHCP'
	option src 'House'
	option src_port '67-68 547'
	option dest_port '67-68 547'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

# Same src_port '53' problem as iotDNS - and House has input REJECT, so house
# clients' DNS queries to the router are rejected. This matches the symptom
# reported above (only the IoT address answers).
config rule
	option name 'houseDNS'
	option src 'House'
	option src_port '53'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'housePING'
	list proto 'icmp'
	option src 'House'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

# No zone named 'Servers' appears in this listing (only a DHCP pool), so these
# three rules reference an undefined zone unless it is declared elsewhere.
config rule
	option name 'serversDHCP'
	list proto 'udp'
	option src 'Servers'
	option src_port '67-68 547'
	option dest_port '67-68 547'
	option target 'ACCEPT'

# Same src_port '53' problem as iotDNS.
config rule
	option name 'serversDNS'
	option src 'Servers'
	option src_port '53'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'serversPING'
	list proto 'icmp'
	option src 'Servers'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config rule
	option name 'hiroDHCP'
	list proto 'udp'
	option src 'Hiro'
	option src_port '67-68 547'
	option dest_port '67-68 547'
	option target 'ACCEPT'

# Same src_port '53' problem as iotDNS (Hiro has input REJECT, so DNS to the
# router fails for this zone too).
config rule
	option name 'hiroDNS'
	option src 'Hiro'
	option src_port '53'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'hiroPING'
	list proto 'icmp'
	option src 'Hiro'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

I found this:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#multiple_dhcpdns_serverforwarder_instances

It's about setting up multiple DHCP/DNS server/forwarder instances. I'm suspicious that the solution lies here. Unfortunately I've barely learned what uci commands are, and I'm not confident that I can translate that page into useful changes to my dhcp configuration file.

Thank you for your time.

These pools are all invalid because the limit is too big. `limit` is the size of the DHCP pool (number of addresses), not the last host number: on a /24 network with `start` at 200, only .200–.254 remain, i.e. 55 addresses, so `limit` must be 55 or less.

The foyer1 network's DHCP server is disabled (not sure if that's intentional).

The `src_port` line should be removed from each of the DNS rules (one example shown below); only the destination port should be specified. A DNS client sends its query from a random ephemeral source port, not from port 53, so a rule requiring `src_port '53'` never matches and the zone's `input 'REJECT'` policy rejects the query. That is consistent with what you observed: only the IOT zone, which has `input 'ACCEPT'`, answers DNS. The same applies to the `houseDNS`, `serversDNS` and `hiroDNS` rules.

After fixing those things, restart your router and try again.


I owe you big time! Thank you so much!

