Hi everyone,
I'm running OpenWrt v24.10.1 on a GL-iNet MT6000 router with AdGuard v0.107.57.
When I add the rule from the forum https://openwrt.org/docs/guide-user/services/dns/adguard-home#dns_interception to intercept clients trying to sidestep AdGuard, it seems to break connectivity for mailcow's unbound container.
I get hundreds of these log entries in AdGuard from mailcow's unbound health check; they all show as "Response code REFUSED", and the URL seems to be a single period?
Time                  Request   Response    Client
24/05/2025 13:46:02   .         Processed   192.168.2.83
                      (Type: NS, Plain DNS, 0ms)
(Sorry, I had a screenshot of this but it won't let me have two screenshots in the same post; I've included it in a reply under the post.)
The rule is defined in Firewall - Port forwards.
Have I entered it incorrectly?
When I disable the rule, the mailcow health check starts working again, but I assume that's because its DNS queries are now able to avoid AdGuard.
The mailcow health check runs this command through the unbound docker container for each URL it tests:
dig +short +timeout=2 +tries=1 "$domain" @127.0.0.1 2
I would like to intercept any DNS query and make it go through AdGuard if possible.
Screenshot of the AdGuard log entry
The entries after 13:46:03 were from when I turned the firewall forward rule off.
The response info shows:
When failing:
  Response details
  Status: Processed
  DNS server: 127.0.0.1:54
  Elapsed: 0 ms
  Response code: REFUSED
When succeeding:
  Response details
  Status: Processed
  DNS server: 208.67.222.222:53
  Served from cache: Ticked
  Elapsed: 0 ms
  Response code: NOERROR
  Response: A: 142.250.70.142 (ttl=224)
duindain:
  DNS server: 127.0.0.1:54
What's supposed to be on port 54?
AdGuard?
From /etc/adguardhome.yaml:
  dns:
    bind_hosts:
      - 192.168.2.1
      - 127.0.0.1
DNS doesn't run on port 54; the default is 53.
It's the LAN domain interception config, I think, from:
### LAN domain interception
TLDR
Then you need someone to reply on 54 ?
It's mentioned in the official config in many places:
The install script in the setup section will move dnsmasq to port 54 and set it for AGH to use as local PTR / reverse DNS lookups.
I ran that script on the command line during installation.
That part I'm aware of; just saying something's not right.
You either have misconfigured somewhere to query/forward to port 54, or something's not listening on port 54.
OK, thanks, I was able to sort it out; the clue about no service listening on port 54 helped.
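A way to check the second of those two possibilities on the router, as an added example that is not part of this thread nor of the AdGuard Home or OpenWrt projects: take the UDP socket table and confirm that every local endpoint AdGuard Home is told to forward to (the 192.168.2.1:54 / 127.0.0.1:54 dnsmasq entries discussed in this thread) actually has a listener. The socket table below is a constructed sample in busybox `netstat -lnu` layout, chosen to show the failure case where dnsmasq is bound only to the LAN address; on a real router it is an assumption that you would replace it with the live `netstat -lnu` (or `ss -lnu`) output as noted in the comments.

```shell
#!/bin/sh
# Added example (not from the thread or the projects it mentions).
# Constructed sample of busybox `netstat -lnu` output:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address
# Here dnsmasq listens on port 54 only on the LAN address, not on loopback.
# On the router, replace the sample with:  SOCKETS_SAMPLE=$(netstat -lnu)
SOCKETS_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address
udp        0      0 192.168.2.1:54          0.0.0.0:*
udp        0      0 192.168.2.1:53          0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*'

# has_listener TABLE ENDPOINT
# Exit 0 if ENDPOINT (ip:port) is bound, either exactly or through a
# wildcard bind (0.0.0.0, *, or ::) on the same port; exit 1 otherwise.
has_listener() {
    printf '%s\n' "$1" | awk -v ep="$2" -v port="${2##*:}" '
        $1 ~ /^udp/ && ($4 == ep || $4 == ("0.0.0.0:" port) \
                        || $4 == ("*:" port) || $4 == (":::" port)) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# unreachable_upstreams TABLE ENDPOINT...
# Prints each endpoint that has no listener and returns how many were found
# (0 means every upstream in the list can be reached).
unreachable_upstreams() {
    table="$1"; shift
    missing=0
    for ep in "$@"; do
        if ! has_listener "$table" "$ep"; then
            echo "no listener on $ep: AdGuard Home queries sent there cannot be answered"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Check the two rDNS upstreams mentioned in this thread against the sample table.
if unreachable_upstreams "$SOCKETS_SAMPLE" 192.168.2.1:54 127.0.0.1:54; then
    echo "every listed upstream has a listener"
fi
```

Run it on the router after swapping in the live socket table; any endpoint it reports is one to either add a bind for in dnsmasq (the `listen-address` / interface settings the install script touches) or to remove from AdGuard Home's upstream or rDNS list.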
I had added my actual IPs in the rDNS section:
  192.168.2.1:54
I needed to also add:
  127.0.0.1:54
After adding that and re-enabling the port forward to 54, I can still run the mailcow health checks successfully.
Thanks @frollic
And/or maybe NAT it to 127.0.0.1 in the first place.
system (June 3, 2025, 8:04am): This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.