DNS issues upon OpenVPN disconnect

My current setup is:

  • Raspberry Pi 4 with OpenWRT (IP: 192.168.0.1)
  • Docker installed hosting Plex and Pi Hole
  • Pi Hole is on a VLAN with IP 192.168.10.3
  • all DNS queries forward to Pi Hole
  • Pi Hole filters ads and, for URLs that are not in the block list, uses OpenWRT (192.168.0.1#5053 / 5054) as its upstream server, which performs DoH with Dnsmasq and https-dns-proxy (https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy)

Everything seems to work fine, no issues. However, when I connect via OpenVPN (set up through OpenWRT: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci), it still works, but after disconnecting from the server, my DNS no longer resolves. The fix is either a restart of the service or a reboot of the device.

Am I missing something here?

To add to this, I can see that Pi Hole still forwards queries for non-blocked sites back to OpenWRT, and logread doesn't show anything odd (that I can see...)

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

# Dumps the board/release info, the network, dhcp, firewall and openvpn UCI
# configs, the custom firewall script and every matched OpenVPN profile
# (head -n -0 prints each file in full).
# NOTE(review): this output can hold secrets beyond passwords, e.g. inline
# key blocks in .ovpn/.conf profiles or credentials and private keys stored
# as UCI options - redact those before posting as well.
ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; uci export openvpn; \
head -n -0 /etc/openvpn/*.conf; head -n -0 /etc/openvpn/*.ovpn

Run the following while connected to OpenVPN and after disconnecting:

# Snapshot of the IPv4 addresses, every routing table and the policy rules,
# followed by a listing and a full dump of the resolver files, so that the
# connected and disconnected states can be compared line by line.
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

First log request:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; uci export openvpn; \
> head -n -0 /etc/openvpn/*.conf; head -n -0 /etc/openvpn/*.ovpn
{
        "kernel": "5.4.154",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.4",
        "board_name": "raspberrypi,4-model-b",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.1",
                "revision": "r16325-88151b8303",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 21.02.1 r16325-88151b8303"
        }
}
package network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.1'
        option device 'eth0.1'
        option delegate '0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.2'
        option peerdns '0'

config interface 'macvlan'
        option proto 'static'
        option defaultroute '0'
        option netmask '255.255.255.255'
        option device 'eth0.20'
        option ipaddr '192.168.10.2'

config device
        option type 'macvlan'
        option ifname 'eth0'
        option mode 'bridge'
        option name 'eth0.20'
        option acceptlocal '1'
        option ipv6 '0'

config route
        option interface 'macvlan'
        option target '192.168.10.3'
        option netmask '255.255.255.255'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

config interface 'tun0'
        option proto 'none'
        option device 'tun0'

config device
        option name 'tun0'
        option ipv6 '0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list server '192.168.10.3'
        option rebind_protection '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'macvlan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'tun0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# Redirect DNS (UDP and TCP port 53) arriving on eth0 to 192.168.10.3.
# NOTE(review): the iptables-save -c dump further down this page shows both
# rules with [0:0] counters while the eth0.1 PREROUTING jump is being hit, so
# "-i eth0" looks like it never matches traffic that enters on the VLAN
# sub-interfaces. If the goal is to force LAN clients onto 192.168.10.3, that
# is probably not happening - confirm which interface name the rules need.
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to 192.168.10.3
iptables -t nat -A PREROUTING -i eth0 -p tcp  --dport 53 -j DNAT --to 192.168.10.3
package openvpn

config openvpn 'custom_config'
        option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option server '10.8.0.0 255.255.255.0'
        option ifconfig_pool_persist '/tmp/ipp.txt'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option status '/tmp/openvpn-status.log'
        option verb '3'

config openvpn 'sample_client'
        option client '1'
        option dev 'tun'
        option proto 'udp'
        list remote 'my_server_1 1194'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/client.crt'
        option key '/etc/openvpn/client.key'
        option verb '3'

config openvpn 'pia_london'
        option config '/etc/openvpn/pia_london.ovpn'

head: /etc/openvpn/*.conf: No such file or directory

client
dev tun
proto udp
remote uk-london.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
# NOTE(review): a CBC cipher with HMAC-SHA1 is a legacy data-channel profile;
# if the provider offers an AEAD suite (e.g. AES-256-GCM), prefer that. What
# is actually negotiated depends on the server - confirm in the log at a
# higher verb level.
cipher aes-128-cbc
auth sha1
tls-client
# Requires the peer certificate to carry server key usage / extended key usage.
remote-cert-tls server

# Plaintext credentials file: keep it readable by root only and never post it.
auth-user-pass /etc/openvpn/pia_london.auth
# NOTE(review): a bare "compress" enables compression framing, so the server
# can push an algorithm later; compression inside a VPN tunnel has known
# plaintext-recovery weaknesses (VORACLE). Drop it unless the provider
# requires it - confirm.
compress
verb 1
# 0 disables this side's time-based renegotiation of the data-channel key.
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----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-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>

disable-occ

Second log request (whilst connected to VPN):

root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.2/32 brd 255.255.255.255 scope global eth0.20
       valid_lft forever preferred_lft forever
5: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0.1
       valid_lft forever preferred_lft forever
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.113/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
7: br-5c0a4dcd46c1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-5c0a4dcd46c1
       valid_lft forever preferred_lft forever
8: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.1.112.171/24 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.1.112.1 dev tun0
default via 192.168.1.1 dev eth0.2  src 192.168.1.113
10.1.112.0/24 dev tun0 scope link  src 10.1.112.171
128.0.0.0/1 via 10.1.112.1 dev tun0
138.199.30.2 via 192.168.1.1 dev eth0.2
172.17.0.0/16 dev docker0 scope link  src 172.17.0.1
172.18.0.0/16 dev br-5c0a4dcd46c1 scope link  src 172.18.0.1
192.168.0.0/24 dev eth0.1 scope link  src 192.168.0.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.113
192.168.10.3 dev eth0.20 scope link
broadcast 10.1.112.0 dev tun0 table local scope link  src 10.1.112.171
local 10.1.112.171 dev tun0 table local scope host  src 10.1.112.171
broadcast 10.1.112.255 dev tun0 table local scope link  src 10.1.112.171
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 172.17.0.0 dev docker0 table local scope link  src 172.17.0.1
local 172.17.0.1 dev docker0 table local scope host  src 172.17.0.1
broadcast 172.17.255.255 dev docker0 table local scope link  src 172.17.0.1
broadcast 172.18.0.0 dev br-5c0a4dcd46c1 table local scope link  src 172.18.0.1
local 172.18.0.1 dev br-5c0a4dcd46c1 table local scope host  src 172.18.0.1
broadcast 172.18.255.255 dev br-5c0a4dcd46c1 table local scope link  src 172.18.0.1
broadcast 192.168.0.0 dev eth0.1 table local scope link  src 192.168.0.1
local 192.168.0.1 dev eth0.1 table local scope host  src 192.168.0.1
broadcast 192.168.0.255 dev eth0.1 table local scope link  src 192.168.0.1
broadcast 192.168.1.0 dev eth0.2 table local scope link  src 192.168.1.113
local 192.168.1.113 dev eth0.2 table local scope host  src 192.168.1.113
broadcast 192.168.1.255 dev eth0.2 table local scope link  src 192.168.1.113
local 192.168.10.2 dev eth0.20 table local scope host  src 192.168.10.2
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Oct 24 09:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Dec  2 15:37 /tmp/resolv.conf
-rw-r--r--    1 root     root            16 Dec  2 15:37 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            16 Dec  2 15:37 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan

Third log request (disconnected from VPN):

root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.2/32 brd 255.255.255.255 scope global eth0.20
       valid_lft forever preferred_lft forever
5: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0.1
       valid_lft forever preferred_lft forever
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.113/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
7: br-5c0a4dcd46c1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-5c0a4dcd46c1
       valid_lft forever preferred_lft forever
8: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2  src 192.168.1.113
172.17.0.0/16 dev docker0 scope link  src 172.17.0.1
172.18.0.0/16 dev br-5c0a4dcd46c1 scope link  src 172.18.0.1
192.168.0.0/24 dev eth0.1 scope link  src 192.168.0.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.113
192.168.10.3 dev eth0.20 scope link
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 172.17.0.0 dev docker0 table local scope link  src 172.17.0.1
local 172.17.0.1 dev docker0 table local scope host  src 172.17.0.1
broadcast 172.17.255.255 dev docker0 table local scope link  src 172.17.0.1
broadcast 172.18.0.0 dev br-5c0a4dcd46c1 table local scope link  src 172.18.0.1
local 172.18.0.1 dev br-5c0a4dcd46c1 table local scope host  src 172.18.0.1
broadcast 172.18.255.255 dev br-5c0a4dcd46c1 table local scope link  src 172.18.0.1
broadcast 192.168.0.0 dev eth0.1 table local scope link  src 192.168.0.1
local 192.168.0.1 dev eth0.1 table local scope host  src 192.168.0.1
broadcast 192.168.0.255 dev eth0.1 table local scope link  src 192.168.0.1
broadcast 192.168.1.0 dev eth0.2 table local scope link  src 192.168.1.113
local 192.168.1.113 dev eth0.2 table local scope host  src 192.168.1.113
broadcast 192.168.1.255 dev eth0.2 table local scope link  src 192.168.1.113
local 192.168.10.2 dev eth0.20 table local scope host  src 192.168.10.2
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Oct 24 09:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Dec  2 15:37 /tmp/resolv.conf
-rw-r--r--    1 root     root            16 Dec  2 15:37 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            16 Dec  2 15:37 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan

I then decided to reboot and create another log output:

root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.2/32 brd 255.255.255.255 scope global eth0.20
       valid_lft forever preferred_lft forever
5: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0.1
       valid_lft forever preferred_lft forever
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.113/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
7: br-5c0a4dcd46c1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-5c0a4dcd46c1
       valid_lft forever preferred_lft forever
8: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2  src 192.168.1.113
172.17.0.0/16 dev docker0 scope link  src 172.17.0.1
172.18.0.0/16 dev br-5c0a4dcd46c1 scope link  src 172.18.0.1
192.168.0.0/24 dev eth0.1 scope link  src 192.168.0.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.113
192.168.10.3 dev eth0.20 scope link
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 172.17.0.0 dev docker0 table local scope link  src 172.17.0.1
local 172.17.0.1 dev docker0 table local scope host  src 172.17.0.1
broadcast 172.17.255.255 dev docker0 table local scope link  src 172.17.0.1
broadcast 172.18.0.0 dev br-5c0a4dcd46c1 table local scope link  src 172.18.0.1
local 172.18.0.1 dev br-5c0a4dcd46c1 table local scope host  src 172.18.0.1
broadcast 172.18.255.255 dev br-5c0a4dcd46c1 table local scope link  src 172.18.0.1
broadcast 192.168.0.0 dev eth0.1 table local scope link  src 192.168.0.1
local 192.168.0.1 dev eth0.1 table local scope host  src 192.168.0.1
broadcast 192.168.0.255 dev eth0.1 table local scope link  src 192.168.0.1
broadcast 192.168.1.0 dev eth0.2 table local scope link  src 192.168.1.113
local 192.168.1.113 dev eth0.2 table local scope host  src 192.168.1.113
broadcast 192.168.1.255 dev eth0.2 table local scope link  src 192.168.1.113
local 192.168.10.2 dev eth0.20 table local scope host  src 192.168.10.2
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Oct 24 09:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Dec  2 15:49 /tmp/resolv.conf
-rw-r--r--    1 root     root            16 Dec  2 15:49 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            16 Dec  2 15:49 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan

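No differences between log 3 and 4, and the only difference between 2 and 3 is that log 3 no longer has the tun0 interface or the VPN routes (0.0.0.0/1, 128.0.0.0/1, 10.1.112.0/24 and the host route to 138.199.30.2); the resolv.conf files are identical in both.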

Capture the iptables-save -c before and after the VPN disconnection.

Whilst connected to VPN

root@OpenWrt:~# iptables-save -c
# Generated by iptables-save v1.8.7 on Thu Dec  2 17:26:30 2021
*nat
:PREROUTING ACCEPT [63:10223]
:INPUT ACCEPT [24:1658]
:OUTPUT ACCEPT [31:2989]
:POSTROUTING ACCEPT [17:1234]
:DOCKER - [0:0]
:postrouting_docker_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_docker_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_docker_postrouting - [0:0]
:zone_docker_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[0:0] -A PREROUTING -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.10.3
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.10.3
[62:7750] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[63:10223] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[28:3756] -A PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.20 -m comment --comment "!fw3" -j zone_lan_prerouting
[19:5324] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i docker0 -m comment --comment "!fw3" -j zone_docker_prerouting
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-5c0a4dcd46c1 -j MASQUERADE
[55:6390] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_lan_postrouting
[15:1096] -A POSTROUTING -o eth0.20 -m comment --comment "!fw3" -j zone_lan_postrouting
[1:76] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[37:5080] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o docker0 -m comment --comment "!fw3" -j zone_docker_postrouting
[0:0] -A DOCKER -i docker0 -j RETURN
[35:2436] -A DOCKER -i br-5c0a4dcd46c1 -j RETURN
[0:0] -A zone_docker_postrouting -m comment --comment "!fw3: Custom docker postrouting rule chain" -j postrouting_docker_rule
[0:0] -A zone_docker_prerouting -m comment --comment "!fw3: Custom docker prerouting rule chain" -j prerouting_docker_rule
[15:1096] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[28:3756] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[38:5156] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[38:5156] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[19:5324] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Dec  2 17:26:30 2021
# Generated by iptables-save v1.8.7 on Thu Dec  2 17:26:30 2021
*mangle
:PREROUTING ACCEPT [7608:5031709]
:INPUT ACCEPT [2643:438883]
:FORWARD ACCEPT [4956:4589946]
:OUTPUT ACCEPT [3924:4679521]
:POSTROUTING ACCEPT [8869:9273047]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[9:468] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[9:464] -A FORWARD -i tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Dec  2 17:26:30 2021
# Generated by iptables-save v1.8.7 on Thu Dec  2 17:26:30 2021
*filter
:INPUT ACCEPT [23:1566]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:forwarding_docker_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_docker_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_docker_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_docker_dest_ACCEPT - [0:0]
:zone_docker_forward - [0:0]
:zone_docker_input - [0:0]
:zone_docker_output - [0:0]
:zone_docker_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[36:2582] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2611:436509] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[2501:423407] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4:216] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[29:3593] -A INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.20 -m comment --comment "!fw3" -j zone_lan_input
[49:5760] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[9:2183] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
[5036:4612083] -A FORWARD -j DOCKER-USER
[5036:4612083] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A FORWARD -o br-5c0a4dcd46c1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-5c0a4dcd46c1 -j DOCKER
[0:0] -A FORWARD -i br-5c0a4dcd46c1 ! -o br-5c0a4dcd46c1 -j ACCEPT
[0:0] -A FORWARD -i br-5c0a4dcd46c1 -o br-5c0a4dcd46c1 -j ACCEPT
[4956:4589946] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[4911:4577102] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[45:12844] -A FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.20 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[36:2582] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[3893:4678419] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[3791:4668703] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[20:2997] -A OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_lan_output
[21:1498] -A OUTPUT -o eth0.20 -m comment --comment "!fw3" -j zone_lan_output
[1:76] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[60:5145] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-5c0a4dcd46c1 ! -o br-5c0a4dcd46c1 -j DOCKER-ISOLATION-STAGE-2
[5040:4612244] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-5c0a4dcd46c1 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[0:0] -A DOCKER-USER -i eth0.2 -o docker0 -j REJECT --reject-with icmp-port-unreachable
[5036:4612083] -A DOCKER-USER -j RETURN
[43:3749] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[15:4194] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[4:216] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
[0:0] -A zone_docker_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
[0:0] -A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
[0:0] -A zone_docker_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_ACCEPT
[0:0] -A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
[0:0] -A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
[0:0] -A zone_docker_src_ACCEPT -i docker0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[20:2997] -A zone_lan_dest_ACCEPT -o eth0.1 -m comment --comment "!fw3" -j ACCEPT
[21:1498] -A zone_lan_dest_ACCEPT -o eth0.20 -m comment --comment "!fw3" -j ACCEPT
[45:12844] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[45:12844] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[29:3593] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[29:3593] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[41:4495] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[41:4495] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[29:3593] -A zone_lan_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i eth0.20 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1:76] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[40:1600] -A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[65:16389] -A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[58:7943] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[58:7943] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[61:5221] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[61:5221] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[49:5760] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[9:2183] -A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Dec  2 17:26:30 2021

When disconnected from VPN:

root@OpenWrt:~# iptables-save -c
# Generated by iptables-save v1.8.7 on Thu Dec  2 17:26:46 2021
*nat
:PREROUTING ACCEPT [101:15319]
:INPUT ACCEPT [47:3305]
:OUTPUT ACCEPT [131:10876]
:POSTROUTING ACCEPT [104:7563]
:DOCKER - [0:0]
:postrouting_docker_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_docker_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_docker_postrouting - [0:0]
:zone_docker_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[0:0] -A PREROUTING -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.10.3
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.10.3
[89:9586] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[101:15319] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[45:7377] -A PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.20 -m comment --comment "!fw3" -j zone_lan_prerouting
[23:5513] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i docker0 -m comment --comment "!fw3" -j zone_docker_prerouting
[3:834] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[1:278] -A POSTROUTING -s 172.18.0.0/16 ! -o br-5c0a4dcd46c1 -j MASQUERADE
[168:17379] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[4:292] -A POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_lan_postrouting
[33:2397] -A POSTROUTING -o eth0.20 -m comment --comment "!fw3" -j zone_lan_postrouting
[21:4416] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[43:5400] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
[1:146] -A POSTROUTING -o docker0 -m comment --comment "!fw3" -j zone_docker_postrouting
[0:0] -A DOCKER -i docker0 -j RETURN
[52:3722] -A DOCKER -i br-5c0a4dcd46c1 -j RETURN
[1:146] -A zone_docker_postrouting -m comment --comment "!fw3: Custom docker postrouting rule chain" -j postrouting_docker_rule
[0:0] -A zone_docker_prerouting -m comment --comment "!fw3: Custom docker prerouting rule chain" -j prerouting_docker_rule
[37:2689] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[45:7377] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[64:9816] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[64:9816] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[23:5513] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Dec  2 17:26:46 2021
# Generated by iptables-save v1.8.7 on Thu Dec  2 17:26:46 2021
*mangle
:PREROUTING ACCEPT [8703:5246732]
:INPUT ACCEPT [3511:579649]
:FORWARD ACCEPT [5183:4664203]
:OUTPUT ACCEPT [4828:4818218]
:POSTROUTING ACCEPT [10016:9488115]
[7:364] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[7:364] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[9:468] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[9:464] -A FORWARD -i tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Dec  2 17:26:46 2021
# Generated by iptables-save v1.8.7 on Thu Dec  2 17:26:46 2021
*filter
:INPUT ACCEPT [63:4639]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9:500]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:forwarding_docker_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_docker_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_docker_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_docker_dest_ACCEPT - [0:0]
:zone_docker_forward - [0:0]
:zone_docker_input - [0:0]
:zone_docker_output - [0:0]
:zone_docker_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[490:62796] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[3025:517061] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[2836:497405] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[8:432] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[41:4359] -A INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_lan_input
[5:340] -A INPUT -i eth0.20 -m comment --comment "!fw3" -j zone_lan_input
[70:7989] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[9:2183] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
[1:146] -A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
[5263:4686340] -A FORWARD -j DOCKER-USER
[5263:4686340] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A FORWARD -o br-5c0a4dcd46c1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-5c0a4dcd46c1 -j DOCKER
[0:0] -A FORWARD -i br-5c0a4dcd46c1 ! -o br-5c0a4dcd46c1 -j ACCEPT
[0:0] -A FORWARD -i br-5c0a4dcd46c1 -o br-5c0a4dcd46c1 -j ACCEPT
[5183:4664203] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[5123:4647526] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[60:16677] -A FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.20 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[490:62796] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[4345:4756918] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[4162:4741440] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[29:3497] -A OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_lan_output
[56:3970] -A OUTPUT -o eth0.20 -m comment --comment "!fw3" -j zone_lan_output
[19:1780] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[65:5425] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
[5:306] -A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-5c0a4dcd46c1 ! -o br-5c0a4dcd46c1 -j DOCKER-ISOLATION-STAGE-2
[5267:4686501] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-5c0a4dcd46c1 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[0:0] -A DOCKER-USER -i eth0.2 -o docker0 -j REJECT --reject-with icmp-port-unreachable
[5263:4686340] -A DOCKER-USER -j RETURN
[54:4601] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[25:5571] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[8:432] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[5:306] -A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
[0:0] -A zone_docker_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
[1:146] -A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
[0:0] -A zone_docker_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1:146] -A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_ACCEPT
[5:306] -A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
[5:306] -A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
[1:146] -A zone_docker_src_ACCEPT -i docker0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[29:3497] -A zone_lan_dest_ACCEPT -o eth0.1 -m comment --comment "!fw3" -j ACCEPT
[56:3970] -A zone_lan_dest_ACCEPT -o eth0.20 -m comment --comment "!fw3" -j ACCEPT
[60:16677] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[60:16677] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[46:4699] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[46:4699] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[85:7467] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[85:7467] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[41:4359] -A zone_lan_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[5:340] -A zone_lan_src_ACCEPT -i eth0.20 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[8:320] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[26:5293] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[41:1640] -A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[69:16629] -A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[79:10172] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[79:10172] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[84:7205] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[84:7205] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[70:7989] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[9:2183] -A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Dec  2 17:26:46 2021

Apart from the timestamps (?) in between the square brackets, I can't see any differences.

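Those are not timestamps but the per-rule counters, hits:bytes, i.e. the packets and bytes each rule has matched so far.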

Let's see if the packets flow correctly:
opkg update; opkg install tcpdump; tcpdump -i any -evn udp port 53 or port 5053 or port 5054
Try to keep most lan hosts offline and resolve something.

Running tcpdump before, or after... or both?

Right, after disconnecting should be enough.

I ran it immediately after disconnecting and looked up spytrackgps.co.uk, in amongst other lookups that my PC made. I can see that Pi Hole forwards the query to the DoH proxy, but after that...?

root@OpenWrt:~# tcpdump -i any -evn udp port 53 or port 5053 or port 5054
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
17:47:17.498532  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 23973, offset 0, flags [DF], proto UDP (17), length 103)
    127.0.0.1.56732 > 127.0.0.1.53: 61422+ A? REDACTED.plex.direct. (75)
17:47:17.498636  In 00:00:00:00:00:00 ethertype IPv6 (0x86dd), length 139: (flowlabel 0xabbd2, hlim 64, next-header UDP (17) payload length: 83) ::1.56732 > ::1.53: [bad udp cksum 0x0066 -> 0xe9bb!] 61422+ A? REDACTED.plex.direct. (75)
17:47:17.498690  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 23974, offset 0, flags [DF], proto UDP (17), length 103)
    127.0.0.1.56732 > 127.0.0.1.53: 62737+ AAAA? REDACTED.plex.direct. (75)
17:47:17.498732  In 00:00:00:00:00:00 ethertype IPv6 (0x86dd), length 139: (flowlabel 0xabbd2, hlim 64, next-header UDP (17) payload length: 83) ::1.56732 > ::1.53: [bad udp cksum 0x0066 -> 0xc998!] 62737+ AAAA? REDACTED.plex.direct. (75)
17:47:18.374208  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 83: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 21895, offset 0, flags [none], proto UDP (17), length 63)
    192.168.0.191.57035 > 192.168.0.1.53: 64498+ A? spytrackgps.co.uk. (35)
17:47:18.374217  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 128, id 21895, offset 0, flags [none], proto UDP (17), length 63)
    192.168.0.191.57035 > 192.168.0.1.53: 64498+ A? spytrackgps.co.uk. (35)
17:47:18.374585 Out de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 1530, offset 0, flags [DF], proto UDP (17), length 63)
    192.168.10.2.40010 > 192.168.10.3.53: 39262+ A? spytrackgps.co.uk. (35)
17:47:18.374601   P de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 1530, offset 0, flags [DF], proto UDP (17), length 63)
    192.168.10.2.40010 > 192.168.10.3.53: 39262+ A? spytrackgps.co.uk. (35)
17:47:18.377161   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17121, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5054: UDP, length 35
17:47:18.377203  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17121, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5054: UDP, length 35
17:47:18.409099  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 83: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 21896, offset 0, flags [none], proto UDP (17), length 63)
    192.168.0.191.57035 > 192.168.0.1.53: 64498+ A? spytrackgps.co.uk. (35)
17:47:18.409107  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 128, id 21896, offset 0, flags [none], proto UDP (17), length 63)
    192.168.0.191.57035 > 192.168.0.1.53: 64498+ A? spytrackgps.co.uk. (35)
17:47:18.409397 Out de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 1534, offset 0, flags [DF], proto UDP (17), length 63)
    192.168.10.2.40010 > 192.168.10.3.53: 39262+ A? spytrackgps.co.uk. (35)
17:47:18.409412   P de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 1534, offset 0, flags [DF], proto UDP (17), length 63)
    192.168.10.2.40010 > 192.168.10.3.53: 39262+ A? spytrackgps.co.uk. (35)
17:47:18.409879   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17123, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5053: UDP, length 35
17:47:18.409915  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17123, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5053: UDP, length 35
17:47:18.410077   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17124, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5054: UDP, length 35
17:47:18.410113  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17124, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5054: UDP, length 35
17:47:18.766236  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 96: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 21900, offset 0, flags [none], proto UDP (17), length 76)
    192.168.0.191.50158 > 192.168.0.1.53: 9487+ A? self.events.data.microsoft.com. (48)
17:47:18.766245  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 128, id 21900, offset 0, flags [none], proto UDP (17), length 76)
    192.168.0.191.50158 > 192.168.0.1.53: 9487+ A? self.events.data.microsoft.com. (48)
17:47:18.766609 Out de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 64, id 1617, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.10.2.48982 > 192.168.10.3.53: 11751+ A? self.events.data.microsoft.com. (48)
17:47:18.766625   P de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 64, id 1617, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.10.2.48982 > 192.168.10.3.53: 11751+ A? self.events.data.microsoft.com. (48)
17:47:18.767064   P 02:42:c0:a8:0a:03 ethertype IPv4 (0x0800), length 108: (tos 0x0, ttl 64, id 30610, offset 0, flags [DF], proto UDP (17), length 92)
    192.168.10.3.53 > 192.168.10.2.48982: 11751* 1/0/0 self.events.data.microsoft.com. A 0.0.0.0 (64)
17:47:18.767071  In 02:42:c0:a8:0a:03 ethertype IPv4 (0x0800), length 108: (tos 0x0, ttl 64, id 30610, offset 0, flags [DF], proto UDP (17), length 92)
    192.168.10.3.53 > 192.168.10.2.48982: 11751* 1/0/0 self.events.data.microsoft.com. A 0.0.0.0 (64)
17:47:18.767536 Out dc:a6:32:fe:2a:5d ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 64, id 53273, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.0.1.53 > 192.168.0.191.50158: 9487* 0/0/0 (48)
17:47:19.414354  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 83: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 21901, offset 0, flags [none], proto UDP (17), length 63)
    192.168.0.191.57035 > 192.168.0.1.53: 64498+ A? spytrackgps.co.uk. (35)
17:47:19.414363  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 128, id 21901, offset 0, flags [none], proto UDP (17), length 63)
    192.168.0.191.57035 > 192.168.0.1.53: 64498+ A? spytrackgps.co.uk. (35)
17:47:19.414664 Out de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 1640, offset 0, flags [DF], proto UDP (17), length 63)
    192.168.10.2.40010 > 192.168.10.3.53: 39262+ A? spytrackgps.co.uk. (35)
17:47:19.414681   P de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 1640, offset 0, flags [DF], proto UDP (17), length 63)
    192.168.10.2.40010 > 192.168.10.3.53: 39262+ A? spytrackgps.co.uk. (35)
17:47:19.415206   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17291, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5053: UDP, length 35
17:47:19.415232  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17291, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5053: UDP, length 35
17:47:19.415378   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17292, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5054: UDP, length 35
17:47:19.415389  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17292, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5054: UDP, length 35
17:47:20.000722  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 24468, offset 0, flags [DF], proto UDP (17), length 103)
    127.0.0.1.56732 > 127.0.0.1.53: 62737+ AAAA? REDACTED.plex.direct. (75)
17:47:20.000831  In 00:00:00:00:00:00 ethertype IPv6 (0x86dd), length 139: (flowlabel 0xabbd2, hlim 64, next-header UDP (17) payload length: 83) ::1.56732 > ::1.53: [bad udp cksum 0x0066 -> 0xc998!] 62737+ AAAA? REDACTED.plex.direct. (75)
17:47:20.000990 Out de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 1672, offset 0, flags [DF], proto UDP (17), length 103)
    192.168.10.2.35520 > 192.168.10.3.53: 19515+ AAAA? REDACTED.plex.direct. (75)
17:47:20.001000   P de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 1672, offset 0, flags [DF], proto UDP (17), length 103)
    192.168.10.2.35520 > 192.168.10.3.53: 19515+ AAAA? REDACTED.plex.direct. (75)
17:47:20.001445   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 17317, offset 0, flags [DF], proto UDP (17), length 103)
    172.18.0.2.36682 > 192.168.0.1.5053: UDP, length 75
17:47:20.001484  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 17317, offset 0, flags [DF], proto UDP (17), length 103)
    172.18.0.2.36682 > 192.168.0.1.5053: UDP, length 75
17:47:20.001663   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 17318, offset 0, flags [DF], proto UDP (17), length 103)
    172.18.0.2.36682 > 192.168.0.1.5054: UDP, length 75
17:47:20.001675  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 17318, offset 0, flags [DF], proto UDP (17), length 103)
    172.18.0.2.36682 > 192.168.0.1.5054: UDP, length 75
17:47:20.002058 Out de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 1673, offset 0, flags [DF], proto UDP (17), length 103)
    192.168.10.2.35520 > 192.168.10.3.53: 19515+ AAAA? REDACTED.plex.direct. (75)
17:47:20.002071   P de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 1673, offset 0, flags [DF], proto UDP (17), length 103)
    192.168.10.2.35520 > 192.168.10.3.53: 19515+ AAAA? REDACTED.plex.direct. (75)
17:47:20.002410   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 17319, offset 0, flags [DF], proto UDP (17), length 103)
    172.18.0.2.36682 > 192.168.0.1.5053: UDP, length 75
17:47:20.002447  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 17319, offset 0, flags [DF], proto UDP (17), length 103)
    172.18.0.2.36682 > 192.168.0.1.5053: UDP, length 75
17:47:20.002596   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 17320, offset 0, flags [DF], proto UDP (17), length 103)
    172.18.0.2.36682 > 192.168.0.1.5054: UDP, length 75
17:47:20.002607  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 119: (tos 0x0, ttl 64, id 17320, offset 0, flags [DF], proto UDP (17), length 103)
    172.18.0.2.36682 > 192.168.0.1.5054: UDP, length 75
17:47:20.013242  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 74: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 21905, offset 0, flags [none], proto UDP (17), length 54)
    192.168.0.191.50158 > 192.168.0.1.53: 61270+ A? wpad.lan. (26)
17:47:20.013250  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 128, id 21905, offset 0, flags [none], proto UDP (17), length 54)
    192.168.0.191.50158 > 192.168.0.1.53: 61270+ A? wpad.lan. (26)
17:47:20.013253  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 74: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 21906, offset 0, flags [none], proto UDP (17), length 54)
    192.168.0.191.49443 > 192.168.0.1.53: 17493+ A? wpad.lan. (26)
17:47:20.013255  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 128, id 21906, offset 0, flags [none], proto UDP (17), length 54)
    192.168.0.191.49443 > 192.168.0.1.53: 17493+ A? wpad.lan. (26)
17:47:20.013517 Out dc:a6:32:fe:2a:5d ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 64, id 53441, offset 0, flags [DF], proto UDP (17), length 54)
    192.168.0.1.53 > 192.168.0.191.50158: 61270 NXDomain 0/0/0 (26)
17:47:20.013698 Out dc:a6:32:fe:2a:5d ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 64, id 53442, offset 0, flags [DF], proto UDP (17), length 54)
    192.168.0.1.53 > 192.168.0.191.49443: 17493 NXDomain 0/0/0 (26)
17:47:21.424312  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 83: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 21910, offset 0, flags [none], proto UDP (17), length 63)
    192.168.0.191.57035 > 192.168.0.1.53: 64498+ A? spytrackgps.co.uk. (35)
17:47:21.424321  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 128, id 21910, offset 0, flags [none], proto UDP (17), length 63)
    192.168.0.191.57035 > 192.168.0.1.53: 64498+ A? spytrackgps.co.uk. (35)
17:47:21.424634 Out de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 1765, offset 0, flags [DF], proto UDP (17), length 63)
    192.168.10.2.40010 > 192.168.10.3.53: 39262+ A? spytrackgps.co.uk. (35)
17:47:21.424648   P de:10:ff:ea:86:a7 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 1765, offset 0, flags [DF], proto UDP (17), length 63)
    192.168.10.2.40010 > 192.168.10.3.53: 39262+ A? spytrackgps.co.uk. (35)
17:47:21.425136   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17414, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5053: UDP, length 35
17:47:21.425162  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17414, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5053: UDP, length 35
17:47:21.425319   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17415, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5054: UDP, length 35
17:47:21.425331  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 17415, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.40383 > 192.168.0.1.5054: UDP, length 35
^C
61 packets captured
75 packets received by filter
8 packets dropped by kernel

Ok, so weirdly enough I rebooted just now, and upon reboot it automatically connects to the VPN. I disconnected, and after 20 seconds or so it started to resolve new addresses I've not been to before. I wonder if there is some sort of delay here; a delay that either did not happen on previous occasions, or that I had not waited long enough to see the end of. Which is odd, cos I have waited up to 10min for a resolution before...?

I forgot to add a filter for the DoH traffic to the tcpdump command.
What is configured in uci show https-dns-proxy ?

I thought your 53, 5053 and 5054 catered for that already?

root@OpenWrt:~# uci show https-dns-proxy
https-dns-proxy.config=main
https-dns-proxy.config.force_dns_port='53' '853'
https-dns-proxy.config.force_dns='0'
https-dns-proxy.config.update_dnsmasq_config='-'
https-dns-proxy.@https-dns-proxy[0]=https-dns-proxy
https-dns-proxy.@https-dns-proxy[0].listen_addr='192.168.0.1'
https-dns-proxy.@https-dns-proxy[0].listen_port='5054'
https-dns-proxy.@https-dns-proxy[0].user='nobody'
https-dns-proxy.@https-dns-proxy[0].group='nogroup'
https-dns-proxy.@https-dns-proxy[0].bootstrap_dns='1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001'
https-dns-proxy.@https-dns-proxy[0].resolver_url='https://cloudflare-dns.com/dns-query'
https-dns-proxy.@https-dns-proxy[1]=https-dns-proxy
https-dns-proxy.@https-dns-proxy[1].listen_addr='192.168.0.1'
https-dns-proxy.@https-dns-proxy[1].listen_port='5053'
https-dns-proxy.@https-dns-proxy[1].user='nobody'
https-dns-proxy.@https-dns-proxy[1].group='nogroup'
https-dns-proxy.@https-dns-proxy[1].bootstrap_dns='9.9.9.9,149.112.112.9,2620:fe::fe,2620:fe::9'
https-dns-proxy.@https-dns-proxy[1].resolver_url='https://dns9.quad9.net/dns-query'

Those ports cover the incoming queries only. I have added the DoH servers to the filter so that leg is monitored too.
# Capture classic DNS (UDP 53), the local https-dns-proxy listeners (5053/5054) and
# traffic to/from the IPv4 bootstrap resolvers configured for https-dns-proxy.
#   -i any  capture on all interfaces
#   -e      print the link-layer header (MAC addresses)
#   -v      more verbose decoding
#   -n      do not convert addresses to names
# NOTE(review): the host list matches only the four IPv4 bootstrap addresses. The DoH
# connection goes to whatever the resolver_url hostname resolves to, and may use IPv6,
# so upstream packets can be absent from this capture without being absent on the wire.
# Confirm the resolver addresses before drawing conclusions from missing packets.
# The output contains MAC addresses and every queried hostname; redact before posting.
tcpdump -i any -evn '(udp port 53 or port 5053 or port 5054) or (host 1.1.1.1 or host 1.0.0.1 or host 9.9.9.9 or host 149.112.112.9)'
There is going to be a lot of output, so try to have just the test LAN host connected to avoid capturing unrelated traffic.

Rightio, I have another output. It does seem to show the response from Quad9 coming back to the Pi. At the moment the path is: internet -> modem -> Pi -> LAN clients, and the reverse on the way out, of course.

root@OpenWrt:~# tcpdump -i any -evn '(udp port 53 or port 5053 or port 5054) or (host 1.1.1.1 or host 1.0.0.1 or host 9.9.9.9 or host 149.112.112.9)'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
11:50:18.814261  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 76: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 42207, offset 0, flags [none], proto UDP (17), length 56)
    192.168.0.191.56639 > 192.168.0.1.53: 19838+ A? github.com. (28)
11:50:18.814271  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 128, id 42207, offset 0, flags [none], proto UDP (17), length 56)
    192.168.0.191.56639 > 192.168.0.1.53: 19838+ A? github.com. (28)
11:50:18.814693 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 48040, offset 0, flags [DF], proto UDP (17), length 56)
    192.168.10.2.57075 > 192.168.10.3.53: 65405+ A? github.com. (28)
11:50:18.814712   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 48040, offset 0, flags [DF], proto UDP (17), length 56)
    192.168.10.2.57075 > 192.168.10.3.53: 65405+ A? github.com. (28)
11:50:18.815325   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 29681, offset 0, flags [DF], proto UDP (17), length 56)
    172.18.0.2.36327 > 192.168.0.1.5053: UDP, length 28
11:50:18.815353  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 29681, offset 0, flags [DF], proto UDP (17), length 56)
    172.18.0.2.36327 > 192.168.0.1.5053: UDP, length 28
11:50:18.815536   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 29682, offset 0, flags [DF], proto UDP (17), length 56)
    172.18.0.2.36327 > 192.168.0.1.5054: UDP, length 28
11:50:18.815550  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 29682, offset 0, flags [DF], proto UDP (17), length 56)
    172.18.0.2.36327 > 192.168.0.1.5054: UDP, length 28
11:50:19.936693  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 83: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 42211, offset 0, flags [none], proto UDP (17), length 63)
    192.168.0.191.61248 > 192.168.0.1.53: 21425+ A? sync-v2.brave.com. (35)
11:50:19.936701  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 128, id 42211, offset 0, flags [none], proto UDP (17), length 63)
    192.168.0.191.61248 > 192.168.0.1.53: 21425+ A? sync-v2.brave.com. (35)
11:50:19.937089 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 48267, offset 0, flags [DF], proto UDP (17), length 63)
    192.168.10.2.35762 > 192.168.10.3.53: 43061+ A? sync-v2.brave.com. (35)
11:50:19.937105   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 48267, offset 0, flags [DF], proto UDP (17), length 63)
    192.168.10.2.35762 > 192.168.10.3.53: 43061+ A? sync-v2.brave.com. (35)
11:50:19.937619   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 29884, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.55563 > 192.168.0.1.5053: UDP, length 35
11:50:19.937652  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 29884, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.55563 > 192.168.0.1.5053: UDP, length 35
11:50:19.937856   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 29885, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.55563 > 192.168.0.1.5054: UDP, length 35
11:50:19.937877  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 29885, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.55563 > 192.168.0.1.5054: UDP, length 35
11:50:20.089682  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 111: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 42213, offset 0, flags [none], proto UDP (17), length 91)
    192.168.0.191.59290 > 192.168.0.1.53: 15679+ A? REDACTED.blob.core.windows.net. (63)
11:50:20.089692  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 128, id 42213, offset 0, flags [none], proto UDP (17), length 91)
    192.168.0.191.59290 > 192.168.0.1.53: 15679+ A? REDACTED.blob.core.windows.net. (63)
11:50:20.090149 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 48279, offset 0, flags [DF], proto UDP (17), length 91)
    192.168.10.2.40115 > 192.168.10.3.53: 44573+ A? REDACTED.blob.core.windows.net. (63)
11:50:20.090168   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 48279, offset 0, flags [DF], proto UDP (17), length 91)
    192.168.10.2.40115 > 192.168.10.3.53: 44573+ A? REDACTED.blob.core.windows.net. (63)
11:50:20.091635   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 29887, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5053: UDP, length 63
11:50:20.091697  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 29887, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5053: UDP, length 63
11:50:20.159639  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 42214, offset 0, flags [none], proto UDP (17), length 60)
    192.168.0.191.63769 > 192.168.0.1.53: 971+ A? www.hsbc.co.uk. (32)
11:50:20.159649  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 42214, offset 0, flags [none], proto UDP (17), length 60)
    192.168.0.191.63769 > 192.168.0.1.53: 971+ A? www.hsbc.co.uk. (32)
11:50:20.159994 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 48284, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.10.2.45038 > 192.168.10.3.53: 53357+ A? www.hsbc.co.uk. (32)
11:50:20.160007   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 48284, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.10.2.45038 > 192.168.10.3.53: 53357+ A? www.hsbc.co.uk. (32)
11:50:20.162517   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 29904, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5053: UDP, length 32
11:50:20.162565  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 29904, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5053: UDP, length 32
11:50:21.090663  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 111: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 42218, offset 0, flags [none], proto UDP (17), length 91)
    192.168.0.191.59290 > 192.168.0.1.53: 15679+ A? REDACTED.blob.core.windows.net. (63)
11:50:21.090671  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 128, id 42218, offset 0, flags [none], proto UDP (17), length 91)
    192.168.0.191.59290 > 192.168.0.1.53: 15679+ A? REDACTED.blob.core.windows.net. (63)
11:50:21.090935 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 48399, offset 0, flags [DF], proto UDP (17), length 91)
    192.168.10.2.40115 > 192.168.10.3.53: 44573+ A? REDACTED.blob.core.windows.net. (63)
11:50:21.090945   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 48399, offset 0, flags [DF], proto UDP (17), length 91)
    192.168.10.2.40115 > 192.168.10.3.53: 44573+ A? REDACTED.blob.core.windows.net. (63)
11:50:21.091258   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 29954, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5053: UDP, length 63
11:50:21.091278  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 29954, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5053: UDP, length 63
11:50:21.091378   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 29955, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5054: UDP, length 63
11:50:21.091394  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 29955, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5054: UDP, length 63
11:50:21.167001  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 42219, offset 0, flags [none], proto UDP (17), length 60)
    192.168.0.191.63769 > 192.168.0.1.53: 971+ A? www.hsbc.co.uk. (32)
11:50:21.167009  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 42219, offset 0, flags [none], proto UDP (17), length 60)
    192.168.0.191.63769 > 192.168.0.1.53: 971+ A? www.hsbc.co.uk. (32)
11:50:21.167255 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 48404, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.10.2.45038 > 192.168.10.3.53: 53357+ A? www.hsbc.co.uk. (32)
11:50:21.167264   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 48404, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.10.2.45038 > 192.168.10.3.53: 53357+ A? www.hsbc.co.uk. (32)
11:50:21.167545   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 29968, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5053: UDP, length 32
11:50:21.167561  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 29968, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5053: UDP, length 32
11:50:21.167649   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 29969, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5054: UDP, length 32
11:50:21.167663  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 29969, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5054: UDP, length 32
11:50:21.998526  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 9511, offset 0, flags [DF], proto UDP (17), length 58)
    127.0.0.1.37966 > 127.0.0.1.53: 23200+ A? meta.plex.tv. (30)
11:50:21.998782 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 48478, offset 0, flags [DF], proto UDP (17), length 58)
    192.168.10.2.46650 > 192.168.10.3.53: 60659+ A? meta.plex.tv. (30)
11:50:21.998811  In 00:00:00:00:00:00 ethertype IPv6 (0x86dd), length 94: (flowlabel 0xdcc8f, hlim 64, next-header UDP (17) payload length: 38) ::1.37966 > ::1.53: [bad udp cksum 0x0039 -> 0xf63a!] 23200+ A? meta.plex.tv. (30)
11:50:21.998988  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 9512, offset 0, flags [DF], proto UDP (17), length 58)
    127.0.0.1.37966 > 127.0.0.1.53: 23533+ AAAA? meta.plex.tv. (30)
11:50:21.999084  In 00:00:00:00:00:00 ethertype IPv6 (0x86dd), length 94: (flowlabel 0xdcc8f, hlim 64, next-header UDP (17) payload length: 38) ::1.37966 > ::1.53: [bad udp cksum 0x0039 -> 0xf4d2!] 23533+ AAAA? meta.plex.tv. (30)
11:50:21.999120 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 48479, offset 0, flags [DF], proto UDP (17), length 58)
    192.168.10.2.49545 > 192.168.10.3.53: 26455+ AAAA? meta.plex.tv. (30)
11:50:21.999293   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 48478, offset 0, flags [DF], proto UDP (17), length 58)
    192.168.10.2.46650 > 192.168.10.3.53: 60659+ A? meta.plex.tv. (30)
11:50:21.999323   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 48479, offset 0, flags [DF], proto UDP (17), length 58)
    192.168.10.2.49545 > 192.168.10.3.53: 26455+ AAAA? meta.plex.tv. (30)
11:50:22.000251   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 30020, offset 0, flags [DF], proto UDP (17), length 58)
    172.18.0.2.39877 > 192.168.0.1.5053: UDP, length 30
11:50:22.000279  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 30020, offset 0, flags [DF], proto UDP (17), length 58)
    172.18.0.2.39877 > 192.168.0.1.5053: UDP, length 30
11:50:22.001070   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 30021, offset 0, flags [DF], proto UDP (17), length 58)
    172.18.0.2.40747 > 192.168.0.1.5053: UDP, length 30
11:50:22.001096  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 30021, offset 0, flags [DF], proto UDP (17), length 58)
    172.18.0.2.40747 > 192.168.0.1.5053: UDP, length 30
11:50:22.101835  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 111: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 42223, offset 0, flags [none], proto UDP (17), length 91)
    192.168.0.191.59290 > 192.168.0.1.53: 15679+ A? REDACTED.blob.core.windows.net. (63)
11:50:22.101843  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 128, id 42223, offset 0, flags [none], proto UDP (17), length 91)
    192.168.0.191.59290 > 192.168.0.1.53: 15679+ A? REDACTED.blob.core.windows.net. (63)
11:50:22.102211 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 48493, offset 0, flags [DF], proto UDP (17), length 91)
    192.168.10.2.40115 > 192.168.10.3.53: 44573+ A? REDACTED.blob.core.windows.net. (63)
11:50:22.102228   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 48493, offset 0, flags [DF], proto UDP (17), length 91)
    192.168.10.2.40115 > 192.168.10.3.53: 44573+ A? REDACTED.blob.core.windows.net. (63)
11:50:22.102748   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 30040, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5053: UDP, length 63
11:50:22.102780  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 30040, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5053: UDP, length 63
11:50:22.102930   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 30041, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5054: UDP, length 63
11:50:22.102944  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 30041, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5054: UDP, length 63
11:50:22.180525  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 42224, offset 0, flags [none], proto UDP (17), length 60)
    192.168.0.191.63769 > 192.168.0.1.53: 971+ A? www.hsbc.co.uk. (32)
11:50:22.180533  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 42224, offset 0, flags [none], proto UDP (17), length 60)
    192.168.0.191.63769 > 192.168.0.1.53: 971+ A? www.hsbc.co.uk. (32)
11:50:22.180911 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 48494, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.10.2.45038 > 192.168.10.3.53: 53357+ A? www.hsbc.co.uk. (32)
11:50:22.180930   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 48494, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.10.2.45038 > 192.168.10.3.53: 53357+ A? www.hsbc.co.uk. (32)
11:50:22.181472   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 30050, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5053: UDP, length 32
11:50:22.181501  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 30050, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5053: UDP, length 32
11:50:22.181673   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 30051, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5054: UDP, length 32
11:50:22.181686  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 30051, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5054: UDP, length 32
11:50:22.475825  In 20:b0:01:9f:7b:40 ethertype 802.1Q (0x8100), length 151: vlan 2, p 0, ethertype IPv4, (tos 0x0, ttl 60, id 17190, offset 0, flags [DF], proto TCP (6), length 131)
    149.112.112.9.443 > 192.168.1.113.48500: Flags [FP.], cksum 0x9fad (correct), seq 2471424514:2471424593, ack 4044867929, win 118, options [nop,nop,TS val 2128056640 ecr 2710871214], length 79
11:50:22.475835  In 20:b0:01:9f:7b:40 ethertype IPv4 (0x0800), length 147: (tos 0x0, ttl 60, id 17190, offset 0, flags [DF], proto TCP (6), length 131)
    149.112.112.9.443 > 192.168.1.113.48500: Flags [FP.], cksum 0x9fad (correct), seq 0:79, ack 1, win 118, options [nop,nop,TS val 2128056640 ecr 2710871214], length 79
11:50:22.823492  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 76: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 42225, offset 0, flags [none], proto UDP (17), length 56)
    192.168.0.191.56639 > 192.168.0.1.53: 19838+ A? github.com. (28)
11:50:22.823503  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 128, id 42225, offset 0, flags [none], proto UDP (17), length 56)
    192.168.0.191.56639 > 192.168.0.1.53: 19838+ A? github.com. (28)
11:50:22.823893 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 48562, offset 0, flags [DF], proto UDP (17), length 56)
    192.168.10.2.57075 > 192.168.10.3.53: 65405+ A? github.com. (28)
11:50:22.823911   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 48562, offset 0, flags [DF], proto UDP (17), length 56)
    192.168.10.2.57075 > 192.168.10.3.53: 65405+ A? github.com. (28)
11:50:22.824411   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 30209, offset 0, flags [DF], proto UDP (17), length 56)
    172.18.0.2.36327 > 192.168.0.1.5053: UDP, length 28
11:50:22.824444  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 30209, offset 0, flags [DF], proto UDP (17), length 56)
    172.18.0.2.36327 > 192.168.0.1.5053: UDP, length 28
11:50:22.824620   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 30210, offset 0, flags [DF], proto UDP (17), length 56)
    172.18.0.2.36327 > 192.168.0.1.5054: UDP, length 28
11:50:22.824633  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 30210, offset 0, flags [DF], proto UDP (17), length 56)
    172.18.0.2.36327 > 192.168.0.1.5054: UDP, length 28
11:50:23.519875  In 20:b0:01:9f:7b:40 ethertype 802.1Q (0x8100), length 151: vlan 2, p 0, ethertype IPv4, (tos 0x0, ttl 60, id 15772, offset 0, flags [DF], proto TCP (6), length 131)
    149.112.112.9.443 > 192.168.1.113.48496: Flags [FP.], cksum 0xd93e (correct), seq 2423391319:2423391398, ack 2448545630, win 118, options [nop,nop,TS val 2125185216 ecr 2710874549], length 79
11:50:23.519886  In 20:b0:01:9f:7b:40 ethertype IPv4 (0x0800), length 147: (tos 0x0, ttl 60, id 15772, offset 0, flags [DF], proto TCP (6), length 131)
    149.112.112.9.443 > 192.168.1.113.48496: Flags [FP.], cksum 0xd93e (correct), seq 0:79, ack 1, win 118, options [nop,nop,TS val 2125185216 ecr 2710874549], length 79
11:50:23.939095  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 83: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 42236, offset 0, flags [none], proto UDP (17), length 63)
    192.168.0.191.61248 > 192.168.0.1.53: 21425+ A? sync-v2.brave.com. (35)
11:50:23.939103  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 128, id 42236, offset 0, flags [none], proto UDP (17), length 63)
    192.168.0.191.61248 > 192.168.0.1.53: 21425+ A? sync-v2.brave.com. (35)
11:50:23.939487 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 48827, offset 0, flags [DF], proto UDP (17), length 63)
    192.168.10.2.35762 > 192.168.10.3.53: 43061+ A? sync-v2.brave.com. (35)
11:50:23.939504   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 48827, offset 0, flags [DF], proto UDP (17), length 63)
    192.168.10.2.35762 > 192.168.10.3.53: 43061+ A? sync-v2.brave.com. (35)
11:50:23.940027   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 30272, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.55563 > 192.168.0.1.5053: UDP, length 35
11:50:23.940058  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 30272, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.55563 > 192.168.0.1.5053: UDP, length 35
11:50:23.940256   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 30273, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.55563 > 192.168.0.1.5054: UDP, length 35
11:50:23.940270  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 64, id 30273, offset 0, flags [DF], proto UDP (17), length 63)
    172.18.0.2.55563 > 192.168.0.1.5054: UDP, length 35
11:50:24.111621  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 111: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 42238, offset 0, flags [none], proto UDP (17), length 91)
    192.168.0.191.59290 > 192.168.0.1.53: 15679+ A? REDACTED.blob.core.windows.net. (63)
11:50:24.111629  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 128, id 42238, offset 0, flags [none], proto UDP (17), length 91)
    192.168.0.191.59290 > 192.168.0.1.53: 15679+ A? REDACTED.blob.core.windows.net. (63)
11:50:24.111988 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 48854, offset 0, flags [DF], proto UDP (17), length 91)
    192.168.10.2.40115 > 192.168.10.3.53: 44573+ A? REDACTED.blob.core.windows.net. (63)
11:50:24.112005   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 48854, offset 0, flags [DF], proto UDP (17), length 91)
    192.168.10.2.40115 > 192.168.10.3.53: 44573+ A? REDACTED.blob.core.windows.net. (63)
11:50:24.112458   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 30297, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5053: UDP, length 63
11:50:24.112488  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 30297, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5053: UDP, length 63
11:50:24.112639   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 30298, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5054: UDP, length 63
11:50:24.112661  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 30298, offset 0, flags [DF], proto UDP (17), length 91)
    172.18.0.2.57913 > 192.168.0.1.5054: UDP, length 63
11:50:24.189641  In 18:c0:4d:af:54:4d ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 42239, offset 0, flags [none], proto UDP (17), length 60)
    192.168.0.191.63769 > 192.168.0.1.53: 971+ A? www.hsbc.co.uk. (32)
11:50:24.189651  In 18:c0:4d:af:54:4d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 42239, offset 0, flags [none], proto UDP (17), length 60)
    192.168.0.191.63769 > 192.168.0.1.53: 971+ A? www.hsbc.co.uk. (32)
11:50:24.190038 Out 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 48863, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.10.2.45038 > 192.168.10.3.53: 53357+ A? www.hsbc.co.uk. (32)
11:50:24.190057   P 4a:58:64:8a:09:3e ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 48863, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.10.2.45038 > 192.168.10.3.53: 53357+ A? www.hsbc.co.uk. (32)
11:50:24.190598   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 30305, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5053: UDP, length 32
11:50:24.190627  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 30305, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5053: UDP, length 32
11:50:24.190788   P 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 30306, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5054: UDP, length 32
11:50:24.190799  In 02:42:ac:12:00:02 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 30306, offset 0, flags [DF], proto UDP (17), length 60)
    172.18.0.2.50046 > 192.168.0.1.5054: UDP, length 32
....
^C
246 packets captured
265 packets received by filter
3 packets dropped by kernel

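Everything seems normal up to the point where Pi-hole queries the DoH proxy. I can see a response from the 149.112.112.9 server only a couple of times, and never the initial query. Those packets carry the FIN flag, so they look like the resolver closing existing connections rather than answering new lookups.
I think the problem lies with DoH. Let's try to pinpoint that. Install bind-dig and query the DoH proxy directly.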
dig @127.0.0.1 www.google.com -p 5053
and
dig @127.0.0.1 www.yahoo.com -p 5054


I have changed the IP that DoH listens on, from 127.0.0.1 to the internal IP that sits on the LAN network, which is 192.168.0.1. So you'll see my error and correction of the IP below:

root@OpenWrt:~# dig @127.0.0.1 www.google.com -p 5053
;; communications error to 127.0.0.1#5053: connection refused

root@OpenWrt:~# dig @192.168.0.1 www.google.com -p 5053

; <<>> DiG 9.17.19 <<>> @192.168.0.1 www.google.com -p 5053
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55100
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         58      IN      A       209.85.203.103
www.google.com.         58      IN      A       209.85.203.105
www.google.com.         58      IN      A       209.85.203.106
www.google.com.         58      IN      A       209.85.203.99
www.google.com.         58      IN      A       209.85.203.147
www.google.com.         58      IN      A       209.85.203.104

;; Query time: 79 msec
;; SERVER: 192.168.0.1#5053(192.168.0.1) (UDP)
;; WHEN: Fri Dec 03 15:11:50 UTC 2021
;; MSG SIZE  rcvd: 139

root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~# dig @192.168.0.1 www.yahoo.com -p 5054

; <<>> DiG 9.17.19 <<>> @192.168.0.1 www.yahoo.com -p 5054
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35015
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.yahoo.com.                 IN      A

;; ANSWER SECTION:
www.yahoo.com.          49      IN      CNAME   new-fp-shed.wg1.b.yahoo.com.
new-fp-shed.wg1.b.yahoo.com. 49 IN      A       87.248.100.215
new-fp-shed.wg1.b.yahoo.com. 49 IN      A       87.248.100.216

;; Query time: 11 msec
;; SERVER: 192.168.0.1#5054(192.168.0.1) (UDP)
;; WHEN: Fri Dec 03 15:12:11 UTC 2021
;; MSG SIZE  rcvd: 106

Perhaps https-dns-proxy needs to re-establish its upstream connection after the VPN goes down.
A hotplug script that restarts the service when the VPN disconnects should solve the issue.
