DNS problems : no answer to DNS query

Hey guys,

I still have some DNS problems. I've been banging my head against the wall, so would appreciate any tip to solve this.

System Configuration
OpenWrt 19.07.7
MacOS BigSur 11.6.1

Symptoms
Every now and then, the DNS resolution to discussions.apple.com is empty:
$ dscacheutil -q host -a name discussions.apple.com
returns no output at all

Most of the time, it returns the correct output:

$ dscacheutil -q host -a name discussions.apple.com
name: e4233.a.akamaiedge.net
alias: discussions.apple.com discussions.apple.com.edgekey.net 
ip_address: 23.216.99.243

To try and diagnose this, I run tcpdump -i any | grep discussions on the router itself.

When the problem manifests itself, I see:

11:02:24.107239 IP MyDevice.mydomain.54534 > OpenWrt.mydomain.53: 53690+ AAAA? discussions.apple.com.edgekey.net. (51)
11:02:24.107239 IP MyDevice.mydomain.54534 > OpenWrt.mydomain.53: 53690+ AAAA? discussions.apple.com.edgekey.net. (51)
11:02:24.156893 IP MyDevice.mydomain.52379 > OpenWrt.mydomain.53: 45701+ A? discussions.apple.com.edgekey.net. (51)
11:02:24.156893 IP MyDevice.mydomain.52379 > OpenWrt.mydomain.53: 45701+ A? discussions.apple.com.edgekey.net. (51)

and nothing after that. In other words, I see MyDevice (the mac) asking the router for DNS resolution, but nothing comes back.

I then run sudo dscacheutil -flushcache ; sudo killall -HUP mDNSResponder on the mac to flush the cache.
When I requery DNS for discussions.apple.com following this, the output of tcpdump is like this:

11:18:00.626022 IP MyDevice.mydomain.64486 > OpenWrt.mydomain.53: 42605+ AAAA? discussions.apple.com. (39)
11:18:00.626022 IP MyDevice.mydomain.64486 > OpenWrt.mydomain.53: 42605+ AAAA? discussions.apple.com. (39)
11:18:00.642325 IP bl4-166-221.dsl.telepac.pt.28159 > 1.1.1.2.53: 35125+ AAAA? discussions.apple.com. (39)
	0x0020:  0000 0000 0b64 6973 6375 7373 696f 6e73  .....discussions
11:18:00.649261 ethertype IPv4, IP 1.1.1.2.53 > bl4-166-221.dsl.telepac.pt.28159: 35125 2/1/0 CNAME discussions.apple.com.edgekey.net., CNAME e4233.a.akamaiedge.net. (177)
11:18:00.649261 IP 1.1.1.2.53 > bl4-166-221.dsl.telepac.pt.28159: 35125 2/1/0 CNAME discussions.apple.com.edgekey.net., CNAME e4233.a.akamaiedge.net. (177)
11:18:00.660449 IP OpenWrt.mydomain.53 > MyDevice.mydomain.64486: 42605 2/1/0 CNAME discussions.apple.com.edgekey.net., CNAME e4233.a.akamaiedge.net. (177)
11:18:00.660463 IP OpenWrt.mydomain.53 > MyDevice.mydomain.64486: 42605 2/1/0 CNAME discussions.apple.com.edgekey.net., CNAME e4233.a.akamaiedge.net. (177)

Does anyone have any clue as to what is going on?
It seems to me that past the first DNS request, the router just does not bother resolving the DNS query. Maybe a caching problem on the router side?

My original setup was using https-dns-proxy. But I commented out list server '127.0.0.1#5060' and used 8.8.8.8 directly instead in my dhcp config, and the problem still persists. See configuration below.

DNSmasq configuration

config dnsmasq 'dnsmasq_mydomain'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option domain 'mydomain'
        option local '/mydomain/'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp_mydomain.leases'
        option noresolv '1'
        option localservice '1'
        option logdhcp '1'
        list interface 'mydomain'
        option confdir '/tmp/dnsmasq.d'
        list server 8.8.8.8
        #list server '127.0.0.1#5060'

config dnsmasq 'dnsmasq_otherdomain'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option domain 'otherdomain'
        option local '/otherdomain/'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp_otherdomain.leases'
        option noresolv '1'
        option localservice '1'
        list interface 'otherdomain'
        list notinterface 'loopback'
        option confdir '/tmp/dnsmasq.d'
        list server '127.0.0.1#5061'


/etc/config/firewall/

config rule 'mydomain_dns'
        option name 'Allow-DNS-mydomain'
        option src 'mydomain'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config redirect 'mydomain_intdns'
        option name 'Intercept-DNS-mydomain'
        option src 'mydomain'
        option src_dport '53'
        option proto 'tcp udp'
        option target 'DNAT'

config rule 'dot_deny'
        option name 'Deny-DoT'
        option src '*'
        option dest 'wan'
        option dest_port '853'
        option proto 'tcp udp'
        option target 'REJECT'

config rule 'doh_deny'
        option name 'Deny-DoH'
        option src '*'
        option dest 'wan'
        option dest_port '443 80'
        option proto 'tcp udp'
        option family 'ipv4'
        option ipset 'doh dest'
        option target 'REJECT'

config include
        option path '/etc/firewall.user'

config ipset 'doh'
        option name 'doh'
        option family 'ipv4'
        option storage 'hash'
        option match 'ip'
        list entry '101.198.191.4'
        list entry '101.6.6.6'
        list entry '101.71.72.192'
        list entry '103.2.57.5'
        list entry '103.2.57.6'
        list entry '103.85.15.60'
        list entry '104.16.132.229'
        list entry '104.16.133.229'
        list entry '104.16.248.249'
        list entry '104.16.249.249'
        list entry '104.21.18.56'
        list entry '104.21.22.243'
        list entry '104.21.41.122'

Finding

If I configure the macOS client to use an external dns (8.8.8.8), I still have the same problem.
However, if I configure the macOS client to use an external dns AND comment out the redirect mydomain_intdns in the firewall, then the problem disappears. What does that mean?

netstat -l -n -p | grep -e dnsmasq -e 5060 -e 5061; \
for DNS in "" 8.8.8.8 localhost 127.0.0.1#5060 127.0.0.1#5061; \
do nslookup discussions.apple.com ${DNS}; echo; done

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#nat6

Hey @vgaetera, thanks for your help!

Here's the output at the moment (when the problem does not manifest itself, due to having commented out the dns intercept DNAT rule).

# netstat -l -n -p | grep -e dnsmasq -e 5060 -e 5061; \
> for DNS in "" 8.8.8.8 localhost 127.0.0.1#5060 127.0.0.1#5061; \
> do nslookup discussions.apple.com ${DNS}; echo; done
tcp        0      0 192.168.5.1:53          0.0.0.0:*               LISTEN      8632/dnsmasq
tcp        0      0 192.168.4.1:53          0.0.0.0:*               LISTEN      8631/dnsmasq
tcp        0      0 192.168.6.1:53          0.0.0.0:*               LISTEN      8633/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      8630/dnsmasq
tcp        0      0 192.168.3.1:53          0.0.0.0:*               LISTEN      8630/dnsmasq
tcp        0      0 fe80::98c9:ebff:fe15:dbca:53 :::*                    LISTEN      8632/dnsmasq
tcp        0      0 fe80::9cc9:ebff:fe15:dbca:53 :::*                    LISTEN      8631/dnsmasq
tcp        0      0 fe80::94c9:ebff:fe15:dbca:53 :::*                    LISTEN      8633/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      8630/dnsmasq
tcp        0      0 fe80::9ec9:ebff:fe15:dbc7:53 :::*                    LISTEN      8630/dnsmasq
udp        0      0 192.168.5.1:53          0.0.0.0:*                           8632/dnsmasq
udp        0      0 192.168.4.1:53          0.0.0.0:*                           8631/dnsmasq
udp        0      0 192.168.6.1:53          0.0.0.0:*                           8633/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           8630/dnsmasq
udp        0      0 192.168.3.1:53          0.0.0.0:*                           8630/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           8632/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           8631/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           8633/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           8630/dnsmasq
udp        0      0 127.0.0.1:5060          0.0.0.0:*                           1574/https-dns-prox
udp        0      0 127.0.0.1:5061          0.0.0.0:*                           1576/https-dns-prox
udp        0      0 fe80::98c9:ebff:fe15:dbca:53 :::*                                8632/dnsmasq
udp        0      0 fe80::9cc9:ebff:fe15:dbca:53 :::*                                8631/dnsmasq
udp        0      0 fe80::94c9:ebff:fe15:dbca:53 :::*                                8633/dnsmasq
udp        0      0 ::1:53                  :::*                                8630/dnsmasq
udp        0      0 fe80::9ec9:ebff:fe15:dbc7:53 :::*                                8630/dnsmasq
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      discussions.apple.com
discussions.apple.com	canonical name = discussions.apple.com.edgekey.net
Name:      discussions.apple.com.edgekey.net
discussions.apple.com.edgekey.net	canonical name = e4233.a.akamaiedge.net
Name:      e4233.a.akamaiedge.net
Address 1: 104.83.186.244
discussions.apple.com	canonical name = discussions.apple.com.edgekey.net
discussions.apple.com.edgekey.net	canonical name = e4233.a.akamaiedge.net

Server:		8.8.8.8
Address:	8.8.8.8#53

Name:      discussions.apple.com
discussions.apple.com	canonical name = discussions.apple.com.edgekey.net
Name:      discussions.apple.com.edgekey.net
discussions.apple.com.edgekey.net	canonical name = e4233.a.akamaiedge.net
Name:      e4233.a.akamaiedge.net
Address 1: 104.83.186.244
discussions.apple.com	canonical name = discussions.apple.com.edgekey.net
discussions.apple.com.edgekey.net	canonical name = e4233.a.akamaiedge.net

Server:		localhost
Address:	::1#53

Name:      discussions.apple.com
discussions.apple.com	canonical name = discussions.apple.com.edgekey.net
Name:      discussions.apple.com.edgekey.net
discussions.apple.com.edgekey.net	canonical name = e4233.a.akamaiedge.net
Name:      e4233.a.akamaiedge.net
Address 1: 104.83.186.244
discussions.apple.com	canonical name = discussions.apple.com.edgekey.net
discussions.apple.com.edgekey.net	canonical name = e4233.a.akamaiedge.net

Server:		127.0.0.1
Address:	127.0.0.1#5060

Name:      discussions.apple.com
discussions.apple.com	canonical name = discussions.apple.com.edgekey.net
Name:      discussions.apple.com.edgekey.net
discussions.apple.com.edgekey.net	canonical name = e4233.a.akamaiedge.net
Name:      e4233.a.akamaiedge.net
Address 1: 104.83.186.244
discussions.apple.com	canonical name = discussions.apple.com.edgekey.net
discussions.apple.com.edgekey.net	canonical name = e4233.a.akamaiedge.net

Server:		127.0.0.1
Address:	127.0.0.1#5061

Name:      discussions.apple.com
discussions.apple.com	canonical name = discussions.apple.com.edgekey.net
Name:      discussions.apple.com.edgekey.net
discussions.apple.com.edgekey.net	canonical name = e4233.a.akamaiedge.net
Name:      e4233.a.akamaiedge.net
Address 1: 104.83.186.244
discussions.apple.com	canonical name = discussions.apple.com.edgekey.net
discussions.apple.com.edgekey.net	canonical name = e4233.a.akamaiedge.net

Note that commenting out this rule:

config redirect 'mydomain_intdns'
        option name 'Intercept-DNS-mydomain'
        option src 'mydomain'
        option src_dport '53'
        option proto 'tcp udp'
        option target 'DNAT'

is necessary and sufficient to solve the problem. It is actually not necessary to also use 8.8.8.8 instead of the router.

Do you have any idea why that could be?

PS: the command you asked me to run looks the same even when the problem manifests itself.

PS2: I ran the command you sent from the router, not the macOS client.

Since everything works on OpenWrt, this looks like a client-specific issue.

A DNS client should query both A and AAAA records by default.
This results in 2 separate DNS queries, unless the query type is explicitly specified.

Your tcpdump has captured only the AAAA query, but not the A.
Either you missed dscacheutil asking for an A record, or it doesn't do it for some reason.

Note that an AAAA query for discussions.apple.com is expected to return no address.
The DNS client must make an A query as the host has only IPv4, but no IPv6.

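The tcpdump output quoted earlier in this thread actually contains three distinguishable cases: a query that gets no reply at all, a NOERROR reply that carries only the CNAME chain and no address record (the "2/1/0" AAAA replies, which is the expected NODATA result for a host that has only IPv4), and a reply that contains an address of the queried type. Telling them apart by eye is error-prone because "tcpdump -i any" shows every packet twice. The following Python script is an added example, not code from the thread or from OpenWrt: it correlates each query with its reply by client endpoint and transaction id, collapses the duplicate lines, and flags the unanswered ones. The embedded capture is constructed from the lines quoted in the thread plus one constructed A query/answer pair (id 11111, port 50001) so that the "answered" case is also exercised.

```python
"""Correlate DNS queries with replies in tcpdump text output and flag the unanswered ones.

Added example for this thread; it assumes tcpdump's default one-line DNS summary
format ("<id>+ <type>? <name>" for queries, "<id> <an>/<ns>/<ar> <records>" for replies).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines quoted in the thread, plus a constructed A query/answer pair.
SAMPLE = """\
11:02:24.107239 IP MyDevice.mydomain.54534 > OpenWrt.mydomain.53: 53690+ AAAA? discussions.apple.com.edgekey.net. (51)
11:02:24.107239 IP MyDevice.mydomain.54534 > OpenWrt.mydomain.53: 53690+ AAAA? discussions.apple.com.edgekey.net. (51)
11:02:24.156893 IP MyDevice.mydomain.52379 > OpenWrt.mydomain.53: 45701+ A? discussions.apple.com.edgekey.net. (51)
11:18:00.626022 IP MyDevice.mydomain.64486 > OpenWrt.mydomain.53: 42605+ AAAA? discussions.apple.com. (39)
11:18:00.642325 IP bl4-166-221.dsl.telepac.pt.28159 > 1.1.1.2.53: 35125+ AAAA? discussions.apple.com. (39)
\t0x0020:  0000 0000 0b64 6973 6375 7373 696f 6e73  .....discussions
11:18:00.649261 ethertype IPv4, IP 1.1.1.2.53 > bl4-166-221.dsl.telepac.pt.28159: 35125 2/1/0 CNAME discussions.apple.com.edgekey.net., CNAME e4233.a.akamaiedge.net. (177)
11:18:00.660449 IP OpenWrt.mydomain.53 > MyDevice.mydomain.64486: 42605 2/1/0 CNAME discussions.apple.com.edgekey.net., CNAME e4233.a.akamaiedge.net. (177)
11:18:00.700000 IP MyDevice.mydomain.50001 > OpenWrt.mydomain.53: 11111+ A? discussions.apple.com. (39)
11:18:00.731000 IP OpenWrt.mydomain.53 > MyDevice.mydomain.50001: 11111 3/0/0 CNAME discussions.apple.com.edgekey.net., CNAME e4233.a.akamaiedge.net., A 23.216.99.243 (120)
"""

# Query: "<ts> [ethertype ...,] IP <src> > <dst>: <id>+ <qtype>? <qname> (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) .*?IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)
# Reply: "<ts> IP <src> > <dst>: <id>[flags] [rcode] <an>/<ns>/<ar> <records> (<len>)"
RESP_RE = re.compile(
    r"^(?P<ts>\S+) .*?IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)[*$|-]*(?: (?P<rcode>NXDomain|ServFail|Refused|FormErr|NotImp))?"
    r" (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)(?P<answers>.*?) \(\d+\)$"
)


@dataclass
class Transaction:
    client: str          # client endpoint "host.port" that sent the query
    txid: str            # 16-bit DNS transaction id as printed by tcpdump
    qtype: str
    qname: str
    sent: str            # timestamp of the query
    status: str = "unanswered"   # unanswered | answered | nodata | nxdomain | servfail | ...
    rtt_ms: Optional[float] = None


def _secs(ts: str) -> float:
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def classify(txn: Transaction, reply: "re.Match[str]") -> str:
    """Name the outcome of a reply relative to the query type it answers."""
    if reply["rcode"]:
        return reply["rcode"].lower()          # nxdomain, servfail, refused, ...
    # tcpdump separates answer records with ", "; the first token is the RR type.
    # (Good enough for A/AAAA/CNAME chains; TXT data containing commas would need care.)
    records = [r.strip() for r in reply["answers"].split(",") if r.strip()]
    types = {r.split()[0] for r in records}
    if txn.qtype in types:
        return "answered"
    return "nodata"      # NOERROR, but no record of the queried type (e.g. only CNAMEs)


def correlate(capture: str) -> List[Transaction]:
    """Pair every query with its reply; duplicates from 'tcpdump -i any' collapse on (client, id)."""
    txns: Dict[Tuple[str, str], Transaction] = {}
    for raw in capture.splitlines():
        line = raw.strip()
        if not line or line.startswith("0x"):
            continue                             # skip hex-dump continuation lines
        q = QUERY_RE.match(line)
        if q:
            key = (q["src"], q["id"])
            txns.setdefault(key, Transaction(q["src"], q["id"], q["qtype"], q["qname"], q["ts"]))
            continue
        r = RESP_RE.match(line)
        if r:
            txn = txns.get((r["dst"], r["id"]))   # the reply goes back to the client endpoint
            if txn is None:
                continue                         # reply whose query was not captured
            txn.status = classify(txn, r)
            txn.rtt_ms = round((_secs(r["ts"]) - _secs(txn.sent)) * 1000, 1)
    return list(txns.values())


def unanswered(txns: List[Transaction]) -> List[Transaction]:
    return [t for t in txns if t.status == "unanswered"]


if __name__ == "__main__":
    for t in correlate(SAMPLE):
        rtt = "-" if t.rtt_ms is None else f"{t.rtt_ms} ms"
        print(f"{t.sent} {t.client:<40} id={t.txid:<6} {t.qtype:<5} {t.qname:<40} {t.status:<10} {rtt}")
```

Run against a real capture with `tcpdump -i any -n -l port 53 | python3 thisscript.py`-style piping after swapping SAMPLE for `sys.stdin.read()`; every line that ends in "unanswered" is a query the router swallowed, while "nodata" on an AAAA query is the normal result for an IPv4-only name and is not a fault.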

Ah interesting.
Why should an AAAA query to discussions.apple.com return no address?

The fact that commenting out the Intercept-DNS redirect solves the problem makes me believe that it's an openwrt problem, not the client.

https://toolbox.googleapps.com/apps/dig

Digging their A records gets this.

id 15241
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
discussions.apple.com. IN A
;ANSWER
discussions.apple.com. 2970 IN CNAME discussions.apple.com.edgekey.net.
discussions.apple.com.edgekey.net. 184 IN CNAME e4233.a.akamaiedge.net.
e4233.a.akamaiedge.net. 20 IN A 23.61.235.231
;AUTHORITY
;ADDITIONAL

Dig their AAAA

id 52225
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
discussions.apple.com. IN AAAA
;ANSWER
discussions.apple.com. 2206 IN CNAME discussions.apple.com.edgekey.net.
discussions.apple.com.edgekey.net. 166 IN CNAME e4233.a.akamaiedge.net.
;AUTHORITY
a.akamaiedge.net. 866 IN SOA n0a.akamaiedge.net. hostmaster.akamai.com. 1637628483 1000 1000 1000 1800
;ADDITIONAL

Or... [screenshot omitted]

(edit: forgot the AAAA record.)

Interesting TTLs. And to answer your question: they are running an IPv4 host and NOT an IPv6 one.
