DNS responds on correct port but is denied?

I'm having a somewhat similar problem to the one in "DNS responds on wrong ports", but slightly different; in the aforementioned thread the response from the DNS server came to another port. My issue seems similar - the reply from the DNS server times out due to the port being unreachable, but in my case it seems the reply arrives at the same port the request was sent from. As far as I'm aware, I am not behind CGNAT.

Relevant info and logs below;

Network layout:

Internet -> Router (openWRT x86-64) -> Internal network
External IP: 81.228.193.xxx/24
Router (DHCP server) 192.168.254.77
DNS server (pihole) 192.168.254.8
Clients 192.168.254.0/24

OpenWRT info:

Model	LENOVO 10FLS43K00
Architecture	Intel(R) Core(TM) i5-6500T CPU @ 2.50GHz
Target Platform	x86/64
Firmware Version	OpenWrt 21.02.0 r16279-5cc0535800 / LuCI openwrt-21.02 branch git-23.093.57360-e98243e

"Luckily" I just managed to capture a long period of the problem through tcpdump on the DNS server - as is evident from the last call for debian.org, the problem isn't constant;

pi@rpi ~> doas tcpdump host 4.2.2.1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:31:41.051743 IP rpi.internal.korvroffe.org.44745 > a.resolvers.level3.net.domain: 58883+ [1au] AAAA? yelp.com. (59)
17:31:41.086569 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.44745: 58883 0/1/1 (102)
17:31:41.086657 IP rpi.internal.korvroffe.org > a.resolvers.level3.net: ICMP rpi.internal.korvroffe.org udp port 44745 unreachable, length 138
17:32:09.054109 IP rpi.internal.korvroffe.org.58201 > a.resolvers.level3.net.domain: 53679+ [1au] A? g.live.com. (61)
17:32:09.080263 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.58201: 53679 3/0/1 CNAME g.msn.com., CNAME g-msn-com-nsatc.trafficmanager.net., A 68.219.88.225 (123)
17:32:09.080317 IP rpi.internal.korvroffe.org > a.resolvers.level3.net: ICMP rpi.internal.korvroffe.org udp port 58201 unreachable, length 159
17:32:31.651550 IP rpi.internal.korvroffe.org.34322 > a.resolvers.level3.net.domain: 2382+ [1au] A? api.msn.com. (62)
17:32:31.679722 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.34322: 2382 3/0/1 CNAME api-msn-com.a-0003.a-msedge.net., CNAME a-0003.a-msedge.net., A 204.79.197.203 (115)
17:32:31.679791 IP rpi.internal.korvroffe.org > a.resolvers.level3.net: ICMP rpi.internal.korvroffe.org udp port 34322 unreachable, length 151
17:32:54.120828 IP rpi.internal.korvroffe.org.55108 > a.resolvers.level3.net.domain: 29866+ [1au] A? g.live.com. (61)
17:32:54.152431 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.55108: 29866 3/0/1 CNAME g.msn.com., CNAME g-msn-com-nsatc.trafficmanager.net., A 68.219.88.225 (123)
17:32:54.152492 IP rpi.internal.korvroffe.org > a.resolvers.level3.net: ICMP rpi.internal.korvroffe.org udp port 55108 unreachable, length 159
17:33:19.023981 IP rpi.internal.korvroffe.org.36401 > a.resolvers.level3.net.domain: 10646+ [1au] A? hm.se. (56)
17:33:19.170837 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.36401: 10646 2/0/1 A 23.48.23.183, A 23.48.23.150 (66)
17:33:19.170896 IP rpi.internal.korvroffe.org > a.resolvers.level3.net: ICMP rpi.internal.korvroffe.org udp port 36401 unreachable, length 102
17:33:40.061165 IP rpi.internal.korvroffe.org.51184 > a.resolvers.level3.net.domain: 64234+ [1au] AAAA? klarna.com. (61)
17:33:40.099944 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.51184: 64234 0/1/1 (99)
17:33:40.100020 IP rpi.internal.korvroffe.org > a.resolvers.level3.net: ICMP rpi.internal.korvroffe.org udp port 51184 unreachable, length 135
17:34:07.635021 IP rpi.internal.korvroffe.org.57305 > a.resolvers.level3.net.domain: 25273+ [1au] A? drupal.org. (61)
17:34:07.671591 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.57305: 25273 4/0/1 A 151.101.2.217, A 151.101.66.217, A 151.101.130.217, A 151.101.194.217 (103)
17:34:07.671653 IP rpi.internal.korvroffe.org > a.resolvers.level3.net: ICMP rpi.internal.korvroffe.org udp port 57305 unreachable, length 139
17:34:33.051653 IP rpi.internal.korvroffe.org.57474 > a.resolvers.level3.net.domain: 10606+ [1au] A? www.youtube.com. (66)
17:34:33.079545 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.57474: 10606 17/0/1 CNAME youtube-ui.l.google.com., A 216.58.212.14, A 216.58.212.46, A 216.58.213.110, A 142.251.140.14, A 142.251.140.46, A 142.251.140.78, A 142.251.141.46, A 172.217.169.110, A 172.217.169.142, A 142.250.184.142, A 142.250.187.110, A 142.250.187.142, A 142.250.187.174, A 172.217.17.110, A 172.217.17.142, A 172.217.20.78 (334)
17:34:33.079600 IP rpi.internal.korvroffe.org > a.resolvers.level3.net: ICMP rpi.internal.korvroffe.org udp port 57474 unreachable, length 370
17:34:54.430804 IP rpi.internal.korvroffe.org.33921 > a.resolvers.level3.net.domain: 23079+ [1au] A? g.live.com. (61)
17:34:54.457371 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.33921: 23079 3/0/1 CNAME g.msn.com., CNAME g-msn-com-nsatc.trafficmanager.net., A 68.219.88.225 (123)
17:34:54.457420 IP rpi.internal.korvroffe.org > a.resolvers.level3.net: ICMP rpi.internal.korvroffe.org udp port 33921 unreachable, length 159
17:35:19.243419 IP rpi.internal.korvroffe.org.49921 > a.resolvers.level3.net.domain: 9263+ [1au] A? gamereactor.com. (66)
17:35:19.309671 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.49921: 9263 1/0/1 A 77.247.76.132 (60)
17:35:48.496844 IP rpi.internal.korvroffe.org.55146 > a.resolvers.level3.net.domain: 40957+ [1au] AAAA? fedoraproject.org. (68)
17:35:48.523294 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.55146: 40957 7/0/1 AAAA 2600:1f14:fad:5c02:7c8a:72d0:1c58:c189, AAAA 2605:bc80:3010:600:dead:beef:cafe:fed9, AAAA 2620:52:3:1:dead:beef:cafe:fed6, AAAA 2600:2701:4000:5211:dead:beef:fe:fed3, AAAA 2620:52:3:1:dead:beef:cafe:fed7, AAAA 2604:1580:fe00:0:dead:beef:cafe:fed1, RRSIG (359)
17:35:48.523355 IP rpi.internal.korvroffe.org > a.resolvers.level3.net: ICMP rpi.internal.korvroffe.org udp port 55146 unreachable, length 395
17:36:09.853129 IP rpi.internal.korvroffe.org.38766 > a.resolvers.level3.net.domain: 19434+ [1au] A? connectivitycheck.gstatic.com. (80)
17:36:09.881024 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.38766: 19434 1/0/1 A 142.250.187.163 (74)
17:36:34.706117 IP rpi.internal.korvroffe.org.38452 > a.resolvers.level3.net.domain: 3248+ [1au] AAAA? debian.org. (61)
17:36:34.706868 IP rpi.internal.korvroffe.org.38452 > a.resolvers.level3.net.domain: 3248+ [1au] AAAA? debian.org. (61)
17:36:34.707872 IP rpi.internal.korvroffe.org.42575 > a.resolvers.level3.net.domain: 64853+ [1au] A? debian.org. (61)
17:36:34.735415 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.38452: 3248 4/0/1 AAAA 2001:4f8:1:c::15, AAAA 2603:400a:ffff:bb8::801f:3e, AAAA 2001:67c:2564:a119::77, RRSIG (357)
17:36:34.735501 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.38452: 3248 4/0/1 AAAA 2001:4f8:1:c::15, AAAA 2603:400a:ffff:bb8::801f:3e, AAAA 2001:67c:2564:a119::77, RRSIG (357)
17:36:34.735541 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.42575: 64853 4/0/1 A 128.31.0.62, A 130.89.148.77, A 149.20.4.15, RRSIG (321)
17:36:34.735847 IP rpi.internal.korvroffe.org.56975 > a.resolvers.level3.net.domain: 53385+ [1au] DS? debian.org. (39)
17:36:34.762163 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.56975: 53385 2/0/1 DS, RRSIG (250)
17:36:34.762760 IP rpi.internal.korvroffe.org.40877 > a.resolvers.level3.net.domain: 28828+ [1au] DNSKEY? debian.org. (39)
17:36:34.790719 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.40877: 28828 4/0/1 DNSKEY, DNSKEY, RRSIG, RRSIG (1059)
17:36:34.831763 IP rpi.internal.korvroffe.org.50565 > a.resolvers.level3.net.domain: 9772+ [1au] AAAA? debian.org. (61)
17:36:34.885405 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.50565: 9772 4/0/1 AAAA 2001:67c:2564:a119::77, AAAA 2603:400a:ffff:bb8::801f:3e, AAAA 2001:4f8:1:c::15, RRSIG (357)
17:36:35.571933 IP rpi.internal.korvroffe.org.49441 > a.resolvers.level3.net.domain: 17799+ [1au] A? www.debian.org. (65)
17:36:35.572942 IP rpi.internal.korvroffe.org.40898 > a.resolvers.level3.net.domain: 74+ [1au] AAAA? www.debian.org. (65)
17:36:35.598885 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.49441: 17799 2/0/1 A 130.89.148.77, RRSIG (297)
17:36:35.599212 IP rpi.internal.korvroffe.org.43952 > a.resolvers.level3.net.domain: 13954+ [1au] DS? www.debian.org. (43)
17:36:35.625778 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.43952: 13954 2/0/1 DS, RRSIG (325)
17:36:35.626617 IP rpi.internal.korvroffe.org.42376 > a.resolvers.level3.net.domain: 65321+ [1au] DNSKEY? www.debian.org. (43)
17:36:35.654606 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.42376: 65321 2/0/1 DNSKEY, RRSIG (493)
17:36:35.765615 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.40898: 74 2/0/1 AAAA 2001:67c:2564:a119::77, RRSIG (309)
17:36:35.778895 IP rpi.internal.korvroffe.org.59708 > a.resolvers.level3.net.domain: 27676+ [1au] AAAA? www.debian.org. (65)
17:36:35.805564 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.59708: 27676 2/0/1 AAAA 2001:67c:2564:a119::77, RRSIG (309)
^C
56 packets captured
56 packets received by filter
0 packets dropped by kernel

Output of relevant configs (somewhat truncated with regards to static IPs, wireguard etc);

root@gateway:~# uci export network; uci export dhcp; ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6c:ce7f:f3d8::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.254.77'
        option netmask '255.255.255.0'
        list dns '192.168.254.8'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'
        list dns '192.168.254.8'
        option peerdns '0'

config interface 'wg_lan'
[REMOVED]

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option ednspacket_max '1232'
        option local '/internal.korvroffe.org/'
        option domain 'internal.korvroffe.org'
        option rebind_protection '0'
        option localservice '1'
        option localuse '1'
        list server '192.168.254.77'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'rpi'
        option dns '1'
        option mac 'DNS-MAC'
        option ip '192.168.254.8'

[...]

lrwxrwxrwx    1 root     root            16 Sep  1  2021 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            66 Jul 11 22:17 /tmp/resolv.conf
-rw-r--r--    1 root     root            82 Jul 10 22:38 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            82 Jul 10 22:38 resolv.conf.auto
==> /etc/resolv.conf <==
search internal.korvroffe.org
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search internal.korvroffe.org
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 192.168.254.8
# Interface wan
nameserver 192.168.254.8
root@gateway:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan wg_lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.254.XXX'
firewall.@redirect[0].dest_port='80'
firewall.@redirect[0].name='http-server'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='443'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_ip='192.168.254.XXX'
firewall.@redirect[1].dest_port='443'
firewall.@redirect[1].name='https-server'
firewall.dns_int=redirect
firewall.dns_int.name='Intercept-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='tcp udp'
firewall.dns_int.target='DNAT'
firewall.dns_int.src_mac='!DNS-MAC'
firewall.dot_fwd=rule
firewall.dot_fwd.name='Deny-DoT'
firewall.dot_fwd.src='lan'
firewall.dot_fwd.dest='wan'
firewall.dot_fwd.dest_port='853'
firewall.dot_fwd.proto='tcp udp'
firewall.dot_fwd.target='REJECT'
firewall.doh_fwd=rule
firewall.doh_fwd.name='Deny-DoH'
firewall.doh_fwd.src='lan'
firewall.doh_fwd.dest='wan'
firewall.doh_fwd.proto='tcp udp'
firewall.doh_fwd.dest_port='443'
firewall.doh_fwd.family='ipv4'
firewall.doh_fwd.ipset='doh dest'
firewall.doh_fwd.target='REJECT'
firewall.doh6_fwd=rule
firewall.doh6_fwd.name='Deny-DoH6'
firewall.doh6_fwd.src='lan'
firewall.doh6_fwd.dest='wan'
firewall.doh6_fwd.dest_port='443'
firewall.doh6_fwd.proto='tcp udp'
firewall.doh6_fwd.family='ipv6'
firewall.doh6_fwd.ipset='doh6 dest'
firewall.doh6_fwd.target='REJECT'
firewall.doh=ipset
firewall.doh.name='doh'
firewall.doh.family='ipv4'
firewall.doh.storage='hash'
firewall.doh.match='ip'
firewall.doh.entry='[LONG LIST OF IPV4 ADDRESSES]'
firewall.doh6=ipset
firewall.doh6.name='doh6'
firewall.doh6.family='ipv6'
firewall.doh6.storage='hash'
firewall.doh6.match='ip'
firewall.doh6.entry='[LONG LIST OF IPV6 ADDRESSES]'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard-lan'
firewall.wg.src='wan'
firewall.wg.dest_port='[REDACTED]'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'
firewall.@rule[14]=rule
firewall.@rule[14].src='lan'
firewall.@rule[14].name='block 8888'
firewall.@rule[14].dest_ip='8.8.8.8'
firewall.@rule[14].target='DROP'
firewall.@rule[14].dest='wan'
firewall.@rule[14].proto='all'
firewall.@rule[15]=rule
firewall.@rule[15].src='wan'
firewall.@rule[15].name='Allow-ICMPv4-DNS-replies'
firewall.@rule[15].target='ACCEPT'
firewall.@rule[15].dest_ip='fe80::339f:7937:f17d:1edb' '192.168.254.8'
firewall.@rule[15].proto='udp' 'icmp' 'igmp'

The last rule is me trying to solve the issue (I'm aware the rule might be insecure - I just wanted to try and "fix" the issue with a sledgehammer to see if it worked), with little success obviously. Resolution usually works despite the timeouts since I also use 4.2.2.2 for resolution, which is then used if 4.2.2.1 doesn't work and vice versa. But the issue is rather annoying and I'd of course prefer it if my firewall consistently allowed connections which were established by my own DNS server. I'm kinda stumped as to why the requests bounce sometimes and then start working again. Can anyone see where I or something else went awry? :)
Let me know if there's any more information needed!
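The capture in this post can be triaged mechanically. The script below is an added example, not code from the post, from OpenWrt or from Pi-hole: it parses tcpdump lines in the format shown above, pairs each query with its responses by (source port, transaction id), and records which host emitted the ICMP "udp port unreachable" message. The verdicts it assigns are my own names; the assumptions are that queries and responses are printed in the usual tcpdump form (`txid+ [1au] TYPE? name.` and `txid an/au/ad`), and that an ICMP unreachable belongs to the most recent query on that port. The sample input is a handful of lines copied from the capture above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the tcpdump capture in the post
# (two rejected lookups, one delivered lookup, one retransmitted debian.org lookup).
SAMPLE_CAPTURE = """\
17:31:41.051743 IP rpi.internal.korvroffe.org.44745 > a.resolvers.level3.net.domain: 58883+ [1au] AAAA? yelp.com. (59)
17:31:41.086569 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.44745: 58883 0/1/1 (102)
17:31:41.086657 IP rpi.internal.korvroffe.org > a.resolvers.level3.net: ICMP rpi.internal.korvroffe.org udp port 44745 unreachable, length 138
17:32:09.054109 IP rpi.internal.korvroffe.org.58201 > a.resolvers.level3.net.domain: 53679+ [1au] A? g.live.com. (61)
17:32:09.080263 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.58201: 53679 3/0/1 CNAME g.msn.com., CNAME g-msn-com-nsatc.trafficmanager.net., A 68.219.88.225 (123)
17:32:09.080317 IP rpi.internal.korvroffe.org > a.resolvers.level3.net: ICMP rpi.internal.korvroffe.org udp port 58201 unreachable, length 159
17:35:19.243419 IP rpi.internal.korvroffe.org.49921 > a.resolvers.level3.net.domain: 9263+ [1au] A? gamereactor.com. (66)
17:35:19.309671 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.49921: 9263 1/0/1 A 77.247.76.132 (60)
17:36:34.706117 IP rpi.internal.korvroffe.org.38452 > a.resolvers.level3.net.domain: 3248+ [1au] AAAA? debian.org. (61)
17:36:34.706868 IP rpi.internal.korvroffe.org.38452 > a.resolvers.level3.net.domain: 3248+ [1au] AAAA? debian.org. (61)
17:36:34.735415 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.38452: 3248 4/0/1 AAAA 2001:4f8:1:c::15, AAAA 2603:400a:ffff:bb8::801f:3e, AAAA 2001:67c:2564:a119::77, RRSIG (357)
17:36:34.735501 IP a.resolvers.level3.net.domain > rpi.internal.korvroffe.org.38452: 3248 4/0/1 AAAA 2001:4f8:1:c::15, AAAA 2603:400a:ffff:bb8::801f:3e, AAAA 2001:67c:2564:a119::77, RRSIG (357)
"""

PKT_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
QUERY_RE = re.compile(r"^(?P<txid>\d+)[+%$|-]* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")
RESP_RE = re.compile(r"^(?P<txid>\d+)[-*$|]* \d+/\d+/\d+")
ICMP_RE = re.compile(r"^ICMP (?P<host>\S+) udp port (?P<port>\d+) unreachable")
SERVICE_PORTS = {"domain": 53}  # tcpdump prints well-known ports by name unless -n is given


def _endpoint(ep: str) -> Tuple[str, int]:
    """Split 'host.port' as tcpdump prints it; raises ValueError if there is no port."""
    host, port = ep.rsplit(".", 1)
    return host, SERVICE_PORTS.get(port) or int(port)


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class Transaction:
    txid: int
    client: str
    port: int
    qtype: str
    qname: str
    sent: List[float] = field(default_factory=list)       # query timestamps (retries included)
    responses: List[float] = field(default_factory=list)  # response timestamps (duplicates included)
    icmp_from: Optional[str] = None                        # who answered the reply with "unreachable"
    icmp_at: Optional[float] = None

    @property
    def verdict(self) -> str:
        if not self.responses:
            return "no-response"
        if self.icmp_from is None:
            return "delivered"
        if self.icmp_from == self.client:
            # The client's own kernel rejected the reply: it arrived, but the
            # socket that sent the query was already closed. Not a path problem.
            return "closed-locally"
        return "rejected-by-" + self.icmp_from

    @property
    def latency_ms(self) -> Optional[float]:
        return None if not self.responses else (self.responses[0] - self.sent[0]) * 1000.0


def parse_capture(text: str) -> Dict[Tuple[int, int], Transaction]:
    """Group tcpdump lines into DNS transactions keyed by (client port, transaction id)."""
    txs: Dict[Tuple[int, int], Transaction] = {}
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        ts, rest = _seconds(m["ts"]), m["rest"]
        if rest.startswith("ICMP "):
            im = ICMP_RE.match(rest)
            if im:
                # Attach the unreachable to the latest transaction on that port (assumption).
                for tx in reversed(list(txs.values())):
                    if tx.port == int(im["port"]) and tx.client == im["host"]:
                        tx.icmp_from, tx.icmp_at = m["src"], ts
                        break
            continue
        try:
            src_host, src_port = _endpoint(m["src"])
            _, dst_port = _endpoint(m["dst"])
        except ValueError:
            continue  # not a UDP/TCP line with ports
        qm = QUERY_RE.match(rest)
        if qm and dst_port == 53:
            key = (src_port, int(qm["txid"]))
            tx = txs.setdefault(key, Transaction(key[1], src_host, src_port, qm["qtype"], qm["qname"]))
            tx.sent.append(ts)
            continue
        rm = RESP_RE.match(rest)
        if rm and src_port == 53:
            tx = txs.get((dst_port, int(rm["txid"])))
            if tx is not None:
                tx.responses.append(ts)
    return txs


def summarize(txs: Dict[Tuple[int, int], Transaction]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for tx in txs.values():
        counts[tx.verdict] = counts.get(tx.verdict, 0) + 1
    return counts


def report(text: str) -> List[str]:
    """One line per transaction: type, name, port, txid, retries, latency, verdict."""
    lines = []
    for tx in parse_capture(text).values():
        lat = "-" if tx.latency_ms is None else f"{tx.latency_ms:.1f} ms"
        lines.append(f"{tx.qtype:5} {tx.qname:18} port {tx.port:5} txid {tx.txid:5} "
                     f"sent x{len(tx.sent)} resp x{len(tx.responses)} {lat:>9} {tx.verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
    print(summarize(parse_capture(SAMPLE_CAPTURE)))
```

Feed it saved tcpdump output; with `-n` hosts and ports are numeric, which the splitter also accepts. In this capture every ICMP unreachable is sourced by rpi itself, so the verdict is `closed-locally` with a response latency of a few tens of milliseconds: the reply did reach the DNS host, and a reply dropped by the router would not appear in a capture taken on the DNS host at all. That narrows the hunt to the resolver process on rpi (how long it keeps the query socket open) rather than to the firewall rules.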

A first small mistake I found is the definition of an internal DNS on your WAN interface; usually it is better to put something like 8.8.8.8 or 1.1.1.1 or another server of your liking.

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'
        list dns '192.168.254.8'
        option peerdns '0'

If I were you I would remove it or change it

It looks like you are pointing the router to itself as DNS server.
Try removing that and see if that helps.


As for these rules, what do you want to be able to do?

firewall.@rule[14]=rule
firewall.@rule[14].src='lan'
firewall.@rule[14].name='block 8888'
firewall.@rule[14].dest_ip='8.8.8.8'
firewall.@rule[14].target='DROP'
firewall.@rule[14].dest='wan'
firewall.@rule[14].proto='all'
firewall.@rule[15]=rule
firewall.@rule[15].src='wan'
firewall.@rule[15].name='Allow-ICMPv4-DNS-replies'
firewall.@rule[15].target='ACCEPT'
firewall.@rule[15].dest_ip='fe80::339f:7937:f17d:1edb' '192.168.254.8'
firewall.@rule[15].proto='udp' 'icmp' 'igmp'

If you want DNS requests to be resolved only by an internal device (which can be a Raspberry Pi, PC or other DNS server), you should look at this post.

I first want to make something clear which perhaps wasn't in the original post: DNS is working, generally. A few times, both DNS servers (4.2.2.1 and 4.2.2.2) have become unresponsive (probably due to timeouts), which is usually resolved within ~30 seconds. This topic is for hunting down why responses on the same port the request was sent from don't get through, which, as seen in the logs, only happens sometimes.

A first small mistake I found is the definition of an internal DNS on your WAN interface; usually it is better to put something like 8.8.8.8 or 1.1.1.1 or another server of your liking.

As far as I can tell, that option means that the WAN interface on the router uses my internal DNS server and not the DHCP provided ones. This is intended behaviour and doesn't make a difference - the provided tcpdump is captured on the DNS server itself and requests are coming from another client.

It looks like you are pointing the router to itself as DNS server.
Try removing that and see if that helps.

This is a whoopsie on my part, but not the root cause of the issue (I did change this - thanks for pointing it out! - to no avail).

If you want DNS requests to be resolved only by an internal device (which can be a Raspberry Pi, PC or other DNS server), you should look at this post.

As for 8.8.8.8: I've found that blocking all communication to it is just a wise move in general if you have a lot of IoT devices. As I began this post: rerouting DNS requests to my local DNS server already works. See;

firewall.dns_int=redirect
firewall.dns_int.name='Intercept-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='tcp udp'
firewall.dns_int.target='DNAT'
firewall.dns_int.src_mac='!DNS-MAC'

This rule captures all packets originating from the LAN on port 53 and redirects them to the router (which then - by now at least :) - forwards them to the DNS server). Other services (DoH, DoT) are also blocked at port level (DoT - see firewall.dot) and IP level (DoH - see firewall.doh and firewall.doh6). These things are (largely) taken from the wiki (https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns - note that the router is running 21.02, which still uses fw3!).

hi,

and what is your intention with this?

I'm afraid I don't understand the question - this hardly is the culprit of what issues I'm facing? How/why do you figure this is relevant to the issue at hand?

The answer is as simple as I want all my devices to use my own DNS server. There's as little reason for them to do so as there is reason for not doing so and I prefer the consistency of having a single point of failure in this case. Do you see a problem with this?

You set the DNS server in various parts of the config at the same time. Setting a local destination on your WAN interface as the upstream DNS server looks weird.

What you want/need is to set your clients to use your preferred DNS resolver (Pi-hole), which can be achieved via a DHCP option.


I'm sorry but this conversation is not productive to the issue I'm asking for help about, please refrain from commenting further. Thanks in advance.

FTLDNS™ is based on dnsmasq.

https://unix.stackexchange.com/a/361423

Include 4.2.2.2 in the dump to see if this is the case.

I won't comment on your DNS configuration, but it really needs optimisation as pointed out above.

Thank you! I will look into this and report back, if it is dnsmasq I'll of course mark your reply as the solution.
