DNS via intermediate router

I have an upstream router (br-lan: 192.168.0.1) and downstream router (wan: 192.168.0.2, br-lan: 192.168.1.1) - masquerading is disabled on the downstream router to avoid double NAT.

DNS queries from my downstream router to the upstream router work just fine, but DNS queries directed to 192.168.0.1 from LAN clients 192.168.1.x of the downstream router do not work, although such clients can ping 192.168.0.1. Using 'tcpdump' I think the upstream router sees the requests, but nothing happens.

Do you have a static route defined on the main router (192.168.1.0/24 via 192.168.0.2)?

Let's see your conifguration on your OpenWrt router:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix ''

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option proto 'modemmanager'
        option device '/sys/devices/platform/1e1c0000.xhci/usb2/2-1'
        option iptype 'ipv4v6'
        option autoconnect '1'
 
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config route
        option target '192.168.1.0/24'
        option gateway '192.168.0.2'
        option table 'main'
        option interface 'lan'

config route
        option target '192.168.2.0/24'
        option gateway '192.168.0.2'
        option table 'main'
        option interface 'lan'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'OpenWrt'
        option dns '1'
        option mac ''
        option ip '192.168.0.2'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option mtu_fix '1'
        option forward 'REJECT'
        option masq '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

Ok... this must be the main router. Everything looks okay here.

Can you post the config of the downstream router?

root@OpenWrt-1:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ''

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'dhcp'
        option device 'wan'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option device 'wan'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

root@OpenWrt-1:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '1'
        option localuse '1'
        list server '127.0.0.1#5453'
        list server '0::1#5453'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option mac ''
        option ip '192.168.1.5'

config host
        option mac ''
        option ip '192.168.1.7'
root@OpenWrt-1:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option dest 'wan'
        option src '*'
        option start_time '21:00:00'
        option stop_time '17:00:00'
        option target 'REJECT'
        option name 'Restrict-OpenWrt-GitHub'
        list proto 'all'
        list dest_ip '139.59.210.197'
        list dest_ip '192.30.252.0/22'
        list dest_ip '185.199.108.0/22'
        list dest_ip '140.82.112.0/20'
        list dest_ip '143.55.64.0/20'
        list dest_ip '20.201.28.151/32'
        list dest_ip '20.205.243.166/32'
        list dest_ip '102.133.202.242/32'
        list dest_ip '20.248.137.48/32'
        list dest_ip '20.207.73.82/32'
        list dest_ip '20.27.177.113/32'
        list dest_ip '20.200.245.247/32'
        list dest_ip '20.233.54.53/32'
        option weekdays 'Mon Tue Wed Thu Fri'
        option enabled '0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'
        option input 'REJECT'

config rule
        option name 'Allow-GUEST-DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-GUEST-DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'wan'

config redirect
        option dest 'wan'
        option target 'DNAT'
        option name 'Guest-DNS-Hijack-Cloudflare'
        option src 'guest'
        option src_dport '53'
        option dest_ip '1.1.1.1'
        list src_mac ''
        list src_mac ''

Looks like you have AGH or something else happening with your downstream router.... I'd look more into the configuration there. I'm not an expert on this aspect, though.

Just stubby - DNS to my downstream router goes via stubby. But I don't think that's what's preventing DNS requests from lan clients on 192.168.1.x from getting DNS responses from 192.168.0.1?

What are your 192.168.1.0/24 hosts using as their DNS? are they sending the queries to 192.168.1.1? (you can check this by looking at the network config on those devices).

Yes they are, but I thought I could just set 192.168.0.1 on a LAN client 192.168.1.x to use the upstream DNS (actually my ISP's DNS)? I tried nslookup from the downstream router 192.168.1.1 via 192.168.0.1 and that works. But not from 192.168.1.x clients. That makes me wonder if it's a firewall issue?

Try disabling dhcp.@dnsmasq[0].localservice on the upstream router.

2 Likes

That looks pretty promising:

So what is currently happening is that a host is sending its dns requests to 192.168.1.1 which in turn will send its requests to whatever that device has specified as the upstream dns (which is being affected by stubby).

In the absense of stubby or any other DNS configurations deviating from the default, your downstream router would simply foward the requests to the DNS advertised by the DHCP server upstream (which would be 192.168.0.1 based on the configuration we have seen). So all requests would simply go 192.168.1.x > 192.168.1.1 > 192.168.0.1 > ISP advertised DNS.

1 Like

Thanks @psherman. Maybe I can check my thinking with you to see if it makes sense. On my downstream router I have stubby set to send DNS requests out via CleanBrowsing Family Filter. Now this works great, but I've noticed that on my Microsoft Office 365 programs sometimes the 'Exchange Front Door' is getting set to an undesirable location (Germany). So my thinking was to make an override for the Microsoft domains on my downstream router that means those domains get sent out to the upstream router (and hence via my ISP's DNS servers). CleanBrowsing is there to block offensive content, but for Office365 I care about getting the best possible routing, and I think my ISP's DNS, Google or Cloudflare may be better for that. Does this seem reasonable?

I see that such selective domain-based DNS forwarding is facilitated in OpenWrt:

@dave14305 I've marked your post as the solution (many thanks!), since this made the requests work (albeit I am still unsure about whether what I have in mind above makes sense). I'd also value any thoughts you may have on the above.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.