DNSCrypt + DNSMasq randomly stops working

Hi there,

I'm in a bit of a predicament; I really want to use DNSCrypt as I know that in the UK DNS queries are monitored, filtered and often blocked.
However, since I installed DNSCrypt + DNSMasq on my OpenWrt 21.02.2 r1 I've been experiencing random DNS failures.

I cannot pinpoint what it is that is failing; all the information I have ATM is the following:

  • DNS queries take forever and eventually fail
  • I am running DNSCrypt with DNSMasq on internal interfaces only
  • I've used the DSA tutorial for DNSCrypt to the letter, no deviations or anything.

The problem is most frequently solved by me changing the DNSCrypt Resolver. Most often just doing that fixes the issue. The issue seems to appear every 48 hours or so, making me think it's a space or memory issue.

Going through logread doesn't really tell me anything useful. The only hint of an issue comes from dnsmasq, which keeps spamming the same message over and over:

daemon.warn dnsmasq[5495]: possible DNS-rebind attack detected:

Making me wonder if that's the source of the issue.
When the issue does arise, no client can access anything. The router itself has the following issues.

If I try pinging without an explicit IP (which does work) then I get:

ping google.com
ping: bad address 'google.com'

If I try to do a lookup, I get:

nslookup openwrt.org 127.0.0.1
;; connection timed out; no servers could be reached

root@InnerRouter:~# nslookup openwrt.org
;; connection timed out; no servers could be reached

However, the servers are configured and running AFAIK:

root@InnerRouter:~# head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
==> /etc/resolv.conf <==
#nameserver 8.8.8.8

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

(Notice the I/O error?)

And I believe that the DNSCrypt-proxy is configured to run at 127.0.0.1#5253 and DNS-Masq runs at 53 and forwards them.

How can I go about finding what is happening, why this keeps consistently happening and how to fix it? I really don't want to give up on DNSCrypt! Any help is much appreciated!

This means a private IP address is being given by a public upstream DNS server as an answer. You can stop this warning by turning off DNS Rebind protection. It's enabled by default for safety.

1 Like
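What that warning is actually testing, as an added example that is not part of this thread and not dnsmasq's own code: a Python approximation of the rebind filter (the address classes it refuses, the handling of rebind_localhost and the UCI rebind_domain exemption are my assumptions about dnsmasq's behaviour), plus a counter for the warning lines so you can see which names trigger it. The sample logread lines are constructed.

```python
import ipaddress
import re

# Constructed sample logread lines (not the poster's log); the name after the
# colon is the part the quoted warning above was truncated at.
SAMPLE_LOG = """\
daemon.warn dnsmasq[5495]: possible DNS-rebind attack detected: example-a.test
daemon.warn dnsmasq[5495]: possible DNS-rebind attack detected: example-b.test
daemon.warn dnsmasq[5495]: possible DNS-rebind attack detected: example-a.test
daemon.info dnsmasq[5495]: query[A] openwrt.org from 192.168.2.10
"""

WARN_RE = re.compile(r"possible DNS-rebind attack detected: (\S+)")

def rebind_warnings(log_text):
    """Count rebind warnings per name, so the upstream answers for those names can be checked."""
    counts = {}
    for m in WARN_RE.finditer(log_text):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def is_rebind_address(ip, rebind_localhost=True):
    """Assumed model of the address classes rebind protection refuses from an
    upstream: RFC 1918/ULA, link-local and unspecified; loopback only when
    rebind_localhost (dnsmasq's rebind-localhost-ok) is off."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return not rebind_localhost
    return addr.is_private or addr.is_link_local or addr.is_unspecified

def filter_answer(name, addresses, rebind_protection=True,
                  rebind_localhost=True, rebind_domains=()):
    """Return (addresses passed to the client, warning or None) for one answer.
    rebind_domains models the UCI rebind_domain list, which exempts a domain
    and its subdomains from the check."""
    exempt = any(name == d or name.endswith("." + d) for d in rebind_domains)
    if not rebind_protection or exempt:
        return list(addresses), None
    if any(is_rebind_address(a, rebind_localhost) for a in addresses):
        # the reply is discarded rather than handed to the client with the private address
        return [], "possible DNS-rebind attack detected: " + name
    return list(addresses), None
```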

This is a directory, head will not work.

This should not be empty, or the router doesn't know where to query. Leave it as nameserver 127.0.0.1
For the rest, it would help to show the configs.

uci export dhcp ; uci export dnscrypt
2 Likes

Hi there!

This is interesting:

uci export dnscrypt
uci: Entry not found

DHCP:

uci export dhcp
package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option ednspacket_max '1232'
        option logqueries '0'
        option noresolv '1'
        option localuse '1'
        option localservice '1'
        option resolvfile '/etc/resolv-crypt.conf'
        option allservers '0'
        list server '127.0.0.1#5253'
        list server '/pool.ntp.org/8.8.8.8'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'isolated'
        option interface 'isolated'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'devlan'
        option interface 'devlan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'pubface'
        option interface 'pubface'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'holly'
        option interface 'holly'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'GUESTS'
        option interface 'GUESTS'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'MediaNet'
        option interface 'MediaNet'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'IoT'
        option interface 'IoT'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

Then it goes on to list specific IPs and hostnames which I won't put here.
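A small check over output in the `uci export dhcp` format, as an added example that is not from this thread or from OpenWrt: it parses the export into sections and reports how the dnsmasq section is wired to the dnscrypt-proxy listener. The embedded excerpt is constructed from the dnsmasq options posted above, the listener address 127.0.0.1#5253 is taken from the earlier post, and the findings are my reading of the noresolv, resolvfile and server options rather than anything the thread states.

```python
import re
# Constructed excerpt in `uci export dhcp` format (not the poster's full file).
UCI_EXPORT = """\
package dhcp
config dnsmasq
        option noresolv '1'
        option resolvfile '/etc/resolv-crypt.conf'
        list server '127.0.0.1#5253'
        list server '/pool.ntp.org/8.8.8.8'

config dhcp 'lan'
        option interface 'lan'
"""
LINE_RE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Parse a uci export into [(type, name, options)]; `list` keys become lists."""
    sections = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'package' line, blank line or unrecognised syntax
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, value, {}))
        elif kind == "option":
            sections[-1][2][key] = value
        else:
            sections[-1][2].setdefault(key, []).append(value)
    return sections

def check_dnsmasq(sections, listener="127.0.0.1#5253"):
    """Findings on how dnsmasq reaches the DNSCrypt listener (assumed address)."""
    findings = []
    for stype, _, opts in sections:
        if stype != "dnsmasq":
            continue
        servers = opts.get("server", [])
        general = [s for s in servers if not s.startswith("/")]
        if listener not in general:
            findings.append("no forwarder points at the DNSCrypt listener " + listener)
        if opts.get("noresolv") == "1" and "resolvfile" in opts:
            findings.append("noresolv=1, so resolvfile %s is never read" % opts["resolvfile"])
        for s in servers:
            if s.startswith("/"):
                findings.append(s + " is forwarded in clear text, not through DNSCrypt")
        if len(general) == 1:
            findings.append("only one general upstream (%s): if it stops answering, lookups time out" % general[0])
    return findings
```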

I'm guessing you saw some config host stanzas, correct?
Have you previously created anything here?

I wasn't sure if you noted it as an issue, or you're just describing your DHCP config file. Hope this information helps.

Question...does resolution of the listed host names stop too when you're having the issue?

I don't seem to have that version of LuCI, but I suppose you mean setting hostnames? I do have static leases, and I have added some hostnames to some of those IPs just to make it easier to work with the connecting devices. I am describing my DHCP config file, yes; no, it's not an issue AFAIK, I just would rather not put it in public.

1 Like

OK.

When you have DNS issues, can you still perform lookups on the names you created?

I haven't tried it TBH. What I did try and was surprised to find was that if I specified the WAN's Gateway IP for resolution, they worked. For example:

root@InnerRouter:~# nslookup openwrt.org 192.168.1.254
Server:         192.168.1.254
Address:        192.168.1.254#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1
root@InnerRouter:~# nslookup openwrt.org 192.168.2.1
Server:         192.168.2.1
Address:        192.168.2.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1
root@InnerRouter:~# nslookup openwrt.org 127.0.0.1
;; connection timed out; no servers could be reached

Bear in mind I have two WAN (192.168.1.254 and 192.168.2.1).

1 Like

Yes, correct. That's the location your DNS settings should be - on the connection with actual Internet access.

(Also, most consumer gateway routers have a DNS server/resolver installed.)

Use dnscrypt-proxy2; dnscrypt-proxy is unmaintained.
Follow this wiki to set it up properly.

1 Like

Did I follow an outdated guide?
This is the one I used: https://openwrt.org/docs/guide-user/services/dns/dnscrypt_dnsmasq_dnscrypt-proxy

Yes, that is outdated; dnscrypt-proxy is unmaintained. dnscrypt-proxy2 is the replacement.

3 Likes
