Dnsmasq fails to resolve SOME addresses

I'm getting DNS_PROBE_FINISHED_NXDOMAIN for several well-known domains (e.g., reddit.com) when accessing them from inside the LAN.

The same happens if I attempt to access LuCI on the router itself by name, which is in the hosts file; LuCI works fine if I type in the IP directly.

Can someone point me in the right direction? What am I missing here?

Config below. Thanks!

~# ubus call system board
{
	"kernel": "6.6.30",
	"hostname": "equinox0.internal.andrewperry.io",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r26253-d03b567b66",
		"target": "mediatek/mt7622",
		"description": "OpenWrt SNAPSHOT r26253-d03b567b66"
	}
}

~# cat /etc/config/network

# /etc/config/network: a single bridge (br-lan) carrying four VLANs.
# VLAN 11 = lan (10.1.0.0/24), 21 = work (172.16.122.0/24),
# 31 = guest (172.16.123.0/24), 41 = iot (172.16.124.0/24).
# lan4 is a tagged trunk for all four; lan2 and lan3 are untagged access ports.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# ULA prefix; the `ip6assign '64'` interfaces below presumably take a /64
	# from this (and from the henet /48) -- confirm with `ifstatus <iface>`.
	option ula_prefix 'fdd7:e4e8:ec93::/48'
	option packet_steering '2'
	option steering_flows '128'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# Trusted/management VLAN. This is the only zone with `input ACCEPT` in
# /etc/config/firewall, so LuCI and SSH on 10.1.0.1 are reachable from here only.
config interface 'lan'
	option device 'br-lan.11'
	option proto 'static'
	option ipaddr '10.1.0.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

config interface 'wan'
	# PPPoE on VLAN 201 of the wan port; credentials are redacted in the paste.
	option device 'wan.201'
	option proto 'pppoe'
	option username '***redacted***'
	option password '***redacted***'
	# Native IPv6 is off on the PPPoE session; IPv6 comes in over the 6in4 tunnel below.
	option ipv6 '0'

# 6in4 tunnel (the name suggests Hurricane Electric). Tunnel address and the
# routed /48 are masked with #### in the paste; credentials redacted.
config interface 'henet'
	option proto '6in4'
	option peeraddr '184.105.250.46'
	option ip6addr '2001:####:####:####::2/64'
	list ip6prefix '2001:####:####::/48'
	option tunnelid '***redacted***'
	option username '***redacted***'
	option password '***redacted***'

# Bridge VLAN table: `:u*` = untagged + PVID, `:t` = tagged.
config bridge-vlan
	option device 'br-lan'
	option vlan '11'
	# NOTE(review): lan1 carries no `:u*` suffix, unlike lan2. If an untagged
	# device is meant to plug into lan1, confirm it still lands on VLAN 11.
	list ports 'lan1'
	list ports 'lan2:u*'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '21'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '31'
	list ports 'lan4:t'

# lan3 is a dedicated untagged IoT port.
config bridge-vlan
	option device 'br-lan'
	option vlan '41'
	list ports 'lan3:u*'
	list ports 'lan4:t'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.31'
	option ipaddr '172.16.123.1'
	option netmask '255.255.255.0'
	# NOTE(review): `type 'bridge'` on an interface that already sits on a
	# br-lan VLAN looks like a leftover; the other VLAN interfaces do without it.
	option type 'bridge'
	option ip6assign '64'

config interface 'work'
	option proto 'static'
	option device 'br-lan.21'
	option ipaddr '172.16.122.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.41'
	option ipaddr '172.16.124.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

~# cat /etc/config/wireless

# /etc/config/wireless: every SSID uses WPA2/WPA3 transitional mode
# (sae-mixed); only the guest SSID also isolates clients from each other.
# All keys are redacted in the paste.
config wifi-device 'radio0'
	option type 'mac80211'
	option phy 'wl0'
	option cell_density '2'
	option country 'US'
	option htmode 'HT40'
	option band '2g'
	option channel 'auto'

# 'apollo' = trusted lan VLAN, on both bands (radio0 here, radio1 below).
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'apollo'
	option encryption 'sae-mixed'
	option key '***redacted***'

config wifi-device 'radio1'
	option type 'mac80211'
	option phy 'wl1'
	option cell_density '2'
	option country 'US'
	option htmode 'HE160'
	option band '5g'
	option channel 'auto'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'apollo'
	option encryption 'sae-mixed'
	option key '***redacted***'
	option network 'lan'

# 'vesta' = guest VLAN, both bands. `isolate '1'` blocks client-to-client
# traffic through the AP, which matches the guest zone's REJECT posture.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'vesta'
	option encryption 'sae-mixed'
	option isolate '1'
	option key '***redacted***'
	option network 'guest'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'vesta'
	option encryption 'sae-mixed'
	option isolate '1'
	option key '***redacted***'
	option network 'guest'

# 'vulcan' = iot VLAN, 2.4 GHz only.
# NOTE(review): no `isolate '1'` here, so IoT devices can reach each other
# over the air even though the firewall keeps them off the other zones.
config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'vulcan'
	option encryption 'sae-mixed'
	option key '***redacted***'
	option network 'iot'

# 'ceres' = work VLAN, both bands (also without client isolation).
config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid 'ceres'
	option encryption 'sae-mixed'
	option key '***redacted***'
	option network 'work'

config wifi-iface 'wifinet6'
	option device 'radio1'
	option mode 'ap'
	option ssid 'ceres'
	option encryption 'sae-mixed'
	option key '***redacted***'
	option network 'work'

~# cat /etc/config/dhcp

# /etc/config/dhcp: dnsmasq is the DNS forwarder and DHCPv4 server for every
# VLAN; odhcpd only handles DHCPv6/RA (maindhcp '0' below).
#
# NOTE(review): none of the resolver settings here apply to a client whose
# browser has its own DNS-over-HTTPS ("Secure DNS") resolver enabled -- that
# client never asks this dnsmasq, so names that exist only here (the
# `config domain` entry, hosts with dns '1') come back NXDOMAIN in the browser
# while other applications on the same machine work. The thread's outcome is
# consistent with this; verify on the client rather than here.
config dnsmasq
	# Never forward dot-less names upstream.
	option domainneeded '1'
	option localise_queries '1'
	# Discard upstream answers that point into private address space (DNS
	# rebinding protection); rebind_localhost additionally permits 127.0.0.0/8.
	option rebind_protection '1'
	option rebind_localhost '1'
	# The internal domain is answered from hosts/leases only and never forwarded.
	option local '/internal.***redacted***.io/'
	option domain 'internal.***redacted***.io'
	# Also serve <name>.<domain> for plain names from /etc/hosts.
	option expandhosts '1'
	option add_local_fqdn '3'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# Upstream servers are whatever the WAN provisioning writes here --
	# presumably the ISP's resolvers, as a reply in the thread suggests.
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# Only answer queries that arrive from directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'
	# DNSSEC validation is on. A validation failure surfaces as SERVFAIL, not
	# NXDOMAIN, and it relies on the upstream resolvers in resolvfile passing
	# the needed records; worth checking if only a subset of domains fails.
	option dnssec '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	# DHCP option 42 = NTP server, option 6 = DNS server; both point at the
	# router's own address on this VLAN (same pattern in every pool below).
	list dhcp_option '42,10.1.0.1'
	list dhcp_option '6,10.1.0.1'
	list domain 'internal.***redacted***.io'
	list ntp 'fdd7:e4e8:ec93::1'
	list ntp '2001:####:####:1::1'
	option ra_useleasetime '1'
	option ra_default '1'

# No DHCP service on the WAN side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	# 0 = odhcpd does DHCPv6/RA only; dnsmasq keeps DHCPv4.
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Guest clients receive a different search domain (guest.) than the other pools.
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '42,172.16.123.1'
	list dhcp_option '6,172.16.123.1'
	option ra 'server'
	option dhcpv6 'server'
	list domain 'guest.***redacted***.io'
	list ntp 'fdd7:e4e8:ec93::1'
	list ntp '2001:####:####:1::1'
	option ra_useleasetime '1'
	option ra_default '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'work'
	option interface 'work'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '42,172.16.122.1'
	list dhcp_option '6,172.16.122.1'
	option ra 'server'
	option dhcpv6 'server'
	list domain 'internal.***redacted***.io'
	# NOTE(review): these v6 NTP addresses (…:2::1) differ from every other
	# pool (…::1 / …:1::1), and `ra_default` is absent here only -- confirm
	# both are deliberate.
	list ntp 'fdd7:e4e8:ec93:2::1'
	list ntp '2001:####:####:2::1'
	option ra_useleasetime '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '42,172.16.124.1'
	list dhcp_option '6,172.16.124.1'
	option ra 'server'
	option dhcpv6 'server'
	list domain 'internal.***redacted***.io'
	list ntp '2001:####:####:1::1'
	list ntp 'fdd7:e4e8:ec93::1'
	option ra_useleasetime '1'
	option ra_default '1'

# Static leases. `dns '1'` additionally publishes the name in DNS. The two
# 172.16.124.x addresses below are the ones the firewall's per-device IoT
# egress rules key on, so these reservations must stay in sync with them.
config host
	option name 'nest-t'
	option dns '1'
	list mac '***redacted***'
	option ip '172.16.124.166'

config host
	option name 'printer1'
	option duid '***redacted***'
	list mac '***redacted***'
	option ip '10.1.0.182'
	option dns '1'

config host
	option name 'S380HB'
	option ip '172.16.124.216'
	# NOTE(review): `option mac` here vs `list mac` in the other entries --
	# both appear to be accepted, but worth making consistent.
	option mac '***redacted***'

config host
	option name 'cam-k'
	option ip '172.16.124.247'
	list mac '***redacted***'

# Static A record for the router's lan address -- the name used to reach LuCI
# from the trusted VLAN. It is answered locally, so rebind protection does not
# apply to it; an NXDOMAIN for this name means the query never reached dnsmasq.
config domain
	option name '***edge-router-lan-if***'
	option ip '10.1.0.1'

~# cat /etc/config/firewall

# /etc/config/firewall. Zone model: lan is fully trusted (input/forward ACCEPT);
# wan, guest, work and iot all reject input and forwarding by default and get
# only the explicit forwardings and rules listed further down. Rule order
# matters here, so sections are left in their original sequence.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	# Drop packets conntrack cannot attribute to a known flow.
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	# NOTE(review): no interface named 'wan6' exists in the /etc/config/network
	# shown above (the PPPoE wan has ipv6 '0'); presumably harmless, but stale.
	list network 'wan6'
	# The 6in4 tunnel is treated as untrusted, like the native WAN.
	list network 'henet'

# lan may initiate to wan; return traffic rides on conntrack.
config forwarding
	option src 'lan'
	option dest 'wan'

# The following WAN input rules look like the stock OpenWrt defaults
# (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec ESP/ISAKMP).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# These two forward IPsec (ESP and IKE on UDP 500) from wan into lan.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Isolated VLANs: no access to the router and no forwarding beyond the
# explicit rules below. None of them can reach lan or each other.
config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'work'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'work'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

# Trusted hosts may reach IoT devices; there is no reverse forwarding, so
# iot cannot initiate towards lan.
config forwarding
	option src 'lan'
	option dest 'iot'

# guest and work get unrestricted internet. Note this also lets clients there
# use outside resolvers (DoH/DoT); nothing here forces them through dnsmasq.
config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'work'
	option dest 'wan'

# Isolated VLANs may talk to the router itself only for DNS (53), DHCPv4
# (67/68) and DHCPv6 (547). No `proto` means TCP and UDP; no `dest` makes
# these input rules.
# NOTE(review): the DHCP pools advertise the router as NTP server (option
# 42), but UDP 123 is not in this list, so NTP from guest/work to the router
# is rejected unless something not shown allows it -- confirm whether a time
# service is meant to run on the router.
config rule
	option name 'Allow-guest-DHCP+DNS'
	option src 'guest'
	option dest_port '53 67 68 547'
	option target 'ACCEPT'

config rule
	option name 'Allow-work-DHCP+DNS'
	option src 'work'
	option dest_port '53 67 68 547'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-DHCP+DNS'
	option src 'iot'
	option dest_port '53 67 68 547'
	option target 'ACCEPT'

# Every IoT device may reach any internet host on TCP 443; anything else
# leaving iot needs one of the per-device rules below.
config rule
	option name 'Allow-IoT-https'
	list proto 'tcp'
	option src 'iot'
	option dest 'wan'
	option dest_port '443'
	option target 'ACCEPT'

# Transparently redirects all UDP 123 (NTP) from the IoT VLAN to the router's
# own IoT address, whichever server the device asked for.
# NOTE(review): whether a time service listens on 172.16.124.1:123 and whether
# that redirected traffic is accepted on input is not visible in this config.
config redirect
	option target 'DNAT'
	option name 'Nest NTP'
	list proto 'udp'
	option src 'iot'
	option src_dport '123'
	option dest_ip '172.16.124.1'
	option dest_port '123'

# Per-device IoT egress. These key on the source IP, so they are only as
# stable as the static leases in /etc/config/dhcp (nest-t = .166,
# S380HB = .216); whatever host holds that address inherits the allowance.
# cam-k (.247) has no rule here and so only gets the zone-wide TCP 443.
config rule
	option name 'Allow-NEST-Thermostat'
	option src 'iot'
	list src_ip '172.16.124.166'
	option dest 'wan'
	# No proto/port restriction: the thermostat gets full internet access.
	option target 'ACCEPT'

config rule
	option name 'Allow-eufy-UDP'
	list proto 'udp'
	option src 'iot'
	list src_ip '172.16.124.216'
	option dest 'wan'
	# Entire unprivileged UDP range; narrow it if the device's real ports are known.
	option dest_port '1025-65535'
	option target 'ACCEPT'

config rule
	option name 'Allow-eufy-TCP'
	list proto 'tcp'
	option src 'iot'
	list src_ip '172.16.124.216'
	option dest 'wan'
	option dest_port '443 5061 12306 12308'
	option target 'ACCEPT'
~# opkg info dnsmasq-full
Package: dnsmasq-full
Version: 2.90-r2
Depends: libc, libubus20231128, libnettle8, libnetfilter-conntrack3, nftables-json
Provides: dnsmasq
Status: install user installed
Architecture: aarch64_cortex-a53
Conffiles:
 /etc/config/dhcp a3ab720d8cd674dced9d6c22963a900e700480d9e666285c52c0cf0a418ba5bb
 /etc/dnsmasq.conf 1e6ab19c1ae5e70d609ac7b6246541d52042e4dee1892f825266507ef52d7dfd
Installed-Time: 1715292574

Looks like you are using the DNS servers from your ISP. I would enable logging on dnsmasq, then watch the messages and see who is giving that answer.


Also make sure your browser actually uses your DNS and hosts file.


@eduperez , @frollic - Thank you!

Turns out the issue was unrelated to OpenWrt. Chrome did some weird thing with DNS internally. No other application or kind of traffic was affected.

Appreciate your insights.