Dnsmasq ignoring replies from upstream dns servers

Hello fellow WRTers,

I'm facing a problem I can't debug further, hence I hope someone is able to point me in the right direction.

I have multiple sites with OpenWRT routers connected together via site-to-site Wireguard tunnels.
Each site has its own local DNS domain (e.g. k.lan, jj.lan, ...).

I'm trying to set up dns forwarding for those specific domains, but there's something not right here:

As you can see below, drill works just fine:

root@jj-router:~# drill @192.168.15.1 k-router.k.lan.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 11897
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; k-router.k.lan.      IN      A

;; ANSWER SECTION:
k-router.k.lan. 5       IN      A       192.168.10.1

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 21 msec
;; SERVER: 192.168.15.1
;; WHEN: Mon May 13 20:54:59 2024
;; MSG SIZE  rcvd: 48

Here's a tcpdump excerpt from the wg interface connecting the 2 sites; all looks good:

20:54:59.625834 IP (tos 0x0, ttl 64, id 22042, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.45.1.39396 > 192.168.15.1.53: [udp sum ok] 11897+ A? k-router.k.lan. (32)
20:54:59.626127 IP (tos 0x0, ttl 64, id 38989, offset 0, flags [none], proto UDP (17), length 76)
    192.168.45.2.53 > 192.168.45.1.39396: [bad udp cksum 0xdb9d -> 0x7e32!] 11897 q: A? k-router.k.lan. 1/0/0 k-router.k.lan. A 192.168.10.1 (48)

Unfortunately, resolving this domain using dnsmasq does not work:

root@jj-router:~# nslookup k-router.k.lan.
;; connection timed out; no servers could be reached

In tcpdump, you can see the query packets, as well as the replies coming back:

20:54:14.806957 IP (tos 0x0, ttl 64, id 18746, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.45.1.45710 > 192.168.15.1.53: [udp sum ok] 18153+ A? k-router.k.lan. (32)
20:54:14.807140 IP (tos 0x0, ttl 64, id 35187, offset 0, flags [none], proto UDP (17), length 76)
    192.168.45.2.53 > 192.168.45.1.45710: [bad udp cksum 0xdb9d -> 0x4d18!] 18153 q: A? k-router.k.lan. 1/0/0 k-router.k.lan. A 192.168.10.1 (48)
20:54:14.807651 IP (tos 0x0, ttl 64, id 18747, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.45.1.55789 > 192.168.15.1.53: [udp sum ok] 46120+ AAAA? k-router.k.lan. (32)
20:54:14.807785 IP (tos 0x0, ttl 64, id 35188, offset 0, flags [none], proto UDP (17), length 88)
    192.168.45.2.53 > 192.168.45.1.55789: [bad udp cksum 0xdba9 -> 0x5596!] 46120 q: AAAA? k-router.k.lan. 1/0/0 k-router.k.lan. AAAA <censored>:fe::1 (60)
20:54:17.309963 IP (tos 0x0, ttl 64, id 18777, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.45.1.45710 > 192.168.15.1.53: [udp sum ok] 18153+ A? k-router.k.lan. (32)
20:54:17.310219 IP (tos 0x0, ttl 64, id 35301, offset 0, flags [none], proto UDP (17), length 76)
    192.168.45.2.53 > 192.168.45.1.45710: [bad udp cksum 0xdb9d -> 0x4d18!] 18153 q: A? k-router.k.lan. 1/0/0 k-router.k.lan. A 192.168.10.1 (48)
20:54:17.310280 IP (tos 0x0, ttl 64, id 18778, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.45.1.55789 > 192.168.15.1.53: [udp sum ok] 46120+ AAAA? k-router.k.lan. (32)
20:54:17.310448 IP (tos 0x0, ttl 64, id 35302, offset 0, flags [none], proto UDP (17), length 88)
    192.168.45.2.53 > 192.168.45.1.55789: [bad udp cksum 0xdba9 -> 0x5596!] 46120 q: AAAA? k-router.k.lan. 1/0/0 k-router.k.lan. AAAA <censored>:fe::1 (60)
20:54:19.813093 IP (tos 0x0, ttl 64, id 18923, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.45.1.45710 > 192.168.15.1.53: [udp sum ok] 18153+ A? k-router.k.lan. (32)
20:54:19.813093 IP (tos 0x0, ttl 64, id 18924, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.45.1.55789 > 192.168.15.1.53: [udp sum ok] 46120+ AAAA? k-router.k.lan. (32)
20:54:19.813355 IP (tos 0x0, ttl 64, id 35318, offset 0, flags [none], proto UDP (17), length 76)
    192.168.45.2.53 > 192.168.45.1.45710: [bad udp cksum 0xdb9d -> 0x4d18!] 18153 q: A? k-router.k.lan. 1/0/0 k-router.k.lan. A 192.168.10.1 (48)
20:54:19.813381 IP (tos 0x0, ttl 64, id 35319, offset 0, flags [none], proto UDP (17), length 88)
    192.168.45.2.53 > 192.168.45.1.55789: [bad udp cksum 0xdba9 -> 0x5596!] 46120 q: AAAA? k-router.k.lan. 1/0/0 k-router.k.lan. AAAA <censored>:fe::1 (60)
20:54:22.315784 IP (tos 0x0, ttl 64, id 18931, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.45.1.45710 > 192.168.15.1.53: [udp sum ok] 18153+ A? k-router.k.lan. (32)
20:54:22.315909 IP (tos 0x0, ttl 64, id 18932, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.45.1.55789 > 192.168.15.1.53: [udp sum ok] 46120+ AAAA? k-router.k.lan. (32)
20:54:22.316135 IP (tos 0x0, ttl 64, id 35531, offset 0, flags [none], proto UDP (17), length 76)
    192.168.45.2.53 > 192.168.45.1.45710: [bad udp cksum 0xdb9d -> 0x4d18!] 18153 q: A? k-router.k.lan. 1/0/0 k-router.k.lan. A 192.168.10.1 (48)
20:54:22.316163 IP (tos 0x0, ttl 64, id 35532, offset 0, flags [none], proto UDP (17), length 88)
    192.168.45.2.53 > 192.168.45.1.55789: [bad udp cksum 0xdba9 -> 0x5596!] 46120 q: AAAA? k-router.k.lan. 1/0/0 k-router.k.lan. AAAA <censored>:fe::1 (60)

In the dnsmasq log, you can see it recognizes it should use a special nameserver for the domain in question, as well as that it's sending requests to the correct server:

Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: started, version 2.86 cachesize 150
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Mon May 13 20:55:28 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.40.100 -- 192.168.40.249, lease time 1h
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using nameserver 192.168.15.1#53 for domain k.lan
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for jj.lan
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using nameserver 192.168.15.1#53 for domain k.lan
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using nameserver 195.146.128.62#53
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using nameserver 195.146.132.58#53
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for jj.lan
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 10 addresses
Mon May 13 20:55:28 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 addresses
Mon May 13 20:55:28 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Mon May 13 20:55:31 2024 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Mon May 13 20:55:31 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 10 addresses
Mon May 13 20:55:31 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 addresses
Mon May 13 20:55:31 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Mon May 13 20:55:50 2024 daemon.info dnsmasq[1]: 25 127.0.0.1/33044 query[A] k-router.k.lan from 127.0.0.1
Mon May 13 20:55:50 2024 daemon.info dnsmasq[1]: 25 127.0.0.1/33044 forwarded k-router.k.lan to 192.168.15.1
Mon May 13 20:55:50 2024 daemon.info dnsmasq[1]: 26 127.0.0.1/33044 query[AAAA] k-router.k.lan from 127.0.0.1
Mon May 13 20:55:50 2024 daemon.info dnsmasq[1]: 26 127.0.0.1/33044 forwarded k-router.k.lan to 192.168.15.1
Mon May 13 20:55:52 2024 daemon.info dnsmasq[1]: 28 127.0.0.1/33044 query[A] k-router.k.lan from 127.0.0.1
Mon May 13 20:55:52 2024 daemon.info dnsmasq[1]: 28 127.0.0.1/33044 forwarded k-router.k.lan to 192.168.15.1
Mon May 13 20:55:52 2024 daemon.info dnsmasq[1]: 29 127.0.0.1/33044 query[AAAA] k-router.k.lan from 127.0.0.1
Mon May 13 20:55:52 2024 daemon.info dnsmasq[1]: 29 127.0.0.1/33044 forwarded k-router.k.lan to 192.168.15.1
Mon May 13 20:55:55 2024 daemon.info dnsmasq[1]: 31 ::1/47055 query[A] k-router.k.lan from ::1
Mon May 13 20:55:55 2024 daemon.info dnsmasq[1]: 31 ::1/47055 forwarded k-router.k.lan to 192.168.15.1
Mon May 13 20:55:55 2024 daemon.info dnsmasq[1]: 32 ::1/47055 query[AAAA] k-router.k.lan from ::1
Mon May 13 20:55:55 2024 daemon.info dnsmasq[1]: 32 ::1/47055 forwarded k-router.k.lan to 192.168.15.1
Mon May 13 20:55:57 2024 daemon.info dnsmasq[1]: 33 ::1/47055 query[A] k-router.k.lan from ::1
Mon May 13 20:55:57 2024 daemon.info dnsmasq[1]: 33 ::1/47055 forwarded k-router.k.lan to 192.168.15.1
Mon May 13 20:55:57 2024 daemon.info dnsmasq[1]: 34 ::1/47055 query[AAAA] k-router.k.lan from ::1
Mon May 13 20:55:57 2024 daemon.info dnsmasq[1]: 34 ::1/47055 forwarded k-router.k.lan to 192.168.15.1

...however, there's no mention of any reply arriving back.
I'm not sure why, but it seems to me replies are ignored (as above, using drill, everything looks fine from the network perspective).

Any idea what might be wrong, why dnsmasq is ignoring replies?

I've already tried to turn off dnsmasq's rebind protection just in case, it did not help.

Thanks a lot!

root@jj-router:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='22.03.2'
DISTRIB_REVISION='r19803-9a599fee93'
DISTRIB_TARGET='ath79/generic'
DISTRIB_ARCH='mips_24kc'
DISTRIB_DESCRIPTION='OpenWrt 22.03.2 r19803-9a599fee93'
DISTRIB_TAINTS=''

You did not specify, but I assume you have added the domain and the IP address of the server which should be used to resolve it, e.g.:
server=/k.lan/ip-address-DNSserver-off-k.lan

I think you need to disable rebind protection, or better, use:
rebind-domain-ok=k.lan

Furthermore, the DNS server of k.lan should listen on all interfaces (or at least include the WG interface).

Ah, forgot to paste the config. Here it is:

root@jj-router:~# cat /etc/config/dhcp
config dnsmasq
        option localise_queries '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option domain 'jj.lan'
        option local '/jj.lan/'
        list server '/k.lan/192.168.15.1'
        option domainneeded '1'
        option rebind_protection '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

The remote DNS server listens, as you can see in either the drill test or the provided tcpdumps.

As said in my original post, I've tried to turn off rebind protection, but to no avail :frowning:

Nevertheless, I've tested the rebind-domain-ok option as well:

root@jj-router:~# cat /var/etc/dnsmasq.conf.cfg01411c
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
enable-ubus=dnsmasq
expand-hosts
bind-dynamic
local-service
edns-packet-max=1232
domain=jj.lan
local=/jj.lan/
server=/k.lan/192.168.15.1
addn-hosts=/tmp/hosts
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.d/resolv.conf.auto
stop-dns-rebind
rebind-domain-ok=k.lan
dhcp-broadcast=tag:needs-broadcast
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq

dhcp-ignore-names=tag:dhcp_bogus_hostname
conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf

The result is the same:

Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: started, version 2.86 cachesize 150
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Tue May 14 09:45:53 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.40.100 -- 192.168.40.249, lease time 1h
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using nameserver 192.168.15.1#53 for domain k.lan
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for jj.lan
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using nameserver 192.168.15.1#53 for domain k.lan
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using nameserver 195.146.128.62#53
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using nameserver 195.146.132.58#53
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: using only locally-known addresses for jj.lan
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 10 addresses
Tue May 14 09:45:53 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 addresses
Tue May 14 09:45:53 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Tue May 14 09:45:56 2024 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Tue May 14 09:45:56 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 10 addresses
Tue May 14 09:45:56 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 addresses
Tue May 14 09:45:56 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Tue May 14 09:46:00 2024 daemon.info dnsmasq[1]: 1 127.0.0.1/51480 query[A] k-router.k.lan from 127.0.0.1
Tue May 14 09:46:00 2024 daemon.info dnsmasq[1]: 1 127.0.0.1/51480 forwarded k-router.k.lan to 192.168.15.1
Tue May 14 09:46:00 2024 daemon.info dnsmasq[1]: 2 127.0.0.1/51480 query[AAAA] k-router.k.lan from 127.0.0.1
Tue May 14 09:46:00 2024 daemon.info dnsmasq[1]: 2 127.0.0.1/51480 forwarded k-router.k.lan to 192.168.15.1
Tue May 14 09:46:05 2024 daemon.info dnsmasq[1]: 23 ::1/39596 query[A] k-router.k.lan from ::1
Tue May 14 09:46:05 2024 daemon.info dnsmasq[1]: 23 ::1/39596 forwarded k-router.k.lan to 192.168.15.1
Tue May 14 09:46:05 2024 daemon.info dnsmasq[1]: 24 ::1/39596 query[AAAA] k-router.k.lan from ::1
Tue May 14 09:46:05 2024 daemon.info dnsmasq[1]: 24 ::1/39596 forwarded k-router.k.lan to 192.168.15.1
Tue May 14 09:46:08 2024 daemon.info dnsmasq[1]: 25 ::1/39596 query[A] k-router.k.lan from ::1
Tue May 14 09:46:08 2024 daemon.info dnsmasq[1]: 25 ::1/39596 forwarded k-router.k.lan to 192.168.15.1
Tue May 14 09:46:08 2024 daemon.info dnsmasq[1]: 26 ::1/39596 query[AAAA] k-router.k.lan from ::1
Tue May 14 09:46:08 2024 daemon.info dnsmasq[1]: 26 ::1/39596 forwarded k-router.k.lan to 192.168.15.1

It looks like dnsmasq is forwarding the query to 192.168.15.1.
Why 192.168.15.1 does not answer I cannot tell. Can you reach it from the router? Is there actually a DNS server listening on the WG interface?

Please have a look at the tcpdumps I've provided in my post above: the remote DNS server is sending replies back.
I can also get the results using drill installed on jj-router, so network-wise, connectivity is fine.

Here's a screenshot from Wireshark (in case you prefer this rather than tcpdump output):

@egc your question helped :slight_smile:

As seen in either the tcpdumps or the Wireshark screenshot, dnsmasq is forwarding the query to 192.168.15.1 (the "main" interface of the remote router), but receiving the answer from 192.168.45.2 (the IP address of the wg interface connecting the sites).

Usually that's not a problem for most software, but apparently dnsmasq does not like to get the answer from a different IP...

I've reconfigured dnsmasq to forward queries to 192.168.45.2, and it works:

root@jj-router:~# nslookup k-router.k.lan.
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:

Non-authoritative answer:
Name:   k-router.k.lan
Address: <censored>:fe::1
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: started, version 2.86 cachesize 150
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Tue May 14 11:11:36 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.40.100 -- 192.168.40.249, lease time 1h
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using nameserver 192.168.45.2#53 for domain k.lan
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for jj.lan
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using nameserver 192.168.45.2#53 for domain k.lan
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using nameserver 195.146.128.62#53
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using nameserver 195.146.132.58#53
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: using only locally-known addresses for jj.lan
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 10 addresses
Tue May 14 11:11:36 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 addresses
Tue May 14 11:11:36 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Tue May 14 11:11:39 2024 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Tue May 14 11:11:39 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 10 addresses
Tue May 14 11:11:39 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 addresses
Tue May 14 11:11:39 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Tue May 14 11:11:53 2024 daemon.info dnsmasq[1]: 23 127.0.0.1/47456 query[A] k-router.k.lan from 127.0.0.1
Tue May 14 11:11:53 2024 daemon.info dnsmasq[1]: 23 127.0.0.1/47456 forwarded k-router.k.lan to 192.168.45.2
Tue May 14 11:11:53 2024 daemon.info dnsmasq[1]: 24 127.0.0.1/47456 query[AAAA] k-router.k.lan from 127.0.0.1
Tue May 14 11:11:53 2024 daemon.info dnsmasq[1]: 24 127.0.0.1/47456 forwarded k-router.k.lan to 192.168.45.2
Tue May 14 11:11:53 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: k-router.k.lan
Tue May 14 11:11:53 2024 daemon.info dnsmasq[1]: 24 127.0.0.1/47456 reply k-router.k.lan is 2a02:130:102:fe::1

...as dnsmasq's rebind protection kicked in, so I've also updated its configuration:

root@jj-router:~# grep rebind_domain /etc/config/dhcp
        list rebind_domain 'k.lan'
root@jj-router:~# grep rebind-domain-ok /var/etc/dnsmasq.conf.cfg01411c
rebind-domain-ok=k.lan

...and that's it, it works now!

root@jj-router:~# nslookup k-router.k.lan.
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   k-router.k.lan
Address: 192.168.10.1

Non-authoritative answer:
Name:   k-router.k.lan
Address: <censored>:fe::1
Tue May 14 11:12:27 2024 daemon.info dnsmasq[1]: started, version 2.86 cachesize 150
Tue May 14 11:12:27 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Tue May 14 11:12:27 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Tue May 14 11:12:27 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Tue May 14 11:12:27 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.40.100 -- 192.168.40.249, lease time 1h
Tue May 14 11:12:27 2024 daemon.info dnsmasq[1]: using nameserver 192.168.45.2#53 for domain k.lan
Tue May 14 11:12:27 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Tue May 14 11:12:27 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Tue May 14 11:12:27 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Tue May 14 11:12:27 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Tue May 14 11:12:27 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Tue May 14 11:12:27 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Tue May 14 11:12:27 2024 daemon.info dnsmasq[1]: using only locally-known addresses for jj.lan
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: using nameserver 192.168.45.2#53 for domain k.lan
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: using nameserver 195.146.128.62#53
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: using nameserver 195.146.132.58#53
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: using only locally-known addresses for jj.lan
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 10 addresses
Tue May 14 11:12:28 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 addresses
Tue May 14 11:12:28 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Tue May 14 11:12:41 2024 daemon.info dnsmasq[1]: 23 127.0.0.1/41540 query[A] k-router.k.lan from 127.0.0.1
Tue May 14 11:12:41 2024 daemon.info dnsmasq[1]: 23 127.0.0.1/41540 forwarded k-router.k.lan to 192.168.45.2
Tue May 14 11:12:41 2024 daemon.info dnsmasq[1]: 24 127.0.0.1/41540 query[AAAA] k-router.k.lan from 127.0.0.1
Tue May 14 11:12:41 2024 daemon.info dnsmasq[1]: 24 127.0.0.1/41540 forwarded k-router.k.lan to 192.168.45.2
Tue May 14 11:12:41 2024 daemon.info dnsmasq[1]: 23 127.0.0.1/41540 reply k-router.k.lan is 192.168.10.1
Tue May 14 11:12:41 2024 daemon.info dnsmasq[1]: 24 127.0.0.1/41540 reply k-router.k.lan is 2a02:130:102:fe::1
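
Editor's note, an added example rather than anything posted in the thread: both things that bit here can be spotted straight from the tcpdump output, without waiting for a reply line in the dnsmasq log. dnsmasq matches an upstream reply to the server it forwarded the query to by source address and port, so an answer arriving from 192.168.45.2 when the query went to 192.168.15.1 is discarded (that is deliberate; accepting answers from whatever address replies would make injected answers trivial), and with stop-dns-rebind active an RFC 1918 answer is dropped unless the queried name is under a rebind-domain-ok domain. The script below pairs each query with its reply by client port and transaction ID and applies those two checks. The sample lines are constructed: the first two exchanges are the payload lines from the capture in the thread (with the censored IPv6 answer replaced by the one dnsmasq logged later), the last two are an invented exchange sent directly to 192.168.45.2 to show the accepted case. The private-range test is an approximation of dnsmasq's own list, an assumption rather than its source.

```python
"""Pair DNS queries with their replies in `tcpdump -v` output and flag the two
conditions under which dnsmasq silently drops an upstream answer:
  1. the reply comes from a different address/port than the one the query was
     forwarded to (dnsmasq matches replies to servers by source address), and
  2. the answer is a private address, stop-dns-rebind is active and the queried
     name is not under any rebind-domain-ok domain.
The sample is constructed (see the note above); it is not the thread's capture.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

IPV4 = r"\d+\.\d+\.\d+\.\d+"

# Query payload line, e.g.
#   192.168.45.1.45710 > 192.168.15.1.53: [udp sum ok] 18153+ A? k-router.k.lan. (32)
QUERY_RE = re.compile(
    rf"^\s*(?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): "
    r"\[[^\]]*\] (?P<txid>\d+)\+ (?P<qtype>A|AAAA)\? (?P<qname>\S+) \(\d+\)$"
)
# Reply payload line, e.g.
#   192.168.45.2.53 > 192.168.45.1.45710: [bad udp cksum ...] 18153 q: A? k-router.k.lan. 1/0/0 k-router.k.lan. A 192.168.10.1 (48)
# The RR part is absent on empty answers; tcpdump may print header flags such
# as "*" (AA) directly after the transaction ID.
REPLY_RE = re.compile(
    rf"^\s*(?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): "
    r"\[[^\]]*\] (?P<txid>\d+)[*$|-]* q: (?P<qtype>A|AAAA)\? (?P<qname>\S+) "
    r"\d+/\d+/\d+ (?:\S+ (?:A|AAAA) (?P<answer>\S+) )?\(\d+\)$"
)


@dataclass
class Verdict:
    txid: int
    qtype: str
    qname: str
    sent_to: str        # "address#port" the query was forwarded to
    answered_by: str    # "address#port" the reply actually came from
    answer: Optional[str]
    dropped_reason: Optional[str]   # None means dnsmasq would accept the reply

    @property
    def accepted(self) -> bool:
        return self.dropped_reason is None


def is_rebind_blocked(addr_text: str) -> bool:
    """Approximation (assumption) of the address test behind stop-dns-rebind:
    private, loopback and link-local ranges are rejected. dnsmasq keeps its own
    explicit range list; check the source of your version if the edge matters."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return True     # unparsable answer: be conservative
    return addr.is_private or addr.is_loopback or addr.is_link_local


def in_domain(qname: str, domains) -> bool:
    """True if qname equals or sits under one of the given domains."""
    name = qname.rstrip(".").lower()
    return any(name == d.lower() or name.endswith("." + d.lower()) for d in domains)


def analyse(lines, rebind_ok=(), stop_dns_rebind=True):
    """One Verdict per reply that matches an outstanding query. Lines that are
    not query/reply payload lines (the IP header lines of tcpdump -v) are skipped."""
    pending = {}    # (client addr, client port, txid) -> query match
    verdicts = []
    for line in lines:
        q = QUERY_RE.match(line)
        if q:
            pending[(q["src"], q["sport"], q["txid"])] = q
            continue
        r = REPLY_RE.match(line)
        if not r:
            continue
        q = pending.get((r["dst"], r["dport"], r["txid"]))
        if q is None:
            continue    # no outstanding query with this ID: a resolver drops it too
        sent_to = f'{q["dst"]}#{q["dport"]}'
        answered_by = f'{r["src"]}#{r["sport"]}'
        reason = None
        if sent_to != answered_by:
            reason = f"reply from {answered_by} but query was forwarded to {sent_to}"
        elif (stop_dns_rebind and r["answer"] and is_rebind_blocked(r["answer"])
              and not in_domain(r["qname"], rebind_ok)):
            reason = f'answer {r["answer"]} is private and {r["qname"]} is not under rebind-domain-ok'
        verdicts.append(Verdict(int(r["txid"]), r["qtype"], r["qname"],
                                sent_to, answered_by, r["answer"], reason))
    return verdicts


# Constructed sample: thread capture lines first, then an invented exchange to 192.168.45.2.
SAMPLE_LINES = """\
20:54:14.806957 IP (tos 0x0, ttl 64, id 18746, offset 0, flags [DF], proto UDP (17), length 60)
    192.168.45.1.45710 > 192.168.15.1.53: [udp sum ok] 18153+ A? k-router.k.lan. (32)
    192.168.45.2.53 > 192.168.45.1.45710: [bad udp cksum 0xdb9d -> 0x4d18!] 18153 q: A? k-router.k.lan. 1/0/0 k-router.k.lan. A 192.168.10.1 (48)
    192.168.45.1.55789 > 192.168.15.1.53: [udp sum ok] 46120+ AAAA? k-router.k.lan. (32)
    192.168.45.2.53 > 192.168.45.1.55789: [bad udp cksum 0xdba9 -> 0x5596!] 46120 q: AAAA? k-router.k.lan. 1/0/0 k-router.k.lan. AAAA 2a02:130:102:fe::1 (60)
    192.168.45.1.41540 > 192.168.45.2.53: [udp sum ok] 7013+ A? k-router.k.lan. (32)
    192.168.45.2.53 > 192.168.45.1.41540: [udp sum ok] 7013 q: A? k-router.k.lan. 1/0/0 k-router.k.lan. A 192.168.10.1 (48)
    192.168.45.1.41541 > 192.168.45.2.53: [udp sum ok] 8120+ AAAA? k-router.k.lan. (32)
    192.168.45.2.53 > 192.168.45.1.41541: [udp sum ok] 8120 q: AAAA? k-router.k.lan. 1/0/0 k-router.k.lan. AAAA 2a02:130:102:fe::1 (60)
""".splitlines()

if __name__ == "__main__":
    for v in analyse(SAMPLE_LINES, rebind_ok=("k.lan",)):
        state = "accepted" if v.accepted else f"DROPPED: {v.dropped_reason}"
        print(f"{v.txid:>5} {v.qtype:<4} {v.qname} -> {v.answer}: {state}")
```

Feed it `tcpdump -vni <wg-iface> udp port 53` output; run once with an empty `rebind_ok` to reproduce the "possible DNS-rebind attack detected" case, and once with `rebind_ok=("k.lan",)` to confirm the fixed configuration. Reply matching stays strict on purpose: loosening it to "any address on the tunnel" would reintroduce the spoofing window that dnsmasq's check closes.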

Interesting: using a Windows client or Android, it does not matter whether you use the router's address or the WG address.

Not sure if this is a dnsmasq problem or the router classifying this traffic as "invalid".

For the record, do you have filtering of invalid traffic enabled? (Under Firewall, General Settings defaults.)

Anyway glad it is solved :slight_smile:

Nope, that one is turned off.
I'm quite sure it's a dnsmasq thing, as on the same router drill works just fine.
