Extremely slow local rDNS/Lan Domain Interception requests

It's taking nearly 10 seconds for DNS requests going from the router itself to itself; dnsmasq is set to port 54 and AGH is running on port 53.

Here is my dhcp config


config dnsmasq
	option authoritative '1'
	option domain 'lan'
	option rebind_protection '0'
	option localservice '0'
	option cachesize '1000'
	option port '54'
	list server '192.168.0.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.0.1'

config host
	list mac '74:DF:BF:5A:B3:41'
	option ip '192.168.0.9'

Device info

processor	: 0
BogoMIPS	: 108.00
Features	: fp asimd evtstrm crc32 cpuid
CPU implementer	: 0x41
CPU architecture: 8
CPU variant	: 0x0
CPU part	: 0xd08
CPU revision	: 3

processor	: 1
BogoMIPS	: 108.00
Features	: fp asimd evtstrm crc32 cpuid
CPU implementer	: 0x41
CPU architecture: 8
CPU variant	: 0x0
CPU part	: 0xd08
CPU revision	: 3

processor	: 2
BogoMIPS	: 108.00
Features	: fp asimd evtstrm crc32 cpuid
CPU implementer	: 0x41
CPU architecture: 8
CPU variant	: 0x0
CPU part	: 0xd08
CPU revision	: 3

processor	: 3
BogoMIPS	: 108.00
Features	: fp asimd evtstrm crc32 cpuid
CPU implementer	: 0x41
CPU architecture: 8
CPU variant	: 0x0
CPU part	: 0xd08
CPU revision	: 3

Hardware	: BCM2835
Revision	: c03114
Serial		: 100000007c7899b3
Model		: Raspberry Pi 4 Model B Rev 1.4

AGH config

http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.0.1:8076
  session_ttl: 720h
users:
  - name: admin
    password: $2a$10$azl3V/b5FSgbCnfKo9u85.TK4nsh7q31OWZqYsN/cCOTPJS8hN8.e
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 192.168.0.1
    - 127.0.0.1
  port: 53
  anonymize_client_ip: false
  ratelimit: 20
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - 8.8.8.8
    - 8.8.4.4
    - '[/lan/]127.0.0.1:54'
    - '[//]127.0.0.1:54'
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  fallback_dns: []
  upstream_mode: parallel
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 192.168.0.1:54
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  dir_path: ""
  ignored: []
  interval: 2160h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: ""
  ignored: []
  interval: 24h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: false
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: UTC
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    ecosia: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites: []
  safe_fs_patterns:
    - /opt/AdGuardHome/userfilters/*
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log:
  enabled: true
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 29

Please post:

ubus call system board
killall -USR1 dnsmasq ; sleep 5 ; logread -e dnsmasq
opkg list-installed adguardhome

It seems you created a DNS forwarding loop, i.e. dnsmasq sends its queries back to AGH and then back again until they time out at the client.

I am using AGH edge, so the last command has no output.

{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.4",
	"board_name": "raspberrypi,4-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
root@OpenWrt:~# killall -USR1 dnsmasq ; sleep 5 ; logread -e dnsmasq

Mon Jan 20 19:44:03 2025 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Mon Jan 20 19:44:10 2025 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Mon Jan 20 19:44:20 2025 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Mon Jan 20 20:02:45 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.0.171 3c:58:c2:c0:99:3c
Mon Jan 20 20:02:45 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.0.171 3c:58:c2:c0:99:3c
Mon Jan 20 20:04:06 2025 daemon.info dnsmasq[1]: time 1737403446
Mon Jan 20 20:04:06 2025 daemon.info dnsmasq[1]: cache size 1000, 0/6 cache insertions re-used unexpired cache entries.
Mon Jan 20 20:04:06 2025 daemon.info dnsmasq[1]: queries forwarded 16883, queries answered locally 5337
Mon Jan 20 20:04:06 2025 daemon.info dnsmasq[1]: pool memory in use 192, max 288, allocated 2400
Mon Jan 20 20:04:06 2025 daemon.info dnsmasq[1]: child processes for TCP requests: in use 0, highest since last SIGUSR1 0, max allowed 20.
Mon Jan 20 20:04:06 2025 daemon.info dnsmasq[1]: server 192.168.0.1#53: queries sent 24410, retried 16335, failed 84, nxdomain replies 2, avg. latency 2141ms

It is just a loop. 1/3 of requests from AGH hit it back via dnsmasq. dnsmasq is supposed to serve only the lan. domain for AGH.

I see. How did you figure that out?

Since it's on port 54 now, shouldn't it only be handling .lan ones (set in the upstream DNS server list)?

Why would this be happening?

Kind of not many numbers in your post

Right, but why is it happening?

Please provide information?

https://forum.openwrt.org/t/how-to-updated-2021-installing-adguardhome-on-openwrt-manual-and-opkg-method

According to that.

I didn't use the normal AGH package since it loses data on reboot and the edge version uses a persistent location out of the box.

Which part says dnsmasq should query agh?

Sorry? I am not very knowledgeable, but ideally, none?

I don't want to interact with dnsmasq at all, besides the lan domain interception and getting DHCP assignments via rDNS.

I don't understand what you mean by that.

dnsmasq has only one upstream server, AGH, which then queries it back. Remove the misconfiguration on either and you'll be fine. I have no clue what rDNS is.
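Added example, not from the thread or from either project: a small Python checker that reads the UCI `config dnsmasq` block and the AGH `dns:` listener/upstream settings posted above and reports dnsmasq `server` entries that land on an AGH listener, which is the loop diagnosed in the two replies above (dnsmasq on 54 forwarding to 192.168.0.1, where AGH listens on 53). The inputs are constructed from the configs in the thread; the function names and the line-matching parser (no UCI or YAML library assumed) are mine.

```python
"""Detect an AGH <-> dnsmasq forwarding loop from the two configs in this thread.
Added example, not part of the forum thread or of either project."""
import re

# Constructed inputs, copied from the dnsmasq block and AGH 'dns:' section posted above.
DNSMASQ_UCI = """config dnsmasq
\toption port '54'
\tlist server '192.168.0.1'
"""
AGH_DNS = {"bind_hosts": ["192.168.0.1", "127.0.0.1"], "port": 53,
           "upstream_dns": ["8.8.8.8", "8.8.4.4", "[/lan/]127.0.0.1:54", "[//]127.0.0.1:54"],
           "local_ptr_upstreams": ["192.168.0.1:54"]}

def parse_uci_dnsmasq(text):
    """Return (listen_port, [server specs]) from a UCI 'config dnsmasq' section."""
    port, servers = 53, []          # 53 is dnsmasq's default when 'option port' is absent
    for line in text.splitlines():
        m = re.match(r"\s*(option|list)\s+(\w+)\s+'([^']*)'", line)
        if not m:
            continue
        _, key, val = m.groups()
        if key == "port":
            port = int(val)
        elif key == "server":
            servers.append(val)
    return port, servers

def split_hostport(spec, default_port):
    """'192.168.0.1#53' (UCI) or '[/lan/]127.0.0.1:54' (AGH) -> (host, port)."""
    spec = re.sub(r"^\[[^\]]*\]", "", spec)     # drop AGH domain prefix such as [/lan/]
    spec = re.sub(r"^(/[^/]*/)+", "", spec)     # drop dnsmasq domain prefix such as /lan/
    m = re.match(r"^([\d.]+)(?:[#:](\d+))?$", spec)
    if not m:
        return spec, default_port               # IPv6 or hostname: left unparsed
    return m.group(1), int(m.group(2) or default_port)

def find_forwarding_loops(agh, dnsmasq_uci):
    """dnsmasq 'server' entries that point at an AGH listener while AGH forwards to dnsmasq."""
    dm_port, dm_servers = parse_uci_dnsmasq(dnsmasq_uci)
    listeners = {(h, agh["port"]) for h in agh["bind_hosts"]}
    wildcard = "0.0.0.0" in agh["bind_hosts"]  # AGH bound on every address
    # Only a loop if AGH actually hands queries to dnsmasq's port (lan/, PTR or catch-all).
    agh_to_dnsmasq = any(split_hostport(u, 53)[1] == dm_port
                         for u in agh["upstream_dns"] + agh["local_ptr_upstreams"])
    if not agh_to_dnsmasq:
        return []
    loops = []
    for spec in dm_servers:
        host, port = split_hostport(spec, 53)
        if (host, port) in listeners or (wildcard and port == agh["port"]):
            loops.append(spec)
    return loops
```

On the posted configs it reports `192.168.0.1`: dnsmasq's only upstream is AGH's port 53 listener, which is the path the `server 192.168.0.1#53 ... retried 16335` stats line above is counting.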

In the dhcp file, change option localservice '0' to '1' (the default value), then reboot.
0 (disabled) means dnsmasq won't respond to DNS queries sent from the router itself, breaking functionality.

Unfortunately it's the same thing.

But that's required, no? For lan domain interception and rDNS.

https://openwrt.org/docs/guide-user/services/dns/adguard-home#lan_domain_interception

Since it's on the non-normal port, i.e. 54, wouldn't all queries go to AGH, which is running on the normal 53? Or is that not how it works?

Your AGH, acquired from somewhere else, is misconfigured. Refer to their documentation.

Mate, I have configured it word for word via the official OpenWrt wiki.

https://openwrt.org/docs/guide-user/services/dns/adguard-home

In fact I haven't done any configuring besides the rDNS and lan domain interception, and that too from the wiki.

Can you elaborate on that?

Yeah!

So, according to the AGH page on the OpenWrt wiki,

I added

[/lan/]127.0.0.1:54
[//]127.0.0.1:54

as upstream servers so my .lan requests are passed on to dnsmasq.

From the wiki
"Adding the following to the Upstream DNS Server configuration will intercept any LAN domain request or requests without a FQDN and pass those requests to the appropriate resolver, which is most likely your OpenWrt router but it doesn't have to be.

The default LAN domain configured by OpenWrt is “lan”, but if you have configured your own domain, you can use this in the example code below:

(127.0.0.1) local loopback is used here to enable statistics tracking but you may also use your router ip (192.168.1.1) here too."