Local .in-addr.arpa addresses are exposed publicly

Hi.

OpenWrt 22.03 x86 with WAN DNS recently set to AdGuard DNS (https://adguard-dns.io) for DNS lookups coming directly from my router. The router acts as a local DHCP server and forwards all DNS requests from my local clients to AdGuard Home (installed on the router). I've set up rDNS in AGH to be able to access my devices through a .local domain, with these entries in AGH:

Upstream DNS servers
[/local/]10.36.36.1:5353
[/10.in-addr.arpa/]10.36.36.1:5353
[/ip6.arpa/]10.36.36.1:5353

Private reverse DNS servers
10.36.36.1:5353

Options "use private reverse DNS resolvers" and "enable reverse resolving of clients IP addresses" are both checked. I can access my local devices with the .local domain now, but the problem is that all my local .in-addr.arpa addresses are exposed to AdGuard DNS and spam the logs there every now and then, MOSTLY when the LuCI interface has been refreshed. I don't believe my clients' local IP addresses should be exposed online. I've been fighting it for 2 days now and nothing works. I believe it's an OpenWrt setting, however I can't figure out which setting it is. I've deleted all upstream DNS servers from AGH and left just the one under private reverse DNS servers, and it's still the same, though resolving local domains stopped working.

AdGuard Home says:
"By default, AdGuard Home uses the following reverse DNS resolvers: "127.0.0.1", "::1"."

This is after I manually edited the .yaml file and added my local IP 10.36.36.1 to "private_networks". Before editing, the AdGuard DNS IPs were there. It's still exposing my local clients. I rebooted the machine or restarted the network, adguardhome and dnsmasq services after almost every change.

I feel I'm just wasting my time and I'm out of energy for this.
Does anyone know what I need to set to stop exposing my local clients' IPs online?

hi,

do you have a problem with:

  1. you think rDNS requests are forwarded to an external upstream DNS; or
  2. rDNS requests flooding AGH's log?

in case #1, have you checked in the query log where the rDNS request is actually forwarded to?
in case #2, under Settings / Log configuration there is "Ignored domains" for query log and statistics, so you can add in-addr.arpa to either or both.


I drafted this a day ago but never posted it, hoping someone else understood it better; see below:

  • You're using private IPs, what exposure?
  • Can you explain what you did or why you believe your local IP addresses are "exposed online"?

It's not clear, but I think you're saying that you're observing DNS PTR record queries egressing the WAN for your LAN IPs, correct?

Problem with both. 10.36.36.xxx.in-addr.arpa generated 39k queries in 3 days. They shouldn't even be sent to the external service in the first place, so why should I just hide them? Quoted from the AdGuard wiki:

Since v0.106.0 all the addresses from [private IP ranges] are only resolved via appropriate local resolvers to avoid leaks of clients' information.

In case you do, don't confuse AdGuard Home installed on the router with the external AdGuard DNS service (linked in the first post). Which query log? AGH? Yes, whenever I do a ping from a client to the router or from a client to another client, all requests and responses show up in the AGH query log, with DNS server 10.36.36.1:5353 (my router). At this point, nothing is sent anywhere outside of my local network.

I've tracked this down to LuCI. As soon as I log in, all .in-addr.arpa local addresses of clients currently connected with a static IP configured in LuCI's Static Leases are sent to the external AdGuard DNS service, and it just keeps sending them while I'm logged in. I logged in just for a moment, 20-30 seconds, and every connected client was exposed to AGD 5 times. 5 clients, 25 queries.
No problem with being logged into SSH at the same time. It stopped sending when I logged out.

Looked a bit more at it now. When "refreshing" in LuCI is paused, nothing is sent to AGD. As soon as it's switched back from paused to refreshing, it keeps flooding.

I've also discovered that my WAN gateway and static WAN IP appear in the logs too, as reversed_ip.in-addr.arpa, e.g. 1.34.64.83 and 99.34.64.83.in-addr.arpa (not my WAN IP, just an example).

The dnsmasq uci option boguspriv should prevent private reverse lookups from being forwarded to upstream DNS. Is it disabled in /etc/config/dhcp?

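As an added standalone check, not code from this thread, OpenWrt or AdGuard Home: with `option logqueries '1'` as in the OP's /etc/config/dhcp, dnsmasq writes a `query[PTR] ... from ...` and a `forwarded ... to ...` line per lookup, and this script parses constructed sample lines in that format and flags PTR names for private (RFC 1918 / ULA) addresses that went to a non-private upstream, which is exactly the forwarding boguspriv is meant to stop. The sample log lines, the addresses in them and the function names are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines in dnsmasq's log-queries format (not taken from the thread).
# 10.36.36.10 and fd0e:958:2107::1 stand in for LAN/ULA hosts; 94.140.14.x is the public upstream.
ULA_PTR = ipaddress.ip_address("fd0e:958:2107::1").reverse_pointer
SAMPLE_LOG = f"""\
Jul  3 12:39:30 dnsmasq[1]: query[PTR] 10.36.36.10.in-addr.arpa from 10.36.36.1
Jul  3 12:39:30 dnsmasq[1]: forwarded 10.36.36.10.in-addr.arpa to 94.140.14.49
Jul  3 12:39:30 dnsmasq[1]: query[PTR] 11.36.36.10.in-addr.arpa from 10.36.36.1
Jul  3 12:39:30 dnsmasq[1]: forwarded 11.36.36.10.in-addr.arpa to 10.36.36.1#5353
Jul  3 12:39:31 dnsmasq[1]: query[PTR] {ULA_PTR} from 10.36.36.1
Jul  3 12:39:31 dnsmasq[1]: forwarded {ULA_PTR} to 94.140.14.49
Jul  3 12:39:32 dnsmasq[1]: query[PTR] 83.64.34.99.in-addr.arpa from 10.36.36.1
Jul  3 12:39:32 dnsmasq[1]: forwarded 83.64.34.99.in-addr.arpa to 94.140.14.59
"""

FORWARDED_RE = re.compile(r"forwarded (\S+) to (\S+)")


def ptr_name_to_ip(name):
    """Turn an in-addr.arpa / ip6.arpa name back into an address; None if it is not one."""
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.ip_address(".".join(reversed(labels[:-2])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(reversed(labels[:-2]))  # 32 hex digits, most significant first
            return ipaddress.ip_address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        pass
    return None


def find_leaked_ptr(log_text):
    """Return (ptr_name, address, upstream) for private-range PTR lookups sent to a public upstream."""
    leaks = []
    for line in log_text.splitlines():
        match = FORWARDED_RE.search(line)
        if not match:
            continue
        name, upstream = match.groups()
        addr = ptr_name_to_ip(name)
        if addr is None or not addr.is_private:
            continue  # not a reverse lookup, or a public address: forwarding it is expected
        if not ipaddress.ip_address(upstream.split("#")[0]).is_private:
            leaks.append((name, str(addr), upstream))
    return leaks
```

Run it over `logread | grep dnsmasq` output instead of SAMPLE_LOG to audit a live router; anything it returns is a private address whose PTR left the LAN.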

any chance to share your /etc/config/network, /etc/config/dhcp and /etc/resolv.conf? please obscure any sensitive data.

I guess you have a DNS loop.

if I understand your setup correctly, I would do it differently:

  1. announce AGH as the DNS resolver for clients (via DHCP option, and/or bind AGH to the default port 53 instead of the router's DNS server (dnsmasq)),
  2. use the router's DNS for PTR as the private reverse resolver, as you do now (or use AGH as the DHCP server), and
  3. set the router's DNS target to whatever upstream server.


cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0e:0958:2107::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth2'
        list ports 'eth3'
        option bridge_empty '1'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option netmask '255.255.255.0'
        list ipaddr '10.36.36.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '94.140.14.49'
        list dns '94.140.14.59'
        option hostname '*'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option peerdns '0'
        list dns '2620:fe::fe'
        list dns '2a10:50c0::ad1:ff'
        option reqprefix 'auto'
        option reqaddress 'try'

cat /etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option localise_queries '1'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option ednspacket_max '1232'
    option cachesize '1000'
    option port '5353'
    option noresolv '1'
    list server '10.36.36.1'
    option rebind_protection '0'
    option logdhcp '1'
    option logqueries '1'
    option logfacility '/logs/dhcp.log'
    option local '/local/'
    option domain 'local'
    option localservice '0'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '24h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'
    list dns 'fd0e:958:2107::1'
    list dhcp_option '3,10.36.36.1'
    list dhcp_option '6,10.36.36.1'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

config host
    option name 'client_name'
    option dns '1'
    option mac 'client_mac'
    option ip '10.36.36.10'

(config host repeated x20 for devices with a static IP)

cat /etc/resolv.conf

# Interface wan
nameserver 94.140.14.49
nameserver 94.140.14.59

I've just set this, since I noticed that I didn't have this setting:

uci set dhcp.@dnsmasq[0].boguspriv='1' && uci commit
service dnsmasq restart
service network restart

Re-linked my new static WAN IP address in AG DNS, waited 30 seconds, no .arpa; logged into LuCI, 5 seconds and 10 entries appeared; stopped "refresh" in LuCI, no entries; started "refresh" and it keeps spamming.

With dnsmasq listening on 5353, all queries are going to AGH first, not dnsmasq, so that suggestion turned out to be useless. You need a solution from AGH.

OK, but with resolv.conf pointing to Adguard DNS, you need localuse to point /etc/resolv.conf to 127.0.0.1.

All my clients go via AdGuard Home. When the adguardhome service is stopped, no one can access the internet. Only the router/OpenWrt has internet access then.

I've had a problem with this AGH thing in the past. All clients via AGH could reach the internet, however the router itself couldn't, and couldn't e.g. download opkg packages or run a curl script for DDNS. I then changed noresolv in /etc/config/dhcp from 0 to 1 and the router's internet access started to work. Before I did that, I could see "search lan" (before I switched the domain to local) and on the next line 127.0.0.1, but as I said, the router couldn't connect to the internet.

I don’t use AGH, but does it listen on 127.0.0.1:53, and accept queries from 127.0.0.1?

netstat -nltup | grep ":53 "
tcp        0      0 10.36.36.1:53           0.0.0.0:*               LISTEN      3057/AdGuardHome
udp        0      0 10.36.36.1:53           0.0.0.0:*                           3057/AdGuardHome

Is there a place to define bind_hosts in the AGH gui, or can you post your /etc/adguardhome.yaml

Yes, there is, in the config file.

For accessing web:

bind_host: 10.36.36.1
bind_port: 8080

For dns:

dns:
  bind_hosts:
    - 10.36.36.1
  port: 53

I've already tried changing both or each of them to 127.0.0.1, but then the interface won't start and clients can't access the internet.

Does this work?

dns:
  bind_hosts:
    - 10.36.36.1
    - 127.0.0.1
  port: 53

What I can see is that 127.0.0.1 localhost appeared in the AdGuard Home query log immediately, with 4 openwrt.pool.ntp.org responses from 4 IP addresses, processed. Nothing about it in the AdGuard DNS query log. I pinged openwrt.org from the router and entries appeared in the AGD logs but not in AGH. Manually syncing NTP from the router goes to AGD too, however.

Syslog:

Mon Jul  3 12:09:45 2023 daemon.err AdGuardHome[6397]: 2023/07/03 10:09:45.555349 [info] dnsproxy: creating udp server socket 10.36.36.1:53
Mon Jul  3 12:09:45 2023 daemon.err AdGuardHome[6397]: 2023/07/03 10:09:45.555430 [info] dnsproxy: listening to udp://10.36.36.1:53
Mon Jul  3 12:09:45 2023 daemon.err AdGuardHome[6397]: 2023/07/03 10:09:45.555435 [info] dnsproxy: creating udp server socket 127.0.0.1:53
Mon Jul  3 12:09:45 2023 daemon.err AdGuardHome[6397]: 2023/07/03 10:09:45.555463 [info] dnsproxy: listening to udp://127.0.0.1:53
Mon Jul  3 12:09:45 2023 daemon.err AdGuardHome[6397]: 2023/07/03 10:09:45.555472 [info] dnsproxy: creating tcp server socket 10.36.36.1:53
Mon Jul  3 12:09:45 2023 daemon.err AdGuardHome[6397]: 2023/07/03 10:09:45.555502 [info] dnsproxy: listening to tcp://10.36.36.1:53
Mon Jul  3 12:09:45 2023 daemon.err AdGuardHome[6397]: 2023/07/03 10:09:45.555512 [info] dnsproxy: creating tcp server socket 127.0.0.1:53
Mon Jul  3 12:09:45 2023 daemon.err AdGuardHome[6397]: 2023/07/03 10:09:45.555536 [info] dnsproxy: listening to tcp://127.0.0.1:53
Mon Jul  3 12:09:45 2023 daemon.err AdGuardHome[6397]: 2023/07/03 10:09:45.555729 [info] dnsproxy: entering tcp listener loop on 127.0.0.1:53
Mon Jul  3 12:09:45 2023 daemon.err AdGuardHome[6397]: 2023/07/03 10:09:45.555742 [info] dnsproxy: entering udp listener loop on 127.0.0.1:53
Mon Jul  3 12:09:45 2023 daemon.err AdGuardHome[6397]: 2023/07/03 10:09:45.555756 [info] dnsproxy: entering tcp listener loop on 10.36.36.1:53
Mon Jul  3 12:09:45 2023 daemon.err AdGuardHome[6397]: 2023/07/03 10:09:45.555796 [info] dnsproxy: entering udp listener loop on 10.36.36.1:53

Did you revert the noresolv setting in /etc/config/dhcp? Or, what’s in /etc/resolv.conf now?


I did it just now. After the change to noresolv 0, /etc/resolv.conf looks like this:

search local
nameserver 127.0.0.1
nameserver ::1

Now all PTR entries go to AGH instead of AGD and spam the query log there instead. However, all local addresses are rewritten under the 127.0.0.1 localhost "client" as PTR from system hosts, but the WAN IP and WAN gateway IP.in-addr.arpa are processed by one of the upstreams set in AGH's public upstreams. Pinging openwrt.org from the router goes to AGH now too.

Nothing goes to the AdGuard DNS now. Sure, I can skip that.

Jul  3 12:39:24 dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Jul  3 12:39:24 dnsmasq[1]: using nameserver 10.36.36.1#53
Jul  3 12:39:24 dnsmasq[1]: using nameserver 94.140.14.49#53
Jul  3 12:39:24 dnsmasq[1]: using nameserver 94.140.14.59#53

These AGD DNS servers moved from /etc/resolv.conf to syslog instead. Are they needed? I can't see in the AGD logs that they're resolving anything.

Is there a way of stopping LuCI auto-refresh? I've tried different options in both /etc/config/luci and uhttpd and restarted the uhttpd service after every change, but none of them has worked so far. Nothing about it in the wiki.