Making sense of how DNS works on OpenWRT

Hi,

I installed OpenWrt on an old netbook. I'd like it to work as a portable router when I'm travelling. I set its WiFi NIC (a WiFi dongle, actually) as the WAN port and the only ethernet interface it has as the LAN/BR port. I managed to make everything work as I wanted so far.

However, I'm spending a lot of time trying to figure out how exactly the DNS service works on OpenWRT. For the time being, I am practicing and tinkering with it on my home LAN, so OpenWrt gets its WAN IP (192.168.3.99) from my main home router (192.168.3.1). I set 192.168.33.1 as the OpenWRT's LAN IP (LAN subnet 192.168.33.0/24). I even managed to install Adguard and make it filter webpages requested by clients. It seems to be working properly. However, if I run an nslookup it shows my main router IP as the DNS server:

ex: nslookup yahoo.com
       server: 192.168.3.1
       address: 192.168.3.1#53
Non-authoritative answer:
name :yahoo.com
address: 98.137.11.164

....

I want to make sure that the LAN clients use the OpenWrt itself as a DNS server.

Here is my network config:

root@OpenWrt:~#  cat /etc/resolv.conf
search lan
nameserver 127.0.0.1
nameserver ::1
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd06:c52c:f678::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.33.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'
        list dns '9.9.9.9'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '192.168.33.1'

config interface 'wwanmk'
        option proto 'dhcp'
        option peerdns '0'


root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '0'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option noresolv '0'
        option port '54'
        list server '192.168.33.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.33.1'
        list dhcp_option '3,192.168.33.1'
        list dns 'fd06:c52c:f678::1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

So, why does the nslookup command still show my main home router IP 192.168.3.1?
Is there something wrong with my conf files above?

Thanks

If you run the nslookup from the router itself, it will need to use an external DNS server -- usually upstream (in this case the main router as advertised via DHCP), since if it self-referenced, it wouldn't be able to do any lookups. By default, a device connected downstream of your OpenWrt device will use the OpenWrt address via the advertisement from DHCP on OpenWrt.

I executed the nslookup command on a pc connected to the Openwrt, not on the router itself. Thanks

Does this mean your question is now answered?
Or do you mean to say that the previous nslookup you did was on a PC and was using 192.168.3.1 as the DNS server?

Remove the following, they are not needed:

Also add this to use dnsmasq only as a DHCP server.

service dnsmasq stop
uci set dhcp.@dnsmasq[0].localuse="0"
uci set dhcp.@dnsmasq[0].port="0"
uci commit dhcp
service dnsmasq start

I did what you suggested, but I had to add this:

config interface 'wwanmk'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.4.4'

in the /etc/config/network file otherwise the DNS queries from the router itself wouldn't work.
Anyway, the problem with the clients on the LAN side is still there:

ex: nslookup yahoo.com
       server: 192.168.3.1
       address: 192.168.3.1#53
Non-authoritative answer:
name :yahoo.com
address: 98.137.11.164

Also, here is the resolv.conf file now:

root@OpenWrt:~# cat /etc/resolv.conf
# Interface wwanmk
nameserver 1.1.1.1
nameserver 8.8.4.4

I am still not sure what is going on with DNS. My fault, of course.
I also ran Wireshark on the client to catch the dns query:

Thanks

By the way, I connected another PC with Windows 10 running on it to my OpenWrt router. It gets an IP from the OpenWrt, and it can ping IPs like 1.1.1.1, BUT it can't resolve names. Definitely something wrong with the DNS setup.
Nslookup on the Windows machine shows: server: unknown

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
netstat -lnp | grep 53; nslookup openwrt.org 127.0.0.1; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

root@OpenWrt:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> netstat -lnp | grep 53; nslookup openwrt.org 127.0.0.1; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "Intel(R) Atom(TM) CPU N270   @ 1.60GHz",
        "model": "Acer       Aspire one      ",
        "board_name": "acer-aspire-one",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "x86/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd06:c52c:f678::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.33.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wwanmk'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.4.4'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '0'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option noresolv '0'
        option port '54'
        list server '192.168.33.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'wwanmk'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'mypc'
        option src 'wan'
        list src_ip '192.168.3.100'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'Force DNS'
        option src 'lan'
        option src_dport '53'
        option dest_ip '192.168.33.1'
        option dest_port '53'
        option enabled '0'

tcp        0      0 192.168.33.1:53         0.0.0.0:*               LISTEN      1589/AdGuardHome
udp        0      0 192.168.33.1:53         0.0.0.0:*                           1589/AdGuardHome
nslookup: write to '127.0.0.1': Connection refused
;; connection timed out; no servers could be reached

lrwxrwxrwx    1 root     root            16 Nov 14 13:38 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Dec 27 11:07 /tmp/resolv.conf
-rw-r--r--    1 root     root            57 Dec 27 11:04 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            57 Dec 27 11:04 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wwanmk
nameserver 1.1.1.1
nameserver 8.8.4.4

Thank you

First take out everything you've configured related to external DNS servers, and start over. The only place you should have an external DNS server is on the wan interface that is presently in use.

In particular, you're trying (in at least two places) to point at the router's own IP 192.168.33.1 as an external DNS server; clearly that is not going to work.

I see two wwan interfaces, which one is actually used? Get rid of the other one. Where is the 192.168.3 network in relation to all of this? The two Ethernet ports are bridged together. If you're using Ethernet as the wan, it's not actually routing, and it's going to allow DHCP requests from a client on one Ethernet to bridge through to the other one to sometimes (it's a race condition) be answered by the .3 router.

Finally of course if your endpoint client has a DNS server statically configured or the OS is otherwise determined to use a different DNS server, the router can't stop it from making that request.

1 Like

How about this?
Left over from adguard install?
Just guessing

Which part exactly?

Would that be the DNS IPs that OpenWRT uses for itself?

I want my client to point to Adguard installed on Openwrt (192.168.33.1)

As a portable router the WAN would be the wireless interface set as a client
192.168.3.0/24 is my Home LAN subnet

No dns setup on the clients.
Sorry, I am totally new to OpenWRT. I know Mikrotik devices a bit better; setting up the same DNS configuration on them takes me just a few seconds.

Thank you

I think so too, not sure though.

I think you have another thread about this...

I don't know anything about Adguard. First get regular DNS working and understand how it works.

By default, OpenWrt advertises itself as the DNS server for the LAN (and guest lan and iot lan etc if configured). The internal dnsmasq process answers DNS requests sent to the router's IP. If a site is requested that dnsmasq does not know about, dnsmasq looks it up by creating a request from the router to a server outside the router, usually on the wan.

If dnsmasq is to consult another process on the router (such as adguard) it should go to 127.0.0.1 with a port number that process is listening to, which can't be the default 53 since that is where LAN clients expect to find dnsmasq.

Are you using a wireless connection to home now? And there should not be two wwans, just one that you reconfigure to connect to whatever wireless Internet is available as you travel.

1 Like
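The two replies above make the same point from different angles: the only place for an external DNS server is the WAN interface in use, the router's own address is never an upstream, and a second resolver on the router (such as AdGuard) is reached by dnsmasq as 127.0.0.1 on a non-53 port. As an added example (not code from this thread or from OpenWrt), here is a POSIX shell linter that reads a `uci export network; uci export dhcp` style dump and flags exactly those mistakes. The two embedded configs are constructed samples: the "broken" one is modelled on the configuration posted earlier in the thread, the "fixed" one on the replies' advice. Section names, addresses and the port in the loopback special case are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: lint a "uci export network; uci export dhcp" dump for the DNS
# mistakes discussed in this thread. POSIX sh + awk only.
# On a router: { uci export network; uci export dhcp; } | lint_dns_config

lint_dns_config() {
  tr -d "'" | awk '
    $1 == "package" { pkg = $2; next }
    $1 == "config"  { sec = $2; name = (NF >= 3) ? $3 : sec; next }
    NF < 3 { next }
    # network: interface proto, the addresses that ARE this router, dns lists
    pkg == "network" && sec == "interface" {
      if ($2 == "proto")   proto[name] = $3
      if ($2 == "ipaddr")  own[$3] = name
      if ($2 == "peerdns") peerdns[name] = $3
      if ($2 == "dns")     dns[name] = dns[name] " " $3
    }
    # dhcp: dnsmasq listen port and its explicit upstream servers
    pkg == "dhcp" && sec == "dnsmasq" {
      if ($2 == "port")   port = $3
      if ($2 == "server") servers = servers " " $3
    }
    # dhcp pools: the DNS server clients are told to use (option 6)
    pkg == "dhcp" && sec == "dhcp" && ($2 == "dhcp_option" || $2 == "dhcp_option_force") {
      split($3, kv, ","); if (kv[1] == "6") opt6[name] = kv[2]
    }
    END {
      dport = (port == "") ? "53" : port
      n = split(servers, s, " ")
      for (i = 1; i <= n; i++) {
        m = split(s[i], hp, "#"); host = hp[1]; sport = (m > 1) ? hp[2] : "53"
        if ((host in own) && sport == dport)
          printf "FAIL dnsmasq server %s#%s is dnsmasq itself: forwarding loop\n", host, sport
        else if ((host in own) && host != "127.0.0.1")
          printf "WARN dnsmasq server %s is an address of this router (%s); a local resolver is reached as 127.0.0.1#<port>, an upstream lives outside\n", host, own[host]
      }
      for (ifc in dns) {
        if (proto[ifc] == "static")
          printf "WARN interface %s is static (LAN side) but carries upstream DNS servers:%s; they belong on the active WAN interface\n", ifc, dns[ifc]
        n = split(dns[ifc], d, " ")
        for (i = 1; i <= n; i++) if (d[i] in own)
          printf "FAIL interface %s lists %s, i.e. the router itself, as an upstream DNS server\n", ifc, d[i]
      }
      for (ifc in proto)
        if (proto[ifc] == "dhcp" && peerdns[ifc] == "0" && !(ifc in dns))
          printf "FAIL interface %s has peerdns 0 and no dns list: the router itself has no upstream resolver\n", ifc
      if (dport != "53")
        printf "WARN dnsmasq listens on port %s, but LAN clients query port 53 of the address DHCP gives them; something else must answer there\n", dport
      for (ifc in opt6) if (!(opt6[ifc] in own))
        printf "WARN dhcp %s advertises DNS server %s, which is not an address of this router\n", ifc, opt6[ifc]
    }'
}

# Constructed sample modelled on the config posted earlier in this thread.
sample_config_broken() {
cat <<'EOF'
package network
config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.33.1'
        list dns '1.1.1.1'
        list dns '9.9.9.9'
config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '192.168.33.1'
config interface 'wwanmk'
        option proto 'dhcp'
        option peerdns '0'
package dhcp
config dnsmasq
        option port '54'
        list server '192.168.33.1'
config dhcp 'lan'
        option interface 'lan'
        list dhcp_option '6,192.168.33.1'
EOF
}

# Constructed sample following the replies: upstream servers only on the WAN in
# use, dnsmasq on its default port, nothing pointing at the router itself.
sample_config_fixed() {
cat <<'EOF'
package network
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.33.1'
config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '9.9.9.9'
package dhcp
config dnsmasq
config dhcp 'lan'
        option interface 'lan'
        list dhcp_option_force '6,192.168.33.1'
EOF
}

sample_config_broken | lint_dns_config   # prints 2 FAIL and 3 WARN lines
```

Run against the broken sample it reports the wwan interface using 192.168.33.1 as upstream, the wwanmk interface with peerdns 0 and no servers at all, the LAN-side dns list, dnsmasq moved to port 54, and the dnsmasq server entry pointing back at the router; the fixed sample produces no output. A `list server '127.0.0.1#<port>'` entry with a port other than dnsmasq's own is deliberately accepted, since that is the pattern the reply describes for consulting another resolver on the router.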

Ok, but I haven't yet understood what to do and what the problem is about.

Yes, wireless home connection; I'm still practicing with it
The other wifi WAN is disabled now. It is about another WAN setup.

Thanks

I'd recommend that you reset to defaults so that your device is in a known state. Don't do anything with AGH or other DNS solutions for the moment.

Once you've got the default state, create a wwan that is linked with the wan firewall zone, and a corresponding interface and a STA mode wifi configuration to form the uplink.

When that is done, your ethernet connected devices should route through your OpenWrt router and DNS should happen via the OpenWrt router address.

4 Likes

Reset meaning Factory reset?

It sounds strange that this DNS problem can't be fixed somehow, and I need to start from scratch.

Thanks

Well you could, but remote debugging your setup is going to take longer than you starting from scratch.

If you want to force send a certain DNS to clients on DHCP (without them requesting it), use list dhcp_option_force '6,192.168.33.1' in the config dhcp 'lan' section and restart dnsmasq. Release/renew the lease on the client and it should get the proper 192.168.33.1 as DNS server.

1 Like
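The `dhcp_option_force '6,192.168.33.1'` line above ends up on the wire as DHCP option 6 (Domain Name Server, RFC 2132): one type byte, one length byte, then 4 raw bytes per address. Knowing those bytes makes it easy to confirm in a Wireshark capture of the DHCP offer/ack what the client was actually told. The following POSIX shell encoder and decoder is an added example, not code from this thread or from OpenWrt; the addresses and hex strings in it are constructed from the thread's 192.168.33.1 and 1.1.1.1.

```shell
#!/bin/sh
# Added example: encode/decode DHCP option 6 (Domain Name Server, RFC 2132 3.8).
# Wire format: code 0x06, length (4 * number of addresses), each IPv4 address
# as 4 raw bytes in the order the server prefers them.

# Encode the dotted IPv4 addresses given as arguments; prints lowercase hex.
dhcp_option6_hex() {
  [ $# -ge 1 ] && [ $# -le 63 ] || { echo "need 1..63 addresses" >&2; return 1; }
  out=$(printf '06%02x' $(( 4 * $# )))        # length byte is at most 252
  for ip in "$@"; do
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad address: $ip" >&2; return 1; }
    for octet; do
      case $octet in ''|*[!0-9]*) echo "bad octet in $ip" >&2; return 1;; esac
      [ "$octet" -le 255 ] || { echo "octet > 255 in $ip" >&2; return 1; }
    done
    out="$out$(printf '%02x%02x%02x%02x' "$1" "$2" "$3" "$4")"
  done
  printf '%s\n' "$out"
}

# Decode a hex string back to space-separated dotted addresses. Anything that
# is not a well-formed option 6 is rejected rather than guessed at: a length
# byte that does not match the payload is exactly what makes a client misparse
# the rest of the options block.
dhcp_option6_decode() {
  hex=$1
  case $hex in *[!0-9a-fA-F]*|'') echo "not hex" >&2; return 1;; esac
  [ ${#hex} -ge 4 ] || { echo "too short" >&2; return 1; }
  [ "$(printf '%.2s' "$hex")" = "06" ] || { echo "not option 6" >&2; return 1; }
  hex=${hex#??}
  len=$(printf '%d' "0x$(printf '%.2s' "$hex")")
  hex=${hex#??}
  [ "$len" -gt 0 ] && [ $((len % 4)) -eq 0 ] && [ ${#hex} -eq $((len * 2)) ] \
    || { echo "bad length $len for payload of ${#hex} hex digits" >&2; return 1; }
  out=""
  while [ -n "$hex" ]; do
    ip=""
    for i in 1 2 3 4; do
      ip="$ip.$(printf '%d' "0x$(printf '%.2s' "$hex")")"
      hex=${hex#??}
    done
    out="$out ${ip#.}"
  done
  printf '%s\n' "${out# }"
}

dhcp_option6_hex 192.168.33.1 1.1.1.1       # 0608c0a8210101010101
dhcp_option6_decode 0608c0a8210101010101     # 192.168.33.1 1.1.1.1
```

The difference between `dhcp_option` and `dhcp_option_force` is not in these bytes but in whether they are sent at all: dnsmasq only includes a plain option if the client asked for it in its parameter request list, while the forced form is sent regardless, which is why the reply suggests it for a client that is not picking up the router as its resolver.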

Ok, I built a brand new OpenWrt image and installed it on my USB drive, then I modified these options:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option force '1'
        list dhcp_option '6,192.168.73.1'

(yes, my new LAN IP gateway is 192.168.73.1)

If I run an nslookup on the Debian client machine I get:

ex: nslookup yahoo.com
       server: 192.168.3.1
       address: 192.168.3.1#53
Non-authoritative answer:
name :yahoo.com
address: 98.137.11.164

Same problem. However, on a Windows client machine I get instead:

server: Openwrt.lan
Address: [its IPv6 IP]
name: yahoo.com
addresses: [bunch of IPs]

On the OpenWRT itself I get:

Server:		127.0.0.1
Address:	127.0.0.1:53

Non-authoritative answer:
Name:	yahoo.com
Address: 2001:4998:124:1507::f000
Name:	yahoo.com
Address: 2001:4998:44:3507::8000
Name:	yahoo.com
Address: 2001:4998:24:120d::1:1
Name:	yahoo.com
Address: 2001:4998:24:120d::1:0
Name:	yahoo.com
Address: 2001:4998:124:1507::f001
Name:	yahoo.com
Address: 2001:4998:44:3507::8001

Non-authoritative answer:
Name:	yahoo.com
Address: 74.6.231.21
Name:	yahoo.com
Address: 98.137.11.164
Name:	yahoo.com
Address: 74.6.143.25
Name:	yahoo.com
Address: 74.6.143.26

Why? Thanks

As said before, the PC LAN is probably bridged to the .3 network instead of being routed to it. What happens if you disconnect the upstream network entirely, so the only thing the PC has is the OpenWrt router, then restart the PC network and try a DNS query? That will of course fail to find an IP, but what you are looking for is that it uses the OpenWrt router as the server.

Are you doing that just to confuse us? Can you please keep it so the OpenWrt router is 192.168.33.1 and the upstream network 192.168.3.0?

It is unnecessary to add an option 6 advertising the router's own IP. By default, dnsmasq sends option 6 with the router's own IP.