Using netbird w/ dnsmasq by wehagy
I'm glad to hear that my reply on GitHub was helpful to someone!
I'm using a similar config for DNS, and from what I can see, your setup allows `netbird` to function only for the `*.netbird.cloud` domain; at the same time, you need to prevent DNS leaks to ensure that your DNS server is enforced.

My config is `dnsmasq` --> `netbird` --> custom DNS. The custom DNS is managed through the `netbird` dashboard, and I assume you're familiar with how to set this up. In my case, I have a server running Pi-hole to block ads, utilizing EDNS0 and a recursive DNS server, all configured with internal routes through `netbird`. However, that's a topic for another day...

If I'm not mistaken, by default, `netbird` tries to run the DNS server on port `53` at the same IP as the internal WireGuard interface (`wt0`), which falls within the range of `100.127.0.1` to `100.127.255.254`. If that fails, it attempts `127.0.0.1`, and if that also fails, it gives up. It will always give up because, in OpenWrt, port `53` is already occupied by `dnsmasq`. To resolve this, modify the file `/etc/netbird/config.json` to ensure that the changes are persistent:

```json
[...]
"CustomDNSAddress": "127.0.0.1:5335",
[...]
```

The `127.0.0.1` is mandatory because it is the IP address where the `netbird` DNS server will listen. The `:5335` is the port, which can be any arbitrary number, except for `:53`, which is the default port where the `dnsmasq` DNS server listens.

Why is `127.0.0.1` mandatory? Sometimes, `dnsmasq` and `netbird` fight for the `/etc/resolv.conf` file. `/etc/resolv.conf` is responsible, put simply, for informing OpenWrt about the DNS server. This file does not support custom ports, only IP addresses. If, for some reason, this file is changed to an arbitrary address from `netbird`, it is better for it to match the one from `dnsmasq` to ensure that OpenWrt does not lose domain name resolution.

Now add or change the values in the file `/etc/config/dhcp`:

```
config dnsmasq
	[...]
	# Disable the use of the ISP's DNS server to effectively enable split DNS.
	option noresolv '1'
	# Prioritize the `list server` entries from top to bottom, this is good to have.
	option strictorder '1'
	# The two `arpa` entries may have some side effects;
	# here I'm limiting the resolution of local addresses to be local only,
	# without making requests to upstream servers.
	# This is for reference, but in my case, if not configured, it can become annoying.
	list server '/in-addr.arpa/'
	list server '/ip6.arpa/'
	# Allow the resolution of `netbird.io` to be sent to an arbitrary public DNS server, in this case 9.9.9.9 (Quad9).
	# If you are self-hosting, replace `netbird.io` with the address of your server.
	# Without this, you will encounter a race condition:
	# `netbird` cannot connect because `dnsmasq` is unable to resolve addresses,
	# and `dnsmasq` cannot resolve addresses because `netbird` cannot connect.
	list server '/netbird.io/9.9.9.9'
	# Use the `netbird` DNS server.
	list server '127.0.0.1#5335'
	[...]

config dhcp 'lan'
	[...]
	# Disable the IPv6 DNS server, it's cursed and has caused me some issues.
	# However, you can test it to see if it works for you.
	option dns_service '0'
	option ra_dns '0'
	[...]
```

Some relevant OpenWrt wiki pages:
- DHCP and DNS configuration `/etc/config/dhcp`
- DHCP and DNS examples
- Split DNS
- Enforcing dnsmasq for the local system; this is the default configuration, so there's no need to change it. However, it's good to have it for reference.
- DNS filtering
- DNS forwarding
Going further, you can configure the firewall to enforce the use of OpenWrt as the DNS server at all times to prevent DNS leaks. More information about this can be found in the DNS hijacking documentation.
This probably requires its own topic too, but without going into too much detail, here is my `/etc/config/firewall` for reference:

```
[...]
config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'

config rule
	option name 'Block-Public-DNS'
	option src '*'
	# Common ports used for DNS servers
	option dest_port '53 5353 5335 853'
	option target 'REJECT'
	option dest 'wan'

# IPv6 is cursed
config rule
	option name 'Block-IPV6-DNS'
	option src 'lan'
	option target 'REJECT'
	option family 'ipv6'
	# Common ports used for DNS servers
	option dest_port '53 5353 5335 853'
[...]
```

Now you are leveraging all the capabilities of the `netbird` DNS server... Probably...
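Added example, not code from wehagy's post or from the netbird/OpenWrt projects: a POSIX sh helper for the router that applies the setup from the post in one idempotent step (edits `CustomDNSAddress` in `config.json`, then feeds the dnsmasq and firewall settings to `uci batch` using named sections so running it twice does not duplicate rules). Assumptions that are mine, not the post's: the router has `uci`, `/etc/init.d/dnsmasq`, `/etc/init.d/firewall` and `/etc/init.d/netbird`; the section names `intercept_dns`, `block_public_dns` and `block_ipv6_dns` are arbitrary labels chosen here; and `proto 'tcp udp'` is set explicitly on the redirect and rules where the post leaves it at the firewall default.

```shell
#!/bin/sh
# Added example: idempotent helper for the dnsmasq -> netbird split-DNS setup from the post.
# Not from the post or the netbird/OpenWrt projects. Assumed (not in the post): uci and the
# init scripts for dnsmasq, firewall and netbird exist; firewall section names are arbitrary.

NETBIRD_CONF="${NETBIRD_CONF:-/etc/netbird/config.json}"
NETBIRD_DNS="${NETBIRD_DNS:-127.0.0.1:5335}"      # must stay on 127.0.0.1 and off :53 (see post)
BOOTSTRAP_DOMAIN="${BOOTSTRAP_DOMAIN:-netbird.io}" # replace with your own domain when self-hosting
BOOTSTRAP_DNS="${BOOTSTRAP_DNS:-9.9.9.9}"          # public resolver used only for that domain

# Set "CustomDNSAddress" in a netbird config.json: replace the key if present,
# otherwise insert it as the first key after the opening brace. sed/awk are used
# instead of jq because stock OpenWrt ships no jq; temp file + mv keeps the edit atomic.
set_custom_dns_address() {
    file="$1"; addr="$2"
    if grep -q '"CustomDNSAddress"' "$file"; then
        sed "s|\"CustomDNSAddress\": *\"[^\"]*\"|\"CustomDNSAddress\": \"$addr\"|" "$file" > "$file.tmp"
    else
        awk -v addr="$addr" '
            !done { i = index($0, "{")
                    if (i) { $0 = substr($0, 1, i) "\n  \"CustomDNSAddress\": \"" addr "\"," substr($0, i + 1); done = 1 } }
            { print }' "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Print the uci batch reproducing the /etc/config/dhcp and /etc/config/firewall settings
# from the post. Printing (rather than applying) keeps it reviewable and testable.
# Named firewall sections make re-running the script a no-op instead of adding duplicates.
gen_uci_batch() {
    dns_host="${NETBIRD_DNS%:*}"; dns_port="${NETBIRD_DNS##*:}"
    cat <<EOF
set dhcp.@dnsmasq[0].noresolv='1'
set dhcp.@dnsmasq[0].strictorder='1'
delete dhcp.@dnsmasq[0].server
add_list dhcp.@dnsmasq[0].server='/in-addr.arpa/'
add_list dhcp.@dnsmasq[0].server='/ip6.arpa/'
add_list dhcp.@dnsmasq[0].server='/$BOOTSTRAP_DOMAIN/$BOOTSTRAP_DNS'
add_list dhcp.@dnsmasq[0].server='$dns_host#$dns_port'
set dhcp.lan.dns_service='0'
set dhcp.lan.ra_dns='0'
set firewall.intercept_dns=redirect
set firewall.intercept_dns.name='Intercept-DNS'
set firewall.intercept_dns.src='lan'
set firewall.intercept_dns.src_dport='53'
set firewall.intercept_dns.proto='tcp udp'
set firewall.intercept_dns.target='DNAT'
set firewall.block_public_dns=rule
set firewall.block_public_dns.name='Block-Public-DNS'
set firewall.block_public_dns.src='*'
set firewall.block_public_dns.dest='wan'
set firewall.block_public_dns.proto='tcp udp'
set firewall.block_public_dns.dest_port='53 5353 5335 853'
set firewall.block_public_dns.target='REJECT'
set firewall.block_ipv6_dns=rule
set firewall.block_ipv6_dns.name='Block-IPV6-DNS'
set firewall.block_ipv6_dns.src='lan'
set firewall.block_ipv6_dns.family='ipv6'
set firewall.block_ipv6_dns.proto='tcp udp'
set firewall.block_ipv6_dns.dest_port='53 5353 5335 853'
set firewall.block_ipv6_dns.target='REJECT'
commit dhcp
commit firewall
EOF
}

apply() {
    set_custom_dns_address "$NETBIRD_CONF" "$NETBIRD_DNS"
    gen_uci_batch | uci batch
    /etc/init.d/dnsmasq restart && /etc/init.d/firewall restart && /etc/init.d/netbird restart
}

# Sanity check after applying: a name must resolve through dnsmasq on port 53,
# and something must actually be listening on the address given in config.json.
check() {
    name="${1:-$BOOTSTRAP_DOMAIN}"
    nslookup "$name" 127.0.0.1 > /dev/null 2>&1 && echo "dnsmasq resolves $name" || echo "dnsmasq FAILED for $name"
    netstat -uln 2>/dev/null | grep -q "$NETBIRD_DNS" && echo "listener bound on $NETBIRD_DNS" || echo "nothing listening on $NETBIRD_DNS"
}

case "${1:-}" in
    apply) apply ;;
    check) check "$2" ;;
    show)  gen_uci_batch ;;
    *)     echo "usage: $0 apply | check [name] | show" ;;
esac
```

Run `sh netbird-dns.sh show` first to review the batch, `apply` as root to commit it, and `check` afterwards; if `check` reports nothing listening on `127.0.0.1:5335`, `netbird` did not pick up the edited `config.json` and the `list server '127.0.0.1#5335'` entry is pointing at a dead port.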