OpenWRT Loses DNS When ISP Box is set in bridge Mode

When my ISP box is in bridge mode, my OpenWRT router loses DNS resolution. Internet connectivity still works (I can ping IP addresses like 9.9.9.9), but DNS lookups fail. However, when I switch the ISP box to router mode, DNS resolution and internet access both work correctly.

Setup Details:
OpenWRT version: OpenWrt 24.10.1 r28597-0425664679 / LuCI openwrt-24.10 branch 25.151.78251~e445dc1

Device model: Fujitsu S920

WAN interface: DHCP client

ISP box brand/model: France / Free

Issue occurs: Only when ISP box is in bridge mode

I'm adding that I'm using AdGuard Home on port 53 with OpenWRT (dnsmasq is now on port 54).
AdGuard appears functional and logs DNS queries correctly (including blocked entries), but only when the ISP box is in bridge mode.

Observed Behavior:
OpenWRT WAN interface gets IP and gateway via DHCP correctly.

No DNS resolution from OpenWRT or connected clients. I don't know what else to test.

Pinging IPs (e.g., 9.9.9.9) works fine.

Switching the ISP box to router mode fixes the DNS functionality.

Restarting dnsmasq → no effect

AdGuard Home settings:

Upstream DNS servers:

https://dns.adguard-dns.com/dns-query
tls://dns.adguard-dns.com
94.140.14.14
2a10:50c0::ad1:ff
https://dns10.quad9.net/dns-query
[/lan/]127.0.0.1:54
[//]127.0.0.1:54
[/pool.ntp.org/]94.140.14.14
[/pool.ntp.org/]94.140.15.15
[/pool.ntp.org/]2a10:50c0::ad1:ff
[/pool.ntp.org/]2a10:50c0::ad2:ff
quic://dns.adguard-dns.com

Fallback DNS servers:

94.140.14.14
94.140.15.15
2a10:50c0::ad1:ff
2a10:50c0::ad2:ff

Bootstrap DNS servers:

94.140.14.14
94.140.15.15
2a10:50c0::ad1:ff
2a10:50c0::ad2:ff

Private reverse DNS servers:

192.168.1.1:54
127.0.0.1:54

The 'Use private reverse DNS resolvers' box is on.
The 'Enable reverse resolving of clients' IP addresses' box is on.

I've followed this guide to install the AdGuard software: https://openwrt.org/docs/guide-user/services/dns/adguard-home

In "/etc/config/network":

...
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.1.1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '94.140.14.14'
	list dns '94.140.15.15'
	list dns '2a10:50c0::ad1:ff'
	list dns '2a10:50c0::ad2:ff'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2a10:50c0::ad1:ff'
	list dns '2a10:50c0::ad2:ff'

In "/etc/config/dhcp":

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option port '54'
	option noresolv '0'
	list server '192.168.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '24h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'
	list dns 'fdc1:93:ff10::1'
...

In /etc/resolv.conf:

search lan
nameserver 127.0.0.1
nameserver ::1

In logs (when ISP box is in router mode):

Wed Jun  4 17:55:07 2025 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Wed Jun  4 17:55:07 2025 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Wed Jun  4 17:55:07 2025 daemon.info dnsmasq[1]: using nameserver 94.140.14.14#53
Wed Jun  4 17:55:07 2025 daemon.info dnsmasq[1]: using nameserver 94.140.15.15#53
Wed Jun  4 17:55:07 2025 daemon.info dnsmasq[1]: using nameserver 2a10:50c0::ad1:ff#53
Wed Jun  4 17:55:07 2025 daemon.info dnsmasq[1]: using nameserver 2a10:50c0::ad2:ff#53

netstat -tuln | grep :53 :

tcp        0      0 :::53                   :::*                    LISTEN      
udp        0      0 :::53                   :::*

netstat -tuln | grep :54 :

tcp        0      0 192.168.1.1:54          0.0.0.0:*               LISTEN      
tcp        0      0 192.168.1.118:54        0.0.0.0:*               LISTEN <- Me
...

What happens if you stick more to the defaults, by not overriding the default DNS settings?

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option confdir '/tmp/dnsmasq.d'
	option nonwildcard '0'
	option localservice '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '24h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
...

Well, I added the DNS option to try to fix the problem.
But it didn't help.
I will try without AdGuard, to see if the issue is in the AdGuard setup or if the problem is somewhere else.

I'll try tonight.

If you temporarily disable the secure DNSes, you can tcpdump port 53 traffic to check if there are any requests going out.

So I have tried to reinstall a clean OpenWRT setup.

/etc/config/network

...
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

Same issue. Connection works while the ISP box is in router mode, but when I switch the ISP box into bridge mode I lose DNS.

# ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=11 ttl=61 time=2.26 ms
...
--- 9.9.9.9 ping statistics ---
11 packets transmitted, 11 received, 0% packet loss, time 10014ms
rtt min/avg/max/mdev = 1.654/2.135/2.453/0.277 ms

But:

# ping google.com
ping: bad address 'google.com'

And nslookup google.com 9.9.9.9?

I don't get anything on the interfaces while ping says it's pinging:

# tcpdump  -vnnni eth2 tcp port 53

# tcpdump  -vnnni eth1 tcp port 53

I also did UDP.

No wonder, ping isn't a TCP or UDP protocol.

nslookup google.com 9.9.9.9
;; connection timed out; no servers could be reached

Try some of the other well-known DNS IPs, like 1.1.1.1, 8.8.8.8, etc.

Are you sure your ISP isn't doing something fishy?

# sudo tcpdump  -vnnni enp46s0 udp port 53

tcpdump: listening on enp46s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:20:02.624327 IP (tos 0x0, ttl 64, id 32859, offset 0, flags [DF], proto UDP (17), length 69)
    192.168.1.122.15902 > 192.168.1.1.53: 44113+ A? dns.adguard-dns.com.lan. (41)

dns.adguard-dns.com because my Brave browser is set up to use AdGuard as DNS.

This is on my laptop.

And this is on the OpenWRT router:

18:30:19.370899 IP (tos 0x0, ttl 64, id 49695, offset 0, flags [DF], proto UDP (17), length 65)
    192.168.1.122.39148 > 192.168.1.1.53: 61189+ A? dns.adguard-dns.com. (37)
18:30:19.880059 IP (tos 0x0, ttl 64, id 51334, offset 0, flags [DF], proto UDP (17), length 69)
    192.168.1.1.53 > 192.168.1.217.48407: 64603 NXDomain 0/0/0 (41)
18:30:20.845127 IP6 (flowlabel 0xeeb0b, hlim 64, next-header UDP (17) payload length: 45) fdc6:ca72:8158::80e.15180 > fdc6:ca72:8158::1.53: [udp sum ok] 47136+ A? dns.adguard-dns.com. (37)
18:30:21.037051 IP (tos 0x0, ttl 64, id 15858, offset 0, flags [DF], proto UDP (17), length 65)
    192.168.1.122.23749 > 192.168.1.1.53: 44375+ A? dns.adguard-dns.com. (37)
18:30:21.462244 IP6 (flowlabel 0x25d68, hlim 64, next-header UDP (17) payload length: 45) fdc6:ca72:8158::8fe.33434 > fdc6:ca72:8158::1.53: [udp sum ok] 14216+ A? dns.adguard-dns.com. (37)
18:30:21.843037 IP (tos 0x0, ttl 64, id 44889, offset 0, flags [DF], proto UDP (17), length 65)
    192.168.1.122.38405 > 192.168.1.1.53: 39493+ A? dns.adguard-dns.com. (37)
18:30:22.033131 IP6 (flowlabel 0x4b54a, hlim 64, next-header UDP (17) payload length: 45) fdc6:ca72:8158::80e.10067 > fdc6:ca72:8158::1.53: [udp sum ok] 13279+ A? dns.adguard-dns.com. (37)
18:30:22.052039 IP (tos 0x0, ttl 64, id 25588, offset 0, flags [DF], proto UDP (17), length 78)
    192.168.1.217.40262 > 192.168.1.1.53: 4363+ A? detectportal.brave-http-only.com. (50)
18:30:22.394033 IP (tos 0x0, ttl 64, id 51483, offset 0, flags [DF], proto UDP (17), length 69)
    192.168.1.1.53 > 192.168.1.217.40008: 19531 NXDomain 0/0/0 (41)
18:30:23.048108 IP6 (flowlabel 0x356f1, hlim 64, next-header UDP (17) payload length: 58) fdc6:ca72:8158::8fe.58153 > fdc6:ca72:8158::1.53: [udp sum ok] 42888+ A? detectportal.brave-http-only.com. (50)
18:30:24.944772 IP6 (flowlabel 0x86330, hlim 64, next-header UDP (17) payload length: 45) fdc6:ca72:8158::8fe.52548 > fdc6:ca72:8158::1.53: [udp sum ok] 43503+ A? dns.adguard-dns.com. (37)
18:30:25.372415 IP (tos 0x0, ttl 64, id 46724, offset 0, flags [DF], proto UDP (17), length 65)
    192.168.1.122.8841 > 192.168.1.1.53: 26934+ A? dns.adguard-dns.com. (37)
18:30:25.470851 IP6 (flowlabel 0x394bc, hlim 64, next-header UDP (17) payload length: 45) fdc6:ca72:8158::8fe.42307 > fdc6:ca72:8158::1.53: [udp sum ok] 44575+ A? dns.adguard-dns.com. (37)

(sorry for the spam)

At this point, yeah, but why would the ISP block me for doing this when they add the option to put the box in bridge mode?

Tcpdump the WAN: do you see DNS requests leaving the WAN port? If that is happening but they are not answered, it must be that the ISP blocked them.

Secure DNS makes one regular DNS request to look up its server, then it communicates directly and encrypted from then on. You could fake this by setting a static /etc/hosts entry with the public IP of dns.adguard-dns.com; then the initial request does not require the Internet.

I did

# sudo tcpdump  -vnnni eth1 udp port 53 # eth1 = wan

Nothing in the output. I don't know the OpenWRT default settings, but should I add a custom rule in the firewall or something?

Oh, I didn't think about that.
I did it; now I have this on WAN:

# tcpdump  -vnnni eth1 udp port 53
my.public.ip.54208 > 94.140.14.14.53: 31213+ A? 3.openwrt.pool.ntp.org. (40)
18:54:29.794422 IP (tos 0x0, ttl 64, id 22220, offset 0, flags [DF], proto UDP (17), length 68)

But still no internet connection.

Querying 94.140.14.14 works, or wasn't there any reply?

I'm not sure how to check if it worked ... But on my computer I still cannot access/ping google.com.

In NETWORK->INTERFACE I've switched off 'Use DNS servers advertised by peer' and replaced it with the AdGuard IPv4 and IPv6 addresses. Now I have this, but still cannot ping google:

root@OpenWrt:~# tcpdump  -vnnni eth1 udp port 53
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:05:53.456932 IP (tos 0x0, ttl 64, id 12124, offset 0, flags [DF], proto UDP (17), length 68)
    my.ipv4.address.48839 > 94.140.14.14.53: 24287+ A? 3.openwrt.pool.ntp.org. (40)
19:05:53.457012 IP (tos 0x0, ttl 64, id 12125, offset 0, flags [DF], proto UDP (17), length 68)
    my.ipv4.address.48839 > 94.140.14.14.53: 24287+ A? 3.openwrt.pool.ntp.org. (40)
19:05:53.457070 IP (tos 0x0, ttl 64, id 15405, offset 0, flags [DF], proto UDP (17), length 68)
    my.ipv4.address.48839 > 94.140.15.15.53: 24287+ A? 3.openwrt.pool.ntp.org. (40)
19:05:53.457169 IP6 (flowlabel 0x40492, hlim 64, next-header UDP (17) payload length: 48) my.ipv6.address.58850 > 2a10:50c0::ad1:ff.53: [bad udp cksum 0x4749 -> 0x83cb!] 24287+ A? 3.openwrt.pool.ntp.org. (40)
19:05:53.457225 IP6 (flowlabel 0xd77d9, hlim 64, next-header UDP (17) payload length: 48) my.ipv6.address.58850 > 2a10:50c0::ad2:ff.53: [bad udp cksum 0x474a -> 0x83ca!] 24287+ A? 3.openwrt.pool.ntp.org. (40)
19:05:53.457405 IP6 (flowlabel 0x57c9c, hlim 64, next-header UDP (17) payload length: 48) my.ipv6.address.35206 > 2a10:50c0::ad1:ff.53: [bad udp cksum 0x4749 -> 0x3b3c!] 944+ AAAA? 3.openwrt.pool.ntp.org. (40)
19:05:53.467159 IP6 (flowlabel 0xab1e7, hlim 48, next-header UDP (17) payload length: 112) 2a10:50c0::ad1:ff.53 > my.ipv6.address.58850: [udp sum ok] 24287 4/0/0 3.openwrt.pool.ntp.org. A 79.143.250.33, 3.openwrt.pool.ntp.org. A 37.59.63.125, 3.openwrt.pool.ntp.org. A 5.189.185.174, 3.openwrt.pool.ntp.org. A 109.190.177.203 (104)
19:05:53.467318 IP6 (flowlabel 0x31cb2, hlim 48, next-header UDP (17) payload length: 112) 2a10:50c0::ad2:ff.53 > my.ipv6.address.58850: [udp sum ok] 24287 4/0/0 3.openwrt.pool.ntp.org. A 109.190.177.203, 3.openwrt.pool.ntp.org. A 79.143.250.33, 3.openwrt.pool.ntp.org. A 37.59.63.125, 3.openwrt.pool.ntp.org. A 5.189.185.174 (104)
19:05:53.467364 IP6 (flowlabel 0x745df, hlim 48, next-header UDP (17) payload length: 103) 2a10:50c0::ad1:ff.53 > my.ipv6.address.35206: [udp sum ok] 944 0/1/0 (95)
19:05:53.468519 IP6 (flowlabel 0xe3ad9, hlim 64, next-header UDP (17) payload length: 48) my.ipv6.address.33109 > 2a10:50c0::ad1:ff.53: [bad udp cksum 0x4749 -> 0x8d0a!] 47663+ A? 1.openwrt.pool.ntp.org. (40)
19:05:53.468726 IP6 (flowlabel 0x1e6c1, hlim 64, next-header UDP (17) payload length: 48) my.ipv6.address.35706 > 2a10:50c0::ad1:ff.53: [bad udp cksum 0x4749 -> 0x5bc6!] 57651+ AAAA? 1.openwrt.pool.ntp.org. (40)
19:05:53.479081 IP6 (flowlabel 0x83ec5, hlim 48, next-header UDP (17) payload length: 103) 2a10:50c0::ad1:ff.53 > my.ipv6.address.35706: [udp sum ok] 57651 0/1/0 (95)
19:05:53.479484 IP6 (flowlabel 0xe7fab, hlim 49, next-header UDP (17) payload length: 112) 2a10:50c0::ad1:ff.53 > my.ipv6.address.33109: [udp sum ok] 47663 4/0/0 1.openwrt.pool.ntp.org. A 109.190.177.205, 1.openwrt.pool.ntp.org. A 79.143.250.33, 1.openwrt.pool.ntp.org. A 51.68.44.27, 1.openwrt.pool.ntp.org. A 5.39.80.51 (104)
19:05:53.480425 IP6 (flowlabel 0xae128, hlim 64, next-header UDP (17) payload length: 48) my.ipv6.address.34766 > 2a10:50c0::ad1:ff.53: [bad udp cksum 0x4749 -> 0xb852!] 34927+ A? 0.openwrt.pool.ntp.org. (40)
19:05:53.480602 IP6 (flowlabel 0xcdb92, hlim 64, next-header UDP (17) payload length: 48) my.ipv6.address.55819 > 2a10:50c0::ad1:ff.53: [bad udp cksum 0x4749 -> 0x64bd!] 35244+ AAAA? 0.openwrt.pool.ntp.org. (40)
19:05:53.490846 IP6 (flowlabel 0xcbbbe, hlim 49, next-header UDP (17) payload length: 103) 2a10:50c0::ad1:ff.53 > my.ipv6.address.55819: [udp sum ok] 35244 0/1/0 (95)
19:05:53.491000 IP6 (flowlabel 0xd19cb, hlim 49, next-header UDP (17) payload length: 112) 2a10:50c0::ad1:ff.53 > my.ipv6.address.34766: [udp sum ok] 34927 4/0/0 0.openwrt.pool.ntp.org. A 163.172.179.38, 0.openwrt.pool.ntp.org. A 82.65.248.56, 0.openwrt.pool.ntp.org. A 82.67.41.119, 0.openwrt.pool.ntp.org. A 80.245.24.151 (104)
19:06:03.423184 IP6 (flowlabel 0x67597, hlim 64, next-header UDP (17) payload length: 45) my.ipv6.address.43781 > 2a10:50c0::ad1:ff.53: [bad udp cksum 0x4746 -> 0x0523!] 60703+ HTTPS? dns.adguard-dns.com. (37)
19:06:03.433064 IP6 (flowlabel 0xfd65b, hlim 49, next-header UDP (17) payload length: 105) 2a10:50c0::ad1:ff.53 > my.ipv6.address.43781: [udp sum ok] 60703 0/1/0 (97)
19:06:03.499262 IP6 (flowlabel 0x14076, hlim 64, next-header UDP (17) payload length: 45) my.ipv6.address.54335 > 2a10:50c0::ad1:ff.53: [bad udp cksum 0x4746 -> 0x77c4!] 20804+ HTTPS? dns.adguard-dns.com. (37)
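One way to answer the question asked just above (did the resolvers reply, or were the requests only sent?) from a capture like this one. This is an added example, not code from the thread: it re-joins tcpdump's two-line IPv4 records, pairs each query with its reply by client address, client port and DNS transaction id, and lists the resolvers that were queried but never answered on the WAN. The sample capture is constructed from the posted lines (with the post's my.ipv4.address / my.ipv6.address placeholders), and covers both the answered IPv6 path and the silent IPv4 one.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "tcpdump -vnnni eth1 udp port 53" output posted
# above (not real captured traffic): IPv4 records span two lines, IPv6 records one;
# queries carry "<id>+", replies "<id> <an>/<ns>/<ar>".
SAMPLE = """\
19:05:53.456932 IP (tos 0x0, ttl 64, id 12124, offset 0, flags [DF], proto UDP (17), length 68)
    my.ipv4.address.48839 > 94.140.14.14.53: 24287+ A? 3.openwrt.pool.ntp.org. (40)
19:05:53.457169 IP6 (flowlabel 0x40492, hlim 64, next-header UDP (17) payload length: 48) my.ipv6.address.58850 > 2a10:50c0::ad1:ff.53: [bad udp cksum 0x4749 -> 0x83cb!] 24287+ A? 3.openwrt.pool.ntp.org. (40)
19:05:53.467159 IP6 (flowlabel 0xab1e7, hlim 48, next-header UDP (17) payload length: 112) 2a10:50c0::ad1:ff.53 > my.ipv6.address.58850: [udp sum ok] 24287 4/0/0 3.openwrt.pool.ntp.org. A 79.143.250.33 (104)
19:06:03.423184 IP6 (flowlabel 0x67597, hlim 64, next-header UDP (17) payload length: 45) my.ipv6.address.43781 > 2a10:50c0::ad1:ff.53: [bad udp cksum 0x4746 -> 0x0523!] 60703+ HTTPS? dns.adguard-dns.com. (37)
19:06:03.433064 IP6 (flowlabel 0xfd65b, hlim 49, next-header UDP (17) payload length: 105) 2a10:50c0::ad1:ff.53 > my.ipv6.address.43781: [udp sum ok] 60703 0/1/0 (97)
"""

# "<src>.<sport> > <dst>.<dport>: [cksum note] <txid>[+] [<QTYPE>? <qname>]"
PKT = re.compile(
    r"\s(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?:\[[^\]]*\] )?"                # "[udp sum ok]" / "[bad udp cksum ...]"
    r"(?P<txid>\d+)\+?\S* "            # "+" (recursion desired) marks a query
    r"(?:(?P<qtype>[A-Z]+)\? (?P<qname>\S+))?"
)

def join_records(text):
    """Re-join tcpdump's indented continuation lines with their header line."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records

def analyze(capture_text):
    """Pair queries with replies by (client, client port, txid, resolver) and return
    {resolver: {"sent", "answered", "unanswered": [qname, ...]}}. A reply carrying
    NXDomain/ServFail still counts as answered: the question is whether the path
    to the resolver works at all, not whether the name exists."""
    pending, stats = {}, defaultdict(lambda: {"sent": 0, "answered": 0, "unanswered": []})
    for rec in join_records(capture_text):
        if not (m := PKT.search(rec)):
            continue
        f = m.groupdict()
        if f["dport"] == "53":                       # client -> resolver
            stats[f["dst"]]["sent"] += 1
            pending[(f["src"], f["sport"], f["txid"], f["dst"])] = f["qname"] or "?"
        elif f["sport"] == "53":                     # resolver -> client
            if pending.pop((f["dst"], f["dport"], f["txid"], f["src"]), None) is not None:
                stats[f["src"]]["answered"] += 1
    for (_, _, _, server), qname in pending.items():
        stats[server]["unanswered"].append(qname)
    return dict(stats)

def silent_servers(stats):
    """Resolvers that were queried but never replied: the sign of a blocked path."""
    return sorted(s for s, v in stats.items() if v["sent"] and not v["answered"])
```

Run it over a real `tcpdump -vnnni eth1 udp port 53` capture saved to a file; a resolver that appears in `silent_servers()` while its IPv6 twin answers points at the IPv4 path, not at dnsmasq or AdGuard.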

OK, now I'm lost ...
I can now ping openwrt.org:

ping openwrt.org
PING openwrt.org (64.226.122.113) 56(84) bytes of data.
64 bytes from wiki-03.infra.openwrt.org (64.226.122.113): icmp_seq=1 ttl=52 time=10.6 ms
64 bytes from wiki-03.infra.openwrt.org (64.226.122.113): icmp_seq=2 ttl=52 time=11.1 ms
64 bytes from wiki-03.infra.openwrt.org (64.226.122.113): icmp_seq=3 ttl=52 time=11.5 ms
64 bytes from wiki-03.infra.openwrt.org (64.226.122.113): icmp_seq=4 ttl=52 time=10.7 ms
^C
--- openwrt.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 10.602/10.993/11.492/0.350 ms

But I can't access it from my browser:

This site can't be reached

openwrt.org's DNS address could not be found. Diagnosing the problem.

DNS_PROBE_POSSIBLE

Well, it seems I'm now able to get/ping/access websites from the OpenWRT router; I just wget the webpage and it was successful ... but not from the br-lan.

What private IP range does the ISP modem use in bridge and non-bridge mode?