Resolve FQDN if server (NAS) is in LAN with https-dns-proxy

My router is running on:
Raspberry Pi 4 Model B Rev 1.2
OpenWrt 21.02.3 r16554-1d4dea6d4f / LuCI openwrt-21.02 branch git-22.245.77575-63bfee6

When I use FQDNs on my LAN, it shows the correct website or service.

When I enable https-dns-proxy, I can only access them by their IP address in the LAN and resolving (do you call it like that?) is not working. Any idea why, or how to correct this when using https-dns-proxy?

For a start, you need to post uci export dhcp

Hi Trendy, didn't know what was needed :wink:

root@Router:/# uci export dhcp
package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	list server '/use-application-dns.net/'
	list server '127.0.0.1#5053'
	option noresolv '1'
	option doh_backup_noresolv '-1'
	list doh_backup_server '/use-application-dns.net/'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dns_service '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'raspberrypi'
	option ip '192.168.1.172'
	option mac 'B8:27:EB:F6:F4:DC'

config host
	option name 'HarmonyHub'
	option ip '192.168.1.236'
	option mac '00:04:20:F6:00:68'

config host
	option name 'Kodi-Pi4'
	option ip '192.168.1.108'
	option mac 'DC:A6:32:FC:A7:53'

config dhcp 'ziggo_lan'
	option interface 'ziggo_lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	option dhcpv6 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force '1'
	list dns '2001:b88:1202::10'
	list dns '2001:b88:1002::10'
	list dns '2001:730:3e42:1000::53'
	list dhcp_option '6,84.116.46.23,84.116.46.22'
	list dhcp_option '6,84.116.46.20,84.116.46.21'

config host
	option name 'VMB4000'
	option mac '9C:3D:CF:49:F1:8B'
	option ip '192.168.1.20'

config domain
	option ip '192.168.1.30'
	option name 'nas.lan'

config domain
	option ip '192.168.1.1'
	option name 'router.lan'

root@Router:/# 

I just noticed this issue because my calendar didn't sync on the LAN but did when I was out at the office today.

If I do an nslookup on a site that is running in Docker on my NAS (with reverse proxy):

raymond@MBP-van-Raymond ~ % nslookup flame.fakedomain.synology.me          
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:	flame.fakedomain.synology.me
Address: xx.xx.xx.66.  (my external ip from my isp)

When I do this with the NAS website:

raymond@MBP-van-Raymond ~ % nslookup nas.fakeddomain.synology.me             
Server:		192.168.1.1
Address:	192.168.1.1#53

** server can't find nas.fakeddomain.synology.me: NXDOMAIN

raymond@MBP-van-Raymond ~ % 

synology.me is not excluded from being sent to the https-dns-proxy, so it will be answered by the upstream resolver.
However, in one case you are resolving flame.fakedomain and in the other nas.fakedomain.

Yes, they all run on the same server, but 'flame' is in Docker on my NAS and 'nas' is just the NAS's own address. Funny thing is, all worked fine (always did) but not with https-dns-proxy. So I'm wondering why this is the case.

When I disable/stop https-dns-proxy:

raymond@MBP-van-Raymond ~ % nslookup nas.fakdomain.synology.me
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:	nas.fakedomain.synology.me
Address: xx.xx.xx.66

raymond@MBP-van-Raymond ~ % 

Does it help if you use list server '/synology.me/192.168.1.1' to force it?
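To see why nas.lan is answered locally while nas.fakedomain.synology.me goes to the https-dns-proxy listener on 127.0.0.1#5053, and what the suggested '/synology.me/...' entry changes, here is an added illustration of dnsmasq's domain-specific forwarding rules, modelled on the uci export dhcp output above. This is not dnsmasq's or OpenWrt's own code; it follows the documented rules (longest matching domain wins, a server entry with no address means "answer locally only") and ignores details such as '#' addresses and expandhosts.

```python
# Added model of dnsmasq server selection, built from the config posted above.
# Not dnsmasq's own code: simplified to the two rules the thread relies on.

def parse_server_list(entries):
    """Turn `list server` / `option local` values into (domain, address) rules.

    '/lan/'                    -> ('lan', '')            answer locally only
    '/synology.me/192.168.1.1' -> ('synology.me', '192.168.1.1')
    '127.0.0.1#5053'           -> ('', '127.0.0.1#5053') default upstream
    """
    rules = []
    for entry in entries:
        if entry.startswith("/"):
            _, domain, addr = entry.split("/", 2)
            rules.append((domain.lower().strip("."), addr))
        else:
            rules.append(("", entry))
    return rules

def route_query(name, rules, local_records):
    """Return ('local', answer_or_None) or ('forward', address) for `name`."""
    name = name.lower().rstrip(".")
    if name in local_records:               # `config domain` entries win
        return ("local", local_records[name])
    best = None                             # longest matching domain wins
    for domain, addr in rules:
        if domain and (name == domain or name.endswith("." + domain)):
            if best is None or len(domain) > len(best[0]):
                best = (domain, addr)
    if best is not None:
        if best[1] == "":
            return ("local", None)          # never forwarded -> NXDOMAIN
        return ("forward", best[1])
    defaults = [addr for domain, addr in rules if not domain]
    return ("forward", defaults[0] if defaults else None)

# Entries taken from the posted config: option local, the two list server lines
RULES = parse_server_list(["/lan/", "/use-application-dns.net/", "127.0.0.1#5053"])
# The two `config domain` records from the posted config
LOCAL = {"nas.lan": "192.168.1.30", "router.lan": "192.168.1.1"}
# The override suggested in the reply above, applied on top of RULES
WITH_OVERRIDE = RULES + parse_server_list(["/synology.me/192.168.1.1"])

if __name__ == "__main__":
    for q in ("nas.lan", "pc.lan", "use-application-dns.net", "nas.fakedomain.synology.me"):
        print(q, route_query(q, RULES, LOCAL))
    print("with override:", route_query("nas.fakedomain.synology.me", WITH_OVERRIDE, LOCAL))
```

With the override, the model shows the synology.me query forwarded to 192.168.1.1, which is the router's own dnsmasq listener; a forwarder target that actually holds the record, or a local config domain entry for the name, is what keeps the query off the DoH upstream without sending it back to the same resolver.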

I'm going to give that a try later today.

Something I noticed: when I do not use the provider I normally use but, for example, Cloudflare, it seems to work, so maybe it's my DNS provider's settings?

I'll let you know how it goes.