Resolving LAN hostnames

Dear Community, I just configured a VPN tunnel (sections "DHCP and DNS settings" & "Change DNS on LAN Interface").
After that, I'm no longer able to reach any device in local network (e.g. router itself and modem) by its name, since DNS requests are sent to another address.
Is there something in the DNS/DHCP settings to be changed in order to restore the same behavior as before?
Thanks in advance for your help.

Just don't configure DHCP-Options on LAN.


You mean this, right?
It doesn't change anything if this field stays empty.

Your picture is not empty.

  • Empty it
  • Save and apply
  • Clear the DNS Cache on the client
  • Re-test

If this does not work, please provide the LAN and WAN configs.

Even flushing DNS cache doesn't work.
I attached screens of interface configs, I hope they can be helpful.

Meanwhile another issue has occurred. For 4 days the VPN tunnel has been down. No configuration changes were performed after the connection had been successfully established.
Even a configuration restore to pre-VPN conditions and successive interface configuration from scratch could not help.
I can still use the tunnel with the same key pair using the Android WireGuard client, so one assumes the issue is affecting only my home router.

You probably have a DNS leak. I.e., your VPN client is using its upstream DNS servers instead of the DNS server on the other side of the VPN tunnel. Please confirm this by running this test while on a different network, but connected to your VPN:

https://www.dnsleaktest.com/

If you have a DNS leak, it will show the client's upstream DNS servers. If you have no leak, it will show the DNS servers as configured in OpenWrt.

I already performed some tests, no DNS leak detected so far.

Anybody having a clue of what's going on?
How is it possible that a perfectly working connection suddenly stops doing its thing without any configuration change?

I think you should show us your /etc/config/network

A couple of reasons are possible; but the config would be good to see first.

# cat /etc/config/network 

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5c:dc7e:d327::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth1'
        option ipaddr '192.168.99.1'

config interface 'wan'
        option proto 'static'
        option broadcast '192.168.178.255'
        option ipaddr '192.168.254.254'
        option netmask '255.255.255.252'
        option gateway '192.168.254.253'
        option ifname 'eth0.2'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2t'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '67'
        option ports '0t 2t'

config interface 'Home'
        option proto 'static'
        option ifname 'eth1.67'
        option ipaddr '192.168.67.1'
        option netmask '255.255.255.0'
        option type 'bridge'

config interface 'DMZ'
        option proto 'static'
        option ifname 'eth1.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option broadcast '192.168.10.255'

config interface 'Guest'
        option proto 'static'
        option ifname 'eth1.254'
        option ipaddr '192.168.254.1'
        option netmask '255.255.255.128'
        option broadcast '192.168.254.127'
        option type 'bridge'

config interface 'Mgmt'
        option proto 'static'
        option ipaddr '192.168.255.1'
        option netmask '255.255.255.240'
        option ifname 'eth1.1'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '10'
        option ports '0t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '6'
        option vid '254'
        option ports '0t 2t'

config wireguard_WGINTERFACE
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option public_key 'wemUaSnT9wBRHgPHhlFnlMTAyFvXb2DzgnPM7ZzXwE4='
        option endpoint_host 'de6wireguard.mullvad.net'

config switch_vlan
        option device 'switch0'
        option vlan '7'
        option vid '255'
        option ports '0t 3 4'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        option force_link '1'
        list addresses '10.65.167.191'
        option private_key 'iFY2oV3vw0Vo+uR054tx2T15gOEutbMZIkejV4tL7EE='
        option listen_port '51820'

There was a typo in the line option endpoint_host. Apart from this, there seems to be a problem with name resolution, even after entering the correct endpoint host name.

According to config instructions:

DHCP and DNS settings
Navigate to the DHCP and DNS settings.
Next to DNS forwarding, add 10.64.0.1

Change DNS on LAN Interface
Navigate to Network→Interfaces→LAN and make the following changes:

  • IPv4 address – change this to "192.168.99.1" (this ensures that it won't conflict with our other
    routers commonly running on 192.168.0.1 or 192.168.1.1) . Keep in mind after this you will
    access the OpenWRT device on 192.168.99.1
  • DHCP-Options – set this to "6,10.64.0.1".

Below are the DNS and DHCP configurations, respectively:

root@efc-openwrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        list server '10.64.0.1'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option start '2'
        option limit '254'
        option ra_management '1'
        list dhcp_option '6,10.64.0.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Home'
        option leasetime '12h'
        option interface 'Home'
        option start '2'
        option limit '254'
        list dhcp_option '6,10.64.0.1'

config dhcp 'DMZ'
        option interface 'DMZ'
        option ignore '1'

config dhcp 'Guest'
        option leasetime '12h'
        option interface 'Guest'
        option start '2'
        option limit '126'

config domain
        option name 'fritz.box'
        option ip '192.168.254.253'

config dhcp 'Mgmt'
        option interface 'Mgmt'
        option start '3'
        option limit '14'
        option leasetime '4h'

I decided to enter the public Mullvad DNS addresses in the modem's (a Fritz!Box connected to the OpenWRT router) DNS configuration and to delete the additional DNS/DHCP settings in the router's configuration.
On the LAN interface, the IP of the modem is used as the custom DNS server.
Now I can resolve LAN host names again, since there's no more forwarding to the private Mullvad DNS IP.
Still, I can't resolve remote VPN server host names.

Are the remote VPN host names grouped within a specific domain, like *.intranet.example.org? If that is the case, you could set up a DNS forwarding for this specific domain only by using the dnsmasq server option:

list server /intranet.example.org/10.64.0.1

For that to work properly you most likely need to (selectively) disable the rebind protection as well, otherwise dnsmasq will discard DNS replies with private IPs in them:

list rebind_domain intranet.example.org

If you insert DHCP option "6,10.64.0.1" in a VLAN interface (like HOME in my case), local host names aren't resolved anymore, that was the mistake all the time.

root@efc-openwrt:~# less /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        list server '/mullvad.net/10.64.0.1'
        list rebind_domain 'mullvad.net'
[…]

That doesn't help me resolve VPN server names prior to bringing up the WG interface. Should I create a DNS SNAT rule in the firewall?
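The two settings this thread turns on can be checked mechanically: "don't configure DHCP-Options on LAN" (a `dhcp_option 6,<ip>` hands clients a resolver directly, so they skip dnsmasq and lose the local `.lan` names), and "forward only the VPN domain, with a matching rebind_domain" (otherwise dnsmasq discards the private answers). The following is an added example, not code from the thread or from OpenWrt: a POSIX sh/awk lint over /etc/config/dhcp. The two sample configs are constructed from the fragments posted earlier in the thread; the file paths, function names and message wording are my own.

```shell
#!/bin/sh
# Added example (not from the thread, not part of OpenWrt): a lint for
# /etc/config/dhcp that flags the two settings discussed in the thread.
#   1. "dhcp_option 6,<ip>" on any dhcp section: clients then query that
#      server directly, skipping dnsmasq, so .lan names stop resolving
#   2. a domain-scoped "server /dom/ip" while rebind_protection is on but
#      no matching rebind_domain, so private answers from the VPN DNS are dropped
# It also notes (INFO) an unscoped forwarder, which only works while the
# path to it (here: the tunnel) is up. Sample configs are constructed
# from the thread's fragments and written to the paths given as arguments.

write_samples() {
    # $1: "before" config (option 6 on two interfaces, unscoped forwarder)
    cat > "$1" <<'EOF'
config dnsmasq
        option local '/lan/'
        option domain 'lan'
        option rebind_protection '1'
        list server '10.64.0.1'

config dhcp 'lan'
        option interface 'lan'
        list dhcp_option '6,10.64.0.1'

config dhcp 'Home'
        option interface 'Home'
        list dhcp_option '6,10.64.0.1'
EOF
    # $2: "after" config (clients use dnsmasq; only mullvad.net is forwarded)
    cat > "$2" <<'EOF'
config dnsmasq
        option local '/lan/'
        option domain 'lan'
        option rebind_protection '1'
        list server '/mullvad.net/10.64.0.1'
        list rebind_domain 'mullvad.net'

config dhcp 'lan'
        option interface 'lan'

config dhcp 'Home'
        option interface 'Home'
EOF
}

# lint_dhcp_config FILE: prints one finding per line, returns the WARN count.
lint_dhcp_config() {
    awk '
    # strip the single quotes UCI puts around values (\047 is the quote char)
    function unq(s) { gsub(/^\047|\047$/, "", s); return s }

    BEGIN { rebind = "1" }   # OpenWrt default when rebind_protection is unset

    /^config[ \t]/ { type = $2; name = unq($3); sect = type (name == "" ? "" : "." name) }

    /^[ \t]*(option|list)[ \t]/ {
        key = $2
        val = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val)
        val = unq(val)
        if (type == "dnsmasq") {
            if (key == "rebind_protection")  rebind = val
            else if (key == "server")        servers[++nserv] = val
            else if (key == "rebind_domain") rd[val] = 1
        } else if (type == "dhcp" && key == "dhcp_option" && val ~ /^6,/) {
            print "WARN " sect ": dhcp_option " val " makes clients bypass dnsmasq; local .lan names will not resolve"
            n++
        }
    }

    END {
        for (i = 1; i <= nserv; i++) {
            s = servers[i]
            if (s ~ /^\//) {
                split(s, p, "/")      # "/dom/ip" -> p[2] = dom, p[3] = ip
                if (rebind == "1" && !(p[2] in rd)) {
                    print "WARN dnsmasq: server " s " has no rebind_domain " p[2] "; private answers will be discarded"
                    n++
                }
            } else {
                print "INFO dnsmasq: server " s " is unscoped; all non-local queries depend on the path to it (the VPN tunnel) being up"
            }
        }
        exit n + 0
    }' "$1"
}

# Usage:
#   write_samples /tmp/dhcp.before /tmp/dhcp.after
#   lint_dhcp_config /tmp/dhcp.before   # two WARN lines and one INFO, exit 2
#   lint_dhcp_config /tmp/dhcp.after    # no output, exit 0
```

On the router itself, run `lint_dhcp_config /etc/config/dhcp`; the awk program uses only POSIX awk features. The INFO line on the unscoped forwarder is the same chicken-and-egg the last post asks about: while every non-local query is sent through the tunnel, dnsmasq cannot resolve the endpoint's host name until the tunnel exists.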