I was busy fixing an issue (which succeeded) and while doing so ICMP errors stating that certain ports were inaccessible caught my attention. First a little output from tcpdump:
21:04:58.976314 IP 10.141.18.245.56460 > 84.241.227.82.53: 30247+ A? reu.comws.homeconnectegw.com. (46)
21:04:58.976646 IP 10.141.18.245.56460 > 84.241.227.81.53: 30247+ A? reu.comws.homeconnectegw.com. (46)
21:04:59.106931 IP 84.241.227.82.53 > 10.141.18.245.56460: 30247- 3/0/0 A 3.125.31.128, A 52.58.30.142, A 3.74.11.149 (94)
21:04:59.126001 IP 84.241.227.81.53 > 10.141.18.245.56460: 30247 3/4/0 A 52.58.30.142, A 3.125.31.128, A 3.74.11.149 (231)
21:04:59.126441 IP 10.141.18.245 > 84.241.227.81: ICMP 10.141.18.245 udp port 56460 unreachable, length 267
So what is happening here? The DNS server on my OpenWrt router gets a request which it forwards using UDP to the external DNS servers 84.241.227.81 and …82. Both external servers respond and my router issues an ICMP reply that the first external DNS server has no access to the requesting port. Besides this there is one more thing that is interesting (not visible in the tcpdump output): a little later (40-60 sec) the very same happens (i.e. identical messages yet with a different outgoing UDP port number), where I would expect the DNS server to remember the result and not ask again.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network # this only if you changed a lot from defaults
cat /etc/config/dhcp
cat /etc/config/firewall
After the first server responds, the local UDP connection is “closed” so the next server trying to respond on the same local port gets the ICMP message instead. I see that happening on my router as well, for both IPv4 and IPv6 DNS upstream servers.
That is normal, expected behaviour. dnsmasq closes the resolver socket when any other socket got the response. Linux sends ICMP unreach back. You can add a custom rule against the icmp payload to drop output icmp referring to udp53.
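To make the race described in the last two replies visible from a capture, here is an added Python script (not from this thread, dnsmasq or OpenWrt) that parses tcpdump lines like the ones in the first post and reports, for each "udp port unreachable", which upstream answered first and which one drew the ICMP error. The sample capture is the thread's own five lines; the function name, the regexes and the result layout are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the five tcpdump lines from the first post (one query
# forwarded to two upstreams, both answering, then the ICMP error sent to the loser).
CAPTURE = """\
21:04:58.976314 IP 10.141.18.245.56460 > 84.241.227.82.53: 30247+ A? reu.comws.homeconnectegw.com. (46)
21:04:58.976646 IP 10.141.18.245.56460 > 84.241.227.81.53: 30247+ A? reu.comws.homeconnectegw.com. (46)
21:04:59.106931 IP 84.241.227.82.53 > 10.141.18.245.56460: 30247- 3/0/0 A 3.125.31.128, A 52.58.30.142, A 3.74.11.149 (94)
21:04:59.126001 IP 84.241.227.81.53 > 10.141.18.245.56460: 30247 3/4/0 A 52.58.30.142, A 3.125.31.128, A 3.74.11.149 (231)
21:04:59.126441 IP 10.141.18.245 > 84.241.227.81: ICMP 10.141.18.245 udp port 56460 unreachable, length 267
"""

# tcpdump's "host.port > host.port: txid[+-]" prefix of a UDP/DNS line
UDP_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)[+-]?\s")
# the kernel's ICMP port-unreachable line
ICMP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")


def explain_unreachables(text):
    """For every ICMP port-unreachable, name the upstream whose reply came first
    (it made dnsmasq close the socket) and the upstream whose later reply hit the
    closed port. Errors with no matching late reply are kept, with winner None,
    so a genuinely stray ICMP error is not hidden."""
    replies = defaultdict(list)  # (local port, txid) -> [(time, upstream)] in arrival order
    findings = []
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, src, sport, _dst, dport, txid = m.groups()
            if sport == "53":  # an answer from an upstream resolver
                replies[(dport, txid)].append((ts, src))
            continue
        m = ICMP_RE.match(line)
        if not m:
            continue
        ts, _router, target, port = m.groups()
        winner = loser = txid = None
        for (lport, tid), seen in replies.items():
            late = [ip for _, ip in seen[1:]]  # every reply after the first one
            if lport == port and target in late:
                winner, loser, txid = seen[0][1], target, tid
                break
        findings.append({"time": ts, "port": port, "txid": txid,
                         "winner": winner, "loser": loser,
                         "expected": winner is not None})
    return findings
```

On the sample, `explain_unreachables(CAPTURE)` returns a single finding with 84.241.227.82 as the winner and 84.241.227.81 as the loser, which is exactly the "expected" error the replies describe; a finding with `"expected": False` would be worth a closer look before dropping such ICMP output with a firewall rule.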