[Solved] Dnsmasq doesn't respond to DNS requests from WireGuard

Hello,

I'm using OpenWrt 23.05.3 on a MikroTik RB760iGS and I set up a WireGuard server. The WireGuard client (my phone) can connect to the WireGuard server and IP traffic works fine: I can ping my local network and get outside through the NAT. All good on this part.

Except that no DNS query from my phone to my router's local dnsmasq DNS server gets an answer.

The query is received by the dnsmasq process, as I checked by stracing it. The DNS request is received by dnsmasq, but dnsmasq never sends a response. All other queries work (from my LAN).

I set the localservice option to 0, but the result is exactly the same.

Any help would be appreciated. I searched bug reports and the forum and did not find anything related to my problem.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd42:42:42::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'wan'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'wan'
	option macaddr '11:22:33:44:55:66'

config device
	option name 'lan2'
	option macaddr '11:22:33:44:55:66'

config device
	option name 'lan3'
	option macaddr '11:22:33:44:55:66'

config device
	option name 'lan4'
	option macaddr '11:22:33:44:55:66'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.42.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6ifaceid '::1'

config device
	option name 'lan5'
	option macaddr 'AA:BB:CC:DD:EE:FF'

config device
	option name 'lan5.832'
	option type '8021q'
	option ifname 'lan5'
	option vid '832'
	list egress_qos_mapping '0:0'
	list egress_qos_mapping '6:6'
	option macaddr 'AA:BB:CC:DD:EE:FF'

config interface 'wan4'
	option proto 'dhcp'
	option device 'lan5.832'
	option hostname '*'
	option broadcast '1'
	option norelease '1'
	option peerdns '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'lan5.832'
	option reqprefix 'auto'
	option reqaddress 'none'
	option defaultreqopts '0'
	option noclientfqdn '1'
	option noacceptreconfig '1'
	option peerdns '0'

config interface 'wireguard'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port '51820'
	list addresses '42.42.42.42'
	list addresses '1:1:1:1::1'

config wireguard_wireguard
	option description 'phone'
	option public_key 'xxx'
	option private_key 'xxx'
	option preshared_key 'xxxx'
	option route_allowed_ips '1'
	list allowed_ips '192.168.100.10/32'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wireguard'

config zone
	option name 'wan4'
	list network 'wan4'
	option family 'ipv4'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config zone
	option name 'wan6'
	list network 'wan6'
	list device 'lan5.832'
	option family 'ipv6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan4'

config forwarding
	option src 'lan'
	option dest 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan4'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan4'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan4'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan6'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan6'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan6'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan6'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'wireguard'
	option src 'wan4'
	list dest_ip 'pub.lic.ip.v4'
	option dest_port '51820'
	option target 'ACCEPT'

config rule
	option name 'wireguard ipv6'
	option src 'wan6'
	list dest_ip 'pu:bl:ic:ip::v6'
	option dest_port '51820'
	option target 'ACCEPT'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option local '/local/'
	option domain 'local'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '0'
	option ednspacket_max '1232'
	option quietdhcp '1'
	option logqueries '1'
	list interface 'lan'
	list server '9.9.9.9'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '254'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'server'
	list ra_flags 'none'
	list dhcp_option 'option:ntp-server,192.168.42.1'

config dhcp 'wan4'
	option interface 'wan4'
	option ignore '1'

config dhcp 'wan6'
	option interface 'wan6'
	option ignore '1'

config dhcp 'wireguard'
	option interface 'wireguard'
	option ignore '1'

strace of the dnsmasq process on a request from the WireGuard client

recvmsg(6, {msg_name={sa_family=AF_INET, sin_port=htons(7472), sin_addr=inet_addr("192.168.100.10")}, msg_namelen=28 => 16, msg_iov=[{iov_base="\340\313\1\0\0\1\0\0\0\0\0\0\4free\2fr\0\0\1\0\1", iov_len=1232}], msg_iovlen=1, msg_control=[{cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=IP_PKTINFO, cmsg_data={ipi_ifindex=if_nametoindex("wireguard"), ipi_spec_dst=inet_addr("192.168.42.1"), ipi_addr=inet_addr("192.168.42.1")}}], msg_controllen=24, msg_flags=0}, 0) = 25
ioctl(6, SIOCGIFNAME, {ifr_ifindex=12, ifr_name="wireguard"}) = 0
ioctl(6, SIOCGIFFLAGS, {ifr_name="wireguard", ifr_flags=IFF_UP|IFF_POINTOPOINT|IFF_RUNNING|IFF_NOARP}) = 0
setsockopt(4, SOL_SOCKET, SO_BINDTODEVICE, "br-lan\0", 7) = 0

strace of the dnsmasq process on a request from a local client on the LAN

recvmsg(6, {msg_name={sa_family=AF_INET, sin_port=htons(47517), sin_addr=inet_addr("192.168.42.231")}, msg_namelen=28 => 16, msg_iov=[{iov_base="\6n\1 \0\1\0\0\0\0\0\1\3www\4free\2fr\0\0\1\0\1\0\0)\4\320\0\0\0\0\0\f\0\n\0\10\257A0r\24\252\370\177", iov_len=1232}], msg_iovlen=1, msg_control=[{cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=IP_PKTINFO, cmsg_data={ipi_ifindex=if_nametoindex("br-lan"), ipi_spec_dst=inet_addr("192.168.42.1"), ipi_addr=inet_addr("192.168.42.1")}}], msg_controllen=24, msg_flags=0}, 0) = 52
ioctl(6, SIOCGIFNAME, {ifr_ifindex=10, ifr_name="br-lan"}) = 0
getpid()                                = 1
munmap(0x77e3b000, 27)                  = 0
open("/etc/TZ", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_CLOEXEC) = 26
statx(26, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_BASIC_STATS, {stx_mask=STATX_BASIC_STATS|STATX_MNT_ID, stx_attributes=STATX_ATTR_MOUNT_ROOT, stx_mode=S_IFREG|0644, stx_size=27, ...}) = 0
mmap2(NULL, 27, PROT_READ, MAP_SHARED, 26, 0) = 0x77e3b000
close(26)                               = 0
getpid()                                = 1
write(25, "<30>May 12 21:09:15 dnsmasq[1]: 15625 192.168.42.231/47517 query[A] www.free.fr from 192.168.42.231", 99) = 99
getpid()                                = 1
munmap(0x77e3b000, 27)                  = 0
open("/etc/TZ", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_CLOEXEC) = 26
statx(26, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_BASIC_STATS, {stx_mask=STATX_BASIC_STATS|STATX_MNT_ID, stx_attributes=STATX_ATTR_MOUNT_ROOT, stx_mode=S_IFREG|0644, stx_size=27, ...}) = 0
mmap2(NULL, 27, PROT_READ, MAP_SHARED, 26, 0) = 0x77e3b000
close(26)                               = 0
getpid()                                = 1
write(25, "<30>May 12 21:09:15 dnsmasq[1]: 15625 192.168.42.231/47517 cached www.free.fr is 212.27.48.10", 93) = 93
sendmsg(6, {msg_name={sa_family=AF_INET, sin_port=htons(47517), sin_addr=inet_addr("192.168.42.231")}, msg_namelen=16, msg_iov=[{iov_base="\6n\201\200\0\1\0\1\0\0\0\1\3www\4free\2fr\0\0\1\0\1\300\f\0\1\0\1\0\0\2D\0\4\324\0330\n\0\0)\4\320\0\0\0\0\0\0", iov_len=56}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 56
setsockopt(4, SOL_SOCKET, SO_BINDTODEVICE, "br-lan\0", 7) = 0

dnsmasq seems to ignore the request it received from the WireGuard interface, and I have no clue why :frowning: (in the first trace the recvmsg shows the query arriving with ipi_ifindex "wireguard", and, unlike the LAN trace, no query log line and no sendmsg follow it).

Thanks for your help

Replying to myself... after reading the dnsmasq man page, I realized that the localservice option is ignored when the interface option is set: dnsmasq then only answers queries on the listed interfaces.

I just had to add `list interface 'wireguard'` to the `config dnsmasq` section of /etc/config/dhcp and that was it.

lesson of the day: RTFM :face_with_head_bandage: :brick:


Alternatively, there is usually no need to set the interface option at all. If it is not specified, dnsmasq listens on all interfaces by default, and the firewall (here the REJECT/DROP input policy on the wan4 and wan6 zones) prevents access from networks/zones that should not have it.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
