[SOLVED] Dnsmasq serving clients but not router itself

I have a Raspberry Pi 3b+ with OpenWRT v24.10.4 r28959-29397011cc. It works mostly fine: clients can connect and have their DNS requests served (for example, running "nslookup example.com 192.168.1.1"). But the router itself can't get DNS requests resolved (for example, opkg update won't work, nslookup/ping won't resolve addresses, etc.). This doesn't look like the problem presented in this other thread: "Internet working on clients but not router itself and dns". Let me explain the scenario so we may get some hints of what the problem is:

At first it was set up to receive its connection from another router through its only ethernet port, and then serve clients via its wifi. It all worked fine with the automatic configuration of zones and firewall and some minor tweaks in other settings (it set a "lan" zone bridged to eth0, br-lan, and a "wan" zone described as "br-wan", which I think was also bridged to eth0), until I decided to connect directly to the modem, removing the intermediate router. The new working configuration bridged "lan" to phy0-ap0 and had "wan" directly on eth0. In "wan" I've unticked "use DNS from gateway" and added custom external DNS servers. With the old configuration, both clients and the router got DNS requests resolved; with the new one, only clients work. No changes to the firewall or other related settings were made when the zone configuration was changed to receive the modem directly on eth0.

Right now I'm relying on a workaround: editing /etc/resolv.conf and adding the external nameservers. This is obviously problematic and the file keeps getting reset from time to time, but it works.

My /etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/etc/dnsmasq.d'
        option filter_aaaa '1'
        list interface 'lan'
        list listen_address '127.0.0.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option force '1'
        list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
        option interface 'wan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config host
        option name '[redacted]'
        option ip '192.168.1.6'
        list mac '[redacted]'

config host
        option name '[redacted]'
        option ip '192.168.1.8'
        list mac '[redacted]'

My /etc/config/network:

config loopback
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '[redacted]::/48'
        option packet_steering '1'
        option steering_flows '128'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'phy0-ap0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        list dns_search 'wan'
        list dns '76.76.2.5'
        list dns '76.76.10.5'

config interface 'wan'
        option proto 'dhcp'
        option force_link '1'
        option hostname '*'
        option device 'eth0'
        option peerdns '0'
        list dns '76.76.2.5'
        list dns '76.76.10.5'

config device
        option name 'phy0-ap0'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

My /etc/config/firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option log '1'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'

Running "netstat -utpln | grep :53" doesn't list 127.0.0.1:53:

tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      3484/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           3484/dnsmasq

I also have a danted/sockd proxy running on the router. I've noticed that, when accessing this proxy, if dnsmasq had cached a domain's IP while /etc/resolv.conf was tweaked, then after resolv.conf was reset to its non-working version the proxy still served the cached domain correctly (albeit slowly), but not any domain that had never been accessed before.

I've tried stopping the sockd and bcp38 services (even though DNS worked in the old setup with both services running).

In the old setup I noticed that DNS was slow and sometimes intermittent (I had to reload pages on the client as it sometimes couldn't resolve).

I have tried setting the alternative DNS servers on "wan", on "lan", and now on both wan and lan (current config); this didn't work either.

I've forcibly added a "listen_address '127.0.0.1'" option to the dnsmasq config; it had no effect.

Some additional info:
ip -4 addr

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet [redacted].4/23 brd [redacted].255 scope global eth0
       valid_lft forever preferred_lft forever
16: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever

ip -4 ro li tab all

default via [redacted].1 dev eth0  src [redacted].4 
[redacted].0/23 dev eth0 scope link  src [redacted].4 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
local [redacted].4 dev eth0 table local scope host  src [redacted].4 
broadcast [redacted].255 dev eth0 table local scope link  src [redacted].4 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 

ip -4 ru

0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
lrwxrwxrwx    1 root     root            16 Oct 19 13:37 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Dec  1 14:00 /tmp/resolv.conf

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           129 Dec  1 14:00 resolv.conf.auto

Resolv.conf plain, without workaround of forcing external nameservers:

==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

Can you help me troubleshoot this? Thanks.

Is dnsmasq listening on the loopback addresses?

netstat -lnup | grep :53

Nope:

netstat -lnup | grep :53
udp 0 0 192.168.1.1:53 0.0.0.0:* 3484/dnsmasq

remove this line.

It makes no difference; I added it when the problem started, trying to force dnsmasq to listen on 127.0.0.1 (with no success).

Just a further additional note, when running nslookup in the router it gives me a strange "write" error:

nslookup example.com 127.0.0.1
nslookup: write to '127.0.0.1': Operation not permitted
;; connection timed out; no servers could be reached

You need to listen on interface lo or simply remove that line so it listens on all interfaces. The firewall will prevent DNS from being served on an interface you don't want it to. By default, the firewall blocks most input (incoming connections) from wan including DNS.

I don't know if the kernel allows a service to selectively bind to listen on multiple (but not all) interfaces without running multiple instances of the service. Thus the paradigm to use the firewall to control access.

This really is a place where moving away from the default configuration is not to your advantage.

You mean this line?
list interface 'lan'
Should I change it to ?
list interface 'lo lan'

You should not be offering dhcp service on the WAN. You want to be a dhcp client, not a server.

Sorry, my networking understanding is limited. The modem is connected to wan (i.e. eth0); isn't that needed for lan to get the modem's default gateway?

No, it usually looks like this:

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

You’ve missed the word interface between config and loopback.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

You likely have no loopback lo right now.


I've retested it without the "list interface 'lan'" line, as it was originally, but as expected the problem persists. When I changed the network equipment setup I didn't change anything in the DNS or firewall settings; DNS simply stopped working internally, which makes me suspect that some configuration was adequate when internet was served from an upstream router but not when it is served directly from the modem.

By the way, I've tried adding a firewall rule that accepts UDP from wan to the device on destination port 53 (I think this is a bad idea, but it was just for testing), but that also didn't work.

Nice! That solved the problem, thank you very much!

Good catch there. Without a loopback interface you can't loop back DNS and other services, which is essential for the OS to work at all. ping 127.0.0.1 must work.

In the dnsmasq config, remove listen_address as well. Make sure you have restarted dnsmasq, or perhaps reboot the whole router.

Then try a nslookup to 127.0.0.1 again.

