[SOLVED] NAT rules / Firewall rules / Zone assignment required for OpenWrt to query DNS and to forward client queries to upstream DNS servers

I'm relatively new to OpenWRT and I've spent a couple of weeks learning it, including compiling the image, creating VLAN subinterfaces on routed ports, setting up WireGuard, learning SQM, etc. I changed the default zone assignments while learning OpenWRT.

Last night I tried to replace my pfSense box with the OpenWRT box, and I realized that the OpenWRT box could not forward DNS queries to the DNS servers that I specified (8.8.8.8 and 8.8.4.4) on the Network > DHCP and DNS page. I am able to serve DHCP leases to the hosts behind OpenWRT. The leases contain the DNS server, which is the LAN IP of the OpenWRT box. I specified this as DHCP option 6 under the LAN interface. I can also serve the Search Domain from OpenWRT. However, DNS forwarding doesn't work, and neither can the OpenWRT box itself resolve a domain name (I tried to ping google.com from the OpenWRT shell and also to run nslookup from the shell without success).

Looking at the zone assignment, I don't see the OpenWRT itself being assigned to any zone, which makes me wonder how would a DNS query generated by the OpenWRT kernel be allowed to be sent out of the WAN interface. Also, I don't see a firewall rule that would allow the DNS reply to come back, although this may not be necessary, as the outgoing DNS request may be opening a pinhole that doesn't require an explicit firewall rule to allow the DNS replies to come back from DNS servers on the Internet.

If I serve an Internet-based DNS server IP directly to hosts on the LAN side via the dnsmasq DHCP server, I get DNS resolution working fine on LAN hosts, and I can browse any web site.

Could someone please help me get DNS forwarding working? I'm using the standard dnsmasq DNS and DHCP servers.

Thanks.

1 Like

Can you try an openwrt standard image? What happens if you use dhcp and get the dns server from your provider?

Remove it, OpenWrt advertises its own IP for DNS by default.

Post your configs redacting the private parts:

uci show network; uci show dhcp; uci show firewall; \
ip address show; ip route show; ip rule show; \
head -n -0 /etc/resolv.* /tmp/resolv.*; \
netstat -l -n -p | grep -e dnsmasq; pgrep -f -a dnsmasq
1 Like

Currently, the OpenWRT box is connected to my pfSense box (test environment) because when I tried to replace pfSense with OpenWRT, DNS resolution for LAN hosts wasn't working. So, you will see a private IP on eth0 from 192.168.200.0/24: it's a DHCP lease from my pfSense box, which contains pfSense's LAN IP (192.168.150.1) as the DNS server.

In this test environment, DNS resolution from the OpenWRT kernel doesn't work, and neither can a host connected to OpenWRT's LAN interface resolve DNS by sending DNS requests to OpenWRT's LAN interface (192.168.150.1). My test host is directly connected to OpenWRT's LAN interface (eth1) right now. The LAN host gets a DHCP lease from OpenWRT on 192.168.150.0/24. You will notice that I have a lot of VLAN subinterfaces configured under eth1. In my "production" environment, there's a VLAN-capable L3 switch connected to the LAN interface of the pfSense firewall, so the L3 connection between the switch and the pfSense LAN interface is on subnet 192.168.150.0/24. Therefore, in "production" there are no hosts on 192.168.150.0 and so DHCP is not enabled in pfSense on this subnet.

I'm configuring OpenWRT as a drop-in replacement for the pfSense box, but for now I'm trying to simplify the test environment, so I connected a host directly to OpenWRT's LAN interface (eth1) and enabled DHCP on this interface to simulate a simple flat LAN (by eliminating the L3 switch), just to make sure that I can get DNS resolution working for hosts on a flat LAN behind OpenWRT before I change to a more complex "production" LAN design.

When I connected the OpenWRT box's interface eth0 directly to the cable modem the other day, interface eth0 (WAN) on OpenWRT received a DHCP lease from my ISP, but the DNS resolution behavior was exactly the same as it is now: OpenWRT's kernel couldn't resolve DNS and neither could hosts on the LAN.

One thing I noticed in the output below is that the file resolv.conf lists the loopback (127.0.0.1) as the nameserver. This setting doesn't change whether I check or uncheck "Use DNS servers advertised by peer" under the OpenWRT WAN interface. So, I don't know if this is why DNS resolution is not working. Please take a look at it. The DNS IP served by pfSense to OpenWRT right now is 192.168.150.1 (the LAN interface IP on pfSense). When I created the output below, the OpenWRT box also had 192.168.150.1 on its LAN interface (because I'm trying to build a drop-in replacement router for my pfSense box). When I noticed it, I changed the LAN IP on the OpenWRT box from 192.168.150.1 to 192.168.150.2 and re-issued a DHCP lease to my test host connected to the LAN port on OpenWRT, but DNS resolution from the test host still didn't work, and the resolv.conf file still had *nameserver 127.0.0.1*.

Thank you.

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd73:37xx:xxxx::/48'
network.globals.packet_steering='1'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wan.hostname='*'
network.wan.macaddr='xx:xx:xx:xx:xx:xx'
network.lan=interface
network.lan.ifname='eth1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.150.1'
network.MRA=interface
network.MRA.proto='static'
network.MRA.ifname='eth1.220'
network.MRA.netmask='255.255.255.0'
network.MRA.type='bridge'
network.MRA.ipaddr='192.168.220.1'
network.COLLAB_LAB_PH1=interface
network.COLLAB_LAB_PH1.proto='static'
network.COLLAB_LAB_PH1.type='bridge'
network.COLLAB_LAB_PH1.ifname='eth1.240'
network.COLLAB_LAB_PH1.netmask='255.255.255.0'
network.COLLAB_LAB_PH1.ipaddr='192.168.240.1'
network.VOICE_HOME=interface
network.VOICE_HOME.proto='static'
network.VOICE_HOME.type='bridge'
network.VOICE_HOME.ifname='eth1.250'
network.VOICE_HOME.netmask='255.255.255.0'
network.VOICE_HOME.ipaddr='192.168.250.1'
network.UniFi_MGMT=interface
network.UniFi_MGMT.proto='static'
network.UniFi_MGMT.type='bridge'
network.UniFi_MGMT.ifname='eth1.2'
network.UniFi_MGMT.netmask='255.255.255.0'
network.UniFi_MGMT.ipaddr='192.168.2.1'
network.MIDI=interface
network.MIDI.proto='static'
network.MIDI.type='bridge'
network.MIDI.ifname='eth1.255'
network.MIDI.netmask='255.255.255.0'
network.MIDI.ipaddr='192.168.255.1'
network.@route[0]=route
network.@route[0].target='172.18.224.0'
network.@route[0].netmask='255.255.255.0'
network.@route[0].gateway='192.168.150.254'
network.@route[0].interface='lan'
network.@route[1]=route
network.@route[1].interface='lan'
network.@route[1].target='172.19.224.0/24'
network.@route[1].netmask='255.255.255.0'
network.@route[1].gateway='192.168.150.254'
network.@route[2]=route
network.@route[2].interface='lan'
network.@route[2].target='10.100.100.0'
network.@route[2].netmask='255.255.255.0'
network.@route[2].gateway='192.168.150.254'
network.@route[3]=route
network.@route[3].interface='lan'
network.@route[3].target='10.46.3.0'
network.@route[3].netmask='255.255.255.0'
network.@route[3].gateway='192.168.150.254'
network.UniFi_CFG=interface
network.UniFi_CFG.proto='static'
network.UniFi_CFG.type='bridge'
network.UniFi_CFG.ifname='eth1.1'
network.UniFi_CFG.ipaddr='192.168.2.1'
network.UniFi_CFG.netmask='255.255.255.0'
network.DATA_HOME=interface
network.DATA_HOME.proto='static'
network.DATA_HOME.type='bridge'
network.DATA_HOME.ifname='eth1.200'
network.DATA_HOME.ipaddr='192.168.200.1'
network.DATA_HOME.netmask='255.255.255.0'
network.DATA_HOME.dns='192.168.150.1'
network.COLLAB_LAB_PH2=interface
network.COLLAB_LAB_PH2.proto='static'
network.COLLAB_LAB_PH2.ifname='eth1.241'
network.COLLAB_LAB_PH2.type='bridge'
network.COLLAB_LAB_PH2.ipaddr='192.168.241.1'
network.COLLAB_LAB_PH2.netmask='255.255.255.0'
network.WG=interface
network.WG.proto='wireguard'
network.WG.addresses='10.0.0.1/32'
network.WG.private_key='xxxxxxxx'
network.WG.listen_port='59575'
network.@wireguard_WG[0]=wireguard_WG
network.@wireguard_WG[0].description='MacBook Pro'
network.@wireguard_WG[0].public_key='xxxxxxxxx'
network.@wireguard_WG[0].route_allowed_ips='1'
network.@wireguard_WG[0].persistent_keepalive='25'
network.@wireguard_WG[0].allowed_ips='10.0.0.2/32'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].domain='xxxxxxx'
dhcp.@dnsmasq[0].server='8.8.8.8'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcp_option='6,192.168.150.1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].forward='ACCEPT'
firewall.@defaults[0].flow_offloading='1'
firewall.@zone[0]=zone
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].name='inside'
firewall.@zone[0].network='DATA_HOME MIDI VOICE_HOME WG lan'
firewall.@zone[1]=zone
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].name='outside'
firewall.@zone[1].network='wan6 wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[0].src='outside'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].src='outside'
firewall.@rule[1].enabled='0'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].src='outside'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].src='outside'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[4].src='outside'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].src='outside'
firewall.@rule[5].enabled='0'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].src='outside'
firewall.@rule[6].enabled='0'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].dest='inside'
firewall.@rule[7].src='outside'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].dest='inside'
firewall.@rule[8].src='outside'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].src='outside'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='dmz_mra'
firewall.@zone[2].network='MRA'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[3]=zone
firewall.@zone[3].name='collab'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='ACCEPT'
firewall.@zone[3].network='COLLAB_LAB_PH1 COLLAB_LAB_PH2'
firewall.@zone[4]=zone
firewall.@zone[4].input='ACCEPT'
firewall.@zone[4].output='ACCEPT'
firewall.@zone[4].forward='REJECT'
firewall.@zone[4].name='UniFi_mgmt'
firewall.@zone[4].network='UniFi_MGMT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='inside'
firewall.@forwarding[0].dest='outside'
firewall.@zone[5]=zone
firewall.@zone[5].input='ACCEPT'
firewall.@zone[5].output='ACCEPT'
firewall.@zone[5].forward='REJECT'
firewall.@zone[5].name='UniFi_cfg'
firewall.@zone[5].network='UniFi_CFG'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='UniFi_mgmt'
firewall.@forwarding[1].dest='inside'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='inside'
firewall.@forwarding[2].dest='UniFi_mgmt'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='UniFi_cfg'
firewall.@forwarding[3].dest='inside'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].src='inside'
firewall.@forwarding[4].dest='UniFi_cfg'
firewall.@forwarding[5]=forwarding
firewall.@forwarding[5].src='collab'
firewall.@forwarding[5].dest='inside'
firewall.@forwarding[6]=forwarding
firewall.@forwarding[6].src='inside'
firewall.@forwarding[6].dest='collab'
firewall.@forwarding[7]=forwarding
firewall.@forwarding[7].src='outside'
firewall.@forwarding[7].dest='UniFi_mgmt'
firewall.@forwarding[8]=forwarding
firewall.@forwarding[8].src='outside'
firewall.@forwarding[8].dest='dmz_mra'
firewall.@forwarding[9]=forwarding
firewall.@forwarding[9].src='outside'
firewall.@forwarding[9].dest='inside'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    link/ether 00:01:c0:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.232/24 brd 192.168.200.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::201:c0ff:fexx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether d0:37:45:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.150.1/24 brd 192.168.150.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fd73:79xx:xxxx::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::d237:45xx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether dc:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
10: br-DATA_HOME: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.1/24 brd 192.168.200.255 scope global br-DATA_HOME
       valid_lft forever preferred_lft forever
    inet6 fe80::d2xx:xxxx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
12: eth1.200@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-DATA_HOME state UP group default qlen 1000
    link/ether d0:37:45:xx:xx:xx brd ff:ff:ff:ff:ff:ff
13: br-MIDI: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d0:37:45:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.255.1/24 brd 192.168.255.255 scope global br-MIDI
       valid_lft forever preferred_lft forever
    inet6 fe80::d237:xxxx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
14: eth1.255@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-MIDI state UP group default qlen 1000
    link/ether d0:37:45:xx:xx:xx brd ff:ff:ff:ff:ff:ff
15: br-MRA: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d0:37:45:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.220.1/24 brd 192.168.220.255 scope global br-MRA
       valid_lft forever preferred_lft forever
    inet6 fe80::d237:xxxx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
16: eth1.220@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-MRA state UP group default qlen 1000
    link/ether d0:37:45:xx:xx:xx brd ff:ff:ff:ff:ff:ff
18: br-UniFi_CFG: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d0:37:45:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-UniFi_CFG
       valid_lft forever preferred_lft forever
    inet6 fe80::d2xx:xxxx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
19: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-UniFi_CFG state UP group default qlen 1000
    link/ether d0:37:45:xx:xx:xx brd ff:ff:ff:ff:ff:ff
20: br-UniFi_MGMT: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d0:37:45:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-UniFi_MGMT
       valid_lft forever preferred_lft forever
    inet6 fe80::d2xx:xxxx:xxxx:xxxx64 scope link 
       valid_lft forever preferred_lft forever
21: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-UniFi_MGMT state UP group default qlen 1000
    link/ether d0:37:45:xx:xx:xx brd ff:ff:ff:ff:ff:ff
23: br-VOICE_HOME: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d0:37:45:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.250.1/24 brd 192.168.250.255 scope global br-VOICE_HOME
       valid_lft forever preferred_lft forever
    inet6 fe80::d237:45xx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
24: eth1.250@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-VOICE_HOME state UP group default qlen 1000
    link/ether d0:37:45:xx:xx:xx brd ff:ff:ff:ff:ff:ff
26: WG: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.0.1/32 brd 255.255.255.255 scope global WG
       valid_lft forever preferred_lft forever
29: ifb4eth0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN group default qlen 32
    link/ether 36:89:5d:71:2d:47 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3489:5dff:fe71:2d47/64 scope link 
       valid_lft forever preferred_lft forever
default via 192.168.200.254 dev eth0 proto static src 192.168.200.232 
10.0.0.2 dev WG proto static scope link 
10.46.3.0/24 via 192.168.150.254 dev eth1 proto static 
10.100.100.0/24 via 192.168.150.254 dev eth1 proto static 
172.18.224.0/24 via 192.168.150.254 dev eth1 proto static 
172.19.224.0/24 via 192.168.150.254 dev eth1 proto static 
192.168.2.0/24 dev br-UniFi_CFG proto kernel scope link src 192.168.2.1 
192.168.2.0/24 dev br-UniFi_MGMT proto kernel scope link src 192.168.2.1 
192.168.150.0/24 dev eth1 proto kernel scope link src 192.168.150.1 
192.168.200.0/24 dev br-DATA_HOME proto kernel scope link src 192.168.200.1 
192.168.200.0/24 dev eth0 proto kernel scope link src 192.168.200.232 
192.168.220.0/24 dev br-MRA proto kernel scope link src 192.168.220.1 
192.168.250.0/24 dev br-VOICE_HOME proto kernel scope link src 192.168.250.1 
192.168.255.0/24 dev br-MIDI proto kernel scope link src 192.168.255.1 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
==> /etc/resolv.conf <==
search mydomain.com
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search mydomain.com
nameserver 127.0.0.1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      11770/dnsmasq
tcp        0      0 192.168.200.232:53      0.0.0.0:*               LISTEN      11770/dnsmasq
tcp        0      0 192.168.150.1:53        0.0.0.0:*               LISTEN      11770/dnsmasq
tcp        0      0 192.168.200.1:53        0.0.0.0:*               LISTEN      11770/dnsmasq
tcp        0      0 192.168.255.1:53        0.0.0.0:*               LISTEN      11770/dnsmasq
tcp        0      0 192.168.220.1:53        0.0.0.0:*               LISTEN      11770/dnsmasq
tcp        0      0 192.168.2.1:53          0.0.0.0:*               LISTEN      11770/dnsmasq
tcp        0      0 192.168.250.1:53        0.0.0.0:*               LISTEN      11770/dnsmasq
tcp        0      0 10.0.0.1:53             0.0.0.0:*               LISTEN      11770/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      11770/dnsmasq
tcp        0      0 fe80::201:c0ff:fe19:99e7:53 :::*                    LISTEN      11770/dnsmasq
tcp        0      0 fd73:37xx:xxxx::1:53    :::*                    LISTEN      11770/dnsmasq
tcp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                    LISTEN      11770/dnsmasq
tcp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                    LISTEN      11770/dnsmasq
tcp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                    LISTEN      11770/dnsmasq
tcp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                    LISTEN      11770/dnsmasq
tcp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                    LISTEN      11770/dnsmasq
tcp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                    LISTEN      11770/dnsmasq
tcp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                    LISTEN      11770/dnsmasq
tcp        0      0 fe80::3489:5dff:fe71:2d47:53 :::*                    LISTEN      11770/dnsmasq
udp        0      0 0.0.0.0:19575           0.0.0.0:*                           11770/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           11770/dnsmasq
udp        0      0 192.168.200.232:53      0.0.0.0:*                           11770/dnsmasq
udp        0      0 192.168.150.1:53        0.0.0.0:*                           11770/dnsmasq
udp        0      0 192.168.200.1:53        0.0.0.0:*                           11770/dnsmasq
udp        0      0 192.168.255.1:53        0.0.0.0:*                           11770/dnsmasq
udp        0      0 192.168.220.1:53        0.0.0.0:*                           11770/dnsmasq
udp        0      0 192.168.2.1:53          0.0.0.0:*                           11770/dnsmasq
udp        0      0 192.168.250.1:53        0.0.0.0:*                           11770/dnsmasq
udp        0      0 10.0.0.1:53             0.0.0.0:*                           11770/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           11770/dnsmasq
udp        0      0 0.0.0.0:29215           0.0.0.0:*                           11770/dnsmasq
udp        0      0 ::1:53                  :::*                                11770/dnsmasq
udp        0      0 fe80::201:c0ff:fe19:99e7:53 :::*                                11770/dnsmasq
udp        0      0 fd73:37xx:xxxx::1:53    :::*                                11770/dnsmasq
udp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                                11770/dnsmasq
udp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                                11770/dnsmasq
udp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                                11770/dnsmasq
udp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                                11770/dnsmasq
udp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                                11770/dnsmasq
udp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                                11770/dnsmasq
udp        0      0 fe80::d237:45xx:xxxx:xxxx:53 :::*                                11770/dnsmasq
udp        0      0 fe80::3489:5dff:fe71:2d47:53 :::*                                11770/dnsmasq
11770 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid

1 Like

Remove incorrect and redundant settings:

uci -q delete dhcp.@dnsmasq[0].server
uci -q delete dhcp.lan.dhcp_option
uci commit dhcp
/etc/init.d/dnsmasq restart
uci -q delete network.DATA_HOME.dns
uci commit network
/etc/init.d/network restart

Make sure to reconnect your clients to apply changes.

And configure an upstream DNS provider:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

If the issue persists, post the updated diagnostics:

uci show network; uci show dhcp; \
head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
nslookup openwrt.org 8.8.8.8; \
nslookup openwrt.org localhost; \
nslookup openwrt.org
2 Likes

I can’t try the standard image because I’m running OpenWRT on a Raspberry Pi 4B, which has no standard image available yet.

If I serve hosts on the LAN an ISP DNS server IP or even Google DNS IPs, the hosts on the LAN can resolve DNS fine.

uci -q delete dhcp.@dnsmasq[0].server
uci -q delete dhcp.lan.dhcp_option
uci commit dhcp
/etc/init.d/dnsmasq restart
uci -q delete network.DATA_HOME.dns
uci commit network
/etc/init.d/network restart

This Worked!

So, what was causing the problem?

Can I not forward DNS requests from network hosts to the DNS servers specified in Luci > Network > DHCP and DNS?

Can I not send DHCP Option 6 as the DNS server IP instead of having DNS server IP automatically set to the OpenWRT interface IP on that subnet?

The network DATA_HOME had its DNS server manually set to 192.168.150.1. This was a remnant of my initial learning of OpenWRT, when OpenWRT was connected to my "production" LAN with its LAN interface. So, perhaps this was causing the problem? Not sure how, though, because DATA_HOME was not being used anymore.

I need to look further into this. It may be a bug.

1 Like

I believe this is the root cause, resulting in looping.

The proper way of using this feature is together with option noresolv and optionally localuse.

It's possible to use it with an external DNS, but it should be used carefully with your own interfaces because of the option localservice.
Also, in the general case, it requires configuring DHCP options for both dnsmasq and odhcpd.
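The three settings the replies above say to remove (the interface `dns` pointing back at the router, the `server` entry without `noresolv`, and DHCP option 6 repeating the router's own address), plus the zone and forwarding sections from the `uci show` dump posted earlier, can be checked mechanically. The following Python script is an added example and is not code from this thread or from the OpenWrt project; its sample input is a constructed excerpt of the posted dump, and the finding codes (`self-forwarding-loop`, `server-without-noresolv`, `redundant-option6`, `wan-initiated-forwarding`) are names chosen here. The last check is not discussed in the thread: it flags forwarding sections whose source is the masquerading zone, because `wan6` sits in that same zone and IPv6 LAN addresses are not hidden by NAT.

```python
import re

# Constructed sample: lines copied from the `uci show` dump posted above, cut down to
# the three settings the replies say to remove plus the zone and forwarding sections.
SAMPLE_UCI = """\
network.lan=interface
network.lan.ipaddr='192.168.150.1'
network.DATA_HOME=interface
network.DATA_HOME.ipaddr='192.168.200.1'
network.DATA_HOME.dns='192.168.150.1'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].server='8.8.8.8'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.dhcp_option='6,192.168.150.1'
firewall.@zone[1]=zone
firewall.@zone[1].name='outside'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='wan6 wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='inside'
firewall.@forwarding[0].dest='outside'
firewall.@forwarding[9]=forwarding
firewall.@forwarding[9].src='outside'
firewall.@forwarding[9].dest='inside'
"""

# The same dump after the three `uci -q delete` commands from the reply, with the
# outside->inside forwarding section dropped as well.
FIXED_UCI = "\n".join(
    l for l in SAMPLE_UCI.splitlines()
    if not l.startswith(("network.DATA_HOME.dns=", "dhcp.@dnsmasq[0].server=",
                         "dhcp.lan.dhcp_option=", "firewall.@forwarding[9]")))

_LINE = re.compile(r"^([^=]+)=(.*)$")
_QUOTED = re.compile(r"'([^']*)'")


def parse_uci(text):
    """`uci show` lines -> dict. Section lines (network.lan=interface) map to the type
    as a str; option lines map to a list, so list options keep every quoted value."""
    cfg = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            vals = _QUOTED.findall(m.group(2))
            cfg[m.group(1)] = vals if vals else m.group(2)
    return cfg


def _sections(cfg, prefix, typ):
    """Section names of one type, e.g. ('dhcp', 'dnsmasq') -> ['@dnsmasq[0]']."""
    return [k.split(".", 1)[1] for k, v in cfg.items()
            if v == typ and k.startswith(prefix + ".")]


def _opt(cfg, key, default=""):
    v = cfg.get(key)
    return v[0] if isinstance(v, list) else default


def lint_dns(cfg):
    """Findings for the DNS misconfigurations discussed in this thread."""
    out = []
    own_ips = {_opt(cfg, f"network.{s}.ipaddr").split("/")[0]: s
               for s in _sections(cfg, "network", "interface")}
    own_ips.pop("", None)
    # 1. 'server' without noresolv: dnsmasq still uses the resolvfile upstreams too.
    for s in _sections(cfg, "dhcp", "dnsmasq"):
        if f"dhcp.{s}.server" in cfg and _opt(cfg, f"dhcp.{s}.noresolv") != "1":
            out.append(("server-without-noresolv", f"dhcp.{s}.server",
                        "set noresolv='1' (and localuse='1' if the router itself "
                        "should resolve through dnsmasq)"))
    # 2. interface dns pointing at the router itself: netifd writes it to
    #    resolv.conf.auto, so dnsmasq forwards queries back to itself (a loop).
    for s in _sections(cfg, "network", "interface"):
        for ip in cfg.get(f"network.{s}.dns", []):
            if ip in own_ips:
                out.append(("self-forwarding-loop", f"network.{s}.dns",
                            f"{ip} is this router's own '{own_ips[ip]}' address"))
    # 3. DHCP option 6 handing out the address dnsmasq advertises by default anyway.
    for s in _sections(cfg, "dhcp", "dhcp"):
        iface = _opt(cfg, f"dhcp.{s}.interface")
        own = _opt(cfg, f"network.{iface}.ipaddr").split("/")[0]
        for o in cfg.get(f"dhcp.{s}.dhcp_option", []):
            if o.startswith("6,") and own and own in o.split(",")[1:]:
                out.append(("redundant-option6", f"dhcp.{s}.dhcp_option",
                            f"option 6 repeats {own}, the default advertised by OpenWrt"))
    return out


def lint_forwarding(cfg):
    """Forwarding sections that let the masquerading (WAN-facing) zone initiate traffic
    into another zone; NAT hides IPv4 LAN hosts, but IPv6 addresses are routable."""
    out = []
    masq = {_opt(cfg, f"firewall.{s}.name", s) for s in _sections(cfg, "firewall", "zone")
            if _opt(cfg, f"firewall.{s}.masq") == "1"}
    for s in _sections(cfg, "firewall", "forwarding"):
        src, dst = _opt(cfg, f"firewall.{s}.src"), _opt(cfg, f"firewall.{s}.dest")
        if src in masq:
            out.append(("wan-initiated-forwarding", f"firewall.{s}",
                        f"zone '{src}' may open connections into '{dst}'"))
    return out


def lint(text):
    cfg = parse_uci(text)
    return lint_dns(cfg) + lint_forwarding(cfg)


if __name__ == "__main__":
    for code, key, msg in lint(SAMPLE_UCI):
        print(f"{code:26} {key}: {msg}")
    print("after fix:", lint(FIXED_UCI))
```

On a real box the input would be `uci show network; uci show dhcp; uci show firewall` piped into the script; on the constructed sample it reports all four findings, and on `FIXED_UCI` it reports none.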

@vgaetera
So, my problem is not completely solved. I'm now having some sort of intermittent DNS resolution. After I reboot OpenWRT (running on Raspberry Pi 4B), OpenWRT itself can resolve DNS, but after a few minutes, the DNS resolution no longer works. The same happens to the test host connected to OpenWRT's LAN interface (eth1).

I've now configured this:

uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="8.8.8.8"
uci add_list dhcp.@dnsmasq[0].server="8.8.4.4"
uci commit dhcp
/etc/init.d/dnsmasq restart

uci set dhcp.@dnsmasq[0].noresolv="1"
uci commit dhcp
/etc/init.d/dnsmasq restart

uci set dhcp.@dnsmasq[0].localuse="1"
uci commit dhcp
/etc/init.d/dnsmasq restart

After I reboot the Raspberry Pi, I can resolve DNS queries:

nslookup google.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      google.com
Address 1: 142.250.9.139
Address 2: 142.250.9.100
Address 3: 142.250.9.113
Address 4: 142.250.9.102
Address 5: 142.250.9.101
Address 6: 142.250.9.138
Address 7: 2607:f8b0:4002:c02::66
Address 8: 2607:f8b0:4002:c02::8a
Address 9: 2607:f8b0:4002:c02::8b
Address 10: 2607:f8b0:4002:c02::65

But then, in a few minutes, DNS resolution stops working.

root@firewall:~# uptime
 22:13:05 up 22 min,  load average: 0.00, 0.00, 0.00

root@firewall:~# nslookup google.com
;; connection timed out; no servers could be reached

And at the same time, the host connected to OpenWRT's LAN interface can no longer resolve DNS.

P.S. I've just discovered that the problem is not just with DNS but with routing to the next hop. I can't even ping a Google IP once my DNS resolution stops working:

ping 142.250.9.139
PING 142.250.9.139 (142.250.9.139): 56 data bytes
^C
--- 142.250.9.139 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
1 Like

I think I may have found the problem. Like I mentioned in my first post, I was making a drop-in OpenWRT replacement for my pfSense box. Hence, I was using the same VLAN subinterfaces on the LAN port of OpenWRT (eth1) as I have on the LAN port of pfSense. Because OpenWRT is currently connected to the upstream LAN switch with its WAN interface, interface eth0 (WAN) on OpenWRT gets its DHCP lease from pfSense from the DHCP scope on VLAN200 (that's my native VLAN on the LAN switch ports). So, to send a DNS request to the upstream DNS server (192.168.150.1 - pfSense LAN IP), OpenWRT has to send that request to its default gateway on 192.168.200.0/24, which is 192.168.200.254 - the SVI (aka VLAN interface) on the L3 switch.

After a reboot, OpenWRT has no problems sending its traffic destined for other IP networks to its default gateway on 192.168.200.0/24 out of its WAN interface (eth0). But, after some time (definitely less than 22 minutes), OpenWRT realizes that it has its own VLAN subinterface on 192.168.200.0/24 (and that subinterface is listed as UP), so I believe OpenWRT decides that to send traffic to its default gateway, it should use its own interface on subnet 192.168.200.0/24, which is interface eth1.200. If that is what happens, that traffic is black-holed.

So, I disabled interface eth1.200 in OpenWRT, and DNS resolution started working immediately.

config interface 'DATA_HOME'
	option proto 'static'
	option type 'bridge'
	option ifname 'eth1.200'
	option ipaddr '192.168.200.1'
	option netmask '255.255.255.0'
	option force_link '0'
	option auto '0'

and now DNS resolution and other traffic destined for networks located upstream from the L3 switch seem to be working fine. I will give it a few hours, and I think OpenWRT is ready to go in "production"!

Thanks again.

1 Like
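The black hole described in the last post follows directly from the `ip route show` output posted earlier: 192.168.200.0/24 is a connected route on both eth0 (the DHCP lease from pfSense) and br-DATA_HOME, so the default gateway 192.168.200.254 matches two equal-length routes, and nothing in the configuration decides which device the kernel picks. The script below is an added example, not code from the poster or from OpenWrt: it parses `ip route show` text (a constructed excerpt of the posted table), lists prefixes connected on more than one device, and reports every device through which the default gateway is reachable, flagging any that is not the default route's own device.

```python
import ipaddress

# Constructed sample: the `ip route show` output posted earlier in this thread,
# trimmed to the default route and a few connected/static routes.
SAMPLE_ROUTES = """\
default via 192.168.200.254 dev eth0 proto static src 192.168.200.232
10.0.0.2 dev WG proto static scope link
10.46.3.0/24 via 192.168.150.254 dev eth1 proto static
192.168.150.0/24 dev eth1 proto kernel scope link src 192.168.150.1
192.168.200.0/24 dev br-DATA_HOME proto kernel scope link src 192.168.200.1
192.168.200.0/24 dev eth0 proto kernel scope link src 192.168.200.232
192.168.220.0/24 dev br-MRA proto kernel scope link src 192.168.220.1
"""

# The table after eth1.200 / DATA_HOME is disabled, as in the final post.
FIXED_ROUTES = "\n".join(l for l in SAMPLE_ROUTES.splitlines() if "br-DATA_HOME" not in l)


def parse_routes(text):
    """One dict per route: prefix (ip_network), via (ip_address or None), dev (str)."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        try:
            net = ipaddress.ip_network(dst if "/" in dst else dst + "/32", strict=False)
        except ValueError:  # 'unreachable', 'blackhole' and similar route types
            continue
        r = {"prefix": net, "via": None, "dev": None}
        for i in range(1, len(toks) - 1):
            if toks[i] == "via":
                r["via"] = ipaddress.ip_address(toks[i + 1])
            elif toks[i] == "dev":
                r["dev"] = toks[i + 1]
        routes.append(r)
    return routes


def duplicate_connected_prefixes(routes):
    """Prefixes that are directly connected (no 'via') on more than one device."""
    devs = {}
    for r in routes:
        if r["via"] is None and r["dev"]:
            devs.setdefault(r["prefix"], []).append(r["dev"])
    return {str(p): d for p, d in devs.items() if len(d) > 1}


def gateway_egress_candidates(routes):
    """(default route device, devices whose longest-matching connected route covers
    the gateway). More than one candidate means the kernel's choice is not under the
    configuration's control, and a device that cannot reach the gateway drops everything."""
    default = next((r for r in routes if r["prefix"].prefixlen == 0 and r["via"]), None)
    if default is None:
        return None, []
    gw, best, candidates = default["via"], -1, []
    for r in routes:
        if r["via"] is None and gw in r["prefix"]:
            if r["prefix"].prefixlen > best:
                best, candidates = r["prefix"].prefixlen, [r["dev"]]
            elif r["prefix"].prefixlen == best:
                candidates.append(r["dev"])
    return default["dev"], candidates


def diagnose(text):
    routes = parse_routes(text)
    default_dev, cands = gateway_egress_candidates(routes)
    return {
        "duplicates": duplicate_connected_prefixes(routes),
        "default_dev": default_dev,
        "gateway_via": cands,
        "black_hole_risk": [d for d in cands if d != default_dev],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_ROUTES))
    print(diagnose(FIXED_ROUTES))
```

On the posted table this reports 192.168.200.0/24 on both br-DATA_HOME and eth0 and lists br-DATA_HOME as a black-hole risk for the gateway; after the DATA_HOME interface is disabled, as in the final post, only eth0 remains.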