LAN hosts use directly 10.64.0.1 that is advertised from the DHCP server.
Why would there be a leak to a different resolver?
Or do you mean that they use the IPv6 NS?
Yep, option dhcp_option applies to Dnsmasq only and overrides DHCP-option-6 for DHCPv4.
So, @tectonic should also use option dns which applies to odhcpd and overrides DHCP-option-6 for DHCPv6.
In this case it may be worth replacing Dnsmasq with odhcpd for both DHCPv4 and DHCPv6.
Note that pushing 3-rd party DNS-servers via DHCP-option-6 will effectively disable Adblock.
If you need Adblock, then you should use another method.
Thanks very much, @vgaetera and @trendy for your assistance. I think I'm beginning to make sense of this. From what you've said, do I understand correctly that my DNS leaks are as a result of resolvfile which defaults to /tmp/resolv.conf.auto when not specified explicitly, and that this gets created by the WAN DHCP client.
So, setting 'Ignore Resolve File' and specifying list dhcp_option '6,84.200.69.80,84.200.70.40' for guest-zone clients fixes the leak.
However, if I'm to use Stubby for DNS over TLS, then I have to accept leaks to (e.g.) Cloudflare for lan-zone clients. The only way to get around this is to have multiple dnsmasq instances whereby the guest-zone could use Stubby, but the lan-zone could use 10.64.0.1 (and ignore resolv.conf.auto).
I'll get the first version working (i.e. without Stubby) and then have a go at the separate dnsmasq instance...
I think, think it's working. I see no DNS leaks on lan-zone clients, but guest-zone clients are using DoT and DNSSEC. Adblock is working in both zones.
Critical review appreciated: if there's anything that jumps out as 'not right', or there is scope to improve/refine, I'd gladly welcome your feedback. Otherwise, I'll mark this as 'solved'.
Possible future extension: add a 'kidsafe' network with safe-search and filtering (e.g. with OpenDNS Family Shield and the safe-search package. Note to self: list addnhosts '/etc/safe-search/enabled')
Wired clients are seeing dns failures. For example, my HDHomerun Connect logs show "webclient error (dns failed)". Similarly, my Philips Hue Bridge (also wired) cannot connect to meethue. Curiously, whilst the Hue Bridge has an IP address of 192.168.1.119, https://www.meethue.com/api/nupnp reports an IP address of 10.10.10.249.
Somehow, the multiple dnsmasq instances has messed things up. I suspect list interface and list nointerface settings are incorrect, but I can't determine what it might be.
uci set firewall.adblock_dns_53.dest_ip="$(uci get network.lan.ipaddr)"
uci set firewall.adblock_dns_guest_53.dest_ip="$(uci get network.guest.ipaddr)"
uci commit firewall
service firewall restart
Test name resolution from client PC:
nslookup example.org
Verify iptables rules.
Check that PIDs on interfaces match runtime configurations for those interfaces.
Thanks, that's been applied and seems to have sorted my HDHomerun Connect; logs there are clean now.
The Philips Hue is also connecting to the Philips cloud service, but in order to resolve it, I had to remove option noresolv '1' from config dnsmasq 'main'. This means that devices are using the list of resolvers in resolv.conf.auto. I'm back to 'square one' with the DNS leaks. Here's what I'm seeing:
If I set option noresolv '0', then the Philips Hue loses connection to the Philips cloud service, and nslookup openwrt.org shows:
So, it seems that the Hue Bridge uses UDP exclusively, and, for whatever reason, using my VPN provider's public resolver (193.138.218.74) doesn't accept UDP connections.
Is there a way by which I can enforce the order such that 193.138.218.74 is always preferred, but, if that fails, a second resolver is queried?
nc -v -u -z -w 3 193.138.218.74 53
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif (null)
src 10.0.0.176 port 60952
dst 193.138.218.74 port 53
rank info not available
Connection to 193.138.218.74 port 53 [udp/domain] succeeded!
If dhcp.@dnsmasq[x].noresolv=1 then dnsmasq sends queries only to dhcp.@dnsmasq[x].server.
If you can't get response from dnsmasq, it means dnsmasq doesn't receive a response from those servers.
Troubleshooting from OpenWrt:
So, it looks like it's definitely peculiar to (Mullvad's) DNS resolver. It's only affecting my Philips Hue bridge, though. All other devices work fine.
Curiously, If I set dhcp.@dnsmasq[x].noresolv=1 and put DNS.watch addresses in dhcp.@dnsmasq[x].server, then the Hue Bridge connects fine. I wonder if ;; Truncated, retrying in TCP mode is significant? The Hue Bridge doesn't have TCP fallback (as far as I know), so whilst other client devices can fallback when UDP fails(?), the Hue device cannot.
How might I determine why 193.138.218.74 is reachable from client devices, but not the router?