[SOLVED] No DNS on Guest Network when preventing DNS leaks

Nope; UDP is fine:

nc -v -u -z -w 3 193.138.218.74 53
found 0 associations
found 1 connections:
     1:	flags=82<CONNECTED,PREFERRED>
	outif (null)
	src 10.0.0.176 port 60952
	dst 193.138.218.74 port 53
	rank info not available

Connection to 193.138.218.74 port 53 [udp/domain] succeeded!

If dhcp.@dnsmasq[x].noresolv=1, then dnsmasq sends queries only to dhcp.@dnsmasq[x].server.
If you can't get a response from dnsmasq, it means dnsmasq doesn't receive a response from those servers.
Troubleshooting from OpenWrt:

nslookup example.org server_ip_address

Thanks, @vgaetera. Appreciate all the help you're giving me.

When run on my router, it returns this:

*** Can't find openwrt.org: No answer

When run on a client device, it returns:

;; Truncated, retrying in TCP mode
Server:		193.138.218.74
Address:	193.138.218.74#53

Non-authoritative answer:
Name:	openwrt.org
Address: 139.59.209.225

So, it looks like it's definitely peculiar to (Mullvad's) DNS resolver. It's only affecting my Philips Hue bridge, though. All other devices work fine.

Curiously, if I set dhcp.@dnsmasq[x].noresolv=1 and put DNS.watch addresses in dhcp.@dnsmasq[x].server, then the Hue Bridge connects fine. I wonder if ;; Truncated, retrying in TCP mode is significant? The Hue Bridge doesn't have TCP fallback (as far as I know), so whilst other client devices can fall back when UDP fails(?), the Hue device cannot.

How might I determine why 193.138.218.74 is reachable from client devices, but not the router?


We have an explanation! No lookups over UDP on Mullvad's DNS server:

Most likely it is because OpenWRT does not handle lookups over TCP.

ie:

root@meepmeep:/mullvad# nslookup mullvad.net 193.138.218.74
;; Truncated, retrying in TCP mode.
Server: 193.138.218.74
Address: 193.138.218.74#53

Non-authoritative answer:
Name: mullvad.net
Address: 46.166.138.241

Our public DNS server will reply to try over TCP, and most clients handle that well; it seems some routers (like OpenWRT) do not.

Marking as 'solved'


Yep, it truncates UDP-response with tc flag:

# dig @193.138.218.74 openwrt.org +ignore

; <<>> DiG 9.11.2-P1 <<>> @193.138.218.74 openwrt.org +ignore
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56106
;; flags: qr tc rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9b00f22b4f6988f6 (echoed)
;; QUESTION SECTION:
;openwrt.org.			IN	A

;; Query time: 19 msec
;; SERVER: 193.138.218.74#53(193.138.218.74)
;; WHEN: Wed Apr 10 12:12:00 MSK 2019
;; MSG SIZE  rcvd: 52
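The failure mode the thread arrives at (a UDP reply with the TC bit set and an empty answer, which the router's resolver and the Hue bridge never follow up over TCP) is easy to reproduce in a few lines. The script below is an added example, not code from the forum, OpenWrt or Mullvad: it builds a minimal A query, inspects the reply header for QR/TC, and retries over TCP with the RFC 1035 two-byte length prefix only when the reply is truncated, which is exactly the client behaviour dig and nslookup showed. The sample truncated reply is constructed to match the dig output above (id 56106, flags qr tc rd ra ad, ANSWER 0); the server address and the `resolve()` helper are only for live use.

```python
import socket
import struct

def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal DNS query: RD set, one question, no EDNS (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; TC is bit 9 of the flags word."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def needs_tcp_retry(reply: bytes) -> bool:
    """True when the server answered (QR) but flagged the UDP reply as truncated (TC)."""
    h = parse_header(reply)
    return h["qr"] and h["tc"]

def constructed_truncated_reply(qid: int = 56106) -> bytes:
    """Constructed sample modelled on the dig output: qr+tc+rd+ra+ad = 0x83A0, no answer RRs."""
    q = build_query("openwrt.org", qid)
    return q[:2] + struct.pack("!H", 0x83A0) + q[4:]

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS server closed the TCP stream early")
        buf += chunk
    return buf

def query_tcp(query: bytes, server: str, timeout: float = 3.0) -> bytes:
    """Same message over TCP, framed with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(t, 2))
        return _recv_exact(t, length)

def resolve(name: str, server: str, timeout: float = 3.0) -> tuple:
    """UDP first, TCP only on truncation; returns (raw reply, transport used). Live use only."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, 53))
        reply, _ = u.recvfrom(4096)
    if parse_header(reply)["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch")  # ignore stray/spoofed datagrams
    return (reply, "udp") if not needs_tcp_retry(reply) else (query_tcp(query, server, timeout), "tcp")
```

A resolver that stops at the first branch (returns the truncated UDP reply as final) reproduces the "No answer" seen on the router.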
