[Solved] Strange DNS entry returned by DHCP

Hello team.
With my Cudy x6, I am setting up dhcp on openwrt to return a custom DNS IP (pi-hole). However, it always returns the first DNS IP as 8.8.8.8 (which isn't configured anywhere in openwrt nor on the upstream router).
On my android phone, I can see the second DNS IP returned as one of the IPs I configured under DHCP option 6. However, on my windows machine, only one DNS appears (which is 8.8.8.8).

I wonder where this 8.8.8.8 comes from!!
I can see 8.8.8.8 appears in the following file:
/etc/config/mwan3 (line says "list track_ip '8.8.8.8' ")
But I don't think this is relevant, as I am using "wan" and not "mwan3" as my wan interface.
My DNS entries under lan interface where I am adding two option 6 entries:

Hope to hear some ideas of why this would possibly happen. Is it a bug or am I missing something?

I assume that you have already restarted your Windows PC and it takes an IP address from the DHCP pool (or has it been configured with static IPs)?

have you already checked?

or you can do a targeted search and find the files of interest
(if it appears in other files):

find /etc/ -type f | xargs grep "8.8.8.8"

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/dhcp

Run the extended test and post the results.

And that is not how to designate a pi-hole as the dns server; just put in the ip address.
e.g.
dns

Hi.
I searched on 8.8.8.8 using command "grep -r /etc/"

Below is output you requested. Notice that:

  • In the output there are 1.1.1.1 and 1.1.1.3 as DNS IP addresses. Those are not appearing in my clients when taking from DHCP. I have 8.8.8.8 (unknown reason why it is there). Also, on my phone I have the first IP I configured in DHCP option 6.
  • I am using a lan GW that is not in the same subnet as my lan. My lan IP is 192.168.3.1/24 while GW is 192.168.2.1/24. At the beginning GW was in the same subnet, then I removed it, but when I wanted to configure it back it says GW can't be of the same subnet (which is strange! as I was previously part of the same subnet.)
root@CudyX6:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "CudyX6",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "CUDY X6 v2",
        "board_name": "cudy,x6-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@CudyX6:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fde0:13ce:7a38::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'
        list dns '1.1.1.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option type 'bridge'
        option peerdns '0'
        list dns '1.1.1.3'

root@CudyX6:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Not pointing to your Pi-hole

Remove the gateway from below. And the dns entry here doesn’t do anything.

Remove the bridge line from your wan interface. The dns address specified here will be used unless the dhcp file specifies something else.

The dhcp file didn’t get copied over. Please get that one.

It is not. Neither to 1.1.1.1 :smiley:

So, force it under interfaces->lan->edit->advanced->Use Custom DNS Servers.

I used this option as well with no hope.
After some reading, it seems when I try to use "Use custom DNS servers", this is how to configure DNS for openwrt itself, not for the DHCP pool.
If I want to make the DHCP pool advertise DNS in its leases, I need to use DHCP option 6 as I want end clients to use pi-hole, not pi-hole itself.
Correct me if I am mistaken.

You can set the pihole as the system resolver and/or use dhcp option 6 to advertise it to the client hosts.


You want pi-hole to use itself so it can upgrade gravity and do updates on Raspberry OS.

And disable 'Use DNS servers advertised by peer' on the WAN side.

already disabled.

If you have added the address to 'Use custom DNS servers' reboot and try again.

cat /etc/config/dhcp
  • Sorry for missing the DHCP config. Here it is below.
  • How to disable bridge on WAN? I see no option like that in the GUI.
root@CudyX6:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'hybrid'
        option ra 'hybrid'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.3.201,192.168.3.222'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        list dhcp_option '6,192.168.3.222,192.168.3.201'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Remove the last line, and replace it with option ignore ‘1’

The lan is set properly to advertise 192.168.3.222 and .201 as the dns servers. Clients will likely use these, but are not mandated to do so.

sigh

DHCP will advertise the router address and the router will forward to the custom DNS.

Been using OpenWrt since 2016 and Pi-hole for at least 5 years.

But I'm out. Luck.

Thanks. I did as per your advice. However, I am still getting ONLY 8.8.8.8 in windows and on my mobile I have DNS1 as 8.8.8.8 and DNS2 as 192.168.3.222 (which is the first pi-hole I configured).

I am still unaware how 8.8.8.8 came into the picture (which isn't configured anywhere, neither on my openwrt nor on my upstream ISP router!!)

Don't give up yet :slight_smile: it is nice when it is challenging :smiley:
My point is where 8.8.8.8 has come from!! This is the first thing we need to isolate.
Because I already receive the second DNS correctly as per openwrt DHCP. However, the first DNS is always 8.8.8.8 (and windows 11 doesn't seem to accept the second DNS. It only honors 8.8.8.8).
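
One way to find out which device hands out a resolver such as 8.8.8.8 is to parse the DHCP replies a client receives and read option 54 (server identifier) next to option 6 (DNS servers). The following is an added example, not part of the thread: the function names, the client addresses and the second server 192.0.2.53 are constructed for illustration, and the input is the UDP payload of each reply as captured on the client side.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the options field

def _addrs(raw):
    if len(raw) % 4:
        raise ValueError("address option is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]

def parse_dhcp_reply(payload):
    """Parse the UDP payload of a DHCP reply (server to client)."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP BOOTREPLY")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end of options
        code = payload[i]
        if code == 0:  # pad byte, carries no length field
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        opts[code] = opts.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "server_id": (_addrs(opts.get(54, b"")) or [None])[0],  # option 54: sender
        "your_ip": str(ipaddress.IPv4Address(payload[16:20])),  # yiaddr field
        "dns": _addrs(opts.get(6, b"")),  # option 6: resolvers handed out
    }

def unexpected_dns(replies, expected):
    """Map each responding DHCP server to the resolvers it offered outside `expected`."""
    found = {}
    for info in map(parse_dhcp_reply, replies):
        extra = [ip for ip in info["dns"] if ip not in expected]
        if extra:
            found.setdefault(info["server_id"], []).extend(extra)
    return found

def build_reply(server, your_ip, dns):
    """Constructed sample data: a minimal DHCPACK, not a real capture."""
    pack = lambda ips: b"".join(ipaddress.IPv4Address(ip).packed for ip in ips)
    head = bytes([2, 1, 6, 0]) + bytes(12) + pack([your_ip]) + bytes(216)
    opts = b"\x35\x01\x05\x36\x04" + pack([server]) + bytes([6, 4 * len(dns)]) + pack(dns)
    return head + MAGIC_COOKIE + opts + b"\xff"

SAMPLE = [  # constructed: the thread's router and a hypothetical second server
    build_reply("192.168.3.1", "192.168.3.120", ["192.168.3.201", "192.168.3.222"]),
    build_reply("192.0.2.53", "192.168.3.121", ["8.8.8.8", "192.168.3.222"]),
]
```

Calling `unexpected_dns(SAMPLE, {"192.168.3.201", "192.168.3.222"})` names the server identifier behind every resolver that is not one of the two Pi-hole addresses from the `lan` DHCP section.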

Then do the DNS leak test; it will show exactly where your leak is coming from.
