Unable to make udp query from router

Any hints why I am unable to make a UDP domain query while TCP/ICMP works on the router and from local net stations?

root@gw:~# dig pl -t any @199.9.14.201 +notcp
;; communications error to 199.9.14.201#53: host unreachable

but over TCP same works:

root@gw:~# dig pl -t any @199.9.14.201 +tcp
(...)
;; SERVER: 199.9.14.201#53(199.9.14.201) (TCP)

My laptop, running its own local bind server, fails to talk with the root servers because it uses only UDP queries, while the DNS server on OpenWRT seems to be using mostly TCP and works.

If there's no firewall involved, check if it's your ISP blocking the requests.


if there's no firewall involved

FW is default with only Masquerading checked.
tcpdump shows the packet going out, but nothing returns on UDP,
so the ISP is the main suspect now.


If your ISP owns the DNS server then yes, because you might not believe this...

Running tcpdump, I actually see 199.9.14.201 responding to DNS requests on UDP.

user@machine:~$ nslookup openwrt.org 199.9.14.201
Server:         199.9.14.201
Address:        199.9.14.201#53

Non-authoritative answer:
*** Can't find openwrt.org: No answer

But I see via tcpdump...

user@machine:~$ sudo tcpdump -vvvn port 53 and host 199.9.14.201
tcpdump: listening on enp10s0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:12:56.555784 IP (tos 0x0, ttl 64, id 28742, offset 0, flags [none], proto UDP (17), length 57)
    10.xxx.xxx.xx.50136 > 199.9.14.201.53: [bad udp cksum 0xe903 -> 0x43bd!] 15732+ A? openwrt.org. (29)
09:12:56.703621 IP (tos 0x28, ttl 50, id 61875, offset 0, flags [none], proto UDP (17), length 501)
    199.9.14.201.53 > 10.xxx.xxx.xxx.50136: [udp sum ok] 15732- q: A? openwrt.org. 0/6/12 ns: org. [2d] NS a0.org.afilias-nst.info., org. [2d] NS a2.org.afilias-nst.info., org. [2d] NS b0.org.afilias-nst.org., org. [2d] NS b2.org.afilias-nst.org., org. [2d] NS c0.org.afilias-nst.info., org. [2d] NS d0.org.afilias-nst.org. ar: b0.org.afilias-nst.org. [2d] A 199.19.54.1, b0.org.afilias-nst.org. [2d] AAAA 2001:500:c::1, b2.org.afilias-nst.org. [2d] A 199.249.120.1, b2.org.afilias-nst.org. [2d] AAAA 2001:500:48::1, d0.org.afilias-nst.org. [2d] A 199.19.57.1, d0.org.afilias-nst.org. [2d] AAAA 2001:500:f::1, a0.org.afilias-nst.info. [2d] A 199.19.56.1, a0.org.afilias-nst.info. [2d] AAAA 2001:500:e::1, a2.org.afilias-nst.info. [2d] A 199.249.112.1, a2.org.afilias-nst.info. [2d] AAAA 2001:500:40::1, c0.org.afilias-nst.info. [2d] A 199.19.53.1, c0.org.afilias-nst.info. [2d] AAAA 2001:500:b::1 (473)
09:12:56.704318 IP (tos 0x0, ttl 64, id 28753, offset 0, flags [none], proto UDP (17), length 57)
    10.xxx.xxx.xxx.52861 > 199.9.14.201.53: [bad udp cksum 0xe903 -> 0xcc20!] 36715+ AAAA? openwrt.org. (29)
09:12:56.851480 IP (tos 0x28, ttl 50, id 61888, offset 0, flags [none], proto UDP (17), length 501)
    199.9.14.201.53 > 10.xxx.xxx.xxx.52861: [udp sum ok] 36715- q: AAAA? openwrt.org. 0/6/12 ns: org. [2d] NS a0.org.afilias-nst.info., org. [2d] NS a2.org.afilias-nst.info., org. [2d] NS b0.org.afilias-nst.org., org. [2d] NS b2.org.afilias-nst.org., org. [2d] NS c0.org.afilias-nst.info., org. [2d] NS d0.org.afilias-nst.org. ar: b0.org.afilias-nst.org. [2d] A 199.19.54.1, b0.org.afilias-nst.org. [2d] AAAA 2001:500:c::1, b2.org.afilias-nst.org. [2d] A 199.249.120.1, b2.org.afilias-nst.org. [2d] AAAA 2001:500:48::1, d0.org.afilias-nst.org. [2d] A 199.19.57.1, d0.org.afilias-nst.org. [2d] AAAA 2001:500:f::1, a0.org.afilias-nst.info. [2d] A 199.19.56.1, a0.org.afilias-nst.info. [2d] AAAA 2001:500:e::1, a2.org.afilias-nst.info. [2d] A 199.249.112.1, a2.org.afilias-nst.info. [2d] AAAA 2001:500:40::1, c0.org.afilias-nst.info. [2d] A 199.19.53.1, c0.org.afilias-nst.info. [2d] AAAA 2001:500:b::1 (473)

Not sure why, but hope this helps.


It is working for both TCP and UDP. However, on the first UDP attempt it always gives a BADCOOKIE and retries, successfully this time.
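
The tcpdump post above summarises the root server's reply as `0/6/12`: zero answer records, six NS records in the authority section and twelve glue records in the additional section. That is a referral, not a failure, which is why nslookup prints "No answer" even though the UDP reply clearly arrived. (The `bad udp cksum` on the outgoing packets in that capture is the usual sign of checksum offload on the capturing interface, not of corruption.) The last post adds the BADCOOKIE retry, and the TCP fallback from the first post is what the TC bit in a UDP reply triggers. The following is an added example, not code from this thread or from OpenWrt or bind: a dependency-free Python parser for those three reply shapes. The packets it parses are constructed inline to mirror the capture (names, TTLs and glue addresses copied from the tcpdump lines, the layout and compression offsets my own), not real captures, and the cookie resend step is named, not implemented.

```python
import struct

RRTYPE = {1: "A", 2: "NS", 28: "AAAA", 41: "OPT"}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 23: "BADCOOKIE"}

def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype, txid):
    """Plain recursion-desired query, same shape as the 29-byte 'A? openwrt.org.' in the capture."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)

def read_name(data, off):
    """Decode a possibly compressed name at off; return (name, offset just after it)."""
    labels, end = [], None
    for _ in range(128):                      # bounded walk: a pointer loop cannot hang the parser
        length = data[off]
        if length & 0xC0 == 0xC0:             # two-byte compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def read_rr(data, off):
    name, off = read_name(data, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    rdata = data[off:off + rdlen]
    if rtype == 2:                            # NS rdata is itself a (compressible) name
        value = read_name(data, off)[0]
    elif rtype == 1:
        value = ".".join(str(b) for b in rdata)
    else:
        value = rdata.hex()
    rr = {"name": name, "type": RRTYPE.get(rtype, rtype), "ttl": ttl, "rdata": value}
    return rr, off + rdlen

def parse_response(data):
    """Header, skip the question, read the three sections, fold in the EDNS extended RCODE."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = read_name(data, off)[1] + 4     # skip QTYPE and QCLASS
    resp = {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF, "counts": (an, ns, ar)}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        resp[key] = []
        for _ in range(count):
            rr, off = read_rr(data, off)
            resp[key].append(rr)
    for rr in resp["additional"]:             # OPT TTL high byte carries the upper 8 RCODE bits
        if rr["type"] == "OPT":
            resp["rcode"] |= (rr["ttl"] >> 24) << 4
    return resp

def classify(resp):
    """What a resolver does next with this reply."""
    if resp["tc"]:
        return "truncated: repeat the query over TCP"
    if resp["rcode"] == 23:
        return "BADCOOKIE: repeat the query over UDP, echoing the server cookie"
    if resp["rcode"] != 0:
        return "error " + RCODE.get(resp["rcode"], str(resp["rcode"]))
    if resp["answer"]:
        return "answer"
    if any(rr["type"] == "NS" for rr in resp["authority"]):
        return "referral: empty answer section, follow the NS records"
    return "empty"

# Constructed test vectors, not captured packets: shaped like the thread's exchange.
TXID = 15732
QUESTION = encode_name("openwrt.org") + struct.pack("!HH", 1, 1)  # the "org" label sits at offset 20

def sample_referral():
    """A 0/2/2 referral with name compression: 0 answers, 2 NS, 2 glue A records."""
    org = b"\xC0\x14"                                          # pointer to "org." at offset 20
    ns1_rdata = b"\x02b0\x03org\x0bafilias-nst" + org          # this rdata starts at offset 41
    ns2_rdata = b"\x02d0" + b"\xC0\x2C"                        # "d0" + pointer to offset 44 ("org.afilias-nst.org.")
    hdr = struct.pack("!HHHHHH", TXID, 0x8100, 1, 0, 2, 2)
    ns1 = org + struct.pack("!HHIH", 2, 1, 172800, len(ns1_rdata)) + ns1_rdata
    ns2 = org + struct.pack("!HHIH", 2, 1, 172800, len(ns2_rdata)) + ns2_rdata  # rdata at offset 74
    glue1 = b"\xC0\x29" + struct.pack("!HHIH", 1, 1, 172800, 4) + bytes([199, 19, 54, 1])
    glue2 = b"\xC0\x4A" + struct.pack("!HHIH", 1, 1, 172800, 4) + bytes([199, 19, 57, 1])
    return hdr + QUESTION + ns1 + ns2 + glue1 + glue2

def sample_truncated():
    """QR|TC|RD header and nothing else: the cue for dig to retry the query over TCP."""
    return struct.pack("!HHHHHH", TXID, 0x8300, 1, 0, 0, 0) + QUESTION

def sample_badcookie():
    """Header RCODE 7 plus OPT extended RCODE 1 gives 0x17 = 23 = BADCOOKIE."""
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x01000000, 0)   # root name, UDP size 4096, no options
    return struct.pack("!HHHHHH", TXID, 0x8107, 1, 0, 0, 1) + QUESTION + opt

if __name__ == "__main__":
    for sample in (sample_referral, sample_truncated, sample_badcookie):
        r = parse_response(sample())
        print(sample.__name__, r["counts"], classify(r))
```

Running it prints the section counts and the next step for each shape; in the real capture the counts would be (0, 6, 12) and the classification "referral". To use the parser on live traffic, send `build_query(...)` over a UDP socket and pass the reply to `parse_response`, checking that the reply's `id` matches the one you sent before trusting it, since a mismatched ID is the first sign of a spoofed answer.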