Using netbird with dnsmasq

rcambrj · December 13, 2024, 4:00pm

Following the instructions in this github comment, I got OpenWRT connected to a new netbird network.

However, netbird tries to listen on port 53 of wt0 to expose its own nameserver resolution and if your OpenWRT machine is, like mine, configured with dnsmasq, that also tries to listen on port 53.

To solve this, I told netbird to listen for DNS requests on a different port:

netbird up --dns-resolver-address 127.0.0.1:5053

The unfortunate side effect is that this will prevent OpenWRT from resolving *.netbird.cloud addresses. I don't use these, so I didn't solve that problem.

It seems that this then gets persisted to /etc/netbird/config.json:

"CustomDNSAddress": "127.0.0.1:5053"

A file which you can then add OpenWRT's backup generator.

Lastly, dnsmasq needs to be told to restart whenever wt0 comes up, so add a new line to the existing service_triggers() section in /etc/init.d/dnsmasq -

service_triggers()
{
    [...]

    # restart when netbird interface changes
    procd_add_interface_trigger "interface.*" "netbird" /etc/init.d/dnsmasq restart
}

IGNORE (see my own reply): Alternatively, if the *.netbird.cloud resolution is important to you on OpenWRT, dnsmasq can be configured with a different DNS listener port. Unfortunately, dnsmasq can't be configured to listen on a different port per interface - that port applies to all interfaces on which dnsmasq listens. But you can probably workaround this by configuring firewall rules on the interfaces where you do want dnsmasq to be available on port 53.

Hopefully this helps some people.
Is there a better way? Do tell!

rcambrj · December 13, 2024, 4:08pm

A discovery!

In /etc/config/dhcp, the server directive can be used to specify a forward DNS service which points to the netbird service at 127.0.0.1:5053:

config dnsmasq
	[...]

	list server '/*.netbird.cloud/127.0.0.1#5053'

This way, *.netbird.cloud resolution will also work without needing any firewall workarounds.

wehagy · December 31, 2024, 6:41pm

I'm glad to hear that my reply on GitHub was helpful to someone!

I'm using a similar config for DNS, and from what I can see, your setup allows netbird to function only for the *.netbird.cloud domain, at the same time, you need to prevent DNS leaks to ensure that your DNS server is enforced.

My config is dnsmasq --> netbird --> custom DNS. The custom DNS is managed through the netbird dashboard, and I assume you're familiar with how to set this up. In my case, I have a server running Pi-hole to block ads, utilizing EDNS0 and a recursive DNS server, all configured with internal routes through netbird. However, that's a topic for another day...

If I'm not mistaken, by default, netbird tries to run the DNS server on port 53 at the same IP as the internal WireGuard interface (wt0), which falls within the range of 100.127.0.1 to 100.127.255.254. If that fails, it attempts 127.0.0.1, and if that also fails, it gives up. It will always give up because, in OpenWrt, all ports 53 is already occupied by dnsmasq. To resolve this, modify the file /etc/netbird/config.json to ensure that the changes are persistent.

[...]
    "CustomDNSAddress": "127.0.0.1:5335",
[...]

The 127.0.0.1 is mandatory because it is the IP address where the netbird DNS server will listen. The :5335 is the port, which can be any arbitrary number, except for :53, which is the default port where the dnsmasq DNS server listens.

Why is 127.0.0.1 mandatory? Sometimes, dnsmasq and netbird fight for the /etc/resolv.conf file. /etc/resolv.conf is responsible, simplifying, for informing OpenWrt about the DNS server. This file does not support custom ports, only IP addresses. If, for some reason, this file is changed to an arbitrary address from netbird, it is better for it to match the one from dnsmasq to ensure that OpenWrt does not lose domain name resolution.

Now add or change the values in the file cat /etc/config/dhcp:

config dnsmasq
[...]
        # Disable the use of the ISP's DNS server to effectively enable split DNS.
        option noresolv '1'
        # Prioritize the `list server` from top to bottom, this is good to have.
        option strictorder '1'
        # The two `arpa` configurations may have some side effects,
        # here, I'm limiting the resolution of local addresses to be local only,
        # without making requests to upstream servers.
        # This is for reference, but in my case, if not configured, it can become annoying.
        list server '/in-addr.arpa/'
        list server '/ip6.arpa/'
        # Allow the resolution of `netbird.io` to be sent to any arbitrary public DNS server, in this case, 9.9.9.9 (Quad9).
        # If you are self-hosting, replace `netbird.io` with the address of your server.
        # Without this, you will encounter a race condition,
        # `netbird` cannot connect because `dnsmasq` is unable to resolve addresses,
        # and `dnsmasq` cannot resolve addresses because `netbird` cannot connect.
        list server '/netbird.io/9.9.9.9'
        # Use `netbird` DNS server.
        list server '127.0.0.1#5335'
[...]

config dhcp 'lan'
[...]
        # Disable the IPv6 DNS server, it's cursed and has caused me some issues.
        # However, you can test it to see if it works for you.
        option dns_service '0'
        option ra_dns '0'
[...]

Some relevant OpenWrt wiki pages:

DHCP and DNS configuration /etc/config/dhcp
- All options
DHCP and DNS examples
- Split DNS
- Enforcing dnsmasq for local system, this is the default configuration, so there's no need to change it. However, it's good to have it for reference.
- DNS filtering
- DNS forwarding

Going further, you can configure the firewall to enforce the use of OpenWrt as the DNS server at all times to prevent DNS leaks. More information about this can be found in the DNS hijacking documentation.

This probably requires your own topic too, but without going into too much detail, here is my /etc/config/firewall for reference:

[...]
config redirect
        option target 'DNAT'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'

config rule
        option name 'Block-Public-DNS'
        option src '*'
        # Common ports used for DNS servers
        option dest_port '53 5353 5335 853'
        option target 'REJECT'
        option dest 'wan'

# IPv6 is cursed
config rule
        option name 'Block-IPV6-DNS'
        option src 'lan'
        option target 'REJECT'
        option family 'ipv6'
        # Common ports used for DNS servers
        option dest_port '53 5353 5335 853'
[...]

Now you are leveraging all the capabilities of netbird DNS server... Probably...

Haldi · January 2, 2025, 4:47pm

so in short the openWRT Netbird package is wrongly configured by default?....

rcambrj · January 2, 2025, 5:07pm

The netbird package isn't opinionated about and doesn't try to configure any part of the netbird service, rather it only makes the netbird application available and it's up to you to configure it correctly. The netbird application is by default wrongly configured for a machine where port 53 is already in use, yes.

Michael.Uray · August 4, 2025, 9:17pm

I dont see in Netbird version 0.51.2 that it opens a port for a DNS server when it gets started,
with "CustomDNSAddress": "127.0.0.1:5053", even not with "CustomDNSAddress": "" and dnsmasq stopped.

cat /etc/netbird/config.json
{
"PrivateKey": "\[hidden\]",
"PreSharedKey": "",
"ManagementURL": {
"Scheme": "https",
"Opaque": "",
"User": null,
"Host": "netbird.\[hidden\].com:443",
"Path": "",
"RawPath": "",
"OmitHost": false,
"ForceQuery": false,
"RawQuery": "",
"Fragment": "",
"RawFragment": ""
},
"AdminURL": {
"Scheme": "https",
"Opaque": "",
"User": null,
"Host": "netbird.\[hidden\].com:443",
"Path": "",
"RawPath": "",
"OmitHost": false,
"ForceQuery": false,
"RawQuery": "",
"Fragment": "",
"RawFragment": ""
},
"WgIface": "wt0",
"WgPort": 0,
"NetworkMonitor": null,
"IFaceBlackList": \[
"wt0",
"wt",
"utun",
"tun0",
"zt",
"ZeroTier",
"wg",
"ts",
"Tailscale",
"tailscale",
"docker",
"veth",
"br-",
"lo"
\],
"DisableIPv6Discovery": false,
"RosenpassEnabled": false,
"RosenpassPermissive": false,
"ServerSSHAllowed": false,
"DisableClientRoutes": false,
"DisableServerRoutes": false,
"DisableDNS": false,
"DisableFirewall": false,
"BlockLANAccess": false,
"BlockInbound": false,
"DisableNotifications": true,
"DNSLabels": null,
"SSHKey": "-----BEGIN PRIVATE KEY-----\\n\[hidden\]\\n-----END PRIVATE KEY-----\\n",
"NATExternalIPs": null,
"CustomDNSAddress": "127.0.0.1:5053",
"DisableAutoConnect": false,
"DNSRouteInterval": 60000000000,
"ClientCertPath": "",
"ClientCertKeyPath": "",
"LazyConnectionEnabled": false
}

\~# /etc/init.d/netbird restart
Stopping netbird.....
Stopped
Starting netbird

\~# netstat -an | grep LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:\*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:\*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:\*               LISTEN
tcp        0      0 :::443                  :::\*                    LISTEN
tcp        0      0 :::80                   :::\*                    LISTEN
tcp        0      0 :::22                   :::\*                    LISTEN
unix  2      \[ ACC \]     STREAM     LISTENING        306 /var/run/ubus/ubus.sock
unix  2      \[ ACC \]     STREAM     LISTENING      17103 /var/run/netbird.sock
unix  2      \[ ACC \]     STREAM     LISTENING      17240 /var/run/wireguard/wt0.sock

It is running and connected in general.

:~# /tmp/netbird status
OS: linux/mips
Daemon version: 0.51.2
CLI version: 0.51.2
Management: Connected
Signal: Connected
Relays: 3/3 Available
Nameservers: 0/0 Available
FQDN: [hidden].netbird.selfhosted
NetBird IP: 100.87.95.84/16
Interface type: Userspace
Quantum resistance: false
Lazy connection: true
Networks: -
Forwarding rules: 0
Peers count: 0/6 Connected

The status --detail show the following events:

Events:
  [WARNING] DNS (1d2c5789-f0f3-46ea-bc29-98711e94926e)
    Message: The host dns manager does not support match domains
    Time: 12 minutes, 13 seconds ago
    Metadata: manager: file
  [INFO] SYSTEM (da50b930-537a-4eef-9460-9d8ce768874e)
    Message: Network map updated
    Time: 12 minutes, 12 seconds ago
OS: linux/mips
Daemon version: 0.51.2
CLI version: 0.51.2
Management: Connected to https://netbird.[hidden].com:443
Signal: Connected to https://netbird.[hidden].com:443
Relays:
  [stun:netbird.[hidden].com:3478] is Available
  [turn:netbird.[hidden].com:3478?transport=udp] is Available
  [rels://netbird.[hidden].com:443/relay] is Available
Nameservers:
FQDN: [hidden].netbird.selfhosted
NetBird IP: 100.87.95.84/16
Interface type: Userspace
Quantum resistance: false
Lazy connection: true
Networks: -
Forwarding rules: 0
Peers count: 0/6 Connected

So far as I understand should it start its own DNS server to resolve the internal x.netbird.selfhosted names.

Any idea why the DNS server is not active?

rcambrj · August 5, 2025, 7:27am

Michael.Uray:

Events:
  [WARNING] DNS (1d2c5789-f0f3-46ea-bc29-98711e94926e)
    Message: The host dns manager does not support match domains
    Time: 12 minutes, 13 seconds ago
    Metadata: manager: file

I suspect that this is a good lead to follow. I don’t get that in my log, but I’m using an older version. However, you might not be alone.