Wifi calling DNS request gets rejected, but why?

I have an Archer C7v2 with OpenWrt 18.06.1 and an Android smartphone that supports Wifi calling.
The phone is doing a DNS request to epdg.epc.mnc001.mcc262.pub.3gppnetwork.org to get the Wifi calling server IP for my provider.

That works when I let the OpenWrt dnsmasq answer the query:

20:55:06.169318 IP oneplus_5t.lan.42065 > router.lan.53: 1018+ A? epdg.epc.mnc001.mcc262.pub.3gppnetwork.org. (60)
20:55:06.169942 IP router.lan.53 > oneplus_5t.lan.42065: 1018 4/0/0 A 109.237.187.226, A 109.237.187.129, A 109.237.187.225, A 109.237.187.130 (124)

but it doesn't work when I use a different DNS server on my LAN (Pi-hole at 192.168.0.253) and OpenWrt has to "route" that request from Wifi to the LAN switch:

21:03:43.718570 IP oneplus_5t.lan.46934 > 192.168.0.253.53: 43894+ A? www.amazon.com. (32)
21:03:43.738763 IP 192.168.0.253.53 > oneplus_5t.lan.46934: 43894 3/0/0 CNAME www.cdn.amazon.com., CNAME d3ag4hukkh62yn.cloudfront.net., A 143.204.97.106 (113)
21:03:43.830598 IP oneplus_5t.lan.44203 > 192.168.0.253.53: 27551+ A? epdg.epc.mnc001.mcc262.pub.3gppnetwork.org. (60)
21:03:46.854402 IP oneplus_5t.lan.44203 > 192.168.0.253.53: 7336+ A? epdg.epc.mnc001.mcc262.pub.3gppnetwork.org. (60)
21:03:50.863428 IP oneplus_5t.lan.44203 > 192.168.0.253.53: 2272+ A? epdg.epc.mnc001.mcc262.pub.3gppnetwork.org. (60)
21:03:55.754442 IP oneplus_5t.lan.55456 > 192.168.0.253.53: 45826+ A? android.clients.google.com. (44)
21:03:55.774442 IP 192.168.0.253.53 > oneplus_5t.lan.55456: 45826 15/0/0 CNAME android.l.google.com., A 172.217.23.174, A 172.217.21.238, A 172.217.18.14, A 172.217.21.206, A 172.217.18.174, A 216.58.206.14, A 172.217.22.46, A 216.58.207.46, A 172.217.22.78, A 216.58.205.238, A 216.58.210.14, A 172.217.22.110, A 172.217.23.142, A 172.217.22.14 (292)

You can see in tcpdump that all DNS requests from the phone get an answer, but the Wifi calling DNS requests are not answered.

I enabled firewall logging on the LAN zone and got this:

Sat Feb  2 22:15:48 2019 kern.warn kernel: [978605.434667] REJECT lan out: IN=br-lan OUT=br-lan MAC=a3:2d:b0:cd:a9:10:94:55:1e:43:3c:01:07:00 SRC=192.168.0.82 DST=192.168.0.253 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=48 DF PROTO=UDP SPT=40081 DPT=53 LEN=68
Sat Feb  2 22:15:51 2019 kern.warn kernel: [978609.078858] REJECT lan out: IN=br-lan OUT=br-lan MAC=a3:2d:b0:cd:a9:10:94:55:1e:43:3c:01:07:00 SRC=192.168.0.82 DST=192.168.0.253 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=49 DF PROTO=UDP SPT=40081 DPT=53 LEN=68
Sat Feb  2 22:15:55 2019 kern.warn kernel: [978613.119853] REJECT lan out: IN=br-lan OUT=br-lan MAC=a3:2d:b0:cd:a9:10:94:55:1e:43:3c:01:07:00 SRC=192.168.0.82 DST=192.168.0.253 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=50 DF PROTO=UDP SPT=40081 DPT=53 LEN=68

I do not have any firewall rules to block anything on the LAN.
Other DNS requests are working, and it also works if I use an app on the phone to make the same DNS request that is getting blocked. The difference between the blocked DNS and the working DNS is that the blocked requests are generated by a chipset driver on the phone.

I can make the Wifi calling DNS requests work with this firewall rule:

config rule
        option target 'ACCEPT'
        option src 'lan'
        option proto 'udp'
        option dest_ip '192.168.0.253'
        option name 'wifi calling'
        option dest 'lan'

My question is, why do I have to create this rule, and what is the difference between the DNS requests by the Android OS and the chipset driver?
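A small triage script, added here as an example (it is not from the thread, OpenWrt or fw3), that parses REJECT log lines in the format shown above into their fields and flags the ones where IN and OUT are the same bridge, which is the lan-to-lan forward that the src 'lan' / dest 'lan' rule above accepts. It uses the first log line from the post plus a constructed WAN-side line as a contrast.

```python
import re
from typing import Dict, List, Optional, Tuple

# fw3 log prefix "REJECT <zone> <direction>: " followed by the netfilter KEY=VALUE fields.
_PREFIX = re.compile(r"(?P<action>[A-Z]+) (?P<zone>\S+) (?P<dir>\S+): (?P<fields>IN=.*)$")
_FIELD = re.compile(r"(\w+)=(\S*)")

# Sample input: the first line is the log line from the post above; the second is a
# constructed WAN-side reject (documentation addresses, made-up MACs) used as a contrast.
SAMPLE_LOG = "\n".join([
    "Sat Feb  2 22:15:48 2019 kern.warn kernel: [978605.434667] REJECT lan out: IN=br-lan OUT=br-lan "
    "MAC=a3:2d:b0:cd:a9:10:94:55:1e:43:3c:01:07:00 SRC=192.168.0.82 DST=192.168.0.253 LEN=88 TOS=0x00 "
    "PREC=0x00 TTL=253 ID=48 DF PROTO=UDP SPT=40081 DPT=53 LEN=68",
    "Sat Feb  2 22:16:03 2019 kern.warn kernel: [978620.101010] REJECT wan in: IN=eth0.2 OUT= "
    "MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
])

def parse_fw_log(line: str) -> Optional[Dict[str, str]]:
    """Parse one fw3 kernel log line into its fields; None if it is not a firewall log line.
    LEN occurs twice (IP total length, then UDP/TCP length): the first stays 'LEN',
    the second is stored as 'L4_LEN'. Bare flags such as DF or SYN are ignored."""
    m = _PREFIX.search(line)
    if not m:
        return None
    rec = {"action": m.group("action"), "zone": m.group("zone"), "dir": m.group("dir")}
    for key, val in _FIELD.findall(m.group("fields")):
        if key == "LEN" and "LEN" in rec:
            key = "L4_LEN"
        rec.setdefault(key, val)
    octets = rec.get("MAC", "").split(":")
    if len(octets) >= 14:  # dst MAC (6) + src MAC (6) + ethertype (2)
        rec["DST_MAC"], rec["SRC_MAC"] = ":".join(octets[:6]), ":".join(octets[6:12])
    return rec

def is_lan_hairpin(rec: Dict[str, str]) -> bool:
    """True when the router forwarded the packet back out the interface it arrived on
    (IN == OUT, here br-lan -> br-lan), so the lan->lan forwarding policy decided its fate."""
    return bool(rec.get("IN")) and rec.get("IN") == rec.get("OUT")

def rejected_hairpins(log_text: str) -> List[Tuple[str, str, str, str, str]]:
    """(SRC, DST, PROTO, DPT, TTL) for every REJECT that was a same-interface forward."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_fw_log(line)
        if rec and rec["action"] == "REJECT" and is_lan_hairpin(rec):
            hits.append((rec["SRC"], rec["DST"], rec.get("PROTO", ""), rec.get("DPT", ""), rec.get("TTL", "")))
    return hits
```

Running `rejected_hairpins` over `logread` output shows only the rejects that hairpinned through br-lan, which separates this case from ordinary WAN-side noise.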

Usually you don't have to do it, because the default LAN-zone policy allows LAN-LAN forwarding.

The case usually is as @vgaetera said.
Can you upload here the outputs of:
cat /etc/config/firewall
iptables -L -vn
iptables -t nat -L -vn