Wifi calling DNS requests get rejected, but why?

I have an Archer C7v2 with OpenWrt 18.06.1 and an Android smartphone that supports Wifi calling.
The phone is doing a DNS request to epdg.epc.mnc001.mcc262.pub.3gppnetwork.org to get the Wifi calling server IP for my provider.

That works when I let the OpenWrt dnsmasq answer the query:

20:55:06.169318 IP oneplus_5t.lan.42065 > router.lan.53: 1018+ A? epdg.epc.mnc001.mcc262.pub.3gppnetwork.org. (60)
20:55:06.169942 IP router.lan.53 > oneplus_5t.lan.42065: 1018 4/0/0 A 109.237.187.226, A 109.237.187.129, A 109.237.187.225, A 109.237.187.130 (124)

but it doesn't work when I use a different DNS server on my LAN (Pi-hole at 192.168.0.253) and OpenWrt has to "route" that request from Wifi to the LAN switch:

21:03:43.718570 IP oneplus_5t.lan.46934 > 192.168.0.253.53: 43894+ A? www.amazon.com. (32)
21:03:43.738763 IP 192.168.0.253.53 > oneplus_5t.lan.46934: 43894 3/0/0 CNAME www.cdn.amazon.com., CNAME d3ag4hukkh62yn.cloudfront.net., A 143.204.97.106 (113)
21:03:43.830598 IP oneplus_5t.lan.44203 > 192.168.0.253.53: 27551+ A? epdg.epc.mnc001.mcc262.pub.3gppnetwork.org. (60)
21:03:46.854402 IP oneplus_5t.lan.44203 > 192.168.0.253.53: 7336+ A? epdg.epc.mnc001.mcc262.pub.3gppnetwork.org. (60)
21:03:50.863428 IP oneplus_5t.lan.44203 > 192.168.0.253.53: 2272+ A? epdg.epc.mnc001.mcc262.pub.3gppnetwork.org. (60)
21:03:55.754442 IP oneplus_5t.lan.55456 > 192.168.0.253.53: 45826+ A? android.clients.google.com. (44)
21:03:55.774442 IP 192.168.0.253.53 > oneplus_5t.lan.55456: 45826 15/0/0 CNAME android.l.google.com., A 172.217.23.174, A 172.217.21.238, A 172.217.18.14, A 172.217.21.206, A 172.217.18.174, A 216.58.206.14, A 172.217.22.46, A 216.58.207.46, A 172.217.22.78, A 216.58.205.238, A 216.58.210.14, A 172.217.22.110, A 172.217.23.142, A 172.217.22.14 (292)

You can see in tcpdump that all DNS requests from the phone get an answer, but the Wifi calling DNS requests are not answered.

I enabled firewall logging on the LAN zone and got this:

Sat Feb  2 22:15:48 2019 kern.warn kernel: [978605.434667] REJECT lan out: IN=br-lan OUT=br-lan MAC=a3:2d:b0:cd:a9:10:94:55:1e:43:3c:01:07:00 SRC=192.168.0.82 DST=192.168.0.253 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=48 DF PROTO=UDP SPT=40081 DPT=53 LEN=68
Sat Feb  2 22:15:51 2019 kern.warn kernel: [978609.078858] REJECT lan out: IN=br-lan OUT=br-lan MAC=a3:2d:b0:cd:a9:10:94:55:1e:43:3c:01:07:00 SRC=192.168.0.82 DST=192.168.0.253 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=49 DF PROTO=UDP SPT=40081 DPT=53 LEN=68
Sat Feb  2 22:15:55 2019 kern.warn kernel: [978613.119853] REJECT lan out: IN=br-lan OUT=br-lan MAC=a3:2d:b0:cd:a9:10:94:55:1e:43:3c:01:07:00 SRC=192.168.0.82 DST=192.168.0.253 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=50 DF PROTO=UDP SPT=40081 DPT=53 LEN=68

I do not have any firewall rules to block anything on the LAN.
Other DNS requests are working, and it also works if I use an app on the phone to make the same DNS request that is getting blocked. The difference between the blocked DNS and the working DNS is that the blocked requests are generated by a chipset driver on the phone.

I can make the Wifi calling DNS requests work with this firewall rule:

config rule
        option target 'ACCEPT'
        option src 'lan'
        option proto 'udp'
        option dest_ip '192.168.0.253'
        option name 'wifi calling'
        option dest 'lan'

My question is, why do I have to create this rule, and what is the difference between the DNS requests made by the Android OS and by the chipset driver?
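To make the comparison in the question reproducible, here is a small added analysis script (not code from the original post or from OpenWrt) that pairs the DNS queries in the tcpdump output with their responses by client address, client port and transaction ID, and parses the kernel REJECT lines into their netfilter fields. The sample input is the tcpdump and firewall-log text quoted above, embedded as constructed strings (the long google.com answer line is shortened); the field names and the 'hairpin' flag are this script's own naming, not OpenWrt's.

```python
import re
from collections import Counter

# Constructed sample input: the tcpdump lines quoted in the post (google answer shortened).
TCPDUMP_SAMPLE = """\
20:55:06.169318 IP oneplus_5t.lan.42065 > router.lan.53: 1018+ A? epdg.epc.mnc001.mcc262.pub.3gppnetwork.org. (60)
20:55:06.169942 IP router.lan.53 > oneplus_5t.lan.42065: 1018 4/0/0 A 109.237.187.226, A 109.237.187.129, A 109.237.187.225, A 109.237.187.130 (124)
21:03:43.718570 IP oneplus_5t.lan.46934 > 192.168.0.253.53: 43894+ A? www.amazon.com. (32)
21:03:43.738763 IP 192.168.0.253.53 > oneplus_5t.lan.46934: 43894 3/0/0 CNAME www.cdn.amazon.com., CNAME d3ag4hukkh62yn.cloudfront.net., A 143.204.97.106 (113)
21:03:43.830598 IP oneplus_5t.lan.44203 > 192.168.0.253.53: 27551+ A? epdg.epc.mnc001.mcc262.pub.3gppnetwork.org. (60)
21:03:46.854402 IP oneplus_5t.lan.44203 > 192.168.0.253.53: 7336+ A? epdg.epc.mnc001.mcc262.pub.3gppnetwork.org. (60)
21:03:50.863428 IP oneplus_5t.lan.44203 > 192.168.0.253.53: 2272+ A? epdg.epc.mnc001.mcc262.pub.3gppnetwork.org. (60)
21:03:55.754442 IP oneplus_5t.lan.55456 > 192.168.0.253.53: 45826+ A? android.clients.google.com. (44)
21:03:55.774442 IP 192.168.0.253.53 > oneplus_5t.lan.55456: 45826 15/0/0 CNAME android.l.google.com., A 172.217.23.174 (292)
"""

# Constructed sample input: the three kernel REJECT lines quoted in the post.
FW_LOG_SAMPLE = """\
Sat Feb  2 22:15:48 2019 kern.warn kernel: [978605.434667] REJECT lan out: IN=br-lan OUT=br-lan MAC=a3:2d:b0:cd:a9:10:94:55:1e:43:3c:01:07:00 SRC=192.168.0.82 DST=192.168.0.253 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=48 DF PROTO=UDP SPT=40081 DPT=53 LEN=68
Sat Feb  2 22:15:51 2019 kern.warn kernel: [978609.078858] REJECT lan out: IN=br-lan OUT=br-lan MAC=a3:2d:b0:cd:a9:10:94:55:1e:43:3c:01:07:00 SRC=192.168.0.82 DST=192.168.0.253 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=49 DF PROTO=UDP SPT=40081 DPT=53 LEN=68
Sat Feb  2 22:15:55 2019 kern.warn kernel: [978613.119853] REJECT lan out: IN=br-lan OUT=br-lan MAC=a3:2d:b0:cd:a9:10:94:55:1e:43:3c:01:07:00 SRC=192.168.0.82 DST=192.168.0.253 LEN=88 TOS=0x00 PREC=0x00 TTL=253 ID=50 DF PROTO=UDP SPT=40081 DPT=53 LEN=68
"""

# tcpdump DNS line: "<ts> IP <src>.<sport> > <dst>.<dport>: <txid><flags> <body>"
PKT_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): '
    r'(?P<txid>\d+)(?P<flags>[+%$]*) (?P<body>.*)$')
QUERY_RE = re.compile(r'^(?P<qtype>[A-Z]+)\? (?P<qname>\S+)')      # e.g. "A? example.com."
RESPONSE_RE = re.compile(r'^\d+/\d+/\d+')                           # e.g. "4/0/0 A ..."

# netfilter log line: "... kernel: [uptime] <rule label>: IN=... OUT=... KEY=VALUE ..."
LABEL_RE = re.compile(r'\]\s*(?P<label>.*?)\s+IN=')
KV_RE = re.compile(r'(\w+)=(\S*)')


def unanswered_queries(capture):
    """Pair each DNS query with a response by (client, client port, transaction id)
    and return a Counter of query names that never received a reply."""
    pending = {}
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        q = QUERY_RE.match(m['body'])
        if q:
            pending[(m['src'], m['sport'], m['txid'])] = q['qname']
        elif RESPONSE_RE.match(m['body']):
            # A response is addressed back to the client's port with the same txid.
            pending.pop((m['dst'], m['dport'], m['txid']), None)
    return Counter(pending.values())


def parse_fw_log(log):
    """Return one dict per netfilter log line with the rule label and the packet fields.
    'hairpin' is set when the packet entered and left on the same interface, which is
    what IN=br-lan OUT=br-lan means: bridged LAN traffic that is nevertheless being
    evaluated by the forwarding firewall."""
    events = []
    for line in log.splitlines():
        lm = LABEL_RE.search(line)
        if not lm:
            continue
        fields = dict(KV_RE.findall(line[lm.end() - 3:]))  # LEN appears twice; last wins
        ev = {
            'label': lm['label'].rstrip(':'),
            'in': fields.get('IN'), 'out': fields.get('OUT'),
            'src': fields.get('SRC'), 'dst': fields.get('DST'),
            'proto': fields.get('PROTO'), 'sport': fields.get('SPT'), 'dport': fields.get('DPT'),
            'ttl': int(fields['TTL']) if 'TTL' in fields else None,
        }
        ev['hairpin'] = bool(ev['in']) and ev['in'] == ev['out']
        events.append(ev)
    return events


def rejected_flows(events):
    """Collapse reject events into distinct (in, out, src, dst, proto, dport) flows with
    counts, so three retries of one query show up as a single flow seen three times."""
    return Counter((e['in'], e['out'], e['src'], e['dst'], e['proto'], e['dport'])
                   for e in events)


if __name__ == '__main__':
    for name, n in unanswered_queries(TCPDUMP_SAMPLE).items():
        print(f'unanswered: {name} ({n} attempts)')
    events = parse_fw_log(FW_LOG_SAMPLE)
    for flow, n in rejected_flows(events).items():
        print(f'rejected {n}x: {flow}')
    print('TTLs seen on rejected packets:', sorted({e["ttl"] for e in events}))
```

Run against a longer capture and log, the two outputs can be joined on client address and destination port to confirm that every unanswered query corresponds to a REJECT line. The fields worth comparing between a rejected packet and a working one are IN/OUT (the same bridge on both sides means the packet was handed to netfilter while being bridged) and TTL: the rejected packets carry TTL=253, whereas packets generated by the Linux network stack normally start at 64, so this value on its own marks them as coming from a different sender than the OS resolver.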

Usually you don't have to do it, because the default LAN-zone policy allows LAN-LAN forwarding.


The case usually is as @vgaetera said.
Can you upload here the outputs of:
cat /etc/config/firewall
iptables -L -vn
iptables -t nat -L -vn

I have a slightly different setup using pfSense, but I'm observing the exact same behavior.

Any Android phone attempting to start a Wifi call (or switching to Wifi calling mid-call) fails when using any nameserver other than the router's (e.g. Pi-hole or AdGuard). iOS seems to be unaffected.

However, if I add the pfSense equivalent of the firewall rule mentioned above, explicitly allowing DNS to the other DNS server, then it works. However, since both devices are on the same network and are already allowed to talk directly to each other, I don't see why such a firewall rule is needed to make it work.

In fact, in my setup both my WiFi AP and DNS server are connected to a switch that is connected to the pfSense router, so in theory these packets should not even be hitting the firewall, yet somehow Wifi calling breaks without this rule.

My best guess is that there may be a bug in Android's Wifi calling implementation that only affects requests the modem makes directly.