Hi there,
I have configured dnsmasq on my openwrt router but while wireless devices on the 2.4GHz network can access the wifi network, the ones on the 5GHz network cannot. iOS says that something blocks the encrypted communication with the DNS server.
I tried with a wired connection and the page https://dnsleaktest.com/ displays both DNS servers configured. Also, I compared the configuration of both wireless interfaces but I do not see a difference.
Checking the log reveals:
logread -f | grep dnsmasq
daemon.warn dnsmasq-dhcp[24600]: DHCP packet received on wlan1 which has no address
I also checked:
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
daemon.warn dnsmasq-dhcp[24600]: DHCP packet received on wlan1 which has no address
The comparison of the config files reveals:
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 127.0.0.1
# Interface wan6
nameserver ::1
What am I missing in my wireless configuration?
Thanks!
trendy
January 8, 2022, 6:38pm
2
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
2 Likes
{
"kernel": "5.4.154",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "AVM FRITZ!Box 4040",
"board_name": "avm,fritzbox-4040",
"release": {
"distribution": "OpenWrt",
"version": "21.02.1",
"revision": "r16325-88151b8303",
"target": "ipq40xx/generic",
"description": "OpenWrt 21.02.1 r16325-88151b8303"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '####:####:b664::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.200.1'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option peerdns '0'
option dns '127.0.0.1'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
option peerdns '0'
option dns '0::1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0'
config interface 'WIFI_50'
option proto 'static'
option device 'wlan1'
option ipaddr '192.168.160.1'
option netmask '255.255.255.0'
config interface 'WIFI_24'
option proto 'static'
option device 'wlan0'
option ipaddr '192.168.150.1'
option netmask '255.255.255.0'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11g'
option path 'platform/soc/a000000.wifi'
option htmode 'HT20'
option country 'DE'
option cell_density '0'
option channel '13'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option encryption 'psk2'
option network 'WIFI_24'
config wifi-device 'radio1'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'platform/soc/a800000.wifi'
option htmode 'VHT80'
option country 'DE'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option encryption 'psk2'
option network 'WIFI_50'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
option noresolv '1'
option dnssec '1'
option dnsseccheckunsigned '1'
list server '127.0.0.1#5453'
list server '0::1#5453'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'WIFI_50'
option interface 'WIFI_50'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
config dhcp 'WIFI_24'
option interface 'WIFI_24'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'WIFI_50'
list network 'WIFI_24'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '#####:#####'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
lrwxrwxrwx 1 root root 16 Oct 24 09:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 47 Jan 6 15:07 /tmp/resolv.conf
-rw-r--r-- 1 root root 69 Jan 8 10:36 /tmp/resolv.conf.d/resolv.conf.auto
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 69 Jan 8 10:36 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 127.0.0.1
# Interface wan6
nameserver ::1
trendy
January 15, 2022, 5:19pm
4
Remove the dns from the wan, or use a proper upstream resolver.
Remove the wlan* lines, the ssid is assigned to an interface from the wireless option network 'WIFI50'
Hi trendy,
thanks for your suggestions.
option dns '127.0.0.1'
Just to clarify: I am using Adblock and Stubby with dnsmasq. I assume that this is the reason why the localhost ip address is set. Am I right?
config interface 'WIFI_24'
option device 'wlan0'
Do you want me to delete the whole configuration block for the interfaces WIFI_24 and WIFI_50?
Thanks
trendy
January 16, 2022, 9:59am
6
If you are using these, then they must be running on a different port, which cannot be configured here, so you don't need it anyway.
No, just the option device wlan0 and wlan1 lines.
Alright, I deleted those lines but still iOS keeps telling "This network is blocking encrypted DNS communication". Do we need to have a look at another configuration file?
trendy
January 16, 2022, 9:53pm
8
The error message is kinda vague and as you might have seen in other pages it can be solved with a couple of restarts, disconnect-connect, changing upstream dns.
