Strange behavior of DNS resolution (0.59rc2 and 0.1027-test)

[Kalimeiro]

Expected Behavior

When ping wikipedia.org or nslookup wikipedia.org, we need to get response from OMR and showing IPV4/IPV6 of the domain.

Current Behavior

When ping or nslookup, we have a DNS timeout, resolution is impossible.

1 domain of 3 works.

VPS can ping and nslookup works.

We tried with another DNS forwarding in unbound/dnsmask conf, no difference.

Possible Solution

Absolutely no idea

Specifications

• OpenMPTCProuter version: 0.59-rc2
• OpenMPTCProuter VPS version: 0.1027-test
• OpenMPTCProuter VPS provider: OVH
• OpenMPTCProuter platform: RPI4
• Country: FR

[Kalimeiro]

for now, i use DNS over HTTPS directly on Firefox to work. But with this workaround omr-bypass not working (and it's normal because OMR DNS is bypassed by Firefox DoH)

[Kalimeiro]

OK i have found the problem, it was in /etc/config/unbound, we lost half of configuration without understand how it is possible.

My original config :

config unbound 'ub_main'
    option add_extra_dns '0'
    option add_local_fqdn '1'
    option add_wan_fqdn '0'
    option dhcp_link 'none'
    option dns64 '0'
    option domain 'lan'
    option domain_type 'static'
    option edns_size '1232'
    option extended_stats '0'
    option hide_binddata '1'
    option interface_auto '1'
    option localservice '1'
    option manual_conf '0'
    option num_threads '1'
    option rate_limit '0'
    option rebind_localhost '0'
    option rebind_protection '1'
    option resource 'default'
    option root_age '9'
    option ttl_min '120'
    option ttl_neg_max '1000'
    option unbound_control '0'
    option validator_ntp '1'
    option verbosity '1'
    option listen_port '5353'
    option enabled '1'
    option recursion 'aggressive'
    option validator '1'
    option protocol 'mixed'
    list iface_lan 'LAN_PRIVE'
    list iface_lan 'LAN_TV'
    list iface_lan 'lan'
    list iface_wan 'wan1'
    list iface_wan 'wan2'

config zone 'auth_icann'
    option enabled '0'
    option fallback '1'
    option url_dir 'https://www.internic.net/domain/'
    option zone_type 'auth_zone'
    list server 'lax.xfr.dns.icann.org'
    list server 'iad.xfr.dns.icann.org'
    list zone_name '.'
    list zone_name 'arpa.'
    list zone_name 'in-addr.arpa.'
    list zone_name 'ip6.arpa.'

config zone 'fwd_isp'
    option enabled '0'
    option fallback '1'
    option resolv_conf '1'
    option zone_type 'forward_zone'
    list zone_name 'isp-bill.example.com.'
    list zone_name 'isp-mail.example.net.'

config zone 'fwd_google'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns.google'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '8.8.4.4'
    list server '8.8.8.8'
    list server '2001:4860:4860::8844'
    list server '2001:4860:4860::8888'
    list zone_name '.'

config zone 'fwd_cloudflare'
    option enabled '0'
    option fallback '1'
    option tls_index 'cloudflare-dns.com'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '1.1.1.1'
    list server '1.0.0.1'
    list server '2606:4700:4700::1111'
    list server '2606:4700:4700::1001'
    list zone_name '.'

config zone 'fwd_adguard_family'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns-family.adguard.com'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '176.103.130.132'
    list server '176.103.130.134'
    option zone_name '.'

config zone 'fwd_adguard_standard'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns.adguard.com'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '176.103.130.130'
    list server '176.103.130.131'
    option zone_name '.'

config zone 'fwd_cloudflare_family'
    option enabled '0'
    option fallback '1'
    option tls_index 'family.cloudflare-dns.com'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '1.1.1.3'
    list server '1.0.0.3'
    option zone_name '.'

config zone 'fwd_cloudflare_malware'
    option enabled '0'
    option fallback '1'
    option tls_index 'security.cloudflare-dns.com'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '1.1.1.2'
    list server '1.0.0.2'
    option zone_name '.'

config zone 'fwd_odvr'
    option enabled '0'
    option fallback '1'
    option tls_index 'odvr.nic.cz'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '193.17.47.1'
    list server '185.43.135.1'
    option zone_name '.'

config zone 'fwd_libredns'
    option enabled '0'
    option fallback '1'
    option tls_index 'doh.libredns.gr'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '116.202.176.26'
    option zone_name '.'

config zone 'fwd_quad9_recommended'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns.quad9.net'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '9.9.9.9'
    list server '149.112.112.112'
    option zone_name '.'

config zone 'fwd_quad9_unsecured'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns10.quad9.net'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '9.9.9.10'
    list server '149.112.112.10'
    option zone_name '.'

config zone 'fwd_quad9_ecs'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns11.quad9.net'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '9.9.9.11'
    list server '149.112.112.11'
    option zone_name '.'

config zone 'fwd_quad9_secured'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns9.quad9.net'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '9.9.9.9'
    list server '149.112.112.9'
    option zone_name '.'

And the config from a another installation of OMR 0.59-rc2 i manage remotely :

config unbound
    option edns_size '1280'
    option extended_stats '0'
    option hide_binddata '1'
    option localservice '1'
    option manual_conf '0'
    option num_threads '1'
    option rebind_localhost '0'
    option rebind_protection '1'
    option resource 'default'
    option root_age '9'
    option ttl_min '120'
    option unbound_control '0'
    option verbosity '1'
    list trigger_interface 'lan'
    list trigger_interface 'wan'
    option listen_port '5353'
    option recursion 'aggressive'
    option domain 'LTE.local'
    option enabled '1'
    option validator '1'
    option validator_ntp '1'
    option protocol 'ip4_only'
    option rate_limit '0'
    option iface_lan 'lan'
    option dns64 '0'
    option dhcp_link 'dnsmasq'
    list iface_wan 'wan1'
    list iface_wan 'wan2'
    list iface_wan 'wan3'

config zone
    option enabled '0'
    option fallback '1'
    option url_dir 'https://www.internic.net/domain/'
    option zone_type 'auth_zone'
    list server 'lax.xfr.dns.icann.org'
    list server 'iad.xfr.dns.icann.org'
    list zone_name '.'
    list zone_name 'arpa.'
    list zone_name 'in-addr.arpa.'
    list zone_name 'ip6.arpa.'

config zone
    option enabled '0'
    option fallback '1'
    option resolv_conf '1'
    option zone_type 'forward_zone'
    list zone_name 'isp-bill.example.com.'
    list zone_name 'isp-mail.example.net.'

config zone 'auth_icann'
    option fallback '1'
    option url_dir 'https://www.internic.net/domain/'
    option zone_type 'auth_zone'
    list server 'lax.xfr.dns.icann.org'
    list server 'iad.xfr.dns.icann.org'
    list server 'lax.xfr.dns.icann.org'
    list server 'iad.xfr.dns.icann.org'
    list server 'lax.xfr.dns.icann.org'
    list server 'iad.xfr.dns.icann.org'
    list server 'lax.xfr.dns.icann.org'
    list server 'iad.xfr.dns.icann.org'
    list server 'lax.xfr.dns.icann.org'
    list server 'iad.xfr.dns.icann.org'
    list server 'lax.xfr.dns.icann.org'
    list server 'iad.xfr.dns.icann.org'
    list server 'lax.xfr.dns.icann.org'
    list server 'iad.xfr.dns.icann.org'
    list server 'lax.xfr.dns.icann.org'
    list server 'iad.xfr.dns.icann.org'
    list server 'lax.xfr.dns.icann.org'
    list server 'iad.xfr.dns.icann.org'
    list server 'lax.xfr.dns.icann.org'
    list server 'iad.xfr.dns.icann.org'
    list zone_name '.'
    list zone_name 'arpa.'
    list zone_name 'in-addr.arpa.'
    list zone_name 'ip6.arpa.'
    list zone_name '.'
    list zone_name 'arpa.'
    list zone_name 'in-addr.arpa.'
    list zone_name 'ip6.arpa.'
    list zone_name '.'
    list zone_name 'arpa.'
    list zone_name 'in-addr.arpa.'
    list zone_name 'ip6.arpa.'
    list zone_name '.'
    list zone_name 'arpa.'
    list zone_name 'in-addr.arpa.'
    list zone_name 'ip6.arpa.'
    list zone_name '.'
    list zone_name 'arpa.'
    list zone_name 'in-addr.arpa.'
    list zone_name 'ip6.arpa.'
    list zone_name '.'
    list zone_name 'arpa.'
    list zone_name 'in-addr.arpa.'
    list zone_name 'ip6.arpa.'
    list zone_name '.'
    list zone_name 'arpa.'
    list zone_name 'in-addr.arpa.'
    list zone_name 'ip6.arpa.'
    list zone_name '.'
    list zone_name 'arpa.'
    list zone_name 'in-addr.arpa.'
    list zone_name 'ip6.arpa.'
    list zone_name '.'
    list zone_name 'arpa.'
    list zone_name 'in-addr.arpa.'
    list zone_name 'ip6.arpa.'
    list zone_name '.'
    list zone_name 'arpa.'
    list zone_name 'in-addr.arpa.'
    list zone_name 'ip6.arpa.'
    option enabled '1'

config zone 'fwd_isp'
    option enabled '0'
    option fallback '1'
    option resolv_conf '1'
    option zone_type 'forward_zone'
    list zone_name 'isp-bill.example.com.'
    list zone_name 'isp-mail.example.net.'
    list zone_name 'isp-bill.example.com.'
    list zone_name 'isp-mail.example.net.'
    list zone_name 'isp-bill.example.com.'
    list zone_name 'isp-mail.example.net.'
    list zone_name 'isp-bill.example.com.'
    list zone_name 'isp-mail.example.net.'
    list zone_name 'isp-bill.example.com.'
    list zone_name 'isp-mail.example.net.'
    list zone_name 'isp-bill.example.com.'
    list zone_name 'isp-mail.example.net.'
    list zone_name 'isp-bill.example.com.'
    list zone_name 'isp-mail.example.net.'
    list zone_name 'isp-bill.example.com.'
    list zone_name 'isp-mail.example.net.'
    list zone_name 'isp-bill.example.com.'
    list zone_name 'isp-mail.example.net.'
    list zone_name 'isp-bill.example.com.'
    list zone_name 'isp-mail.example.net.'

config zone 'fwd_google'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns.google'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '8.8.4.4'
    list server '8.8.8.8'
    list server '2001:4860:4860::8844'
    list server '2001:4860:4860::8888'
    list server '8.8.4.4'
    list server '8.8.8.8'
    list server '2001:4860:4860::8844'
    list server '2001:4860:4860::8888'
    list server '8.8.4.4'
    list server '8.8.8.8'
    list server '2001:4860:4860::8844'
    list server '2001:4860:4860::8888'
    list server '8.8.4.4'
    list server '8.8.8.8'
    list server '2001:4860:4860::8844'
    list server '2001:4860:4860::8888'
    list server '8.8.4.4'
    list server '8.8.8.8'
    list server '2001:4860:4860::8844'
    list server '2001:4860:4860::8888'
    list server '8.8.4.4'
    list server '8.8.8.8'
    list server '2001:4860:4860::8844'
    list server '2001:4860:4860::8888'
    list server '8.8.4.4'
    list server '8.8.8.8'
    list server '2001:4860:4860::8844'
    list server '2001:4860:4860::8888'
    list server '8.8.4.4'
    list server '8.8.8.8'
    list server '2001:4860:4860::8844'
    list server '2001:4860:4860::8888'
    list server '8.8.4.4'
    list server '8.8.8.8'
    list server '2001:4860:4860::8844'
    list server '2001:4860:4860::8888'
    list server '8.8.4.4'
    list server '8.8.8.8'
    list server '2001:4860:4860::8844'
    list server '2001:4860:4860::8888'
    option zone_name '.'

config zone 'fwd_cloudflare'
    option enabled '0'
    option fallback '1'
    option tls_index 'cloudflare-dns.com'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '1.1.1.1'
    list server '1.0.0.1'
    list server '2606:4700:4700::1111'
    list server '2606:4700:4700::1001'
    list server '1.1.1.1'
    list server '1.0.0.1'
    list server '2606:4700:4700::1111'
    list server '2606:4700:4700::1001'
    list server '1.1.1.1'
    list server '1.0.0.1'
    list server '2606:4700:4700::1111'
    list server '2606:4700:4700::1001'
    list server '1.1.1.1'
    list server '1.0.0.1'
    list server '2606:4700:4700::1111'
    list server '2606:4700:4700::1001'
    list server '1.1.1.1'
    list server '1.0.0.1'
    list server '2606:4700:4700::1111'
    list server '2606:4700:4700::1001'
    list server '1.1.1.1'
    list server '1.0.0.1'
    list server '2606:4700:4700::1111'
    list server '2606:4700:4700::1001'
    list server '1.1.1.1'
    list server '1.0.0.1'
    list server '2606:4700:4700::1111'
    list server '2606:4700:4700::1001'
    list server '1.1.1.1'
    list server '1.0.0.1'
    list server '2606:4700:4700::1111'
    list server '2606:4700:4700::1001'
    list server '1.1.1.1'
    list server '1.0.0.1'
    list server '2606:4700:4700::1111'
    list server '2606:4700:4700::1001'
    list server '1.1.1.1'
    list server '1.0.0.1'
    list server '2606:4700:4700::1111'
    list server '2606:4700:4700::1001'
    option zone_name '.'

config zone 'fwd_adguard_family'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns-family.adguard.com'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '176.103.130.132'
    list server '176.103.130.134'
    option zone_name '.'

config zone 'fwd_adguard_standard'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns.adguard.com'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '176.103.130.130'
    list server '176.103.130.131'
    option zone_name '.'

config zone 'fwd_cloudflare_family'
    option enabled '0'
    option fallback '1'
    option tls_index 'family.cloudflare-dns.com'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '1.1.1.3'
    list server '1.0.0.3'
    option zone_name '.'

config zone 'fwd_cloudflare_malware'
    option enabled '0'
    option fallback '1'
    option tls_index 'security.cloudflare-dns.com'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '1.1.1.2'
    list server '1.0.0.2'
    option zone_name '.'

config zone 'fwd_odvr'
    option enabled '0'
    option fallback '1'
    option tls_index 'odvr.nic.cz'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '193.17.47.1'
    list server '185.43.135.1'
    option zone_name '.'

config zone 'fwd_libredns'
    option enabled '0'
    option fallback '1'
    option tls_index 'doh.libredns.gr'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '116.202.176.26'
    option zone_name '.'

config zone 'fwd_quad9_recommended'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns.quad9.net'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '9.9.9.9'
    list server '149.112.112.112'
    option zone_name '.'

config zone 'fwd_quad9_unsecured'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns10.quad9.net'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '9.9.9.10'
    list server '149.112.112.10'
    option zone_name '.'

config zone 'fwd_quad9_ecs'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns11.quad9.net'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '9.9.9.11'
    list server '149.112.112.11'
    option zone_name '.'

config zone 'fwd_quad9_secured'
    option enabled '0'
    option fallback '1'
    option tls_index 'dns9.quad9.net'
    option tls_upstream '1'
    option zone_type 'forward_zone'
    list server '9.9.9.9'
    list server '149.112.112.9'
    option zone_name '.'

[Kalimeiro]

ok, i found a second problem, when i have upgrade my vps 0.1027-test with the latest github push, shorewall not correctly apply all new configuration like autohelpers=no, i have check and set manually, restart shorewall, and i can now nslookup and ping correctly.

I need to wait few hours to see if this resolved definitively the problem.

[Kalimeiro]

only tcinterfaces and policy files have been correctly apply with the vps script, not all others files.

[Kalimeiro]

many few hours later, it's OK.

[Ysurac]

I'm not able to reproduce the issue with DNS configuration. Do you have DNS working from the router ? (with a ping google.fr via SSH on the router for example) Do you use IPv6 or not ?

[Kalimeiro]

Now, yes i can ping and nslookup directly on OMR through SSH or WEB UI, and with my computer too. But it's the configuration of shorewall which solve the issue.

i have execute the debian10 script to update my 0.1027-test and only 2 files on shorewall has been update (tcinterfaces and policy). i have update manually all others files, restart shorewall, and instantly DNS lookup and ping works.

yes i use ipv6 from OMR but i don't use IPV6 from WAN to established proxy and vpn, because i have trouble and either I don't know how to configure an IPV6 network on the WAN interfaces, or there are OMR bugs.

[Kalimeiro]

[Ysurac]

I found the issue in VPS script, I will solve it.

[Kalimeiro]

for information, on a clean install of debian and install script VPS, it's OK.

we have the problem just when we upgrade the VPS.

[Ysurac]

Should be fixed now.