publicarray / spksrc

Cross-compilation framework to create native packages for Synology NAS devices
https://synocommunity.com/

DNSCrypt proxy - Serve requests outside of the LAN interface #21

Closed NeoNefarious closed 3 years ago

NeoNefarious commented 3 years ago

Setup

Package Name: dnscrypt-proxy
Package Version: 2.0.44_1

Router Model: RT2600ac
SRM version: 1.2.4-8081

Expected behavior

As a user I want to be able to query the DNS server across other subnets that are not part of the router LAN interface.

Actual behavior

All the DNS requests are being timed out.

Steps to reproduce

1. Use a main router which connects the Synology router on one interface with a different router on another interface.
2. The Synology WAN IP is 10.25.0.2 (gateway is 10.25.0.1, the main router).
3. The Synology LAN IP is 192.168.0.1 (gateway is the Synology router itself).
4. The second router WAN IP is 10.26.0.2 (gateway is 10.26.0.1, the main router).
5. The second router LAN IP is 192.168.3.1 (gateway is the second router itself).
6. Set up appropriate routes on the main router so that any device on either router's LAN interface can communicate with each other.
7. Use NSLOOKUP from any device on the second router's LAN network for www.google.com with DNS as 192.168.0.1 or 10.25.0.2.
8. The DNS requests all time out; the only successful requests are by the Synology router and its clients on the LAN network.

Sidenotes

I noticed that port 53 is in use by dnsmasq for the DHCP server of the Synology router. So, the DNS service is running on port 10053. I also tried using NSLOOKUP by specifically querying this port. I can verify by looking at the network traffic that requests arrive at the Synology router but each request times out. I do not know if this is an issue with dnscrypt, dnsmasq or the router itself. Any advice would be appreciated.

publicarray commented 3 years ago

Thanks for the report. I don't have time to investigate it today but will in the next few days, at the latest by this weekend. Just ping me if I don't get to it. Thanks.

Regarding the side note: Yes, that is correct. The install script detects if dnsmasq is running and adds a small file to the configuration to forward DNS queries to dnscrypt-proxy on the port you mentioned. Can you check the IP address dnscrypt-proxy is listening on? Is it 0.0.0.0:10053 or 127.0.0.1:10053?

publicarray commented 3 years ago

Also, would you mind checking if everything works correctly when dnscrypt-proxy is stopped and you change the DNS server to something like 1.1.1.1 in the settings? Thanks. It's just to determine if dnscrypt-proxy is actually causing the problem.

I've never had a network setup like this, so please forgive the next question. Usually nodes in different subnets can't communicate, but you've set up routes. Hmm, wouldn't it be easier to set up the second router to forward the DNS queries and manage its own DHCP for that subnet?

I think I've hit the edge of my knowledge in that area so CCing @jedisct1 if you want to weigh in.

NeoNefarious commented 3 years ago

At the moment dnscrypt-proxy is configured with this:

listen_addresses = ['0.0.0.0:10053']

Running a netstat check in an SSH session gives me this:

tcp 0 0 ::%4:10053 :::* LISTEN 17324/dnscrypt-prox
udp 0 0 ::%1:10053 :::* 17324/dnscrypt-prox

Furthermore, the Synology router and every client on the Synology LAN interface can successfully look up domains. Everything outside of the Synology router fails even if I change the DNS server in the Synology router to 1.1.1.1. This was my initial conclusion, that dnsmasq is probably refusing to respond to outside queries.

Also, the second router has its own DHCP server for its subnet. I'm currently forwarding DNS requests from the second router to 1.1.1.1 but I wanted to use the Synology router as the DNS server to leverage the custom ad-blocking capabilities and cloaking rules.

Also, thanks for the quick replies!

publicarray commented 3 years ago

Thank you for the additional information. I'll respond properly after some sleep 😴

NeoNefarious commented 3 years ago

No worries, a good rest is very important!

publicarray commented 3 years ago

Sorry, it's been a little while. My next suggestion would be to look at iptables and the firewall rules. Does the timeout happen quickly or does it take over 10 seconds? If it's short, it's likely that dnsmasq responded rather than a firewall just dropping the packet. But that is more speculation than fact. 😅 If you want, you can have a look at the dnsmasq config files. They are in /etc/dhcpd/.

The new Synology update might fix the issue:

Fixed the issue where users might fail to access devices within the same local network via Synology Router's public IP address.

https://www.synology.com/en-global/releaseNote/RT2600ac
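The distinction drawn above (a quick REFUSED from dnsmasq versus a firewall silently dropping the packet) can be checked directly instead of guessed from nslookup's behaviour. The following is an added example for this thread, not code from spksrc, dnscrypt-proxy or dnsmasq: it builds a minimal DNS A query by hand, sends it over UDP to a chosen server and port (for instance 192.168.0.1 on 10053, or 10.25.0.2 on 53, as in the report), and reports both the RCODE of any reply and how long the exchange took. The local responder at the bottom is constructed only so the script can demonstrate both outcomes offline; point `probe()` at the real router to use it for diagnosis.

```python
"""Classify how a DNS listener answers: 'answered', 'refused', 'servfail',
'nxdomain', 'timeout' or 'malformed', together with the elapsed time.

Added example for this thread; not part of spksrc or dnscrypt-proxy.
Server address, port and query name are parameters chosen by the caller.
"""
import socket
import struct
import threading
import time

RCODE_NAMES = {0: "answered", 2: "servfail", 3: "nxdomain", 5: "refused"}


def build_query(name, txid=0x1234):
    """Return the wire bytes of a single A/IN question with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, flags, QD=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_rcode(packet, txid):
    """Return (is_matching_response, rcode) from a DNS response header."""
    if len(packet) < 12:
        return False, None
    rid, flags = struct.unpack("!HH", packet[:4])
    is_response = bool(flags & 0x8000)  # QR bit
    return (rid == txid and is_response), flags & 0x000F


def probe(server, port, name="www.google.com", timeout=2.0):
    """Send one query and report {'result': ..., 'elapsed': seconds}."""
    txid = 0x4242
    query = build_query(name, txid)
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            # Nothing came back: consistent with a firewall drop, not a refusal.
            return {"result": "timeout", "elapsed": time.monotonic() - start}
    ok, rcode = parse_rcode(data, txid)
    result = RCODE_NAMES.get(rcode, "rcode=%d" % rcode) if ok else "malformed"
    return {"result": result, "elapsed": time.monotonic() - start}


def start_fake_responder(rcode, respond=True):
    """Constructed local stand-in for the router: echoes the query ID with the
    given RCODE, or stays silent (respond=False) to imitate dropped packets.
    Returns (port, stop) where stop() shuts the responder down."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.1)
    port = sock.getsockname()[1]
    stop_event = threading.Event()

    def serve():
        while not stop_event.is_set():
            try:
                data, addr = sock.recvfrom(512)
            except socket.timeout:
                continue
            if respond and len(data) >= 12:
                txid = struct.unpack("!H", data[:2])[0]
                flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus RCODE
                reply = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + data[12:]
                sock.sendto(reply, addr)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop_event.set


def demo():
    """Run the two cases against local responders; returns both results."""
    out = {}
    port, stop = start_fake_responder(5)            # dnsmasq-style REFUSED
    out["refused"] = probe("127.0.0.1", port, timeout=1.0)
    stop()
    port, stop = start_fake_responder(0, respond=False)  # silent, like a drop
    out["timeout"] = probe("127.0.0.1", port, timeout=0.5)
    stop()
    return out


if __name__ == "__main__":
    for case, info in demo().items():
        print("%-8s %-9s %.3fs" % (case, info["result"], info["elapsed"]))
```

A fast `refused` means the query reached dnsmasq and it declined (typically because the packet arrived on an interface or address it is not configured to serve); a `timeout` that lasts the full timeout means no reply ever left the router, which points at a firewall rule or routing rather than at dnsmasq's configuration.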

NeoNefarious commented 3 years ago

I installed the new update but it's still the same issue. I took a look at the files in /etc/dhcpd/ and found configurations for the local interfaces but none for the WAN interface of the router itself.

If I forcefully rewrite requests of port 53 to port 10053 of the Synology Router WAN IP then the requests are successfully resolved.

Should dnsmasq be configured to listen on 0.0.0.0:53 so that it can properly respond to queries from outside the LAN interfaces? If yes, then where could I find this config file?

publicarray commented 3 years ago

You could create 2 new files in /etc/dhcpd/:

/etc/dhcpd/dhcpd-vendor-vendor.conf

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP on it.
no-dhcp-interface=

dhcpd-vendor-vendor.info

enable=yes

Restart dnsmasq: /etc/rc.network nat-restart-dhcp

Hope it works!

dnsmasq.conf.example

NeoNefarious commented 3 years ago

Sorry for the late reply.

As a workaround I created a port forwarding rule on the Synology router from port 53 to 10053. It seems to be working as intended for now.

Thank you for the assistance!