
DNS over TCP to router on guest network not working


With DoT turned off:

Code:
Bridge table: broute

Bridge chain: BROUTING, entries: 16, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.101.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp --ip-dport 53 -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto tcp --ip-dport 53 -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 -j SKIPLOG
-p IPv4 -i wl1.1 --ip-dst 192.168.102.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.50.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto tcp --ip-dport 53 -j ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.50.0/24 --ip-proto tcp --ip-dport 53 -j ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.50.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 -j SKIPLOG
 
Thanks @bbunge

Now we need someone running 388.2_2 to confirm the TCP option is incorrectly dependent on the DoT setting (I can't, I'm not running that version).
 
Do you mean the version of Merlin I'm running? Just run that command with DoT off and then again with it on?
 
I think you would also need to restart wireless to ensure the code runs again after disabling DNS Privacy.

Code:
service restart_wireless
 
Note that with guest wireless 1 once it passes ebtables broute it gets sent to iptables INPUT (for requests sent to the router DNS) so double check that one as well. On mine, it looks to only be accepting UDP for DNS in that chain.

On my 386.11 RT-AC1900
GW1
EBTABLES specifically blocks all TCP to the respective router interface IP/subnet
UDP is allowed via default accept (not specifically denied)
IPTABLES allows UDP DNS/53 only (and DHCP) - all TCP is dropped
So 2 layers of TCP blocking here.

GW2/3
EBTABLES specifically blocks all TCP to the respective router interface IP/subnet
UDP is allowed via default accept (not specifically denied)
IPTABLES allows all traffic, TCP and UDP
So EBTABLES denies TCP DNS, IPTABLES allows it but it never hits that
Note there is also something in the code that I haven't tracked down that blocks ARP between Guest 2/3 and the main LAN. So for anything other than the router interface, traffic does not work unless you add a static ARP to both machines. So UDP to main LAN is blocked that way, not via EBTABLES or IPTABLES (which both permit it).

Maybe newer code implements TCP/53 or maybe that is caused by some setting on the WAN DNS screen, not sure.

RT-AC1900 386.11 (no DOT or DNSSEC)

Guest Wireless 1
EBTABLES broute
-p IPv4 -i wl0.1 --ip-dst 192.168.101.1 --ip-proto icmp -j ACCEPT , pcnt = 3 -- bcnt = 639
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto icmp -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp -j DROP , pcnt = 11 -- bcnt = 664
DEFAULT ACCEPT - Allows all UDP to hit the bridge interface and pass to IPTABLES

IPTABLES INPUT (traffic destined to the router itself)
pkts bytes target prot opt in out source destination
6144 418K ACCEPT udp -- br1 any anywhere anywhere udp dpt:domain
41 13624 ACCEPT udp -- br1 any anywhere anywhere udp dpt:bootps
0 0 ACCEPT udp -- br1 any anywhere anywhere udp dpt:bootpc
50 5337 DROP all -- br1 any anywhere anywhere

Guest Wireless 2/3
EBTABLES broute
-p IPv4 -i wl0.2 --ip-dst 10.0.0.1 --ip-proto icmp -j ACCEPT , pcnt = 0 -- bcnt = 364340
-p IPv4 -i wl0.2 --ip-dst 10.0.0.0/24 --ip-proto icmp -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 -i wl0.2 --ip-dst 10.0.0.0/24 --ip-proto tcp -j DROP , pcnt = 0 -- bcnt = 260
DEFAULT ACCEPT - Allows all UDP to pass to IPTABLES

IPTABLES INPUT
pkts bytes target prot opt in out source destination
46274 7069K ACCEPT all -- br0 any anywhere anywhere state NEW

As you can see, GW2/3 relies heavily on EBTABLES (and the ARP blocking) and IPTABLES essentially just permits anything, whereas GW1 relies a bit more on IPTABLES; the ARP blocking is not present there.
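The two-layer check described in this post, together with the TCP/53 rules in the DoT-off listing earlier in the thread, as an added example (not code from the thread or from the Asuswrt-Merlin firmware): a small Python simulator that parses the posted ebtables broute and iptables INPUT output and walks a packet from a Guest Wireless 1 client to the router through both chains in order. The rule text is copied from the posts; first-match-wins evaluation, SKIPLOG treated as a non-terminating target, the INPUT chain policy (not shown in the thread, assumed DROP), and the Packet/check_gw1 helpers are assumptions. One caveat when reading broute output: in the ebtables broute table DROP strictly means "route this frame instead of bridging it"; the posts treat it as a block because that is the effect observed from the guest interface.

```python
"""Walk a guest-network packet through the two filter layers the thread shows:
the ebtables 'broute' BROUTING chain (first, default policy ACCEPT) and, for
traffic addressed to the router itself, the iptables INPUT chain on the guest
bridge. Added example, not code from the thread or the firmware. Rule text is
copied from the thread's posts; first-match semantics, SKIPLOG falling through,
and the INPUT policy (not shown in the thread, DROP assumed) are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    iface: str   # wireless interface the frame arrived on, e.g. wl0.1
    bridge: str  # bridge that interface belongs to, e.g. br1
    dst: str     # destination IPv4 address
    proto: str   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


EBT_RULE = re.compile(r"-p IPv4 -i (?P<iface>\S+) --ip-dst (?P<dst>\S+)"
                      r"(?: --ip-proto (?P<proto>\S+))?(?: --ip-dport (?P<dport>\d+))?"
                      r" -j (?P<target>\S+)")
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}


def parse_ebtables(text):
    """Parse 'ebtables -t broute -L' rule lines; headers and counters are ignored."""
    rules = []
    for m in filter(None, map(EBT_RULE.search, text.splitlines())):
        rules.append({"iface": m["iface"], "proto": m["proto"], "target": m["target"],
                      "net": ipaddress.ip_network(m["dst"], strict=False),
                      "dport": int(m["dport"]) if m["dport"] else None})
    return rules


def ebtables_verdict(rules, pkt, policy="ACCEPT"):
    """First matching ACCEPT/DROP wins; other targets (e.g. SKIPLOG) fall through."""
    for r in rules:
        if (r["iface"] == pkt.iface and ipaddress.ip_address(pkt.dst) in r["net"]
                and r["proto"] in (None, pkt.proto) and r["dport"] in (None, pkt.dport)
                and r["target"] in ("ACCEPT", "DROP")):
            return r["target"]
    return policy


def parse_iptables(text):
    """Parse 'iptables -vL INPUT' rows: pkts bytes target prot opt in out src dst [extras]."""
    rules = []
    for f in map(str.split, text.splitlines()):
        if len(f) < 9 or not f[0].isdigit():
            continue
        dpts = [t[4:] for t in f[9:] if t.startswith("dpt:")]
        dport = (int(dpts[0]) if dpts[0].isdigit() else PORT_NAMES[dpts[0]]) if dpts else None
        rules.append({"target": f[2], "prot": f[3], "in": f[5], "dport": dport})
    return rules


def iptables_verdict(rules, pkt, policy="DROP"):
    """First match wins; the INPUT policy is not shown in the thread (DROP assumed)."""
    for r in rules:
        if (r["in"] in ("any", pkt.bridge) and r["prot"] in ("all", pkt.proto)
                and r["dport"] in (None, pkt.dport)):
            return r["target"]
    return policy


def guest_to_router(ebt_rules, ipt_rules, pkt):
    """Return (broute verdict, INPUT verdict or None, effective result)."""
    e = ebtables_verdict(ebt_rules, pkt)
    if e == "DROP":
        return e, None, "DROP"
    i = iptables_verdict(ipt_rules, pkt)
    return e, i, i


# Rule text copied from the thread's posts (counters left in; the parsers skip them).
EBT_GW1_386 = """\
-p IPv4 -i wl0.1 --ip-dst 192.168.101.1 --ip-proto icmp -j ACCEPT , pcnt = 3 -- bcnt = 639
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto icmp -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp -j DROP , pcnt = 11 -- bcnt = 664
"""
# wl0.1 subset of the 388.2_2 'DoT off' listing, which adds a TCP/53 ACCEPT rule.
EBT_GW1_388_DOT_OFF = """\
-p IPv4 -i wl0.1 --ip-dst 192.168.101.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp --ip-dport 53 -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 -j SKIPLOG
"""
IPT_INPUT_GW1 = """\
pkts bytes target prot opt in out source destination
6144 418K ACCEPT udp -- br1 any anywhere anywhere udp dpt:domain
41 13624 ACCEPT udp -- br1 any anywhere anywhere udp dpt:bootps
0 0 ACCEPT udp -- br1 any anywhere anywhere udp dpt:bootpc
50 5337 DROP all -- br1 any anywhere anywhere
"""


def check_gw1(ebt_text, proto, dport=None):
    """Verdicts for a Guest Wireless 1 client talking to the router at 192.168.101.1."""
    pkt = Packet("wl0.1", "br1", "192.168.101.1", proto, dport)
    return guest_to_router(parse_ebtables(ebt_text), parse_iptables(IPT_INPUT_GW1), pkt)


if __name__ == "__main__":
    for label, ebt in (("386.11", EBT_GW1_386), ("388 DoT off", EBT_GW1_388_DOT_OFF)):
        for proto in ("udp", "tcp"):
            print(label, proto + "/53:", check_gw1(ebt, proto, 53))
```

Running it reproduces the point made earlier in the thread about Guest Wireless 1: UDP/53 passes both layers, TCP/53 is dropped at broute on the 386.11 rules, and with the 388 DoT-off rules TCP/53 clears ebtables but, if the br1 INPUT chain shown here is in place, is still dropped there because that chain only accepts UDP. A guest client falling back to TCP for a large answer therefore still fails until both layers permit it.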
 
