Solved RT-AC68U: In-router DNS resolution issues

[Llimona]

Note: Originally misclicked and created this thread way too early while starting to write it. Most of the content has been edited in. Apologies!

Running Merlin: 386.3_2

I have my network setup to use a pihole DNS filter. The Asus router advertises the pihole's local IP as a DNS server on DHCP and that works perfectly fine for all the devices within the network, except the router itself.

Anything within the router cannot resolve domains, this prevents things like OpenVPN clients, DDNS or even firmware update checks from working.

The way I have the DNS setup is (striken-through settings have been corrected based on suggestions from replies!):

LAN / DHCP Server / DNS and WINS Server Setting

• DNS Server 1: pihole's local ip
• DNS Server 2: pihole's local ip
• Advertise router's IP in addition to user-specified DNS: No
• WINS Server: (blank)

LAN / DNS Filter

• Enable DNS-based Filtering: On
• Global Filter Mode: Router
• Custom (user-defined) DNS 1: (blank)
• Custom (user-defined) DNS 2: (blank)
• Custom (user-defined) DNS 3: (blank)
• Client List:
  • pihole's MAC (No filter)

WAN / WAN DNS Setting
Tried many combinations of these to no avail. That's what I expected the router's requests to rely on but that might be a terrible assumption.

• Connect to DNS Server automatically: No
• DNS Server1: 1.1.1.1 (Cloudflare)
• DNS Server2: 1.1.1.2 1.0.0.1 (Cloudflare)
• Forward local domain queries to upstream DNS: Yes No
• Enable DNS Rebind protection: Yes
• Enable DNSSEC support: Yes
• Validate unsigned DNSSEC replies: Yes
• Prevent client auto DoH: Auto
• DNS Privacy Protocol: None

Example Log Extract

May  6 10:17:00 ovpn-client1[3043]: RESOLVE: Cannot resolve host address: <myvpnserverdomain : port> (Name or service not known)

Solution
If you are using dual WAN... make sure that you are editing the WAN DNS settings for the right WAN. /facepalm

 

[Crimliar]

Where have you set the router up to look for pihole? The WAN>Internet settings should be pointing to either your ISPs or Third-Party (Google, Cloudflare etc) DNS server. You should then set the LAN>DHCP server to point at the pihole.

That should work, save for a couple of failed attempts to run Diversion on my RT-AC86U it's been my set up for the last few years, and happily works with OpenVPN clients/servers, DDNS, and even Instant Guard.

 

[Llimona]

Where have you set the router up to look for pihole? The WAN>Internet settings should be pointing to either your ISPs or Third-Party (Google, Cloudflare etc) DNS server. You should then set the LAN>DHCP server to point at the pihole.

That should work, save for a couple of failed attempts to run Diversion on my RT-AC86U it's been my set up for the last few years, and happily works with OpenVPN clients/servers, DDNS, and even Instant Guard.

Thank you! Added the writeup of the settings. I believe they are set up as you suggest?

 

[dave14305]

The second Cloudflare entry should be 1.0.0.1. “Forward local domain queries to upstream DNS” should be No.

But those 2 points shouldn’t break the router using DNS. Something else is wrong, or Cloudflare is blocked somehow.

 

[Crimliar]

Couple of things to take note on:
You don't need to be using the LAN DNS filter page at all, you can turn that off, the pihole is already going to be filtering for you. *It has it's uses, but atm seem superfluous!

Forward local domain queries to upstream DNS: NO
Other than in very special circumstances this does nothing useful!

User either:
1.1.1.1 and 1.0.0.1 (unfiltered)
1.1.1.2 and 1.0.0.2 (filtered)

*Not sure that is going to fix the issue - I would still have expected it to be working!

 

[dave14305]

You don't need to be using the LAN DNS filter page at all, you can turn that off, the pihole is already going to be filtering for you. *It has it's uses, but atm seem superfluous!

DNS Filter is a firewall mechanism to prevent LAN clients from bypassing the chosen DNS service. Pi-Hole does not replace that.

 

[bennor]

WAN / WAN DNS Setting

• DNS Server1: 1.1.1.1 (Cloudflare)
• DNS Server2: 1.1.1.2 (Cloudflare)
• Forward local domain queries to upstream DNS: Yes

Like others indicated, use Cloudflare's 1.0.0.1 for the second DNS Server. And set Forward local domain queries to upstream DNS to No. My setup is similar with Pi-Hole, and there are no issues with the router checking for firmware updates.

 

[bennor]

You don't need to be using the LAN DNS filter page at all, you can turn that off, the pihole is already going to be filtering for you.

Generally, yes you do want to enable DNSFilter and configure it properly if using Pi-Hole. There are devices that have their own DNS servers hard coded, or if a client manually configures their own DNS servers. They will typically bypass Pi-Hole if you don't enable DNSFilter.

 

[Llimona]

Thank you for all the suggestions. Updated the WAN DNS settings according to the suggestions (edited the post to reflect the changes). The router is still not able to resolve domains, though. :/

 

[Llimona]

The second Cloudflare entry should be 1.0.0.1. “Forward local domain queries to upstream DNS” should be No.

But those 2 points shouldn’t break the router using DNS. Something else is wrong, or Cloudflare is blocked somehow.

Updated that! The Cloudflare IPs are reachable (pingable) from LAN devices if that's meaningful.

 

[Crimliar]

DNS Filter is a firewall mechanism to prevent LAN clients from bypassing the chosen DNS service. Pi-Hole does not replace that.

With no MAC addresses set to be filtered, it is doing nothing and is superfluous!

 

[bennor]

Thank you for all the suggestions. Updated the WAN DNS settings according to the suggestions (edited the post to reflect the changes). The router is still not able to resolve domains, though. :/

Then you have a configuration issue somewhere else. Check your Pi-Hole settings. What are you using for upstream servers in Pi-Hole? Can you ping a website from the device running the Pi-Hole? For that matter what device is running Pi-Hole? Is that device configured properly and is the Pi-Hole using the correct interface?

 

[ColinTaylor]

With no MAC addresses set to be filtered, it is doing nothing and is superfluous!

Look again. He has Global Filter Mode set to Router and only the pihole's MAC set to No filter.

 

[Llimona]

Then you have a configuration issue somewhere else. Check your Pi-Hole settings. What are you using for upstream servers in Pi-Hole? Can you ping a website from the device running the Pi-Hole? For that matter what device is running Pi-Hole? Is that device configured properly and is the Pi-Hole using the correct interface?

The device is a Synology NAS, pihole is running within a Docker container. The device has internet access from both the host and the container (the latter just checked by updating pihole's blacklist).

The pihole is using Google's DNS as the upstream (which I believe to be the default?). Will probably be updating that to Cloudflare's.

 

[bennor]

Couple of things to check on the Synology server. Make sure the Synology isn't configured to block certain network clients or certain IP address ranges. You may need to change the Pi-Hole setting "Interface listening behavior" to "Listen on all interfaces, permit all origins" for VPN connections to work right (see this posting on setting up Pi-Hole on Synology).

 

[Llimona]

Couple of things to check on the Synology server. Make sure the Synology isn't configured to block certain network clients or certain IP address ranges. You may need to change the Pi-Hole setting "Interface listening behavior" to "Listen on all interfaces, permit all origins" for VPN connections to work right (see this posting on setting up Pi-Hole on Synology).

Just tried that to no avail. :/
Temporarily disabled these as well:

• Never forward non-FQDNs
• Never forward reverse lookups for private IP ranges

 

[dave14305]

Just focus on the router being able to resolve names. Is the VPN client name unique to you? Any reason you can’t share the output of nslookup of that domain from the router?

 

[Llimona]

Just focus on the router being able to resolve names. Is the VPN client name unique to you? Any reason you can’t share the output of nslookup of that domain from the router?

Yes, that domain is unique to me. But the problem is the inability of the router to resolve any domains (while every other device in the LAN does fine).

For example:

admin@RT-AC68P-2960:/tmp/home/root# nslookup google.com
Server:    192.168.1.254
Address 1: 192.168.1.254

nslookup: can't resolve 'google.com'

No idea what that .254 address is about. None of the devices I'm aware of has that address.

 

[bennor]

Yes, that domain is unique to me. But the problem is the inability of the router to resolve any domains (while every other device in the LAN does fine).

For example:

admin@RT-AC68P-2960:/tmp/home/root# nslookup google.com
Server:    192.168.1.254
Address 1: 192.168.1.254

nslookup: can't resolve 'google.com'

No idea what that .254 address is about. None of the devices I'm aware of has that address.

Do you have a broadband modem (or router) or some other ISP provider equipment upstream from the Asus router? Do you have any active VPN connections (or Tor) initiated from within the Asus-Merlin interface?

 

[dave14305]

Yes, that domain is unique to me. But the problem is the inability of the router to resolve any domains (while every other device in the LAN does fine).

For example:

admin@RT-AC68P-2960:/tmp/home/root# nslookup google.com
Server:    192.168.1.254
Address 1: 192.168.1.254

nslookup: can't resolve 'google.com'

No idea what that .254 address is about. None of the devices I'm aware of has that address.

Yeah, that’s messed up. Something is overwriting /etc/resolv.conf.