[Solved] Help troubleshooting why DNS over UDP does not reach DNS resolver
geo:
Hello,
I've reached a wall trying to troubleshoot this and hoping the community can help. I've tried searching forum posts for similar issues and haven't found any suggested fix.
I'm using OPNsense 21.1.5 (amd64) to route DNS requests to AdGuard Home (v0.106.1) installed on a raspberry pi (address 10.x.x.240) with Quad 9 as the upstream DNS resolver.
Ignoring the Guestnet VLAN to simplify the troubleshooting process, any DNS requests from my network LAN1 over UDP are not working while any DNS requests over TCP work. I can't figure out why UDP isn't working.
I've attached an image to pictorially represent my setup. For some reason UDP-based requests appear to be blocked (see error messages) while TCP-based requests.
My firewall rules are fairly basic having followed guides from homenetworkguy.com for guidance. I've attached screenshots of the firewall rules used for LAN along with NAT rules. On the WAN interface I only have rules to Block spamhaus DROP and EDROP.
On the AdGuard Home side there isn't any configuration that I've done that should be blocking requests.
Any suggestions on how to further troubleshoot this to figure out where and why UDP packets are being dropped/blocked?
Thank you,
George
rhubarb:
That NAT port forward rule seems strange. I think you might try disabling it and make sure your Outbound NAT rules are set to Automatic. Using defaults, OPNSense should hand out the DNS address given by AdGuard to the clients. You don't need a port forward rule because OPNSense will route return traffic to the host requesting DNS.
I assume AdGuard is providing an address over DHCP to OPNSense. I assume that address is private. If it is, make sure you're not blocking private addresses at the WAN level. Also, make sure that it does not interfere with the address space of your LANs.
You can put your SPAMHAUS Drop rules only once in Floating so you don't have to replicate them on every interface.
geo:
Hi rhubarb,
Thanks, will try your suggestion and remove the outbound NAT rule. The reason for the Outbound NAT rule was to enforce use of AdGuard + my choice of outbound DNS rather than permit use of other DNS providers (for example hardlinked DNS servers inside of IoT devices; I've seen a lot of requests for 8.8.8.8 from devices).
DHCP addresses are handed out by OPNsense and AdGuard gets handed a fixed IP based.
rhubarb:
--- Quote from: geo on May 03, 2021, 09:00:52 pm ---Thanks, will try your suggestion and remove the outbound NAT rule. The reason for the Outbound NAT rule was to enforce use of AdGuard + my choice of outbound DNS rather than permit use of other DNS providers (for example hardlinked DNS servers inside of IoT devices; I've seen a lot of requests for 8.8.8.8 from devices).
DHCP addresses are handed out by OPNsense and AdGuard gets handed a fixed IP based.
--- End quote ---
I think you meant remove the Port Forward WAN rule. Outbound NAT should still have a rule (likely Automatic).
That makes sense; you're doing a DNS redirect. I would disable it and get it working on a PC then work on your redirect.
wrt addresses, your WAN interface address should not be in the address space of your LANs. OPNSense lets you do this and it causes routing problems. (It happens often if AdGuard issues a 192.168.1.0/24 address and one of your LANs also uses this range.)
abulafia:
--- Quote from: geo on May 03, 2021, 02:10:22 pm ---I'm using OPNsense 21.1.5 (amd64) to route DNS requests to AdGuard Home (v0.106.1) installed on a raspberry pi (address 10.x.x.240) with Quad 9 as the upstream DNS resolver.
--- End quote ---
Why don't you install AdGuard Home (v0.106.1) directly on the OPNsense and do away with the Pi?
(1) Install mimugmail's repo (see https://www.routerperformance.net/opnsense-repo/),
(2) install the AdGuard Home plugin in OPNsense,
(3) set your OPNsense Unbound resolver to another port than 53,
(4) go to the AdGuard Home web page to configure,
(5) define your OPNsense Unbound resolver:customport as a PTR / upstream DNS server in AdGuard Home (for resolution of local names),
(6) Firewall: create floating rules to allow DNS requests to DNS (53), DoQ (784) and DoT (853); consider carefully whether to open DoH (443). NAT rules should be created automatically (I think).
Once it works, re-create the redirection of DNS requests to your local DNS.
--
As to why your original setup isn't working for UDP, not sure, but have you tried setting the "Block all external DNS" rule to Destination: !LAN1_address or temporarily disabling it? Otherwise, that rule might be blocking all traffic to port 53 (including your pihole). Try to remove that.
Can your LAN1 ping your Pi?
Is traffic back from the Pi to your LAN1 network permitted?
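A small probe to answer the questions above from a LAN1 host, added here as an example and not part of any post in this thread: it sends the same DNS query to the resolver over UDP/53 and over TCP/53 with nothing but the standard library, so the two transports can be compared on an identical packet. The resolver address and query name are placeholders you substitute; the Pi's address is assumed to be reachable on port 53 for both transports.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS A query, RD=1; fixed transaction id so the reply can be matched."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(resp, qid=0x1234):
    """Return (rcode, answer_count) from a raw DNS response header."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch: 0x%04x" % rid)
    return flags & 0x000F, an

def query_udp(resolver, name, timeout=2.0):
    """Probe over UDP/53. None means no reply in time: dropped, filtered, or not forwarded."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def query_tcp(resolver, name, timeout=2.0):
    """Probe over TCP/53; DNS over TCP prefixes every message with a 2-byte length (RFC 1035)."""
    q = build_query(name)
    try:
        with socket.create_connection((resolver, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    except OSError:  # refused, timed out, or closed early (ConnectionError is an OSError)
        return None
    return parse_response(data)

def compare_transports(resolver, name="example.com"):
    return {"udp": query_udp(resolver, name), "tcp": query_tcp(resolver, name)}  # TCP ok, UDP None => UDP/53 filtered or NAT'd
```

Run `compare_transports("10.x.x.240")` with the Pi's real address from a LAN1 client and again from the OPNsense shell: if TCP answers but UDP returns None only from the client, the drop is between LAN1 and the Pi (firewall rule or the port-forward), not in AdGuard Home.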