DNS over TCP to router on guest network not working

[bbunge]

With DoT turned off:

Bridge table: broute

Bridge chain: BROUTING, entries: 16, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.101.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp --ip-dport 53 -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto tcp --ip-dport 53 -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 -j SKIPLOG
-p IPv4 -i wl1.1 --ip-dst 192.168.102.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.50.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto tcp --ip-dport 53 -j ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.50.0/24 --ip-proto tcp --ip-dport 53 -j ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.50.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 -j SKIPLOG

 

[ColinTaylor]

Thanks @bbunge

Now we need someone running 388.2_2 to confirm the TCP option is incorrectly dependent on the DoT setting (I can't I'm not running that version).

 

[dns]

Thanks @bbunge

Now we need someone running 388.2_2 to confirm the TCP option is incorrectly dependent on the DoT setting (I can't I'm not running that version).

Do you mean the version of Merlin I'm running? Just run that command with DoT off and then again with it on?

 

[dave14305]

I think you would also need to restart wireless to ensure the code runs again after disabling DNS Privacy. service restart_wireless

 

[drinkingbird]

Note that with guest wireless 1 once it passes ebtables broute it gets sent to iptables INPUT (for requests sent to the router DNS) so double check that one as well. On mine, it looks to only be accepting UDP for DNS in that chain.

On my 386.11 RT-AC1900
GW1
EBTABLES specifically blocks all TCP to the respective router interface IP/subnet
UDP is allowed via default accept (not specifically denied)
IPTABLES allows UDP DNS/53 only (and DHCP) - all TCP is dropped
So 2 layers of TCP blocking here.

GW2/3
EBTABLES specifically blocks all TCP to the respective router interface IP/subnet
UDP is allowed via default accept (not specifically denied)
IPTABLES allows all traffic, TCP and UDP
So EBTABLES denies TCP DNS, IPTABLES allows it but it never hits that
Note there is also something in the code that I haven't tracked down that blocks ARP between Guest 2/3 and the main LAN. So for anything other than the router interface, traffic does not work unless you add a static ARP to both machines. So UDP to main LAN is blocked that way, not via EBTABLES or IPTABLES (which both permit it).

Maybe newer code implements TCP/53 or maybe that is caused by some setting on the WAN DNS screen, not sure.

RT-AC1900 386.11 (no DOT or DNSSEC)

Guest Wireless 1
EBTABLES broute
-p IPv4 -i wl0.1 --ip-dst 192.168.101.1 --ip-proto icmp -j ACCEPT , pcnt = 3 -- bcnt = 639
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto icmp -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp -j DROP , pcnt = 11 -- bcnt = 664
DEFAULT ACCEPT - Allows all UDP to hit the bridge interface and pass to IPTABLES

IPTABLES INPUT (traffic destined to the router itself)
pkts bytes target prot opt in out source destination
6144 418K ACCEPT udp -- br1 any anywhere anywhere udp dpt:domain
41 13624 ACCEPT udp -- br1 any anywhere anywhere udp dpt:bootps
0 0 ACCEPT udp -- br1 any anywhere anywhere udp dpt:bootpc
50 5337 DROP all -- br1 any anywhere anywhere

Guest Wireless 2/3
EBTABLES broute
-p IPv4 -i wl0.2 --ip-dst 10.0.0.1 --ip-proto icmp -j ACCEPT , pcnt = 0 -- bcnt = 364340
-p IPv4 -i wl0.2 --ip-dst 10.0.0.0/24 --ip-proto icmp -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 -i wl0.2 --ip-dst 10.0.0.0/24 --ip-proto tcp -j DROP , pcnt = 0 -- bcnt = 260
DEFAULT ACCEPT - Allows all UDP to pass to IPTABLES

IPTABLES INPUT
pkts bytes target prot opt in out source destination
46274 7069K ACCEPT all -- br0 any anywhere anywhere state NEW

As you can see GW2/3 relies heavily on EBTABLES (and the ARP blocking) and IPTABLES essentially just permits anything, where GW1 relies a bit more on IPTABLES, the ARP blocking is not present there.