Solved DNS resolution works for devices, but not router itself?

[spindrift]

EDIT: Solved! I was using CIDR filtering in AdGuardHome, and set it so the only clients allowed to submit requests were:
10.0.0.0/24 # LAN subnet
10.6.0.0/24 # WireGuard subnet

...Trouble is, dnsmasq uses 127.0.0.1, so that effectively prevented the router itself from being able to make DNS queries, even though its IP was "technically" included.
It worked as soon as I added 127.0.0.1 to the allowed clients list.

Embarrassing.

---

Installed services

• AdGuardHome
• Unbound

Router config

• Device: AX86U (latest firmware)
• WAN DNS: 1.1.1.1 (Cloudflare)
• LAN DNS: Router (via DNS Director)
• IPv6: Off
• Firewall: Off
• VPN: WireGuard Server, default settings (no clients connected)

Not quite sure when this started, though I first noticed it when I was trying to change DDNS providers, and realized it was failing because the hostnames couldn't be resolved regardless of provider (logs show "Temporary failure in name resolution").
I SSH'd in and confirmed that traceroute, nslookup, ping, all forms of reaching the internet through hostnames fails, though pinging IPs works.
AdGuardHome and Unbound both seem to be doing fine as per init.d, and nothing in my dnsmasq has changed.

Interestingly, resolution works fine for devices on the network. Their DNS settings show the router (as per DNS Director), which means they should be hitting dnsmasq > unbound > adguardhome.

And since I'm using external DNS for the WAN, I'd imagine queries from the router itself should work even if the other devices weren't.

I'm sure a factory reset could fix it, but I'd prefer not to, as I finally got all my DHCP assignments and services just as I like them.

Any thoughts on where to poke next?

 

[bbunge]

Latest firmware? Latest stable firmware or latest Alpha firmware or latest Beta firmware?

Really, you turned the firewall off?

 

[spindrift]

Latest firmware? Latest stable firmware or latest Alpha firmware or latest Beta firmware?

Really, you turned the firewall off?

Latest stable—388.2_2. And yes, I turned the firewall off. Was that "really" an "are you sure you did?" or an "I can't believe you did"?

 

[Viktor Jaep]

Latest stable—388.2_2. And yes, I turned the firewall off. Was that "really" an "are you sure you did?" or an "I can't believe you did"?

Have you tried running @eibgrad's DNS monitor script, and seeing if that yields any other interesting results?

Tutorial - How to monitor DNS traffic in real-time

The following script allows for real-time monitoring of DNS on the router for the purposes of knowing what DNS servers are in use, and which network interfaces are being used. https://pastebin.com/AGNF8cC8 Overview One of the most difficult aspects of the router for users is managing DNS. DNS...

www.snbforums.com

 

[jsbeddow]

Really? Marked SOLVED, but no hints on how?

 

[spindrift]

Have you tried running @eibgrad's DNS monitor script, and seeing if that yields any other interesting results?

Tutorial - How to monitor DNS traffic in real-time

The following script allows for real-time monitoring of DNS on the router for the purposes of knowing what DNS servers are in use, and which network interfaces are being used. https://pastebin.com/AGNF8cC8 Overview One of the most difficult aspects of the router for users is managing DNS. DNS...

www.snbforums.com

Thanks for the suggestion! I was looking for a way to observe DNS traffic, so that's super helpful.
As it happens, I figured it out (details in edited post). I was using CIDR filtering on AdGuardHome to restrict queries to LAN devices, and neglected to add 127.0.0.1. Big noob moment.

 

[spindrift]

Really? Marked SOLVED, but no hints on how?

You happened to reply right between me editing the thread label and me editing the post with an explanation.

 

[ColinTaylor]

or an "I can't believe you did"?

This.

 

[spindrift]

This.

Makes sense. I disabled it awhile ago while trying to debug a service hosting issue, and forgot to re-enable it, then kept it off while I was sorting out the DNS thing. It's re-enabled now.

That said, its operation is a little opaque to me, considering I haven't configured it besides flipping it on. Do you know if it does anything besides DoS protection by default? The ASUS page is also light on details.

 

[drinkingbird]

Makes sense. I disabled it awhile ago while trying to debug a service hosting issue, and forgot to re-enable it, then kept it off while I was sorting out the DNS thing. It's re-enabled now.

That said, its operation is a little opaque to me, considering I haven't configured it besides flipping it on. Do you know if it does anything besides DoS protection by default? The ASUS page is also light on details.

It does a whole lot, in addition to all the iptables rules, it monitors state and ensures unsolicited inbound connections don't get in, provides guest network isolation, handles parts of parental controls, URL filtering, etc etc.

 

[spindrift]

It does a whole lot, in addition to all the iptables rules, it monitors state and ensures unsolicited inbound connections don't get in, provides guest network isolation, handles parts of parental controls, URL filtering, etc etc.

Appreciate it! I'll dig further into how it works, and definitely keep it running.