I didn’t deem this interesting or conclusive enough to write an extensive blog post, but I’ll explain the issues I was running into and the eventual resolution.
I was having issues resolving domains, specifically the *.microsoft TLD and a random *.gov website - but inconsistently, and ONLY when using Tailscale’s 100.100.100.100 magic DNS nameserver (which in my setup ultimately redirected to my pihole). The funny thing was whenever I was having these issues, if I performed a dig <problematic domain> on my WSL on the same computer, the domain would suddenly resolve! Oddly too, this seemed to happen pretty consistently while I was on a non-local network connected to Tailscale, and basically never while I was at home - but I ran into it with ALL domains this evening while testing.
The eventual fix was this: uncheck “Use DNSSEC” on my pihole. The pihole forwards any DNS requests not on a blocklist to my router, which then forwards upstream to Google DNS using DNSSEC. I couldn’t tell you enough about DNSSEC to tell you why having it enabled twice was an issue, but I could tell you that I do indeed trust my router over my LAN not to feed my pihole bogus or malicious domains, MitM on my LAN notwithstanding (god forbid).
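As an added diagnostic that is not part of the original post: a POSIX shell script that asks each hop in the chain described above (Tailscale’s 100.100.100.100, the pihole, the OpenWRT router, and the Google upstream) the same two questions with dig +dnssec, a correctly signed name and dnssec-failed.org (a public test zone whose signatures are deliberately broken), and reports per hop whether the ad flag is set, whether RRSIG records come back, and whether the broken zone is refused. That tells you at which hop validation is actually happening and where DNSSEC data gets dropped. The PIHOLE and ROUTER addresses are placeholders (assumptions, override them from the environment); the canned dig transcripts at the bottom are constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Asks each resolver hop the same
# two questions with 'dig +dnssec' and summarises the answers, so you can see
# at which hop DNSSEC validation happens and whether RRSIG data survives.
PIHOLE="${PIHOLE:-192.168.1.2}"    # assumption: your pihole's LAN address
ROUTER="${ROUTER:-192.168.1.1}"    # assumption: your OpenWRT router's LAN address
HOPS="100.100.100.100 $PIHOLE $ROUTER 8.8.8.8"
SIGNED_NAME="${SIGNED_NAME:-example.com}"   # a correctly signed zone
BROKEN_NAME="dnssec-failed.org"             # public test zone with deliberately bad signatures

# Reduce a 'dig +dnssec' transcript (on stdin) to "STATUS ad=yes|no rrsig=yes|no".
summarize_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then status=NOANSWER; fi
    ad=no
    printf '%s\n' "$out" | grep -q '^;; flags:.* ad[ ;]' && ad=yes
    rrsig=no
    printf '%s\n' "$out" | grep -q '[[:space:]]RRSIG[[:space:]]' && rrsig=yes
    echo "$status ad=$ad rrsig=$rrsig"
}

# Decide what a hop is doing from its answers for the signed and the broken name.
classify_hop() {  # classify_hop "<summary for signed name>" "<summary for broken name>"
    case "$1|$2" in
        "NOANSWER"*|*"|NOANSWER"*)  echo "unreachable or timed out" ;;
        *"ad=yes"*"|SERVFAIL"*)     echo "validating (ad set, broken zone refused)" ;;
        *"rrsig=yes"*"|NOERROR"*)   echo "not validating, passes RRSIGs through" ;;
        *"rrsig=no"*"|NOERROR"*)    echo "not validating, DNSSEC data stripped (nothing downstream can validate)" ;;
        *)                          echo "inconclusive: $1 / $2" ;;
    esac
}

# Query one hop for one name (needs dig on the machine you run this from).
probe() {  # probe <resolver> <name>
    dig +dnssec +time=3 +tries=1 "@$1" "$2" A 2>/dev/null | summarize_dig
}

walk_chain() {
    for hop in $HOPS; do
        signed=$(probe "$hop" "$SIGNED_NAME")
        broken=$(probe "$hop" "$BROKEN_NAME")
        printf '%-16s signed: %-28s broken: %-28s -> %s\n' \
            "$hop" "$signed" "$broken" "$(classify_hop "$signed" "$broken")"
    done
}

# Constructed, abridged 'dig +dnssec' transcripts for exercising the parser offline.
CANNED_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.    300  IN  A      192.0.2.1
example.com.    300  IN  RRSIG  A 13 2 300 20250101000000 20241201000000 12345 example.com. c29tZXNpZw=='
CANNED_STRIPPED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.    300  IN  A      192.0.2.1'
CANNED_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh walk-dns.sh run    (without "run" the script only defines functions)
case "${1:-}" in run) walk_chain ;; esac
```

Run it from the Tailscale-connected machine while the problem is happening and again from home; a hop that answers the broken zone with NOERROR is not validating, and a hop that returns no RRSIGs for the signed name gives whatever sits downstream of it nothing to validate.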
One of the things I did during the troubleshooting process was disable DNSSEC and re-enable it on my OpenWRT router, which I had done several months prior, right before I started documenting, and so now is as good a time as any to record what I did.
Side note, I just purchased a Protectli v1211 to serve as an OPNsense firewall + router, and I plan to turn my OpenWRT router into a simple single-purpose WAP, so what I am recording here will likely be outmoded in a month or two, but regardless - here it is.
A note before I begin: all configuration is done via the luci web interface, I haven’t delved deep enough to figure my way around the uci CLI interface - counter to my usual approach to things, I know.
DNSSEC setup on OpenWRT
System → Software
- Update lists
- Search for ‘stubby’, install it
Use localhost as DNS on the LAN interface
Network → Interfaces → lan → Advanced Settings
- Use custom DNS servers
127.0.0.1
0::1
- DNS weight: 20
Note: For the WAN and WAN6 interfaces, you must use an upstream DNS provider that supports DNSSEC. I opted for Google DNS.
Use custom upstream IPv4 DNS on the WAN interface
Network → Interfaces → wan → Advanced Settings
- Use custom DNS servers
8.8.8.8
8.8.4.4
- DNS weight: 50
Use custom upstream IPv6 DNS on the WAN6 interface
Network → Interfaces → wan6 → Advanced Settings
- Use custom DNS servers
2001:4860:4860::8888
2001:4860:4860::8844
- DNS weight: 55
Network → DHCP and DNS → Forwards
0::1#5453
127.0.0.1#5453
Network → DHCP and DNS → Resolv & Hosts Files
- Ignore resolv file: checked
- Strict order: checked
“Normal” DNS setup on OpenWRT
Basically, revert the previous options. Some of these might be fine if left as is, but I reverted them to the defaults if I was unsure. OpenWRT seems to come with sane defaults and they were working before I enabled DNSSEC.
You can still use custom upstream DNS on the WAN interfaces, but make sure to remove:
- localhost DNS on the LAN interface and its DNS weight
- localhost DNS forwards under Network → DHCP and DNS → Forwards
- Uncheck “Ignore resolv file” and “Strict order” under Network → DHCP and DNS → Resolv & Hosts files
- I also uninstalled stubby to be on the safe side
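Since the post only covers the luci clicks, here is an added example (mine, not the post’s, and not an official OpenWRT script) of the same DNSSEC setup and the revert above expressed as uci commands, so it can be applied or undone over SSH in one go. The mapping from luci labels to uci option names is my assumption: “Use custom DNS servers” → peerdns=0 plus the dns list, “DNS weight” → dns_metric, the Forwards page → dhcp.@dnsmasq[0].server, and the two checkboxes → noresolv and strictorder; 127.0.0.1#5453 and 0::1#5453 are the ports stubby listens on by default. The revert deliberately keeps any non-loopback forwards you may have added, which is what the filter helper is for. Note that the TLS upstreams stubby itself talks to are set in /etc/config/stubby, separately from the WAN DNS servers.

```shell
#!/bin/sh
# Added example, not from the original post: uci equivalents of the luci steps.
# Assumed option names: network.<if>.dns / dns_metric / peerdns,
# dhcp.@dnsmasq[0].server / noresolv / strictorder. Run on the router as root:
#   sh dnssec-uci.sh apply     or     sh dnssec-uci.sh revert

# True when a dnsmasq 'server' entry points at a loopback listener (stubby).
is_localhost_forward() {
    case "$1" in
        "127.0.0.1#"*|"0::1#"*|"::1#"*|127.0.0.1|0::1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Filter a whitespace-separated list of forwards, keeping only non-loopback ones,
# so a revert does not throw away other custom forwards you may have configured.
strip_localhost_forwards() {
    keep=""
    for entry in $1; do
        is_localhost_forward "$entry" || keep="$keep $entry"
    done
    printf '%s\n' "${keep# }"
}

apply_dnssec() {
    opkg update && opkg install stubby
    /etc/init.d/stubby enable && /etc/init.d/stubby start
    # LAN: the router answers DNS itself (dnsmasq), which forwards to stubby.
    uci -q delete network.lan.dns
    uci add_list network.lan.dns='127.0.0.1'
    uci add_list network.lan.dns='0::1'
    uci set network.lan.dns_metric='20'
    # WAN/WAN6: ignore ISP-advertised resolvers, use a DNSSEC-capable upstream.
    uci set network.wan.peerdns='0'
    uci -q delete network.wan.dns
    uci add_list network.wan.dns='8.8.8.8'
    uci add_list network.wan.dns='8.8.4.4'
    uci set network.wan.dns_metric='50'
    uci set network.wan6.peerdns='0'
    uci -q delete network.wan6.dns
    uci add_list network.wan6.dns='2001:4860:4860::8888'
    uci add_list network.wan6.dns='2001:4860:4860::8844'
    uci set network.wan6.dns_metric='55'
    # dnsmasq: forward everything to stubby's listeners, ignore the resolv file,
    # and query forwards strictly in the order listed.
    uci -q delete 'dhcp.@dnsmasq[0].server'
    uci add_list 'dhcp.@dnsmasq[0].server=0::1#5453'
    uci add_list 'dhcp.@dnsmasq[0].server=127.0.0.1#5453'
    uci set 'dhcp.@dnsmasq[0].noresolv=1'
    uci set 'dhcp.@dnsmasq[0].strictorder=1'
    uci commit network && uci commit dhcp
    /etc/init.d/network restart && /etc/init.d/dnsmasq restart
}

revert_dnssec() {
    # Custom WAN upstreams may stay; only the LAN localhost DNS, the loopback
    # forwards and the two dnsmasq checkboxes go back to defaults.
    uci -q delete network.lan.dns
    uci -q delete network.lan.dns_metric
    current=$(uci -q get 'dhcp.@dnsmasq[0].server' || true)
    uci -q delete 'dhcp.@dnsmasq[0].server'
    for entry in $(strip_localhost_forwards "$current"); do
        uci add_list "dhcp.@dnsmasq[0].server=$entry"
    done
    uci -q delete 'dhcp.@dnsmasq[0].noresolv'
    uci -q delete 'dhcp.@dnsmasq[0].strictorder'
    uci commit network && uci commit dhcp
    /etc/init.d/network restart && /etc/init.d/dnsmasq restart
    /etc/init.d/stubby stop; /etc/init.d/stubby disable
    opkg remove stubby
}

case "${1:-}" in
    apply)  apply_dnssec ;;
    revert) revert_dnssec ;;
esac
```

Before committing it is worth running `uci changes` to eyeball the diff against what luci shows; `uci revert network` and `uci revert dhcp` discard uncommitted changes if something looks off.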
EOF