UDM SE Local DNS Routing Issues

Hey guys,

Hope you’re having a better day than I am!

I have a weird one today that I can’t wrap my head around.
I just migrated from pfSense to the UDM SE and everything works great except the inter-VLAN Local DNS routing.

Scenario
I have my personal network, VLAN10 and my server network, VLAN15.
The DNS Records are pointing to the IP address that lives in the VLAN15 network (e.g. 10.100.15.51).

Issue
My laptop and phones live in VLAN10, and from my laptop I’m able to resolve my services as expected, no issues there.
The problem is with my iPhone, for example: I cannot resolve my services internally. It returns a time-out from Cloudflare (where the domain name is hosted), so it seems it’s resolving externally even though there is a Local DNS Record pointing to an internal IP.

On my phone, if I dig/nslookup one of the DNS Records, it shows that it is pointing to the correct internal IP, so it is connecting to the DNS server.

On the laptop, on the other hand, like I said above, I’m able to resolve normally, BUT if I try to connect to my Emby server via the Emby app using the Local DNS Record it doesn’t connect, only if the laptop is in the same VLAN as the server (VLAN15).

To rule out the possibility of this still being a DNS issue, I deployed a PiHole and registered the Local DNS Records there, but I get the same behaviour.

I’ve tried out all the possibilities, even with wide open Firewall Rules to no avail.

Am I being very thick, or is there something else that neither I nor Ubiquiti Support are seeing?

Thank you in advance for the help!

Mauro

Instead of using DNS at all have you tried to reach your services by IP address to see if you are having the same issue?

I can access by IP without any issues. Only by DNS, which seems to be hopping directly to the external DNS instead of the internal one.

Some phones force the browser to use DNS over HTTPS

Still doesn’t explain why on the laptop I can reach the Emby server via browser but not with the Emby app, unless I’m in the same subnet as the server. This can be Emby or Infuse or any other media player app really, none of them work.

I noticed however that I have 1 out of 15 DNS records that always works on the phone.
I should mention as well that I have an Apple TV that cannot reach the server using the DNS record.

You might be onto something…
I just tested the Emby app on a Windows machine and an LG TV and it’s able to connect using the DNS record…

Isolating the issue only to Apple devices at this point. I don’t have an android to conclude this experiment but I’m sure this might be the case.

The question now is how do I fix this? Is this a Ubiquiti problem or an Apple problem? Any way to force these clients out of this split DNS behaviour?

It seems that when Apple devices query, they use type 65 (HTTPS) instead of the traditional A record over port 53. This causes whatever DNS resolver UniFi uses under the hood to not be able to respond to that request, and it redirects to the upstream DNS server.

To work around this I pointed the DNS server to PiHole, where I added a block for the following regex: .;querytype=HTTPS
Another way around this is to deploy unbound and serve those records there (most likely why I didn’t experience this issue before with pfSense).

Thank you Tom for the hint that helped point me in the right direction!

1 Like
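The diagnosis above rests on how the local resolver answers a type 65 (HTTPS) query compared with an A query for the same name. The following added example (not code from the thread or from Ubiquiti/Pi-hole) sends both queries to a resolver and classifies the pair: a healthy local override returns the A record and a clean NODATA (NOERROR with no RRs) for HTTPS, while NXDOMAIN, SERVFAIL, a time-out or an upstream HTTPS answer marks the name as worth investigating. The hostname and resolver IP passed to probe() are placeholders you supply; it uses only the standard library.

```python
import socket, struct
QTYPE = {1: "A", 28: "AAAA", 65: "HTTPS"}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype, txid=0x1234):
    """Standard recursion-desired query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(data, pos):
    # Walk labels until the root label (0) or a 0xC0xx compression pointer (2 bytes).
    while data[pos] != 0 and data[pos] & 0xC0 != 0xC0:
        pos += 1 + data[pos]
    return pos + (2 if data[pos] & 0xC0 == 0xC0 else 1)

def parse_response(data):
    """Return the rcode and the RR types found in the answer section."""
    _, flags, _, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    pos = _skip_name(data, 12) + 4  # skip QNAME, then QTYPE + QCLASS
    answers = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10 + rdlen
        answers.append(QTYPE.get(rtype, str(rtype)))
    return {"rcode": RCODE.get(flags & 0xF, str(flags & 0xF)), "answers": answers}

def classify(a_resp, https_resp):
    """A healthy local override answers A and gives NODATA (NOERROR, no RRs) for HTTPS."""
    if a_resp["rcode"] != "NOERROR" or "A" not in a_resp["answers"]:
        return "no local A record: not a type-65 problem"
    if https_resp["rcode"] == "NOERROR" and not https_resp["answers"]:
        return "ok: A answered, HTTPS gives NODATA"
    return "suspect: HTTPS query got %s %s" % (https_resp["rcode"], https_resp["answers"])

def probe(name, resolver, timeout=2.0):
    """Send A and HTTPS (type 65) queries to resolver:53 over UDP and classify the pair."""
    results = {}
    for qtype in (1, 65):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qtype), (resolver, 53))
            try:
                results[qtype] = parse_response(s.recv(4096))
            except socket.timeout:  # the time-out the original post describes
                results[qtype] = {"rcode": "TIMEOUT", "answers": []}
    return classify(results[1], results[65])
```

Run it once against the UDM (or Pi-hole) address for a name that has a Local DNS Record and once for a name that does not; a "suspect" verdict for the first is the symptom described above.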