Private DNS behind NAT and Back to Home VPN

Hello,

I have my own Private DNS instance (AdGuard Home) which I NAT over Mikrotik on port 853. On my phone under Private DNS I have my domain that points to the Mikrotik WAN address. It is working correctly until I enable the Back to Home connection on my phone. I get a message that the Private DNS address is not reachable.

How can I debug and resolve this? I would appreciate all the help.

Firewall rules:

add action=accept chain=input comment="DNS over TLS" dst-port=853 protocol=\
    tcp
add action=accept chain=forward comment="DNS over TLS" dst-port=853 protocol=\
    tcp

NAT rules:

add action=dst-nat chain=dstnat comment="AdGuard DNS over TLS" disabled=yes \
    dst-address=!192.168.28.0/24 dst-address-type="" dst-port=853 protocol=\
    tcp to-addresses=192.168.28.21 to-ports=853
add action=dst-nat chain=dstnat comment="AdGuard DNS over TLS" dst-address=\
    !192.168.28.0/24 dst-address-type="" dst-port=853 protocol=tcp \
    src-address-list=T2_supernet to-addresses=192.168.28.21 to-ports=853
add action=dst-nat chain=dstnat comment="AdGuard DNS over TLS" dst-address=\
    !192.168.28.0/24 dst-address-type="" dst-port=853 protocol=tcp \
    src-address-list="Ekonomska statika" to-addresses=192.168.28.21 to-ports=\
    853

Thank you.
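One way to debug the "not reachable" symptom is to probe the DoT endpoint the same way the phone does, once from the LAN and once with the BTH tunnel up, and compare which path fails. The script below is an added example written for this thread, not code from the original post, from AdGuard Home or from MikroTik. It resolves nothing by itself beyond what you pass on the command line: the resolver address and the Private DNS hostname are placeholders, and port 853 is the one from the NAT rules above. It opens TLS with SNI set to the Private DNS hostname, verifies the certificate chain, and sends one length-prefixed A query as RFC 7858 specifies, so a failure tells you whether it is TCP/NAT (connect error), the certificate (TLS error) or the resolver (bad DNS answer).

```python
"""DNS-over-TLS (RFC 7858) reachability probe for debugging a Private DNS
endpoint. Added example for this thread; the hostnames and addresses given
on the command line are placeholders, not values from the original post."""
import random
import socket
import ssl
import struct
from typing import Dict, List, Tuple


def build_query(qname: str, qtype: int = 1) -> Tuple[int, bytes]:
    """Return (txid, wire) for a standard recursive query (qtype 1 = A)."""
    txid = random.randrange(0, 0x10000)
    # flags 0x0100: RD set; one question, no answer/authority/additional
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return txid, header + question


def _skip_name(wire: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = wire[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return pos + 2
        pos += 1 + length


def parse_response(txid: int, wire: bytes) -> Dict[str, object]:
    """Check the transaction id, return rcode and any A records in the answer."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    pos = 12
    for _ in range(qd):  # skip echoed question(s): name + type + class
        pos = _skip_name(wire, pos) + 4
    records: List[str] = []
    for _ in range(an):
        pos = _skip_name(wire, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        pos += 10
        rdata = wire[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            records.append(socket.inet_ntoa(rdata))
    return {"rcode": rcode, "a_records": records}


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full DoT message")
        buf += chunk
    return buf


def dot_probe(resolver: str, server_name: str, qname: str,
              timeout: float = 5.0) -> Dict[str, object]:
    """Connect to resolver:853, verify the certificate against server_name
    (the Private DNS hostname the phone uses) and run one A query.
    This is the only function that touches the network."""
    ctx = ssl.create_default_context()  # system CA store, hostname checked
    txid, query = build_query(qname)
    with socket.create_connection((resolver, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            (rlen,) = struct.unpack("!H", _recv_exact(tls, 2))
            result = parse_response(txid, _recv_exact(tls, rlen))
            result["tls_version"] = tls.version()
            result["peer_cert_subject"] = tls.getpeercert().get("subject")
            return result


if __name__ == "__main__":
    import sys
    # usage: python dot_probe.py <resolver-ip-or-host> <private-dns-hostname> [qname]
    # placeholders: <resolver-ip-or-host> is the WAN address from the LAN side or the
    # BTH-side address of the router when the tunnel is up.
    if len(sys.argv) < 3:
        sys.exit("usage: dot_probe.py RESOLVER SERVER_NAME [QNAME]")
    name = sys.argv[3] if len(sys.argv) > 3 else "example.com"
    print(dot_probe(sys.argv[1], sys.argv[2], name))
```

Run it once from the LAN and once with the BTH tunnel connected. A connect timeout on the second run points at the NAT/firewall path (for example the BTH subnet missing from the address list the dst-nat rule matches on), a certificate error points at the name the phone presents versus the name on AdGuard's certificate, and a non-zero rcode or empty answer points at the resolver itself.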

Does at least one of the address lists contain the BTH subnet address? If not, add it.

I have added the BTH subnet 192.168.216.0/24 to the T2_supernet access list. Sadly it did not help.

Then try and add the DNS server in the BTH App config:

Create/Select Tunnel → ⋮ → DNS Server

Ha. I have removed the IP 192.168.261.1 under DNS server in my tunnel settings on the phone, and Private DNS started working and I can see AdGuard catching the domain resolving. Is this the correct way? To remove the "optional" DNS server from the tunnel config? Does it make sense?

Yes, it makes a lot of sense and in your case it's the correct way. After all, it says it's optional 🙂

But why did it not access my Private DNS domain if I set the DNS to the Mikrotik BTH IP address (192.168.216.1)? All DNS resolving goes over the Private DNS address, and if the tunnel has DNS set to the BTH address it should still resolve it. Sorry, I just want to understand the changes I make 🙂.

I assume there is a conflict between the Private DNS you've set up and the one in the BTH settings, because both point to the server (one through WAN and one through the WG subnet). When you connect to BTH, it is as if you're on the LAN level, so one connection to WAN and one to LAN would result in the aforementioned conflict.