DNS on Wireguard through wrong interface
On my client, DNS worked until I enabled Wireguard. Queries should have been routed through the Wireguard tunnel to the DNS server (10.5.0.1 below), but they weren't - or they were, and they were hitting a dead end!
So I ssh'd into the Wireguard server and checked how DNS resolution was being routed.
(Just a reminder: 10.100.100.1/24 is the Wireguard subnet and 10.5.0.1/24 is the router the Wireguard server is attached to.)
It turns out the problem was having DNS defined under wg-net! I'm pretty sure it was leaving the Wireguard server confused about which interface to use for DNS queries.
So I removed the DNS line from the config and confirmed it was gone:
$ sudo resolvectl status
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 10.5.0.1
         DNS Servers: 10.5.0.1
Fallback DNS Servers: 1.1.1.1

Link 2 (eth0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.5.0.1
       DNS Servers: 10.5.0.1

Link 3 (wg-net)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
And DNS was now working when I was connected to Wireguard!
Why DNS was originally broken under Wireguard
I had included DNS = 10.5.0.1 in my wg-net.conf file thinking it was needed. Turns out it was not only unnecessary but the root of my issues!
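As an added example (not code from the original post), here is a small POSIX shell script that mechanises the two checks done by hand above: whether a wg-quick config still carries a DNS= line under [Interface], and which links resolvectl reports DNS servers on. The config contents, key placeholders and resolvectl output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks that mechanise what
# the post did by hand. Config contents, key placeholders and resolvectl
# output below are constructed for this example.

# Constructed wg-quick config in the "before" state (DNS= under [Interface]).
WG_CONF_BEFORE='[Interface]
Address = 10.100.100.1/24
ListenPort = 51820
PrivateKey = <server-private-key-placeholder>
DNS = 10.5.0.1

[Peer]
PublicKey = <client-public-key-placeholder>
AllowedIPs = 10.100.100.2/32'

# Same config with the DNS= line removed, i.e. the "after" state.
WG_CONF_AFTER=$(printf '%s\n' "$WG_CONF_BEFORE" | grep -v '^[[:space:]]*DNS[[:space:]]*=')

# has_interface_dns: exit 0 if the [Interface] section of the config on stdin
# carries a DNS= line (wg-quick then pushes that resolver onto the wg link).
has_interface_dns() {
    awk '
        /^\[/ { in_iface = ($0 == "[Interface]") }
        in_iface && /^[[:space:]]*DNS[[:space:]]*=/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed, abridged resolvectl status output as seen after the fix.
RESOLVECTL_OUT='Global
       DNS Servers: 10.5.0.1

Link 2 (eth0)
       DNS Servers: 10.5.0.1

Link 3 (wg-net)
    Current Scopes: none'

# links_with_dns: print each link (excluding Global) that resolvectl reports
# DNS servers on; the WireGuard link showing up here means DNS= is back.
links_with_dns() {
    awk '
        /^Link [0-9]+ \(/ { link = $0; sub(/^Link [0-9]+ \(/, "", link); sub(/\)$/, "", link) }
        /^Global/ { link = "" }
        link != "" && /DNS Servers:/ { print link }
    '
}
printf '%s\n' "$WG_CONF_BEFORE" | has_interface_dns && echo "before: DNS= present under [Interface]"
```

Run it against a real server by replacing the constructed strings with `cat /etc/wireguard/wg-net.conf` and `resolvectl status`.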