After DoT setup Google/Cloudflare is used instead of Quad9

Hello dear OpenWRT forum members!

I followed this official user guide to the letter and added the Quad9 servers instead of the Google and Cloudflare servers. After completing the guide the resolution went via WoodyNet which is right for Quad9. Unfortunately after a reboot of the router (Nighthawk R7800 with master build from @hnyman ) the resolution shown by dnsleaktest.com is done via Google servers.

After following the troubleshooting section of the guide I get these outputs from the commands:

root@OpenWrt:~# /etc/init.d/log restart; /etc/init.d/dnsmasq restart; /etc/init.d/stubby restart
udhcpc: started, v1.31.1
udhcpc: sending discover
udhcpc: no lease, failing

After doing this the one WoodyNet server also vanished from the dnsleak list.

Thu May 28 10:46:08 2020 daemon.info dnsmasq[2299]: exiting on receipt of SIGTERM
Thu May 28 10:46:08 2020 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Thu May 28 10:46:08 2020 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: Connected to system UBus
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: started, version 2.81 cachesize 1000
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: DNS service limited to local subnets
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: UBus support enabled: connected to system bus
Thu May 28 10:46:12 2020 daemon.info dnsmasq-dhcp[3646]: DHCP, IP range 192.168.2.100 -- 192.168.2.249, lease time 12h
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using only locally-known addresses for domain test
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using only locally-known addresses for domain onion
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using only locally-known addresses for domain localhost
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using only locally-known addresses for domain local
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using only locally-known addresses for domain invalid
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using only locally-known addresses for domain bind
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using nameserver 127.0.0.1#5054
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using nameserver 127.0.0.1#5053
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using only locally-known addresses for domain openwrt.pool.ntp.org
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using nameserver 10.10.10.254#53 for domain openwrt.pool.ntp.org
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using nameserver ::1#5453
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using nameserver 127.0.0.1#5453
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using only locally-known addresses for domain lan
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: read /etc/hosts - 4 addresses
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: read /tmp/hosts/odhcpd - 1 addresses
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Thu May 28 10:46:12 2020 daemon.info dnsmasq-dhcp[3646]: read /etc/ethers - 0 addresses
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3646/dnsmasq
tcp        0      0 192.168.2.1:53          0.0.0.0:*               LISTEN      3646/dnsmasq
tcp        0      0 10.10.10.18:53          0.0.0.0:*               LISTEN      3646/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      3646/dnsmasq
tcp        0      0 fe80::3e37:86ff:fe29:1909:53 :::*                    LISTEN      3646/dnsmasq
tcp        0      0 fe80::3e37:86ff:fe29:1908:53 :::*                    LISTEN      3646/dnsmasq
tcp        0      0 fd22:bdcd:a38d::1:53    :::*                    LISTEN      3646/dnsmasq
tcp        0      0 fe80::3e37:86ff:fe29:1908:53 :::*                    LISTEN      3646/dnsmasq
tcp        0      0 fe80::3e37:86ff:fe29:1909:53 :::*                    LISTEN      3646/dnsmasq
tcp        0      0 fe80::3e37:86ff:fe29:190a:53 :::*                    LISTEN      3646/dnsmasq
tcp        0      0 fe80::3e37:86ff:fe29:190b:53 :::*                    LISTEN      3646/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           3646/dnsmasq
udp        0      0 192.168.2.1:53          0.0.0.0:*                           3646/dnsmasq
udp        0      0 10.10.10.18:53          0.0.0.0:*                           3646/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           3646/dnsmasq
udp        0      0 ::1:53                  :::*                                3646/dnsmasq
udp        0      0 fe80::3e37:86ff:fe29:1909:53 :::*                                3646/dnsmasq
udp        0      0 fe80::3e37:86ff:fe29:1908:53 :::*                                3646/dnsmasq
udp        0      0 fd22:bdcd:a38d::1:53    :::*                                3646/dnsmasq
udp        0      0 fe80::3e37:86ff:fe29:1908:53 :::*                                3646/dnsmasq
udp        0      0 fe80::3e37:86ff:fe29:1909:53 :::*                                3646/dnsmasq
udp        0      0 fe80::3e37:86ff:fe29:190a:53 :::*                                3646/dnsmasq
udp        0      0 fe80::3e37:86ff:fe29:190b:53 :::*                                3646/dnsmasq

Thu May 28 10:46:12 2020 daemon.err stubby[3701]: [08:46:12.404248] STUBBY: Read config from file /var/etc/stubby/stubby.yml
Thu May 28 10:46:12 2020 daemon.err stubby[3701]: [08:46:12.404744] STUBBY: DNSSEC Validation is OFF
Thu May 28 10:46:12 2020 daemon.err stubby[3701]: [08:46:12.404773] STUBBY: Transport list is:
Thu May 28 10:46:12 2020 daemon.err stubby[3701]: [08:46:12.404792] STUBBY:   - TLS
Thu May 28 10:46:12 2020 daemon.err stubby[3701]: [08:46:12.404813] STUBBY: Privacy Usage Profile is Strict (Authentication required)
Thu May 28 10:46:12 2020 daemon.err stubby[3701]: [08:46:12.404834] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
Thu May 28 10:46:12 2020 daemon.err stubby[3701]: [08:46:12.404855] STUBBY: Starting DAEMON....
tcp        0      0 127.0.0.1:5453          0.0.0.0:*               LISTEN      3701/stubby
tcp        0      0 ::1:5453                :::*                    LISTEN      3701/stubby
udp        0      0 127.0.0.1:5453          0.0.0.0:*                           3701/stubby
udp        0      0 ::1:5453                :::*                                3701/stubby

root@OpenWrt:~# pgrep -f -a dnsmasq; pgrep -f -a stubby
3646 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
3701 /usr/sbin/stubby -C /var/etc/stubby/stubby.yml
root@OpenWrt:~# uci show dhcp; uci show stubby
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].doh_backup_noresolv='-1'
dhcp.@dnsmasq[0].doh_backup_server='127.0.0.1#5053' '127.0.0.1#5054'
dhcp.@dnsmasq[0].server='127.0.0.1#5453' '0::1#5453' '/openwrt.pool.ntp.org/10.10.10.254' '/openwrt.pool.ntp.org/' '127.0.0.1#5053' '127.0.0.1#5054'
dhcp.@dnsmasq[0].localuse='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_slaac='1'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
stubby.global=stubby
stubby.global.manual='0'
stubby.global.trigger='wan'
stubby.global.dns_transport='GETDNS_TRANSPORT_TLS'
stubby.global.tls_authentication='1'
stubby.global.tls_query_padding_blocksize='128'
stubby.global.appdata_dir='/var/lib/stubby'
stubby.global.edns_client_subnet_private='1'
stubby.global.idle_timeout='10000'
stubby.global.round_robin_upstreams='1'
stubby.global.listen_address='127.0.0.1@5453' '0::1@5453'
stubby.dns6a=resolver
stubby.dns6a.address='2620:fe::fe'
stubby.dns6a.tls_auth_name='dns.quad9.net'
stubby.dns6b=resolver
stubby.dns6b.address='2620:fe::9'
stubby.dns6b.tls_auth_name='dns.quad9.net'
stubby.dnsa=resolver
stubby.dnsa.address='9.9.9.9'
stubby.dnsa.tls_auth_name='dns.quad9.net'
stubby.dnsb=resolver
stubby.dnsb.address='149.112.112.112'
stubby.dnsb.tls_auth_name='dns.quad9.net'

As well as the content of my stubby.yml

# Note: by default on OpenWRT stubby configuration is handled via
# the UCI system and the file /etc/config/stubby. If you want to
# use this file to configure stubby, then set "option manual '1'"
# in /etc/config/stubby.
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/var/lib/stubby"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

In which you see that the Cloudflare servers are set instead of the specified Quad9 servers as can be seen in the output of

uci show dhcp; uci show stubby

just one box above it.

Could one of you shed some light on this?

EDIT: After executing this part again

uci -q delete dhcp.@dnsmasq[0].server
uci get stubby.global.listen_address \
| sed -e "s/\s/\n/g;s/@/#/g" \
| while read -r STUBBY_SERV
do
uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"
done

the WoodyNet servers are again the only ones used. After a reboot the Google servers are used again. The stubby.yml was unchanged and still pointing to Cloudflare, which adds to my confusion.

Directly editing /etc/config/network like below might do the trick for you - works for me. Just add the lines "list dns x.x.x.x" of course:

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        list dns '1.1.1.1'
        list dns '9.9.9.9'
        option peerdns '0'

EDIT: DO NOT DO THIS if you want to encrypt your DNS traffic. I misunderstood the question. If not useful to leave this as an example of what NOT to do, I'd be fine with a moderator just deleting this post.

Thank you for your answer, but the whole point of this exercise is to use DNS over TLS with Quad9. So an encrypted DNS query that can't be tracked, traced or altered by my ISP or anyone between my router and the DNS server.

You can use

  • Strikethrough: [s]strikethrough[/s] to correct some mistake as well.
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using nameserver 127.0.0.1#5054
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using nameserver 127.0.0.1#5053
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using only locally-known addresses for domain openwrt.pool.ntp.org
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using nameserver 10.10.10.254#53 for domain openwrt.pool.ntp.org
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using nameserver ::1#5453
Thu May 28 10:46:12 2020 daemon.info dnsmasq[3646]: using nameserver 127.0.0.1#5453

If I guess dnsmasq is using 127.0.0.1#5054 first, 127.0.0.1#5053 second, ::1#5453 3rd, 127.0.0.1#5453 last.

In the log I can also see that there is 10.10.10.18:53 and 192.168.2.1:53 listening on port 53. Is one of them the upstream server/router?

If you want stubby only, use ::1#5453 and 127.0.0.1#5453 and purge any others from the dnsmasq config.

1st Fix your DNSmasq config.

2nd Check the clients' DNS servers (what they get). If there is any other than the IP of your OpenWrt box, you don't want that. So disable any other DHCP server on your network. Make sure that on the WAN side no other DNS is accepted ("Use DNS servers advertised by peer" option in OpenWrt) and make sure that there is no other DHCP in your LAN, or use the option "Force DHCP on this network even if another server is detected".

3rd Check DNS from the client and the OpenWrt box. Don't use those webpages. Use the command dig (e.g. dig openwrt.org) instead, from the client and from OpenWrt (ssh). Install it if needed. There is also a Windows client available.

You want to have a result like:

[user@host ~]$ dig openwrt.org

; <<>> DiG 9.16.3 <<>> openwrt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57905
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;openwrt.org.                   IN      A

;; ANSWER SECTION:
openwrt.org.            600     IN      A       139.59.209.225

;; Query time: 196 msec
;; **SERVER: 192.168.1.1#53(192.168.1.1)**
;; WHEN: Do Mai 28 16:17:51 CEST 2020
;; MSG SIZE  rcvd: 56

On the client you want to have SERVER: 192.168.1.1#53(192.168.1.1) <-- or any other IP you've chosen for your OpenWrt box
On the OpenWrt box you want to have: SERVER: 127.0.0.1#53(127.0.0.1) <-- DNSmasq listening.
On IPv6 the equivalents.

Thank you for the comprehensive answer!

I tried that and it works till the next reboot. I uncommented the lines in /etc/config/dhcp and removed them with luci as described here

list server '127.0.0.1#5053'
list server '127.0.0.1#5054'

but after each boot these lines are back in the config and Google servers are back in business. I'm not sure which servers are queried via these two lines as I've also disabled

Use DNS servers advertised by peer

btw the 10.10.10.18 is the WAN address of the OpenWRT-box behind my (obligatory) campus router.

I got that already before I asked the question, that's why I don't know why the 5053 and 5054 query Google DNS servers.

Ofc it's back. You still have

dhcp.@dnsmasq[0].doh_backup_noresolv='-1'
dhcp.@dnsmasq[0].doh_backup_server='127.0.0.1#5053' '127.0.0.1#5054'

in your dnsmasq config. You only want stubby [dhcp.@dnsmasq[0].server='127.0.0.1#5453' '0::1#5453'] as DNS. I don't know why you have configured DoH on top (did you install any other software doing this?). In the guide you linked these lines are not mentioned. Do not mix up several DNS configurations if you don't know what you are doing.
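An added check (not from the thread or from OpenWrt) that automates the audit this reply asks for: it parses the `uci show dhcp; uci show stubby` output and flags every general dnsmasq upstream that is not one of stubby's own listen addresses, which is exactly how the DoH client's 127.0.0.1#5053/#5054 entries would have been caught. The sample input below is constructed from the lines posted above.

```python
"""Audit dnsmasq upstreams against stubby's listen addresses (added example)."""
import ipaddress
import re

# Constructed sample: the relevant lines of the `uci show` output posted above.
SAMPLE_UCI = """\
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].doh_backup_server='127.0.0.1#5053' '127.0.0.1#5054'
dhcp.@dnsmasq[0].server='127.0.0.1#5453' '0::1#5453' '/openwrt.pool.ntp.org/10.10.10.254' '/openwrt.pool.ntp.org/' '127.0.0.1#5053' '127.0.0.1#5054'
stubby.global.listen_address='127.0.0.1@5453' '0::1@5453'
"""

# dnsmasq options that feed general (non-domain-scoped) upstreams.
UPSTREAM_OPTIONS = ("dhcp.@dnsmasq[0].server", "dhcp.@dnsmasq[0].doh_backup_server")


def uci_values(text, key):
    """Return the quoted list values of one uci option, or [] if absent."""
    for line in text.splitlines():
        name, sep, rest = line.partition("=")
        if sep and name == key:
            return re.findall(r"'([^']*)'", rest)
    return []


def normalize(entry, sep):
    """Canonicalise 'host<sep>port' to 'ip#port' so 0::1 and ::1 compare equal."""
    host, _, port = entry.partition(sep)
    return f"{ipaddress.ip_address(host)}#{port or '53'}"


def audit(text):
    """Return {'stubby': allowed set, 'leaks': [(option, upstream)], 'noresolv': bool}.

    An upstream starting with '/' is a per-domain forwarder (e.g. the NTP pool
    entry) and is skipped; everything else must be a stubby listener.
    """
    allowed = {normalize(a, "@") for a in uci_values(text, "stubby.global.listen_address")}
    leaks = []
    for option in UPSTREAM_OPTIONS:
        for entry in uci_values(text, option):
            if entry.startswith("/"):
                continue
            canonical = normalize(entry, "#")
            if canonical not in allowed:
                leaks.append((option, canonical))
    # With noresolv='0', dnsmasq would also pull upstreams from the resolv file.
    noresolv = uci_values(text, "dhcp.@dnsmasq[0].noresolv") == ["1"]
    return {"stubby": allowed, "leaks": leaks, "noresolv": noresolv}


if __name__ == "__main__":
    result = audit(SAMPLE_UCI)
    for option, upstream in result["leaks"]:
        print(f"unexpected upstream {upstream} in {option}")
```

On a router, feed it the live output with `uci show dhcp; uci show stubby | python3 audit.py` after replacing `SAMPLE_UCI` with `sys.stdin.read()`.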

The mystery is solved! The DoH(!) client was also active and wrote these lines

into the list of DNS servers. I have now deleted the Google and Cloudflare servers and added the Quad9 DoH server in the DoH config. Finally my dhcp config only includes this, even after a reboot:

list server '127.0.0.1#5453'
list server '127.0.0.1#5053'

and both techniques work at the same time, without any further DNS leakage!

What could go wrong if DoH and DoT do run in parallel? I've disabled DoH.

rly? Look at your topic and you see what could go wrong! You had to ask ppl to read your whole thread because you mixed things and simply forgot about that fact ... If I read your comment you could have written also thx for wasting time to anybody trying to help.

As a supporter on the Manjaro forum I know very well what it means to cope with the stupidity of other people, but I stay calm and point out what might have gone wrong and point them in the right direction. Both of us may have learned something from this. I'm not proud that I forgot about something I might have installed a few months back, but I surely have not configured it. I'm quite new to OpenWRT and am still learning the ins and outs of OpenWRT. This thread helped me to understand the inner workings of OpenWRT which differ significantly from other distros.

In retrospect it is quite clear what went wrong. Thank you for your help!

All fine. :wink: I didn't await any comment from you on this. I simply grasped it not as a serious question in connection with the second part. For me it was sounding like. "All easy with this configuration. I just forgot something so what can go wrong?" I was just a bit like a barking dog which never bites. :smiley:

What could go wrong if DoH and DoT do run in parallel?

To answer this question:

Ofc you can run both parallel. But don't forget about this circumvent. :wink:
But why would someone do this? You can choose strict-order in the dnsmasq config and stubby is out of business if in 2nd place. Otherwise all get requested and the fastest is chosen (which is almost the same).
I only would do so if I would like to split/subnet my lan and want to have different DNS (or explicit DOH) for each range.
