Today, I upgraded to OpenWrt 22.03.2 r19803-9a599fee93 (git-22.288.45147-96ec0cd), but I didn't succeed in keeping my settings/configuration + installed packages, so I re-configured everything from scratch. After doing so, adblock doesn't work and I have no internet connection.
Here's what I did:
opkg install dnsmasq-full --download-only && opkg remove dnsmasq && opkg install dnsmasq-full --cache . && rm *.ipk
opkg install stubby
Made dnsmasq send all DNS requests to stubby and prevented dnsmasq from using
uci add_list dhcp.@dnsmasq[-1].server='127.0.0.1#5453'
uci set dhcp.@dnsmasq[-1].noresolv=1
Prevented OpenWrt from sending DNS requests to the ISP's DNS:
uci set network.wan.peerdns='0'
uci set network.wan.dns='127.0.0.1'
uci set network.wan6.peerdns='0'
uci set network.wan6.dns='0::1'
uci commit && reload_config
In /etc/config/stubby I enabled option tls_min_version '1.2', removed all default resolvers and added custom ones. These worked fine before the upgrade.
Sources for the DNS server configs: Digitalcourage (scroll down a bit), Dismail
config resolver
	option address '22.214.171.124'
	option tls_auth_name 'dns3.digitalcourage.de'
	list spki 'sha256/2WFzfO2/56HpeR+v/l25NPf5dacfxLrudH5yZbWCfdo='

config resolver
	option address '126.96.36.199'
	option tls_auth_name 'fdns2.dismail.de'
	list spki 'sha256/yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w='

config resolver
	option address '188.8.131.52'
	option tls_auth_name 'fdns1.dismail.de'
	list spki 'sha256/yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w='
DNS firewall rule
Allowed DNS traffic in the firewall:
uci add firewall rule
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].name='Allow-DNS-from-WAN'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='53'
uci commit firewall
/etc/init.d/firewall restart
uci set dhcp.@dnsmasq[-1].dnssec=1
uci set dhcp.@dnsmasq[-1].dnsseccheckunsigned=1
uci commit && reload_config
Made sure that DNSSEC works:
dig dnssectest.sidn.nl +dnssec +multi @192.168.1.1
Indeed, the response included the ad flag, indicating that DNSSEC is working.
Then, I installed and configured the luci-app-adblock packages via luci. I set dnsmasq as the DNS backend and selected a few blocklists.
After applying the configuration, the adblocker only said "running / 0 domains blocked". Also, I was unable to open any website on any device connected to the WiFi after that (before setting up the adblocker, it had worked fine).
Now, I can't even open the luci dashboard or SSH into OpenWrt on two of my three laptops:
- Windows laptop, connected via LAN (WiFi module broken) to the OpenWrt router, can't open luci or connect via SSH
- Linux laptop, connected via WiFi to the OpenWrt router, can't open luci or connect via SSH
- Windows laptop, connected via WiFi to the OpenWrt router, CAN open luci and connect via SSH
Restarting adblock, dnsmasq, stubby and OpenWrt altogether didn't help.
However, resolving domains still works on all devices.
Linux laptop:

~$ nslookup openwrt.org 192.168.0.251
Server:		192.168.0.251
Address:	192.168.0.251#53

Non-authoritative answer:
Name:	openwrt.org
Address: 184.108.40.206
Name:	openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1

Windows laptop:

>nslookup openwrt.org
Server:  OpenWrt.lan
Address:  fd0a:6de3:87a0::1

Non-authoritative answer:
Name:    openwrt.org
Addresses:  2a03:b0c0:3:d0::1af1:1
          220.127.116.11

On the router itself:

root@OpenWrt:~# nslookup openwrt.org
Server:		127.0.0.1
Address:	127.0.0.1:53

Non-authoritative answer:
Name:	openwrt.org
Address: 18.104.22.168

Non-authoritative answer:
Name:	openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1
I have no clue what the issue might be and don't know what to do. I'm happy about any advice.
Thanks for your help!
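Editor's note on the firewall rule in the post: in OpenWrt's firewall config, a `config rule` that sets a `src` zone but no `dest` zone matches traffic addressed to the router itself (its input chain), not forwarded traffic. A rule with src='wan', dest_port='53' and target='ACCEPT' therefore opens the router's own resolver port to the internet. Neither step in the post needs such a rule: LAN clients already reach dnsmasq because the lan zone's input policy is ACCEPT by default, and stubby's outbound DNS-over-TLS connections are covered by the wan zone's default output policy. The shell script below is an added example, not code from the post or from OpenWrt; it audits a `uci export firewall` dump for rules of that shape. The sample dump inside it is constructed (its first rule mirrors the one in the post, the others are control cases), and the FIREWALL_CONFIG variable is the script's own convention for pointing it at a real dump.

```shell
#!/bin/sh
# Audit an OpenWrt firewall config for rules that accept traffic to the router's own DNS
# port from the wan zone. Added example for this page; not code from the post or from OpenWrt.
#
# Background (OpenWrt firewall semantics): a `config rule` that has a `src` zone but NO
# `dest` zone matches traffic addressed to the router itself (its INPUT chain), not
# forwarded traffic. So src='wan' + dest_port='53' + target='ACCEPT' lets anyone on the
# internet reach the router's resolver port.

# Constructed sample in `uci export firewall` format (not a real dump). The first rule
# mirrors the one in the post; the others are control cases the audit must leave alone.
sample_dump() {
	cat <<'EOF'
package firewall

config rule
	option name 'Allow-DNS-from-WAN'
	option src 'wan'
	option proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DoT-out'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '853'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option target 'ACCEPT'

config rule
	option name 'Block DNS from WAN'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'REJECT'
EOF
}

# Read a firewall config on stdin and print "@rule[N]<TAB>name" for every rule section
# that ACCEPTs tcp or udp traffic covering port 53, from wan (or any zone '*'), to the
# router itself. N is the section index you would pass to `uci delete firewall.@rule[N]`.
find_exposed_dns_rules() {
	tr -d "'" | awk '
	# Does a dest_port value ("53", "53 853", "1-1024", or empty = all ports) include 53?
	function covers53(p,    n, i, t, a) {
		if (p == "") return 1
		n = split(p, t, " ")
		for (i = 1; i <= n; i++) {
			if (t[i] == "53") return 1
			if (split(t[i], a, "-") == 2 && a[1] + 0 <= 53 && 53 <= a[2] + 0) return 1
		}
		return 0
	}
	# Called at the start of each section and at EOF: evaluate the section just finished.
	function flush() {
		if (type == "rule") {
			if (target == "ACCEPT" && (src == "wan" || src == "*") && dest == "" &&
			    (proto == "" || proto ~ /udp|tcp|all/) && covers53(ports))
				printf "@rule[%d]\t%s\n", idx, name
			idx++
		}
	}
	$1 == "config" { flush(); type = $2; name = src = dest = target = proto = ports = ""; next }
	$1 == "option" {
		val = substr($0, index($0, $3))   # value may contain spaces, e.g. "tcp udp"
		if ($2 == "name") name = val
		else if ($2 == "src") src = val
		else if ($2 == "dest") dest = val
		else if ($2 == "target") target = val
		else if ($2 == "proto") proto = val
		else if ($2 == "dest_port") ports = val
	}
	END { flush() }'
}

# Stand-alone run: audit the constructed sample, or a saved dump if FIREWALL_CONFIG is set
# (FIREWALL_CONFIG is this script's own convention). On the router:
#   uci export firewall > /tmp/fw.conf && FIREWALL_CONFIG=/tmp/fw.conf sh audit-dns-rules.sh
if [ -n "${FIREWALL_CONFIG:-}" ]; then
	find_exposed_dns_rules < "$FIREWALL_CONFIG"
else
	sample_dump | find_exposed_dns_rules
fi
```

Against the constructed sample the audit reports only `@rule[0]	Allow-DNS-from-WAN`; the DoT forward rule has a `dest` zone, the ping rule is icmp-only, and the last rule rejects rather than accepts. If the script flags a rule on a real router, remove it with `uci delete firewall.@rule[N]` (highest index first when deleting several, since indices shift), then `uci commit firewall && /etc/init.d/firewall restart`.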