Since upgrading to OpenWrt 24.10 I'm having issues with DNS resolution, specifically in web browsers on my Linux machine. If I restore the config/software to 23.x, the same config seems to work fine.
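In Chrome, if I set "Use secure DNS" to off, I am unable to browse the internet: name resolution fails (ERR_NAME_NOT_RESOLVED). If I set "Use secure DNS" to on with the OS default, the same ERR_NAME_NOT_RESOLVED error occurs. If I select a provider from the drop-down list, the internet works (in that mode Chrome sends its DNS-over-HTTPS queries to the chosen provider itself instead of using the system resolver, so those lookups do not go through the router's DNS).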
On 23.x, "Use secure DNS" is set to on with the OS default, and that works fine.
At the OS level, nslookup resolves names successfully:
nslookup google.com
Server: 192.168.50.1
Address: 192.168.50.1#53
Non-authoritative answer:
Name: google.com
Address: 216.58.204.78
Name: google.com
Address: 2a00:1450:4009:827::200e
cat /etc/resolv.conf
# Generated by NetworkManager
search lan
nameserver 192.168.50.1
I'm using adblock, https-dns-proxy and dnsmasq. Both adblock and https-dns-proxy are set to force DNS through the OpenWrt device (adb_forcedns '1' and force_dns '1' in the configs below).
Any help would be much appreciated.
root@rpi4:~# ubus call system board
{
"kernel": "6.6.73",
"hostname": "rpi4",
"system": "ARMv8 Processor rev 3",
"model": "Raspberry Pi 4 Model B Rev 1.5",
"board_name": "raspberrypi,4-model-b",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "bcm27xx/bcm2711",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
root@rpi4:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
option ipv6 '0'
list ports 'eth0'
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.50.1'
option netmask '255.255.255.0'
option delegate '0'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth0:u*'
config device
option name 'br-lan.1'
option type '8021q'
option ifname 'br-lan'
option vid '1'
option ipv6 '0'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option hostname '*'
option peerdns '0'
list dns '8.8.8.8'
option delegate '0'
option clientid 'xxx'
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'eth0:t'
config interface 'guest'
option device 'br-lan.3'
option proto 'static'
option ipaddr '192.168.49.1'
option netmask '255.255.255.0'
option delegate '0'
config device
option name 'br-lan.3'
option type '8021q'
option ifname 'br-lan'
option vid '3'
option ipv6 '0'
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'eth0:t'
config interface 'iot'
option device 'br-lan.2'
option proto 'static'
option ipaddr '192.168.48.1'
option netmask '255.255.255.0'
option delegate '0'
config device
option name 'br-lan.2'
option type '8021q'
option ifname 'br-lan'
option vid '2'
option ipv6 '0'
root@rpi4:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
list rebind_domain 'xxx'
option confdir '/tmp/dnsmasq.d'
option cachesize '5000'
list server '/use-application-dns.net/'
list server '/mask.icloud.com/'
list server '/mask-h2.icloud.com/'
list server '127.0.0.1#5053'
option doh_backup_noresolv '-1'
option noresolv '1'
list doh_backup_server '/use-application-dns.net/'
list doh_backup_server '/mask.icloud.com/'
list doh_backup_server '/mask-h2.icloud.com/'
list doh_server '127.0.0.1#5053'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
config dhcp 'guest'
option start '100'
option leasetime '12h'
option interface 'guest'
option limit '100'
config dhcp 'iot'
option start '100'
option leasetime '12h'
option interface 'iot'
option limit '100'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@rpi4:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wgs0'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'modem'
config forwarding
option src 'lan'
option dest 'wan'
config zone
option name 'guest'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
list network 'guest'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'Guest DNS'
option src 'guest'
config rule
option target 'ACCEPT'
option dest_port '67-68'
option name 'Guest DHCP'
option proto 'udp'
option src 'guest'
config forwarding
option dest 'wan'
option src 'guest'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '5555'
option name 'Allow-Wireguard-Inbound'
option src 'wan'
config zone
option name 'iot'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
list network 'iot'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'iot DNS'
option src 'iot'
config rule
option target 'ACCEPT'
option dest_port '67-68'
option name 'iot DHCP'
option proto 'udp'
option src 'iot'
config forwarding
option dest 'wan'
option src 'iot'
config redirect 'adblock_guest53'
option name 'Adblock DNS (guest, 53)'
option src 'guest'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
option family 'any'
config redirect 'adblock_guest853'
option name 'Adblock DNS (guest, 853)'
option src 'guest'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
option family 'any'
config redirect 'adblock_guest5353'
option name 'Adblock DNS (guest, 5353)'
option src 'guest'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
option family 'any'
config redirect 'adblock_iot53'
option name 'Adblock DNS (iot, 53)'
option src 'iot'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
option family 'any'
config redirect 'adblock_iot853'
option name 'Adblock DNS (iot, 853)'
option src 'iot'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
option family 'any'
config redirect 'adblock_iot5353'
option name 'Adblock DNS (iot, 5353)'
option src 'iot'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
option family 'any'
config redirect 'adblock_lan53'
option name 'Adblock DNS (lan, 53)'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
option family 'any'
config redirect 'adblock_lan853'
option name 'Adblock DNS (lan, 853)'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
option family 'any'
config redirect 'adblock_lan5353'
option name 'Adblock DNS (lan, 5353)'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
option family 'any'
root@rpi4:~# cat /etc/config/adblock
config adblock 'global'
option adb_enabled '1'
option adb_debug '0'
option adb_safesearch '0'
option adb_dnsfilereset '0'
option adb_mail '0'
option adb_backup '1'
option adb_maxqueue '4'
option adb_dns 'dnsmasq'
option adb_fetchutil 'uclient-fetch'
option adb_dnsflush '1'
option adb_forcedns '1'
list adb_portlist '53'
list adb_portlist '853'
list adb_portlist '5353'
option adb_repiface 'br-lan'
option adb_report '1'
option adb_triggerdelay '180'
list adb_sources 'adaway'
list adb_sources 'adguard'
list adb_sources 'adguard_tracking'
list adb_sources 'android_tracking'
list adb_sources 'disconnect'
list adb_sources 'easylist'
list adb_sources 'easyprivacy'
list adb_sources 'notracking'
list adb_sources 'openphish'
list adb_sources 'phishing_army'
list adb_sources 'smarttv_tracking'
list adb_sources 'spam404'
list adb_sources 'stopforumspam'
list adb_sources 'yoyo'
option adb_dnsinstance '0'
list adb_zonelist 'guest'
list adb_zonelist 'iot'
list adb_zonelist 'lan'
root@rpi4:~# cat /etc/config/https-dns-proxy
config main 'config'
option dnsmasq_config_update '*'
option force_dns '1'
list force_dns_port '53'
list force_dns_port '853'
option canary_domains_icloud '1'
option canary_domains_mozilla '1'
config https-dns-proxy
option resolver_url 'https://security.cloudflare-dns.com/dns-query'