DNS lookup issues since 24.10 upgrade

Since upgrading to 24.10 I'm having issues with DNS resolution, specifically in web browsers on my Linux machine. If I restore the config/software to 23.x, the same config works fine.

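On Chrome, if I set Use Secure DNS to off, I am unable to browse the internet: name resolution fails (ERR_NAME_NOT_RESOLVED). If I set Use Secure DNS to on with the OS default provider, the same ERR_NAME_NOT_RESOLVED error occurs. If I select a provider from the drop-down list, then the internet works. (With a provider selected, Chrome sends its lookups over DNS-over-HTTPS directly to that provider, so they no longer go through the router's dnsmasq/adblock resolver.)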

On 23.x, Use Secure DNS is set to on with the OS default provider, and that works fine.

At the OS level, nslookup works successfully to resolve names.

nslookup google.com                                                                            
Server:		192.168.50.1
Address:	192.168.50.1#53

Non-authoritative answer:
Name:	google.com
Address: 216.58.204.78
Name:	google.com
Address: 2a00:1450:4009:827::200e

cat /etc/resolv.conf
# Generated by NetworkManager
search lan
nameserver 192.168.50.1

I'm using adblock, https-dns-proxy and dnsmasq. adblock and https-dns-proxy are both set to force DNS to go via the OpenWrt device.

Any help would be much appreciated.

root@rpi4:~# ubus call system board
{
	"kernel": "6.6.73",
	"hostname": "rpi4",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.5",
	"board_name": "raspberrypi,4-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}

root@rpi4:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'
	option delegate '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option ipv6 '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option hostname '*'
	option peerdns '0'
	list dns '8.8.8.8'
	option delegate '0'
	option clientid 'xxx'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.49.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'eth0:t'

config interface 'iot'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.48.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'br-lan.2'
	option type '8021q'
	option ifname 'br-lan'
	option vid '2'
	option ipv6 '0'

root@rpi4:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	list rebind_domain 'xxx'
	option confdir '/tmp/dnsmasq.d'
	option cachesize '5000'
	list server '/use-application-dns.net/'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '127.0.0.1#5053'
	option doh_backup_noresolv '-1'
	option noresolv '1'
	list doh_backup_server '/use-application-dns.net/'
	list doh_backup_server '/mask.icloud.com/'
	list doh_backup_server '/mask-h2.icloud.com/'
	list doh_server '127.0.0.1#5053'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option interface 'guest'
	option limit '100'

config dhcp 'iot'
	option start '100'
	option leasetime '12h'
	option interface 'iot'
	option limit '100'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'



root@rpi4:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wgs0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'modem'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'guest'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option proto 'udp'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '5555'
	option name 'Allow-Wireguard-Inbound'
	option src 'wan'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'iot'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'iot DNS'
	option src 'iot'

config rule
	option target 'ACCEPT'
	option dest_port '67-68'
	option name 'iot DHCP'
	option proto 'udp'
	option src 'iot'

config forwarding
	option dest 'wan'
	option src 'iot'

config redirect 'adblock_guest53'
	option name 'Adblock DNS (guest, 53)'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_guest853'
	option name 'Adblock DNS (guest, 853)'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_guest5353'
	option name 'Adblock DNS (guest, 5353)'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_iot53'
	option name 'Adblock DNS (iot, 53)'
	option src 'iot'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_iot853'
	option name 'Adblock DNS (iot, 853)'
	option src 'iot'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_iot5353'
	option name 'Adblock DNS (iot, 5353)'
	option src 'iot'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_lan853'
	option name 'Adblock DNS (lan, 853)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_lan5353'
	option name 'Adblock DNS (lan, 5353)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'
	option family 'any'


root@rpi4:~# cat /etc/config/adblock 

config adblock 'global'
	option adb_enabled '1'
	option adb_debug '0'
	option adb_safesearch '0'
	option adb_dnsfilereset '0'
	option adb_mail '0'
	option adb_backup '1'
	option adb_maxqueue '4'
	option adb_dns 'dnsmasq'
	option adb_fetchutil 'uclient-fetch'
	option adb_dnsflush '1'
	option adb_forcedns '1'
	list adb_portlist '53'
	list adb_portlist '853'
	list adb_portlist '5353'
	option adb_repiface 'br-lan'
	option adb_report '1'
	option adb_triggerdelay '180'
	list adb_sources 'adaway'
	list adb_sources 'adguard'
	list adb_sources 'adguard_tracking'
	list adb_sources 'android_tracking'
	list adb_sources 'disconnect'
	list adb_sources 'easylist'
	list adb_sources 'easyprivacy'
	list adb_sources 'notracking'
	list adb_sources 'openphish'
	list adb_sources 'phishing_army'
	list adb_sources 'smarttv_tracking'
	list adb_sources 'spam404'
	list adb_sources 'stopforumspam'
	list adb_sources 'yoyo'
	option adb_dnsinstance '0'
	list adb_zonelist 'guest'
	list adb_zonelist 'iot'
	list adb_zonelist 'lan'


root@rpi4:~# cat /etc/config/https-dns-proxy 

config main 'config'
	option dnsmasq_config_update '*'
	option force_dns '1'
	list force_dns_port '53'
	list force_dns_port '853'
	option canary_domains_icloud '1'
	option canary_domains_mozilla '1'

config https-dns-proxy
	option resolver_url 'https://security.cloudflare-dns.com/dns-query'


The developer seems to have already changed something in https-dns-proxy.

But this update has not made it into the official build.

@stangri - sorry to bother you. Would the above issue be related to an out of date version of https-dns-proxy for 24.10?

As a temporary workaround, add the following to the rc.local file:

# Wait 10 seconds, then start the https-dns-proxy service via its init script.
# NOTE(review): the delay is presumably there so the service starts after the
# network is up at boot — confirm. The subshell is not backgrounded (no
# trailing &), so rc.local itself pauses for those 10 seconds.
( sleep 10 && /etc/init.d/https-dns-proxy start )
# rc.local reports success even if the start command above failed.
exit 0

This can also be done through LuCI, in the Startup section.

Thanks, I'll check if the service is started. I'm sure I ensured it was started. I have downgraded but will try upgrading again later and report back.

https-dns-proxy has a lot of potential: it works together with dnsmasq, and if you dig deeper into it, you can do whatever you want with DNS.

Update on this: I upgraded to 24.10 again and switched to smartdns instead of https-dns-proxy, and the issue still persisted. In both instances I used dnsmasq as the DNS backend; perhaps it's something to do with this?

I fixed this by removing the following lines from /etc/config/dhcp:

	option doh_backup_noresolv '-1'
	list doh_backup_server '/use-application-dns.net/'
	list doh_backup_server '/mask.icloud.com/'
	list doh_backup_server '/mask-h2.icloud.com/'
	list doh_server '127.0.0.1#5053'
