DNS Proxy (uci)

ohoh, you are pssd, that I'm pssd! :slight_smile:
You're right. But I'm just not saying _bernd is responsible for this being difficult (to me). And sure, I'm going to rtfm.

Edit: I followed exactly the wiki how-to. But unfortunately somewhere on the way I did something that causes the errors above, which lead to the dysfunctionality of dnsproxy. You may post here where you see the reason, and if you are an OpenWrt user since 2009 and probably have a solution to this, it would be highly appreciated if you shared it.

See, some people might not be that fluent in Linux or CLI. Maybe they come from Windows and are going the quite uncomfortable way of heading over to another system that is fundamentally different from the ones they used over the decades before.

Change the keyword option to list and restart dnsproxy.

uci delete dnsproxy.servers.upstream
uci add_list dnsproxy.servers.upstream='tls://dns.quad9.net'
uci commit dnsproxy
service dnsproxy restart

Everything is cool. No worries.

It's just that it seems that some dudes over on YouTube make strange promises regarding how noob friendly OpenWrt is.
OpenWrt is intended for advanced users, network operators, people who need to develop and deploy their modified firmware and so on, and yes of course highly motivated users.
The learning curve is steep for sure but if you want to use OpenWrt and especially extra packages:
Try to get yourself some toy equipment so you do not have to fiddle with your core router.
Read as much as possible upfront. Half the tutorials are just trash because often they miss stuff.

I can not give you concrete help besides what's already stated in the thread.
Ensure every part is configured properly and tested and then glue everything together by pointing each resolver to the next one.

It also helps to have a look at the package GitHub repo and issue tracker. If you find some bug or weak spots in the documentation it's best to raise an issue directly.

Again, most of the OpenWrt ecosystem is intended for developers or people who know how to use Linux and how to navigate scattered "documentations".

Please don't feel pushed back or something. Stay on it but I just wanted to adjust expectations.

Regarding frustration tolerance: you need a lot of it with OpenWrt :slight_smile:

How can someone know if changing the option to a list entry solves the upstream issues? :smiley: I mean, I searched the documentation of dnsproxy but could barely find anything on that topic.

So, DNSSEC works now, I'm using quad9 successfully, DNS leak test shows the right server, dnscheck.tools passes everything.

If my connections communicate via port 853 that means I successfully use DoT now, right?

If so, I'm a bit confused with the nslookup:

Server:		127.0.0.1
Address:	127.0.0.1:53

But I remember to set up the Intercept-DNS port forwarding rule in the firewall. So how do I check, if I'm really using DoT now (I mean with the pf-rule set)?

Thanks for answering my countless noob-questions! I really appreciate that and try to find out most things on my own, and it's good to know, if I'm stuck, where to come. :slight_smile: Yes _bernd, it's a steep learning curve! :vulcan_salute:

Some thoughts on the actual situation of using pro tools as a noob:
It's like buying a professional DSLR camera without being a professional cam-op. Why should someone ever climb the slow (and expensive) ladder from no-feature cam to full-feature pro cam? Just buying the best available with the most complex features helps you to grow your skills until you reach the top, so to say.

And nowadays, where people are getting more aware of their digital independence, you pros will experience more people coming over from the noob sphere, and definitely more to come in future, simply because Linux-based OSes are the ONLY solution for keeping a user's privacy and security without monetarizing the shit out of it nowadays. So many times in my now 6 years of being a Linux user, I was thinking "nice, that I have the possibility to use this software" but in the same second "who is addressed by this software?" An elite? Professional programmers coding for professional colleagues? Software that sparkles around a little Linux bubble, not intuitively usable for everyone except highly passionate nerds?

In my view open-source software should explain more, be as simple as possible, and still guide the user if wanted. So that means a software that is designed for pros should also give the option for a guided use case, don't you think? When I have 3 dependent input fields for values and the second option requires that I change the third option respectively, any software should output a hint to minimize the confusion level by design. Even the "pros" are not that pro that they can overview everything; even the developers themselves are not able to do that. It's not linear. There exists an expectation of the user's skill level that is unclear and intransparent.

Software is for everyone. :slight_smile:

So for this reason: cool that you are here to help to achieve that!

Run the nslookup I gave earlier:

nslookup -type=txt proto.on.quad9.net 127.0.0.1

This queries dnsmasq which will forward to dnsproxy which should forward over DoT to Quad9. And the response should be “dot”.

Well now you know where you can make a difference :wink:

Most of the developers are volunteers doing it in their spare time for free and yes writing manuals is not only an art but also not very popular to do.
For writing good manuals you need to be a (near) native speaker, have in depth knowledge of the subject and the ability to imagine how a newbie would read your manual and the desire to do all that work in your spare time.

I hope you see the problem we are facing :slight_smile:

So any help is welcome to improve this wonderful product.

Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
proto.on.quad9.net      text = "dot"

Ok, so I'm using DoT right now. :slight_smile:

Yes, it's the open-source problem, widely spread. :slight_smile:

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

For reference, if you run into these list / option problems again and there's not as much documentation available, sometimes there are example configs available in the git repo.

Linked on the dnsproxy wiki page is the default config, where it shows:

config dnsproxy 'servers'
	list bootstrap 'tls://8.8.8.8'
	list fallback 'tls://9.9.9.9'
	list upstream 'tls://1.1.1.1'

Note the 'list' instead of 'option' there. I'm a beginner as well and dug around for this information last weekend when I trialed using dnsproxy. Glad others in the community helped you get it working!

Some "option arguments" can take a single option and some can take multiple values when using list.

The user usually finds these in the source code where the uci option is parsed.... :duckandcover:

In this case, it could have been that you ran this command:

uci set dnsproxy.servers.upstream='tls://dns.quad9.net'

instead of this command:

uci add_list dnsproxy.servers.upstream='tls://dns.quad9.net'

The first creates an option which is incompatible when the startup script expects a list. I’ve also seen the mismatch happen with certain LuCI apps as well when only a single value was provided for a list.
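As an added example (not from this thread or the dnsproxy project), a POSIX sh/awk check that scans a UCI file for `servers` keys written as `option` where the init script expects a `list`, and prints the `uci` commands that convert them. The list-typed keys (bootstrap, fallback, upstream) are taken from the default config quoted above; the sample config text is constructed.

```shell
#!/bin/sh
# Keys in the 'servers' section that dnsproxy reads as lists (from the default
# config in the thread; assumed to be the complete set for this example).
LIST_KEYS="bootstrap fallback upstream"

# Print "<key> <value>" for each LIST_KEYS entry declared with 'option'
# inside section 'servers' of the given UCI config file.
find_option_misuse() {
    awk -v keys="$LIST_KEYS" -v q="'" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        $1 == "config" { sec = $3; gsub(q, "", sec) }          # section name, quotes stripped
        sec == "servers" && $1 == "option" && ($2 in want) {
            val = $3; gsub(q, "", val); print $2, val
        }
    ' "$1"
}

# True (exit 0) when at least one misused option was found.
needs_fix() {
    [ -n "$(find_option_misuse "$1")" ]
}

# Emit the uci commands that replace each misused option with a list entry.
suggest_fix() {
    find_option_misuse "$1" | while read -r key val; do
        printf "uci delete dnsproxy.servers.%s\n" "$key"
        printf "uci add_list dnsproxy.servers.%s='%s'\n" "$key" "$val"
    done
    echo "uci commit dnsproxy"
    echo "service dnsproxy restart"
}

# Constructed sample: the broken form from the thread ('option' for upstream).
SAMPLE_BAD=$(mktemp)
SAMPLE_OK=$(mktemp)
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_OK"' EXIT
cat > "$SAMPLE_BAD" <<'EOF'
config dnsproxy 'servers'
    list bootstrap 'tls://8.8.8.8'
    list fallback 'tls://9.9.9.9'
    option upstream 'tls://dns.quad9.net'
EOF
# Constructed sample: the same section written correctly.
cat > "$SAMPLE_OK" <<'EOF'
config dnsproxy 'servers'
    list bootstrap 'tls://8.8.8.8'
    list upstream 'tls://dns.quad9.net'
EOF

needs_fix "$SAMPLE_BAD" && suggest_fix "$SAMPLE_BAD"
```

On a router the file to pass is /etc/config/dnsproxy; the printed commands are only suggestions and nothing is changed until you run them.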

dnsproxy has difficulties letting IPv6 in upstream. Some sites were loading as soon as I loaded them twice, or on the third attempt. Hence when I'm running tests from the ISP router, the tests succeed regarding IPv6. But for IPv6 from the owrt-router there is no chance to pass the tests. What I understand is that my ISP gives me an IPv6 /64 and handles the routing (in the settings I have turned off Request IPv6-prefix. Due to that I never experienced the ISP router losing the ability to assign IPv4 addresses again).

With Quad9 I had EOF issues (I think related to IPv6):

Wed May  6 03:25:22 2026 daemon.info dnsproxy[21577]: 2026/05/06 01:25:22.878287 ERROR exchange failed prefix=dnsproxy upstream=tls://[2620:fe::9]:853 question=";test-8z2wlj127ob.null-addr.net.\tIN\t A" duration=110.23882ms err="reading response from tls://[2620:fe::9]:853: EOF"
Wed May  6 03:25:22 2026 daemon.info dnsproxy[21577]: 2026/05/06 01:25:22.949538 ERROR exchange failed prefix=dnsproxy upstream=tls://[2620:fe::9]:853 question=";test-8z2wlj127ob.null-addr.net.\tIN\t HTTPS" duration=95.789362ms err="reading response from tls://[2620:fe::9]:853: EOF"

My questions are:

  1. what can I do to resolve IPv6 addresses too, or should I turn that completely off?
  2. are these error logs some kind of normal, because they pop up even in the default settings?
  3. do I miss anything obviously important here?
  4. do you know good resources for learning that kind of stuff?

-> the firewall is letting through tls calls, ok.
-> the config seems ok, ok.
-> dnssec is running, ok.
-> firewall was off while testing and receiving error logs, k.
-> I understand that inside the OpenWrt router there are no IPv6 routings involved. And the routing is not coming from DHCP, but from dnsmasq on WAN instead. But why is dnsproxy not working with IPv6? The web is empty for this kind of question, ok.
-> maybe it would be better to have DNS over HTTPS from the browser settings, instead of from the router, ok?

Any last support to this topic would be nice!

Regarding QUAD9, you MIGHT run into similar issues as me, using https-dns-proxy with them. I contacted Quad9's support already, provided some packet traces to them yesterday, and am now waiting for comments. Note that I do NOT use IPv6. I suggest you use Cloudflare/Google until further notice. I have no issues using Cloudflare with the proxy. As this thread is solved and will be closed soon, watch my other threads regarding https-dns-proxy/quad9. BTW, which area are you located in?

Yes, Quad9 is not usable at the moment. My current config looks like this, and Mullvad works with DNSSEC also:

uci delete dnsproxy.servers.upstream
uci add_list dnsproxy.servers.upstream='tls://base.dns.mullvad.net'

uci delete dnsproxy.servers.bootstrap
uci add_list dnsproxy.servers.bootstrap='tls://9.9.9.9'
uci add_list dnsproxy.servers.bootstrap='tls://149.112.112.112'
uci add_list dnsproxy.servers.bootstrap='tls://91.239.100.100'
uci add_list dnsproxy.servers.bootstrap='tls://185.95.218.42'

uci delete dnsproxy.servers.fallback
uci add_list dnsproxy.servers.fallback='tls://9.9.9.9'
uci add_list dnsproxy.servers.fallback='tls://149.112.112.112'
uci add_list dnsproxy.servers.fallback='tls://91.239.100.100'
uci add_list dnsproxy.servers.fallback='tls://194.242.2.2'

The only thing I need to find out for now is how it's possible to have the IPv6 connectivity. It's a little confusing. :slight_smile: IPv6 connectivity of the DNS resolver is ok, but IPv6 connectivity (via DNS) not. Huh? lol. xD

I'm taking a look at your posts! Thx!