Hi there,
I'm in a bit of a predicament; I really want to use DNS Crypt as I know that in the UK DNS queries are monitored, filtered and often blocked.
However, since I installed DNSCrypt + DNSMasq on my OpenWrt 21.02.2 r1 I've been experiencing random DNS failures.
I cannot pinpoint what it is that is failing; all the information I have ATM is the following:
- DNS queries take forever and eventually fail
- I am running DNS Crypt with DNS Masq on internal interfaces only
- I've used the DSA tutorial for DNS Crypt to the letter, no deviations or anything.
The problem is most frequently solved by me changing the DNSCrypt Resolver. Most often just doing that fixes the issue. The issue seems to appear every 48 hours or so, making me think it's a space or memory issue.
Going through logread doesn't really tell me anything useful. The only hint for an issue comes from dnsmasq which keeps spamming with the same message over and over:
daemon.warn dnsmasq[5495]: possible DNS-rebind attack detected:
Making me wonder if that's the source of the issue.
When the issue does arise, no client can access anything. The router itself has the following issues.
If I try pinging without an explicit IP (which does work) then I get:
ping google.com
ping: bad address 'google.com'
If I try to do a lookup, I get:
nslookup openwrt.org 127.0.0.1
;; connection timed out; no servers could be reached
root@InnerRouter:~# nslookup openwrt.org
;; connection timed out; no servers could be reached
However, the servers are configured and running AFAIK:
root@InnerRouter:~# head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
==> /etc/resolv.conf <==
#nameserver 8.8.8.8
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
(Notice the I/O error?)
And I believe that the DNSCrypt-proxy is configured to run at 127.0.0.1#5253 and DNS-Masq runs at 53 and forwards them.
How can I go about finding what is happening, why this keeps consistently happening and how to fix it? I really don't want to give up on DNSCrypt! Any help is much appreciated!