Dnsmasq high CPU usage and issues resolving domains

sppmaster · September 16, 2025, 12:16pm

Following your advises today I spent some time trying to figure this out.

As I had a chance no one was using the Internet I completely disabled both https-dns-proxy (latest r1 build) and pbr r33 (because dnsmasq complained with errors) packages. I restored the config of the dnsmasq (seems it wasn’t completely automatically restored the last time I removed https-dns-proxy but maybe pbr caused an issue too) and rebooted the router. I didn’t touch any other router settings.

For more than an hour no more issues and no errors in the log. Considering that I constantly tried to cause the previous behaviour opening repeatedly dnscheck.tools and other programs that previously caused dnsmasq to hang and not resolve domains and spiked the CPU.

Now everything opens immediately with dnsmasq using only rarely 10-12% CPU for 2-3 seconds. Most of the time CPU usage is zero or 1-2%.

I don’t have an answer if both packages caused this or only one of them is current culprit. I know those builds are new and that’s why we test them and report if any issues have been found.

@stangri If you have any other advice what to try next I’ll try it.

Thanks.

egc · September 16, 2025, 12:38pm

Consider installing pbr and do not install htyps dns proxy

sppmaster · September 16, 2025, 1:00pm

Following this immediately - I installed pbr-1.1.9-r33 and enabled and ran it and dnsmasq went up to 100%. This showed in the log.


Tue Sep 16 15:39:17 2025 user.notice pbr [26779]: Using uplink IPv4 interface (on_start): wan [✓]
Tue Sep 16 15:39:17 2025 user.notice pbr [26779]: Found uplink IPv4 gateway (on_start): xxxxxxxx [✓]
Tue Sep 16 15:39:17 2025 user.notice pbr [26779]: Using uplink IPv6 interface (on_start): wan6 [✓]
Tue Sep 16 15:39:17 2025 user.notice pbr [26779]: Found uplink IPv6 gateway (on_start): xxxxxxxxxxxxxxxxxxxxx0 [✓]
Tue Sep 16 15:39:18 2025 user.notice pbr [26779]: Processing environment (on_start) [✓]
Tue Sep 16 15:39:19 2025 user.notice pbr [26779]: Setting up routing for 'wan/xxxxxxxxxxxxxxxxxxxxxxxxxxx0' [✓]
Tue Sep 16 15:39:20 2025 user.notice pbr [26779]: Setting up routing for 'wg0/xxxxxxxxxxxxxxx/::/0' [✓]
Tue Sep 16 15:39:21 2025 user.notice pbr [26779]: Setting up routing for 'wg1/xxxxxxxxxxxxxxxxxxxxx/128' [✓]
Tue Sep 16 15:39:21 2025 user.notice pbr [26779]: Setting up routing for 'wg2/xxxxxxxxxxxxxxxxxxxxx/128' [✓]
Tue Sep 16 15:39:22 2025 user.notice pbr [26779]: Setting up routing for 'wg3/xxxxxxxxxxxxxxxxxxxxx/128' [✓]
Tue Sep 16 15:39:22 2025 user.notice pbr [26779]: Setting up routing for 'wg4/xxxxxxxxxxxxxxx/::/0' [✓]
Tue Sep 16 15:39:23 2025 user.notice pbr [26779]: Routing 'Guest redirect 1' via wan [✓]
Tue Sep 16 15:39:24 2025 user.notice pbr [26779]: Routing 'Guest redirect 2' via wg1 [✓]
Tue Sep 16 15:39:24 2025 user.notice pbr [26779]: Routing 'Guest redirect 3' via wg0 [✓]
Tue Sep 16 15:39:24 2025 user.notice pbr [26779]: Routing 'Sites Redirect'' via wg2 [✓]
Tue Sep 16 15:39:24 2025 user.notice pbr [26779]: Routing 'MAC address' via wg0 [✓]
Tue Sep 16 15:39:26 2025 user.notice pbr [26779]: Running /usr/share/pbr/pbr.user.dnsprefetch [✓]
Tue Sep 16 15:39:26 2025 user.notice pbr [26779]: Installing fw4 nft file [✓]
Tue Sep 16 15:39:26 2025 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Tue Sep 16 15:39:26 2025 user.notice pbr [26779]: Restarting dnsmasq [✓]
Tue Sep 16 15:39:26 2025 user.notice pbr [26779]: Setting interface trigger for wan [✓]
Tue Sep 16 15:39:26 2025 user.notice pbr [26779]: Setting interface trigger for wan6 [✓]
Tue Sep 16 15:39:26 2025 user.notice pbr [26779]: Setting interface trigger for wg0 [✓]
Tue Sep 16 15:39:27 2025 user.notice pbr [26779]: Setting interface trigger for wg1 [✓]
Tue Sep 16 15:39:27 2025 user.notice pbr [26779]: Setting interface trigger for wg2 [✓]
Tue Sep 16 15:39:27 2025 user.notice pbr [26779]: Setting interface trigger for wg3 [✓]
Tue Sep 16 15:39:27 2025 user.notice pbr [26779]: Setting interface trigger for wg4 [✓]
Tue Sep 16 15:39:27 2025 user.notice pbr [26779]: pbr 1.1.9-r33 monitoring interfaces: wan wan6 wg0 wg1 wg2 wg3 wg4
Tue Sep 16 15:39:27 2025 user.notice pbr [26779]: pbr 1.1.9-r33 (fw4 nft file mode) started with gateways: wan/xxxxxxxxxxxxxxxxxxxxxx [✓] wg0/xxxxxxxxxxx/::/0 wg1/xxxxxxxxxxxxxxxxxx/128 wg2/xxxxxxxxxxxxxxxxxxx/128 wg3/xxxxxxxxxxxxxxxxxxx/128 wg4/xxxxxxxxx/::/0
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: started, version 2.91 cachesize 1000
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: DNS service limited to local subnets
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth DNSSEC no-ID loop-detect inotify dumpfile
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.2.150 -- 192.168.2.199, lease time 12h
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.149, lease time 2d
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: using only locally-known addresses for test
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: using only locally-known addresses for local
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: using only locally-known addresses for stbg.stanbicbank.co.zw
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: using only locally-known addresses for oxfordproperties.co.zw
Tue Sep 16 15:39:27 2025 daemon.info dnsmasq[1]: using 262255 more local addresses
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using nameserver xxxxxxxx#53
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using nameserver xxxxxxxx#53
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using nameserver xxxxxxxxxx#53
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using nameserver xxxxxxxxxx#53
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using only locally-known addresses for test
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using only locally-known addresses for local
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using only locally-known addresses for stbg.stanbicbank.co.zw
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using only locally-known addresses for oxfordproperties.co.zw
Tue Sep 16 15:39:28 2025 daemon.info dnsmasq[1]: using 262255 more local addresses
Tue Sep 16 15:39:30 2025 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Tue Sep 16 15:39:30 2025 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names
Tue Sep 16 15:39:30 2025 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 0 names
Tue Sep 16 15:39:30 2025 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Tue Sep 16 15:39:30 2025 user.notice pbr [26779]: Resolving domain names in policies...
....
.....
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for dnsleaktest.com (timed out)
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for browserleaks.com (timed out)
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for spotify.com (timed out)
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for expressvpn.com (timed out)
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for ipv6-test.com (timed out)
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for test-ipv6.com (timed out)
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for youtube.com (timed out)
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for whatismyipaddress.com (timed out)
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for ipleak.net (timed out)
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for ip.me (timed out)
......
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for speedtest.net (timed out)
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for fast.com (timed out)
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: WARNING: Lookup failed for dnscheck.tools (timed out)
Tue Sep 16 15:39:35 2025 user.notice pbr [26779]: Finished resolving 18 domain names in policies (16 failed) [✓]
Tue Sep 16 15:42:49 2025 user.notice pbr [31695]: Processing environment (on_interface_reload) [✓]
Tue Sep 16 15:42:50 2025 user.notice pbr [31695]: Setting up routing for 'wan/xxxxxxxxxxxxxxxxxxxxxxxxxx' [✓]
Tue Sep 16 15:42:50 2025 user.notice pbr [31695]: Setting up routing for 'wg0/xxxxxxxxxxxxxxxxxxxxxxxxxx/::/0' [✓]
Tue Sep 16 15:42:51 2025 user.notice pbr [31695]: Setting up routing for 'wg1/xxxxxxxxxxxxxxxxxxxxxxxxxx/128' [✓]
Tue Sep 16 15:42:52 2025 user.notice pbr [31695]: Setting up routing for 'wg2/xxxxxxxxxxxxxxxxxxxxxxxxxx/128' [✓]
Tue Sep 16 15:42:52 2025 user.notice pbr [31695]: Setting up routing for 'wg3/xxxxxxxxxxxxxxxxxxxxxxxxxx/128' [✓]
Tue Sep 16 15:42:53 2025 user.notice pbr [31695]: Setting up routing for 'wg4/xxxxxxxxxxxxx/::/0' [✓]
Tue Sep 16 15:42:55 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wan_4_dst_ip_cfg096ff5 Error: No such file or directory
Tue Sep 16 15:42:56 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wan_6_dst_ip_cfg096ff5 Error: No such file or directory
Tue Sep 16 15:42:58 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wan_4_dst_ip_cfg096ff5 Error: No such file or directory
Tue Sep 16 15:42:58 2025 user.notice pbr [31695]: Routing 'Guest redirect 1' via wan [✓]
Tue Sep 16 15:43:00 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg1_4_dst_ip_cfg0a6ff5 Error: No such file or directory
Tue Sep 16 15:43:01 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg1_6_dst_ip_cfg0a6ff5 Error: No such file or directory
Tue Sep 16 15:43:02 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg1_6_dst_ip_cfg0a6ff5 Error: No such file or directory
Tue Sep 16 15:43:04 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg1_4_dst_ip_cfg0a6ff5 Error: No such file or directory
Tue Sep 16 15:43:05 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg1_6_dst_ip_cfg0a6ff5 Error: No such file or directory
Tue Sep 16 15:43:07 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg1_4_dst_ip_cfg0a6ff5 Error: No such file or directory
Tue Sep 16 15:43:08 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg1_4_dst_ip_cfg0a6ff5 Error: No such file or directory
Tue Sep 16 15:43:10 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg1_4_dst_ip_cfg0a6ff5 Error: No such file or directory
Tue Sep 16 15:43:11 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg1_4_dst_ip_cfg0a6ff5 Error: No such file or directory
Tue Sep 16 15:43:11 2025 user.notice pbr [31695]: Routing 'Guest redirect 2' via wg1 [✓]
Tue Sep 16 15:43:11 2025 user.notice pbr [31695]: Routing 'Guest redirect 3' via wg0 [✓]
Tue Sep 16 15:43:12 2025 user.notice pbr [31695]: Routing 'Sites Redirect'' via wg2 [✓]
Tue Sep 16 15:43:12 2025 user.notice pbr [31695]: Routing 'MAC address' via wg0 [✓]
Tue Sep 16 15:43:13 2025 user.notice pbr [31695]: Resolver set support disabled, domain names in policies not resolved [✗]
Tue Sep 16 15:43:13 2025 user.notice pbr [31695]: Running /usr/share/pbr/pbr.user.dnsprefetch [✓]
Tue Sep 16 15:43:13 2025 user.notice pbr [31695]: Installing fw4 nft file [✓]
Tue Sep 16 15:43:13 2025 user.notice pbr [31695]: Setting interface trigger for wan [✓]
Tue Sep 16 15:43:13 2025 user.notice pbr [31695]: Setting interface trigger for wan6 [✓]
Tue Sep 16 15:43:13 2025 user.notice pbr [31695]: Setting interface trigger for wg0 [✓]
Tue Sep 16 15:43:13 2025 user.notice pbr [31695]: Setting interface trigger for wg1 [✓]
Tue Sep 16 15:43:13 2025 user.notice pbr [31695]: Setting interface trigger for wg2 [✓]
Tue Sep 16 15:43:13 2025 user.notice pbr [31695]: Setting interface trigger for wg3 [✓]
Tue Sep 16 15:43:13 2025 user.notice pbr [31695]: Setting interface trigger for wg4 [✓]

Ten minutes later when I open dnscheck.tools the issues surfaced again. Dnsmasq using the CPU 100% for more than 2-3 minutes. Slow opening (domain resolving) of pages, same errors in the log. Using ISP’s DNSes. Opening dnscheck.tools second and third time causes the same behaviour.

Additionally after stopping and disabling pbr a reboot is needed so dnsmasq can recover completely. Only dnsmasq restart doesn’t help.

sppmaster · September 16, 2025, 6:26pm

@antonk @dibdot @egc @stangri

One more key information about this case.

I’ve enabled https-dns-proxy again (pbr remains disabled) to try it alone.

No issues with it currently, dnsmasq working OK, no high CPU usage, nor errors in the log.

So the culprit for the current issues was pbr version 1.1.9-r33. About the solution - most probably just use another version (newer or older one) depending on the OpenWrt branch/version used.

antonk · September 16, 2025, 6:46pm

This pretty much narrows it down to pbr or pbr interaction with dnsmasq. So you'll need @stangri or someone else well acquainted with the pbr code to take the troubleshooting from here.