Dnsproxy config error

Hi,

I use the latest version of dnsproxy (AdGuard) and I get an error in the log, so I cannot use dnsproxy. The error seems to be in the default config; maybe someone here could find it in the config?
Thanks

Also, I compared the default config from the 23.05 version vs 24.10 or master, and the three are the same.
Error message:

Sat Feb  1 11:38:14 2025 daemon.info dnsproxy[10745]: jail: exec-ing /usr/bin/dnsproxy
Sat Feb  1 11:38:15 2025 daemon.err dnsproxy[10745]: parsing options: positional arguments are not allowed, please check your command line arguments; detected positional arguments: [false]
Sat Feb  1 11:38:15 2025 daemon.info dnsproxy[10745]: jail: jail (10770) exited with exit: 2

and my config (this is the default config)

# For documents, please see https://github.com/AdguardTeam/dnsproxy#usage

config dnsproxy 'global'
	option enabled '1'
	list listen_addr '127.0.0.1'
#	list listen_addr '::1'
	list listen_port '5353'
	option log_file ''
	option http3 '1'
	option insecure '0'
	option ipv6_disabled '1'
	option timeout ''
	option max_go_routines ''
	option rate_limit ''
	option refuse_any '0'
	option udp_buf_size ''
	option upstream_mode ''
	option verbose '1'

config dnsproxy 'bogus_nxdomain'
	list ip_addr ''

config dnsproxy 'cache'
	option enabled '1'
	option cache_optimistic '1'
	option size '6553500'
	option min_ttl ''
	option max_ttl ''

config dnsproxy 'dns64'
	option enabled '0'
	option dns64_prefix '64:ff9b::'

config dnsproxy 'edns'
	option enabled '0'
	option edns_addr ''

config dnsproxy 'hosts'
	option enabled '0'
	list hosts_files ''

config dnsproxy 'private_rdns'
	option enabled '0'
	list upstream '127.0.0.1:53'

config dnsproxy 'servers'
	list bootstrap 'tls://8.8.8.8'
	list fallback 'tls://9.9.9.9'
	list upstream 'tls://1.1.1.1'

config dnsproxy 'tls'
	option enabled '0'
	option tls_crt ''
	option tls_key ''
	option https_port '8443'
	option tls_port '853'
	option quic_port '853'

I'd look at the init.d service file instead....

I assume https://github.com/openwrt/packages/issues/25864 is yours?

No, but I also tried the latest version. I compiled it and got the same problem.

Both init.d files are identical.

Did you compare the files I asked about?
They're not recompiled.


Yes, with meld.

Then do a ps, when (unfortunately) running the working binary, then use the same params while executing it manually as root.


I tried with the same config that I have usually used for a year (dnsproxy config). Also, I deleted all my dnsproxy settings and removed dnsproxy from init.d and config. After I uploaded the new version and used the new config, I kept the basic config and got the same error.

This is the first time in a year of using dnsproxy, and updating it whenever AdGuard launches a new update, that I get an error when I start the app.

Not exactly what I asked you to do ... :slight_smile:


you I do ps command?
I did it, but about dnsproxy, it says what is my config

That's probably correct, but I'd like that command line to be executed by you, from the prompt.


Yes, this is what I did; I did ps in the terminal.

root@ninjanoir:~# ps -ww
  PID USER       VSZ STAT COMMAND
    1 root      2340 S    /sbin/procd
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [pool_workqueue_]
    4 root         0 IW<  [kworker/R-rcu_g]
    5 root         0 IW<  [kworker/R-rcu_p]
    6 root         0 IW<  [kworker/R-slub_]
    7 root         0 IW<  [kworker/R-netns]
    9 root         0 IW<  [kworker/0:0H-ev]
   12 root         0 IW<  [kworker/R-mm_pe]
   13 root         0 IW   [rcu_tasks_trace]
   14 root         0 SW   [ksoftirqd/0]
   15 root         0 IW   [rcu_sched]
   16 root         0 SW   [migration/0]
   17 root         0 SW   [cpuhp/0]
   18 root         0 SW   [cpuhp/1]
   19 root         0 SW   [migration/1]
   20 root         0 SW   [ksoftirqd/1]
   23 root         0 SW   [cpuhp/2]
   24 root         0 SW   [migration/2]
   25 root         0 SW   [ksoftirqd/2]
   28 root         0 SW   [cpuhp/3]
   29 root         0 SW   [migration/3]
   30 root         0 SW   [ksoftirqd/3]
   33 root         0 IW<  [kworker/R-inet_]
   35 root         0 SW   [oom_reaper]
   36 root         0 IW<  [kworker/R-write]
   37 root         0 SW   [kcompactd0]
   38 root         0 IW<  [kworker/R-pencr]
   39 root         0 IW<  [kworker/R-pdecr]
   40 root         0 IW<  [kworker/R-crypt]
   41 root         0 IW<  [kworker/R-kbloc]
   44 root         0 IW<  [kworker/R-ata_s]
   46 root         0 SW   [watchdogd]
   57 root         0 SW   [kswapd0]
   59 root         0 IW<  [kworker/R-kthro]
   60 root         0 IW<  [kworker/0:1H-kb]
  139 root         0 SW   [hwrng]
  264 root         0 IW<  [kworker/R-mld]
  266 root         0 IW<  [kworker/R-ipv6_]
  267 root         0 IW<  [kworker/3:1H-kb]
  269 root         0 IW<  [kworker/R-dsa_o]
  450 root         0 IW<  [kworker/R-mmc_c]
  528 root         0 SW   [napi/mtk_eth-5]
  529 root         0 SW   [napi/mtk_eth-6]
  542 root         0 SW   [irq/81-mt7530]
  570 root         0 SW   [irq/62-mdio-bus]
  578 root         0 IW<  [kworker/1:1H-kb]
  580 root         0 IW<  [kworker/2:1H-kb]
  609 root         0 SW   [irq/24-keys]
  706 root         0 SW   [scsi_eh_0]
  707 root         0 IW<  [kworker/R-scsi_]
  709 root         0 SW   [usb-storage]
  752 root         0 SW   [f2fs_ckpt-7:0]
  753 root         0 SW   [f2fs_flush-7:0]
  754 root         0 SW   [f2fs_discard-7:]
  755 root         0 SW   [f2fs_gc-7:0]
  872 ubus      1480 S    /sbin/ubusd
  878 root       932 S    /sbin/askfirst /usr/libexec/login.sh
  918 root      1088 S    /sbin/urngd
  964 root      1956 S    /usr/sbin/haveged -F -w 1024 -d 32 -i 32 -v 1
 1046 root         0 IW<  [kworker/R-cifsi]
 1047 root         0 IW<  [kworker/R-smb3d]
 1048 root         0 IW<  [kworker/R-cifsf]
 1049 root         0 IW<  [kworker/R-cifso]
 1050 root         0 IW<  [kworker/R-defer]
 1051 root         0 IW<  [kworker/R-serve]
 1052 root         0 IW<  [kworker/R-cfid_]
 1098 root         0 IW<  [kworker/R-crypt]
 1117 root         0 SW   [irq/129-1032000]
 1118 root         0 IW<  [kworker/R-wq_ri]
 1119 root         0 SW   [irq/130-1032000]
 1120 root         0 IW<  [kworker/R-wq_ri]
 1121 root         0 SW   [irq/131-1032000]
 1122 root         0 IW<  [kworker/R-wq_ri]
 1123 root         0 SW   [irq/132-1032000]
 1124 root         0 IW<  [kworker/R-wq_ri]
 1179 root         0 IW<  [kworker/R-cfg80]
 1204 root         0 SW   [napi/phy0-7]
 1205 root         0 SW   [napi/phy0-8]
 1206 root         0 SW   [napi/phy0-9]
 1207 root         0 SW   [napi/phy0-10]
 1208 root         0 SW   [napi/phy0-11]
 1209 root         0 SW   [napi/phy0-12]
 1215 root         0 SW   [jbd2/sda1-8]
 1216 root         0 IW<  [kworker/R-ext4-]
 1226 root         0 SW   [mt76-tx phy0]
 1860 root      3984 S    /sbin/rpcd -s /var/run/ubus/ubus.sock -t 30
 2261 root      2788 S    {hostapd} /sbin/ujail -t 5 -n hostapd -U network -G network -C /etc/capabilities/wpad.json -c -- /usr/sbin/hostapd -s -g /var/run/hostapd/global
 2262 root      2788 S    {wpa_supplicant} /sbin/ujail -t 5 -n wpa_supplicant -U network -G network -C /etc/capabilities/wpad.json -c -- /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/global
 2306 network  10840 S    /usr/sbin/hostapd -s -g /var/run/hostapd/global
 2307 network   9976 S    /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/global
 2344 root      2724 S    /sbin/netifd
 2516 root      1344 S    /usr/sbin/crond -f -c /etc/crontabs -l 7
 2748 root         0 SW   [irq/61-mdio-bus]
 3007 root      8056 S    /usr/sbin/uhttpd -f -h /www -r  -x /cgi-bin -u /ubus -t 60 -T 30 -k 20 -A 1 -n 3 -N 100 -R -p 0.0.0.0:80 -p [::]:80 -C /etc/uhttpd.crt -K /etc/uhttpd.key -s 0.0.0.0:443 -s [::]:443 -q
 3090 root      1880 S    /usr/bin/dbus-daemon --system --nofork
 3171 nobody    2396 S    avahi-daemon: running [openwrt.local]
 3407 root      1164 S    /usr/sbin/dropbear -F -P /var/run/dropbear.main.pid -p 192.168.1.1:22 -s -g -K 300 -T 3 -W 1048576
 3450 root      4920 SN   /usr/sbin/collectd -C /tmp/collectd.conf -f
 4256 minidlna 23836 S    /usr/sbin/minidlnad -S -f /var/etc/minidlna.conf
 4425 root      1236 S    /usr/sbin/irqbalance -f -c 2 -t 10
 5044 root      2040 S    {banip-service.s} /bin/sh /usr/bin/banip-service.sh boot
 5526 root      1340 S    udhcpc -p /var/run/udhcpc-eth1.pid -s /lib/netifd/dhcp.script -f -t 0 -i eth1 -x hostname:openwrt -C -R -O 121
 5597 root         0 IW<  [kworker/R-wg-cr]
 8938 root      2040 S    {banip-service.s} /bin/sh /usr/bin/banip-service.sh boot
 8939 root      2040 S    {banip-service.s} /bin/sh /usr/bin/banip-service.sh boot
 8940 root      1600 S    /sbin/logread -fe Exit before auth from\|luci: failed login\|error: maximum authentication attempts exceeded\|sshd.*Connection closed by.*\[preauth\]\|SecurityEvent=\InvalidAccountID\.*RemoteAddress=
 9183 root      1396 S    {watchcat.sh} /bin/sh /usr/bin/watchcat.sh ping_reboot 21600 30 1.1.1.1 30 standard any
 9237 root      1340 S    sleep 21549
 9246 root      2788 S    {ntpd} /sbin/ujail -t 5 -n ntpd -U ntp -G ntp -C /etc/capabilities/ntpd.json -c -u -r /bin/ubus -r /usr/bin/env -r /usr/bin/jshn -r /usr/sbin/ntpd-hotplug -r /usr/share/libubox/jshn.sh -- /usr/sbin/ntpd -n -N -S /usr/sbin/ntpd-hotplug -p time.cloudflare.com -p 162.159.200.123 -p 194.177.4.1 -p 213.222.217.11 -p 80.50.102.114 -p 193.219.28.60 -p 0.openwrt.pool.ntp.org
 9260 ntp       1340 S    /usr/sbin/ntpd -n -N -S /usr/sbin/ntpd-hotplug -p time.cloudflare.com -p 162.159.200.123 -p 194.177.4.1 -p 213.222.217.11 -p 80.50.102.114 -p 193.219.28.60 -p 0.openwrt.pool.ntp.org
20278 logd      2048 S    /sbin/logd -S 128
20433 root      2788 S    {dnsmasq} /sbin/ujail -t 5 -n dnsmasq -u -l -r /bin/busybox -r /bin/ubus -r /etc/TZ -r /etc/dnsmasq.conf -r /etc/ethers -r /etc/group -r /etc/hosts -r /etc/passwd -w /tmp/dhcp.leases -r /tmp/dnsmasq.cfg01411c.d -r /tmp/hosts -r /usr/bin/env -r /usr/bin/jshn -r /usr/lib/dnsmasq/dhcp-script.sh -r /usr/share/dnsmasq/dhcpbogushostname.conf -r /usr/share/dnsmasq/rfc6761.conf -r /usr/share/dnsmasq/trust-anchors.conf -r /usr/share/libubox/jshn.sh -r /var/etc/dnsmasq.conf.cfg01411c -w /var/run/dnsmasq/ -- /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
20458 dnsmasq  66520 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
20512 root      2920 S    {dnsproxy} /sbin/ujail -t 5 -n dnsproxy -U dnsproxy -C /etc/capabilities/dnsproxy.json -l -o -r /etc/hosts -r /etc/ssl/certs/ca-certificates.crt -- /usr/bin/dnsproxy --http3 --ipv6-disabled --listen 127.0.0.1 --port 5353 --bootstrap 76.76.2.22 --fallback https://dns.cloudflare.com/dns-query --upstream quic://myID.dns.controld.com:853 --cache --cache-optimistic --cache-size 6553500 --hosts-file-enabled false
20537 dnsproxy 1210m S    /usr/bin/dnsproxy --http3 --ipv6-disabled --listen 127.0.0.1 --port 5353 --bootstrap 76.76.2.22 --fallback https://dns.cloudflare.com/dns-query --upstream quic://myID.dns.controld.com:853 --cache --cache-optimistic --cache-size 6553500 --hosts-file-enabled false
20594 root         0 IW<  [kworker/2:2H]
20616 root         0 IW<  [kworker/1:0H]
20617 root         0 IW<  [kworker/3:2H]
20719 root         0 IW   [kworker/u8:1-ev]
20905 root         0 IW   [kworker/u8:0-ev]
20916 root         0 IW   [kworker/2:0-wg-]
20974 root         0 IW   [kworker/u8:2-ph]
20978 root         0 IW   [kworker/1:2-wg-]
20987 root         0 IW   [kworker/0:2-wg-]
20988 root         0 IW   [kworker/3:1-wg-]
20989 root         0 IW   [kworker/2:1-wg-]
20991 root         0 IW   [kworker/3:2-wg-]
20992 root         0 IW   [kworker/0:1-wg-]
20993 root         0 IW   [kworker/1:1-wg-]
20994 root         0 IW   [kworker/2:2-wg-]
20995 root         0 IW   [kworker/u8:3-ev]
21004 root         0 IW   [kworker/0:0-wg-]
21005 root         0 IW   [kworker/3:0-wg-]
21006 root      1184 R    /usr/sbin/dropbear -F -P /var/run/dropbear.main.pid -p 192.168.1.1:22 -s -g -K 300 -T 3 -W 1048576 -2 8
21007 root      1356 S    -ash
21017 root         0 IW   [kworker/1:0-wg-]
21018 root      1348 R    ps -ww

So you got the command line, try running it manually, as root.

Keep in mind it'll mess up the permissions on any files it creates, since they will get the wrong owner set.


Using sudo??

If you'd like, just want to know if it actually starts.

{dnsproxy} /sbin/ujail -t 5 -n dnsproxy -U dnsproxy -C /etc/capabilities/dnsproxy.json -l -o -r /etc/hosts -r /etc/ssl/certs/ca-certificates.crt -- /usr/bin/dnsproxy --http3 --ipv6-disabled --listen 127.0.0.1 --port 5353 --bootstrap 76.76.2.22 --fallback https://dns.cloudflare.com/dns-query --upstream quic://myID.dns.controld.com:853 --cache --cache-optimistic --cache-size 6553500 --hosts-file-enabled false
20537 dnsproxy 1210m S    /usr/bin/dnsproxy --http3 --ipv6-disabled --listen 127.0.0.1 --port 5353 --bootstrap 76.76.2.22 --fallback https://dns.cloudflare.com/dns-query --upstream quic://myID.dns.controld.com:853 --cache --cache-optimistic --cache-size 6553500 --hosts-file-enabled false
20594 root         0 IW<  [kworker/2:2H]

To be sure, what would be the command?

Skip the ujail part, so everything preceding "dnsproxy".

It does not work, or I don't know how to use it. This is the first time someone has told me to do that or use that, sorry.

Execute it like this (I think I've managed to copy everything, minus the ujail stuff), to see if it starts at all:

dnsproxy -U dnsproxy -C /etc/capabilities/dnsproxy.json -l -o -r /etc/hosts -r /etc/ssl/certs/ca-certificates.crt -- /usr/bin/dnsproxy --http3 --ipv6-disabled --listen 127.0.0.1 --port 5353 --bootstrap 76.76.2.22 --fallback https://dns.cloudflare.com/dns-query --upstream quic://myID.dns.controld.com:853 --cache --cache-optimistic --cache-size 6553500 --hosts-file-enabled false

I take the place of my son @ peacefullheight
Not really, it does not start with that.

# dnsproxy -U dnsproxy -C /etc/capabilities/dnsproxy.json -l -o -r /etc/hosts -r /etc/ssl/certs/ca-certificates.crt -- /usr/bin/dnsproxy --http3 --ipv6-disabled --listen 127.0.0.1 --port 5353 --bootstrap 76.76.2.22 --fallback https://dns.cloudflare.com/dns-query --upstream quic://myID.dns.controld.com:853 --cache --cache-optimistic --cache-size 6553500 --hosts-file-enabled false
flag provided but not defined: -U
Usage of dnsproxy:
  --bogus-nxdomain=subnet
    	Transform the responses containing at least a single IP that matches specified addresses and CIDRs into NXDOMAIN.  Can be specified multiple times.
  --bootstrap/-b
    	Bootstrap DNS for DoH and DoT, can be specified multiple times (default: use system-provided).
  --cache
    	If specified, DNS cache is enabled.
  --cache-max-ttl=uint32
    	Maximum TTL value for DNS entries, in seconds.
  --cache-min-ttl=uint32
    	Minimum TTL value for DNS entries, in seconds. Capped at 3600. Artificially extending TTLs should only be done with careful consideration.
  --cache-optimistic
    	If specified, optimistic DNS cache is enabled.
  --cache-size=int
    	Cache size (in bytes). Default: 64k.
  --config-path=path
    	YAML configuration file. Minimal working configuration in config.yaml.dist. Options passed through command line will override the ones from this file.
  --dns64
    	If specified, dnsproxy will act as a DNS64 server.
  --dns64-prefix=subnet
    	Prefix used to handle DNS64. If not specified, dnsproxy uses the 'Well-Known Prefix' 64:ff9b::.  Can be specified multiple times.
  --dnscrypt-config=path/-g path
    	Path to a file with DNSCrypt configuration. You can generate one using https://github.com/ameshkov/dnscrypt.
  --dnscrypt-port=port/-y port
    	Listening ports for DNSCrypt.
  --edns
    	Use EDNS Client Subnet extension.
  --edns-addr=address
    	Send EDNS Client Address.
  --fallback/-f
    	Fallback resolvers to use when regular ones are unavailable, can be specified multiple times. You can also specify path to a file with the list of servers.
  --help/-h
    	Print this help message and quit.
  --hosts-file-enabled
    	If specified, use hosts files for resolving.
  --hosts-files=path
    	List of paths to the hosts files, can be specified multiple times.
  --http3
    	Enable HTTP/3 support.
  --https-port=port/-s port
    	Listening ports for DNS-over-HTTPS.
  --https-server-name=name
    	Set the Server header for the responses from the HTTPS server.
  --https-userinfo=name
    	If set, all DoH queries are required to have this basic authentication information.
  --insecure
    	Disable secure TLS certificate validation.
  --ipv6-disabled
    	If specified, all AAAA requests will be replied with NoError RCode and empty answer.
  --listen=address/-l address
    	Listening addresses.
  --max-go-routines=uint
    	Set the maximum number of go routines. A zero value will not not set a maximum.
  --output=path/-o path
    	Path to the log file.
  --port=port/-p port
    	Listening ports. Zero value disables TCP and UDP listeners.
  --pprof
    	If present, exposes pprof information on localhost:6060.
  --private-rdns-upstream
    	Private DNS upstreams to use for reverse DNS lookups of private addresses, can be specified multiple times.
  --private-subnets=subnet
    	Private subnets to use for reverse DNS lookups of private addresses.
  --quic-port=port/-q port
    	Listening ports for DNS-over-QUIC.
  --ratelimit=int/-r int
    	Ratelimit (requests per second).
  --ratelimit-subnet-len-ipv4=int
    	Ratelimit subnet length for IPv4.
  --ratelimit-subnet-len-ipv6=int
    	Ratelimit subnet length for IPv6.
  --refuse-any
    	If specified, refuses ANY requests.
  --timeout=duration
    	Timeout for outbound DNS queries to remote upstream servers in a human-readable form
  --tls-crt=path/-c path
    	Path to a file with the certificate chain.
  --tls-key=path/-k path
    	Path to a file with the private key.
  --tls-max-version=version
    	Maximum TLS version, for example 1.3.
  --tls-min-version=version
    	Minimum TLS version, for example 1.0.
  --tls-port=port/-t port
    	Listening ports for DNS-over-TLS.
  --udp-buf-size=int
    	Set the size of the UDP buffer in bytes. A value <= 0 will use the system default.
  --upstream/-u
    	An upstream to be used (can be specified multiple times). You can also specify path to a file with the list of servers.
  --upstream-mode=mode
    	Defines the upstreams logic mode, possible values: load_balance, parallel, fastest_addr (default: load_balance).
  --use-private-rdns
    	If specified, use private upstreams for reverse DNS lookups of private addresses.
  --verbose/-v
    	Verbose output.
  --version
    	Prints the program version.
parsing options: flag provided but not defined: -U

Then the obvious question: does it start without the -U dnsproxy?
Seems the param isn't valid (anymore?).
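
The log at the top of the thread reports `[false]` as a positional argument, and the only bare `false` on the dnsproxy command line in the ps output follows `--hosts-file-enabled`, which the usage text lists without a value. The sketch below is an added example, not part of any post and not the package's init script or dnsproxy's parser; it walks an argument list the way Go's standard `flag` package does (an assumption about this build) and returns whatever is left over as positional. `BOOL_FLAGS`, `SAMPLE` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the package's init script or dnsproxy's own parser.
# BOOL_FLAGS: options whose usage text in this thread shows no value
# (assumption: these are the parser's boolean flags).
BOOL_FLAGS="--cache --cache-optimistic --dns64 --edns --help -h
--hosts-file-enabled --http3 --insecure --ipv6-disabled --pprof
--refuse-any --use-private-rdns --verbose -v --version"

# Constructed sample: the dnsproxy arguments from the ps output above.
SAMPLE="--http3 --ipv6-disabled --listen 127.0.0.1 --port 5353
--bootstrap 76.76.2.22 --fallback https://dns.cloudflare.com/dns-query
--upstream quic://myID.dns.controld.com:853 --cache --cache-optimistic
--cache-size 6553500 --hosts-file-enabled false"

# Succeeds when $1 is one of the valueless (boolean) flags.
is_bool_flag() {
    for f in $BOOL_FLAGS; do
        if [ "$f" = "$1" ]; then return 0; fi
    done
    return 1
}

# Prints the arguments left over as positional. Parsing stops at the
# first token that is neither a flag nor a flag's value, or after "--".
find_positional() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --) shift; break ;;
            -?*=*) ;;                    # -flag=value: value is attached
            -?*)
                # A value-taking flag consumes the next token as its value.
                if ! is_bool_flag "$1" && [ $# -gt 1 ]; then shift; fi
                ;;
            *) break ;;                  # first stray token ends parsing
        esac
        shift
    done
    printf '%s' "$*"
}

# SAMPLE is left unquoted on purpose so it splits into separate arguments.
printf 'positional: [%s]\n' "$(find_positional $SAMPLE)"
```

Writing the boolean as `--hosts-file-enabled=false`, or omitting the flag when the option is disabled, leaves nothing positional in this model; whether this dnsproxy build accepts the `=false` form is an assumption to confirm against the binary.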