DoH proxy: https-dns-proxy new RFC8484-supporting package and Web UI

uci set 'network.lan.ipv6=off' is NOT set
odhcpd disabled
All OpenWrt's interfaces are option ipv6 '0' and all WAN/VPNs are ipv4 only.
Well, local PCs have their link-local ipv6 addresses, but that's about all there is.

I'm testing a 6-in-4 tunnel right now, so I don't have a working config with IPv6 completely turned off, but when I flash an image like that I'll double check if https-dns-proxy reports IPv6 addresses.

Most clients I've seen request (and receive) both v4 and v6 addresses no matter what...but if the underlying protocol stack won't support connecting via v6, then it won't (or will silently fail), thus that's generally not considered an issue.

If it's a major concern, and you're using dnsmasq, it's trivial to sub/block v6 addressing entirely.

Firefox does require a DoH connection to be made between Firefox and the provider for ECH to work. Who knows, maybe someone could tamper with DNS data in your LAN?

For more information: https://bugzilla.mozilla.org/show_bug.cgi?id=1500289

I've added a brief https-dns-proxy status section to the Status->Overview in the most recent luci app build.

I welcome any suggestions on what should be shown there.

What is the logic behind having multiple DNS servers here? I thought that if the first one goes down it should fall back to using the second one. But in reality, if the 1st server is down the DNS resolution is failing on me completely until I change the servers manually.
I have Mullvad (AdBlocking Filter) as the first and Cloudflare (Security Filter) as the second, and sometimes Mullvad goes down and I have to log in and switch them manually.

Do we need to check ignore resolve file?

Whether the proxies are queried simultaneously/consecutively is controlled by dnsmasq settings. Again, through dnsmasq settings there is a multitude of use cases for more than one proxy instance; for example, you can configure different clients in your network to use different proxies.

If you're letting https-dns-proxy manage your dnsmasq config(s) then no, it will do it for you. If you're managing dnsmasq config(s) manually, then yes.

OK, because if I uncheck it, I see one of the DNS servers that I use in https-dns-proxy and the 3 others are from my ISP. But if I check the resolve file, I see my two DNS servers from https-dns-proxy.