DoT issue with OpenWRT+Unbound or Stubby/DNSmasq and paid Adguard DNS

Hi,
Since the update to the most recent version 23.05.3 (so the assumption), my customized configuration with paid Adguard DNS no longer works. But this exact configuration had worked for months before without any problems. The whole thing must have something to do with DNSSEC. As soon as I deactivate this in Unbound, everything works.
I am currently using the free version of Adguard DNS which works without any problems.

Does anyone have an idea what could be causing this and maybe even a solution?

Thanks in advance and greetings

Updating to OpenWrt 23.05.4 - Service Release doesn't help.
At the moment the only option is to either disable DNSSEC or use Adguard free DNS

"No longer works" isn't really enough to work with.

What do your logs say?

Unfortunately, the standard logs do not provide anything about an issue.
I have already tried to analyze them.

Try switching to https-dns-proxy, or does your unbound provide something extra?

It is by design, ad blocker has to strip dnssec to divert legit dns content. No idea what made you think it was ever other way.

@frollic why should I switch when this was working fine the last few months? What can https-dns-proxy do that unbound can't?

@brada4 But that doesn't explain why it worked without problems for several months before

No idea, it was never supposed to work by protocol design.

Since I am a paying customer, I have now contacted Adguard support. Unfortunately, they have not responded yet. I am a little disappointed with how paying customers are treated here.

Still trying to find out what's the problem here :frowning:

Are you paying for OpenWRT?


No, of course not :slight_smile:
I am a paying customer of Adguard DNS. I probably worded that a bit poorly.


Then I guess you meant there?

Why would you get anything here, for playing AGH?

Because the problems started after updating OpenWRT :wink:

NM, wrong assumption made.

I think you are confusing something ... I don't use AGH
I'm using Adguard DNS with Unbound ->
https://openwrt.org/docs/guide-user/services/dns/dot_unbound

Have you checked whether there's been any changes to Unbound that could cause your issue?

I assumed you used the application, guess I was wrong, might not even be the same company as AGH ....

I found this in Unbound changelog https://github.com/NLnetLabs/unbound/blob/master/doc/Changelog

25 July 2024: Wouter

  • Add root key 38696 from 2024 for DNSSEC validation. It is added
    to the default root keys in unbound-anchor. The content can be
    inspected with unbound-anchor -l.

This also fits roughly with the beginning of the problems.
Now I wonder who has to do what here?
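A small diagnostic for the two points raised above (a filtering upstream breaking validation, and the new root key 38696 mentioned in the Unbound changelog). This is an added example, not code from the thread, from OpenWrt or from the Unbound project. It assumes `unbound-host` and `unbound-anchor` are on PATH on the router, that `unbound-host -v` ends each answer line with "(secure)", "(insecure)" or "(BOGUS ...)", that `unbound-anchor -l` prints the built-in root DS records one per line, and that the config path passed to `check_resolver` is the one your OpenWrt setup generates (the default below is a placeholder). The DS digests in the sample are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added diagnostic helper: not part of the thread, OpenWrt or Unbound.
# Goal: tell apart "the upstream returned an unvalidatable answer" (bogus)
# from "the resolver simply does not validate" (insecure), and confirm the
# root trust anchor list contains the key tag the changelog talks about.

# Classify one line of `unbound-host -v` output (assumed wording).
dnssec_state() {
  case "$1" in
    *"(secure)"*)   echo secure ;;
    *"(insecure)"*) echo insecure ;;
    *"(BOGUS"*)     echo bogus ;;
    *)              echo unknown ;;
  esac
}

# Read DS records on stdin; succeed when the given key tag is present.
has_root_key_tag() {
  grep -Eq "[[:space:]]DS[[:space:]]+$1[[:space:]]"
}

# Live check through the resolver's own config, so the forward-zone
# (the DoT upstream) is what gets exercised. Path is an assumption.
check_resolver() {
  conf="${1:-/etc/unbound/unbound.conf}"   # placeholder path
  name="${2:-openwrt.org}"
  out="$(unbound-host -C "$conf" -v "$name" 2>&1 | head -n 1)"
  state="$(dnssec_state "$out")"
  echo "$name: $state"
  [ "$state" = secure ]
}

# Live check: does the built-in anchor list carry key tag 38696?
check_root_anchor() {
  unbound-anchor -l | has_root_key_tag "${1:-38696}"
}

# Offline demonstration on constructed input (digests are placeholders).
SAMPLE_ANCHORS='. IN DS 20326 8 2 PLACEHOLDER_DIGEST_A
. IN DS 38696 8 2 PLACEHOLDER_DIGEST_B'

demo() {
  dnssec_state 'example.com has address 192.0.2.1 (secure)'
  dnssec_state 'Host example.com not found: 2(SERVFAIL). (BOGUS (security failure))'
  if printf '%s\n' "$SAMPLE_ANCHORS" | has_root_key_tag 38696; then
    echo "root key 38696 present"
  else
    echo "root key 38696 missing"
  fi
}

demo
```

Run `check_resolver` against a domain you know is signed: "bogus" points at the upstream (answers arrive, but signatures or DS chain do not validate), "insecure" means validation is not active at all, and "secure" means the DoT path and DNSSEC are both fine. `check_root_anchor` tells you whether the running unbound-anchor already knows the 2024 key.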

You have to take it up with the Unbound developers.

Meanwhile I tried DoT with Stubby+DNSMasq but exact same issue. As soon as I activate DNSSEC within DNSMasq the problem occurs.
The staff from ADGuard support said no problems on their side.

Then I assume that the problem has to do with OpenWRT and is not necessarily an Unbound or DNSMASQ problem. What are the similarities here?
