DoT + Stubby + dnsmasq 2024

hello there!

I'm trying to test DoT on my device with stubby and dnsmasq. I already have a second (upstream) router running dnsproxy2 that does DNS hijacking for other purposes, but I'm not able to make it work when using stubby. It's probably something DNS-related — it's always DNS, right?

I'm also using OpenWrt 23.05.3.

I followed the wiki guide
https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby
The wiki page was last updated on 2024-04-15.

I can resolve google.com, but when I try any other domain it behaves as if it were blocked — I get no response at all.

here is my stubby info

Stubby

# Stubby global section (/etc/config/stubby). With manual '0' the init script
# renders this section into /var/etc/stubby/stubby.yml, which is the file the
# daemon actually reads ("Read config from file /var/etc/stubby/stubby.yml" in
# the stubby log further down); /etc/stubby/stubby.yml is not consulted.
config stubby 'global'
# '0' = UCI-managed. Set '1' to hand-edit /etc/stubby/stubby.yml instead.
option manual '0'
# (Re)start stubby when the 'wan' interface comes up.
option trigger 'wan'
# option triggerdelay '2'
# TLS is the only transport, so the strict privacy profile below applies
# (stubby log: "a Strict Profile only applies when TLS is the ONLY transport").
list dns_transport 'GETDNS_TRANSPORT_TLS'
# '1' = authentication required ("Privacy Usage Profile is Strict" in the log):
# the upstream certificate must validate against tls_auth_name. In this profile
# stubby does not fall back to an unauthenticated or plaintext upstream, so if
# no DoT upstream is reachable it answers SERVFAIL — consistent with the
# SERVFAIL seen when querying localhost:5453 directly later in the thread.
option tls_authentication '1'
# Pad queries to 128-byte blocks (EDNS(0) padding) so query sizes leak less.
option tls_query_padding_blocksize '128'
# option tls_connection_retries '2'
# option tls_backoff_time '3600'
# option timeout '5000'
# Left commented: stubby then does no validation of its own ("DNSSEC Validation
# is OFF" at the first start in the log) and validation is dnsmasq's job via
# its 'dnssec' option. The second start in the log shows it ON, so this was
# presumably toggled between the two runs.
# option dnssec_return_status '0'
option appdata_dir '/var/lib/stubby'
# option trust_anchors_backoff_time 2500
# option dnssec_trust_anchors '/var/lib/stubby/getdns-root.key'
# Keep the EDNS Client Subnet private, i.e. do not disclose it to upstreams.
option edns_client_subnet_private '1'
option idle_timeout '10000'
# Rotate across all 'resolver' sections rather than sticking to the first one.
option round_robin_upstreams '1'
# Loopback only: stubby is reachable just from this host (dnsmasq forwards to
# it); matches the netstat output below (127.0.0.1:5453 and ::1:5453).
list listen_address '127.0.0.1@5453'
list listen_address '0::1@5453'
# option log_level '7'
# option command_line_arguments ''
# option tls_cipher_list 'redacted'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'

Upstream resolvers are specified using 'resolver' sections.

# Upstream DoT resolvers (Cloudflare, IPv6 entries first). No tls_port is set,
# so the commented default (853) is used: if the upstream router blocks
# outbound 853, every resolver here fails and stubby can only return SERVFAIL,
# which fits the thread (DNSCrypt works, DoT does not). 'spki' is commented out
# in every section, so authentication is hostname-only: the certificate must be
# valid for tls_auth_name under the trust store available to stubby
# (presumably the system CA bundle — confirm). Filling in a current SPKI pin
# adds key pinning on top of that.
# NOTE(review): the netstat output below shows only ULA/link-local IPv6 on
# this router; if it has no global IPv6 upstream, the two IPv6 entries are
# unreachable and round_robin_upstreams will keep trying them — worth testing
# with only the IPv4 entries enabled.
config resolver
option address '2606:4700:4700::1111'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'redacted'
# option tls_cipher_list 'redacted'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'

config resolver
option address '2606:4700:4700::1001'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'redacted'
# option tls_cipher_list 'redacted'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'

# IPv4 entries: same hostname authentication as above.
config resolver
option address '1.1.1.1'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'redacted'
# option tls_cipher_list 'redacted'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'

config resolver
option address '1.0.0.1'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'redacted'
# option tls_cipher_list 'redacted'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'

DHCP / dnsmasq
# dnsmasq section (/etc/config/dhcp): LAN resolver that forwards everything
# not answered locally to stubby on 127.0.0.1/::1 port 5453.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Drops upstream answers in RFC1918 space (log: "DNS rebinding protection
        # is active, will discard upstream RFC1918 responses!"); rebind_localhost
        # keeps 127.0.0.0/8 answers allowed ("Allowing 127.0.0.0/8 responses").
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Ignored while noresolv is '1' (see below). The March log lines that show
        # "using nameserver 10.105.10.1#53" come from this file being read before
        # noresolv/server were set; the May lines show only the stubby servers.
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # With 'list interface' this selects bind-dynamic on br-lan. The netstat
        # output below nevertheless shows dnsmasq listening on 10.105.10.246:53 —
        # presumably the upstream-facing address (the same 10.105.10.0/24 as the
        # upstream router at 10.105.10.1). localservice restricts who gets
        # answers, but confirm the wan firewall zone rejects inbound port 53.
        option nonwildcard '1'
        # Only answer clients on directly attached subnets
        # (log: "DNS service limited to local subnets").
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        # Do not read the DHCP-supplied upstream servers; use only 'list server'.
        option noresolv '1'
        # Validate DNSSEC in dnsmasq itself. Requires dnsmasq-full — the running
        # binary's compile-time options in the log include "DNSSEC". With stubby's
        # own validation off this is the only validator in the chain. Note the
        # SERVFAIL in this thread also appears when querying stubby directly on
        # port 5453, so it is not produced by this option.
        option dnssec '1'
        # Forward to stubby (log: "using nameserver 127.0.0.1#5453" / "::1#5453").
        list server '127.0.0.1#5453'
        list server '0::1#5453'
        list interface 'br-lan'
        # '0': the router's own /etc/resolv.conf does NOT point at dnsmasq. That is
        # why "nslookup example.com" on the router answers from 10.105.10.1 (the
        # upstream router) in plaintext, bypassing stubby/DoT entirely; set '1' if
        # the router's own lookups (opkg, ntp, ...) should also go through DoT.
        option localuse '0'

# DHCPv4/DHCPv6/RA for the LAN (log: "DHCP, IP range 192.168.1.100 --
# 192.168.1.249, lease time 12h" and "IPv6 router advertisement enabled").
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        # RA M/O flags: tell hosts to also use DHCPv6 for addresses and for
        # other configuration (e.g. DNS). Whether clients honour this depends on
        # the client OS — confirm per client.
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# Never serve DHCP towards the upstream network.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles DHCPv6/RA; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

any idea?

DNSSEC validation in dnsmasq (`option dnssec '1'`) needs dnsmasq-full. As indicated in the doc you linked, proxy-DNSSEC — i.e. stubby doing the validation — works with the default dnsmasq.

Hello, I tried with dnsmasq-full and still nothing. I've checked the link and it doesn't say that I need to install dnsmasq-full, but I installed it anyway. I got an incompatibility error when installing, so I used this:

# Replace the stock dnsmasq with dnsmasq-full. The package is downloaded first
# so the remove -> install window does not depend on any network fetch; the
# chain aborts at the first failing step, so check the output before moving on.
opkg install dnsmasq-full --download-only \
	&& opkg remove dnsmasq \
	&& opkg install dnsmasq-full --cache . \
	&& rm -- ./*.ipk

So I built a custom image with dnsmasq-full included, but still nothing.

Some more information:

nslookup
root@OpenWrt:~# nslookup openwrt.org localhost
Server:         localhost
Address:        [::1]:53

** server can't find openwrt.org: SERVFAIL

** server can't find openwrt.org: SERVFAIL

logs

logs dnsmasq

Fri Mar 22 22:09:50 2024 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses! Fri Mar 22 22:09:50 2024 user.notice dnsmasq: Allowing 127.0.0.0/8 responses Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: started, version 2.90 cachesize 1000 Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus Fri Mar 22 22:09:50 2024 daemon.info dnsmasq-dhcp[1]: IPv6 router advertisement enabled Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan Fri Mar 22 22:09:50 2024 daemon.warn dnsmasq[1]: no servers found in /tmp/resolv.conf.d/resolv.conf.auto, will retry Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names Fri Mar 22 22:09:50 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 0 names Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using nameserver 10.105.10.1#53 Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test Fri Mar 22 
22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: started, version 2.90 cachesize 1000 Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus Fri Mar 22 22:10:44 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h Fri Mar 22 22:10:44 2024 daemon.info dnsmasq-dhcp[1]: IPv6 router advertisement enabled Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan Fri Mar 22 
22:10:44 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using nameserver 10.105.10.1#53 Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names Fri Mar 22 22:10:44 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names Fri Mar 22 22:10:44 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: started, version 2.90 cachesize 1000 Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus Fri Mar 22 22:10:46 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h Fri Mar 22 22:10:46 2024 daemon.info dnsmasq-dhcp[1]: IPv6 router advertisement enabled Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only 
locally-known addresses for onion Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using nameserver 10.105.10.1#53 Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names Fri Mar 22 22:10:46 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names Fri Mar 22 22:10:46 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses Fri Mar 22 22:10:48 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.146 e8:6a:64:a1:6a:6b Fri Mar 22 22:10:48 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.146 e8:6a:64:a1:6a:6b Zero Mon May 6 18:02:24 2024 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: started, version 2.90 cachesize 1000 Mon May 6 18:02:40 2024 
daemon.info dnsmasq[1]: DNS service limited to local subnets Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus Mon May 6 18:02:40 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h Mon May 6 18:02:40 2024 daemon.info dnsmasq-dhcp[1]: IPv6 router advertisement enabled Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5453 Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: using nameserver ::1#5453 Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names Mon May 6 18:02:40 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names Mon May 6 18:02:40 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses Mon May 6 18:02:50 2024 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: started, version 2.90 cachesize 1000 Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN 
DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus Mon May 6 18:02:54 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h Mon May 6 18:02:54 2024 daemon.info dnsmasq-dhcp[1]: IPv6 router advertisement enabled Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5453 Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: using nameserver ::1#5453 Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names Mon May 6 18:02:54 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names Mon May 6 18:02:54 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses Mon May 6 18:07:06 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.146 e8:6a:64:a1:6a:6b Mon May 6 18:07:06 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.146 e8:6a:64:a1:6a:6b Zero tcp 0 0 10.105.10.246:53 0.0.0.0:* LISTEN 3931/dnsmasq tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3931/dnsmasq tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 3931/dnsmasq tcp 0 0 fe80::3cda:1bff:fe17:faa:53 :::* LISTEN 3931/dnsmasq tcp 0 0 fe80::daec:5eff:fe32:245c:53 :::* LISTEN 3931/dnsmasq tcp 0 0 fe80::daec:5eff:fe32:245c:53 :::* 
LISTEN 3931/dnsmasq tcp 0 0 fd59:a2a6:9d08::1:53 :::* LISTEN 3931/dnsmasq tcp 0 0 ::1:53 :::* LISTEN 3931/dnsmasq udp 0 0 127.0.0.1:53 0.0.0.0:* 3931/dnsmasq udp 0 0 10.105.10.246:53 0.0.0.0:* 3931/dnsmasq udp 0 0 192.168.1.1:53 0.0.0.0:* 3931/dnsmasq udp 0 0 0.0.0.0:67 0.0.0.0:* 3931/dnsmasq udp 0 0 ::1:53 :::* 3931/dnsmasq udp 0 0 fe80::3cda:1bff:fe17:faa:53 :::* 3931/dnsmasq udp 0 0 fe80::daec:5eff:fe32:245c:53 :::* 3931/dnsmasq udp 0 0 fd59:a2a6:9d08::1:53 :::* 3931/dnsmasq udp 0 0 fe80::daec:5eff:fe32:245c:53 :::*

logs stubby

Mon May 6 18:02:14 2024 daemon.err stubby[3576]: [18:02:14.523849] STUBBY: Read config from file /var/etc/stubby/stubby.yml[18:02:14.525488] STUBBY: Stubby version: Stubby 0.4.3 Mon May 6 18:02:14 2024 daemon.err stubby[3576]: [18:02:14.525983] STUBBY: DNSSEC Validation is OFF Mon May 6 18:02:14 2024 daemon.err stubby[3576]: [18:02:14.526058] STUBBY: Transport list is: Mon May 6 18:02:14 2024 daemon.err stubby[3576]: [18:02:14.526094] STUBBY: - TLS Mon May 6 18:02:14 2024 daemon.err stubby[3576]: [18:02:14.526130] STUBBY: Privacy Usage Profile is Strict (Authentication required) Mon May 6 18:02:14 2024 daemon.err stubby[3576]: [18:02:14.526171] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!) Mon May 6 18:02:14 2024 daemon.err stubby[3576]: [18:02:14.526208] STUBBY: Starting DAEMON.... Mon May 6 18:02:56 2024 daemon.err stubby[4026]: [18:02:56.072198] STUBBY: Read config from file /var/etc/stubby/stubby.yml[18:02:56.073500] STUBBY: Stubby version: Stubby 0.4.3 Mon May 6 18:02:56 2024 daemon.err stubby[4026]: [18:02:56.074050] STUBBY: DNSSEC Validation is ON Mon May 6 18:02:56 2024 daemon.err stubby[4026]: [18:02:56.074129] STUBBY: Transport list is: Mon May 6 18:02:56 2024 daemon.err stubby[4026]: [18:02:56.074171] STUBBY: - TLS Mon May 6 18:02:56 2024 daemon.err stubby[4026]: [18:02:56.074221] STUBBY: Privacy Usage Profile is Strict (Authentication required) Mon May 6 18:02:56 2024 daemon.err stubby[4026]: [18:02:56.074265] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!) Mon May 6 18:02:56 2024 daemon.err stubby[4026]: [18:02:56.074302] STUBBY: Starting DAEMON.... tcp 0 0 127.0.0.1:5453 0.0.0.0:* LISTEN 4026/stubby tcp 0 0 ::1:5453 :::* LISTEN 4026/stubby udp 0 0 127.0.0.1:5453 0.0.0.0:* 4026/stubby udp 0 0 ::1:5453 :::*

I'm sure I'm missing something, and it's probably DNS, as always — I just can't figure out what.

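# Query stubby directly on its own listener (127.0.0.1/::1 port 5453 per
# /etc/config/stubby), bypassing dnsmasq: a SERVFAIL here means the failure is
# in stubby or its DoT upstreams, not in dnsmasq. dig takes the server as
# "@host" and the port via "-p"; "host:port" is not valid dig syntax (and the
# port in the original line, 5354, did not match stubby's 5453). busybox
# nslookup accepts "nslookup example.com localhost:5453" instead.
dig @localhost -p 5453 example.com
# SIGUSR1 makes dnsmasq write its cache statistics to syslog; then read them.
pkill -USR1 dnsmasq ; logread -e dnsmasq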

I don't have dig on OpenWrt and I tried to install it without success:

Collected errors:
 * opkg_install_cmd: Cannot install package dig.

but I do have nslookup

nslookup example.com

```
root@OpenWrt:~# nslookup example.com
Server: 10.105.10.1
Address: 10.105.10.1:53

Non-authoritative answer:
Name: example.com
Address: 93.184.215.14

Non-authoritative answer:
Name: example.com
Address: 2606:2800:21f:cb07:6820:80da:af6b:8b2c
```

| Timestamp           | Process       | Message                                                                                             | Action        |
|---------------------|---------------|-----------------------------------------------------------------------------------------------------|---------------|
| Fri Mar 22 22:09:50 | dnsmasq       | DNS rebinding protection is active, will discard upstream RFC1918 responses!                         |               |
| Fri Mar 22 22:09:50 | dnsmasq       | Allowing 127.0.0.0/8 responses                                                                       |               |
| Fri Mar 22 22:09:50 | dnsmasq[1]    | started, version 2.90 cachesize 1000                                                                 |               |
| Fri Mar 22 22:09:50 | dnsmasq[1]    | DNS service limited to local subnets                                                                 |               |
| Fri Mar 22 22:09:50 | dnsmasq[1]    | compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack... |               |
| Fri Mar 22 22:09:50 | dnsmasq[1]    | UBus support enabled: connected to system bus                                                        |               |
| Fri Mar 22 22:09:50 | dnsmasq-dhcp[1] | IPv6 router advertisement enabled                                                                   |               |
| Fri Mar 22 22:09:50 | dnsmasq[1]    | using only locally-known addresses for test                                                          |               |
| Fri Mar 22 22:09:50 | dnsmasq[1]    | using only locally-known addresses for onion                                                         |               |
| Fri Mar 22 22:09:50 | dnsmasq[1]    | no servers found in /tmp/resolv.conf.d/resolv.conf.auto, will retry                                  |               |
| Fri Mar 22 22:09:50 | dnsmasq[1]    | read /etc/hosts - 12 names                                                                           |               |
| Fri Mar 22 22:10:44 | dnsmasq[1]    | reading /tmp/resolv.conf.d/resolv.conf.auto                                                          |               |
| Fri Mar 22 22:10:44 | dnsmasq[1]    | using nameserver 10.105.10.1#53                                                                      |               |
| Fri Mar 22 22:10:44 | dnsmasq[1]    | read /etc/hosts - 12 names                                                                           |               |
| Mon May 6 18:02:40  | dnsmasq[1]    | started, version 2.90 cachesize 1000                                                                 |               |
| Mon May 6 18:02:40  | dnsmasq[1]    | using nameserver 127.0.0.1#5453                                                                      |               |
| Mon May 6 18:02:40  | dnsmasq[1]    | using nameserver ::1#5453                                                                            |               |
| Mon May 6 18:02:40  | dnsmasq[1]    | read /etc/hosts - 12 names                                                                           |               |
| Mon May 6 18:02:54  | dnsmasq[1]    | started, version 2.90 cachesize 1000                                                                 |               |
| Mon May 6 18:02:54  | dnsmasq[1]    | using nameserver 127.0.0.1#5453                                                                      |               |
| Mon May 6 18:02:54  | dnsmasq[1]    | using nameserver ::1#5453                                                                            |               |
| Mon May 6 18:02:54  | dnsmasq[1]    | read /etc/hosts - 12 names                                                                           |               |

I wanted nslookup against stubby itself, i.e. localhost:<stubby port> (5453 in your config), not against the router's default resolver.
There's no point posting the log with its lines run together; wrap it in triple backticks so the lines stay intact.

stubby yml configuration:

root@OpenWrt:/etc/stubby# cat stubby.yml
# Note: by default on OpenWRT stubby configuration is handled via
# the UCI system and the file /etc/config/stubby. If you want to
# use this file to configure stubby, then set "option manual '1'"
# in /etc/config/stubby.
#
# Reviewer note: with manual '0' (as in the UCI config above) this file is NOT
# the one the daemon loads — the stubby log shows it reading
# /var/etc/stubby/stubby.yml, generated from UCI. It mirrors the UCI settings
# here, so the comments below apply to both.
# Stub resolution only: stubby forwards to the upstreams below, it does not
# recurse itself.
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/var/lib/stubby"
# Strict profile: the upstream certificate must validate for tls_auth_name;
# no fallback to unauthenticated or plaintext transports.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
# No dnssec_return_status here, so stubby itself does not validate DNSSEC
# (log: "DNSSEC Validation is OFF"); dnsmasq's 'dnssec' option validates.
# Loopback listeners only; dnsmasq forwards to 127.0.0.1#5453 / ::1#5453.
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
# TLS only — required for the strict profile above to apply.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
# No tls_port is given (default DoT port 853 applies) and no tls_pubkey_pinset,
# so authentication is hostname-only against cloudflare-dns.com. If the
# upstream router blocks outbound 853, all four fail and stubby returns
# SERVFAIL, which matches the nslookup against localhost:5453 below.
upstream_recursive_servers:
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

nslookup example.com localhost:5453

Response from nslookup for example.com

Server:         localhost:5453
Address:        [::1]:5453

** server can't find example.com: SERVFAIL

** server can't find example.com: SERVFAIL

Could the wiki have something wrong? I mean, it's a clean installation and I followed the script line by line.

Do you use some DoH/DoT blocklist, so that stubby cannot reach any upstream and resolves nothing?

I don't use a DoH blocklist, but I'm behind another router that may be blocking DoH (and DoT on port 853, which is what stubby uses). If I use DNSCrypt (v1/v2) instead, it works normally.

Thank you for your time @brada4. I'll be travelling in a few days and may try again, but for now I'll stick to DNSCrypt.


That's rude of them (the upstream router operator blocking encrypted DNS)...

