Help with a possible DNS configuration error

Hello everyone,
I was testing some DoH, DoT, QUIC, etc. configurations through dnsproxy, explained in this tutorial => https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_dnsproxy

Some errors occurred during the configuration, which rendered my network inoperable, at least to the internet, but functional on the local network.

From what I could understand from the tutorial above, local resolution is handled by dnsmasq installed on the router, and "internet-facing" resolution is forwarded by dnsproxy to the specified resolvers.

Due to the error, I tried removing the dnsproxy configuration, removing the packages and the configuration file, and reverting to the previous configuration... It didn't work.

I also took some files from my previous backup, where the router was working (the network.conf, dhcp.conf and firewall.conf files), backed up the previous files, and restarted the services, again without success...

So, I came to ask you for help once again...

Here are some possible configurations.

ubus call system board

root@horus:~# ubus call system board
{
        "kernel": "6.6.104",
        "hostname": "horus",
        "system": "Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz",
        "model": "LG Electronics                   V320-M.BG31P1",
        "board_name": "lg-electronics-v320-m-bg31p1",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.3",
                "revision": "r28872-daca7c049b",
                "target": "x86/64",
                "description": "OpenWrt 24.10.3 r28872-daca7c049b",
                "builddate": "1758316778"
        }
}
root@horus:~#

cat /etc/config/dnsmasq (I removed the dhcp part - it's OK!)

config dnsmasq 'horus'
        option local '/hsh/'
        option domain 'hsh'
        option expandhosts '1'
        option rebind_protection '1'
        option localservice '1'
        option sequential_ip '1'
        option allservers '1'
        list cache_rr 'ANY'
        option domainneeded '1'
        option rebind_localhost '1'
        option localise_queries '1'
        option dhcpleasemax '52'
        option dnsforwardmax '600'
        option cachesize '2500'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        option dnsseccheckunsigned '0'
        option boguspriv '0'
        option authoritative '1'
        option port '53'

cat /etc/config/network

root@horus:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd90:c4a8:4ed1::/48'
        option packet_steering '1'
        option steering_flows '128'

config interface 'lan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.15.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth0'
        option username 'cliente@cliente'
        option password 'cliente'
        option ipv6 'auto'
        option ip6assign '64'

config interface 'onu_vsol'
        option proto 'static'
        option device 'eth0'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.252'
        option delegate '0'
        option disabled '1'

config interface 'wireguard'
        option proto 'wireguard'
        option private_key 'EDITED'
        option listen_port '1195'
        list addresses '192.168.20.1/24'
        

config wireguard_wireguard
        option description 'Cell_RR'
        option public_key 'EDITED'
        option private_key 'EDITED'
        option preshared_key 'EDITED'
        option endpoint_port '1195'
        option persistent_keepalive '25'
        option endpoint_host 'EDITED'
        list allowed_ips '192.168.20.11'
        list allowed_ips 'fd00:20::11'

root@horus:~#
cat /etc/config/firewall

root@horus:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'onu_vsol'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option src 'wan'
        option name 'Allow-Wireguard'
        list proto 'udp'
        option dest_port '1195'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wireguard'
        option masq '1'

config forwarding
        option src 'wireguard'
        option dest 'lan'

config forwarding
        option src 'wireguard'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wireguard'

config rule
        option target 'ACCEPT'
        option _name 'vsftpd'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1024-1035'
        option family 'ipv4'
        option name 'Allow-VsFTPd'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NintendoSwitch_NAT_A'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option src_dport '45000-65535'
        option dest_ip '192.168.15.30'
        option dest_port '45000-65535'

root@horus:~#

While I'm at it, I'd like to take this opportunity to ask about optimization...

My x86 machine has 8 GB of RAM...

Is this configuration recommended, or should I consider this as a possible cause of the problem?

"net.core.rmem_max=7500000
net.core.wmem_max=7500000"

Resetting to defaults and putting your last working backup back would be the easiest and smartest.

You can try removing this but there might be other problems too

Also add a public DNS server e.g. 9.9.9.9 at the wan interface


I will try, but...

I think it should have worked by now, once I removed the files and reverted to default, including the backup files that worked....

Hello @egc ...

I simply removed this line and restarted dnsmasq and it works like a charm!!!

I will reconfigure DNS proxy, because I want to use DoH, DoT and QUIC DNS, but I will study the tutorial better - maybe it works fine, but I don't understand it well and I left the configuration wrong, causing problems in the configuration.

Thanks for your help!

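As an added example (not code from the thread or from the OpenWrt tutorial), here is a POSIX sh/awk check for the state this thread ended in: the `doh_backup_*` keys are the markers https-dns-proxy writes when it rewrites the dnsmasq section, and once the proxy is removed `option noresolv '1'` stays behind, so dnsmasq neither reads resolv.conf nor has a `list server` upstream. The `127.0.0.1#5053` value in the comment is a placeholder for a local forwarder, not a value taken from the tutorial.

```sh
#!/bin/sh
# Added example (not from the thread): audit an OpenWrt UCI dhcp config for a
# dnsmasq section that has 'option noresolv 1' but no 'list server' upstream,
# and for leftover doh_backup_* keys from https-dns-proxy.
# Usage: audit_dnsmasq_upstream /etc/config/dhcp
# Exit status: 0 = looks sane, 1 = problem found (details printed).
# A working pair would be e.g. "option noresolv '1'" plus
# "list server '127.0.0.1#5053'" (placeholder forwarder address).

audit_dnsmasq_upstream() {
    awk '
        # track whether we are inside the "config dnsmasq" section
        /^config[ \t]/ { in_dnsmasq = ($2 == "dnsmasq"); next }
        in_dnsmasq && $1 == "option" && $2 == "noresolv" { noresolv = $3 }
        in_dnsmasq && $1 == "list"   && $2 == "server"   { servers++ }
        in_dnsmasq && $2 ~ /^doh_backup_/                { backup++ }
        END {
            gsub(/\047/, "", noresolv)   # strip the UCI single quotes
            rc = 0
            if (noresolv == "1" && servers == 0) {
                print "PROBLEM: noresolv=1 but no list server: dnsmasq has no upstream"
                rc = 1
            }
            if (backup > 0) {
                print "WARN: " backup " leftover doh_backup_* option(s) from https-dns-proxy"
                rc = 1
            }
            if (rc == 0) print "OK: dnsmasq upstream configuration looks sane"
            exit rc
        }
    ' "$1"
}

# stand-alone use: audit the file given as the first argument
if [ "$#" -gt 0 ]; then
    audit_dnsmasq_upstream "$1"
fi
```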

All three, https-dns-proxy wouldn't be enough?


Hello frollic...

I have a rather strange and interesting problem here on my network...

My wife occasionally needs to access the website https://santoandre.ginfes.com.br/...

Okay, with this website you log in and then, within it, it accesses you - apparently it's a piece of software written in Java...

The problem is that when I install https-dns-proxy, I can access this site without any problems through some browsers, like Firefox, for example, but I can't if I try with Edge or Chrome... even if I whitelist the full URL or *.ginfes.com.br, I can't access it at all... if I stop the proxy, it loads right away, and also, I can't find the site or URL in the report the proxy extracts, saying that it's not blocked in any way... but this, sorry, is caused by Adblock...

It's actually difficult to explain the situation, but I can try to record a GIF about it.

I will try to config again...
