How to get HTTP DNS Proxy working?

I am trying to configure HTTPS DNS Proxy (https-dns-proxy) for the first time. My knowledge of networking is basic.

What I have done to configure it through LuCI:

  • Deleted the Cloudflare and Google instances.
  • Added a Mullvad instance.
  • Selected the Mullvad option from the list of options.
  • Put Quad9's IP4 and IP6 addresses, separated by a comma, in the field for the bootstrap DNS.
  • Saved, applied, re-started.

I used a Cloudflare site (one.one.one.one something) to check for DNS over HTTPS. Cloudflare said that DNS over HTTPS was not being used.

And a DNS leak test showed that my ISP's DNS server is being used.

I have read the documentation and related discussions on the forum. I have not found information that would help me, maybe because I do not understand enough.

Troubleshooting results

service log restart; service dnsmasq restart; service https-dns-proxy restart
udhcpc: started, v1.37.0
udhcpc: broadcasting discover
udhcpc: no lease, failing
Starting https-dns-proxy 2026.03.18-r3 instances ✓
Updating notrack rules ✓
Setting trigger for wan ✓

logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq

Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: started, version 2.91 cachesize 1000
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: DNS service limited to local subnets
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth DNSSEC no-ID loop-detect inotify dumpfile
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Sat May 23 07:58:17 2026 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5054
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5053
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: using only locally-known addresses for test
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: using only locally-known addresses for local
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: using only locally-known addresses for zzzzzzzkplpllllpppllpppl.com
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: using only locally-known addresses for zzzzfzgzbz.com
Sat May 23 07:58:17 2026 daemon.info dnsmasq[1]: using 339921 more local addresses
Sat May 23 07:58:19 2026 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Sat May 23 07:58:19 2026 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names
Sat May 23 07:58:19 2026 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      28562/dnsmasq
tcp        0      0 104.166.245.132:53      0.0.0.0:*               LISTEN      28562/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      28562/dnsmasq
tcp        0      0 fd55:4a9b:b532::1:53    :::*                    LISTEN      28562/dnsmasq
tcp        0      0 2604:2d80:c004:0:5582:d679:1a99:b36c:53 :::*                    LISTEN      28562/dnsmasq
tcp        0      0 2604:2d80:d585:e100::1:53 :::*                    LISTEN      28562/dnsmasq
tcp        0      0 fe80::82af:caff:fe55:5d67:53 :::*                    LISTEN      28562/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      28562/dnsmasq
tcp        0      0 fe80::82af:caff:fe55:5d66:53 :::*                    LISTEN      28562/dnsmasq
tcp        0      0 fe80::82af:caff:fe55:5d66:53 :::*                    LISTEN      28562/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           28562/dnsmasq
udp        0      0 104.166.245.132:53      0.0.0.0:*                           28562/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           28562/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           28562/dnsmasq
udp        0      0 ::1:53                  :::*                                28562/dnsmasq
udp        0      0 fe80::82af:caff:fe55:5d66:53 :::*                                28562/dnsmasq
udp        0      0 2604:2d80:c004:0:5582:d679:1a99:b36c:53 :::*                                28562/dnsmasq
udp        0      0 fe80::82af:caff:fe55:5d67:53 :::*                                28562/dnsmasq
udp        0      0 2604:2d80:d585:e100::1:53 :::*                                28562/dnsmasq
udp        0      0 fd55:4a9b:b532::1:53    :::*                                28562/dnsmasq
udp        0      0 fe80::82af:caff:fe55:5d66:53 :::*                                28562/dnsmasq

logread -e https-dns; netstat -l -n -p | grep -e https-dns

Sat May 23 07:58:17 2026 user.notice https-dns-proxy [28523]: Starting https-dns-proxy 2026.03.18-r3 instances ✓
Sat May 23 07:58:17 2026 user.notice https-dns-proxy [28523]: Updating notrack rules ✓
Sat May 23 07:58:17 2026 user.notice https-dns-proxy [28523]: Setting trigger for wan ✓
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      26711/https-dns-pro
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           26711/https-dns-pro

pgrep -f -a dnsmasq; pgrep -f -a https-dns

28519 /sbin/ujail -t 5 -n dnsmasq -u -l -r /bin/busybox -r /bin/ubus -r /etc/TZ -r /etc/dnsmasq.conf -r /etc/ethers -r /etc/group -r /etc/hosts -r /etc/passwd -w /tmp/dhcp.leases -r /tmp/dnsmasq.cfg01411c.d -r /tmp/hosts -r /usr/bin/env -r /usr/bin/jshn -r /usr/lib/dnsmasq/dhcp-script.sh -r /usr/share/dnsmasq/dhcpbogushostname.conf -r /usr/share/dnsmasq/rfc6761.conf -r /usr/share/dnsmasq/trust-anchors.conf -r /usr/share/libubox/jshn.sh -r /var/etc/dnsmasq.conf.cfg01411c -r /var/run/adblock-lean/abl-blocklist.gz -w /var/run/dnsmasq/ -- /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
28562 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
26711 /usr/sbin/https-dns-proxy -r https://all.dns.mullvad.net/dns-query -p 5053 -b 9.9.9.9,149.112.112.112 -4 -u nobody -g nogroup

head -v -n -0 /etc/resolv. /tmp/resolv.* /tmp/resolv.*/**

==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 9.9.9.9
nameserver 149.112.112.112
# Interface wan6
nameserver 2620:fe::fe
nameserver 2620:fe::nine_o_clock:

uci show dhcp; uci show https-dns-proxy

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].addnmount='/bin/busybox' '/var/run/adblock-lean/abl-blocklist.gz'
dhcp.@dnsmasq[0].server='127.0.0.1#5054' '/mask.icloud.com/' '/mask-h2.icloud.com/' '/use-application-dns.net/' '127.0.0.1#5053'
dhcp.@dnsmasq[0].doh_backup_noresolv='-1'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].doh_backup_server='127.0.0.1#5054' '/mask.icloud.com/' '/mask-h2.icloud.com/' '/use-application-dns.net/' '127.0.0.1#5053'
dhcp.@dnsmasq[0].doh_server='127.0.0.1#5053'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/odhcpd.leases'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.odhcpd.piodir='/tmp/odhcpd-piodir'
dhcp.odhcpd.hostsdir='/tmp/hosts'
https-dns-proxy.config=main
https-dns-proxy.config.canary_domains_icloud='1'
https-dns-proxy.config.canary_domains_mozilla='1'
https-dns-proxy.config.dnsmasq_config_update='*'
https-dns-proxy.config.force_dns='1'
https-dns-proxy.config.notrack_dns='1'
https-dns-proxy.config.force_dns_port='53' '853'
https-dns-proxy.config.force_dns_src_interface='lan'
https-dns-proxy.config.procd_trigger_wan6='0'
https-dns-proxy.config.heartbeat_domain='heartbeat.melmac.ca'
https-dns-proxy.config.heartbeat_sleep_timeout='10'
https-dns-proxy.config.heartbeat_wait_timeout='10'
https-dns-proxy.config.user='nobody'
https-dns-proxy.config.group='nogroup'
https-dns-proxy.config.listen_addr='127.0.0.1'
https-dns-proxy.@https-dns-proxy[0]=https-dns-proxy
https-dns-proxy.@https-dns-proxy[0].resolver_url='https://all.dns.mullvad.net/dns-query'
https-dns-proxy.@https-dns-proxy[0].bootstrap_dns='9.9.9.9,149.112.112.112'

Many thanks for any help.

You don’t have a https-dns-proxy listening on port 5054 after deleting the defaults, so this should be removed.

Is this a typo?

Cloudflare test site won’t likely work for Mullvad DoH.

First, you need https-dns-proxy to listen on a port. Thus:

https-dns-proxy.@https-dns-proxy[0].listen_port='5053'

Second

dhcp.@dnsmasq[0].server='127.0.0.1#5054'......

dhcp.@dnsmasq[0].doh_backup_server='127.0.0.1#5054

Left, because you deleted second proxy

Both to be deleted as well. There is nobody listening there.

After applying the changes, reboot and pls provide

a) logread | grep dnsmasq #Should use 127.0.0.1:5053 as only upstream DNS now

b) ps | grep https-dns-proxy #Should be using mullvad

c) netstat -tulpn | grep 53 #Should also show https-dns-proxy listen on 5053

BTW: mullvad and quad9 both work for me, but (very) slow. cloudflare much faster.

Maybe the best approach is to restart from the beginning: flash your OpenWrt again with the standard image, install https-dns-proxy and check that it works with the standard config. Then change one proxy to Mullvad, verify ops, and finally delete the second proxy. How did you do that? In case there is a possibility in LuCI to do that (I never use LuCI), then there seems to be a bug, because of the leftovers in the configs.

Second that :+1:

and if it works make a backup so that you can always go back to a working config

Many thanks to each of you.

Re-starting from the beginning can be done in two ways: sysupgrade without keeping settings or kernel with minimal file system. Which should I use?

I assume just the kernel so that no optional packages are kept. Right?

Is this approach riskier? The router is a Cudy WR3000S v1 that needed an intermediate image from Cudy when first set up. I do not need that again, do I?

I don't know where "nine_o_clock" came from. "2620:fe::9" appears in the wan6 interface configuration. It is an IP6 address at Quad9.

I like the Mullvad DNS service because of the block lists. Blocking must take some time. I wonder if someone else's blocking is faster than Mullvad's. Adguard's?

I guess it came from typing the address manually? No matter.

Don’t do this yet. Just remove the extra entry and see where you stand.

uci del_list dhcp.@dnsmasq[0].server='127.0.0.1#5054'
uci commit dhcp
service dnsmasq restart

You're right, "no matter", but it is odd. Your screen image suggests that the text was changed when I pasted the configuration settings into the text box on the forum, but, of course, that should not happen. The only place that I have typed that address was in LuCI, and it is still correct there. Mystery.

Is it a problem that the response to this command includes this statement? —

udhcpc: no lease, failing

No, it’s checking to make sure there isn’t another dhcp server on the LAN before it starts dnsmasq. Very normal.

I have removed the port 5054 reference, assigned the Mullvad instance to port 5053, saved, applied, and re-started.

The router is still using my ISP's DNS server instead of Mullvad's and instead of the custom DNS at Quad9 that I have set.

Current configuration and logs

service log restart; service dnsmasq restart; service https-dns

udhcpc: started, v1.37.0
udhcpc: broadcasting discover
udhcpc: no lease, failing
Service "https-dns" not found:

logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq

Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: started, version 2.91 cachesize 1000
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: DNS service limited to local subnets
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth DNSSEC no-ID loop-detect inotify dumpfile
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Sat May 23 18:30:08 2026 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5053
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: using only locally-known addresses for test
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: using only locally-known addresses for local
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: using only locally-known addresses for zzzzzzzkplpllllpppllpppl.com
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: using only locally-known addresses for zzzzfzgzbz.com
Sat May 23 18:30:08 2026 daemon.info dnsmasq[1]: using 341846 more local addresses
Sat May 23 18:30:10 2026 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Sat May 23 18:30:10 2026 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names
Sat May 23 18:30:10 2026 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      6277/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      6277/dnsmasq
tcp        0      0 104.166.245.132:53      0.0.0.0:*               LISTEN      6277/dnsmasq
tcp        0      0 2604:2d80:d585:e100::1:53 :::*                    LISTEN      6277/dnsmasq
tcp        0      0 fe80::82af:caff:fe55:5d67:53 :::*                    LISTEN      6277/dnsmasq
tcp        0      0 fd55:4a9b:b532::1:53    :::*                    LISTEN      6277/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      6277/dnsmasq
tcp        0      0 fe80::82af:caff:fe55:5d66:53 :::*                    LISTEN      6277/dnsmasq
tcp        0      0 fe80::82af:caff:fe55:5d66:53 :::*                    LISTEN      6277/dnsmasq
tcp        0      0 2604:2d80:c004:0:5582:d679:1a99:b36c:53 :::*                    LISTEN      6277/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           6277/dnsmasq
udp        0      0 104.166.245.132:53      0.0.0.0:*                           6277/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           6277/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           6277/dnsmasq
udp        0      0 ::1:53                  :::*                                6277/dnsmasq
udp        0      0 fe80::82af:caff:fe55:5d66:53 :::*                                6277/dnsmasq
udp        0      0 2604:2d80:c004:0:5582:d679:1a99:b36c:53 :::*                                6277/dnsmasq
udp        0      0 fe80::82af:caff:fe55:5d67:53 :::*                                6277/dnsmasq
udp        0      0 2604:2d80:d585:e100::1:53 :::*                                6277/dnsmasq
udp        0      0 fd55:4a9b:b532::1:53    :::*                                6277/dnsmasq
udp        0      0 fe80::82af:caff:fe55:5d66:53 :::*                                6277/dnsmasq

logread -e https-dns; netstat -l -n -p | grep -e https-dns

tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      3295/https-dns-prox
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           3295/https-dns-prox

pgrep -f -a dnsmasq; pgrep -f -a https-dns

6259 /sbin/ujail -t 5 -n dnsmasq -u -l -r /bin/busybox -r /bin/ubus -r /etc/TZ -r /etc/dnsmasq.conf -r /etc/ethers -r /etc/group -r /etc/hosts -r /etc/passwd -w /tmp/dhcp.leases -r /tmp/dnsmasq.cfg01411c.d -r /tmp/hosts -r /usr/bin/env -r /usr/bin/jshn -r /usr/lib/dnsmasq/dhcp-script.sh -r /usr/share/dnsmasq/dhcpbogushostname.conf -r /usr/share/dnsmasq/rfc6761.conf -r /usr/share/dnsmasq/trust-anchors.conf -r /usr/share/libubox/jshn.sh -r /var/etc/dnsmasq.conf.cfg01411c -r /var/run/adblock-lean/abl-blocklist.gz -w /var/run/dnsmasq/ -- /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
6277 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
3295 /usr/sbin/https-dns-proxy -r https://all.dns.mullvad.net/dns-query -p 5053 -b 9.9.9.9,149.112.112.112 -4 -u nobody -g nogroup

head -v -n -0 /etc/resolv. /tmp/resolv.* /tmp/resolv.*/**

head: /etc/resolv.: No such file or directory

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 9.9.9.9
nameserver 149.112.112.112
# Interface wan6
nameserver 2620:fe::fe
nameserver 2620:fe::9

uci show dhcp; uci show https-dns-proxy

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].addnmount='/bin/busybox' '/var/run/adblock-lean/abl-blocklist.gz'
dhcp.@dnsmasq[0].server='/mask.icloud.com/' '/mask-h2.icloud.com/' '/use-application-dns.net/' '127.0.0.1#5053'
dhcp.@dnsmasq[0].doh_backup_noresolv='-1'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].doh_backup_server='/mask.icloud.com/' '/mask-h2.icloud.com/' '/use-application-dns.net/' '127.0.0.1#5053'
dhcp.@dnsmasq[0].doh_server='127.0.0.1#5053'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/odhcpd.leases'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.odhcpd.piodir='/tmp/odhcpd-piodir'
dhcp.odhcpd.hostsdir='/tmp/hosts'
https-dns-proxy.config=main
https-dns-proxy.config.canary_domains_icloud='1'
https-dns-proxy.config.canary_domains_mozilla='1'
https-dns-proxy.config.dnsmasq_config_update='*'
https-dns-proxy.config.force_dns='1'
https-dns-proxy.config.notrack_dns='1'
https-dns-proxy.config.force_dns_port='53' '853'
https-dns-proxy.config.force_dns_src_interface='lan'
https-dns-proxy.config.procd_trigger_wan6='0'
https-dns-proxy.config.heartbeat_domain='heartbeat.melmac.ca'
https-dns-proxy.config.heartbeat_sleep_timeout='10'
https-dns-proxy.config.heartbeat_wait_timeout='10'
https-dns-proxy.config.user='nobody'
https-dns-proxy.config.group='nogroup'
https-dns-proxy.config.listen_addr='127.0.0.1'
https-dns-proxy.@https-dns-proxy[0]=https-dns-proxy
https-dns-proxy.@https-dns-proxy[0].resolver_url='https://all.dns.mullvad.net/dns-query'
https-dns-proxy.@https-dns-proxy[0].bootstrap_dns='9.9.9.9,149.112.112.112'
https-dns-proxy.@https-dns-proxy[0].listen_port='5053'

Dave, yeah, that Quad9 IP6 address was at the end of a pasted block, so when I pressed return to add a line, auto-correct intervened and changed the "9" to "nine o-clock".

What does not look right now?

Is this important? —

head: /tmp/resolv.conf.d: I/O error

Should I start from scratch?

Even when I stop and disable https-dns-proxy, the router uses my ISP's DNS server instead of Quad9's. I've gone backwards. :frowning:

I don’t see why it wouldn’t be working. Try these commands from the router over ssh:

nslookup openwrt.org 127.0.0.1:5053
nslookup openwrt.org 127.0.0.1:53
nslookup openwrt.org

What test are you using to determine “ISP DNS”?

I don't want my ISP's DNS server being used, so I decided to simplify and fix that problem. I removed https-dns-proxy, re-started the router, and followed the directions here for adding a custom DNS server (even though the directions would only delete my custom DNS settings and set them again):

So I cannot run your nslookup commands.

And my custom DNS server at Quad9 is still not being used.

Dave, I appreciate all your effort to help. Could you help me with the custom DNS server too?

Let’s see the relevant config files after the changes.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you!

ubus call system board

	"kernel": "6.12.85",
	"hostname": "Kindness",
	"system": "ARMv8 Processor rev 4",
	"model": "Cudy WR3000S v1",
	"board_name": "cudy,wr3000s-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.3",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32912-6639b15f62",
		"target": "mediatek/filogic",
		"description": "OpenWrt 25.12.3 r32912-6639b15f62",
		"builddate": "1777933845"

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix [redacted]
	option packet_steering '0'
	option dhcp_default_duid '00047c24256b052a46918529f6c125b1f647'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option multipath 'off'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option peerdns '0'
	list dns '2620:fe::fe'
	list dns '2620:fe::9'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list addnmount '/bin/busybox'
	list addnmount '/var/run/adblock-lean/abl-blocklist.gz'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Check from the router ssh session if Quad9 is being used. This should return do53-udp.

nslookup -type=TXT proto.on.quad9.net.

It does return do53-udp.

And the leak test on my client still says that the ISP is being used.

So the router knows about Quad9, but the clients are not using it? Does a setting have to be changed in the lan interface?