HTTPS DNS Cloudflare not working

I have set up https-dns-proxy with Cloudflare, but for some reason it still shows me Google DNS servers on my dashboard.


root@OpenWrt:~# service log restart; service dnsmasq restart; service https-dns-proxy restart
udhcpc: started, v1.36.1
udhcpc: broadcasting discover
udhcpc: no lease, failing
Starting https-dns-proxy 2023.12.26-r2 instances ✓
Setting trigger for wan ✓✓
root@OpenWrt:~# logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: started, version 2.90 cachesize 150
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: DNS service limited to local subnets
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 6h
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5053
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5054
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: using only locally-known addresses for test
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: using only locally-known addresses for local
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: using only locally-known addresses for stbg.stanbicbank.co.zw
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: using only locally-known addresses for secnet.co.zw
Wed Feb 12 07:48:54 2025 daemon.info dnsmasq[1]: using 486079 more local addresses
Wed Feb 12 07:48:55 2025 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Wed Feb 12 07:48:55 2025 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 2 names
Wed Feb 12 07:48:55 2025 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      28779/dnsmasq
tcp        0      0 172.31.12.34:53         0.0.0.0:*               LISTEN      28779/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      28779/dnsmasq
tcp        0      0 fe80::ec53:5588:d487:8ef7:53 :::*                    LISTEN      28779/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      28779/dnsmasq
tcp        0      0 2001:df5:b00:93f::1:53  :::*                    LISTEN      28779/dnsmasq
tcp        0      0 fe80::a4b7:caff:feab:7ab8:53 :::*                    LISTEN      28779/dnsmasq
tcp        0      0 fe80::a4b7:caff:feab:7ab9:53 :::*                    LISTEN      28779/dnsmasq
tcp        0      0 fe80::b43b:d6ff:fe0c:5dce:53 :::*                    LISTEN      28779/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           28779/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           28779/dnsmasq
udp        0      0 172.31.12.34:53         0.0.0.0:*                           28779/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           28779/dnsmasq
udp        0      0 ::1:53                  :::*                                28779/dnsmasq
udp        0      0 fe80::a4b7:caff:feab:7ab8:53 :::*                                28779/dnsmasq
udp        0      0 2001:df5:b00:93f::1:53  :::*                                28779/dnsmasq
udp        0      0 fe80::a4b7:caff:feab:7ab9:53 :::*                                28779/dnsmasq
udp        0      0 fe80::b43b:d6ff:fe0c:5dce:53 :::*                                28779/dnsmasq
udp        0      0 fe80::ec53:5588:d487:8ef7:53 :::*                                28779/dnsmasq
root@OpenWrt:~# logread -e https-dns; netstat -l -n -p | grep -e https-dns
Wed Feb 12 07:48:53 2025 user.notice https-dns-proxy [28700]: Starting https-dns-proxy 2023.12.26-r2 instances ✓
Wed Feb 12 07:48:53 2025 user.notice https-dns-proxy [28700]: Setting trigger for wan ✓✓
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           28815/https-dns-pro
root@OpenWrt:~# pgrep -f -a dnsmasq; pgrep -f -a https-dns
28697 /sbin/ujail -t 5 -n dnsmasq -u -l -r /bin/ubus -r /etc/TZ -r /etc/dnsmasq.conf -r /etc/ethers -r /etc/group -r /etc/hosts -r /etc/passwd -w /tmp/dhcp.leases -r /tmp/dnsmasq.d -r /tmp/hosts -r /usr/bin/jshn -r /usr/lib/dnsmasq/dhcp-script.sh -r /usr/share/dnsmasq/dhcpbogushostname.conf -r /usr/share/dnsmasq/rfc6761.conf -r /usr/share/dnsmasq/trust-anchors.conf -r /usr/share/libubox/jshn.sh -r /var/etc/dnsmasq.conf.cfg01411c -w /var/run/dnsmasq/ -- /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
28779 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
28841 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
28815 /usr/sbin/https-dns-proxy -r https://cloudflare-dns.com/dns-query -a 127.0.0.1 -p 5053 -b 1.1.1.1,1.0.0.1 -4 -u nobody -g nogroup
root@OpenWrt:~# head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.ppp <==
nameserver 103.88.220.245
nameserver 103.88.221.245

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 192.168.1.1
# Interface wan
nameserver 8.8.8.8
nameserver 8.8.4.4
# Interface wan_6
root@OpenWrt:~# uci show dhcp; uci show https-dns-proxy
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
dhcp.@dnsmasq[0].sequential_ip='1'
dhcp.@dnsmasq[0].server='/mask.icloud.com/' '/mask-h2.icloud.com/' '/use-application-dns.net/' '127.0.0.1#5053' '127.0.0.1#5054'
dhcp.@dnsmasq[0].doh_backup_noresolv='-1'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].doh_backup_server='/mask.icloud.com/' '/mask-h2.icloud.com/' '/use-application-dns.net/' '127.0.0.1#5053' '127.0.0.1#5054'
dhcp.@dnsmasq[0].doh_server='127.0.0.1#5053'
dhcp.@dnsmasq[0].rebind_domain='plex.direct'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='6h'
dhcp.lan.dhcpv4='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.@host[0]=host
dhcp.@host[0].ip='192.168.1.104'
dhcp.@host[0].name='SonyTVX90L'
dhcp.@host[1]=host
dhcp.@host[1].name='Optiplex'
dhcp.@host[1].ip='192.168.1.111'
dhcp.@host[2]=host
dhcp.@host[2].name='ChromeCast-TV'
dhcp.@host[2].leasetime='3h'
https-dns-proxy.config=main
https-dns-proxy.config.canary_domains_icloud='1'
https-dns-proxy.config.canary_domains_mozilla='1'
https-dns-proxy.config.dnsmasq_config_update='*'
https-dns-proxy.config.force_dns='1'
https-dns-proxy.config.force_dns_port='53' '853'
https-dns-proxy.config.procd_trigger_wan6='0'
https-dns-proxy.@https-dns-proxy[0]=https-dns-proxy
https-dns-proxy.@https-dns-proxy[0].bootstrap_dns='1.1.1.1,1.0.0.1'
https-dns-proxy.@https-dns-proxy[0].resolver_url='https://cloudflare-dns.com/dns-query'
https-dns-proxy.@https-dns-proxy[0].listen_addr='127.0.0.1'
https-dns-proxy.@https-dns-proxy[0].listen_port='5053'
https-dns-proxy.@https-dns-proxy[0].user='nobody'
https-dns-proxy.@https-dns-proxy[0].group='nogroup'

It looks like https-dns-proxy is correctly set to use Cloudflare, but your WAN interface is set to use Google DNS.
Your network clients' DNS queries will go to the router on port 5053 (thus through the DNS proxy to Cloudflare 1.1.1.1 and 1.0.0.1).
When you do something directly from the router, though (software update, or anything via LuCI), your router would use Google.
Try changing the DNS on your WAN interface to use the alternate Cloudflare servers, 1.0.0.2 and 1.1.1.2, and retest. (Using those alternates will let you differentiate and see where they are set in your config files.)
Should look good then.

I have removed it from DHCP, but the router page does not show any DNS.

13714 /usr/sbin/https-dns-proxy -r https://cloudflare-dns.com/dns-query -a 127.0.0.1 -p 5053 -b 1.1.1.1,1.0.0.1 -4 -u nobody -g nogroup
root@OpenWrt:~# head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.ppp <==
nameserver 103.88.220.245
nameserver 103.88.221.245


==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan

Maybe because you have set Google DNS servers on the WAN interface?
However, they should not be used any more if https-dns-proxy is set up with default options, i.e. ignoring the resolv file which contains these Google DNS servers.
You can check under DHCP and DNS > Resolv and Hosts Files > Ignore resolv file
or

	option noresolv '1'

The router itself should also use dnsmasq, and dnsmasq only uses the two upstream servers from https-dns-proxy.

Bottom line: I do not know what "Dashboard" it is that shows your DNS servers, but maybe your Dashboard is wrong?


It's already ticked, but I'm not sure how my ISP DNS is coming up in
==> /tmp/resolv.conf.ppp <==
nameserver 103.88.220.245
nameserver 103.88.221.245

No DNS set in WAN.

LAN configured to use itself as DNS.

Is there a way I can reset everything and start fresh? I'm not that familiar with the commands; hopefully there is some reset script?

They come from your ISP, nothing strange. You can obviously override them, if you'd like, by unchecking the "Use DNS servers advertised by peer" box and providing your own DNS IPs.

https-dns-proxy is very outdated. Try SmartDNS. I used to use https-dns-proxy myself, but after upgrading to 24.10 this ancient piece of code just falls apart.

First, do not set any custom DNS servers, especially not the router itself.
Custom DNS servers are the upstream resolvers for dnsmasq; what you are doing is pointing dnsmasq to itself to resolve DNS, in essence creating a loop (luckily dnsmasq is smart enough not to use it).

The nameservers are probably due to your PPPoE interface. I do not use that, but maybe there is also a setting on the PPPoE interface to ignore it?

But even then, those nameservers are ignored by the settings as outlined in my earlier post.
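
The three checks raised in the replies above (Google set on the WAN, `noresolv '1'` making dnsmasq ignore the resolv file, and the LAN entry that points dnsmasq back at the router itself) can be reproduced offline with the following added shell script. It is not code from this thread or from the https-dns-proxy package. Its inputs are constructed from the `uci show dhcp` and `resolv.conf.auto` values posted earlier, and the `loop` / `encrypted` / `plaintext` labels are this example's own classification, not something dnsmasq reports.

```shell
#!/bin/sh
# Added example: an offline audit of which upstream resolvers dnsmasq would
# actually forward to, given the settings visible in this thread. All inputs
# are constructed from the values posted above; on a real router you would feed
# in `uci get dhcp.@dnsmasq[0].server`, `uci get dhcp.@dnsmasq[0].noresolv`
# and /tmp/resolv.conf.d/resolv.conf.auto instead.

# dhcp.@dnsmasq[0].server from the thread. An entry of the form /domain/ with no
# address tells dnsmasq to answer that domain only from local data and never
# forward it (this is how https-dns-proxy's canary domains are handled); the
# remaining entries are real upstreams.
DNSMASQ_SERVERS='/mask.icloud.com/ /mask-h2.icloud.com/ /use-application-dns.net/ 127.0.0.1#5053 127.0.0.1#5054'

# /tmp/resolv.conf.d/resolv.conf.auto as netifd wrote it in the first post:
# the LAN entry points at the router itself, the WAN entry at Google.
RESOLV_AUTO='# Interface lan
nameserver 192.168.1.1
# Interface wan
nameserver 8.8.8.8
nameserver 8.8.4.4
# Interface wan_6'

ROUTER_LAN_IP='192.168.1.1'

# effective_upstreams NORESOLV
# Prints, one per line, the upstreams dnsmasq forwards to: the explicit
# server= entries, plus the resolv file entries unless noresolv is 1.
effective_upstreams() {
    _noresolv=$1
    for _s in $DNSMASQ_SERVERS; do
        case $_s in
            /*/) ;;                    # domain-only entry: answered locally, never forwarded
            *)   printf '%s\n' "$_s" ;;
        esac
    done
    if [ "$_noresolv" != 1 ]; then
        printf '%s\n' "$RESOLV_AUTO" | awk '$1 == "nameserver" { print $2 }'
    fi
}

# classify_upstream ADDR[#PORT]
#   loop      - the router's own LAN address: dnsmasq would forward to itself
#   encrypted - a loopback stub such as https-dns-proxy on 127.0.0.1#5053
#   plaintext - anything else: a classic UDP/53 resolver, i.e. a DNS leak
classify_upstream() {
    case $1 in
        "$ROUTER_LAN_IP"|"$ROUTER_LAN_IP#"*) echo loop ;;
        127.0.0.1#*|'[::1]#'*)               echo encrypted ;;
        *)                                   echo plaintext ;;
    esac
}

# audit NORESOLV
# Prints "<upstream> <class>" for every effective upstream; returns 1 if any
# of them is a loop or a plaintext resolver, 0 if only encrypted stubs remain.
audit() {
    _rc=0
    for _u in $(effective_upstreams "$1"); do
        _c=$(classify_upstream "$_u")
        printf '%-16s %s\n' "$_u" "$_c"
        [ "$_c" = encrypted ] || _rc=1
    done
    return $_rc
}

# Compare the two settings discussed in the thread: with noresolv='1' (the
# OP's config) only the proxy stubs remain; without it Google and the router's
# own address would be used as well.
echo '== noresolv=1 =='; audit 1
echo '== noresolv=0 =='; audit 0 || echo 'leak or loop detected'
```

With `noresolv='1'` the script lists only `127.0.0.1#5053` and `127.0.0.1#5054`; with `noresolv` unset it also lists `192.168.1.1` (loop) and the two Google addresses (plaintext). Two caveats from the thread's own output: the `netstat` listing shows a single https-dns-proxy instance listening, on 5053 only, so the 5054 entry is dead and dnsmasq will just mark it unresponsive; and this script only reads configuration, so the authoritative answer for what dnsmasq uses at runtime is the `using nameserver` lines from `logread -e dnsmasq`.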

SmartDNS is also 5x bigger on flash, which is a lot if you've got an 8 MB flash device.


I disagree, there was even an update in the last two days.

Of course there were; I myself took part in it as a person reporting these errors and testing. But it doesn't make sense. It's sticking old code together with glue and tape. Just another kernel/package change and there will be problems again (as was the case with 24.10). This is IT: if you don't go forward, you go backward. It doesn't make sense to hold on to old solutions from a decade ago when there are new and working ones.

BTW: setting CF in SmartDNS is very simple:

Tbh I'm getting lost :joy:

dnsleaktest and other DNSSEC tests pass; is there anything I need to check?

It's more complicated than that. In order for the testers to work, you must use the tester of the exact DNS provider you have set up in DNS. And if you have several, they probably switch (depending on the ping or the load), and then basically no tester will show you the correct result, or it will show results completely randomly. It additionally matters whether you use DNSCrypt, DoH or DoT (they are different; I don't know which one you use).

I know SmartDNS; I implemented it for DD-WRT, as there was no https-dns-proxy for DD-WRT, but for my OpenWrt routers I use https-dns-proxy, which is easy to set up, works out of the box and is lightweight.

But if you prefer SmartDNS then no problem.

It does not seem that the OP's problems are with https-dns-proxy but with the setup and with interpreting his Status view.

I have DNSCrypt running along with https-dns-proxy.

I'll need to read about SmartDNS.

Here it doesn't matter what I prefer, here it matters what works flawlessly according to the standards of the year 2025. I repeat, for years I used https-dns-proxy and there were no problems, but time is passing and you can't pretend that nothing is changing.

Does CF support DNSCrypt???

I am not sure, I see only DoH and DoT on their page...

It looks like you are overcomplicating things :frowning:

Please advise on how I should proceed. If I use Cloudflare DNS, then is DNSCrypt not required? Also, does SmartDNS offer similar functionality?

These are different protocols. Currently you can use DNSCrypt, DoH, DoT and QUIC. But not every provider and DNS server supports all of them. They all encrypt DNS traffic, but in different ways.