Hello,
i've just setup https-dns-proxy that automatically changes dnsmasq config file at each start, to use the local "fake" dns server and yes, this is working
Basically it adds - and removes - this config:
option noresolv '1'
option doh_backup_noresolv '-1'
list doh_backup_server ''
list server '127.0.0.1#5054'
list server '127.0.0.1#5053'
i can't understand the need for the noresolv option that seems also to create problems with local lookup of hostnames: i can't resolve any local name on the router itself
Can you help me understanding why it is needed? afaik this option should avoid reading resolvers from /Etc/resolv.conf, that is:
DNS encryption services including https-dns-proxy rely on split-DNS.
So, you'd best specify public resolvers as an upstream DNS provider for the local system.
hello,
sorry, i don't think i understood
my network already has upstream dns:
config interface 'wan'
option _orig_ifname 'eth0'
option _orig_bridge 'false'
option proto 'pppoe'
option ipv6 'auto'
option peerdns '0'
option device 'eth0'
list dns '8.8.8.8'
list dns '8.8.4.4'
option keepalive '3 5'
but i can't see how this should help in resolving local hostnames, so i assume i did not understood your suggestion
now my system is up and running without the noresolv option, am i at risk of a race condition?
Thanks
Restarting a router can make system time out of sync since there's typically no RTC.
This results in a deadlock for https-dns-proxy and sysntpd:
sysntpd cannot sync time because it needs to resolve the NTP domain.
https-dns-proxy cannot resolve the NTP domain because the system time is out of sync.
So, enabling split-DNS is the most efficient method to solve the race condition.
OpenWrt not using dnsmasq for the local system is a downside of this method.
Ok, so basically the idea is forcing the NTP lookup to go in any case on "plain" dns and the "localuse" should allow me to lookup local hostnames also with the noresolv option. Ok, i'll give a try.
I see the disclaimer "Beware of race condition with Adblock service when using DNS encryption" and obviously i have adblock, also in this case i can't see the race condition. Adblock is using dnsmasq to work, why should it have problems? i assume the download of lists (that need a name lookup) can easily happen after dnsmasq is up and running through https.. right?
thanks
If you enforce dnsmasq for the local system, all DNS queries are forwarded to https-dns-proxy.
However, it takes some time for https-dns-proxy to initialize at startup.
At the same time, Adblock fails to download the blocklists since https-dns-proxy is not ready yet.
I don't use Adblock at the moment, so I'm unsure if this has been fixed or not.
oh well, i already had the local backup of lists on my external HDD so this is not even a topic.. now i'm trying to understand the ntp point because:
it seems it works even if i do not specify the "exclusion" for the NTP server, but this seems strange because afaik a time is needed to check a SSL certificate..
if i add the exclusion, in any case https-dns-proxy is changing it to a "doh_backup_server" so, back again, i assume it is not used to resolve the ntp server name
Btw i'm still not sure i want to keep dns over https, but i wanted to make this work, and it seems it does!
thanks