Https-dns-proxy canary domain persistence

I thought you were trolling me, that's why I said so. Didn't mean to offend you. In general, my problem is more global and the probability of a solution, as I understand it, will not be positive. There is no way to change the provider, so I set the https-dns service to restart every 15 minutes. The restart is long, about 10-15 seconds.

OK... what I was trying to determine is what your definition of "long" is, in terms of absolutes.

Mine takes 13.5 seconds to fully restart, but I've never known it to be shorter.

What's your need to restart it? (And this may be better served in a different thread, as it's utterly unrelated to the canary topic.)

I don't need to restart it at all, I need it to work fine :slight_smile:
The OpenWrt router is connected to another router, and when the WAN IP address changes on the first router, https-dns-proxy stops working; that's the whole problem.
The WAN IP address is provided by the ISP and may change at any time. For example, if you restart the first router, the IP address issued by the provider will change.
And so on ad infinitum.
At the moment the IP address that the provider issues changes, https-dns-proxy stops working at all, until you restart this service or restart the router.
In general, the Internet stops working, since https-dns-proxy does not work.
In theory, https-dns-proxy should be bound to the LAN gateway, but based on the fact that it stops working, I assumed that it is bound to the IP address that the provider issues on the first router. After the provider-issued IP address on the first router changes, https-dns-proxy continues to use the old IP address that no longer exists. This is my guess, but this is how I see the picture.
And the joke is that in the network settings (br-lan), the LAN gateway cannot be changed; it lives its own life :slight_smile:
I have been struggling with this problem for 2 years, ever since I started to learn OpenWrt, and I continue to struggle, but the result is zero. If the developers themselves do not know how to solve this problem, then I definitely will never solve it myself; this is called walking in a vicious circle.

If you remove https-dns-proxy, then everything works fine, but I like this program and I don't want to remove it.
Without https-dns-proxy the whole point of the OpenWrt firmware is lost for me.

Well, you have a few choices, I guess.

https-dns-proxy is far from the only one out there, it just happens to be the easiest to set up and get working out of the box. If you're comfortable with CLI and config file editing, there's cloudflared and dnscrypt-proxy2, both of which are available in OpenWRT and both of which I've had working in the past. Things like forcing DNS requests through them and canary domains are also possible with clever firewall and dnsmasq rules, just like https-dns-proxy.

Second, you can run any DoH/DoT proxy you like on something other than OpenWRT and just point your clients at that, though being double-NATted, it's not likely to work any better than running directly on the router if that is indeed the reason things are failing.

Next, you might want to work with your ISP to understand why they are dropping your lease and changing your IP address so regularly. That is NOT normal under general operation, the lease should only fail to renew and provide a different IP if you are disconnected for a considerable period of time.

Finally, unless there's some obstacle preventing it, I'd strongly advise NOT doing double NAT, putting the upstream router in bridge mode and letting OpenWRT act as the primary/edge router. It prevents a LOT of issues (like double NAT, having to maintain two sets of firewalls for the same thing, broken connections like you're experiencing, reduced throughput and higher latency, etc.) and is generally the recommended way to go.

dnscrypt-proxy2 is too heavy.
luci-app-https-dns-proxy is the only option.

I noticed that if the log is disabled, then https-dns-proxy stops working.

Please do not post your issues/questions in the threads started to address other peoples' specific issue/question.

Also, in the future/other threads please be as detailed in your posts as possible. When I asked you to elaborate on your specific setup, you've replied with "yes". The earlier post also misses critical information for anyone who may want to help you. Generally speaking, you need to describe the steps you take, detailing what/how/and where you did at each step, what you expected to happen and what actually happened (as in -- output in the console, messages in the log, etc.).

I got it, sorry if it's wrong.

Please tell me how to change the "Optional polling interval of DNS servers"?
I would like to disable it altogether or set it to at least 3600,
but it would be better to disable it altogether;
it constantly keeps a connection on port 53, in fact, without breaking the connection at all.

Is it possible to add additional manual adjustment settings to the program, so that everyone can customize it as they want?

I'm not quite sure what you're referring to by 'polling interval'.

Standard DNS uses UDP packets for request and response, and the connection is (obviously) not persistent.

DoH uses a persistent TCP connection for speed of response, otherwise a new SSL connection would need to be established with handshake on every individual DNS request, which would be FAR too costly to be practical and result in EXTREMELY high DNS response latency.

I used to use Simple DNSCrypt on my computer and watched how the program works; all requests go through HTTPS,
there were no regular UDP packets on port 53 and everything worked very quickly. I think you can probably configure it here too.

That's not what I'm talking about - DNSCrypt persists its connection just like https-dns-proxy, and for the same reason - otherwise latency would make it practically unusable.

Perhaps I don't fully understand how it works, but at least pull the DoH servers out of it; there are at least twice as many of them.

You can disable or change any of the services that you like via LuCI or /etc/config/https-dns-proxy. I'm truly lost now as to what exactly you want or are trying to achieve.

Hi,

In /etc/config/https-dns-proxy under config https-dns-proxy put in:

option polling_interval '3600'

3600 is currently the hardcoded maximum allowed. I too think the default 2 min polling interval is too short. It re-establishes the connection every 2 minutes which is an unneeded latency and CPU cycle cost.

That's also the key refresh cycle. The longer you make it, the more likely your connection is to be compromised, which rather negates the point of DoH in the first place.

Given one of the guy's problems is that he's double-NATted and https-dns-proxy is gloriously unaware when his upstream connection is broken by his ISP constantly switching public IPs on him, increasing the polling interval is only going to make (his) bad problem worse.

I'm pretty sure the polling_interval needs to be set for each instance, not in the config section.

It does nothing in config main 'config'
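A check for the two points made in the posts above (the option is written as `option polling_interval '3600'`, and it has to go into each `config https-dns-proxy` instance section, not under `config main 'config'`), as an added example that is not code from this thread or from the https-dns-proxy package: a POSIX shell script that reads a UCI-style /etc/config/https-dns-proxy and reports the effective polling interval for every instance, warning when the option sits in the main section where it does nothing. The 120-second figure used for an unset option is taken from the "2 min" default quoted above and is an assumption; the config embedded in the script is constructed for the demo, not copied from any router.

```shell
#!/bin/sh
# audit_polling.sh: report the effective polling_interval for every
# https-dns-proxy instance in a UCI config file.
# Added example for this thread, not part of the https-dns-proxy package.
# Assumptions not from the thread: an unset polling_interval means the
# default of 120 s (the "2 min" default mentioned above), and the sample
# config in sample_config() is constructed for the demo.

# Usage: audit_polling /etc/config/https-dns-proxy
# Prints one line per "config https-dns-proxy" section:
#   <uci-section-name> <polling_interval|120(default)> <resolver_url>
# and a WARNING line if polling_interval sits in "config main 'config'",
# where (as noted in the thread) it has no effect.
audit_polling() {
    awk -v q="'" '
    function flush() {
        if (sec == "https-dns-proxy")
            printf "%s %s %s\n", name, (pi == "" ? "120(default)" : pi), url
        else if (sec == "main" && pi != "")
            printf "WARNING: polling_interval in main section is ignored\n"
    }
    /^config[ \t]/ {
        flush()
        sec = $2
        name = $3; gsub(q, "", name)
        n = idx[sec]++
        if (name == "") name = "@" sec "[" n "]"   # uci-style anonymous name
        pi = ""; url = "-"
        next
    }
    /^[ \t]*option[ \t]/ {
        key = $2
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        gsub(q, "", val)
        if (key == "polling_interval") pi = val
        if (key == "resolver_url") url = val
    }
    END { flush() }
    ' "$1"
}

# Constructed sample: the option is placed in the main section (ignored),
# the first instance leaves it unset (default), the second sets it per instance.
sample_config() {
    cat <<'EOF'
config main 'config'
	option polling_interval '3600'

config https-dns-proxy
	option bootstrap_dns '1.1.1.1,1.0.0.1'
	option resolver_url 'https://cloudflare-dns.com/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5053'

config https-dns-proxy
	option bootstrap_dns '8.8.8.8,8.8.4.4'
	option resolver_url 'https://dns.google/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5054'
	option polling_interval '3600'
EOF
}

# Run the audit over the constructed sample (written to a temp file first).
audit_sample() {
    tmp=$(mktemp)
    sample_config > "$tmp"
    audit_polling "$tmp"
    rm -f "$tmp"
}

audit_sample
```

On a router, run `audit_polling /etc/config/https-dns-proxy` instead of the sample; every instance line showing `120(default)` is one that is still re-polling on the default schedule, and a WARNING line means the option was put in the wrong section, exactly the mistake discussed above.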
