Https-dns-proxy local proxy not working

Hi,

hopefully someone can help me with this.
I just upgraded my router (Archer C7 v5) to OpenWrt 23.05.5, made a basic setup and installed https-dns-proxy with the LuCI package. But there seems to be a problem somewhere with the default setup which I'm unable to locate.

Just a small rundown of my basic changes if they might be important.

I upgraded using the prebuilt 23.05.5 sysupgrade for my router without transferring the previous config, so fresh start.
Removed wpad-basic and installed wpad-wolfssl & wpa-cli
As well as my own LuCI module which has a dependency on openssl-util
This is needed since I'm running this in an eduroam network and authenticate with an easyroam certificate.
And I upgraded packages for which updates were available.

Also changed the IP range to 172.21.4.1/24 (via luci for the lan interface)
wpa_supplicant is running for authentication on eduroam with the certificate.

I followed the DoH with Dnsmasq and https-dns-proxy guide.
curl was also installed to have HTTP/2 support, though it didn't change anything. (Following results are with curl installed.)

Following is the output from the Troubleshooting part:

root@router:~# service log restart; service dnsmasq restart; service https-dns-proxy restart
udhcpc: started, v1.36.1
udhcpc: broadcasting discover
udhcpc: no lease, failing
Starting https-dns-proxy 2023.12.26-1 instances ✓✓
root@router:~# dig @127.0.0.1 -p 5053 openwrt.org
;; communications error to 127.0.0.1#5053: timed out
;; communications error to 127.0.0.1#5053: timed out
;; communications error to 127.0.0.1#5053: timed out

; <<>> DiG 9.18.32 <<>> @127.0.0.1 -p 5053 openwrt.org
; (1 server found)
;; global options: +cmd
;; no servers could be reached
root@router:~# dig @127.0.0.1 -p 5054 openwrt.org
;; communications error to 127.0.0.1#5054: timed out
;; communications error to 127.0.0.1#5054: timed out
;; communications error to 127.0.0.1#5054: timed out

; <<>> DiG 9.18.32 <<>> @127.0.0.1 -p 5054 openwrt.org
; (1 server found)
;; global options: +cmd
;; no servers could be reached
root@router:~# logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: started, version 2.90 cachesize 1000
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: DNS service limited to local subnets
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 172.21.4.100 -- 172.21.4.249, lease time 12h
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5053
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5054
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: using only locally-known addresses for test
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: using only locally-known addresses for local
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: using only locally-known addresses for use-application-dns.net
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: using only locally-known addresses for mask-h2.icloud.com
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: using 2 more local addresses
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 names
Sat Jan 18 22:15:20 2025 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      7902/dnsmasq
tcp        0      0 10.3.0.73:53            0.0.0.0:*               LISTEN      7902/dnsmasq
tcp        0      0 172.21.4.1:53           0.0.0.0:*               LISTEN      7902/dnsmasq
tcp        0      0 fe80::2aee:52ff:fe62:b281:53 :::*                    LISTEN      7902/dnsmasq
tcp        0      0 fe80::2aee:52ff:fe62:b281:53 :::*                    LISTEN      7902/dnsmasq
tcp        0      0 fe80::2aee:52ff:fe62:b282:53 :::*                    LISTEN      7902/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      7902/dnsmasq
tcp        0      0 fdaf:543c:3192::1:53    :::*                    LISTEN      7902/dnsmasq
udp        0      0 0.0.0.0:37387           0.0.0.0:*                           7902/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           7902/dnsmasq
udp        0      0 172.21.4.1:53           0.0.0.0:*                           7902/dnsmasq
udp        0      0 10.3.0.73:53            0.0.0.0:*                           7902/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           7902/dnsmasq
udp        0      0 0.0.0.0:40049           0.0.0.0:*                           7902/dnsmasq
udp        0      0 ::1:53                  :::*                                7902/dnsmasq
udp        0      0 fe80::2aee:52ff:fe62:b281:53 :::*                                7902/dnsmasq
udp        0      0 fdaf:543c:3192::1:53    :::*                                7902/dnsmasq
udp        0      0 fe80::2aee:52ff:fe62:b281:53 :::*                                7902/dnsmasq
udp        0      0 fe80::2aee:52ff:fe62:b282:53 :::*                                7902/dnsmasq
root@router:~# logread -e https-dns; netstat -l -n -p | grep -e https-dns
Sat Jan 18 22:15:21 2025 user.notice https-dns-proxy: Starting service instances ✓✓
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           8031/https-dns-prox
udp        0      0 127.0.0.1:5054          0.0.0.0:*                           8032/https-dns-prox
root@router:~# pgrep -f -a dnsmasq; pgrep -f -a https-dns
7898 /sbin/ujail -t 5 -n dnsmasq -u -l -r /bin/ubus -r /etc/TZ -r /etc/dnsmasq.conf -r /etc/ethers -r /etc/group -r /etc/hosts -r /etc/passwd -w /tmp/dhcp.leases -r /tmp/dnsmasq.d -r /tmp/hosts -r /usr/bin/jshn -r /usr/lib/dnsmasq/dhcp-script.sh -r /usr/share/dnsmasq/dhcpbogushostname.conf -r /usr/share/dnsmasq/rfc6761.conf -r /usr/share/dnsmasq/trust-anchors.conf -r /usr/share/libubox/jshn.sh -r /var/etc/dnsmasq.conf.cfg01411c -w /var/run/dnsmasq/ -- /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
7902 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
8031 /usr/sbin/https-dns-proxy -r https://cloudflare-dns.com/dns-query -a 127.0.0.1 -p 5053 -b 1.1.1.1,1.0.0.1 -4 -u nobody -g nogroup
8032 /usr/sbin/https-dns-proxy -r https://dns.google/dns-query -a 127.0.0.1 -p 5054 -b 8.8.8.8,8.8.4.4 -4 -u nobody -g nogroup
root@router:~# head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver [**redacted** university ns]
nameserver  [**redacted** university ns2]
search [**redacted** university url]
root@router:~# uci show dhcp; uci show https-dns-proxy
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].filter_aaaa='0'
dhcp.@dnsmasq[0].filter_a='0'
dhcp.@dnsmasq[0].server='/mask.icloud.com/' '/mask-h2.icloud.com/' '/use-application-dns.net/' '127.0.0.1#5053' '127.0.0.1#5054'
dhcp.@dnsmasq[0].doh_backup_noresolv='-1'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].doh_backup_server='/mask.icloud.com/' '/mask-h2.icloud.com/' '/use-application-dns.net/' '127.0.0.1#5053' '127.0.0.1#5054'
dhcp.@dnsmasq[0].doh_server='127.0.0.1#5053' '127.0.0.1#5054'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
https-dns-proxy.config=main
https-dns-proxy.config.canary_domains_icloud='1'
https-dns-proxy.config.canary_domains_mozilla='1'
https-dns-proxy.config.dnsmasq_config_update='*'
https-dns-proxy.config.force_dns='1'
https-dns-proxy.config.force_dns_port='53' '853'
https-dns-proxy.config.procd_trigger_wan6='0'
https-dns-proxy.@https-dns-proxy[0]=https-dns-proxy
https-dns-proxy.@https-dns-proxy[0].bootstrap_dns='1.1.1.1,1.0.0.1'
https-dns-proxy.@https-dns-proxy[0].resolver_url='https://cloudflare-dns.com/dns-query'
https-dns-proxy.@https-dns-proxy[0].listen_addr='127.0.0.1'
https-dns-proxy.@https-dns-proxy[0].listen_port='5053'
https-dns-proxy.@https-dns-proxy[0].user='nobody'
https-dns-proxy.@https-dns-proxy[0].group='nogroup'
https-dns-proxy.@https-dns-proxy[1]=https-dns-proxy
https-dns-proxy.@https-dns-proxy[1].bootstrap_dns='8.8.8.8,8.8.4.4'
https-dns-proxy.@https-dns-proxy[1].resolver_url='https://dns.google/dns-query'
https-dns-proxy.@https-dns-proxy[1].listen_addr='127.0.0.1'
https-dns-proxy.@https-dns-proxy[1].listen_port='5054'
https-dns-proxy.@https-dns-proxy[1].user='nobody'
https-dns-proxy.@https-dns-proxy[1].group='nogroup'

I also did a run with dig while having dns logging enabled, though I did remove entries of dns requests made by my pc, so only the ones made with dig are shown:

root@router:~# service log restart; service dnsmasq restart; service https-dns-proxy restart
udhcpc: started, v1.36.1
udhcpc: broadcasting discover
udhcpc: no lease, failing
Command failed: Not found
Starting https-dns-proxy 2023.12.26-1 instances ✓✓
Updating dnsmasq config ✓
Restarting dnsmasq on_config_update ✓
root@router:~# dig @127.0.0.1 -p 5053 openwrt.org
;; communications error to 127.0.0.1#5053: timed out
;; communications error to 127.0.0.1#5053: timed out
;; communications error to 127.0.0.1#5053: timed out

; <<>> DiG 9.18.32 <<>> @127.0.0.1 -p 5053 openwrt.org
; (1 server found)
;; global options: +cmd
;; no servers could be reached
root@router:~# nslookup openwrt.org localhost
;; connection timed out; no servers could be reached

root@router:~# logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
Sat Jan 18 22:26:44 2025 daemon.info dnsmasq[1]: 11790 ::1/53944 query[A] openwrt.org from ::1
Sat Jan 18 22:26:44 2025 daemon.info dnsmasq[1]: 11790 ::1/53944 forwarded openwrt.org to 127.0.0.1#5053
Sat Jan 18 22:26:44 2025 daemon.info dnsmasq[1]: 11790 ::1/53944 forwarded openwrt.org to 127.0.0.1#5054
Sat Jan 18 22:26:44 2025 daemon.info dnsmasq[1]: 11791 ::1/53944 query[AAAA] openwrt.org from ::1
Sat Jan 18 22:26:44 2025 daemon.info dnsmasq[1]: 11791 ::1/53944 forwarded openwrt.org to 127.0.0.1#5053
Sat Jan 18 22:26:44 2025 daemon.info dnsmasq[1]: 11791 ::1/53944 forwarded openwrt.org to 127.0.0.1#5054
Sat Jan 18 22:26:46 2025 daemon.info dnsmasq[1]: 15406 ::1/53944 query[A] openwrt.org from ::1
Sat Jan 18 22:26:46 2025 daemon.info dnsmasq[1]: 15406 ::1/53944 forwarded openwrt.org to 127.0.0.1#5053
Sat Jan 18 22:26:46 2025 daemon.info dnsmasq[1]: 15406 ::1/53944 forwarded openwrt.org to 127.0.0.1#5054
Sat Jan 18 22:26:46 2025 daemon.info dnsmasq[1]: 15407 ::1/53944 query[AAAA] openwrt.org from ::1
Sat Jan 18 22:26:46 2025 daemon.info dnsmasq[1]: 15407 ::1/53944 forwarded openwrt.org to 127.0.0.1#5053
Sat Jan 18 22:26:46 2025 daemon.info dnsmasq[1]: 15407 ::1/53944 forwarded openwrt.org to 127.0.0.1#5054
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      9753/dnsmasq
tcp        0      0 10.3.0.73:53            0.0.0.0:*               LISTEN      9753/dnsmasq
tcp        0      0 172.21.4.1:53           0.0.0.0:*               LISTEN      9753/dnsmasq
tcp        0      0 fe80::2aee:52ff:fe62:b281:53 :::*                    LISTEN      9753/dnsmasq
tcp        0      0 fe80::2aee:52ff:fe62:b281:53 :::*                    LISTEN      9753/dnsmasq
tcp        0      0 fe80::2aee:52ff:fe62:b282:53 :::*                    LISTEN      9753/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      9753/dnsmasq
tcp        0      0 fdaf:543c:3192::1:53    :::*                    LISTEN      9753/dnsmasq
udp        0      0 0.0.0.0:50384           0.0.0.0:*                           9753/dnsmasq
udp        0      0 0.0.0.0:33033           0.0.0.0:*                           9753/dnsmasq
udp        0      0 0.0.0.0:38683           0.0.0.0:*                           9753/dnsmasq
udp        0      0 0.0.0.0:56373           0.0.0.0:*                           9753/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           9753/dnsmasq
udp        0      0 172.21.4.1:53           0.0.0.0:*                           9753/dnsmasq
udp        0      0 10.3.0.73:53            0.0.0.0:*                           9753/dnsmasq
udp        0      0 0.0.0.0:40506           0.0.0.0:*                           9753/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           9753/dnsmasq
udp        0      0 ::1:53                  :::*                                9753/dnsmasq
udp        0      0 fe80::2aee:52ff:fe62:b281:53 :::*                                9753/dnsmasq
udp        0      0 fdaf:543c:3192::1:53    :::*                                9753/dnsmasq
udp        0      0 fe80::2aee:52ff:fe62:b281:53 :::*                                9753/dnsmasq
udp        0      0 fe80::2aee:52ff:fe62:b282:53 :::*                                9753/dnsmasq
root@router:~# logread -e https-dns; netstat -l -n -p | grep -e https-dns
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           9791/https-dns-prox
udp        0      0 127.0.0.1:5054          0.0.0.0:*                           9792/https-dns-prox
root@router:~# pgrep -f -a dnsmasq; pgrep -f -a https-dns
9748 /sbin/ujail -t 5 -n dnsmasq -u -l -r /bin/ubus -r /etc/TZ -r /etc/dnsmasq.conf -r /etc/ethers -r /etc/group -r /etc/hosts -r /etc/passwd -w /tmp/dhcp.leases -r /tmp/dnsmasq.d -r /tmp/hosts -r /usr/bin/jshn -r /usr/lib/dnsmasq/dhcp-script.sh -r /usr/share/dnsmasq/dhcpbogushostname.conf -r /usr/share/dnsmasq/rfc6761.conf -r /usr/share/dnsmasq/trust-anchors.conf -r /usr/share/libubox/jshn.sh -r /var/etc/dnsmasq.conf.cfg01411c -w /var/run/dnsmasq/ -- /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
9753 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
9791 /usr/sbin/https-dns-proxy -r https://cloudflare-dns.com/dns-query -a 127.0.0.1 -p 5053 -b 1.1.1.1,1.0.0.1 -4 -u nobody -g nogroup
9792 /usr/sbin/https-dns-proxy -r https://dns.google/dns-query -a 127.0.0.1 -p 5054 -b 8.8.8.8,8.8.4.4 -4 -u nobody -g nogroup

Sadly I don't have that much knowledge regarding networking and could not see anything wrong with the config; I could only figure out that the local proxies seem to run but aren't reachable for some reason.

Any help pointing out errors or potential steps to figure out the problem would be much appreciated.
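The output above shows both proxies listening on 127.0.0.1:5053/5054 and dnsmasq forwarding to them, yet every query times out, so the open question is whether the proxy processes can reach their upstream DoH resolvers at all. The following script is an added example (not part of the original post and not https-dns-proxy's own code): it speaks the same RFC 8484 POST exchange the proxy uses, directly to the resolver_url from the config, so a certificate error, a timeout or a valid answer points respectively at a wrong clock, a blocked path to the resolver on port 443, or a problem local to the proxy. The constructed SAMPLE_RESPONSE and the 203.0.113.7 address are assumptions made so the parser can be checked offline.

```python
import socket
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # resolver_url of proxy instance [0]
# Constructed sample reply for openwrt.org: one A record, 203.0.113.7 (a documentation
# address), so the parser can be exercised offline without touching the network.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + b"\x07openwrt\x03org\x00"
                   + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7]))

def build_query(name, qtype=1):
    """Wire-format query: ID 0 (RFC 8484 suggests it for caching), RD set, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    # Advance past a label sequence; a compression pointer (0xC0..) ends the name.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_answers(msg):
    """Return (rcode, [A/AAAA addresses]) from a wire-format DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return flags & 0x000F, addrs

def doh_lookup(name, url=DOH_URL, timeout=5):
    # A certificate-verify error here usually means the system clock is wrong;
    # a timeout means TCP/443 to the resolver is not reachable from this host.
    req = urllib.request.Request(url, data=build_query(name), headers={
        "content-type": "application/dns-message", "accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_answers(resp.read())

if __name__ == "__main__":
    print(doh_lookup("openwrt.org"))
```

Run it on the router (python3 package) or on a LAN host behind it; note that https-dns-proxy additionally resolves the resolver's hostname through the bootstrap servers given with -b (1.1.1.1/1.0.0.1 and 8.8.8.8/8.8.4.4 in the output above), so plain UDP/53 to those addresses must also be allowed by the upstream network, which campus networks sometimes restrict.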

That package is not present in default downloads, flash again, now with unmodified real deal.

You're right, my bad. I think it actually was wpad-basic-mbedtls if I remember right. Or at least one of the wpad-basic-* packages.

But the sysupgrade image was the prebuilt one for the Archer C7 v5.

What is written on the label of the device?
Mine has:

Archer C7 (EU) .... Ver:5.0

Default SSL framework is mbedtls, so best is to replace wpad-basic-mbedtls with wpad-mbedtls.

luci https-dns-proxy has various checkboxes to integrate in default setup, no need to follow lengthy guides, just click through to see if it is enabled in dnsmasq/forward and status/firewall

Exactly the same.
Since it's a fresh install the firewall is at default settings.
I basically only did the needed setup to get internet via eduroam.
Though I did change the local IP range (172.21.4.1/24), which wouldn't have been necessary but is my preferred setup.

Thanks for the note with wpad-mbedtls but sadly that isn't an option that supports what I need. I get a p12 cert package which gets unpacked with openssl and wpa_supplicant needs wpad-openssl or wolfssl to run. mbedtls doesn't work for that sadly.

Maybe with mbedtls and openssl packages installed it doesn't work, because forwarding under dnsmasq is showing the two proxies and the blocked canary domains.

That's it, DoH proxy is all set up.
Is your time correct?

Alright did a new test.
Flashed the router again and discarded all configs.
Used my pc as a bridge to enable internet access for the router on default config. Enabled wifi and installed curl and luci-app-https-dns-proxy (with that obv also https-dns-proxy automatically).

Same result as before. No answer from the proxy. Internet is available and time is correct.

Maybe I'm wrong in the assumption but when I flash the sysupgrade image and uncheck the checkbox for keeping configs I should have a completely clean setup right?