Https-dns-proxy not working on latest snapshots/22.03.1

As to help:
I downgraded to 22.03.1. Only extra packages installed are (luci-)https-dns-proxy and luci-app-statistics.
https-dns-proxy is in standard setup (Cloudflare and Google) and running.

  1. I don't know how to test this. But "auc" and "opkg update" fail.
root@RT3200_Router:~# auc
auc/0.3.1-1
Server:    https://sysupgrade.openwrt.org
Running:   22.03.1 r19777-2853b6d652 on mediatek/mt7622 (linksys,e8450-ubi)
No data available (61)
root@RT3200_Router:~# opkg update
Downloading https://downloads.openwrt.org/releases/22.03.1/targets/mediatek/mt7622/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.1/targets/mediatek/mt7622/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/base/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/luci/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/routing/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/telephony/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/telephony/Packages.gz

Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.1/targets/mediatek/mt7622/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/base/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/luci/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/routing/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.1/packages/aarch64_cortex-a53/telephony/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

  2. What and where to set this parameter?
  3. Yes, I can see 2 instances (I edited the output and left only dnsmasq and dns-proxy).
/etc/config$ ubus call service list
{
	"dnsmasq": {
		"instances": {
			"cfg01411c": {
				"running": true,
				"pid": 10312,
				"command": [
					"/usr/sbin/dnsmasq",
					"-C",
					"/var/etc/dnsmasq.conf.cfg01411c",
					"-k",
					"-x",
					"/var/run/dnsmasq/dnsmasq.cfg01411c.pid"
				],
				"term_timeout": 5,
				"respawn": {
					"threshold": 3600,
					"timeout": 5,
					"retry": 5
				},
				"jail": {
					"name": "dnsmasq",
					"procfs": false,
					"sysfs": false,
					"ubus": true,
					"log": true,
					"ronly": false,
					"netns": false,
					"userns": false,
					"cgroupsns": false,
					"console": false
				},
				"mount": {
					"/bin/ubus": "0",
					"/etc/TZ": "0",
					"/etc/dnsmasq.conf": "0",
					"/etc/ethers": "0",
					"/etc/group": "0",
					"/etc/hosts": "0",
					"/etc/passwd": "0",
					"/tmp/dhcp.leases": "1",
					"/tmp/dnsmasq.d": "0",
					"/tmp/hosts": "0",
					"/usr/bin/jshn": "0",
					"/usr/lib/dnsmasq/dhcp-script.sh": "0",
					"/usr/share/dnsmasq/dhcpbogushostname.conf": "0",
					"/usr/share/dnsmasq/rfc6761.conf": "0",
					"/usr/share/dnsmasq/trust-anchors.conf": "0",
					"/usr/share/libubox/jshn.sh": "0",
					"/var/etc/dnsmasq.conf.cfg01411c": "0",
					"/var/run/dnsmasq/": "1"
				}
			}
		}
	},
	"https-dns-proxy": {
		"instances": {
			"instance1": {
				"running": true,
				"pid": 10354,
				"command": [
					"/usr/sbin/https-dns-proxy",
					"-r",
					"https://cloudflare-dns.com/dns-query",
					"-a",
					"127.0.0.1",
					"-p",
					"5054",
					"-b",
					"1.1.1.1,1.0.0.1",
					"-4",
					"-u",
					"nobody",
					"-g",
					"nogroup"
				],
				"term_timeout": 5,
				"data": {
					"firewall": [
						{
							"type": "redirect",
							"target": "DNAT",
							"src": "lan",
							"proto": "tcp udp",
							"src_dport": "53",
							"dest_port": "53",
							"reflection": false
						},
						{
							"type": "rule",
							"src": "lan",
							"dest": "*",
							"proto": "tcp udp",
							"dest_port": "853",
							"target": "REJECT"
						}
					]
				},
				"respawn": {
					"threshold": 3600,
					"timeout": 5,
					"retry": 5
				}
			},
			"instance2": {
				"running": true,
				"pid": 10355,
				"command": [
					"/usr/sbin/https-dns-proxy",
					"-r",
					"https://dns.google/dns-query",
					"-a",
					"127.0.0.1",
					"-p",
					"5053",
					"-b",
					"8.8.8.8,8.8.4.4",
					"-4",
					"-u",
					"nobody",
					"-g",
					"nogroup"
				],
				"term_timeout": 5,
				"respawn": {
					"threshold": 3600,
					"timeout": 5,
					"retry": 5
				}
			}
		}
	},
}
  4. I only see these two lines in the log:
Sun Oct 16 11:00:34 2022 user.notice https-dns-proxy: Starting service ✓✓
Sun Oct 16 11:00:40 2022 user.notice https-dns-proxy: Stopping service ✓
  5. I don't know exactly what you're asking. I have 2 RT3200. One as router, the other as AP/switch. Both are connected via copper. My computer is connected to the AP/switch. This is the Windows 11 (22H2) config of the network.
Link speed (Receive/Transmit):	1000/1000 (Mbps)
IPv6 address:	xxxx:xxxx:xxxx:xxxx::100
xxxx:xxxx:xxxx:xxxx:ddff:8547:8b01:2de0
xxxx:xxxx:xxxx::100
xxxx:xxxx:xxxx:0:5a15:32c9:612f:2c6c
Link-local IPv6 address:	xxx::xxxx:xxxx:120f:7e4e%11
IPv6 DNS servers:	xxxx:8e20:91a5::1 (Unencrypted)
IPv4 address:	192.168.1.100
IPv4 DNS servers:	192.168.1.1 (Unencrypted)
Primary DNS suffix:	lan
Manufacturer:	Intel
Description:	Intel(R) I211 Gigabit Network Connection
Driver version:	13.0.14.0
Physical address (MAC):	xx-xx-xx-xx-xx-xx

Please let me know if you need more tests.

My problem is on a Belkin RT3200 as well, maybe there's something specific to this device or a driver it uses that is tripping it up?

Not sure if there's anything in particular that's common between this and the other reported devices in this thread?

How exactly and what from?

One way is to run curl https://openwrt.org, but given the logs you have provided, it already looks like the installed libcurl doesn't support https requests. I don't know how you ended up with this issue.

It may be helpful if you provided the output of opkg list-installed.

  1. Yes
  2. In debug, it fills up the log REALLY fast, but I do see this repeated over and over and over and over and over:

Sun Oct 16 09:00:06 2022 daemon.info https-dns-proxy[5693]: [W] 1665925206.811833 https_client.c:351 7A96: curl request failed with 0: No error
Sun Oct 16 09:00:06 2022 daemon.info https-dns-proxy[5693]: [W] 1665925206.811839 https_client.c:353 7A96: curl error message: Error reading ca cert file F��� - mbedTLS: (- 0x3E00) PK - Read/write of file failed
Sun Oct 16 09:00:06 2022 daemon.info https-dns-proxy[5693]: [W] 1665925206.811843 https_client.c:380 7A96: No response (probably connection has been closed or timed out)
Sun Oct 16 09:00:06 2022 daemon.info https-dns-proxy[5693]: [D] 1665925206.811847 https_client.c:435 7A96: CURLINFO_NUM_CONNECTS: 1
Sun Oct 16 09:00:06 2022 daemon.info https-dns-proxy[5693]: [D] 1665925206.811849 https_client.c:447 7A96: CURLINFO_EFFECTIVE_URL: https://dns.google/dns-query
Sun Oct 16 09:00:06 2022 daemon.info https-dns-proxy[5693]: [D] 1665925206.811852 https_client.c:482 7A96: Times: 0.000064, 0.002606, 0.000000, 0.000000, 0.000000, 0.002715
Sun Oct 16 09:00:06 2022 daemon.info https-dns-proxy[5693]: [I] 1665925206.811862 https_client.c:504 7A96: Response was faulty, skipping DNS reply.
Sun Oct 16 09:00:06 2022 daemon.info https-dns-proxy[5693]: [D] 1665925206.811865 main.c:84 Received response for id: 7A96, len: 0
Sun Oct 16 09:00:06 2022 daemon.info https-dns-proxy[5693]: [D] 1665925206.811952 https_client.c:205 5E99: * Error reading ca cert file F��� - mbedTLS: (-0x3E00) PK - Read/ write of file failed
Sun Oct 16 09:00:06 2022 daemon.info https-dns-proxy[5693]: [D] 1665925206.811969 https_client.c:587 Released used io event: 0xffffcc08c0d0
Sun Oct 16 09:00:06 2022 daemon.info https-dns-proxy[5693]: [D] 1665925206.811991 https_client.c:112 curl closed socket: 9

which almost looks like a NULL pointer to the CA cert (which are installed).

  3. Yes (with the verbosity flag removed again):
   "https-dns-proxy": {
           "instances": {
                   "instance1": {
                           "running": true,
                           "pid": 6679,
                           "command": [
                                   "/usr/sbin/https-dns-proxy",
                                   "-r",
                                   "https://cloudflare-dns.com/dns-query",
                                   "-a",
                                   "127.0.0.1",
                                   "-p",
                                   "5054",
                                   "-b",
                                   "1.1.1.1,1.0.0.1",
                                   "-4",
                                   "-u",
                                   "nobody",
                                   "-g",
                                   "nogroup"
                           ],
                           "term_timeout": 5,
                           "data": {
                                   "firewall": [
                                           {
                                                   "type": "redirect",
                                                   "target": "DNAT",
                                                   "src": "lan",
                                                   "proto": "tcp udp",
                                                   "src_dport": "53",
                                                   "dest_port": "53",
                                                   "reflection": false
                                           },
                                           {
                                                   "type": "rule",
                                                   "src": "lan",
                                                   "dest": "*",
                                                   "proto": "tcp udp",
                                                   "dest_port": "853",
                                                   "target": "REJECT"
                                           }
                                   ]
                           },
                           "respawn": {
                                   "threshold": 3600,
                                   "timeout": 5,
                                   "retry": 5
                           }
                   },
                   "instance2": {
                           "running": true,
                           "pid": 6680,
                           "command": [
                                   "/usr/sbin/https-dns-proxy",
                                   "-r",
                                   "https://dns.google/dns-query",
                                   "-a",
                                   "127.0.0.1",
                                   "-p",
                                   "5053",
                                   "-b",
                                   "8.8.8.8,8.8.4.4",
                                   "-4",
                                   "-u",
                                   "nobody",
                                   "-g",
                                   "nogroup"
                           ],
                           "term_timeout": 5,
                           "respawn": {
                                   "threshold": 3600,
                                   "timeout": 5,
                                   "retry": 5
                           }
                   }
           }
   },
  4. Without verbose logging, it's pretty quiet:

Sun Oct 16 09:10:52 2022 user.notice https-dns-proxy: Starting service ✓✓
Sun Oct 16 09:11:04 2022 user.notice https-dns-proxy: Stopping service ✓

  5. Tried from both servers with static IPs and DHCP clients, both on the same subnet as the router.

This is a bug in the upstream package which was fixed about 20 hours ago: CURL stopped working for https after latest woflssl patch (21.02) - #50 by stangri

Thanks much! Will install the fixed package as soon as it reaches main and retest.

A workaround for anyone having the problem:

  • Add the following to /etc/config/https-dns-proxy under each 'config https-dns-proxy' stanza (that's a tab in front, NOT spaces!):
   option ca_certs_file '/etc/ssl/certs/ca-certificates.crt'
  • Restart https-dns-proxy via LuCI or '/etc/init.d/https-dns-proxy restart' from the command line

EDIT: A previous version of this workaround suggested explicitly installing the ca-certificates package. This is NOT necessary. ca-bundle, as required by https-dns-proxy, is sufficient.
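The workaround above applied from a script, as an added example that is not part of this thread or of the https-dns-proxy project: it inserts the tab-indented ca_certs_file option into every 'config https-dns-proxy' stanza that lacks one, leaves other stanzas alone, and is safe to run twice. The sample config it demonstrates on is constructed here; its option names mirror the -r, -b, -a and -p flags shown in the service listing earlier in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from https-dns-proxy.
# Assumes: awk, grep, mktemp. The sample config is constructed for the demo.

# Insert "<tab>option ca_certs_file '<bundle>'" into each https-dns-proxy stanza of
# UCI file $1 that does not already carry one. Stanzas of other types are untouched.
add_ca_certs_file() {
    cfg=$1
    bundle=${2:-/etc/ssl/certs/ca-certificates.crt}
    tmp="$cfg.tmp.$$"
    # awk -v expands \t, so optline starts with a real tab as the workaround requires
    awk -v optline="\toption ca_certs_file '$bundle'" '
        function flush(    i) {
            if (n == 0) return
            print buf[1]
            if (target && !seen) print optline
            for (i = 2; i <= n; i++) print buf[i]
            n = 0; target = 0; seen = 0
        }
        /^config[ \t]/ { flush(); target = ($2 == "https-dns-proxy") }
        /^[ \t]*option[ \t]+ca_certs_file([ \t]|$)/ { seen = 1 }
        { buf[++n] = $0 }
        END { flush() }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# How many stanzas in $1 now pin the CA bundle.
count_ca_certs_option() {
    grep -c '^[[:space:]]*option[[:space:]]*ca_certs_file' "$1" || true
}

# Constructed sample /etc/config/https-dns-proxy: a 'main' stanza and two resolver
# stanzas, the second already carrying the option so the idempotence path is exercised.
make_sample_config() {
    printf "config main 'config'\n\toption force_dns '1'\n\n" > "$1"
    printf "config https-dns-proxy\n\toption resolver_url 'https://cloudflare-dns.com/dns-query'\n\toption bootstrap_dns '1.1.1.1,1.0.0.1'\n\toption listen_addr '127.0.0.1'\n\toption listen_port '5054'\n\n" >> "$1"
    printf "config https-dns-proxy\n\toption resolver_url 'https://dns.google/dns-query'\n\toption bootstrap_dns '8.8.8.8,8.8.4.4'\n\toption listen_addr '127.0.0.1'\n\toption listen_port '5053'\n\toption ca_certs_file '/etc/ssl/certs/ca-certificates.crt'\n" >> "$1"
}

# Offline demonstration on the constructed file.
demo=$(mktemp)
make_sample_config "$demo"
add_ca_certs_file "$demo"
echo "stanzas pinning the CA bundle: $(count_ca_certs_option "$demo")"   # 2
cat "$demo"
rm -f "$demo"
# On the router:
#   add_ca_certs_file /etc/config/https-dns-proxy && /etc/init.d/https-dns-proxy restart
```

Running it a second time changes nothing, so it can be kept in a post-upgrade script until the fixed package is installed; afterwards the option is harmless, as noted later in this thread.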


That's done the trick for me, thank you!

This worked. Thank you!

Check, works.
Thanks.

Please note the workaround is still required for 22.03.2 at this time pending an updated https-dns-proxy package.


Thanks for posting the fix, it does seem to be very platform-dependent, I've never had a problem on x86_64.

There still seems to be something not right.

This morning I installed a fresh snapshot and https-dns-proxy. I noticed that opening some websites seemed stuck. In the log of the router these "nests" of stopping and starting https-dns-proxy/dnsmasq appear.

Wed Oct 19 11:59:01 2022 user.notice https-dns-proxy: Starting service ✓✓
Wed Oct 19 11:59:05 2022 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: started, version 2.86 cachesize 150
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: DNS service limited to local subnets
Wed Oct 19 11:59:09 2022 user.notice https-dns-proxy: Stopping service ✓
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for test
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for local
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for mask-h2.icloud.com
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for mask.icloud.com
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using 2 more local addresses
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using nameserver xx.xxx.46.22#53
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using nameserver xx.xxx.46.23#53
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using nameserver xxxx:xxx:1002::10#53
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using nameserver xxxx:xxx:1202::10#53
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using nameserver xxxx:xxx:3e42:1000::53#53
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for test
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for local
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for mask-h2.icloud.com
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using only locally-known addresses for mask.icloud.com
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: using 2 more local addresses
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 17 addresses
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 addresses
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Wed Oct 19 11:59:09 2022 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: started, version 2.86 cachesize 150
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: DNS service limited to local subnets
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5054
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5053
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: using only locally-known addresses for test
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: using only locally-known addresses for local
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: using only locally-known addresses for mask-h2.icloud.com
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: using only locally-known addresses for mask.icloud.com
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: using 2 more local addresses
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 17 addresses
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 addresses
Wed Oct 19 11:59:13 2022 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Wed Oct 19 11:59:13 2022 user.notice https-dns-proxy: Starting service ✓✓

Agreed, I've done the fix suggested and although most stuff now works, some websites appear stuck and content embedded in emails won't load. I'm also getting this banner on MacOS and iOS mail apps "Your network preferences prevent content from loading privately":

PRs: https://github.com/openwrt/packages/pull/19633 https://github.com/openwrt/packages/pull/19634


So a WAN6 issue.
I temporarily disabled the WAN6 interface. Seems to help.


The workaround I referenced is no longer needed with https-dns-proxy 2022-10-15-2 or newer (but won't hurt anything either).

If you use/want to use iCloud Private Relay (or whatever Apple's built-in encrypted DNS is called) you may want to disable the iCloud canary domain setting.

None of the fixes worked on my 22.03.2 RT3200 until a clean install of https-dns-proxy - 2022-10-15-3 - this seems to be working well, thanks!
