Https-dns-proxy service stops in version 24.10

PRs with the fix for tracking: https://github.com/openwrt/packages/pull/25941 https://github.com/openwrt/packages/pull/25942

Hey stangri. Is the following an issue you know about on 24.10.0?

I'm getting nowhere at the moment figuring out what's wrong. I keep reverting back to 23.x

I think you already gave the answer yourself?

I'm no closer to the answer though. DNS is still an issue. Someone mentioned new commits to the package, so I wondered whether those would help.

I'm open to ideas

Update to https-dns-proxy 2023.12.26-r4 and luci-app-https-dns-proxy 2023.12.26-r4.

In version 24.10.0-r28427 https-dns-proxy now works normally.
The problem was in version 24.10.0, as I thought, but now it has been fixed.

So the issue will be fixed in the next OpenWrt update? It isn't an https-dns-proxy issue?

The problem has already been fixed, you can update:
https://firmware-selector.openwrt.org/
Yes, it was not a problem with https-dns-proxy.

I think I have the same problem.
As soon as I enable https-dns-proxy, DNS is not working. I can ping 1.1.1.1 from the router, but when I try to ping names like youtube.com, nothing.

Before, I had the latest stable 23 version of OpenWrt and everything was working fine; now I upgraded to the latest stable version 24 (24.10.0 (r28427-6df0e3d02a)) and I have this problem.
I already re-flashed the same image from LuCI (without backup settings, clean install).
I don't understand what's wrong... https-dns-proxy is the latest from LuCI.
Device: Xiaomi AX3000T.
I tried stubby and Smart-DNS; these things are not working. The only thing that is working is the NextDNS package installed from LuCI. :sob: :sob:

I tried to downgrade to 24.10.0-rc7; nothing changed. :frowning:

Output:

root@REDACTED:~# service https-dns-proxy info
{
        "https-dns-proxy": {
                "instances": {
                        "instance1": {
                                "running": true,
                                "pid": 3290,
                                "command": [
                                        "/usr/sbin/https-dns-proxy",
                                        "-r",
                                        "https://cloudflare-dns.com/dns-query",
                                        "-a",
                                        "127.0.0.1",
                                        "-p",
                                        "5053",
                                        "-b",
                                        "1.1.1.1,1.0.0.1",
                                        "-4",
                                        "-u",
                                        "nobody",
                                        "-g",
                                        "nogroup"
                                ],
                                "term_timeout": 5,
                                "data": {
                                        "firewall": [
                                                {
                                                        "type": "redirect",
                                                        "target": "DNAT",
                                                        "src": "lan",
                                                        "proto": "tcp udp",
                                                        "src_dport": "53",
                                                        "dest_port": "53",
                                                        "family": "any",
                                                        "reflection": false
                                                },
                                                {
                                                        "type": "rule",
                                                        "src": "lan",
                                                        "dest": "*",
                                                        "proto": "tcp udp",
                                                        "dest_port": "853",
                                                        "target": "REJECT"
                                                }
                                        ],
                                        "mdns": {
                                                "https-dns-proxy_5053": {
                                                        "service": "_https-dns-proxy._udp.local",
                                                        "port": 5053,
                                                        "txt": [
                                                                "DNS over HTTPS proxy"
                                                        ]
                                                }
                                        }
                                },
                                "respawn": {
                                        "threshold": 3600,
                                        "timeout": 5,
                                        "retry": 5
                                }
                        },
                        "instance2": {
                                "running": true,
                                "pid": 3291,
                                "command": [
                                        "/usr/sbin/https-dns-proxy",
                                        "-r",
                                        "https://dns.google/dns-query",
                                        "-a",
                                        "127.0.0.1",
                                        "-p",
                                        "5054",
                                        "-b",
                                        "8.8.8.8,8.8.4.4",
                                        "-4",
                                        "-u",
                                        "nobody",
                                        "-g",
                                        "nogroup"
                                ],
                                "term_timeout": 5,
                                "data": {
                                        "mdns": {
                                                "https-dns-proxy_5054": {
                                                        "service": "_https-dns-proxy._udp.local",
                                                        "port": 5054,
                                                        "txt": [
                                                                "DNS over HTTPS proxy"
                                                        ]
                                                }
                                        }
                                },
                                "respawn": {
                                        "threshold": 3600,
                                        "timeout": 5,
                                        "retry": 5
                                }
                        }
                },
                "triggers": [
                        [
                                "interface.*.up",
                                [
                                        [
                                                "run_script",
                                                "/etc/init.d/https-dns-proxy",
                                                "restart",
                                                "on_interface_up"
                                        ]
                                ],
                                5000
                        ]
                ]
        }
}
root@REDACTED:~# nslookup google.com 127.0.0.1:5053
;; connection timed out; no servers could be reached

root@REDACTEDL:~# uci export https-dns-proxy
package https-dns-proxy

config main 'config'
        option canary_domains_icloud '1'
        option canary_domains_mozilla '1'
        option dnsmasq_config_update '*'
        option force_dns '1'
        list force_dns_port '53'
        list force_dns_port '853'
        option procd_trigger_wan6 '0'

config https-dns-proxy
        option bootstrap_dns '1.1.1.1,1.0.0.1'
        option resolver_url 'https://cloudflare-dns.com/dns-query'
        option listen_addr '127.0.0.1'
        option listen_port '5053'
        option user 'nobody'
        option group 'nogroup'

config https-dns-proxy
        option bootstrap_dns '8.8.8.8,8.8.4.4'
        option resolver_url 'https://dns.google/dns-query'
        option listen_addr '127.0.0.1'
        option listen_port '5054'
        option user 'nobody'
        option group 'nogroup'

root@REDACTED:~# uci export network
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'REDACTED'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '45.90.30.121'
        option delegate '0'
        option hostname '*'

root@REDACTED:~# uci export dhcp
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@REDACTED:~# https-dns-proxy -V
2023.12.26-r4
root@REDACTED:~# dnsmasq --version
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
root@REDACTED:~# curl -V
curl 8.10.1 (aarch64-openwrt-linux-gnu) libcurl/8.10.1 mbedTLS/3.6.2 nghttp2/1.63.0
Release-Date: 2024-09-18
Protocols: file ftp ftps http https ipfs ipns mqtt
Features: alt-svc HSTS HTTP2 HTTPS-proxy IPv6 Largefile SSL threadsafe UnixSockets

Interesting. The nslookup command using 127.0.0.1:5053 being refused is a good clue!

23.05.5 has the following output. When I try to upgrade again, I'll check the nslookup against port 5053.

root@rpi4:~# https-dns-proxy -V
2023.12.26-1
root@rpi4:~# dnsmasq --version
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
root@rpi4:~# nslookup google.com 127.0.0.1:5053
Server:         127.0.0.1:5053
Address:        127.0.0.1:5053

Non-authoritative answer:
Name:   google.com
Address: 216.58.204.78

Non-authoritative answer:
Name:   google.com
Address: 2a00:1450:4009:81e::200e
root@rpi4:~# netstat -tnlpu | grep https
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           5854/https-dns-prox

Does the netstat command produce any output for you?
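A small diagnostic, added here and not code from the thread or from the https-dns-proxy project, that does what the nslookup and netstat checks above do by hand: it parses the procd JSON from `service https-dns-proxy info`, pulls each instance's listen address and port from its command line, and sends one plain UDP DNS query to each listener, so a timeout (the failing 24.10 case) is told apart from an answer or an error rcode. The embedded JSON is a constructed sample; the fallback listen address and port used when a flag is missing are an assumption.

```python
import json
import random
import socket
import struct
import sys

# Constructed sample in the shape of `service https-dns-proxy info` on OpenWrt
# (procd JSON); instance2 is marked not running to exercise that branch.
SAMPLE_INFO = json.dumps({"https-dns-proxy": {"instances": {
    "instance1": {"running": True, "pid": 3290, "command": [
        "/usr/sbin/https-dns-proxy", "-r", "https://cloudflare-dns.com/dns-query",
        "-a", "127.0.0.1", "-p", "5053", "-b", "1.1.1.1,1.0.0.1", "-4",
        "-u", "nobody", "-g", "nogroup"]},
    "instance2": {"running": False, "command": [
        "/usr/sbin/https-dns-proxy", "-r", "https://dns.google/dns-query",
        "-a", "127.0.0.1", "-p", "5054", "-b", "8.8.8.8,8.8.4.4", "-4"]},
}}})

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_instances(info_json):
    """Return [(name, running, listen_addr, listen_port, resolver_url)] per instance.

    The -a/-p values are read from the procd command array; the fallbacks used
    when a flag is absent are an assumption, not taken from the thread."""
    data = json.loads(info_json)
    result = []
    for name, inst in data["https-dns-proxy"]["instances"].items():
        cmd, opts, i = inst.get("command", []), {}, 1
        while i < len(cmd):
            if cmd[i] in ("-a", "-p", "-r", "-b") and i + 1 < len(cmd):
                opts[cmd[i]] = cmd[i + 1]
                i += 2
            else:
                i += 1  # valueless switches such as -4
        result.append((name, bool(inst.get("running")),
                       opts.get("-a", "127.0.0.1"), int(opts.get("-p", "5053")),
                       opts.get("-r")))
    return result

def build_query(qname, qid):
    """Minimal DNS A/IN query with RD set, as nslookup would send over UDP."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def parse_rcode(resp, qid):
    """Return the RCODE of a response to query `qid`, or None if it is not one."""
    if len(resp) < 12:
        return None
    rid, flags = struct.unpack(">HH", resp[:4])
    if rid != qid or not flags & 0x8000:  # wrong ID or QR bit not set
        return None
    return flags & 0x000F

def probe(addr, port, qname="google.com", timeout=2.0):
    """Send one query to a listener; 'timeout' matches the thread's failing case."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(qname, qid), (addr, port))
            resp, _ = s.recvfrom(512)
        except OSError:  # socket.timeout is a subclass of OSError
            return "timeout"
    rc = parse_rcode(resp, qid)
    return "unexpected reply" if rc is None else RCODES.get(rc, f"rcode {rc}")

if __name__ == "__main__":
    # On the router: service https-dns-proxy info | python3 probe_hdp.py
    info = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INFO
    for name, running, addr, port, url in parse_instances(info):
        state = probe(addr, port) if running else "not running"
        print(f"{name}: {addr}:{port} -> {url}: {state}")
```

A "timeout" for a running instance while netstat shows no listener on that port points at the proxy process, not at dnsmasq or the firewall rules.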

I installed 23.05.5 with LuCI, and it's behaving the same as 24.0.10 :frowning:
If I remember correctly, this all happened when I tried to use encrypted DNS on the Windows 11 machine, the integrated one; it's as if that broke everything.
At first I thought my Windows machine was broken, and I did a clean Windows 11 install (and didn't touch anything related to the Internet there), but only after I checked my other devices did I see that behavior everywhere, including the router.

I will check the commands. I need to reinstall the packages (https-dns-proxy); right now it's naked OpenWrt.

Via LuCI, stop and turn off https-dns-proxy.
Go to dnsmasq; in the forwarding section add these lines and save:

/mask.icloud.com/
/mask-h2.icloud.com/
/use-application-dns.net/
127.0.0.1#5053
127.0.0.1#5054

Then turn on and run https-dns-proxy.

I see that you have not learned to use this program.
I have discovered much more of this program's potential :slight_smile:

That should happen automatically if you have selected everything in LuCI, e.g.:

I agree, but if you turn off https-dns-proxy, then these lines will disappear from dnsmasq and may not reappear,
for example due to a failure or incorrect configuration.
And if you do as I said, this guarantees the uninterrupted operation of this program.

netstat is very slow when I turn on https-dns-proxy.
When it's turned off, this command executes very quickly.

root@OpenWRT:~# netstat command
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        1    276 8.129.50.230:38050      8.8.4.4:https           CLOSING
tcp        1    276 8.129.50.230:42120      8.8.4.4:https           CLOSING
tcp        1    276 8.129.50.230:48558      8.8.4.4:https           CLOSING
tcp        0      0 OpenWRT.lan:www         DESKTOP-XSFGVBZ.lan:64344 TIME_WAIT
tcp        1    276 8.129.50.230:48590      8.8.4.4:https           CLOSING
tcp        1    284 8.129.50.230:52882      104.16.249.249:https    LAST_ACK
tcp        0    275 8.129.50.230:33242      8.8.4.4:https           ESTABLISHED
tcp        1    276 8.129.50.230:33220      8.8.4.4:https           CLOSING
tcp        1    276 8.129.50.230:36352      8.8.4.4:https           CLOSING
tcp        1    276 8.129.50.230:36300      8.8.4.4:https           CLOSING
tcp        1    276 8.129.50.230:59130      8.8.4.4:https           CLOSING
tcp        1    276 8.129.50.230:50922      8.8.4.4:https           LAST_ACK
tcp        1    276 8.129.50.230:50912      8.8.4.4:https           LAST_ACK
tcp        1    276 8.129.50.230:59140      8.8.4.4:https           CLOSING
tcp        1    284 8.129.50.230:32956      104.16.249.249:https    CLOSING
tcp        0    275 8.129.50.230:49316      8.8.4.4:https           ESTABLISHED

I tried your suggestion with the forwarding section but it didn't resolve the issue :sob:

I blocked UDP port 53 on the WAN interface,
addressed in the hosts file,
option bootstrap_dns '127.0.0.1'
option listen_addr '127.0.0.1'
:slight_smile:
Now is the time when the Internet provider can block.
I would not use Google; it logs all requests.
Always choose DNS servers without logging,
unless you are a saint :slight_smile:

How can I block UDP port 53 on the WAN interface? Will it help with my issue?
I don't use Google servers; it's the default configuration for testing to make sure I didn't mess anything up, but it's still not working :frowning:
Before, I used NextDNS when everything was working.

Test on another DNS server.
I don't know where you are and what the rules are there, but I know that there are countries where they have turned on hard censorship :slight_smile:
They block Google services too; it all depends on the country.

I have the same error in the system log:

user.notice https-dns-proxy [2158]: Stopping https-dns-proxy 2023.12.26-r4 on_failed_health_check ✓
user.notice https-dns-proxy [2158]: Setting trigger (on_boot) ✓

I tried to add this command via SSH:
echo "(sleep 10 && /etc/init.d/https-dns-proxy restart)" >> /etc/rc.local
But I'm not sure it worked because I still see this error. If I understand correctly, I need to write this command to some file.

I checked AdGuard and Quad9 and everything is still the same, not working.

Also, I pinged these domain names, "dns.nextdns.io" and "dns.adguard-dns.com", and their IPs from the router SSH without https-dns-proxy and got responses back, so from my understanding it means my ISP is not blocking them.

Anything else from https-dns-proxy in the log after these lines? The https-dns-proxy should then be automatically restarted when any interface comes up.

@ToddHoward if you can edit the init file on the router, can you try commenting out the first line inside the boot() function in /etc/init.d/https-dns-proxy so it looks like this:

boot() {
#	ubus -t 30 wait_for network.interface 2>/dev/null
	rc_procd start_service 'on_boot' && service_started 'on_boot'
	if ! is_resolver_working; then
		hdp_boot_flag=1
		rc_procd stop_service 'on_failed_health_check' && service_stopped 'on_failed_health_check'
	fi
}