Https-dns-proxy with different Instances

I'm using https-dns-proxy with three (3) different instances and one of them does not seem to resolve.

Cloudflare (Security Filter)
Google
CleanBrowsing (Security Filter)

CleanBrowsing does not resolve any DNS, and it seems their IPv6 is not working either; I get an error.

option bootstrap_dns '185.228.168.9,185.228.169.9,2a0d:2a00:1::2,2a0d:2a00:2::2'

The other two seem to be working as they should.

Does anyone have the same problem or have any clue?

F.Y.I. When I use Heartbeat Domain in https-dns-proxy, I get Curl error 35, as in other programs.

The IP address(es) in the HDP bootstrap_dns directive is a non-DoH DNS (and those addresses are in the range controlled by CleanBrowsing).

What is the value of HDP instance resolver_url directive (which must be the URI of a DoH server)?

Pls, provide /etc/config/https-dns-proxy from your openwrt device

config main 'config'
	option dnsmasq_config_update '*'
	option force_dns '0'
	option notrack_dns '0'
	list force_dns_port '53'
	list force_dns_port '853'
	option procd_trigger_wan6 '0'
	option verbosity '1'
	option force_ipv6_resolvers '1'

config https-dns-proxy
	option resolver_url 'https://doh.cleanbrowsing.org/doh/security-filter/'
	option listen_addr '127.0.0.1'
	option listen_port '5053'
	option user 'nobody'
	option group 'nogroup'
	option bootstrap_dns '185.228.168.9,185.228.169.9'

config https-dns-proxy
	option bootstrap_dns '1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001'
	option resolver_url 'https://security.cloudflare-dns.com/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5054'
	option user 'nobody'
	option group 'nogroup'

config https-dns-proxy
	option bootstrap_dns '8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844'
	option resolver_url 'https://dns.google/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5055'
	option user 'nobody'
	option group 'nogroup'

(Blocks all adult content): IPv4: 185.228.168.168 and 185.228.169.168; IPv6: 2a0d:2a00:1:: and 2a0d:2a00:2::
Adult Filter (Blocks adult content, safe search): IPv4: 185.228.168.10 and 185.228.169.11; IPv6: 2a0d:2a00:1::10 and 2a0d:2a00:2::11
Security Filter (Blocks phishing, malware, scams): IPv4: 185.228.168.9 and 185.228.169.9; IPv6: 2a0d:2a00:1::9 and 2a0d:2a00:2::9


I suspect, you should use “option force_dns ‘1’”. Otherwise, clients can bypass usage of dnsmasq+proxy, which might look like “not resolving”.

Otherwise, config looks to me.

Anyway,

  1. what does 'nslookup doh.cleanbrowsing.org 185.228.168.9' (on your openwrt) say ?
  2. what does 'ps | grep cleanbrowsing' say ?
  3. what does 'netstat -tulpn | grep 5053' say ?

root@Defcon:~# nslookup doh.cleanbrowsing.org 185.228.168.9
Server:         185.228.168.9
Address:        185.228.168.9:53

Non-authoritative answer:
Name:   doh.cleanbrowsing.org
Address: 185.228.168.10
Name:   doh.cleanbrowsing.org
Address: 185.228.168.168

Non-authoritative answer:

root@Defcon:~# ps | grep cleanbrowsing
 8767 root      1328 S    grep cleanbrowsing
21501 nobody    3468 S    /usr/sbin/https-dns-proxy -r https://doh.cleanbrowsing.org/doh/security-filter/ -p 5053 -u nobody -g nogroup -v

root@Defcon:~# netstat -tulpn | grep 5053
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      21501/https-dns-pro
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           21501/https-dns-pro

And what does ‘nslookup bild.de 127.0.0.1:5053’ say ?

The other two get an answer.

root@Defcon:~# nslookup bild.de 127.0.0.1:5053
;; connection timed out; no servers could be reached

root@Defcon:~# nslookup bild.de 127.0.0.1:5054
Server:         127.0.0.1:5054
Address:        127.0.0.1:5054

Non-authoritative answer:

Non-authoritative answer:
Name:   bild.de
Address: 2.22.145.6
Name:   bild.de
Address: 2.22.145.9

root@Defcon:~# nslookup bild.de 127.0.0.1:5055
Server:         127.0.0.1:5055
Address:        127.0.0.1:5055

Non-authoritative answer:
Name:   bild.de
Address: 184.86.103.204
Name:   bild.de
Address: 184.86.103.222
Name:   bild.de
Address: 184.86.103.210


Then it looks like, https-dns-proxy has problems with this resolver. Actually, easy for me to give it a try myself. Will be back in 10min.

Works for me. However, I have a slightly different environment than yours. Before going any further: Can you ‘ping 185.228.168.9’ ? Are you using any filtering software, i.e. adblocker or similar ? If not, pls provide ‘nft list ruleset’

not sure if that is the problem but there is no bootstrap

You have set option force_ipv6_resolvers '1' but there is no IPv6 bootstrap DNS server set.
(Better not stray from the default settings if you are unsure what it means)

I just tested and it works fine for me but I am on the latest dns-https-proxy that could also play a role

Yep. You got it, I bet.

root@Defcon:~# ping 185.228.168.9
PING 185.228.168.9 (185.228.168.9): 56 data bytes
64 bytes from 185.228.168.9: seq=0 ttl=52 time=24.728 ms
64 bytes from 185.228.168.9: seq=1 ttl=52 time=24.590 ms
64 bytes from 185.228.168.9: seq=2 ttl=52 time=24.543 ms
64 bytes from 185.228.168.9: seq=3 ttl=52 time=24.634 ms
64 bytes from 185.228.168.9: seq=4 ttl=52 time=24.587 ms
64 bytes from 185.228.168.9: seq=5 ttl=52 time=24.609 ms
64 bytes from 185.228.168.9: seq=6 ttl=52 time=24.567 ms
64 bytes from 185.228.168.9: seq=7 ttl=52 time=24.551 ms
64 bytes from 185.228.168.9: seq=8 ttl=52 time=24.641 ms
64 bytes from 185.228.168.9: seq=9 ttl=52 time=24.560 ms
64 bytes from 185.228.168.9: seq=10 ttl=52 time=24.475 ms
64 bytes from 185.228.168.9: seq=11 ttl=52 time=24.597 ms
64 bytes from 185.228.168.9: seq=12 ttl=52 time=24.641 ms
64 bytes from 185.228.168.9: seq=13 ttl=52 time=24.609 ms
64 bytes from 185.228.168.9: seq=14 ttl=52 time=24.597 ms
64 bytes from 185.228.168.9: seq=15 ttl=52 time=24.528 ms
64 bytes from 185.228.168.9: seq=16 ttl=52 time=24.572 ms
64 bytes from 185.228.168.9: seq=17 ttl=52 time=24.538 ms
64 bytes from 185.228.168.9: seq=18 ttl=52 time=24.566 ms
64 bytes from 185.228.168.9: seq=19 ttl=52 time=24.582 ms
64 bytes from 185.228.168.9: seq=20 ttl=52 time=24.536 ms
64 bytes from 185.228.168.9: seq=21 ttl=52 time=24.609 ms
64 bytes from 185.228.168.9: seq=22 ttl=52 time=24.576 ms
64 bytes from 185.228.168.9: seq=23 ttl=52 time=24.590 ms

Replace the bootstrap_dns value of the instance that is configured for doh.cleanbrowsing.org with -
'2a0d:2a00:1::9,2a0d:2a00:2::9,185.228.168.9,185.228.169.9'

Or disable force_ipv6_resolvers '1' and restart :)
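
The mismatch raised above (force_ipv6_resolvers '1' in the main section alongside an IPv4-only bootstrap_dns) can be checked mechanically. The following shell function is an added example, not part of the original posts or of the https-dns-proxy package; the names check_hdp_bootstrap and sample_config are hypothetical, and it checks only this one configuration mismatch.

```shell
# Added example; check_hdp_bootstrap and sample_config are hypothetical names.
check_hdp_bootstrap() {
    # $1: UCI file laid out like /etc/config/https-dns-proxy (values without spaces).
    awk -v q="'" '
    function unq(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
    function close_sect(   n, a, i, v6) {
        if (in_inst && boot != "") {
            n = split(boot, a, ","); v6 = 0
            for (i = 1; i <= n; i++) if (a[i] ~ /:/) v6 = 1   # colon => IPv6
            rec[++cnt] = "port=" port " url=" url; has6[cnt] = v6
        }
        in_inst = 0; boot = ""; url = "-"; port = "-"
    }
    $1 == "config" { close_sect(); sect = $2; in_inst = (sect == "https-dns-proxy"); next }
    $1 == "option" && sect == "main" && $2 == "force_ipv6_resolvers" { force = unq($3) }
    $1 == "option" && in_inst {
        if ($2 == "bootstrap_dns") boot = unq($3)
        if ($2 == "resolver_url")  url  = unq($3)
        if ($2 == "listen_port")   port = unq($3)
    }
    END {
        close_sect()
        for (i = 1; i <= cnt; i++) {
            if (force == "1" && !has6[i]) {
                bad = 1
                print "WARN " rec[i] " force_ipv6_resolvers=1 but bootstrap_dns is IPv4-only"
            } else print "OK " rec[i]
        }
        exit bad + 0
    }' "$1"
}

sample_config() {
    # Constructed sample, trimmed from the configuration posted in the thread.
    cat <<'EOF'
config main 'config'
	option force_ipv6_resolvers '1'
config https-dns-proxy
	option resolver_url 'https://doh.cleanbrowsing.org/doh/security-filter/'
	option listen_port '5053'
	option bootstrap_dns '185.228.168.9,185.228.169.9'
config https-dns-proxy
	option bootstrap_dns '1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001'
	option resolver_url 'https://security.cloudflare-dns.com/dns-query'
	option listen_port '5054'
EOF
}
tmp=$(mktemp); sample_config > "$tmp"
check_hdp_bootstrap "$tmp" || echo "at least one instance flagged"; rm -f "$tmp"
```

The function exits non-zero when any instance is flagged, so it can gate a restart of the service after a configuration change.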

I have disabled force_ipv6_resolvers '1'; I don't know why it was enabled.
I have restarted https-dns-proxy but it still does not resolve CleanBrowsing.

Just have to mention I have PBR running with a second dnsmasq running on port 54.

Replaced with this:

option bootstrap_dns '185.228.168.9,185.228.169.9,2a0d:2a00:1::9,2a0d:2a00:2::9'

I have a lot of this in the log.

[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.577923 https_client.c:366 8597: curl request failed with 35: Error
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.577956 https_client.c:368 8597: curl error message: ssl_handshake returned: (-0x6600) SSL - A field in a message was incorrect or inconsistent with other fields
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.577965 https_client.c:395 8597: No response (probably connection has been closed or timed out)
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.655965 https_client.c:366 A28A: curl request failed with 35: Error
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.655999 https_client.c:368 A28A: curl error message: ssl_handshake returned: (-0x6600) SSL - A field in a message was incorrect or inconsistent with other fields
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656008 https_client.c:395 A28A: No response (probably connection has been closed or timed out)
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656041 https_client.c:366 5D97: curl request failed with 28: Error
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656047 https_client.c:368 5D97: curl error message: remaining timeout of 974 too small to resolve via SIGALRM method
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656053 https_client.c:395 5D97: No response (probably connection has been closed or timed out)
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656069 https_client.c:366 DF14: curl request failed with 28: Error
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656075 https_client.c:368 DF14: curl error message: remaining timeout of 988 too small to resolve via SIGALRM method
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656080 https_client.c:395 DF14: No response (probably connection has been closed or timed out)
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656122 https_client.c:520 0693: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656202 https_client.c:520 CCF3: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656241 https_client.c:520 71D9: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656261 https_client.c:520 2D62: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656297 https_client.c:520 BB8B: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656316 https_client.c:520 BFE5: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656334 https_client.c:520 3B54: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656352 https_client.c:520 6FC0: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656389 https_client.c:520 97C2: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656408 https_client.c:520 99CD: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656425 https_client.c:520 0E06: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656442 https_client.c:520 C2E5: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656458 https_client.c:520 D074: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656484 https_client.c:520 3D48: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656527 https_client.c:520 886C: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656544 https_client.c:520 FEC2: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656605 https_client.c:520 EE52: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656626 https_client.c:520 2171: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656644 https_client.c:520 FB5F: Request was aborted
[4 maj 2026 17:45:20 CEST] daemon.info: https-dns-proxy[11321]: [W] 1777909520.656823 https_client.c:520 02CE: Request was aborted

@Ohfalderal @reinerotto

There is another thread with you, having issues with DDNS, Curl, mbedtls and TLS 1.2/3. Maybe you are hit here again. I am using OpenSSL, actually, for testing another issue. I can build my actual image, using mbedtls for https-dns-proxy, and test again. Needs a couple of hours, though. Just to confirm: What does ‘https-dns-proxy -V’ say?

https-dns-proxy -V
2025.12.29-r5
Using: ev/4.33 c-ares/1.34.6 libcurl/8.19.0 mbedTLS/3.6.6 nghttp2/1.66.0
Features: HTTP2 HTTPS-proxy IPv6

2025.12.29-r5 … So you are NOT using most recent version of https-dns-proxy, which officially is only available in SNAPSHOT. My working version:

root@Cudy:~# https-dns-proxy -V
2026.03.18-r1
Using: ev/4.33 c-ares/1.34.6 libcurl/8.19.0 OpenSSL/3.5.5 nghttp2/1.66.0
Features: HTTP2 HTTPS-proxy IPv6

2 differences. Will see …

I'm on snapshot and just updated with owut.
But it still does not resolve CleanBrowsing.
There must be an updated mbedTLS/3.6.6 with fixed tlsv3.

2026.03.18-r1
Using: ev/4.33 c-ares/1.34.6 libcurl/8.19.0 **mbedTLS/3.6.6** nghttp2/1.66.0
Features: HTTP2 HTTPS-proxy IPv6