Apologies for such a basic question, but I can't seem to find any answer anywhere.
If I have https-dns-proxy configured with multiple providers, how are they used?
Are they prioritised in the order specified in dnsmasq, are they used in a round robin method, etc.?
Also, in the dnsmasq config, what's the difference between "list server" and "list doh_backup_server" entries? Configuring via LuCI seems to have added both for each provider.
Depends on your dnsmasq config; it can be set to respect the listed order or it can be set to query all resolvers simultaneously.
When you start https-dns-proxy, the necessary changes are made to dnsmasq config so that dnsmasq uses https-dns-proxy to look up domains. Your previous settings are saved as doh_backup_server entries and are restored if/when you stop https-dns-proxy service.
Could you please confirm which parameters you are referring to?
The two parameters I can see are:
strictorder | boolean | 0 | -o | Obey order of DNS servers in /etc/resolv.conf
but the DOH providers are not in /etc/resolv.conf.
allservers | boolean | 0 | --all-servers | By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this parameter forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requester.
but it doesn't say which server will be used by default.
I have the noresolv option set to 1 anyway, but I tried setting strictorder to 1. I can still see DNS requests going to random DOH providers (using tcpdump).
In short, I would like to configure my system so that the DOH providers are used in a strict order, i.e. always use X for all requests, if X is unavailable use Y.
Even if there's no bug, strict order makes the second resolver work with significant delays, because each DNS query needs to timeout on the first resolver before being sent to the second one.
I was under the impression (maybe from the previous wiki) that this works and uses the first upstream resolver; given the issue you've linked, I was clearly wrong.
If this is a must-have requirement, and you don't mind some legwork, I'd look into unbound instead of dnsmasq+https-dns-proxy; maybe it can do what you want.
After doing a bit more reading, and based on the responses here, I've changed my mind. I've gone with three similar providers and I'm using the "allservers" option.
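
Added example, not part of any post in this thread: a small shell check that summarises how a dnsmasq section in OpenWrt's UCI format is set up to use its upstreams, separating active `list server` entries from saved `list doh_backup_server` entries and listing any active upstream that is not a loopback address. The sample config, its addresses and ports, and the function name `audit_dnsmasq_upstreams` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of a dnsmasq section in /etc/config/dhcp format.
# Addresses and ports are assumptions, not values from the thread.
SAMPLE_DHCP_CONFIG="$(cat <<'EOF'
config dnsmasq
    option noresolv '1'
    option allservers '1'
    list server '127.0.0.1#5053'
    list server '127.0.0.1#5054'
    list server '127.0.0.1#5055'
    list doh_backup_server '192.0.2.53'
EOF
)"

# Reads UCI text on stdin and prints one key=value line per finding.
audit_dnsmasq_upstreams() {
    awk -v q="'" '
    { gsub(q, ""); gsub(/"/, "") }   # strip UCI quoting; fields are re-split
    $1 == "option" && $2 == "noresolv"    { noresolv = $3 }
    $1 == "option" && $2 == "strictorder" { strictorder = $3 }
    $1 == "option" && $2 == "allservers"  { allservers = $3 }
    $1 == "list" && $2 == "server" {
        active++
        # Anything that is not a loopback address is listed for review,
        # since such a query would not go through a local DoH proxy.
        if ($3 !~ /^127\./ && $3 !~ /^::1/)
            nonlocal = (nonlocal == "" ? "" : nonlocal ",") $3
    }
    # Entries saved while https-dns-proxy runs; counted, not treated as active.
    $1 == "list" && $2 == "doh_backup_server" { saved++ }
    END {
        if (nonlocal == "") nonlocal = "none"
        printf "active_upstreams=%d\n", active
        printf "saved_backup_entries=%d\n", saved
        printf "noresolv=%d\n", noresolv
        printf "strictorder=%d\n", strictorder
        printf "allservers=%d\n", allservers
        printf "non_loopback_upstreams=%s\n", nonlocal
    }'
}

# Run against the constructed sample; on a router, feed it /etc/config/dhcp.
printf '%s\n' "$SAMPLE_DHCP_CONFIG" | audit_dnsmasq_upstreams
```

With `noresolv=1` and `non_loopback_upstreams=none`, every active upstream in the section is a local listener, which is the state to confirm before trusting a tcpdump capture of the DoH traffic.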