During my research regarding my Chrome/DNS-TCP issue, I modified certain openwrt pars, to speed up ops. Which might be of interest to other parties, as well, especially, when using not-so-beefy devices.
- Edit /etc/sysctl.d/11-nf-conntrack.conf
net.netfilter.nf_conntrack_acct=0 # I guess, accounting here only required for special accounting packages.
- Eliminate some DNS-related conntrack items, to save CPU/RAM. Especially, when https-dns-proxy is used, as it causes quite a few local conns to dnsmasq. Which might be even both DNS-UDP or DNS-TCP conns. Ref. Dnsmasq, adblocking and Chrome - #2 by reinerotto
Set up following mods to fw4:
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
meta l4proto { tcp, udp } th dport 53 counter packets 6049 bytes 305496 notrack
}
chain raw_output {
type filter hook output priority raw; policy accept;
meta l4proto { tcp, udp } th dport 5053 ip daddr 127.0.0.0/8 counter packets 1125 bytes 76469 notrack
meta l4proto { tcp, udp } th sport 5053 ip daddr 127.0.0.0/8 counter packets 1098 bytes 112953 notrack
meta l4proto { tcp, udp } th sport 53 ip daddr 192.168.1.0/24 counter packets 5254 bytes 309893 notrack
In case of not using https-dns-proxy, same can be done, without rules for βs/dport 5053β .
@reinerotto are you using this with force_dns enabled or disabled in https-dns-proxy?
My config:
config main 'config'
option canary_domains_icloud '1'
option canary_domains_mozilla '1'
option dnsmasq_config_update '-'
option force_dns '1'
list force_dns_port '53'
list force_dns_port '853'
list force_dns_src_interface 'lan'
option procd_trigger_wan6 '0'
option heartbeat_domain 'heartbeat.melmac.ca'
option heartbeat_sleep_timeout '10'
option heartbeat_wait_timeout '10'
option user 'nobody'
option group 'nogroup'
option listen_addr '127.0.0.1'
option statistic_interval '3600'
option logfile '/tmp/https-dns-proxy.log'
option verbosity '3'
config https-dns-proxy
option bootstrap_dns '9.9.9.10,9.9.9.9'
option resolver_url 'https://dns10.quad9.net/dns-query'
option listen_port '5053'
BTW, I filed an official issue for https-dns-proxy, on aarond10, on git. May be, you have the opportunity to confirm/reject it.
@reinerotto as far as I understand, the below:
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
meta l4proto { tcp, udp } th dport 53 counter packets 6049 bytes 305496 notrack
}
breaks the force_dns, so clients with hardcoded DNS will still use hardcoded servers instead.
BTW, @aarond10βs repo is the wrong place to create an issue for the OpenWrt package. Itβs maintained at mossdef-org repo.
breaks the force_dns β¦ Good find. Sh.., you are correct. For force_dns=0 alone it is not so exciting.
Regarding where to create an issue, my idea was, that it MIGHT be a general problem of https-dns-proxy. OK, I will create a ref in mossdef-org repo. Thank you.