Hi everyone.
Fibre internet - Hub is in router mode.
Hardware: Linksys MR8300
Build: Custom - NoTengoBattery v3.0.0-rc4 r16256-2
24/7 VPN running (WireGuard, Mullvad)
VPN split tunnelling (all devices go through VPN except a NAS)
Ever since I set up DNS over TLS using stubby (I followed this guide: https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md), I often get a 'Connection not found' error when browsing in Firefox - the odd thing is that when I refresh, the site normally loads fine. This happens very often (probably on 20% of all the websites I visit).
I am also running Adblock on the router.
This happens on multiple devices (both on my laptop (whether connected via LAN or wifi) and phone).
I had a look at the system log, and I noticed that I was getting a few 'possible DNS-rebind attack detected' whenever I got this issue (it seems it's because adblock was blocking an ad), so I turned DNS rebind protection off. This didn't help at all.
This is my stubby.yml:
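# Note: by default on OpenWRT stubby configuration is handled via
# the UCI system and the file /etc/config/stubby. If you want to
# use this file to configure stubby, then set "option manual '1'"
# in /etc/config/stubby.
#
# As pasted above, the tls_auth_name / tls_port lines were not
# indented under their "- address_data:" items, which is not valid
# YAML; they are nested correctly below. Sequences are indented
# consistently (two spaces) throughout.
resolution_type: GETDNS_RESOLUTION_STUB

# Rotate queries across the upstreams listed below instead of
# always using the first reachable one.
round_robin_upstreams: 1
appdata_dir: "/var/lib/stubby"

# Strict mode: an upstream is used only when its TLS certificate
# validates for the tls_auth_name given for it below.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# Pad queries to a multiple of 128 bytes so message sizes reveal less.
tls_query_padding_blocksize: 128
# After 2 failed TLS connection attempts an upstream is backed off
# for 3600 s (1 h). NOTE(review): with round-robin over five
# upstreams, a single upstream that intermittently fails would show
# up as occasional failed lookups — worth checking the stubby log
# for which upstream (if any) is being backed off.
tls_connection_retries: 2
tls_backoff_time: 3600
# Request DNSSEC validation status from the resolver; dnsmasq is
# configured with proxydnssec to pass the resulting AD bit through.
dnssec_return_status: GETDNS_EXTENSION_TRUE
# Ask upstreams not to include the client subnet (EDNS Client Subnet).
edns_client_subnet_private: 1
# Keep an idle TLS connection open for 10000 ms before closing it.
idle_timeout: 10000

# Local listeners only; dnsmasq forwards to 127.0.0.1#5453.
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# Every upstream is authenticated against its tls_auth_name
# (tls_authentication is REQUIRED above). Default port 853 unless
# tls_port is given.
upstream_recursive_servers:
  - address_data: 9.9.9.11
    tls_auth_name: "dns11.quad9.net"
  - address_data: 149.112.112.11
    tls_auth_name: "dns11.quad9.net"
  - address_data: 116.202.176.26
    tls_port: 854
    tls_auth_name: "dot.libredns.gr"
  - address_data: 45.91.92.121
    tls_auth_name: "dot-ch.blahdns.com"
  - address_data: 78.46.244.143
    tls_auth_name: "dot-de.blahdns.com"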
Here is the /etc/config/dhcp file:
# dnsmasq: DNS forwarder/cache and DHCP server for the LAN.
config dnsmasq
# Never forward plain hostnames (no dots) upstream.
option domainneeded '1'
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# Only answer queries arriving from locally attached subnets.
option localservice '1'
option ednspacket_max '1232'
# Ignore /etc/resolv.conf; the only upstream is the "list server" entry below.
option noresolv '1'
# Forward everything to stubby, which listens on 127.0.0.1@5453
# (see listen_addresses in stubby.yml) and speaks DNS over TLS upstream.
list server '127.0.0.1#5453'
option confdir '/tmp/dnsmasq.d'
option sequential_ip '1'
# dnsmasq does not validate DNSSEC itself here; it passes the AD bit
# through from stubby (proxydnssec), which requests validation status.
option dnsseccheckunsigned '0'
option proxydnssec '1'
option cachesize '1000'
# Extra hosts file; presumably where adblock writes its block list
# (adb_dns 'dnsmasq') — verify against the adblock status output.
list addnhosts '/etc/dnsmasq.hosts'
# Disabled while troubleshooting the 'possible DNS-rebind attack
# detected' log entries. With this off, dnsmasq no longer rejects
# upstream answers that resolve to private address ranges.
option rebind_protection '0'
# LAN: DHCPv4 + DHCPv6 + RA served by dnsmasq/odhcpd.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option leasetime '6h'
# WAN: no DHCP service offered on the upstream side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
Just in case this is relevant, here is the adblock config:
# adblock: DNS-level blocking, feeding the dnsmasq instance above.
config adblock 'global'
option adb_enabled '1'
option adb_debug '0'
option adb_safesearch '0'
option adb_dnsfilereset '0'
option adb_mail '0'
option adb_backup '1'
option adb_maxqueue '4'
option adb_fetchutil 'uclient-fetch'
option adb_report '1'
# (Re)load block lists when the wan interface comes up.
option adb_trigger 'wan'
option adb_repiface 'br-lan'
# Backend is dnsmasq, so blocked names are answered locally by the
# same resolver that forwards everything else to stubby.
option adb_dns 'dnsmasq'
# NOTE(review): presumably forces plain-DNS (port 53) traffic from the
# zones below through the router's resolver, so clients cannot bypass
# the blocking or the DoT path; confirm against the adblock README.
option adb_forcedns '1'
list adb_zonelist 'GuestWIFI'
list adb_zonelist 'WireGuardM'
list adb_zonelist 'lan'
list adb_stb_sources 'hosts'
# Block list sources; blocked names resolve locally rather than
# upstream, which is what triggered the rebind warnings in the log.
list adb_sources 'notracking'
list adb_sources 'smarttv_tracking'
list adb_sources 'stevenblack'
list adb_sources 'winspy'
list adb_sources 'yoyo'
I've omitted the rest of the file, as it is just static leases for different devices on the network.
Any idea what may be going wrong?
Thanks in advance for your help!