Lots of 'connection not found' when browsing - using DoT (Stubby + DNSMasq)

Hi everyone.

Fibre internet - Hub is in router mode.
Hardware: Linksys MR8300
Build: Custom - NoTengoBattery v3.0.0-rc4 r16256-2
24/7 VPN running (WireGuard Mullvad)
VPN split tunnelling (all devices go through VPN except a NAS)

Ever since I set up DNS over TLS using stubby (I followed this guide: https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md), I often get a 'Connection not found' problem when browsing in Firefox - the funny thing is, when I refresh, the site normally loads up fine. This is happening very often (probably 20% of all the websites I am visiting).

I am also running Adblock on the router.

This happens on multiple devices (both on my laptop, whether connected via LAN or Wi-Fi, and on my phone).

I had a look at the system log, and I noticed that I was getting a few 'possible DNS-rebind attack detected' messages whenever I got this issue (it seems it's because adblock was blocking an ad), so I turned DNS rebind protection off. This didn't help at all.

This is my stubby.yml:

# Note: by default on OpenWRT stubby configuration is handled via
# the UCI system and the file /etc/config/stubby. If you want to
# use this file to configure stubby, then set "option manual '1'"
# in /etc/config/stubby.
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1        # rotate queries across all upstreams listed below
appdata_dir: "/var/lib/stubby"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # fail rather than fall back to unauthenticated TLS
tls_query_padding_blocksize: 128
tls_connection_retries: 2       # failed connection attempts before an upstream is backed off
tls_backoff_time: 3600          # maximum seconds a failed upstream is avoided before being retried
dnssec_return_status: GETDNS_EXTENSION_TRUE   # ask for DNSSEC validation status
edns_client_subnet_private: 1   # ask upstreams not to use/expose the client subnet
idle_timeout: 10000             # ms to keep an idle TLS connection open

listen_addresses:
  - 127.0.0.1@5453              # must match "list server '127.0.0.1#5453'" in /etc/config/dhcp
  - 0::1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS        # TLS only, no plain UDP/TCP fallback
upstream_recursive_servers:
  - address_data: 9.9.9.11
    tls_auth_name: "dns11.quad9.net"
  - address_data: 149.112.112.11
    tls_auth_name: "dns11.quad9.net"
  - address_data: 116.202.176.26
    tls_port: 854               # non-default DoT port for this upstream
    tls_auth_name: "dot.libredns.gr"
  - address_data: 45.91.92.121
    tls_auth_name: "dot-ch.blahdns.com"
  - address_data: 78.46.244.143
    tls_auth_name: "dot-de.blahdns.com"

Here is the /etc/config/dhcp file:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	# ignore upstream resolvers from /etc/resolv.conf; use only the 'server' entries
	option noresolv '1'
	# forward all queries to stubby's listen address
	list server '127.0.0.1#5453'
	option confdir '/tmp/dnsmasq.d'
	option sequential_ip '1'
	option dnsseccheckunsigned '0'
	# pass the upstream (stubby) DNSSEC status through instead of validating in dnsmasq
	option proxydnssec '1'
	option cachesize '1000'
	list addnhosts '/etc/dnsmasq.hosts'
	# disabled after the 'possible DNS-rebind attack detected' messages
	option rebind_protection '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option leasetime '6h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Just in case this is relevant, here is the adblock config:

config adblock 'global'
	option adb_enabled '1'
	option adb_debug '0'
	option adb_safesearch '0'
	option adb_dnsfilereset '0'
	option adb_mail '0'
	option adb_backup '1'
	option adb_maxqueue '4'
	option adb_fetchutil 'uclient-fetch'
	option adb_report '1'
	option adb_trigger 'wan'
	option adb_repiface 'br-lan'
	option adb_dns 'dnsmasq'
	option adb_forcedns '1'
	list adb_zonelist 'GuestWIFI'
	list adb_zonelist 'WireGuardM'
	list adb_zonelist 'lan'
	list adb_stb_sources 'hosts'
	list adb_sources 'notracking'
	list adb_sources 'smarttv_tracking'
	list adb_sources 'stevenblack'
	list adb_sources 'winspy'
	list adb_sources 'yoyo'

I've omitted some other text in the file, as it is just static leases for different devices on the network.

Any idea what may be going wrong?

Thanks in advance for your help!

Any ideas, as basic as they may be, would be much appreciated. Completely lost in trying to sort this out!

Does the issue persist if you set up Stubby exclusively with UCI exactly as described in the wiki?
https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby

Do you mean without the VPN? It seems so - the problem was happening even when I deactivated the VPN.

Otherwise, I did exactly as the wiki says (just chose different DNS servers).

I also tried DNSSEC via Stubby and via dnsmasq - still had the same problem. Really can't figure it out!

Note that enabling DNSSEC is a bad idea as it can result in even more issues.
If your problem is related to the lack of entropy, you can try to optimize RNG.

On the other hand, since you already use a VPN, there's not much sense in DoT.
It just adds latency that is possibly high enough to be the cause of your problem.
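To test the latency and failure explanation above against the Stubby/dnsmasq path shown in the original post, here is a small probe script. It is an added example for this thread, not code from the posters or from the OpenWrt or Stubby projects. It assumes dig is installed on the router (for example the OpenWrt package bind-dig) and that Stubby listens on 127.0.0.1 port 5453 and dnsmasq on port 53, as in the posted configuration; the host names are placeholders.

```shell
#!/bin/sh
# dot_probe.sh - added example for this thread. Repeatedly resolves a few
# names through the two hops of the posted setup and reports each result
# and dig's own query time, so intermittent failures and slow DoT lookups
# become visible:
#   clients -> dnsmasq 127.0.0.1:53 -> stubby 127.0.0.1:5453 -> DoT upstreams
# Assumption (not from the original posts): dig is installed on the router,
# e.g. the OpenWrt package bind-dig.

STUBBY_SERVER="${STUBBY_SERVER:-127.0.0.1}"
STUBBY_PORT="${STUBBY_PORT:-5453}"        # listen_addresses port in stubby.yml
DNSMASQ_SERVER="${DNSMASQ_SERVER:-127.0.0.1}"
DNSMASQ_PORT="${DNSMASQ_PORT:-53}"
ROUNDS="${ROUNDS:-5}"
# Placeholder names; replace with sites that show the problem for you.
NAMES="${NAMES:-openwrt.org quad9.net mozilla.org}"

FAILS=0
TOTAL=0

# Classify one dig run from its captured output. Prints a single word:
#   ok | empty | nxdomain | servfail | timeout | other
classify_answer() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'connection timed out'; then
        echo timeout
    elif printf '%s\n' "$out" | grep -q 'status: NOERROR'; then
        # NOERROR with an empty answer section (no A record) is not a success
        if printf '%s\n' "$out" | grep -q 'ANSWER: 0,'; then
            echo empty
        else
            echo ok
        fi
    elif printf '%s\n' "$out" | grep -q 'status: NXDOMAIN'; then
        echo nxdomain
    elif printf '%s\n' "$out" | grep -q 'status: SERVFAIL'; then
        echo servfail
    else
        echo other
    fi
}

# Pull the number out of dig's ";; Query time: N msec" line; "-" if absent
# (e.g. on a timeout, where dig prints no header at all).
query_time_ms() {
    t=$(printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n 1)
    if [ -n "$t" ]; then echo "$t"; else echo "-"; fi
}

# One lookup: a single attempt with a 2 s deadline, so a hung TLS connection
# on the stubby side is reported as a timeout instead of being hidden by
# dig's default retries. Arguments: server port name label
probe_one() {
    out=$(dig @"$1" -p "$2" "$3" A +tries=1 +time=2 2>&1)
    res=$(classify_answer "$out")
    TOTAL=$((TOTAL + 1))
    [ "$res" = ok ] || FAILS=$((FAILS + 1))
    printf '%-8s %-9s %-22s %s ms\n' "$4" "$res" "$3" "$(query_time_ms "$out")"
}

probe_all() {
    # Rough indicator for the "lack of entropy" suggestion in the thread.
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        echo "entropy_avail: $(cat /proc/sys/kernel/random/entropy_avail)"
    fi
    printf '%-8s %-9s %-22s %s\n' RESOLVER RESULT NAME TIME
    i=0
    while [ "$i" -lt "$ROUNDS" ]; do
        for n in $NAMES; do
            probe_one "$STUBBY_SERVER" "$STUBBY_PORT" "$n" stubby
            probe_one "$DNSMASQ_SERVER" "$DNSMASQ_PORT" "$n" dnsmasq
        done
        i=$((i + 1))
    done
    echo "non-ok results: $FAILS of $TOTAL"
}

case "${1:-}" in
    probe) probe_all ;;
    *) echo "usage: $0 probe    (set NAMES, ROUNDS, STUBBY_PORT etc. in the environment)" ;;
esac
```

Run it on the router as `sh dot_probe.sh probe` while the problem is occurring. The stubby rows exercise the DoT path end to end on every round, since Stubby does not cache; the dnsmasq rows after the first round are mostly cache hits, so a failure there points at dnsmasq itself rather than at the TLS upstreams. A timeout or servfail on a stubby row that clears on the next round matches the "works on refresh" symptom, and consistently high query times on those rows support the latency explanation.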

vgaetera,

Thanks for your suggestion - Your thought about using DoT whilst using a VPN makes sense - there is no point in using DoT when the DNS requests themselves are encrypted through the VPN tunnel.

On removing stubby and DoT, the issue went away, and DNS requests are blazing fast again.

Thanks for the help!
