I wanted my router's upstream DNS connections to be encrypted, and after some googling concluded installing https-dns-proxy should be the simplest method of accomplishing encrypted DNS.
For this reason, I requested custom builds on the firmware selector with only luci-app-https-dns-proxy added and made sure that dependencies like the actual https-dns-proxy package are resolved and included in the image (as per the STDERR logs). The problem is, whenever I sysupgrade to this custom build LuCI no longer works: Firefox says "Unable to connect," and Chrome gives ERR_CONNECTION_TIMED_OUT.
I first did this with the 22.03.3 cycle and now with .5, both with the same results. The only difference is, somehow, Android's built-in encrypted DNS thing (which I believe is a DoT implementation) doesn't work on this network.
Internet is working, I can also SSH into it and sysupgrade to a regular build to restore LuCI. But I want to use https-dns-proxy, I want to know why this is not working, and if my only option is to install it on a regular build.
Custom build with luci-ssl worked! But how did you know? LuCI is accessible over regular HTTP too, so what's this package even for? And if it's a requirement, why isn't it a dependency for luci-app-https-dns-proxy?
Separately, does anyone know how to verify if DoH is working correctly? Cloudflare Browser Check gets me a question mark for Secure DNS: "We weren’t able to detect whether you were using a DNS resolver over secure transport." Should I be satisfied with this?
You're talking about Cloudflare's WireGuard VPN service... I'm asking how to check if the encrypted DNS setting I just applied to the OpenWrt router is working.
I do use WARP, but I don't see why it's relevant here. WARP sets DNS to 1.1.1.1 on its own, so it's not reflective of the OpenWrt's DNS forwarding settings at all.
Not sure what you mean by this.
... I couldn't find any connection to either Google or Cloudflare's DNS servers in the page. But as I write this, I realize it might be using IPv6 or I should've searched by DoH domain name.
Thank you for this! I knew about this, but I couldn't google and find this page again.
Oh, on my OpenWrt I have to configure DNS myself and therefore I could use whatever server I wish. My bad, apologies if it's not relevant in your use case.
No worries, I hope it helps!
Some servers only do DoH (and not normal DNS over 53/udp). I was suggesting you find such a server and set your device for it; then you're guaranteed that it's working if you have success.
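One way to check the DoH side directly, as an added example that is not from this thread or from the https-dns-proxy project: send an RFC 8484 GET to the DoH endpoint the router is configured for and decode the A records that come back. It assumes Python 3 with only the standard library, and uses Cloudflare's public endpoint as the example server; to confirm the router path itself, combine it with the DoH-only-upstream check suggested above.

```python
import base64
import struct
import urllib.request

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035): ID 0 (as RFC 8484 recommends), RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_url(endpoint: str, query: bytes) -> str:
    """GET form of RFC 8484: base64url of the query, padding stripped, in the `dns` parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def parse_a_records(msg: bytes) -> list:
    """Extract IPv4 addresses from the answer section of a wire-format response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                      # skip the echoed question
        while msg[off]:
            off += msg[off] + 1
        off += 1 + 4                              # root label + QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        if msg[off] & 0xC0 == 0xC0:               # compressed owner name (2-byte pointer)
            off += 2
        else:                                     # uncompressed labels
            while msg[off]:
                off += msg[off] + 1
            off += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_over_doh(endpoint: str, name: str) -> list:
    """Perform the DoH lookup; the Accept header is required by RFC 8484 servers."""
    req = urllib.request.Request(doh_url(endpoint, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())

# Constructed sample response for example.com -> 93.184.216.34 (not captured from a real server).
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE))       # offline self-check
    print(resolve_over_doh("https://cloudflare-dns.com/dns-query", "example.com"))
```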
You may also want to Google yourself. I did some searching in order to assist you too - but my Google-fu says that it's not possible.
Windows
When looking at how to tell a Windows client via DHCP: the OS has to already know in advance which servers do DoH, so as long as DHCP assigns servers on the list, it's OK:
You can only configure the Windows Server client to use DoH if the primary or secondary DNS server selected for the network interface is on the list of known DoH servers.
Oh, right. DNS from DHCP is just going to be a regular IP address, and it's up to the client to check if it does DoT and take advantage of that. But I just don't know where on OpenWrt to configure what DNS is advertised via DHCP...
This one I know: Ubuntu's probably using systemd-resolved, you need to add DNSOverTLS=yes or DNSOverTLS=opportunistic in one of the relevant conf files.