LuCI inaccessible after firmware selector custom build with `luci-app-https-dns-proxy`

I wanted my router's upstream DNS connections to be encrypted, and after some googling concluded installing https-dns-proxy should be the simplest method of accomplishing encrypted DNS.

For this reason, I requested custom builds on the firmware selector with only luci-app-https-dns-proxy added and made sure that dependencies like the actual https-dns-proxy package are resolved and included in the image (as per the STDERR logs). The problem is, whenever I sysupgrade to this custom build LuCI no longer works: Firefox says "Unable to connect," and Chrome gives ERR_CONNECTION_TIMED_OUT.

I first did this with the 22.03.3 cycle and now with .5, both with the same results. The only difference is, somehow, Android's built-in encrypted DNS thing (which I believe is a DoT implementation) doesn't work on this network.

Internet is working, I can also SSH into it and sysupgrade to a regular build to restore LuCI. But I want to use https-dns-proxy, I want to know why this is not working, and whether my only option is to install it on a regular build.

Add luci-ssl to the list of custom packages.


Check first if uhttpd is running and listening.
ps w | grep '[u]httpd'; netstat -lnp | grep uhttpd

Custom build with luci-ssl worked! But how did you know? LuCI is accessible over regular HTTP too, so what's this package even for? And if it's a requirement, why isn't it a dependency for luci-app-https-dns-proxy?

Separately, does anyone know how to verify if DoH is working correctly? Cloudflare Browser Check gets me a question mark for Secure DNS: "We weren’t able to detect whether you were using a DNS resolver over secure transport." Should I be satisfied with this?

See: https://cloudflare.com/cdn-cgi/trace

If using Cloudflare [over Wireguard], use this and look for warp=on

You're talking about Cloudflare's WireGuard VPN service... I'm asking how to check if the encrypted DNS setting I just applied to the OpenWrt router is working.

I was referring to the DNS, but I guess you are not using WARP (which is required).

  • If you're not, then you can set the IP of a server that does DoH only and test
  • You can look at tcpdump to verify the connections
  • You can look at the Connections page to verify too
  • dnsleaktest.com should show the DNS servers in use
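To make the tcpdump suggestion above concrete, here is an added example (not from the thread or from the https-dns-proxy project) that classifies WAN-side traffic from tcpdump's text output: queries still leaving on port 53 are plaintext DNS, TCP/443 flows to the resolver are DoH, and TCP/853 is DoT. The interface name, the router's WAN address 203.0.113.5 and the sample capture are all constructed for the example; on a real router you would pipe `tcpdump -ni <wan-iface> -l 'port 53 or port 443 or port 853'` into `dns_exposure` (tcpdump or tcpdump-mini must be installed via opkg).

```shell
#!/bin/sh
# Added example: count how DNS leaves the router, from tcpdump text lines.
# Usage on the router (placeholder interface name, not from the thread):
#   tcpdump -ni <wan-iface> -l 'port 53 or port 443 or port 853' | dns_exposure
# Only the destination port of each packet is inspected, so outbound queries
# are counted and replies back to high ports are ignored.
dns_exposure() {
    # Reads tcpdump lines on stdin, prints a one-line summary and returns 1
    # when any plaintext port-53 packet was seen (i.e. DoH is NOT covering it).
    awk '
        # tcpdump format: <ts> IP <src.port> > <dst.port>: ...  (field 5 is dst)
        $2 == "IP" || $2 == "IP6" {
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, a, "."); port = a[n]
            if (port == "53") plain++
            else if (port == "443") doh++
            else if (port == "853") dot++
        }
        END {
            printf "plaintext=%d doh443=%d dot853=%d\n", plain, doh, dot
            exit plain ? 1 : 0
        }
    '
}

# Constructed sample of tcpdump output (NOT a real capture): two plaintext
# queries to a public resolver plus one DoH exchange with 1.1.1.1.
LEAKY_CAPTURE='12:00:01.000001 IP 203.0.113.5.51234 > 1.1.1.1.443: Flags [P.], seq 1:200, ack 1, win 501, length 199
12:00:01.000500 IP 1.1.1.1.443 > 203.0.113.5.51234: Flags [P.], seq 1:300, ack 200, win 501, length 299
12:00:01.100000 IP 203.0.113.5.40001 > 8.8.8.8.53: 12345+ A? example.com. (29)
12:00:01.200000 IP 203.0.113.5.40002 > 8.8.8.8.53: 12346+ AAAA? example.com. (29)'

# Constructed sample where every query goes out as DoH only.
CLEAN_CAPTURE='12:00:02.000001 IP 203.0.113.5.51240 > 1.1.1.1.443: Flags [P.], seq 1:150, ack 1, win 501, length 149
12:00:02.000500 IP 1.1.1.1.443 > 203.0.113.5.51240: Flags [P.], seq 1:400, ack 150, win 501, length 399'

# Stand-alone demo: the leaky sample fails the check, the clean one passes.
printf '%s\n' "$LEAKY_CAPTURE" | dns_exposure   # plaintext=2 doh443=1 dot853=0
printf '%s\n' "$CLEAN_CAPTURE" | dns_exposure   # plaintext=0 doh443=1 dot853=0
```

A non-zero exit from `dns_exposure` is the signal that something on the LAN (or dnsmasq itself) is still resolving over plaintext UDP/53 on the WAN, which is exactly what https-dns-proxy is meant to prevent; dnsleaktest.com tells you which resolver answered, but only the capture tells you how the query travelled.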

I do use WARP, but I don't see why it's relevant here. WARP sets DNS to 1.1.1.1 on its own, so it's not reflective of OpenWrt's DNS forwarding settings at all.

Not sure what you mean by this.

... I couldn't find any connection to either Google or Cloudflare's DNS servers in the page. But as I write this, I realize it might be using IPv6 or I should've searched by DoH domain name.

Thank you for this! I knew about this, but I couldn't google and find this page again.

Oh, on my OpenWrt I have to configure DNS myself and therefore - I could use whatever server I wish. My bad, apologies if it's not relevant in your use case.

No worries, I hope it helps!

Some servers do DoH only (and not normal DNS over 53/udp) - I was suggesting you find such a server and set your device for it, then you're guaranteed that it's working if you have success.

Do you know where in OpenWrt I can configure DHCP to tell clients to use encrypted DNS? I can't find it for some reason... I should google this.

Ah. Is there any reference of websites that do this? I've heard of IPv6-only websites, but never DoH (and I assume DoT) only websites.

You may also want to Google yourself. I did some searching in order to assist you too - but my Google-fu says that it's not possible.

Windows

When looking at how to tell a Windows client via DHCP - the OS has to already know in advance what servers do DoH, so as long as DHCP assigns servers on the list - it's OK:

You can only configure the Windows Server client to use DoH if the primary or secondary DNS server selected for the network interface is on the list of known DoH servers.

Then there's a section that explains how to ensure that the servers are on the list of known servers. Reference, see: https://learn.microsoft.com/en-us/windows-server/networking/dns/doh-client-support

Linux

Personally using Ubuntu - I see no method to do this on a default installation.


Oh, right. DNS from DHCP is just going to be a regular IP address, and it's up to the client to check if it does DoT and take advantage of that. But I just don't know where on OpenWrt to configure what DNS is advertised on DHCP...

This one I know: Ubuntu's probably using systemd-resolved, you need to add DNSOverTLS=yes or DNSOverTLS=opportunistic in one of the relevant conf files.

Okay, I found where to set custom DNS for DHCP. Shame there's no global setting, and it's interface-specific.


Oh, yes adding DHCP (v4) Option No. 6 - added to LAN DHCP config. Glad you found it and got it working!

I've worked with a few DHCP servers, I never recall that being a global setting, it applies to a Scope.

Option 3 is the gateway, option 6 is the dns.

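Since the thread settles on DHCPv4 option 6 on the LAN scope, here is an added example (my own, not from the thread or from OpenWrt's documentation) that builds the dnsmasq `dhcp_option` value for option 6 from a list of IPv4 resolvers, validates each address, and emits the UCI commands that set it on a DHCP section. The section name `lan` and the addresses in the demo are assumptions; 192.168.1.1 is used as a typical router LAN address. Note the trap this thread is circling: if option 6 hands out a public resolver directly, clients talk to it on plain UDP/53 and bypass https-dns-proxy entirely, so to keep clients covered by DoH the advertised resolver should be the router itself (which is also what dnsmasq does when no option 6 is set).

```shell
#!/bin/sh
# Added example: generate/apply DHCPv4 option 6 for an OpenWrt dnsmasq scope.
# Assumed layout: UCI config "dhcp", section "lan", list option "dhcp_option".

build_option6() {
    # $@ = resolver IPv4 addresses; prints "6,ip1,ip2,..." or returns 1 if any
    # address is not a valid dotted quad (option 6 carries IPv4 only).
    opt6="6"
    for ip in "$@"; do
        echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
        for octet in $(echo "$ip" | tr '.' ' '); do
            [ "$octet" -le 255 ] || return 1     # reject e.g. 300.1.1.1
        done
        opt6="$opt6,$ip"
    done
    printf '%s\n' "$opt6"
}

uci_commands() {
    # $1 = DHCP section name (e.g. lan), remaining args = resolvers.
    # Prints the UCI commands; existing option-6 entries are replaced, and
    # dnsmasq is restarted so new leases carry the new value.
    section="$1"; shift
    value=$(build_option6 "$@") || return 1
    printf "uci -q delete dhcp.%s.dhcp_option\n" "$section"
    printf "uci add_list dhcp.%s.dhcp_option='%s'\n" "$section" "$value"
    printf 'uci commit dhcp\n'
    printf '/etc/init.d/dnsmasq restart\n'
}

apply_option6() {
    # Runs the commands on a router that has uci; elsewhere just shows them.
    if command -v uci >/dev/null 2>&1; then
        uci_commands "$@" | sh
    else
        uci_commands "$@"
    fi
}

# Stand-alone demo (assumed section/addresses): keep clients on the router's
# dnsmasq so their queries are forwarded through https-dns-proxy.
apply_option6 lan 192.168.1.1
```

Handing out `6,192.168.1.1` keeps every client query on the router, where dnsmasq forwards it to the https-dns-proxy listener; handing out `6,1.1.1.1` instead would make the LAN leak plaintext DNS past the proxy, which is easy to confirm with a WAN-side capture.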

Thanks, corrected. Haven't had my morning coffee yet.

:sleeping: :coffee:

Lemme just post the official document for reference.

https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml


Now that's what I call devotion to OpenWrt!

