I followed the instructions from https://www.kuketz-blog.de/stubby-verschluesselte-dns-anfragen-openwrt-teil5/ (in German)
Setup is
- OpenWRT: 20.03.0
- Stubby: 0.4.0
- Dnsmasq: 2.86
openwrt -> dnsmasq (53) -> stubby (5453) -> internet / resolvers (853)
Configurations
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option boguspriv '1' # Changes this to on an off, without effect
option filterwin2k '0'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option local '/lan/'
option domain 'lan'
list rebind_domain 'plex.direct'
option confdir '/tmp/dnsmasq.d'
list server '127.0.0.1#5453'
option logqueries '1'
option dnsseccheckunsigned '1'
option noresolv '1'
option dnssec '1'
/etc/config/stubby
config stubby 'global'
option manual '0'
option trigger 'wan'
# option triggerdelay '2'
list dns_transport 'GETDNS_TRANSPORT_TLS'
option tls_authentication '1'
option tls_query_padding_blocksize '128'
# option tls_connection_retries '2'
# option tls_backoff_time '3600'
# option timeout '5000'
# option dnssec_return_status '0'
option appdata_dir '/var/lib/stubby'
# option trust_anchors_backoff_time 2500
# option dnssec_trust_anchors '/var/lib/stubby/getdns-root.key'
option edns_client_subnet_private '1'
option idle_timeout '10000'
option round_robin_upstreams '1'
list listen_address '127.0.0.1@5453'
list listen_address '0::1@5453'
option log_level '7'
# option command_line_arguments ''
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
option tls_min_version '1.2'
# option tls_max_version '1.3'
# Upstream resolvers are specified using 'resolver' sections.
config resolver
option address '80.241.218.68'
option tls_auth_name 'fdns1.dismail.de'
list spki 'sha256/MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU='
config resolver
option address '159.69.114.157'
option tls_auth_name 'fdns2.dismail.de'
list spki 'sha256/yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w='
config resolver
option address '5.9.164.112'
option tls_auth_name 'dns3.digitalcourage.de'
list spki 'sha256/2WFzfO2/56HpeR+v/l25NPf5dacfxLrudH5yZbWCfdo='
config resolver
option address '185.95.218.42'
option tls_auth_name 'dns.digitale-gesellschaft.ch'
I used the following links to verify and troubleshoot, without much success so far
- https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby
- https://openwrt.org/docs/guide-user/services/dns/stubby
- https://github.com/pi-hole/pi-hole/issues/2664
And those links from the forum do not seem to be related to my issue, as my dns most of the times works fine.
- https://forum.openwrt.org/t/stubby-issues-out-of-nowhere/36814
- https://forum.openwrt.org/t/solved-dnssec-with-dnsmasq-full-dns-does-not-work-anymore/31877
Logread dnsmasq
When it is not working I found out that I get a lot of is BOGUS log entries.
Logread dnsmasq
Thu Oct 6 17:42:52 2022 daemon.info dnsmasq[1]: 123527 192.168.150.121/57910 validation forum.openwrt.org is BOGUS
Thu Oct 6 17:42:52 2022 daemon.info dnsmasq[1]: 123527 192.168.150.121/57910 reply error is SERVFAIL
Thu Oct 6 17:42:52 2022 daemon.info dnsmasq[1]: 123525 192.168.150.121/58554 reply query is duplicate
Thu Oct 6 17:42:52 2022 daemon.info dnsmasq[1]: 123523 192.168.150.121/46320 reply query is duplicate
Logread stubby
Logread stubby
Thu Oct 6 18:22:53 2022 daemon.err stubby[10493]: [16:22:53.666172] STUBBY: 5.9.164.112 : Upstream : !Backing off TLS on this upstream - Will retry again in 16s at Thu Oct 6 16:23:09 2022
Thu Oct 6 18:22:53 2022 daemon.err stubby[10493]:
Thu Oct 6 18:22:54 2022 daemon.err stubby[10493]: [16:22:54.465995] STUBBY: 185.95.218.42 : Conn closed: TLS - *Failure*
Thu Oct 6 18:22:54 2022 daemon.err stubby[10493]:
Thu Oct 6 18:22:54 2022 daemon.err stubby[10493]: [16:22:54.466027] STUBBY: 185.95.218.42 : Conn closed: TLS - *Failure*
Thu Oct 6 18:22:54 2022 daemon.err stubby[10493]:
Thu Oct 6 18:22:54 2022 daemon.err stubby[10493]: [16:22:54.466043] STUBBY: 185.95.218.42 : Conn closed: TLS - *Failure*
Thu Oct 6 18:22:54 2022 daemon.err stubby[10493]:
Thu Oct 6 18:22:54 2022 daemon.err stubby[10493]: [16:22:54.466057] STUBBY: 185.95.218.42 : Conn closed: TLS - *Failure*
Thu Oct 6 18:22:54 2022 daemon.err stubby[10493]:
Thu Oct 6 18:22:54 2022 daemon.err stubby[10493]: [16:22:54.466070] STUBBY: 185.95.218.42 : Conn closed: TLS - Resps= 0, Timeouts = 0, Curr_auth = None, Keepalive(ms)= 0
Thu Oct 6 18:22:54 2022 daemon.err stubby[10493]:
Thu Oct 6 18:22:54 2022 daemon.err stubby[10493]: [16:22:54.466085] STUBBY: 185.95.218.42
Test sites
Sometimes I get a lot of BOGUS requests and a SERVFAIL...I think few of them would be normal...
The DNS interruption happens about once a week, after 5min wait time or a Router reboot, all works fine again for a while. At the moment, it happens at about every 5 min...not sure what changed, update from 21.03 to 22.03 was about 1 week ago. But I experienced Issues since I would say 4 weeks at least.
Has anybody any idea what the cause might be or how to better troubleshoot this issue?
Hint: At the moment I disabled DoT, DNSSEC and Stubby and just use normal DNS over Port 53 with dnsmasq and it seems to work fine.