Router blocks DNS requests for torproject.org

I'm currently using OpenWrt 21.02.1 r16325-88151b8303 on a TP-Link Archer A7. I noticed that I can't visit torproject.org (including any subdomains) via Wifi anymore, regardless of the device. It just says ERR_NAME_NOT_RESOLVED. According to dnsleaktest.com OpenWrt uses Dismail's and Digitalcourage's DNS services which don't cause problems when set up directly on a device.

How to fix this?

Thank you!

OpenWrt doesn't "use" anything; it doesn't even need a DNS. It uses what the ISP serves, or what you've manually configured.

Well, yes, obviously. Unfortunately, I don't remember how I configured OpenWrt to use Dismail and Digitalcourage – do you know how I might have done this or how I can change the respective settings?

Oh, and FYI: I'm using the adblock package. In OpenWrt's settings 127.0.0.1#5453 is set as DNS forwarding. Is this of relevance? I have added torproject.org to adblock's whitelist though.

Depends on how you've configured it.

Are your clients using your router as DNS, or does the DHCP point to the Digitalcourage (?) DNS directly, or perhaps by rerouting the traffic in the router's firewall ...

pick your poison.

Well, those devices/apps (e.g. my phone) that just use the network's default DNS server don't have access to torproject.org, whereas devices/apps with custom DNS settings do have access (e.g. Firefox with DoH).

How do I check where the DHCP points to?

if the clients use the DNS provided by your phone, then I'd say your ISP is blocking the access.
you have no control over what the ISP is doing with the DNS traffic, they might forward it someplace,
or have their own DNS set up. it's out of your control.

does torproject.org work from the phone ?

ipconfig /all in a cmd window, if using Windows.

Use the Adblock web app in LuCI to test the domain. It will likely be blocked. If it is, whitelist it, save and reload.

@frollic Oh, I think my initial wording was a bit confusing. I meant: Devices like my phone or my tablet just use the network's DNS, so by default that would be the WiFi router's DNS. Those devices display ERR_NAME_NOT_RESOLVED when contacting torproject.org. Since dnsleaktest.com shows that the DNS is provided by Dismail and Digitalcourage, the problem is definitely not with the ISP.

On my laptop, on the other hand, Firefox uses Digitale Gesellschaft's DNS-over-HTTPS and is able to reach torproject.org.

I'm using Ubuntu. In the Wifi settings, for “IPv4 method” it only says “Automatic (DHCP)”.

@lleachii I just removed the entire adblock package to test whether it causes the problem but torproject.org is still not being resolved.

who uses your adblock DNS then ? no-one ?

Right now, the adblock package is not installed if that's what you mean.

it was, in your post from one hr ago ... :wink:

anyway, look at https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#providing_custom_dns_with_dhcp ; 6 is the DNS option to change/add, if you want to provide your clients with a non-default DNS.

the ISP might still intercept DNS calls going to any DNS outside their own network; if that happens, you'll have to switch to DoH.

Well, yes, I uninstalled adblock in order to test whether it causes the problem (it doesn't).

Thanks!

I just figured out how I configured OpenWrt to use Digitalcourage and Dismail DNS: I followed Mike Kuketz's tutorial on how to set up Stubby. These are the resolvers that I set in /etc/config/stubby:

config resolver
        option address '5.9.164.112'
        option tls_auth_name 'dns3.digitalcourage.de'
        list spki 'sha256/2WFzfO2/56HpeR+v/l25NPf5dacfxLrudH5yZbWCfdo='

config resolver
        option address '159.69.114.157'
        option tls_auth_name 'fdns2.dismail.de'
        list spki 'sha256/yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w='

config resolver
        option address '80.241.218.68'
        option tls_auth_name 'fdns1.dismail.de'
        list spki 'sha256/yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w='

I set fdns2.dismail.de as "Private DNS" on my Android phone and tried to open torproject.org – it worked. I also checked via dnsleaktest.com that my phone actually uses Dismail DNS. So the problem is not about the DNS providers.

Here you can check whether the configuration is correct:
Digitalcourage: https://digitalcourage.de/support/zensurfreier-dns-server
Dismail: https://dismail.de/info.html#dns
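A small checker for the Stubby resolver entries quoted above, added here as an example; it is not code from the thread, from Stubby or from OpenWrt. It parses the UCI resolver sections and flags an entry whose address is not an IP, whose tls_auth_name is missing, or whose spki pin is not the sha256 pin format Stubby expects, which is what you would compare against the Digitalcourage and Dismail pages linked above. The embedded config is a copy of the first two resolvers from the post.

```python
import ipaddress
import re

# Two of the resolver entries posted above, copied from the thread's /etc/config/stubby excerpt.
STUBBY_CONFIG = """\
config resolver
        option address '5.9.164.112'
        option tls_auth_name 'dns3.digitalcourage.de'
        list spki 'sha256/2WFzfO2/56HpeR+v/l25NPf5dacfxLrudH5yZbWCfdo='

config resolver
        option address '159.69.114.157'
        option tls_auth_name 'fdns2.dismail.de'
        list spki 'sha256/yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w='
"""

def parse_uci_resolvers(text):
    """Collect the 'config resolver' sections of UCI text as dicts of options plus an 'spki' list."""
    resolvers, current = [], None
    for parts in (line.split(None, 2) for line in text.splitlines()):
        if parts[:1] == ['config']:                   # a new section; only resolver sections matter
            current = {'spki': []} if parts[1:2] == ['resolver'] else None
            if current is not None:
                resolvers.append(current)
        elif current is not None and len(parts) == 3:
            kind, key, value = parts
            value = value.strip().strip('\'"')        # UCI values are normally single-quoted
            if kind == 'option':
                current[key] = value
            elif kind == 'list' and key == 'spki':
                current['spki'].append(value)
    return resolvers

def check_resolver(r):
    """Return the problems found in one resolver entry; an empty list means it is well-formed."""
    problems = []
    try:
        ipaddress.ip_address(r.get('address', ''))
    except ValueError:
        problems.append('address is not an IP address')
    if not re.fullmatch(r'[a-z0-9-]+(\.[a-z0-9-]+)+', r.get('tls_auth_name', '')):
        problems.append('tls_auth_name missing or malformed')
    if not r['spki']:
        problems.append('no spki pin: the server certificate is checked by name only')
    for pin in r['spki']:                             # Stubby pins are sha256/<44-char base64 of a 32-byte digest>
        if not re.fullmatch(r'sha256/[A-Za-z0-9+/]{43}=', pin):
            problems.append(f'spki pin {pin!r} is not a base64 SHA-256 digest')
    return problems
```

Running check_resolver over parse_uci_resolvers(open('/etc/config/stubby').read()) on the router gives the same checks against the live file.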

And you were asked why it was installed?

You then went on to say it wasn't (you uninstalled it, duh)...but it really would help to know why it was there to begin with (as it seems you weren't using it).

Well – in order to block ads wherever possible :sweat_smile: :sweat_smile:

Why does it seem so? :thinking:

Because you said your devices were using the DNS of Dismail and Digitalcourage.

My phone and tablet use the network's default DNS a.k.a. the router.
:arrow_right: OpenWrt uses the Adblock package as DNS. (Adblock is currently disabled though.)
:arrow_right: Adblock uses dnsmasq.
:arrow_right: Dnsmasq sends all DNS requests to Stubby.
:arrow_right: Stubby uses Digitalcourage and Dismail.

That's at least how I think it works :sweat_smile:

Apparently, torproject.org is being resolved normally since today, without me having changed anything about the configuration. However, snowflake.torproject.org is not resolved.

Since today, snowflake.torproject.org is also being resolved normally again (I haven't touched OpenWrt's configuration).