[Solved] Configuring 1.1.1.1 DNS Resolver

Guys,

I'm setting the 1.1.1.1 resolver in DHCP & DNS - Forwards; I've also checked "ignore resolve file", but still all the queries go through my ISP's DNS resolver, which is Google DNS.

Also, changing the DNS on WAN or LAN didn't work.

I tried to configure stubby too, but then I lost internet access.

Please guide me to configure the 1.1.1.1 resolver.

My building management owns a server and provides internet to all apartments through a captive portal; maybe they have set Google DNS in their system.

Thanks,

Please post your config, we're no mind readers.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

There's also https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

This one https://openwrt.org/docs/guide-user/services/captive-portal/opennds ?

see Secure DNS problem - #19 by AndrewZ and below

BusyBox v1.36.1 (2024-09-23 12:34:46 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.5, r24106-10cc5fcd00
 -----------------------------------------------------
root@macbook:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "macbook",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C6 v2 (EU/RU/JP)",
        "board_name": "tplink,archer-c6-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
root@macbook:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb6:a053:1d3c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

root@macbook:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@macbook:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

root@macbook:~#

root@macbook:~# curl -I http://openwrt.org
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sun, 23 Feb 2025 12:54:22 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://openwrt.org/

As said on another thread, you need to get to the state where the redirect should happen.
There is no indication of a portal redirect in the result you posted.

How?

I really don't know how to get to this state.

You just need to prove your own words:

I can think of disconnecting the router WAN for some time or changing its MAC. Not sure what are their rules and policies.

You mean log out from the captive portal,
then do the curl?

Yes, you can try it if such option is available.

root@macbook:~# curl -I http://openwrt.org
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 775
Content-Type: text/html
Date: Sun, 23 Feb 2025 13:12:58 GMT
Expires: Mon, 23 Feb 2026 13:12:58 GMT
Last-Modified: Sun, 23 Feb 2025 13:12:58 GMT
Location: http://10.0.0.1/login?dst=http%3A%2F%2Fopenwrt.org%2F
X-Frame-Options: sameorigin

Check if the ISP is hijacking your DNS queries to Cloudflare. Run this from the router SSH session:

nslookup is-cf.help.every1dns.net 1.1.1.1

You should get a valid response. If not, then you need to look into encrypted DNS solutions.


Well, the portal uses just an IP address, not FQDN, so DNS is not required to access the portal.
I suppose you should first check if stubby or 1.1.1.1 will work alone (after the portal login) and then try to configure forwarding in dnsmasq.


Thanks, stubby is working now.

But I think there is also some leaking; at the end you can see Google, which I did not configure.

check your log with
logread | grep nameserver

I configured DNS hijacking and now dnsleaktest shows only Google DNS servers.

Should I remove DNS hijacking?

root@androidtv:~# logread | grep nameserver
Sun Feb 23 00:26:36 2025 daemon.info dnsmasq[1]: using nameserver 10.0.0.1#53
Sun Feb 23 00:26:36 2025 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Sun Feb 23 00:26:36 2025 daemon.info dnsmasq[1]: using nameserver 8.8.4.4#53
Sun Feb 23 00:26:38 2025 daemon.info dnsmasq[1]: using nameserver 10.0.0.1#53
Sun Feb 23 00:26:38 2025 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Sun Feb 23 00:26:38 2025 daemon.info dnsmasq[1]: using nameserver 8.8.4.4#53
Sun Feb 23 13:30:58 2025 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Sun Feb 23 13:30:58 2025 daemon.info dnsmasq[1]: using nameserver 1.0.0.1#53
Sun Feb 23 13:30:58 2025 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Sun Feb 23 13:30:58 2025 daemon.info dnsmasq[1]: using nameserver 1.0.0.1#53
Sun Feb 23 13:30:58 2025 daemon.info dnsmasq[1]: using nameserver 10.0.0.1#53
Sun Feb 23 13:30:58 2025 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Sun Feb 23 13:30:58 2025 daemon.info dnsmasq[1]: using nameserver 8.8.4.4#53
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 1.0.0.1#53
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5453
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 1.0.0.1#53
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5453
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 10.0.0.1#53
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 8.8.4.4#53
root@androidtv:~#

This is the only entry that should be there, you need to figure out where all the other addresses came from.

Typically we just need to use option peerdns 0 on wan but we also need to make sure that ntp domain or server is still resolvable using insecure DNS. You can use the same approach as in Secure DNS problem - #41 by AndrewZ
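Added example, not from this thread: a small POSIX shell audit that parses the `logread | grep nameserver` output posted above (or a resolv.conf-style file such as /tmp/resolv.conf.d/resolv.conf.auto) and flags every upstream dnsmasq is using that is not Cloudflare or the local stubby listener. The sample inputs are constructed from the log above; the allowlist and the commands in `print_remediation` (peerdns 0 on wan, noresolv plus server 127.0.0.1#5453 in dnsmasq) are my assumptions about the intended setup, and they are printed for review rather than executed.

```shell
#!/bin/sh
# Audit which upstream resolvers dnsmasq is actually using and flag leaks.
# Added example for the thread above, not OpenWrt project code.

# Assumed legitimate upstreams: Cloudflare on plain 53 and the local stubby
# listener. Everything else (here the WAN-DHCP-learned 10.0.0.1 and
# 8.8.8.8/8.8.4.4) is reported as a leak.
ALLOWED="1.1.1.1#53 1.0.0.1#53 127.0.0.1#5453"

# Read stdin and print one "addr#port" per upstream, de-duplicated.
# Handles two formats:
#   dnsmasq log:  "... dnsmasq[1]: using nameserver 8.8.8.8#53"
#   resolv.conf:  "nameserver 8.8.8.8"          (port defaults to 53)
extract_upstreams() {
    awk '
        /using nameserver/ {
            for (i = 1; i < NF; i++) if ($i == "nameserver") print $(i + 1)
            next
        }
        $1 == "nameserver" {
            ns = $2
            if (ns !~ /#/) ns = ns "#53"
            print ns
        }
    ' | LC_ALL=C sort -u
}

# Read stdin, print every upstream not in ALLOWED, return 1 if any were found.
find_leaks() {
    leaks=0
    for ns in $(extract_upstreams); do
        case " $ALLOWED " in
            *" $ns "*) ;;              # allowed upstream
            *) echo "$ns"; leaks=1 ;;  # leak: not in allowlist
        esac
    done
    return $leaks
}

# Assumed fix: stop taking resolvers from the WAN DHCP lease, ignore
# resolv.conf, and forward only to stubby. Printed, not applied.
print_remediation() {
    cat <<'EOF'
uci set network.wan.peerdns='0'
uci set dhcp.@dnsmasq[0].noresolv='1'
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5453'
uci commit network; uci commit dhcp
/etc/init.d/network restart; /etc/init.d/dnsmasq restart
EOF
}

# Constructed sample inputs, taken from the log format posted in the thread.
sample_logread() {
    cat <<'EOF'
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 1.0.0.1#53
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5453
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 10.0.0.1#53
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Sun Feb 23 13:32:19 2025 daemon.info dnsmasq[1]: using nameserver 8.8.4.4#53
EOF
}

# Constructed resolv.conf.auto as netifd would write it from the WAN lease.
sample_resolv() {
    cat <<'EOF'
# Interface wan
nameserver 10.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF
}

echo "== leaks seen in logread =="
sample_logread | find_leaks || echo "-> leaking upstreams above; suggested fix:" && print_remediation
echo "== leaks seen in resolv.conf.auto =="
sample_resolv | find_leaks || echo "-> these come from the WAN DHCP lease"
```

On a live router replace the sample functions with `logread | grep nameserver | find_leaks` and `find_leaks < /tmp/resolv.conf.d/resolv.conf.auto`. Note that the firewall DNS intercept only redirects LAN clients that try to bypass the router; it does nothing about dnsmasq's own upstream list, which is why the leak test still showed Google after hijacking was enabled. And, as said above, once peerdns is off the ntp server names must still resolve, so check that after applying the change.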

I installed stubby and then added 127.0.0.1#5453, save and apply, that's it.

Is there anything I'm missing?

Still getting Google DNS as the 3rd or 4th server in the DNS leak test.

What's in /tmp/resolv.conf.d/resolv.conf.auto?
