[Tutorial] [No CLI] Configuring DNS over TLS with LuCI using Stubby and Dnsmasq

Okay - something else occurred to me. These are not changes you apply to /etc/config/firewall. These rules go in /etc/firewall.user.

They are effectively a set of standalone commands to iptables, applied after the /etc/config/firewall script has been interpreted and used to set up the OpenWrt firewall.

Maybe there should be one more, better LuCI client for this.

Step five breaks Dynamic DNS because the router can't resolve addresses. Drill on the router can't resolve anything. Also, I don't know why that step is necessary, because after step 4 /etc/resolv.conf simply points to the router's loopback address.

The problem may be that step four is missing some information. From ReadMe:

  1. Unselect the "Use DNS servers advertised by peer" checkbox
  2. Enter 127.0.0.1 in the "Use custom DNS servers" dialogue box.
  3. Repeat the above steps for the WAN6 interface, but use the address 0::1 instead of 127.0.0.1.

If I do the above I can check "Ignore resolve file" and DDNS still works.

Thanks for finding this and digging into an answer! I will update the original post when I am home later tonight or tomorrow.

Where is it specified that it should use Cloudflare's nameservers?

And later, is there a way I can verify it uses 1.1.1.1 for lookups, preferably without tcpdump?

/etc/config/stubby is setup out of the box to use the Cloudflare nameservers.

Verify at https://www.cloudflare.com/ssl/encrypted-sni/


The wiki is pretty comprehensive and clean now:

https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby

This breaks the internet connection after an OpenWrt firmware update. It seems that I need to restore the DNS setting to download "Stubby" (because of the broken connection I could not download it), and then go through the whole procedure again.

Since DNS over HTTPS seems to be a popular feature now, I hope OpenWrt would come with this feature out of the box, without the need for all this procedure.


Hello,

I thought the same thing and was fully reconfiguring after every update. All you have to do is reset the interfaces by checking "Use DNS servers advertised by peer" for each so the router can resolve again, then opkg update, install stubby, and redo the interface settings (uncheck "Use DNS servers advertised by peer" for wan and wan6, and input the respective custom DNS servers 192.168.1.1 and 0::1).

You don't have to go through all the steps. Hope that helps.


Thanks for the tutorial :) One question: I'm getting this on the Cloudflare test page: "We weren't able to detect whether you were using a DNS resolver over secure transport. Contact your DNS provider or try using 1.1.1.1 for fast & secure DNS."
Only once did it work, and even 1.1.1.1/help worked, but after a router reboot 1.1.1.1/help says "no" everywhere.

Excellent tutorial. It worked on my first try. I just tweaked
tls_min_version: GETDNS_TLS1_3
and deleted
tls_max_version

Thanks, it's working!!
By the way, I still get an orange status on DNSSEC at https://www.cloudflare.com/ssl/encrypted-sni/

I tried the wiki instructions and they actually caused my DNS to stop working; however, when I tried the ones listed here it worked perfectly.

ESNI support is a browser issue.

https://tools.ietf.org/html/draft-ietf-tls-esni-07

Strange issue here: my Roomba will not connect to the cloud when using DNS over TLS with Stubby and dnsmasq. It works fine when I set my DNS back from Stubby to 8.8.8.8 or 1.1.1.1.
I've tried with Adblock completely disabled as well.
It also works fine with DNS over TLS when I'm using Unbound instead of following this tutorial. I have other issues with that configuration that seem more daunting to resolve at the moment, hence wanting to stick with dnsmasq and Stubby.
Has anyone else seen this issue or have any idea how to fix it?

I had a similar issue with an IoT device. Use tcpdump against your Roomba to find what domain it is trying to resolve/connect to, and add it to /etc/config/dhcp at the end of

config dnsmasq
   ...
   ...
   list server /roombadomain.com/1.1.1.1

or 8.8.8.8 as you prefer. After some time it started working again without this; provider or manufacturer fault? Just guessing. Maybe this should be split into a new topic.


Thank you! That solved my problem right away.

For anyone else having this issue, the offending domain entry wound up being:

/a2uowfjvhio0fa.iot.us-east-1.amazonaws.com/1.1.1.1

And since we're in a [No CLI] thread, you can add this entry from LuCI at the end of Step 6:
Under Network -> DHCP and DNS, click the "General Settings" tab and add it to the end of the "DNS forwardings" list.
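The per-domain "DNS forwardings" entry above deliberately sends one IoT hostname to 1.1.1.1 in plaintext while everything else still goes through Stubby, so it is worth being able to see exactly which query names leave the router unencrypted. The following script is an added example, not code from this thread or from OpenWrt: it parses the dnsmasq section of a UCI /etc/config/dhcp fragment (the sample below is constructed), models dnsmasq's longest-suffix matching for server=/domain/address entries, and reports for each query name which upstream it would be forwarded to. It assumes Stubby listens on 127.0.0.1#5453 (the OpenWrt package default; the thread does not state the port).

```python
"""Audit which DNS queries an OpenWrt dnsmasq config forwards in plaintext.

Added example (not from the forum thread or OpenWrt). Parses a UCI
/etc/config/dhcp fragment, mirrors dnsmasq's server=/domain/addr selection
(longest matching domain suffix wins; no '/' prefix = default upstream;
empty address = answer locally), and classifies each query name.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: Stubby's listener as configured by the OpenWrt package.
STUBBY_LISTENER = "127.0.0.1#5453"

# Constructed sample of /etc/config/dhcp after the tutorial plus the IoT
# workaround from the thread (not a capture from a real router).
SAMPLE_DHCP = """
config dnsmasq
    option domainneeded '1'
    option localuse '1'
    option noresolv '1'
    list server '127.0.0.1#5453'
    list server '/a2uowfjvhio0fa.iot.us-east-1.amazonaws.com/1.1.1.1'
    list server '/lan/'

config dhcp 'lan'
    option interface 'lan'
"""

_SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
_KV_RE = re.compile(r"^(option|list)\s+(\S+)\s+'?(.*?)'?\s*$")


def parse_uci(text: str) -> list[tuple[str, str, dict[str, list[str]]]]:
    """Return (section_type, section_name, {key: [values]}) for each UCI section."""
    sections: list[tuple[str, str, dict[str, list[str]]]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2) or "", {})
            sections.append(current)
            continue
        m = _KV_RE.match(line)
        if m and current is not None:
            _, key, value = m.groups()
            current[2].setdefault(key, []).append(value)
    return sections


@dataclass
class Forwarder:
    domain: str | None    # None = default upstream for unmatched names
    upstream: str | None  # None = resolve locally only (e.g. '/lan/')


def parse_servers(sections) -> list[Forwarder]:
    """Collect dnsmasq 'list server' entries into Forwarder records."""
    forwarders: list[Forwarder] = []
    for stype, _name, opts in sections:
        if stype != "dnsmasq":
            continue
        for entry in opts.get("server", []):
            if entry.startswith("/"):
                _, domain, upstream = entry.split("/", 2)
                forwarders.append(Forwarder(domain.lower().strip("."), upstream or None))
            else:
                forwarders.append(Forwarder(None, entry))
    return forwarders


def select_upstream(qname: str, forwarders: list[Forwarder]) -> str | None:
    """dnsmasq uses the server whose domain is the longest suffix of qname."""
    q = qname.lower().rstrip(".")
    best: Forwarder | None = None
    for f in forwarders:
        if f.domain is None:
            continue
        if q == f.domain or q.endswith("." + f.domain):
            if best is None or len(f.domain) > len(best.domain):
                best = f
    if best is not None:
        return best.upstream
    defaults = [f.upstream for f in forwarders if f.domain is None]
    return defaults[0] if defaults else None


def audit(text: str, qnames: list[str], dot_listener: str = STUBBY_LISTENER):
    """Map each query name to (upstream, 'dot' | 'plaintext' | 'local')."""
    forwarders = parse_servers(parse_uci(text))
    report = {}
    for q in qnames:
        up = select_upstream(q, forwarders)
        status = "local" if up is None else ("dot" if up == dot_listener else "plaintext")
        report[q] = (up, status)
    return report


if __name__ == "__main__":
    names = ["a2uowfjvhio0fa.iot.us-east-1.amazonaws.com", "www.openwrt.org", "router.lan"]
    for q, (up, status) in audit(SAMPLE_DHCP, names).items():
        print(f"{q:50} -> {up!s:20} [{status}]")
```

Because dnsmasq matches whole labels only, a sibling name such as example.iot.us-east-1.amazonaws.com still goes to Stubby; only the exact host (and its subdomains) is exempted. Run the script against your own /etc/config/dhcp to confirm that the plaintext list contains nothing beyond the IoT exceptions you added on purpose.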

  1. Go to Network -> Interfaces. Click the edit button for WAN, go to advanced settings, and uncheck "Use DNS servers advertised by peer" and in "Use custom DNS servers" set it to 127.0.0.1. Then press Save & Apply. Repeat this same step for the WAN6 interface, using 0::1 instead of 127.0.0.1.

Is this step needed? I set up my custom DNS servers to Cloudflare and Google, and then followed this guide, which doesn't change the custom DNS servers on the Network -> Interfaces tab, yet I still show as using secure DNS and DNSSEC.


That step is in reality a really bad idea. OpenWrt needs access to DNS while booting up, and setting it to use Stubby, which may not be up and running yet, will result in random weird issues when booting.

I had terrible weird issues (no Internet access, no DNS, etc.) until I changed the custom DNS servers back to Quad9, at which point the router booted up perfectly every time. The ONLY downside is the DNS traffic from the router itself is not DNS over TLS, and I couldn't care less. I'm happy that my network clients are using DNS over TLS.


What if, instead of 127.0.0.1, we put Cloudflare and Google's DNS services after unchecking "Use DNS servers advertised by peer"?
