Internet connectivity loss when Secure DNS (DoQ) is enabled in OpenWrt DS-Lite setup #478

@vika-kr

Issue:
Internet connectivity is lost when Secure DNS is enabled with DNS-over-QUIC (DoQ) in a DS-Lite environment using IPv6 or dual-stack mode (NextDNS / AdGuard).

Scenario:

  • DS-Lite WAN (IPv6-only underlay)
  • Secure DNS enabled
  • DoQ enabled
  • ipv6_disabled=0
  • dnsproxy listening only on IPv6 loopback (::1)
  • Upstream DNS configured over QUIC

Configuration:

/etc/config/dnsproxy

option ipv6_disabled '0'
list listen_addr '::1'
option enabled '1'

config dnsproxy 'tls'
    option enabled '1'
    option quic_port '853'

config dnsproxy 'servers'
    list bootstrap '2a07:a8c0::'
    list bootstrap '2a07:a8c1::'
    list upstream 'quic://dns.nextdns.io'

Observed Behavior:

  • Internet access is lost after enabling Secure DNS with DoQ.
  • DNS resolution fails, resulting in no connectivity for LAN clients.

Impact:

  • Complete internet outage for LAN clients when Secure DNS + DoQ is enabled.

Notes:

  • Issue occurs only with DoQ in DS-Lite.
  • IPv6 connectivity is present, but DNS resolution fails.
