Issue:
Internet connectivity is lost when Secure DNS is enabled with DNS-over-QUIC (DoQ) in a DS-Lite environment using IPv6 or dual-stack mode (NextDNS / AdGuard).
Scenario:
- DS-Lite WAN (IPv6-only underlay)
- Secure DNS enabled
- DoQ enabled
- ipv6_disabled=0
- dnsproxy listening only on IPv6 loopback (::1)
- Upstream DNS configured over QUIC
Configuration:
/etc/config/dnsproxy
option ipv6_disabled '0'
list listen_addr '::1'
option enabled '1'
config dnsproxy 'tls'
option enabled '1'
option quic_port '853'
config dnsproxy 'servers'
list bootstrap '2a07:a8c0::'
list bootstrap '2a07:a8c1::'
list upstream 'quic://dns.nextdns.io'
Observed Behavior:
- Internet access is lost after enabling Secure DNS with DoQ.
- DNS resolution fails, resulting in no connectivity for LAN clients.
Impact:
- Complete internet outage for LAN clients when Secure DNS + DoQ is enabled.
Notes:
- Issue occurs only with DoQ in DS-Lite.
- IPv6 connectivity is present, but DNS resolution fails.
Issue:
Internet connectivity is lost when Secure DNS is enabled with DNS-over-QUIC (DoQ) in a DS-Lite environment using IPv6 or dual-stack mode (NextDNS / AdGuard).
Scenario:
Configuration:
Observed Behavior:
Impact:
Notes: