DNS Director - question

Xboxsx4life

Occasional Visitor
Hi guys. I have Quad9 set in my AX86U Pro WAN tab. I then enabled DNS Director in the LAN tab and set Global Redirection to “Router” (LAN DNS fields are blank) to force all LAN devices to use the router’s DNS settings, and thus, the upstream resolver (Quad9). However, the Director setting doesn’t seem to be working…or maybe I’m not fully understanding its function. For example, I installed the DNS Override app on my iPhone, and as a test, set it to use Cloudflare DNS. In this scenario, the iPhone’s DNS queries are being resolved by Cloudflare instead of Quad9. DNS leak test also confirms Cloudflare. Shouldn’t DNS Director force it to use Quad9?
 
The app might be using DNS-over-HTTPS (DoH) which DNS Director cannot intercept. It can only intercept regular DNS, and block DoT.
 
DoH is one of the options within the app when selecting a DNS resolver but I didn’t enable it. I tested with unencrypted Cloudflare and DoT Cloudflare. In both cases, the results were the same…it’s using Cloudflare and not Quad9.
 
Set the Netstat-NAT on your router to only show the IP address of your device. Then set it to use the DNS-over-TLS protocol address of a non-Quad9 provider in the app you mentioned and browse various sites with your browser. Without waiting too long, click on Diagnose and search for ":853". If you see any result and it is not one of Quad9's URLs or IPs, then either there is a problem with your DNS Director configuration or there is a bug in the DNS Director.
 
Thanks. All good now. When I tested, it appears that I didn’t properly set the unencrypted version properly in the Override app. I re-tested and it appears Director is working as expected now.

Another question. If I want to redirect one of my devices (e.g. an iPad that my 7 year old son uses) to Cleanbrowsing’s family filter, is there a way of ensuring it’s also using DoT? I don’t see how I can do that with DNS Director. It looks like I can only choose the resolver itself without enabling DoT.

 
is there a way of ensuring it’s also using DoT? I don’t see how I can do that with DNS Director. It looks like I can only choose the resolver itself without enabling DoT.
No, DNS Director will redirect to plain DNS only. However, if the chosen resolver also supports DoT, DNS Director will allow DoT traffic to pass through if the client is using DoT to the allowed IP. In the case of Cleanbrowsing, it would need to be 185.228.168.168 over port 853.

But you would need to configure DoT on the kid’s device, which is generally too much trouble, and kids can disable it themselves.
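
An added example, not part of any post in this thread: the ":853" check suggested above, automated over a saved connection table, combined with the rule from the last reply that DoT is only expected to pass to the allowed resolver IP. The line format (`proto src:port dst:port state`, numeric IPv4 addresses), the client addresses and the sample table are assumptions constructed for illustration; the resolver IPs are Quad9's public addresses and the Cleanbrowsing address quoted in the thread.

```python
import ipaddress

DOT_PORT = 853
QUAD9 = ["9.9.9.9", "149.112.112.112"]
CLEANBROWSING_FAMILY = ["185.228.168.168"]  # address quoted in the thread

# Constructed sample; real Netstat-NAT output may differ in layout.
SAMPLE = """\
tcp 192.168.50.23:51544 1.1.1.1:853 ESTABLISHED
tcp 192.168.50.23:51590 9.9.9.9:853 ESTABLISHED
tcp 192.168.50.23:52011 185.228.168.168:853 ESTABLISHED
tcp 192.168.50.23:52100 203.0.113.10:443 ESTABLISHED
tcp 192.168.50.40:40022 1.0.0.1:853 ESTABLISHED
udp 192.168.50.23:5353 192.168.50.1:53 ASSURED
garbage line
"""

def split_endpoint(text):
    """Split 'a.b.c.d:port' into (ip, port); raises ValueError if malformed."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def parse_flows(table):
    """Yield (proto, src_ip, dst_ip, dst_port, state), skipping bad lines."""
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        proto, src, dst, state = fields
        try:
            (src_ip, _), (dst_ip, dst_port) = split_endpoint(src), split_endpoint(dst)
        except ValueError:
            continue
        yield proto, src_ip, dst_ip, dst_port, state

def unexpected_dot(table, client, allowed):
    """Return DoT destinations a client reached that are outside `allowed`."""
    client_ip = ipaddress.ip_address(client)
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    hits = set()
    for proto, src_ip, dst_ip, dst_port, state in parse_flows(table):
        if src_ip != client_ip or proto != "tcp" or dst_port != DOT_PORT:
            continue
        # Only an established session shows DoT actually passing the router.
        if state == "ESTABLISHED" and dst_ip not in allowed_ips:
            hits.add(str(dst_ip))
    return sorted(hits)

if __name__ == "__main__":
    print(unexpected_dot(SAMPLE, "192.168.50.23", QUAD9))
```

An empty result for a client means no established DoT session to a resolver outside the allowed set was seen in that snapshot; it says nothing about DoH, which travels on port 443.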
 
