Menu
What's new
By:
Filters Better Search

Using DOT DNS breaks ECS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

T

tnpapa

Regular Contributor
I noticed that if I use the DOT version of Google DNS servers in the WAN settings, that ECS data is not being passed to Google. If I turn off DOT and just use unencrypted 8.8.8.8 then ECS data is properly sent to Google.

Is this a limitation of DOT in general or the implementation of DOT in Merlin?
 
In Merlin, using stubby for DoT, the firmware enables EDNS privacy, since it’s all about privacy. edns_client_subnet_private is the option enabled.
 
Only using a custom script.

www.snbforums.com

Customize stubby.yml

I understand the privacy implication, but I'd like to send the subnet EDNS in the DoT queries. I'm using Quad9 9.9.9.11 (ECS enabled). It seems that is controlled by this line in /etc/stubby/stubby.yml edns_client_subnet_private: 1 How do I permanently either remove this line, or set it...
www.snbforums.com www.snbforums.com
 
Perfect, I will add this and give it a shot. I find my streaming services are much more reliable when ECS is passed. Yes I know the evils of Google, but at least I can stop my ISP from getting in the middle of DNS requests and injecting their own data.
 
tnpapa said:
Perfect, I will add this and give it a shot. I find my streaming services are much more reliable when ECS is passed. Yes I know the evils of Google, but at least I can stop my ISP from getting in the middle of DNS requests and injecting their own data.
Click to expand...
Cloudflare Security works very well for me. 1.1.1.2 and 1.0.0.2. It is a manual entry in DoT.
 
tnpapa said:
I noticed that if I use the DOT version of Google DNS servers in the WAN settings, that ECS data is not being passed to Google. If I turn off DOT and just use unencrypted 8.8.8.8 then ECS data is properly sent to Google.

Is this a limitation of DOT in general or the implementation of DOT in Merlin?
Click to expand...

One probably doesn't want ECS for privacy and security reasons...
 
You must log in or register to reply here.

Similar threads

R
Would any of this make my browsing more secure? (WAN DNS settings)
2
Replies
20
Views
1K
aru
aru
StrikerXXX
Correct way to configure quad9 dns in EDNS/ECS
Replies
0
Views
2K
StrikerXXX
StrikerXXX
wordlesswind
DNS over TLS & EDNS Client Subnet
Replies
6
Views
2K
wordlesswind
wordlesswind
D
WAN DNS Setting: Using different DoT servers
Replies
19
Views
1K
drinkingbird
drinkingbird
A
DNS Director - Issues when using Private DNS on mobile devices
Replies
15
Views
1K
Unetwork
U
Similar threads
Thread starter Title Forum Replies Date
D WAN DNS Setting: Using different DoT servers Asuswrt-Merlin 19
K Using Asus XT8 with DS-Lite internet provider Asuswrt-Merlin 0
U multiple entries using ‘arp-scan’ but not reflected in ‘arp’ command Asuswrt-Merlin 3
F cru not using sytem date Asuswrt-Merlin 10
GShlomi Using Dual-WAN failover but using the passive with a rule Asuswrt-Merlin 0
jetpack42 Correctly using VPN Director? Asuswrt-Merlin 2
F NordVPN with Asus 88XU Pro UDP connection bandwidth limit when using Geforce now Asuswrt-Merlin 0
D Guest network with intranet access v. using the main network Asuswrt-Merlin 4
R DNS filtering when using cloudflare DNS? Asuswrt-Merlin 4
P Creating a VPN network using VPS and RT-AX68U Asuswrt-Merlin 24

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 708 (members: 45, guests: 663)
Top