Solved 386.5 AX58U: DNS-over-TLS keeps disabling itself

panni

Occasional Visitor
Hey there,

I've successfully been using DoT on my router for about a year now, using Cloudflare and Google DNS.

Since 386.5 the setting doesn't persist. After running with DoT enabled for a while, dnsmasq restarts and DoT is off again:

After this event no DNS queries make it through, internet access still there.

I have to re-apply the current settings (with DoT off), and DNS works again - without DoT, though.


Any suggestions? Is this a known bug with the current firmware?


Thanks!
 

Chuckles67

Regular Contributor
I haven't seen your issue happen on my AX86U. This may not be intuitive: but if you have set up servers in the DNS-over-TLS Server List (?), you could try leaving DNS Server 1 and DNS Server 2 fields blank (see this thread).
I would also try not having both Google and Cloudflare - try only Cloudflare, and see if the issue duplicates (hopefully not).
 

dave14305

Part of the Furniture
Some addons like DNScrypt will disable DNS Privacy. What else do you run besides YazDHCP?
 

panni

Occasional Visitor
> Some addons like DNScrypt will disable DNS Privacy. What else do you run besides YazDHCP?
I actually have tried the DNSCrypt installer again recently but fully uninstalled it after it didn't work again (seems to be common with the Ax58u).

Might there be remnants (there haven't been before. I try the DNSCrypt installer every 6 months or so)? What do I look for?

Thanks!
 

panni

Occasional Visitor
> I haven't seen your issue happen on my AX86U. This may not be intuitive: but if you have set up servers in the DNS-over-TLS Server List (?), you could try leaving DNS Server 1 and DNS Server 2 fields blank (see this thread).
> I would also try not having both Google and Cloudflare - try only Cloudflare, and see if the issue duplicates (hopefully not).
Thanks for the suggestion. I've been running Cloudflare and Google DNS for DoT for nearly a year now, though, without issues.

I don't want to change too many variables right now :)
 

dave14305

Part of the Furniture
> I actually have tried the DNSCrypt installer again recently but fully uninstalled it after it didn't work again (seems to be common with the Ax58u).
>
> Might there be remnants (there haven't been before. I try the DNSCrypt installer every 6 months or so)? What do I look for?
>
> Thanks!
Try running this to see if any remnants remain:
Bash:
/bin/grep -l -i -r dnscrypt /jffs/scripts
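
An extended form of the remnant check above, as an added example that is not part of the original post: it reports the file and line of every dnscrypt reference and separates commented-out lines from ones that would still execute. The function names, the sample hook-script contents and the `/jffs/dnscrypt/manager` line are constructed for illustration; only `/jffs/scripts` comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find leftover dnscrypt lines in hook scripts.

# scan_remnants [DIR]: print "ACTIVE|COMMENTED file:line:text" for every hit.
scan_remnants() {
    dir="${1:-/jffs/scripts}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    grep -rin dnscrypt "$dir" 2>/dev/null | while IFS= read -r hit; do
        text="${hit#*:*:}"                       # drop the "file:line:" prefix
        case "$(printf '%s\n' "$text" | sed 's/^[[:space:]]*//')" in
            '#'*) echo "COMMENTED $hit" ;;       # disabled line, does not run
            *)    echo "ACTIVE    $hit" ;;       # still executed when the hook fires
        esac
    done
}

# count_active [DIR]: number of uncommented lines that still reference dnscrypt.
count_active() {
    scan_remnants "$1" | grep -c '^ACTIVE' || true
}

# make_sample DIR: write constructed hook scripts for trying the scan off-router.
# The file contents are made up for this example.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '#!/bin/sh' '/jffs/dnscrypt/manager init-start' > "$1/init-start"
    printf '%s\n' '#!/bin/sh' '  # /jffs/dnscrypt/manager services-stop' > "$1/services-stop"
    printf '%s\n' '#!/bin/sh' 'echo "nothing to see"' > "$1/firewall-start"
}

# On the router itself, report what is left in the real directory.
if [ -d /jffs/scripts ]; then
    scan_remnants /jffs/scripts
fi
```

A result of 0 from `count_active` means no uncommented dnscrypt line remains in the scanned directory; it says nothing about files outside that directory.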
 

SomeWhereOverTheRainBow

Part of the Furniture
> Seems to work, thank you!!

For future reference, if you install dnscrypt proxy using the amtm installer and wish to fully uninstall it, you have to choose the last uninstall option of the installer, the uninstall all option. Otherwise the manager file gets left which handles the auxiliary files.
 

SomeWhereOverTheRainBow

Part of the Furniture
> Oooh yes, absolutely:
>
> I've removed the dnscrypt remnants from those files. Let's try DoT again.
>
> Thank you!

Also, if you are content with the router's DoT implementation, I highly encourage using it. There is no real advantage over continuously switching unless one offers some sort of smoking gun that you have been looking for. Dnscrypt-proxy is one layer between dnsmasq that sometimes becomes a bit to deal with over using stubby. For example, stubby uses the direct DoT addresses, while dnscrypt proxy relies on reading sdns stamps from a file that is sometimes not updated enough. If you use only one specific server using dnscrypt proxy, then when that DNS stamp doesn't get updated often enough for that server you may find yourself with no DNS. You won't experience this with using direct addresses unless the actual server itself goes down. While stubby has more of a set it and forget it interface, dnscrypt proxy has a lot to offer as well in regards to its additional features, but requires users to be more vigilant with their setup.
 

johndoe85

Regular Contributor
> Also, if you are content with the router's DoT implementation, I highly encourage using it. There is no real advantage over continuously switching unless one offers some sort of smoking gun that you have been looking for. Dnscrypt-proxy is one layer between dnsmasq that sometimes becomes a bit to deal with over using stubby. For example, stubby uses the direct DoT addresses, while dnscrypt proxy relies on reading sdns stamps from a file that is sometimes not updated enough. If you use only one specific server using dnscrypt proxy, then when that DNS stamp doesn't get updated often enough for that server you may find yourself with no DNS. You won't experience this with using direct addresses unless the actual server itself goes down. While stubby has more of a set it and forget it interface, dnscrypt proxy has a lot to offer as well in regards to its additional features, but requires users to be more vigilant with their setup.

Can DNScrypt be combined with unbound running locally? And if so, should it be?
 
