Solved 386.5 AX58U: DNS-over-TLS keeps disabling itself

panni

Regular Contributor
Hey there,

I've successfully been using DoT on my router for about a year now, using Cloudflare and Google DNS.

Since 386.5 the setting doesn't persist. After running with DoT enabled for a while, dnsmasq restarts and DoT is off again:
[Screenshots: 1648045336842.png, 1648045866979.png]

After this event no DNS queries make it through, internet access still there.

I have to re-apply the current settings (with DoT off), and DNS works again - without DoT, though.


Any suggestions? Is this a known bug with the current firmware?


Thanks!
 
I haven't seen your issue happen on my AX86U. This may not be intuitive: but if you have set up servers in the DNS-over-TLS Server List (?), you could try leaving DNS Server 1 and DNS Server 2 fields blank (see this thread).
I would also try not having both Google and Cloudflare - try only Cloudflare, and see if the issue duplicates (hopefully not).
 
Some addons like DNScrypt will disable DNS Privacy. What else do you run besides YazDHCP?
I actually have tried the DNSCrypt installer again recently but fully uninstalled it after it didn't work again (seems to be common with the AX58U).

Might there be remnants (there haven't been before. I try the DNSCrypt installer every 6 months or so)? What do I look for?

Thanks!
 
Thanks for the suggestion. I've been running Cloudflare and Google DNS for DoT for nearly a year now, though, without issues.

I don't want to change too many variables right now :)
 
Try running this to see if any remnants remain:
Bash:
/bin/grep -l -i -r dnscrypt /jffs/scripts
 
Oooh yes, absolutely:

/bin/grep -l -i -r dnscrypt /jffs/scripts
/jffs/scripts/init-start
/jffs/scripts/services-stop
/jffs/scripts/service-event-end

I've removed the dnscrypt remnants from those files. Let's try DoT again.

Thank you!
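
The remnant check used above, extended as an added example (not part of the original thread or of any addon): it reports each match with its file and line number, and copies the affected hook scripts aside before they are edited by hand. The default paths, the script name `audit.sh`, and the backup directory are assumptions.

```shell
#!/bin/sh
# Added example: audit Asuswrt-Merlin user scripts for leftover addon hooks.
# Uses only grep options that the thread's own command relies on, plus -n.

# Print "file:line:text" for every case-insensitive match of KEYWORD in DIR.
# Returns 0 if remnants were found, 1 if clean, 2 if DIR does not exist.
find_remnants() {
    dir=$1 keyword=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    grep -r -i -n -- "$keyword" "$dir"
}

# Copy every file mentioning KEYWORD into BACKUP (keep it outside DIR so a
# later scan does not match the copies). Prints the number of files saved.
backup_remnant_files() {
    dir=$1 keyword=$2 backup=$3 count=0
    mkdir -p "$backup" || return 2
    files=$(grep -r -i -l -- "$keyword" "$dir") || true
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        # Flatten sub-directory paths so same-named files do not collide.
        name=$(printf '%s' "${f#"$dir"/}" | tr '/' '_')
        cp -p "$f" "$backup/$name.bak" && count=$((count + 1))
    done <<EOF
$files
EOF
    echo "$count"
}

# Usage (hypothetical file name): sh audit.sh dnscrypt [/jffs/scripts]
if [ "$#" -ge 1 ]; then
    scripts=${2:-/jffs/scripts}
    if find_remnants "$scripts" "$1"; then
        saved=$(backup_remnant_files "$scripts" "$1" /jffs/scripts-backup)
        echo "$saved file(s) copied to /jffs/scripts-backup; edit the originals by hand"
    else
        echo "nothing to clean up for '$1' (or $scripts is missing)"
    fi
fi
```

Matching lines are only reported, not deleted, because a hook can span several lines (an `if` block, for instance) and blind line removal would leave the script broken.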
 
Seems to work, thank you!!
For future reference, if you install dnscrypt proxy using the amtm installer and wish to fully uninstall it, you have to choose the last uninstall option of the installer, the uninstall all option. Otherwise the manager file gets left, which handles the auxiliary files.
 
Also, if you are content with the router's DoT implementation, I highly encourage using it. There is no real advantage over continuously switching unless one offers some sort of smoking gun that you have been looking for. Dnscrypt-proxy is one layer between dnsmasq that sometimes becomes a bit to deal with over using stubby. For example, stubby uses the direct DoT addresses, while dnscrypt proxy relies on reading sdns stamps from a file that is sometimes not updated enough. If you use only one specific server using dnscrypt proxy, then when that DNS stamp doesn't get updated often enough for that server you may find yourself with no DNS. You won't experience this with using direct addresses unless the actual server itself goes down. While stubby has more of a set-it-and-forget-it interface, dnscrypt proxy has a lot to offer as well in regards to its additional features, but requires users to be more vigilant with their setup.
 
Can DNScrypt be combined with unbound running locally? And if so, should it be?
 
Too much work for the router, unless you are simply talking about putting a dnscrypt server's sdns stamp in your upstream of adguardhome alongside your unbound's address.
Yeah, it was exactly this I had in mind. SDNS stamp for adguard.
 
