Bell home internet users with Asus routers - does DoT work for you?

SkippyP

Regular Contributor
My in-laws have Bell FTTH internet with a Gigahub gateway and an Asus AX86U Pro configured in PPPoE passthrough. The Asus is on the latest 3.0.0.4 Merlin FW (not 3.0.0.6).

When I was there today and connected to their WiFi with my iPhone that has a DoT config profile installed, I wasn’t able to use the Internet. Nothing worked from my phone. Even Ping Plotter gave me a DNS error. As soon as I disabled the profile, everything worked. So I decided to configure DoT directly on the router (I tried 3 different resolvers), but then all devices in the house didn’t have internet. I then disabled DoT on the router and installed a DoH profile on my phone, and everything worked. Note: I don’t have any issues with DoT profiles on my phone when I’m connected to my home internet (Rogers) or my cell network (also Rogers).

Any Bell home internet users out there using DoT successfully on your Asus routers (Merlin or stock FW)?
 
I was actually just checking this.

I installed tcpdump and used this command in ssh

tcpdump -ni ppp0 -p port 53 or port 853

However, I noticed it's still using port 53.

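The port check from the post above, as an added example that is not part of the original thread: it tallies outbound DNS by destination port from saved `tcpdump -n` output, so plaintext (53) and DoT (853) traffic can be compared per resolver. The capture lines, the function names and the addresses 203.0.113.7, 198.51.100.9 and 2001:db8::7 are constructed.

```shell
#!/bin/sh
# Added example: classify outbound DNS seen in `tcpdump -n` text output.

# Constructed capture lines in tcpdump -n format (documentation addresses).
sample_capture() {
cat <<'EOF'
23:41:02.100000 IP 203.0.113.7.40211 > 198.51.100.9.53: 4242+ A? example.com. (29)
23:41:02.130000 IP 198.51.100.9.53 > 203.0.113.7.40211: 4242 1/0/0 A 192.0.2.10 (45)
23:41:02.200000 IP 203.0.113.7.40212 > 198.51.100.9.53: 4243+ AAAA? example.com. (29)
23:41:03.000000 IP 203.0.113.7.51514 > 1.1.1.1.853: Flags [S], seq 100, win 64240, length 0
23:41:03.030000 IP 1.1.1.1.853 > 203.0.113.7.51514: Flags [S.], seq 200, ack 101, win 65535, length 0
23:41:03.500000 IP6 2001:db8::7.51520 > 2606:4700:4700::1111.853: Flags [P.], seq 1:100, ack 1, win 512, length 99
EOF
}

# One line per destination resolver: <addr> plain53=N dot853=N
# Only packets whose destination port is 53 or 853 are counted, so replies
# coming back from the resolver are ignored.
dns_egress_by_port() {
    awk '
    ($2 == "IP" || $2 == "IP6") && $4 == ">" {
        dst = $5
        sub(/:$/, "", dst)                      # drop the trailing colon
        if (!match(dst, /\.[0-9]+$/)) next      # port follows the last dot
        port = substr(dst, RSTART + 1) + 0
        addr = substr(dst, 1, RSTART - 1)       # works for IPv4 and IPv6
        if (port != 53 && port != 853) next
        if (!(addr in seen)) { seen[addr] = 1; order[++n] = addr }
        if (port == 53)
            plain[addr]++
        else
            dot[addr]++
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s plain53=%d dot853=%d\n", order[i], plain[order[i]], dot[order[i]]
    }'
}

# Exit 0 if any outbound packet went to port 53 (plaintext DNS left the WAN).
plaintext_dns_seen() {
    dns_egress_by_port | awk '
        $2 != "plain53=0" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

sample_capture | dns_egress_by_port
```

Port 53 packets on the WAN interface can also come from LAN clients that query their own resolver instead of the router, so compare against the resolver addresses configured for DoT before drawing a conclusion.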
 
When I was testing 3006.102.4 on my AX86U Pro I suspected that DoT was not working properly. I set up the Cloudflare resolvers in DoT and used the 1.1.1.1/help page that told me that DoT was working. In the past, you could run "stubby -l" in a terminal and see that Stubby and GetDNS were connecting to the upstream DoT resolvers. This does not work in current firmware, either Merlin or Asus (I tested "stubby -l" and "stubby -v 7" on my router this morning). Reading the configuration file for Stubby on my Asus firmware (stubby -i) it also showed that DoT was running in Opportunistic mode. I have strict mode selected in the GUI.
Something does not seem right about DoT in these recent firmwares. It may be just me not understanding. But then again it may be a problem. For now I have disabled DoT and have enabled DNSSEC. As time permits in my busy retired schedule I plan to delve into the current Stubby to find out what is going on.
For the OP, it is possible that Bell is blocking port 853.

Edit: I set up my old AX86U running firmware 388.24339 to test DoT. It is running the same version of Stubby (0.4.2) as the AX86U Pro. I believe the Merlin firmware is also using Stubby 0.4.2. Running the command "stubby -l" on the AX86U does show the correct log operation and verifies that the DoT is connecting successfully to the upstream resolvers. My conclusion is that the DoT in the AX86U Pro and possibly all the 3.0.0.6.102.x firmwares is not working as intended. I could be mistaken or plain old wrong. But I have reported my findings to Asus via feedback. For the meantime I would recommend not using DoT.
 
DoT is working perfectly fine for me on Merlin 3.0.0.6. My ISP is Rogers (Canada). My in-laws’ ISP is Bell, and when DoT is enabled (either on the router or locally on a device connected to the router), the internet doesn’t work at all…ping tests time out, nothing loads, nada. Their router is also still on Merlin 3.0.0.4 as I mentioned before. DoT also worked fine for me at home when I was on Merlin 3.0.0.4. I don’t think it’s the firmware at all. I suspect it has something to do with the ISP (Bell), which is why I was asking if other Bell users are having the same problem.

My initial suspicion was that Bell is blocking port 853, but that would only be true if all other Bell users are having the same problem with DoT.

I apologize - the post title should’ve been “Bell home internet users with Asus routers - does the internet work when you enable DoT?”
 
Look at the Gateway configuration options, it may be doing some filtering. There was a case like this recently and the user found the ISP-provided Gateway was redirecting DNS queries as part of some built-in security features.
 
Apparently Bell forces all DNS queries to go through GigaHub servers. Google it. Lots of posts, from pi-hole users, for instance, on reddit etc.
 
OK, I’ll do that next time I’m there. Thanks.

Too bad there’s no DoH option on Asus routers as DoH seems to work fine with Bell internet (tested with a DoH profile on my iPhone), and would’ve been an easy workaround for encrypted DNS.
 
I understood what you were saying about DoT not working. I did say that "it is possible that Bell is blocking port 853" and this is likely the case for the Bell network.

But, there is an issue with the DoT implementation in Asus 3.0.0.6.102.x firmwares and Merlin 3006.102.4 firmware. DoT seems to work in some cases but testing the connections with the Stubby log function does not work and it should.

I am suddenly suspect of the Asus Pro firmware and may just haul out the old AX86U until Asus comes out with a new firmware for the AX86U Pro.
 
My setup has the Bell router bypassed; it's in the box in the closet.

I'm using a media converter.

This is possible. I do remember it working before; I've been on Bell fiber for about 6 years now.
 
I find that even the default stubby instance for the main LAN has a unique configuration filename, so stubby -l has to point to the correct config file. The default stubby config file doesn't exist anymore, so it results in a minimal configuration when invoked without a config.
Code:
# stubby -l -C /etc/stubby/stubby-0.yml 
[23:37:40.199796] STUBBY: Read config from file /etc/stubby/stubby-0.yml
[23:37:40.200455] STUBBY: Stubby version: Stubby 0.4.2
[23:37:40.200574] STUBBY: DNSSEC Validation is OFF
[23:37:40.200613] STUBBY: Transport list is:
[23:37:40.200649] STUBBY:   - TLS
[23:37:40.200685] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[23:37:40.200722] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[23:37:40.200754] STUBBY: Starting DAEMON....
[23:37:43.952028] STUBBY: --- SETUP(TLS): : Verify locations loaded
[23:37:43.952469] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
[23:37:43.952926] STUBBY: 2606:4700:4700::1111                     : Conn opened: TLS - Strict Profile
[23:37:43.979609] STUBBY: 1.1.1.1                                  : Verify passed : TLS
[23:37:43.984071] STUBBY: 2606:4700:4700::1111                     : Verify passed : TLS
[23:37:49.685803] STUBBY: 1.0.0.1                                  : Conn opened: TLS - Strict Profile
[23:37:49.686388] STUBBY: 2606:4700:4700::1001                     : Conn opened: TLS - Strict Profile
[23:37:49.713668] STUBBY: 1.0.0.1                                  : Verify passed : TLS
[23:37:49.719183] STUBBY: 2606:4700:4700::1001                     : Verify passed : TLS
[23:37:53.042932] STUBBY: 1.1.1.1                                  : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  9000
[23:37:53.042975] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Resps=     1, Timeouts  =     0, Best_auth =Success
[23:37:53.043001] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[23:37:53.045877] STUBBY: 2606:4700:4700::1111                     : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  9000
[23:37:53.045909] STUBBY: 2606:4700:4700::1111                     : Upstream   : TLS - Resps=     1, Timeouts  =     0, Best_auth =Success
[23:37:53.045933] STUBBY: 2606:4700:4700::1111                     : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[23:37:58.745873] STUBBY: 2606:4700:4700::1001                     : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  9000
[23:37:58.745927] STUBBY: 2606:4700:4700::1001                     : Upstream   : TLS - Resps=     1, Timeouts  =     0, Best_auth =Success
[23:37:58.745953] STUBBY: 2606:4700:4700::1001                     : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[23:37:58.775369] STUBBY: 1.0.0.1                                  : Conn closed: TLS - Resps=     1, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  9000
[23:37:58.775404] STUBBY: 1.0.0.1                                  : Upstream   : TLS - Resps=     1, Timeouts  =     0, Best_auth =Success
[23:37:58.775429] STUBBY: 1.0.0.1                                  : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[23:38:15.536690] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
[23:38:15.537029] STUBBY: 2606:4700:4700::1111                     : Conn opened: TLS - Strict Profile
[23:38:15.537265] STUBBY: 1.0.0.1                                  : Conn opened: TLS - Strict Profile
[23:38:15.570229] STUBBY: 1.1.1.1                                  : Verify passed : TLS
[23:38:15.574535] STUBBY: 2606:4700:4700::1111                     : Verify passed : TLS
[23:38:15.578740] STUBBY: 1.0.0.1                                  : Verify passed : TLS
[23:38:15.643392] STUBBY: 2606:4700:4700::1001                     : Conn opened: TLS - Strict Profile
[23:38:15.671862] STUBBY: 2606:4700:4700::1001                     : Verify passed : TLS
[23:38:24.720853] STUBBY: 2606:4700:4700::1111                     : Conn closed: TLS - Resps=     2, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  9000
[23:38:24.720907] STUBBY: 2606:4700:4700::1111                     : Upstream   : TLS - Resps=     3, Timeouts  =     0, Best_auth =Success
[23:38:24.720934] STUBBY: 2606:4700:4700::1111                     : Upstream   : TLS - Conns=     2, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[23:38:24.721187] STUBBY: 1.0.0.1                                  : Conn closed: TLS - Resps=     2, Timeouts  =     0, Curr_auth =Success, Keepalive(ms)=  9000
[23:38:24.721218] STUBBY: 1.0.0.1                                  : Upstream   : TLS - Resps=     3, Timeouts  =     0, Best_auth =Success
[23:38:24.721245] STUBBY: 1.0.0.1                                  : Upstream   : TLS - Conns=     2, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
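A way to turn `stubby -l` output like the log above into a per-upstream verdict, as an added example that is not part of the original thread or of Stubby itself: it reports the privacy profile and, for each upstream, whether a connection was opened, whether certificate verification passed, and the `Conn_fails` counter. The function names are hypothetical and the sample lines are constructed in the log format shown above; 192.0.2.53 is a made-up upstream that never verifies.

```shell
#!/bin/sh
# Added example: summarise a saved `stubby -l` log per upstream resolver.

# Constructed sample; 192.0.2.53 is a documentation address, not a resolver.
sample_log() {
cat <<'EOF'
[23:37:40.200685] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[23:37:43.952028] STUBBY: --- SETUP(TLS): : Verify locations loaded
[23:37:43.952469] STUBBY: 1.1.1.1                                  : Conn opened: TLS - Strict Profile
[23:37:43.952926] STUBBY: 2606:4700:4700::1111                     : Conn opened: TLS - Strict Profile
[23:37:43.953100] STUBBY: 192.0.2.53                               : Conn opened: TLS - Strict Profile
[23:37:43.979609] STUBBY: 1.1.1.1                                  : Verify passed : TLS
[23:37:43.984071] STUBBY: 2606:4700:4700::1111                     : Verify passed : TLS
[23:37:53.043001] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[23:37:53.045933] STUBBY: 2606:4700:4700::1111                     : Upstream   : TLS - Conns=     1, Conn_fails=     0, Conn_shuts=      0, Backoffs     =     0
[23:37:53.050000] STUBBY: 192.0.2.53                               : Upstream   : TLS - Conns=     0, Conn_fails=     1, Conn_shuts=      0, Backoffs     =     1
EOF
}

# Prints "profile=<name>", then: <addr> opened=N verified=N conn_fails=N OK|FAIL
summarise_stubby_log() {
    awk '
    /Privacy Usage Profile is / {
        sub(/.*Privacy Usage Profile is /, "")
        profile = $1
        next
    }
    # Per-upstream lines: [time] STUBBY: <addr> : <event>
    $2 == "STUBBY:" && $4 == ":" {
        up = $3
        if (!(up in seen)) { seen[up] = 1; order[++n] = up }
        if ($0 ~ /Conn opened/)   opened[up]++
        if ($0 ~ /Verify passed/) verified[up]++
        if (match($0, /Conn_fails= *[0-9]+/)) {
            v = substr($0, RSTART, RLENGTH)
            sub(/[^0-9]*/, "", v)              # keep only the counter value
            fails[up] = v + 0
        }
    }
    END {
        print "profile=" (profile == "" ? "unknown" : profile)
        for (i = 1; i <= n; i++) {
            up = order[i]
            ok = (verified[up] > 0 && fails[up] + 0 == 0) ? "OK" : "FAIL"
            printf "%s opened=%d verified=%d conn_fails=%d %s\n", up, opened[up], verified[up], fails[up], ok
        }
    }'
}

# Exit 0 only if the profile is Strict and every upstream verified cleanly.
strict_dot_healthy() {
    summarise_stubby_log | awk '
        /^profile=/ { strict = ($0 == "profile=Strict"); next }
        { total++; if ($NF != "OK") bad++ }
        END { if (strict && total > 0 && bad == 0) exit 0; exit 1 }'
}

sample_log | summarise_stubby_log
```

A `profile=` line other than `Strict` is the case to look for when the GUI is set to strict mode but the running configuration is not.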
 
Good catch! Thanks. Same path in the Asus firmware.
 
