Can't seem to get DoT to work with Cloudflare

Deetlemore
Running 388.2 on an AX86U Pro, and performed a full reset after flashing it last night just to be safe. I've got it configured as pictured (DNSSEC validation turned off temporarily as I saw it can cause issues with Cloudflare's test site). I've also got their IPv6 DNS servers input on the IPv6 config page.

I can confirm through other sites that I'm using Cloudflare's DNS servers, just not through TLS. This was working correctly with my ancient N66U two days ago, so I'm not sure what I've misconfigured.

 
Can that site tell whether DoH or DoT is being used? I can definitely communicate with Cloudflare without TLS (using UDP I'm assuming?)

As an experiment, I tried using Quad9, and can confirm that DoT works correctly for them. If I only populate the TLS portion in router configuration, and leave the other WAN and IPv6 DNS fields blank, it will strictly use DoT and fail to connect in any other manner like I would expect. Doing the reverse will allow unencrypted connections and no TLS, also as expected.

If I do the same with Cloudflare, then URLs never get resolved, so it's unique to Cloudflare. I'm just not sure if it's something I've done wrong, or maybe it's on their end. I even tried with Internet Explorer since I don't think it would force DoH, and it also fails to connect with TLS.

Edit: I can confirm it's something on my side. If I set private DNS on my Android device to one.one.one.one and connect to the test site with mobile data, it passes normally.

So either I've got a setting screwed up, or maybe there's something going on with 388.2?

 
Disable IPV6 and the IPV6 DNS and try again. I have run DoT with 388.2 and it worked fine. And make sure DoH is disabled in your web browsers.
 
No change unfortunately. I'm tempted to toss the N66U back in place and retest just out of curiosity, I can't imagine what changed that broke this.

Check Firefox - Settings - Scroll down to Network Settings and check Connection Settings:

Make sure Enable DNS over HTTPS is unchecked.
 
No luck with Cloudflare's security servers either. I even tried 'one.one.one.one' as the host name just to experiment, but no dice. I can confirm I do have DoH disabled in Firefox, I forgot to mention that before.

I tossed the N66U back in place out of curiosity, and DoT works with it as it should, so it's something to do with the AX86U. I'm honestly stumped, I feel like I've checked every setting it could be related to. Maybe I'll try doing another full reset, but with the WPS method this time.

If it still doesn't work after all that, I suppose I'll just use Quad9 and call it a day. I always stuck with Cloudflare because they're the "fastest" resolver for my location, but this router seems determined to not allow it. Shame, as otherwise this thing is a fantastic upgrade.
 
No change after another full reset, looks like I'm SOL for the time being.
What scripts or other settings are you using? Do you have anything in LAN/DHCP Server/DNS Server 1 or 2? Have you enabled DNS Director or are you using a Pi-Hole?

F.Y.I. the WPS or Hard Factory Reset does not always work on an AX86U. Also do a GUI Factory Reset with initialize. You might try the Asus 388-22525 firmware. My AX86U ran very well for two years and fifty nine days then acted up. It is currently on its way to Asus under an RMA.
 
No scripts running, I'm essentially running the bare minimum to connect to my ISP. LAN DNS fields are blank, and DNS Director is disabled. I've got 1 PC wired, 1 PC wireless, and a couple android phones connected, nothing else though.

I tried another GUI reset and even did a reset on my modem just to rule it out, but still nothing. I flashed up from 388.2 to 388.2_2, is 388-22525 in the alpha builds?

The thing that baffles me is that I can get DoT to work with multiple other providers, it's only Cloudflare that's screwy. But it wouldn't make sense to be an issue on their side because my phone can work with their DoT when using mobile data.
 
"DNS Director is disabled"
Surely DNS director should be enabled, pointing all DNS to the router?
Also "Prevent client auto DOH" should be YES?
 
No dice on the stock firmware either, even with DNSSEC completely disabled I never get a confirmation through cloudflare's site. I think I'll just leave it stock for now anyways, my original intention was to use the FlexQOS addon, but from my testing I think I'm fine leaving QoS off and just limiting downloads as needed.

Something to note, when I had DNSSEC and DoT working on my N66U, I was using John's fork of Merlin, so maybe there's some underlying difference that allowed it to work with the older router.

End of the day DNSSEC is at least working properly, so I'm calling that good enough. I debated on swapping to Quad9 since DoT seems to work there, but I value snappy responses more than DoT if I'm being honest.
 

Just a side comment here...I also use Firefox, and it uses DoH. However, my router still does DoT. The Cloudflare test (https://cloudflare-dns.com/help/) simply shows both DoT and DoH in use, "Yes" for both. So you shouldn't have to turn off Firefox's DoH to get DoT working through the router:

 
The Cloudflare test site boils down to being able to resolve the following domains via the correct protocols via Cloudflare:
Code:
is-cf.help.every1dns.net
is-dot.help.every1dns.net
is-doh.help.every1dns.net
ipv6a.cloudflare-dns.com
ipv6b.cloudflare-dns.com
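One way to run the same check by hand from a LAN client, bypassing the router entirely, is an added example that is not from this thread or from the Merlin firmware: a stdlib-only Python script that sends a DNS query over TLS straight to Cloudflare's 1.1.1.1 on TCP port 853 (TLS server name one.one.one.one) and reports the response code for each test name. If this succeeds from a PC while the router path fails, the problem sits in the router configuration rather than at Cloudflare. The IPv6 test names are queried as A records here purely as a reachability check, which is an assumption of this example.

```python
import socket
import ssl
import struct

DOT_SERVER = "1.1.1.1"             # Cloudflare public resolver, DoT on TCP 853
DOT_PORT = 853
DOT_SNI = "one.one.one.one"        # hostname on Cloudflare's DoT certificate
TEST_NAMES = (                     # names the Cloudflare help page resolves
    "is-cf.help.every1dns.net",
    "is-dot.help.every1dns.net",
    "is-doh.help.every1dns.net",
    "ipv6a.cloudflare-dns.com",
    "ipv6b.cloudflare-dns.com",
)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query (RD=1), framed with the 2-byte length prefix DoT uses."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_rcode(response: bytes) -> tuple:
    """Return (txid, rcode) from a raw DNS message without the length prefix."""
    txid, flags = struct.unpack("!HH", response[:4])
    return txid, flags & 0x000F

def dot_resolve(name: str, server: str = DOT_SERVER, port: int = DOT_PORT) -> int:
    """Send one query over TLS and return the DNS RCODE (0 means NOERROR)."""
    ctx = ssl.create_default_context()      # verifies the resolver's certificate
    with socket.create_connection((server, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=DOT_SNI) as tls:
            tls.sendall(build_query(name))
            length = struct.unpack("!H", tls.recv(2))[0]
            data = b""
            while len(data) < length:       # TCP may deliver the answer in pieces
                chunk = tls.recv(length - len(data))
                if not chunk:
                    raise ConnectionError("short DNS response")
                data += chunk
    txid, rcode = parse_rcode(data)
    if txid != 0x1234:
        raise ValueError("transaction id mismatch")
    return rcode

if __name__ == "__main__":
    for n in TEST_NAMES:
        print(f"{n:32} {RCODES.get(dot_resolve(n), 'other')}")
```

A TLS handshake failure here points at something between the client and port 853 (filtering, a middlebox, a broken trust store), while a clean NOERROR on every name means Cloudflare's DoT endpoint is reachable from the LAN and the router itself is what to look at.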
 
The more I've messed with it, the more I think that I just can't reach those domains for whatever reason.

The fact that I don't even get a confirmation on Cloudflare's test site that I'm using their DNS, when I can verify that I am through other methods, makes me think this is some fringe case and DoT is actually working fine.
 