Menu
What's new
By:
Filters Better Search

Solved DNS-over-TLS and chroot (NextDNS DOT issue)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

P

papypaprika

Occasional Visitor
Hi Merlin community,

I'm a longtime user of Merlin, initially on RT-AC66u, and now RT-AX86u running Merlin 386.3_2.

I'm trying to improve security of my setup and I'm since recently using DNS over TLS. I've opted for NextDNS, though I'm not using their cli client, I prefer to use manually their DNS addresses tied to my fixed IP address.

I have been using a chrooted debian on my router (based on instruction from hqt.ro) without any issue in the past (before using DoT).

I have now an issue getting my chrooted debian accessing internet when using DNS over TLS. A simple apt update says:
Code: 
 "Err:1 http://deb.debian.org/debian stable InRelease. Temporary failure resolving 'deb.debian.org'"

I attach a screenshot of my Wan page setup, in case you see anything suspicious.

When not using DNS over TLS, I have no issue having my chrooted debian accessing internet.

Any ideas what could be the issue?

Note that:
LAN -> DNS servers are empty.
"Wan: Use local caching DNS server as system resolver (default: No)" on Tools -> Other settings is set to No.

Thank you for your help !!
 

Attachments

  • Screen Shot 2021-08-28 at 14.46.55.png
    Screen Shot 2021-08-28 at 14.46.55.png
    496.6 KB · Views: 287
Last edited:
Plenty of reading out on the web about issues with NextDNS and DoT. Especially if you do not do things their way and use their clients. You may do just as well using NextDNS with DNSSEC enabled. Or dumping NextDNS for Quad9 or Cloudflare Secure. I am currently running Quad9 with DNSSEC on my router and a Pi-Hole (running just malware blocking lists). I am getting a bit better performance this way resolving hosts than running DoT on the router.
If you are interested you can run DoT (Stubby) as a front end to Pi-Hole. You can also enable Stubby to do DNSSEC on the Pi or Merlin.
As a final shot - DNS filtering is not what it is cracked up to be and can never be as secure as other means. IP based filtering is much better but almost impossible to implement on consumer grade routers.
 
Thank you @bbunge.

Will try another DoT provider.

As a temporary solution for those interested, a not so elegant solution is to copy /etc/resolv.conf to /opt/debian/etc/resolv.conf
 
I can confirm that changing the DoT DNS provider (to Quad9 here rather than NextDNS) solves my connectivity issue.

I renamed the title of the post in case the NextDNS team keeps an eye on this forum.

Thank you very much @bbunge for taking the time to answer and propose a solution.
 
You must log in or register to reply here.

Similar threads

D
WAN DNS Setting: Using different DoT servers
Replies
19
Views
1K
drinkingbird
drinkingbird
icanfly
custom domains report NXDOMAIN for IPv6 DNS and fail to resolve in Alpine OS
Replies
2
Views
506
sfx2000
sfx2000
P
Solved Router DHCP and DNS not responding to changes
2
Replies
35
Views
1K
PTS
P
B
Configure Adguard TLS DNS with Asuswrt-Merlin
Replies
17
Views
5K
Ellenswamy
E
J
DNS Privacy with Adguard + unbound
Replies
4
Views
2K
jata
J
Similar threads
Thread starter Title Forum Replies Date
V DNS server vs DNS-over TLS server list Asuswrt-Merlin 3
A DNS/TLS IPv6. Asuswrt-Merlin 4
T Using DOT DNS breaks ECS Asuswrt-Merlin 9
pdc Router DNS returning Refused Asuswrt-Merlin 2
C Need help with GT-AXE11000 and DNS Director Asuswrt-Merlin 0
R Would any of this make my browsing more secure? (WAN DNS settings) Asuswrt-Merlin 20
X DNS Director - question Asuswrt-Merlin 6
X RT-AX58U sudden DNS problem - URGENT Asuswrt-Merlin 14
P Solved Router DHCP and DNS not responding to changes Asuswrt-Merlin 35
icanfly DNS fails for local devices when there is no WAN! Asuswrt-Merlin 2

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 866 (members: 11, guests: 855)
Top