DNS over TLS doesn't appear to be working?

JT Strickland

Very Senior Member
RT-AC86U w/ 384.15, RT-AC68U aimesh node 384.15, diversion, uidivstats, Skynet, scribe, uiscribe, conmon, spdMerlin, scmerlin, nsrum

I am hoping someone will take a look at my settings screenshot and tell me what I need to change. I am a little confused about some of the posts that I've been reading regarding this. Are the DoT Servers supposed to be different from DNS server 1 and 2 as shown? I had Cloudflare servers in this list along with Quad9, but took them out trying to make it work, which didn't help. I also tried with "Validate unsigned DNSSEC replies" set to Yes and No, but got the same results as shown from the Cloudflare test. I am using Firefox browser with Windows 10 and DoH is turned off in it. DNSfilter in the LAN is turned off, maybe it should be on? Thanks for any help.

Attachments: dnsresolver.png, myWAN.png
You need to change nothing! You have the same DoT setup as I do. But, the Cloudflare test only works with Cloudflare resolvers (1.1.1.1 and 1.0.0.1) with DNSSEC disabled.
Well, you could change DNS Server 1 to 9.9.9.9 and DNS Server 2 to 149.112.112.112 but nothing would change.
 
Agreed, your settings are fine. If you notice any performance problems with streaming services, you can try using Quad9 EDNS-enabled service at 9.9.9.11 and 149.112.112.11. Better location awareness for CDN content, with a minor privacy giveaway of EDNS Client Subnet.

OK, thanks, folks, I appreciate it. I didn't understand some of the posts that I read that said to use two sets of DoT servers. Should I add another, or is it beneficial? I wasn't sure if they were talking about two including the existing set of Cloudflare servers at the top or what. If it's working, it's good enough for me anyhow.
thanks again,
jts
The Cloudflare entries you have set up now in the WAN DNS fields will only be used until the DoT service starts up at boot time (i.e. the Stubby daemon). Then LAN clients will have their requests sent to the DoT servers at Quad9. Any DNS requests originating from the router itself (i.e. not a LAN client) will continue to use the Cloudflare DNS IPs.

If you wanted to be “all-in” with Quad9 for their filtering, then you could replace the Cloudflare entries with Quad9 entries.

Using multiple providers within DoT gives you some redundancy/diversity but if you mix a filtering service with a non-filtering service, you have no control of when the filtering would be applied. It’s like cyber security Russian roulette.

I would just stick with multiple servers from the same provider. It’s even debatable whether the secondary servers are necessary for these Anycast IP addresses. But still a good practice for now since I have nothing to back that statement up.
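A defender-side sanity check for the two points made in this reply (don't mix a filtering provider with a non-filtering one, and make sure every DoT upstream can actually be authenticated), written in Python as an added example; it is not code from this thread, from Asuswrt-Merlin or from the Stubby project. It assumes the stubby.yml layout (`upstream_recursive_servers` entries with `address_data`, `tls_auth_name` and `tls_port`, plus `tls_authentication` and `dnssec_return_status`); the provider-name map, the two constructed configurations and the placeholder address 192.0.2.53 are assumptions made for the example.

```python
"""Sanity-check a Stubby-style DoT upstream list for two pitfalls: mixing a
filtering provider with a non-filtering one (so you cannot tell which policy a
given query will get) and upstreams that cannot be authenticated."""

from collections import defaultdict

# Assumption for this example: the TLS authentication names Quad9 and Cloudflare
# present on their public DoT services. Any other resolver needs its own entry.
KNOWN_PROVIDERS = {
    "dns.quad9.net": "Quad9",
    "cloudflare-dns.com": "Cloudflare",
    "one.one.one.one": "Cloudflare",
}

# Constructed config, shaped like stubby.yml. It deliberately mixes Quad9
# (filtering) with Cloudflare (non-filtering) and adds one upstream with no
# tls_auth_name; 192.0.2.53 is a placeholder from the documentation range.
MIXED_CONFIG = {
    "tls_authentication": "GETDNS_AUTHENTICATION_REQUIRED",
    "dnssec_return_status": "GETDNS_EXTENSION_TRUE",
    "upstream_recursive_servers": [
        {"address_data": "9.9.9.9", "tls_auth_name": "dns.quad9.net", "tls_port": 853},
        {"address_data": "149.112.112.112", "tls_auth_name": "dns.quad9.net", "tls_port": 853},
        {"address_data": "1.1.1.1", "tls_auth_name": "cloudflare-dns.com", "tls_port": 853},
        {"address_data": "192.0.2.53", "tls_port": 853},
    ],
}

# Constructed config: the "stick with one provider" layout recommended in the reply.
QUAD9_ONLY_CONFIG = {
    "tls_authentication": "GETDNS_AUTHENTICATION_REQUIRED",
    "dnssec_return_status": "GETDNS_EXTENSION_TRUE",
    "upstream_recursive_servers": [
        {"address_data": "9.9.9.9", "tls_auth_name": "dns.quad9.net", "tls_port": 853},
        {"address_data": "149.112.112.112", "tls_auth_name": "dns.quad9.net", "tls_port": 853},
    ],
}


def lint_upstreams(config):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    upstreams = config.get("upstream_recursive_servers", [])
    if not upstreams:
        return [("error", "no upstream_recursive_servers: Stubby has nothing to forward to")]

    if config.get("tls_authentication") != "GETDNS_AUTHENTICATION_REQUIRED":
        findings.append(("error", "tls_authentication is not GETDNS_AUTHENTICATION_REQUIRED: "
                         "the resolver's certificate would not be verified"))

    providers = defaultdict(list)  # provider name -> addresses using it
    for up in upstreams:
        addr = up.get("address_data", "?")
        auth_name = up.get("tls_auth_name")
        if not auth_name:
            # Without an auth name (or a pinset) strict mode cannot verify this server.
            findings.append(("error", f"{addr}: no tls_auth_name, so it cannot be authenticated"))
            continue
        providers[KNOWN_PROVIDERS.get(auth_name, auth_name)].append(addr)

    if len(providers) > 1:
        listing = "; ".join(f"{p}: {', '.join(a)}" for p, a in sorted(providers.items()))
        findings.append(("warn", f"upstreams span {len(providers)} providers ({listing}): "
                         "filtering policy will differ depending on which one answers"))
    for provider, addrs in sorted(providers.items()):
        if len(addrs) < 2:
            findings.append(("info", f"{provider}: only one address, no fallback within the provider"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("mixed", MIXED_CONFIG), ("quad9-only", QUAD9_ONLY_CONFIG)):
        print(f"== {name} ==")
        for severity, message in lint_upstreams(cfg) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Run as-is it reports the mixed list (one unauthenticated upstream, two providers, Cloudflare with no second address) and passes the Quad9-only list clean; feeding it your own upstream list is a quick way to confirm you have not quietly mixed policies.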

OK, thanks, I will save that info and switch to the EDNS servers if we see significant degradation. It doesn't matter to me which one I use. I thought that mixing them on the DoT server list might have undesirable consequences, but didn't know. I'm still very green at this, but I'm a learnin'. I now know what an EDNS server is (barely) after looking it up tonight. I got a long way to go though. I appreciate the confirmation and the pointers.
jts