DNS-over-TLS problem

Wako

Hi,

When I use DNS-over-TLS (CleanBrowsing in my case), all works fine for some minutes or hours, but then, I am unable to resolve domains from time to time. I need to refresh the page 2-3 times (and sometimes 6-7 times) before the domain resolves and I get directed to the website.

I did try to turn on and off DNSSEC and restore default settings on the router with no better results. Is there any problem with DoT?

For now, I use OpenDNS until I can find a solution with DoT.

Thank you for your help.
 
You'll have to figure out what's the timeout value used by that DNS provider. If it's too short (like Quad9), then you might have to customize your stubby configuration to match their own timeout value.
 
Did a test this morning with Quad9 and Cleanbrowsing Secure. I have modified Stubby using a /jffs/scripts/stubby.postconf
Here are the contents of the file:
Code:
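#!/bin/sh
# $1 is the path of the generated Stubby config passed to the postconf script
CONFIG=$1
# helper.sh provides pc_replace and pc_append
source /usr/sbin/helper.sh
# Close idle TLS connections after 2000 ms instead of 9000 ms
pc_replace "idle_timeout: 9000" "idle_timeout: 2000" "$CONFIG"
# Retry a failed TLS connection 5 times instead of 2
pc_replace "tls_connection_retries: 2" "tls_connection_retries: 5" "$CONFIG"
# Query timeout: 2000 ms instead of 3000 ms
pc_replace "timeout: 3000" "timeout: 2000" "$CONFIG"
# Use the upstreams in listed order instead of round robin
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" "$CONFIG"
# Uncomment to have Stubby perform DNSSEC validation (see note below)
# pc_append "dnssec_return_status: GETDNS_EXTENSION_TRUE" "$CONFIG"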
I use WinSCP to create the file and change the properties to 755 to make the file executable.
Restart Stubby with: service restart_stubby

Note: I use DNSSEC in Stubby. To enable this remove the "#" from the last line of the code above. Make sure to disable DNSSEC in the "WAN - Enable DNSSEC support" if you plan to use DNSSEC in Stubby. If you are wondering why I do DNSSEC this way, it is my preference. Testing has shown that either DNSSEC via Stubby or Dnsmasq works. The advantage of using Dnsmasq is that you will log DNSSEC failures.
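
Added example, not part of the original posts: a replacement in the postconf script above only takes effect if its search string is present in the generated config, so this sketch checks that the four values are active after a restart. The function names and the sample config are assumptions constructed for illustration; on a router, pass the path of the generated Stubby config to check_stubby_conf.

```shell
#!/bin/sh
# Added example: confirm the stubby.postconf replacements are present in the
# generated config. Function names and the sample config are assumptions.

# active_value FILE KEY -> value of the first uncommented "KEY: value" line
active_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# check_stubby_conf FILE -> prints one line per mismatch, returns 1 if any
check_stubby_conf() {
    rc=0
    for want in idle_timeout=2000 tls_connection_retries=5 timeout=2000 round_robin_upstreams=0; do
        key=${want%%=*}
        val=${want#*=}
        got=$(active_value "$1" "$key")
        if [ "$got" != "$val" ]; then
            echo "$key: expected $val, found ${got:-nothing}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the generated config had "timeout: 5000", so a
# replacement that searched for "timeout: 3000" matched nothing. The
# commented-out line must not count as an active setting.
write_sample_conf() {
    cat > "$1" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
idle_timeout: 2000
tls_connection_retries: 5
timeout: 5000
round_robin_upstreams: 0
# timeout: 2000
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
check_stubby_conf "$sample" || echo "postconf did not fully apply"
rm -f "$sample"
```

The key is anchored at the start of the line, so the check for timeout is not satisfied by the idle_timeout line or by a commented-out setting.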
 
