DNS over TLS - which servers?


Justinh

Regular Contributor
So, which DNS server am I using? DNS1, DNS2, DoT(1), or DoT(2)? What is the fallback sequence?
If I remove the DNS IPs, then do the DoT servers get used in order of top-to-bottom?
The routing table indicates it prefers DNS1 first, so what's the point of specifying a DoT server if it doesn't disable the non-DoTs?

[attached screenshot: DNS_DOT.PNG]


And what is the deal with the terrible UI by dividing the DoT info with a DHCP options panel?

RMerlin

Asuswrt-Merlin dev
The routing tables have no impact as to which DNS server is used. Dnsmasq's configuration determines that.

If you enable DNS Privacy, then these servers get used. If you don't, then DNS1 and DNS2, in no definitive order, get used.

bbunge

Part of the Furniture
When the router boots it will use WAN/DNS Server 1 and/or 2. You need valid DNS resolver IP addresses or DNS resolver anycast addresses here in order for the router to set its time.
With DoT enabled it will use each resolver or server in the DNS-over-TLS Server List in turn and not use the resolvers in WAN/DNS Server 1 and/or 2.

Justinh

Regular Contributor
What I found out is if DNS1 and DNS2 are not populated (leave only DoT populated) then I get the ISP's DNS.

How do you two know how this process works (DoT is used instead of DNS1/2)? Is this known only by looking at open-source code or is there documentation somewhere describing this?

@RMerlin it's bothersome that the routing table is meaningless. How do I have confidence that the router is doing what it says it is doing and that Dnsmasq is actually doing its thing?

ColinTaylor

Part of the Furniture
> How do you two know how this process works (DoT is used instead of DNS1/2)? Is this known only by looking at open-source code or is there documentation somewhere describing this?
That's the way it works in Merlin's firmware. As it appears that Asus has copied Merlin's implementation I assume it works the same way. Looking at the dnsmasq and DoT config files would confirm this.

> @RMerlin it's bothersome that the routing table is meaningless. How do I have confidence that the router is doing what it says it is doing and that Dnsmasq is actually doing its thing?
The routing table is not meaningless it's just that routing and DNS are two unrelated things. So I'm confused by why you would think they are connected. You could probably use https://www.dnsleaktest.com/ to verify which DNS servers you're currently using.

bbunge

Part of the Furniture
> What I found out is if DNS1 and DNS2 are not populated (leave only DoT populated) then I get the ISP's DNS.
>
> How do you two know how this process works (DoT is used instead of DNS1/2)? Is this known only by looking at open-source code or is there documentation somewhere describing this?
>
> @RMerlin it's bothersome that the routing table is meaningless. How do I have confidence that the router is doing what it says it is doing and that Dnsmasq is actually doing its thing?
There is plenty of documentation in this forum on DNS over TLS going back to Oct 2018 when it was an Entware add on. Several of us were brave enough to use our main line routers to prove that it did work. So, don't complain about something you did not look for.

As for seeing if it works, log into the router with SSH and at the command prompt run:

Code:
stubby -l

To close Stubby do:
Code:
CTRL c

If you use Cloudflare you can go to their help page to see if DoT is working. Note that if you run Merlin firmware you will need to disable DNSSEC:

Edit: Normally you would use two DoT resolvers (AKA DNS Servers) from the same provider. For example, Quad9 1 and 2. If you use IPv6 you can alternate the two IPv4 with the IPv6 resolvers. You can add up to eight DoT resolvers in both Asus and Merlin firmware. As a test I have used six IPv4 resolvers: Quad9 1 and 2, Cleanbrowsing 1 and 2 and Cloudflare Secure 1 and 2 (Cloudflare Secure is a manual add using anycast addresses 1.1.1.2 and 1.0.0.2). I did this as each of my selections is in a different geographic location and the chance that all three locations would be offline is remote. It worked but I have since gone back to Quad9 1 and 2.
The DoT implementation using Stubby uses a feature called round robin which will query each resolver in the list in turn. This is supposed to reduce the load a bit and in use does work well.
