Menu
What's new
By:
Filters Better Search

DNS over TLS - which servers?

J

Justinh

Regular Contributor
So, which DNS server am I using? DNS1, DN2, DoT(1), or DoT(2)? What is the fallback sequence?
If I remove the DNS IPs, then do the DoT servers get used in order of top-to-bottom?
The routing table indicates it prefers DNS1 first, so what's the point of specifying a DoT server if it doesn't disable the non-DoTs?

DNS_DOT.PNG


And what is the deal with the terrible UI by dividing the DoT infos with a DHCP options panel?
 
RMerlin

RMerlin

Asuswrt-Merlin dev
The routing tables have no impact as to which DNS server is used. Dnsmasq's configuration determines that.

If you enable DNS Privacy, then these servers get used. If you don't, then DNS1 et DNS2, in no definitive order, get used.
 
bbunge

bbunge

Part of the Furniture
When the router boots it will use WAN/DNS Server 1 and or 2. You need valid DNS resolver IP addresses or DNS resolver anycast addresses here in order for the router to set its time.
With DoT enabled it will use each resolver or server in the DNS-over-TLS Server List in turn and not use the resolvers in WAN/DNS Server 1 and or 2.
 
Last edited:
J

Justinh

Regular Contributor
What I found out is if DNS1 and DNS2 are not populated (leave only DoT populated) then I get the ISP's DNS.

How do you two know how this process works (DoT is used instead of DNS1/2)? Is this known only by looking at open-source code or is there documentation somewhere describing this?

@RMerlin it's bothersome that the routing table is meaningless. How do I have confidence that the router is doing what it says it is doing and that Dnsmasq is actually doing its thing?
 
C

ColinTaylor

Part of the Furniture
Justinh said:
How do you two know how this process works (DoT is used instead of DNS1/2)? Is this known only by looking at open-source code or is there documentation somewhere describing this?
Click to expand...
That's the way it works in Merlin's firmware. As it appears that Asus has copied Merlin's implementation I assume it works the same way. Looking at the dnsmasq and DoT config files would confirm this.

Justinh said:
@RMerlin it's bothersome that the routing table is meaningless. How do I have confidence that the router is doing what it says it is doing and that Dnsmasq is actually doing its thing?
Click to expand...
The routing table is not meaningless it's just that routing and DNS are two unrelated things. So I'm confused by why you would think they are connected. You could probably use https://www.dnsleaktest.com/ to verify which DNS servers you're currently using.
 
Last edited:
bbunge

bbunge

Part of the Furniture
Justinh said:
What I found out is if DNS1 and DNS2 are not populated (leave only DoT populated) then I get the ISP's DNS.

How do you two know how this process works (DoT is used instead of DNS1/2)? Is this known only by looking at open-source code or is there documentation somewhere describing this?

@RMerlin it's bothersome that the routing table is meaningless. How do I have confidence that the router is doing what it says it is doing and that Dnsmasq is actually doing its thing?
Click to expand...
There is plenty of documentation in this forum on DNS over TLS going back to Oct 2018 when it was an Entware add on. Several of us were brave enough to use our main line routers to prove that it did work. So, don't complain about something you did not look for.

AS for seeing if it works, log into the router with SSH and at the command prompt run:

Code: 
stubby -l

To close Stubby do:
Code: 
CTRL c

If you use Cloudflare you can go to their help page to see if DoT is working. Note that if you run Merlin firmware you will need to disable DNSSEC:
cloudflare-dns.com

1.1.1.1 — the Internet’s Fastest, Privacy-First DNS Resolver

✌️✌️ Browse a faster, more private internet.
cloudflare-dns.com cloudflare-dns.com

Edit: Normally you would use two DoT resolvers (AKA DNS Servers) from the same provider. For example, Quad9 1 and 2. If you use IPV6 you can alternate the two IPV4 with the IPV6 resolvers. You can add up to eight DoT resolvers in both Asus and Merlin firmwares. As a test I have used six IPV4 resolvers; Quad 9 1 and 2, Cleanbrowsing 1 and 2 and Cloudflare Secure 1 and 2 (Cloudflare Secure is a manual add using anycast addresses 1.1.1.2 and 1.0.0.2). I did this as each of my selections is in a different geographic location and the chance that all three locations would be off line is remote. It worked but I have since gone back to Quad9 1 and 2.
The DoT implementation using Stubby uses a feature called roundrobbin which will query each resolver in the list in turn. This is supposed to reduce the load a bit and in use does work well.
 
Last edited:
J

Justinh

Regular Contributor
ColinTaylor said:
The routing table is not meaningless it's just that routing and DNS are two unrelated things.
Click to expand...
Right. I misunderstood what RMerlin said and what I was looking at in the logs. My apologies for adding confusion.
 
Last edited:
You must log in or register to reply here.
Similar threads
Thread starter Title Forum Replies Date
B Cloudflare DNS over TLS malware settings ASUSWRT - Official 5
R Problems setting up DNS-over-TLS on RT-AX86U and ZenWiFi AX ASUSWRT - Official 8
OzarkEdge Wyze cams and Quad9 DNS-over-TLS issue ASUSWRT - Official 3
J DNS-OVER-TLS AND VPN — 3.0.0.4.386.45956 ASUSWRT - Official 7
H DNS over TLS and Recommended Privacy configurations ASUSWRT - Official 7
R AP always adds LAN gateway to DNS via resolv.conf ASUSWRT - Official 10
maniusng RT-AC68U LAN DNS issue ASUSWRT - Official 1
J PIA Smart DNS Configuration ASUSWRT - Official 0
S DNS with Instant Guard ASUSWRT - Official 5
A Any good cloud based remote Log Servers where to send ASUS's logs? ASUSWRT - Official 2

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 342 (members: 16, guests: 326)
Top