DNS-over-TLS and vpnserver?

octopus
Hi, I discovered that my ISP supports DNS-over-TLS and I get a connection (dohdot.bahnhof.net (213.80.98.3)).
I am routing over vpnclient1 at the moment (DNS-over-TLS 213.80.98.3 OVPN1). Traceroute shows that I reached the server.

But my clients can't access my devices on the server lan-side which worked before the DNS-over-TLS test.

How do I get my clients to reach my lan again?
Unsure about DNS-over-TLS if it works with my vpnserver2?

octopus@RT-AX86U-EA08:/tmp/home/root# traceroute 213.80.98.3
traceroute to 213.80.98.3 (213.80.98.3), 30 hops max, 38 byte packets
1 10.128.0.1 (10.128.0.1) 3.542 ms 3.356 ms 3.331 ms
2 46-227-66-169.static.obenetwork.net (46.227.66.169) 18.915 ms 17.131 ms 19.326 ms
3 ae0-10.kis-kg.obe.net (46.227.64.228) 3.458 ms 3.651 ms 3.575 ms
4 et2-9.sto-kn7-3.obe.net (185.242.229.19) 4.571 ms 4.260 ms 4.179 ms
5 xge0-0-35-bahnhof.sto-kn7-3.obe.net (185.242.229.41) 4.580 ms 4.252 ms 4.371 ms
6 sto-ste-er1.sto-cr3.bahnhof.net (46.59.112.160) 5.181 ms sto-ste-er1.sto-cr1.bahnhof.net (46.59.112.42) 4.770 ms sto-ste-er1.sto-cr3.bahnhof.net (46.59.112.160) 5.366 ms
7 sto-cr1.sto-ste-dr1.bahnhof.net (176.10.178.169) 7.638 ms 5.307 ms sto-cr3.sto-ste-dr3.bahnhof.net (176.10.178.173) 5.641 ms
8 sto-ste-dr1.ste-dr3.bahnhof.net (176.10.180.101) 4.690 ms sto-ste-dr3.ste-dr3.bahnhof.net (176.10.180.105) 5.243 ms 4.941 ms
9 dohdot.bahnhof.net (213.80.98.3) 4.264 ms 4.531 ms 4.310 ms
 
I can't really follow your setup. You're talking about VPN clients and servers but I can't work out how you've set your DNS at each end. Is this a LAN to LAN setup? Maybe you can post some screenshots of your DNS settings.
I realized after the post that it was a bit unclear.
I have a VPNServer (RT-AX86U) and an RT-AC56U as a client.
Configured DNS-Over-TLS on the VPNServer.
Can't reach the VPNClient (RT-AC56U), which worked before the test.
You need to be much more specific. What does "can't access" mean? Given you introduced a DNS change, should we assume you can't access them by their hostnames? Can they still be reached by explicit IP (e.g., 192.168.1.100)? Is it ALL devices are unreachable, or only some?

If I had to take a wild guess, perhaps you're bypassing DNSMasq usage on the server side because of your current DoT and OpenVPN server configurations. As a result, DNS wrt local hostnames on the server side can no longer be resolved. But as I said above, it's unclear if this is only a domain name resolution problem.

It's just difficult to provide good feedback when so many details are ambiguous.
I think this explains what I want to do.
My WAN should use DNS-over-TLS and vpn client(x) use vpn-provider DNS in tunnel.
Server and client (not vpn provider) can talk with device in both directions.

I think this explains what I want (it uses another provider, though).
https://www.snbforums.com/threads/dns-over-tls-and-vpn-dns-servers.69590/
Okay, it seems like there are two different issues.

I have a vpnserver(2) on my main router that a vpnclient connects in to. Now I have tested DNS-over-TLS (have turned that off for now).

I can connect again and the client is connected, but you can't see each other (server/client) from somewhere.
That was working fine before this testing. :(
@octopus It seems to me that what you may want to do is configure your VPN server's IP as the DNS for your VPN clients (instead of the DoT IP), and make sure the VPN server (RT-AX86U) is where the DoT connection is active. That will surely allow the VPN clients to have access to the LAN where the VPN server resides and at the same time have DNS encryption.
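As an added illustration of that suggestion (not the poster's own configuration and not the files the router firmware generates): the OpenVPN server-side directives that hand clients the upstream DoT address as their resolver, beside the variant that points them at the router itself. The tunnel subnet 10.8.0.0/24, the LAN 192.168.1.0/24 and the interface name tun22 are assumed values.

```conf
# Variant matching the symptom in the thread: clients are pushed the upstream
# DoT resolver directly, so the router's dnsmasq never sees their queries and
# LAN hostnames stop resolving (reaching LAN devices by IP is unaffected).
push "dhcp-option DNS 213.80.98.3"

# Suggested variant: clients resolve through the VPN server's tunnel address
# (assumed 10.8.0.1). dnsmasq answers LAN hostnames locally and forwards
# everything else over the DoT connection that is active on the router.
push "dhcp-option DNS 10.8.0.1"
push "route 192.168.1.0 255.255.255.0"
client-to-client

# For the second variant dnsmasq must listen on the tunnel interface as well
# (dnsmasq.conf; tun22 is an assumed name for OpenVPN server 2):
interface=tun22
```

A quick check from a connected client is to resolve a LAN hostname and then ping its IP directly: if the ping succeeds while the lookup fails, the problem is the resolver handed to the client, not the tunnel route.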