DNS Privacy appears to have stopped working for me

Goobi

Regular Contributor
Hi Community,

Running Merlin 384.13 on an AC86U. I had DNS privacy set for a couple of months now with no problem. However, I noticed in the last couple of days that all the traffic is flowing through port 53 instead of port 853.

Here are my settings:
WAN:
upload_2019-11-12_8-41-41.png


LAN
upload_2019-11-12_8-42-0.png


Tools>Other Settings:
upload_2019-11-12_8-42-53.png


stubby log:
Code:
 stubby -l
[14:36:18.263784] STUBBY: Read config from file /etc/stubby/stubby.yml
[14:36:18.264700] STUBBY: DNSSEC Validation is OFF
[14:36:18.265040] STUBBY: Transport list is:
[14:36:18.265344] STUBBY:   - UDP
[14:36:18.265679] STUBBY:   - TCP
[14:36:18.265960] STUBBY: Privacy Usage Profile is Opportunistic
[14:36:18.266240] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[14:36:18.266501] STUBBY: Starting DAEMON....
[14:36:20.530588] STUBBY: 1.1.1.1                                  : Upstream   : UDP - Resps=     1, Timeouts  =     0 (logged every 100 responses)
[14:36:21.340955] STUBBY: 1.0.0.1                                  : Upstream   : UDP - Resps=     1, Timeouts  =     0 (logged every 100 responses)
[14:36:21.556817] STUBBY: 9.9.9.9                                  : Upstream   : UDP - Resps=     1, Timeouts  =     0 (logged every 100 responses)
[14:36:22.248912] STUBBY: 149.112.112.112                          : Upstream   : UDP - Resps=     1, Timeouts  =     0 (logged every 100 responses)

I have tried stopping and restarting DNS privacy and rebooting but the issue persists. Any ideas what could be causing this or what else I can look at?

Thanks!
 
Take out the DNS and WINS Server Setting (DNS Server 1) Mine is blank FYI....also do you have anything under DNS filter?
 
Thanks, I removed the DNS Server 1 setting. I am still getting traffic only on port 53. I am using DNS filtering but as you can see, it is in router mode and I don't have any IPs routed to any other DNS:

upload_2019-11-12_11-2-58.png
 
It does appear that the issue could be time related. I see this

upload_2019-11-12_14-36-47.png


I originally had 0.north-america.pool.ntp.org and tried time.nist.gov but I can't ping them, so I tested with the above which I can ping, but still time does not sync.

Code:
# date
Tue Nov 12 14:35:47 CST 2019

Could there be some kind of firewall rule that is blocking ntp traffic? Is there some way I can force a sync? I do use Skynet and Diversion if it makes a difference. Thanks!
 
Try using a different NTP server selection and see if it clears it up.....
 
Also, please read the warning about DNSFilter in your first screenshot:

upload_2019-11-12_8-41-41-png.19858


What do you have configured under DNSFilter?
 
That time looks like it's set, but most likely the ntp client on the router can't resolve the hostname of the ntp server. Change this second setting below back to the default No and try again.
upload_2019-11-12_8-42-53-png.19861


Plus what RMerlin said.
 
Also, why do you (OP) have "Disable Asusnat tunnel" enabled?

Next, to follow up on Dave's post above - NTP.ORG should work fine if you just use "pool.ntp.org".

You do not usually need to determine your own geographic site!
 
Thanks for the replies everyone. A few posts up I show my DNS filter settings (mode set to router and nothing else). I also did the following based on the collective feedback:

1) Disabled DNS filter just to rule it out
2) Set the NTP Server to pool.ntp.org (I can ping this hostname)
3) Set disable Asus tunnel to no
4) Set WAN local caching to no

Still get the same message about not being able to sync.

Some additional commands I ran:
Code:
nvram show|grep ntp
ntp_ready=0 —-> should this not be 1?
ntp_server0=pool.ntp.org
ntp_server1=
ntp_server_tried=pool.ntp.org
ntpd_enable=0

Code:
 ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+helium.constant 128.59.0.245     2 u  752 1024  377   49.443    5.925   1.905
 1.time.dbsinet. .XFAC.          16 u    - 1024    0    0.000    0.000   0.000
*159.203.158.197 128.59.0.245     2 u  680 1024  377   53.799    1.366   2.634
+t1.time.gq1.yah 208.71.46.33     2 u  767 1024  377   94.230   -1.470  12.734

Any additional suggestions on what I can check or try? Thanks!

Edit:
It now looks like the DNS traffic is going through port 853. However, I am still getting the “Reminder: The system time has not been synchronized with an NTP server.” message.
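The two outputs this thread turns on are the `stubby -l` transport list (UDP/TCP only, Opportunistic profile, meaning queries leave on port 53) and the `ntp_ready` nvram flag. The following is an added example, not code from the thread or from the Asuswrt-Merlin project: it parses constructed samples in the shape of those outputs and reports whether DNS-over-TLS is actually in force and, if not, whether the router has even marked its clock as NTP-synced. The log line layout and nvram keys are taken from the posts above; the TLS-only sample is constructed.

```python
import re
# Constructed samples in the shape of the thread's "stubby -l" and "nvram show|grep ntp"
# output (UDP/TCP transports, ntp_ready=0), plus a constructed healthy TLS-only log.
STUBBY_PLAIN = """\
[14:36:18.265040] STUBBY: Transport list is:
[14:36:18.265344] STUBBY:   - UDP
[14:36:18.265679] STUBBY:   - TCP
[14:36:18.265960] STUBBY: Privacy Usage Profile is Opportunistic
[14:36:20.530588] STUBBY: 1.1.1.1                                  : Upstream   : UDP - Resps=     1, Timeouts  =     0
"""
STUBBY_TLS = """\
[09:00:01.000000] STUBBY: Transport list is:
[09:00:01.000001] STUBBY:   - TLS
[09:00:01.000002] STUBBY: Privacy Usage Profile is Strict
[09:00:02.000000] STUBBY: 1.1.1.1                                  : Upstream   : TLS - Resps=     1, Timeouts  =     0
"""
NVRAM_NTP_UNSYNCED = "ntp_ready=0\nntp_server0=pool.ntp.org\nntp_server1=\nntpd_enable=0\n"

TRANSPORT_RE = re.compile(r"STUBBY:\s+-\s+(UDP|TCP|TLS)\s*$")
PROFILE_RE = re.compile(r"Privacy Usage Profile is (\w+)")
UPSTREAM_RE = re.compile(r"STUBBY: (\S+)\s+: Upstream\s+: (UDP|TCP|TLS) -")

def parse_stubby_log(text):
    # Configured transports, privacy profile and the transport each upstream answered over.
    report = {"transports": [], "profile": None, "upstreams": {}}
    for line in text.splitlines():
        if (m := TRANSPORT_RE.search(line)):
            report["transports"].append(m.group(1))
        elif (m := PROFILE_RE.search(line)):
            report["profile"] = m.group(1)
        elif (m := UPSTREAM_RE.search(line)):
            report["upstreams"][m.group(1)] = m.group(2)
    return report

def dot_effective(report):
    # DoT only holds when TLS is the sole transport (so Strict can apply) and every upstream answered over TLS.
    return (report["transports"] == ["TLS"] and bool(report["upstreams"])
            and all(t == "TLS" for t in report["upstreams"].values()))

def ntp_ready(nvram_text):
    vals = dict(l.split("=", 1) for l in nvram_text.splitlines() if "=" in l)
    return vals.get("ntp_ready") == "1"

def diagnose(stubby_text, nvram_text):
    rep = parse_stubby_log(stubby_text)
    if dot_effective(rep):
        return "ok: DoT in use on every upstream"
    if not ntp_ready(nvram_text):
        return "dot-down: ntp_ready=0, firmware has not marked the clock as NTP-synced"
    return "dot-down: transports %s, profile %s" % (rep["transports"], rep["profile"])
```

On the router itself the same checks can be fed with `stubby -l` output captured to a file and `nvram show | grep ntp`; TLS certificate validation needs a correct clock, so the `ntp_ready` result is the first thing to look at when the transport list shows no TLS.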
 
For what it’s worth, I’ve had zero time set hassles by just using the Cloudflare time server IP.

162.159.200.1

YMMV. ;-)