DNS server - order of access

[m m.]

I have DNS server(2) and DNS-over-TLS List(2) configured in the WAN-Internet Connection page. How does the router select which DNS server to use and how does it decide when to the DoT?

 

[bbunge]

In the WAN the DNS Server (2) are used at router boot mainly to set the router time. Once booted, the DoT configured servers, also called resolvers, take over. They are used in a round robin scheme in the order you set them up.

 

[Tech9]

DoT set with Strict profile will override WAN DNS servers. They will be used for router's own queries and before Stubby starts.

Example with OpenDNS:

 

[lepa71]

I'm trying set up DOT and have Quad9 for 1st and 2nd. 3rd and 4th are set to be Cloudflare. When I run a DNS leak test, I get Cloudflare 1st. Does the order work? I like to have Quad9 for malware protection and Cloudflare for fallback. What am I doing wrong?

 

[Tech9]

You can't have backup DNS servers this way and mixing filtered/unfiltered DNS servers doesn't make sense. Also doesn't make sense enabling DNSSEC to upstream trusted DNS provider already doing DNSSEC when the communication to/from you is encrypted. In your case I would keep all four options above "Prevent client auto DoH" to default No and set DoT to Quad9 only.

 

[lepa71]

You can't have backup DNS servers this way and mixing filtered/unfiltered DNS servers doesn't make sense. Also doesn't make sense enabling DNSSEC to upstream trusted DNS provider already doing DNSSEC when the communication to/from you is encrypted. In your case I would keep all four options above "Prevent client auto DoH" to default No and set DoT to Quad9 only.

Question. Why not do the opposite? Keep all to YES to what I have and disable DOT. I already have Quad9 as the main DNS server. btw I do not have DNS director enabled.

 

[Tech9]

You can do anything you want based on your needs, it’s your router. When not sure how something works keep it at default setting.

 

[lepa71]

You can do anything you want based on your needs, it’s your router. When not sure how something works keep it at default setting.

This is why I'm asking. You definitely know more than I do. Just trying to learn.

 

[Tech9]

The four options to No and DoT disabled is the default configuration.

If you are asking about my personal preferences - fast unfiltered DNS upstream (location dependent, Google, OpenDNS, Cloudflare in my area) and local filtering of whatever I want to filter (I don't use Asus routers though, Diversion can do this in Asuswrt-Merlin with custom block lists). This way when something gets blocked I can see what it was in the logs. No block lists are perfect, false positives happen. Since ISPs see what was accessed by IP address they can still log user activity, DNS encryption won't help much with this type of "privacy". If you have no concerns about MITM (DNS queries interception and altering the resolution upstream) your ISP DNS servers (most likely not supporting DoT) are perhaps the fastest with resolution to local resources.

 

[lepa71]

Thank you for the reply. I'm trying to use Quad9 for the malware protection side, not necessarily privacy. My logic was, if I set up DOT then I can have a secondary DNS server in case Quad9 is down.
Can you post a screenshot like mine, please?

 

[Tech9]

Sorry, I don't have any Asus routers up and running at the moment.

Quad9 perhaps have close to 100% uptime, but in my area the servers are overloaded with higher latency and sending the user on a journey around the globe. I've also seen Stubby inconsistencies in Asuswrt(-Merlin) so can't really recommend using it unless it's absolutely necessary as problem solving measure. You have obviously followed someone else's advice altering the default settings. Just decide what do you want based on own needs and/or beliefs.

 

[bbunge]

Set Prevent Auto Client DoH to yes. Use the Quad9 revolvers with DNSSEC and disable DoT. Quad9 DoT has been unreliable but DNSSEC works well for me.
Edit: for added security install Diversion and use Steve Black's unified blocklist.

 

[Tech9]

Set Prevent Auto Client DoH to yes

This option MAY prevent some clients from doing DoH, eventually. It WILL break iCloud Private Relay though, guaranteed. I wouldn't advice enabling it without knowing what the clients on this network need. Some parts of this security/privacy chasing may backfire.

 

[Justinh]

I'm trying set up DOT and have Quad9 for 1st and 2nd. 3rd and 4th are set to be Cloudflare. When I run a DNS leak test, I get Cloudflare 1st. Does the order work? I like to have Quad9 for malware protection and Cloudflare for fallback. What am I doing wrong?

You may not be doing anything wrong. It has been said on this forum that the resolvers are used in round-robin style. Thus there is not fallback logic.