What's new

DoT Internet Connectivity

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

CF900

New Around Here
I am running AirVPN on an Asus RT-AC86U router running Asuswrt-Merlin 386.7_2.

I encountered a problem when trying to enable DNS-over-TLS. I’m using my VPN’s DNS as the resolver in the DoT Server List but I’ve lost internet connectivity. I also tried Cloudfare’s 1.1.1.1 and 1.0.0.1 but no connectivity there, either.

This led me to a Merlin Wiki on GitHub that mentioned this:

“OpenVPN Clients​

This will mostly work as before. OpenVPN clients with "Accept DNS configuration"set to "Exclusive" will still use the DNS servers provided by the VPN server, bypassing DNS Privacy. Setting DNS configuration to "Disabled" on the OpenVPN client configuration will allow it to use DNS Privacy, however note that some VPN providers will block the use of DNS servers other than their own, to protect you against leaking information by sending DNS queries outside of the tunnel. If you trust the OpenVPN server you connect to, it's usually best to leave the setting to Exclusive mode - your DNS queries are already encrypted by the VPN tunnel anyway (for all clients configured to use the tunnel).”


As I am using an OpenVPN client with Accept DNS configuration set to Exclusive, am I right in interpreting this to mean that DoT would be redundant for me as my DNS queries are already encrypted by the tunnel?

Encrypting my DNS queries was my main reason for using DoT.

Am I missing something?

I am also curious as to why I’m losing internet connectivity?

Thanks for any clarification you can provide.
 
I am running AirVPN on an Asus RT-AC86U router running Asuswrt-Merlin 386.7_2.

I encountered a problem when trying to enable DNS-over-TLS. I’m using my VPN’s DNS as the resolver in the DoT Server List but I’ve lost internet connectivity. I also tried Cloudfare’s 1.1.1.1 and 1.0.0.1 but no connectivity there, either.

This led me to a Merlin Wiki on GitHub that mentioned this:

“OpenVPN Clients​

This will mostly work as before. OpenVPN clients with "Accept DNS configuration"set to "Exclusive" will still use the DNS servers provided by the VPN server, bypassing DNS Privacy. Setting DNS configuration to "Disabled" on the OpenVPN client configuration will allow it to use DNS Privacy, however note that some VPN providers will block the use of DNS servers other than their own, to protect you against leaking information by sending DNS queries outside of the tunnel. If you trust the OpenVPN server you connect to, it's usually best to leave the setting to Exclusive mode - your DNS queries are already encrypted by the VPN tunnel anyway (for all clients configured to use the tunnel).”


As I am using an OpenVPN client with Accept DNS configuration set to Exclusive, am I right in interpreting this to mean that DoT would be redundant for me as my DNS queries are already encrypted by the tunnel?

Encrypting my DNS queries was my main reason for using DoT.

Am I missing something?

I am also curious as to why I’m losing internet connectivity?

Thanks for any clarification you can provide.

Somewhat redundant. If you don’t want a man in the middle like a isp or a bad actor from easily seeing or spoofing your dns in unencrypted form then yes your encrypting your dns simply by using their dns over a VPN. However your VPN provider sees it as unencrypted dns traffic. If your VPN provider allows third party dns then it will be double encrypted until it hits the vpn provider then remain encrypted until it hits the dns provider.

However note isp can still dns lookup any IP address to know the site hostname your requesting. However how much information they get might only get so far. For example they could see that the ip belongs to a vpn provider, but not know the true destination past that point. DoT is more important to prevent site spoofing. Also I believe https/ssl/tls still has markers indicating it’s destination so well it kind of obfuscates/encrypts data it’s not impossible to know a piece of where it’s going. The main point is that it remains tamper proof.
 
Last edited:

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top