DoT


With the above settings you'll have devices that will ignore the router's DNS settings, but you can force them to use the router's DNS.
Use these settings:
View attachment 30808

Next set your DNSFilter in the LAN settings to router:
View attachment 30809

Now all of your DNS traffic should go through 1.0.0.2. You can check this by watching the outgoing traffic. Connect to the router over SSH and enter the following command:

Code:
tcpdump -ni eth0 -p port 53 or port 853

When you follow the output, you'll see the DNS requests, which should all now go to 1.0.0.2 or 1.1.1.2. You can also look at the connections to see whether they are secure (port 853) or insecure (port 53).
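A small check script, added here as an example (it is not from the posts in this thread or from the Asuswrt-Merlin firmware), that turns the tcpdump output from the step above into a pass/fail answer: it counts outbound packets per upstream and port and fails if any query left on plain port 53 instead of 853. It accepts both `-n` output (ports printed as `domain`/`domain-s`, as in this thread) and `-nn` output (numeric ports). The sample capture lines embedded in it are constructed to look like the ones posted here, not real traffic; the `dot_leak_check.sh` name and the `-c 200` packet count in the usage comment are my choices, and the WAN interface is taken from `nvram get wan0_ifname` rather than assumed to be eth0.

```shell
#!/bin/sh
# dot_leak_check.sh
# Classifies DNS traffic captured on the WAN side as DoT (TCP 853) or plaintext (port 53).
# Added example for this thread; not code from the original posts or from Asuswrt-Merlin.
# Assumes tcpdump from Entware. Live usage on the router (hypothetical invocation):
#   tcpdump -nn -p -i "$(nvram get wan0_ifname)" -c 200 'port 53 or port 853' 2>/dev/null | sh dot_leak_check.sh

# classify_dns_lines: read tcpdump lines on stdin, print "DSTPORT DSTHOST COUNT"
# for every outbound packet whose destination port is 53 or 853.
# Replies from the resolver have an ephemeral destination port and are ignored.
classify_dns_lines() {
    awk '
    / > / {
        dst = ""
        # destination is the token right after ">" in "SRC.SPORT > DST.DPORT:"
        for (i = 1; i < NF; i++) if ($i == ">") { dst = $(i + 1); break }
        if (dst == "") next
        sub(/:$/, "", dst)
        n = split(dst, part, ".")
        port = part[n]
        # strip ".PORT" from the end; works for IPv4 and for -nn IPv6 addresses too
        host = substr(dst, 1, length(dst) - length(port) - 1)
        if (port == "domain") port = "53"          # tcpdump -n prints port 53 as "domain"
        else if (port == "domain-s") port = "853"  # tcpdump -n prints port 853 as "domain-s"
        if (port == "53" || port == "853") count[port " " host]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# dot_leak_check: print one line per upstream; return 1 if any query left in plaintext.
dot_leak_check() {
    classify_dns_lines | awk '
    {
        label = ($1 == "853") ? "DoT       " : "PLAINTEXT "
        print label "-> " $2 " (" $3 " packets)"
    }
    $1 == "53" { leak = 1 }
    END { exit (leak ? 1 : 0) }'
}

# Constructed sample captures (not real traffic), shaped like the output in this thread.
# LEAKY_SAMPLE contains one plaintext AAAA query to 1.1.1.2 besides the DoT sessions.
LEAKY_SAMPLE='09:21:51.501330 IP 12.34.56.78.35264 > 1.1.1.2.domain: 2+ AAAA? dns.msftncsi.com. (34)
09:21:51.520101 IP 1.1.1.2.domain > 12.34.56.78.35264: 2 0/1/0 (89)
18:42:09.461916 IP 12.34.56.78.44598 > 1.1.1.2.853: Flags [.], ack 4262, win 636, length 0
18:42:09.471698 IP 1.0.0.2.853 > 12.34.56.78.40518: Flags [P.], seq 2884:3123, ack 350, win 118, length 239
18:42:09.471823 IP 12.34.56.78.40518 > 1.0.0.2.853: Flags [P.], seq 350:502, ack 3123, win 589, length 152'

# CLEAN_SAMPLE has only DoT sessions on port 853.
CLEAN_SAMPLE='18:42:09.461916 IP 12.34.56.78.44598 > 1.1.1.2.853: Flags [.], ack 4262, win 636, length 0
18:42:09.471698 IP 1.0.0.2.853 > 12.34.56.78.40518: Flags [P.], seq 2884:3123, ack 350, win 118, length 239
18:42:09.471823 IP 12.34.56.78.40518 > 1.0.0.2.853: Flags [P.], seq 350:502, ack 3123, win 589, length 152
18:42:18.491516 IP 12.34.56.78.44598 > 1.1.1.2.853: Flags [P.], seq 659:683, ack 4262, win 636, length 24'

# Stand-alone demo; in live use pipe tcpdump into dot_leak_check instead.
printf '%s\n' "$LEAKY_SAMPLE" | dot_leak_check || echo "LEAK: plaintext DNS left the WAN interface"
printf '%s\n' "$CLEAN_SAMPLE" | dot_leak_check && echo "OK: only DoT (port 853) seen"
```

Because of NAT every outbound packet carries the router's WAN address as its source, so the summary is by destination only: a plaintext hit tells you something bypassed stubby, not which client or process sent it. Capturing `port 53` on the LAN bridge (br0) at the same time shows whether a LAN device originated the query; if nothing appears there, the query came from the router itself.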

My settings are exactly like yours.

However, when I check the traffic with
Code:
tcpdump -i eth0 port 53

in order to test that all the traffic would go thru port 853 instead of 53, for some reason several lines mainly like this start appearing:

Code:
09:21:51.501330 IP 12-34-56-78.bb.myinternetserviceprovider.XY.35264 > 1.1.1.2.domain: 2+ AAAA? dns.msftncsi.com. (34)

where IP 12-34-56-78 would contain the exact digits of my current IP 12.34.56.78, and .XY is my two-letter internet country code.

Is there something wrong with my setup? dns.msftncsi.com?
 
I did the tcpdump while I ran the dig command for snbforums.com. In the tcpdump output, what comes right after > is the DNS server; in my case it is 9.9.9.9 (dns9.quad9.net). The rightmost snbforums.com is what it is actually trying to resolve the IP for. From your output, it looks like your configured DNS is 1.1.1.2. Is this correct? It appears some device in your network is asking your DNS 1.1.1.2 to resolve the IP address for dns.msftncsi.com.
Code:
18:21:37.518927 PPPoE  [ses 0x67d0] IP <my_public_ip>.54122 > dns9.quad9.net.domain: 10713+ [1au] A? snbforums.com. (54)
18:21:37.534732 PPPoE  [ses 0x67d0] IP dns9.quad9.net.domain > <my_public_ip>.54122: 10713 3/0/1 A 104.26.9.66, A 172.67.69.81, A 104.26.8.66 (90)

By looking at the dig output, SERVER 9.9.9.9#53(9.9.9.9) shows this is using port 53:
Code:
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/tmp# dig snbforums.com

; <<>> DiG 9.16.8 <<>> snbforums.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10713
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;snbforums.com.                 IN      A

;; ANSWER SECTION:
snbforums.com.          300     IN      A       104.26.9.66
snbforums.com.          300     IN      A       172.67.69.81
snbforums.com.          300     IN      A       104.26.8.66

;; Query time: 19 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue Feb 16 18:21:37 MYT 2021
;; MSG SIZE  rcvd: 90

admin@RT-AC86U-DBA8:/tmp/mnt/amtm/tmp#


In other tcpdump output I can see something like one.one.one.one.853, which shows port 853 is used. Do you see something like this?
Code:
18:42:09.461916 IP <my_public_ip>.44598 > one.one.one.one.853: Flags [.], ack 4262, win 636, length 0
18:42:09.471698 IP dns9.quad9.net.853 > <my_public_ip>.40518: Flags [P.], seq 2884:3123, ack 350, win 118, options [nop,nop,TS val 2463546271 ecr 7251271], length 239
18:42:09.471823 IP <my_public_ip>.40518 > dns9.quad9.net.853: Flags [P.], seq 350:502, ack 3123, win 589, options [nop,nop,TS val 7251273 ecr 2463546271], length 152
18:42:09.471712 IP dns9.quad9.net.853 > <my_public_ip>.40518: Flags [P.], seq 3123:3362, ack 350, win 118, options [nop,nop,TS val 2463546271 ecr 7251271], length 239
18:42:09.480189 IP dns9.quad9.net.853 > <my_public_ip>.40518: Flags [P.], seq 3362:3480, ack 502, win 122, options [nop,nop,TS val 2463546280 ecr 7251273], length 118
18:42:09.480400 IP <my_public_ip>.40518 > dns9.quad9.net.853: Flags [.], ack 3480, win 634, options [nop,nop,TS val 7251273 ecr 2463546271], length 0
18:42:18.491516 IP <my_public_ip>.44598 > one.one.one.one.853: Flags [P.], seq 659:683, ack 4262, win 636, length 24
18:42:18.491683 IP <my_public_ip>.44598 > one.one.one.one.853: Flags [F.], seq 683, ack 4262, win 636, length 0
 
Is Network Monitoring enabled on the Administration / System tab?
 
DNS Server 1: 1.1.1.3
DNS Server 2: 1.0.0.3
DoT
Set the TLS Host name to cloudflare-dns.com for both 1.1.1.3 and 1.0.0.3

It is easiest when setting up DoT to select the Cloudflare servers 1.1.1.1 and 1.0.0.1 and then change the last number. You may not need IPv6 resolvers, as the Cloudflare IPv4 resolvers do resolve IPv6 addresses.
 
You should be good to go with my earlier configuration posted, minus the rebind protection, as per @dave14305's explanation.
 
I was under the impression that DNS Server 1 & 2 should be set to a different company than the DNS-over-TLS Server List, since those are the fallback DNS if the DNS-over-TLS Server List servers are down, i.e. DNS-over-TLS Server List = Cloudflare, then DNS Server 1 & 2 = Quad9. If Cloudflare is down, then Quad9 would be used. In your case, if Cloudflare is down, you have no DNS... Or am I wrong in my understanding of this?
 
I don't think there's any automatic fallback to plain DNS if the DoT servers are unresponsive. You would need to manually disable DNS Privacy on the WAN page. I may be wrong, since it's been a while since I bothered with DoT, but there is no inherent failover mechanism. The router will restart stubby if it dies, but that's about it.

Using multiple diverse services is a good practice for redundancy, but if you're using a service for filtering capability, you may not want to use Quad9 if your goal is to filter adult content with 1.1.1.3 for example.
 
OK, I was not remembering correctly. According to this post, the DNS Servers 1 & 2 are used at startup. Having all the same would be confusing if performing leak testing (if I understand that correctly).

 
Thanks again for all your help I have learned a lot today. The only thing I have not been able to do is confirm. If I SSH to router via putty and do tcpdump it says command not found. Not sure what I'm doing wrong :/
 
It comes from Entware. If you have Entware set up, you can install tcpdump:
Code:
opkg update
opkg install tcpdump
# capture on the actual WAN interface; -n skips reverse lookups so the capture itself does not generate DNS queries
tcpdump -i $(nvram get wan0_ifname) -n port 53
 
Ahhhh thank you. I will have to cross that bridge later this week!
You don't have Entware installed yet?

No problem. You just need an empty USB stick (a few gigabytes may be enough, depending on your needs). Connect it to your router, run amtm and format your stick with amtm's Format disk (to ext something; just don't ask me which one is the best choice, ext2 or ext4 or whatever LUL) and create a swap file (2 gigabytes would be nice) with the amtm swap file management tool as well. Then install Diversion, because it will automagically install Entware for you while you just sit and relax.

And that's it, pretty much. I think.
 
Funny you mention that. I have diversion installed. I wonder why it didn't work out of the box? I'll keep digging!
 