Enabling DNS-over-TLS Breaks My Emporia Smart Plug Connection

kngklla

Occasional Visitor
Hi All,

Enabling DNS over TLS seems to break my Emporia Smart Plug's ability to communicate with its respective cloud. Any ideas why? DNSoTLS works fine, and I have Asus configured to hand out itself as the DNS server to all clients, but whenever I enable DNS-over-TLS it seems to break the smart plugs and I can't fathom why that would be. Any ideas are much appreciated.

Thank you
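A first check on the setup described above (router handing itself out as DNS, DoT enabled on the router), as an added example that is not from the thread or from Asus or Emporia: it sends the same A query to the router over plain UDP/53, the path an IoT stub resolver takes, and directly to a DoT upstream over TCP/853 with TLS, the path the router takes, then reports what differs (rcode, TC bit, answer IPs, message size). Assumptions: the router is at 192.168.50.1 (the Asus default), the upstream is Quad9 at 9.9.9.9 with authentication name dns.quad9.net, and TARGET is a placeholder to replace with the plug's cloud hostname. The message builder and parser run offline; only the two query functions need the network.

```python
# Added example; not Asus, Emporia or Unbound code.
# Assumptions: router at 192.168.50.1, Quad9 DoT at 9.9.9.9 (auth name
# dns.quad9.net), TARGET is a placeholder for the plug's cloud hostname.
import socket
import ssl
import struct

ROUTER_DNS = "192.168.50.1"                        # assumption: Asus default LAN IP
DOT_UPSTREAM = ("9.9.9.9", 853, "dns.quad9.net")   # Quad9's published DoT endpoint
TARGET = "example.com"                             # placeholder hostname

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: RD=1, one question, no EDNS (what a small stub sends)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)

def parse_response(msg):
    """Return (rcode, truncated, answers); answers are (name, type, rdata) tuples."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode, truncated = flags & 0x0F, bool(flags & 0x0200)
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        elif rtype == 5:                           # CNAME: decode the target name
            rdata, _ = _read_name(msg, off)
        off += rdlen
        answers.append((name, rtype, rdata))
    return rcode, truncated, answers

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from DoT server")
        buf += chunk
    return buf

def query_udp(server, name):
    """What the plug does: plain DNS to the router on UDP/53, 512-byte buffer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name), (server, 53))
        return s.recv(512)

def query_dot(server, port, auth_name, name):
    """What the router does: RFC 7858, TLS on 853, 2-byte length before each message."""
    q = build_query(name)
    ctx = ssl.create_default_context()             # verifies chain and auth_name
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
        tls.sendall(struct.pack(">H", len(q)) + q)
        (ln,) = struct.unpack(">H", _recv_exact(tls, 2))
        return _recv_exact(tls, ln)

def compare(plain, dot):
    """Differences a stub resolver would notice between the two answers."""
    rc1, tc1, a1 = parse_response(plain)
    rc2, tc2, a2 = parse_response(dot)
    return {"rcode": (rc1, rc2), "truncated": (tc1, tc2),
            "ips": (sorted(r for _, t, r in a1 if t == 1),
                    sorted(r for _, t, r in a2 if t == 1)),
            "size": (len(plain), len(dot))}

if __name__ == "__main__":
    for k, v in compare(query_udp(ROUTER_DNS, TARGET),
                        query_dot(*DOT_UPSTREAM, TARGET)).items():
        print(f"{k}: plain={v[0]} dot={v[1]}")
```

DoT only changes the transport between the router and its upstream; the answer content comes from whichever upstream the router was pointed at, so a difference in rcode or IPs points at the choice of upstream rather than at the encryption itself. A stub that does not send EDNS gets at most 512 bytes over UDP and must retry over TCP when the TC bit is set, which is the first thing worth checking for a device that stops working only when the router's DNS path changes. If the device ignores the DHCP-assigned DNS server and queries a public resolver of its own, the router's DoT setting does not affect it at all unless the router intercepts port 53.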
 

bbunge

Part of the Furniture
Hi All,

Enabling DNS over TLS seems to break my Emporia Smart Plug's ability to communicate with its respective cloud. Any ideas why? DNSoTLS works fine, and I have Asus configured to hand out itself as the DNS server to all clients, but whenever I enable DNS-over-TLS it seems to break the smart plugs and I can't fathom why that would be. Any ideas are much appreciated.

Thank you
If you search the forum you will discover this was reported before. Turning off DoT while setting up the IoT device should help. Then turn DoT back on.
 

kngklla

Occasional Visitor
If you search the forum you will discover this was reported before. Turning off DoT while setting up the IoT device should help. Then turn DoT back on.
Hi there. Unfortunately, the device is already set up; it's when I enable DoT afterwards that it breaks. I'll search around some more though, see if any ideas turn up.

thank you
 

Tech9

Part of the Furniture
I don't have IoT devices and I use the washer and dryer for testing. No one else is using their Wi-Fi anyway. The dryer stays connected with DoT, the washer re-connects all the time generating endless log messages. With DoT disabled the messages stop. Both Asuswrt and Asuswrt-Merlin do the same thing.
 

Jumpstarter

Senior Member
I don't have IoT devices and I use the washer and dryer for testing. No one else is using their Wi-Fi anyway. The dryer stays connected with DoT, the washer re-connects all the time generating endless log messages. With DoT disabled the messages stop. Both Asuswrt and Asuswrt-Merlin do the same thing.
Generally speaking, the dryer performs DoT with counter clock wise round robins, while the fabric sheets encrypt the tunnel. The washer really doesn't like those reconnects, since the tunnel cannot stay encrypted using it.
 

kngklla

Occasional Visitor
Bumping this one more time to see if anyone has any ideas. I couldn't seem to find any related or similar posts on here.

Thank you
 

kngklla

Occasional Visitor
It's an RT-AX92U running OEM firmware version 3.0.0.4.386_46061-g9a06866

 

Tech9

Part of the Furniture
I'd prefer it if my ISP was unable to monitor my DNS requests.

Your ISP knows at any moment what servers you connect to by IP. This is enough to recreate your browsing habits. If there are no MITM concerns, DNS encryption only slows down your DNS and limits the number of available servers. The choice is yours, of course.
 

kngklla

Occasional Visitor
Your ISP knows at any moment what servers you connect to by IP. This is enough to recreate your browsing habits. If there are no MITM concerns, DNS encryption only slows down your DNS and limits the number of available servers. The choice is yours, of course.
Hmm, I'm not sure about that. One Content Delivery Network (CDN) IP can serve up multiple sites, so I don't think that's necessarily true. For example, there are more than 2,700 domains associated with the Cloudflare IP 104.21.12.237.

It doesn't seem like anyone else has seen this issue or has any ideas as to why enabling DoT would cause some specific devices on my network to stop working, so I'll table it for now until I have the motivation to dig into it. If anyone comes across this with an idea or solution please feel free to bump the thread.

Thank you!
 

Kingp1n

Very Senior Member
Don't use DoT. This is the only solution so far. You don't really need it anyway.
@Tech9

Do you feel the same way about using Unbound? Just curious on your thoughts!
 

sfx2000

Part of the Furniture
Do you feel the same way about using Unbound? Just curious on your thoughts!

The earth is flat there... if you really want to spin up things, ask him about IPv6 :D

DoT/DoH on unbound works fine - I'm not a big fan of DoH, but DNS over TLS is something I can get behind...
 

Tech9

Part of the Furniture
Do you feel the same way about using Unbound? Just curious on your thoughts!

DoT is encryption. Unbound is a server. You can use Unbound with DoT to upstream servers, as a resolver or a forwarder. I never tested the effect of Unbound + DoT on IoT devices connected to an Asus router, if this is what you're asking. What I know is my test IoT (an LG washer) stays connected to my main system regardless of settings (including DoT), but generates endless reconnection logs when connected to the AX86U with DoT enabled. I don't know what the issue is yet, but DoT disabled on the AX86U stops the reconnections.

If you're asking about using Unbound in general: your choice. As a resolver it may reveal your public IP upstream, but not really a big concern. Once it builds the cache you'll get 1 ms query resolution. Before that it will be slow, >100-200 ms. As a forwarder you'll get a constant 10-40 ms to your DNS provider's servers, whatever speed they have in your area. They don't need to build the cache; they have it already, much larger than yours. If you want a filtering DNS service but you don't know what to filter, use it as a forwarder to Cloudflare, Quad9, OpenDNS, etc. I personally wouldn't bother; the built-in Dnsmasq is doing a good job already. It's lightweight and you'll see no difference.

I'm not a big fan of DoH

Blocked on my networks.
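Tech9's resolver-versus-forwarder split written out in Unbound's own config syntax, as an added example that is not from the thread, the amtm installer or Asuswrt. The listen address, the certificate bundle path and the root-hints path are assumptions; the two upstreams are Quad9's and Cloudflare's published DoT endpoints. The two variants are alternatives; use one.

```conf
# Variant 1, forwarder: every query leaves over TLS (RFC 7858, TCP/853) to the
# named upstream, which answers from its own large cache and sees your queries.
server:
    interface: 127.0.0.1@5335          # assumption; dnsmasq would use server=127.0.0.1#5335
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # path is an assumption
forward-zone:
    name: "."
    forward-tls-upstream: yes          # refuse to fall back to plain DNS for this zone
    forward-addr: 9.9.9.9@853#dns.quad9.net            # IP@port#name checked in the cert
    forward-addr: 1.1.1.1@853#cloudflare-dns.com

# Variant 2, resolver: no forward-zone, so Unbound walks from the root servers
# itself. Those iterative queries are plain DNS (DoT does not apply to them), the
# authoritative servers see your public IP, and the first lookup of each name is
# slow until the local cache warms up.
server:
    interface: 127.0.0.1@5335
    root-hints: "/var/lib/unbound/root.hints"   # assumption; fetched from InterNIC
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # DNSSEC validation
    harden-dnssec-stripped: yes
```

In the forwarder variant Unbound verifies the upstream's certificate chain against the bundle and the name after `#` against the certificate, so a typo in that name fails closed rather than silently downgrading. In the resolver variant there is no DoT leg at all, which is why "Unbound with DoT" only means something when a forward-zone is present.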
 

Kingp1n

Very Senior Member
The earth is flat there... if you really want to spin up things, ask him about IPv6 :D

DoT/DoH on unbound works fine - I'm not a big fan of DoH, but DNS over TLS is something I can get behind...
I don't use IPv6.

I do use Unbound, installed through amtm, but without DoT enabled.
 

sfx2000

Part of the Furniture
Enabling DNS over TLS seems to break my Emporia Smart Plug

Seems to be a firmware issue with the smart plug connecting to Emporia's backend...

https://www.reddit.com/r/HomeNetworking/comments/rd2hro
I've got a couple of Kasa Smart plugs and they are fine with DoT enabled on my network; actually, they're good even with IPv6 in play...

These are the ones I have... they don't do all the functionality of the Emporia's perhaps, but they do work nicely over the WAN side...
 

kngklla

Occasional Visitor
Seems to be a firmware issue with the smart plug connecting to Emporia's backend...

https://www.reddit.com/r/HomeNetworking/comments/rd2hro
I've got a couple of Kasa Smart plugs and they are fine with DoT enabled on my network; actually, they're good even with IPv6 in play...
Thanks. I came across this thread where someone dug deeper with a similar issue on Wyze cameras. My guess is the same thing is happening here, the Emporia devices can’t handle the responses they are receiving from the router. I’m not sure which vendor is really to blame, but I imagine it’s the IoT devices running insufficient software:

 

Kingp1n

Very Senior Member
DoT is encryption. Unbound is a server. You can use Unbound with DoT to upstream servers, as a resolver or a forwarder. I never tested the effect of Unbound + DoT on IoT devices connected to an Asus router, if this is what you're asking. What I know is my test IoT (an LG washer) stays connected to my main system regardless of settings (including DoT), but generates endless reconnection logs when connected to the AX86U with DoT enabled. I don't know what the issue is yet, but DoT disabled on the AX86U stops the reconnections.

If you're asking about using Unbound in general: your choice. As a resolver it may reveal your public IP upstream, but not really a big concern. Once it builds the cache you'll get 1 ms query resolution. Before that it will be slow, >100-200 ms. As a forwarder you'll get a constant 10-40 ms to your DNS provider's servers, whatever speed they have in your area. They don't need to build the cache; they have it already, much larger than yours. If you want a filtering DNS service but you don't know what to filter, use it as a forwarder to Cloudflare, Quad9, OpenDNS, etc. I personally wouldn't bother; the built-in Dnsmasq is doing a good job already. It's lightweight and you'll see no difference.



Blocked on my networks.
The basic Unbound install/setup from amtm would be considered a "resolver" setup?
 
