Enabling DNS-over-TLS (DoT) is now allowing a flood of ads through


Ronbo

Occasional Visitor
Well Well. While posting this thread, I discover that changes I made to Firefox are the issue!
network.trr.mode 0 -> 2
network.security.esni.enabled false -> true
The above settings were related to more secure DNS-over-HTTPS (DoH)

When I enabled the above Firefox configuration, it allows a flood of ads. It makes me appreciate all the wonderful software provided by contributors!
***********************************************************************************************
I am going ahead with the post because I do detail my DNS related settings and this may help someone else.

I am running 384.15 Asus Merlin on an AC86U router. Since installing 384.15 I have had issues with DNS I didn't notice in prior releases. Some devices (such as my SmartTV, a Kindle, old iPad & Firestick) couldn't connect to the internet at all using the Gateway 192.168.1.1 and DNS 192.168.1.1. Most of my network devices could access the Internet using these Gateway/DNS settings. Very confusing why some worked & others didn't. I also continued to get DNS leaks.

I am running amtm, Skynet, Diversion, ya-block-malware

Prior to making the bolded changes below, I had a handful of devices that simply would not access the internet. Once I started using DNS-over-TLS, every single device on the network connects to the internet. However, all the above adware/malware blockers appear to no longer block anything. It appears that my traffic is not going through the router the way it was. When I use Firefox to browse a website, I see ads popping up everywhere.

I tried to use different DNS settings to get all my devices accessing the Internet.

LAN/DHCP Server
DNS Server 1 & 2: Blank
Advertise router's IP in addition to user-specified DNS: Yes
WINS Server: Blank
WAN DNS Setting
Connect to DNS Server Automatically: No
DNS Server 1: 8.8.8.8
DNS Server 2: 1.1.1.1
Forward local domain queries to upstream DNS: No
Enable DNSSEC support: No
DNS Privacy Protocol: DNS-over-TLS (DoT) <-- Was set to NONE
DNS-over-TLS Profile: Strict
I have 4 Preset Servers in the list

VPN Client
Accept DNS Configuration: Strict
Create NAT on tunnel: Yes
Inbound Firewall: Block
Force Internet traffic through tunnel: Policy Rules (Strict)
Block routed clients if tunnel goes down: Yes
ALL-LAN 192.168.1.0/24 0.0.0.0 VPN

Question: Does anyone know what, if any, servers (like CloudFlare but not CloudFlare) handle DNS-over-TLS (DoT) who advertise they don't record/track DNS queries coming through their servers?

Mutzli

Very Senior Member
NextDNS might be of interest to you:
One of the developers is a (recent) member of this forum.

and you can configure Firefox to use NextDNS as default resolver:
[attached screenshot: upload_2020-2-25_16-55-52.png]

RMerlin

Asuswrt-Merlin dev
Ronbo said:
Well Well. While posting this thread, I discover that changes I made to Firefox are the issue!
network.trr.mode 0 -> 2
network.security.esni.enabled false -> true
The above settings were related to more secure DNS-over-HTTPS (DoH)

When I enabled the above Firefox configuration, it allows a flood of ads. It makes me appreciate all the wonderful software provided by contributors!

What you did there is basically tell Firefox to ignore any DNS features from your router, and use their built-in DNS handling instead. So if you have ad blocking implemented on your router, you are bypassing it by using that feature.

rgnldo

Very Senior Member
Ronbo said:
network.trr.mode 0 -> 2

Your router's ad blocking is based on your DNS.
With this activated (trr = Trusted Recursive Resolver), Firefox will use another resolver, bypassing your DNS. Like a VPN, it ignores any local DNS service management.

It is an unreliable feature at the browser level. You will have problems.

JohnD5000

Senior Member
RMerlin said:
What you did there is basically tell Firefox to ignore any DNS features from your router, and use their built-in DNS handling instead. So if you have ad blocking implemented on your router, you are bypassing it by using that feature.

Is there any test to confirm that what we setup on our router is what is being used by our browser?
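One offline check for the browser side of this, added here as an example and not code from the thread or the Asuswrt-Merlin project: it parses a Firefox profile's prefs.js/user.js and reports whether network.trr.mode (2 = DoH first, 3 = DoH only) routes lookups around the router's DNS blocking that RMerlin describes above. The sample prefs.js content and the DoH URL in it are constructed; the parser handles only the simple one-line pref syntax Firefox writes.

```python
import re
from pathlib import Path
# network.trr.mode values: 2 and 3 send lookups to Firefox's DoH resolver
# instead of the router, so router-side DNS blocking never sees them.
TRR_MODES = {
    0: "off: native resolver, router DNS filtering applies",
    2: "DoH first with native fallback: router DNS filtering is bypassed",
    3: "DoH only: router DNS filtering is bypassed",
}
BYPASS_MODES = {2, 3}
# Matches pref lines such as: user_pref("network.trr.mode", 2);
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$')
# Constructed sample prefs.js mirroring the thread's settings (not a real profile).
SAMPLE_PREFS_JS = """\
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.invalid/dns-query");
user_pref("network.security.esni.enabled", true);
"""

def parse_prefs(text):
    """Parse prefs.js / user.js text into {pref name: bool | int | str}."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        prefs[name] = (raw == "true" if raw in ("true", "false")
                       else int(raw) if re.fullmatch(r"-?\d+", raw) else raw.strip('"'))
    return prefs

def audit_doh(prefs):
    """Report whether these prefs make Firefox resolve names outside the router."""
    mode = prefs.get("network.trr.mode", 0)
    return {
        "trr_mode": mode,
        "trr_uri": prefs.get("network.trr.uri", ""),
        "esni_enabled": bool(prefs.get("network.security.esni.enabled", False)),
        "bypasses_router_dns": mode in BYPASS_MODES,
        "meaning": TRR_MODES.get(mode, "unknown or reserved mode"),
    }

def audit_profile(profile_dir):
    """Audit a real profile directory; user.js overrides prefs.js at startup."""
    merged = {}
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.is_file():
            merged.update(parse_prefs(path.read_text(encoding="utf-8")))
    return audit_doh(merged)
```

Run audit_profile() against the profile directory of each Firefox install on the LAN; any result with bypasses_router_dns set to True is a browser that Diversion and the router's DoT settings never see.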

ankhazam

Regular Contributor
Hi,
I wanted to confirm one thing about DoT in RMerlin firmware. Namely, is this comment still valid, and in e.g. 384.17 do we still need to set it instead of leaving those fields blank?
https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Privacy said:
IMPORTANT: for DNS Privacy to work in IPv6, you must set IPv6 DNS Server in IPv6 page (not equivalent to add IPv6 DoT servers on the WAN -> Internet Connection page) to your router's LAN IPv6 Link-Local Address. You can find your router's LAN IPv6 Link-Local Address in System Log -> IPv6 tab.
