
Help configuring and testing DNS-over-TLS on 384.13

Discussion in 'Asuswrt-Merlin' started by djphilosophy, Nov 8, 2019.

  1. djphilosophy

    djphilosophy Occasional Visitor

    Joined:
    May 9, 2019
    Messages:
    12
    I'm trying to set up DNS over TLS on 384.13. Both the Cloudflare help page and the Tenta test page report that TLS over DNS is not enabled (DNSSEC currently disabled).

    Is this a configuration problem? A shortcoming of the testing pages? Might I need to do a factory reset (didn't do one after recent upgrade to 384.13)?

    Here are my current WAN DNS settings (DNSFilter is set to "Router"):

    [image: screenshot of the WAN DNS settings]

    I've spent an hour doing searches for solutions, followed one thread here which got me to where I am (the settings above). Any help is much appreciated.
     
  2. Butterfly Bones

    Butterfly Bones Very Senior Member

    Joined:
    Apr 10, 2017
    Messages:
    951
    Location:
    USA
    Have you tried this thread?
    https://www.snbforums.com/threads/how-to-set-up-dns-over-tls-384-13.59461/
     
  3. krgck

    krgck Occasional Visitor

    Joined:
    Sep 24, 2019
    Messages:
    11
    Cloudflare test doesn't work dnssec enabled. Their issue.

    Tenta's test works only when using their public DNS.

    Your config is fine.
     
  4. Mutzli

    Mutzli Senior Member

    Joined:
    Dec 22, 2014
    Messages:
    316
    Your configuration looks good and it probably works, but the online tests are flawed. You can do a DNS over TLS check from your SSH console with the following command:
    tcpdump -ni eth0 -p port 53 or port 853

    Watch the traffic and you should see DNS requests being routed through port 853 to Quad9 or Cloudflare, depending on your configuration. It will look something like this:
    15:59:18.936390 IP your.ip.address.43711 > 1.0.0.1.853: Flags [.], ack 1, win 229, length 0

    If you see port 53 instead, then it is not working correctly.
     
    royarcher and Makaveli like this.
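    As an added illustration (not Mutzli's code or anything from the router firmware) of how to read that tcpdump output automatically: the function below takes lines captured with the command above on stdin, looks only at flows that originate from the router's WAN address (passed as an argument; the 192.0.2.10 address and the sample capture lines are constructed), and reports whether upstream DNS went out on port 853 (DoT) or leaked out in plaintext on port 53. LAN clients querying the router itself on port 53 are normal and are ignored.

```shell
#!/bin/sh
# Classify lines from:  tcpdump -ni eth0 -p port 53 or port 853
# Only flows whose source host is the router's WAN address count as "upstream".
#   dst port 853 -> DNS over TLS (what you want to see)
#   dst port 53  -> plaintext DNS to the upstream resolver (a leak)
# Usage: classify_dns_capture WAN_IP < capture.txt   (WAN_IP is a placeholder)
classify_dns_capture() {
  awk -v wan="$1" '
    $2 == "IP" && $4 == ">" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      # tcpdump prints host.port; the port is everything after the last dot
      n = split(src, s, "."); sport = s[n]
      shost = substr(src, 1, length(src) - length(sport) - 1)
      m = split(dst, d, "."); dport = d[m]
      if (shost != wan) next            # LAN client -> router queries are fine
      if (dport == "853") dot++
      else if (dport == "53") plain++
    }
    END {
      printf "dot=%d plain=%d ", dot + 0, plain + 0
      if (dot + 0 > 0 && plain + 0 == 0) print "status=DOT_OK"
      else if (plain + 0 > 0)            print "status=PLAINTEXT_LEAK"
      else                               print "status=NO_UPSTREAM_DNS_SEEN"
    }'
}

# Constructed sample capture: one DoT flow to Cloudflare, one LAN client
# asking the router (ignored), one DoT flow to Quad9. Not real traffic.
SAMPLE_CAPTURE='15:59:18.936390 IP 192.0.2.10.43711 > 1.0.0.1.853: Flags [.], ack 1, win 229, length 0
15:59:19.001000 IP 192.168.1.20.51234 > 192.168.1.1.53: 12345+ A? example.com. (29)
15:59:19.010000 IP 192.0.2.10.43712 > 9.9.9.9.853: Flags [P.], seq 1:100, ack 1, win 229, length 99'

demo() { printf '%s\n' "$SAMPLE_CAPTURE" | classify_dns_capture 192.0.2.10; }
demo
```

On the router, pipe a live capture through it instead: `tcpdump -nli eth0 -p port 53 or port 853 | classify_dns_capture <WAN_IP>` after stopping it with Ctrl-C (use ppp0 instead of eth0 on PPPoE, as noted later in the thread).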
  6. djphilosophy

    djphilosophy Occasional Visitor

    Joined:
    May 9, 2019
    Messages:
    12
    Connecting via SSH to the router I get "-sh: tcpdump: not found". I'm guessing I have to install it via package manager?
     
  7. Mutzli

    Mutzli Senior Member

    Joined:
    Dec 22, 2014
    Messages:
    316
    Yes, sorry, I forgot that little bit of info.
    Run the following at an SSH prompt:

    opkg update
    opkg install tcpdump
     
    Makaveli likes this.
  8. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,348
    Is LAN / DHCP Server / DNS Server 1 entry blank?
     
  9. DocUmibozu

    DocUmibozu New Around Here

    Joined:
    Nov 22, 2015
    Messages:
    7
    Replace eth0 with ppp0 if you use PPPoE.
     
  10. djphilosophy

    djphilosophy Occasional Visitor

    Joined:
    May 9, 2019
    Messages:
    12
    Looks like opkg isn't installed either: "-sh: opkg: not found"

    This is from /tmp/home/root. Do I need to change directories?

    Yup, both 1 and 2.
     
  11. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,348
    Do you have any reason to think it's not working? It looks right as rain to me. If it were "broken" you would be having trouble getting to the Internet at all.

    You can switch your DNS Privacy servers from Quad9 to Cloudflare and retest their 1.1.1.1/help site if it makes it any better. If it still comes back as WoodyNet it means it's using your WAN DNS servers, and DoT is not working.

    Using tcpdump from Entware requires a USB drive attached to your router.
     
  12. djphilosophy

    djphilosophy Occasional Visitor

    Joined:
    May 9, 2019
    Messages:
    12
    I don't have any reason to think it's not working, I just figured that there was a way to reliably test that it is. If I switch the DNS servers in the DNS-over-TLS Server List to Cloudflare's, I do see Cloudflare instead of WoodyNet on Cloudflare's test site. I guess that means it's working?
     
  13. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,348
    Does it show connected with TLS in that help page? Or still No?
     
  14. djphilosophy

    djphilosophy Occasional Visitor

    Joined:
    May 9, 2019
    Messages:
    12
    Still "No".
     
  15. krgck

    krgck Occasional Visitor

    Joined:
    Sep 24, 2019
    Messages:
    11
    Set Cloudflare as your DoT DNS.

    1.1.1.1/help will show DoT enabled when you turn off DNSSEC it will break this test. Well-known issue at their end.

    Already told you this on 3rd post.
     
  16. MarkRH

    MarkRH Senior Member

    Joined:
    Oct 1, 2015
    Messages:
    236
    Location:
    Oklahoma City, OK
    You can try going to the Network Tools menu -> Netstat Tab and click Diagnose. You should see under the Foreign Address something like
    Code:
    one.one.one.one:853
    when using Cloudflare or perhaps
    Code:
    9.9.9.9:853
    if using Quad9.
     
    dave14305 likes this.
  17. djphilosophy

    djphilosophy Occasional Visitor

    Joined:
    May 9, 2019
    Messages:
    12
    Assuming you mean that DNSSEC should be disabled in the WAN DNS settings, as you can see from my screenshot in post #1, it already is disabled.
     
  18. krgck

    krgck Occasional Visitor

    Joined:
    Sep 24, 2019
    Messages:
    11
    Set "Connect to DNS Server automatically" to yes.
     
  19. djphilosophy

    djphilosophy Occasional Visitor

    Joined:
    May 9, 2019
    Messages:
    12
    Doing this, I do see "one.one.one.one:853", preceded by an address connected to my local ISP. Changed it to Quad9 and I see "dns9.quad9.net:853". This confirms it's working?
     
  20. MarkRH

    MarkRH Senior Member

    Joined:
    Oct 1, 2015
    Messages:
    236
    Location:
    Oklahoma City, OK
    Yes. 853 is the port used by DNS over TLS.
     
    Makaveli likes this.