Help needed with DNS settings

calamity

New Around Here
I have the Asus XT8 router (with 1 mesh node), running Gnuton 388.8 FW. I tried to switch my DNS from Cloudflare to CleanBrowsing (security). I entered the IP addresses of the CleanBrowsing servers in the DNS Server field on the WAN tab. I also have DNS Director enabled on the LAN tab, and Global Redirection set to router. (Please see the screenshots that follow.) But when I tried to check that this was working on DNSLeakTest.org, the results do NOT show that CleanBrowsing is my current DNS server.

Do the LAN>DHCP settings also have an influence?

And I think the result might be influenced by DNS settings in my browser.

Using Brave, DDG, and Safari, I get essentially the same result - the IP address may vary, but the hostname, ISP, and location are the same - and NOT CleanBrowsing. (This is regardless of how I set the DNS setting in Brave - even if I explicitly set it to CleanBrowsing in the dropdown menu.)

Using Firefox and Mullvad, I have a more fundamental problem, usually getting the “Hmm… we are having trouble finding that website” message, even though I’ve tried various network settings.

Any suggestions as to how I can resolve this mess? Please remember I’m technologically impaired when replying! Thank you.

Brave DNSLeakTest result (Brave DNS set to CleanBrowsing in drop-down menu):
1759298252908.png

Thank you!
 
If you are not using the DNS director to point to other devices such as on prem DNS servers or a combination of WAN DNS servers for different clients, then turn DNS director off.

There are two places to set DNS: LAN & WAN. This first one is LAN. If you intend to use the router as the primary DNS internally, make sure that the Advertise Router's IP is set to "Yes" and leave the DNS 1 & 2 boxes empty.

The next area is the WAN area. This is where you set your upstream DNS server. This is your DNS server you want to use outside your network to find WAN sites and services. You will see a section for WAN DNS. Since I use an on prem DNS filter / server of my own, my internal server is both the internal and external setting because I want ALL my traffic to go through my on prem. In your case you would set this to the IP of the WAN DNS you want to use. Left at default, it will pull in your ISP's DNS servers.

Last bit of info here, more and more browsers are building in DNS directors, meaning the browser itself can override your router. That DNS over TLS setting, or even DoH, specifically, will not be decrypted by your router so if that's being used the router config has almost no bearing on the DNS to use. As you see I have that off because I do not want my traffic going around my on prem DNS server. My on prem also blocks ALL other DNS IPs and FQDNs.

So as stated, turn off the DNS director and use LAN/WAN settings for a simple setup like yours, and if the browser you are using is controlling DNS requests, then your router is doing very little here, and DNS director is likely adding a bit of latency to the lookups. 10 ms maybe, not huge.

NOTE: If you do not block DNS IPs and FQDNs with a DNS filter, there are some devices and software that hardcode a specific DNS to use. There is not much you can do about that unless you set up your own DNS filter / server.

I don't use Brave browser but I'm almost certain that your browser has controls for DNS choice. Which is why you set Google's IPs for DNS, but you show traffic going to the Clean Browsing, which is contradictive to your router settings, other than the DNS over TLS IP you have set. You have set Global DNS redirection to the router and put in Google's DNS server IP in the "User Defined". User defined in this case does nothing because you are not assigning any of your internal device IPs to use user defined. Again, another reason to just turn off DNS director in this case. As stated, DNS over TLS will not allow the router to interfere in the DNS choice but it also adds a small bit of latency to the lookups.
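
The following is an added example, not written by either poster and not part of the router firmware. It sorts a list of outbound flows by DNS transport to show which clients skip the router's resolver: plain DNS sent straight to an outside server, DNS over TLS on port 853, or likely DoH on port 443 to a known public resolver. The router address, the flow-line format, the sample flows and the short resolver list are all assumptions constructed for illustration.

```python
from collections import defaultdict

ROUTER_IP = "192.168.50.1"  # assumption: the router's LAN address
# Assumption: small hand-kept list of public resolvers that also serve DoH on 443.
DOH_RESOLVERS = {"1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
                 "8.8.8.8": "Google", "8.8.4.4": "Google"}

# Constructed sample, one outbound flow per line: "client proto dst_ip:dst_port".
SAMPLE_FLOWS = """\
192.168.50.23 udp 192.168.50.1:53
192.168.50.23 tcp 1.1.1.1:443
192.168.50.40 udp 8.8.8.8:53
192.168.50.41 tcp 1.1.1.1:853
192.168.50.41 tcp 203.0.113.10:443
"""

def parse(line):
    """Split one flow line into (client, proto, dst_ip, dst_port)."""
    client, proto, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return client, proto, ip, int(port)

def classify(proto, ip, port):
    """Label a flow by the DNS transport it most likely carries."""
    if port == 53:
        # Plain DNS: the router answers it, or the client hard-codes a server.
        return "router-dns" if ip == ROUTER_IP else "direct-dns"
    if port == 853 and proto == "tcp":
        return "dot"   # DNS over TLS: encrypted, router cannot read the query
    if port == 443 and ip in DOH_RESOLVERS:
        return "doh"   # likely DoH: looks like HTTPS, only the destination hints
    return "other"

def bypass_report(text):
    """Map each client to the transports it uses that skip the router's resolver."""
    report = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, proto, ip, port = parse(line)
        kind = classify(proto, ip, port)
        if kind in ("direct-dns", "dot", "doh"):
            report[client].add(kind)
    return {client: sorted(kinds) for client, kinds in report.items()}

if __name__ == "__main__":
    for client, kinds in bypass_report(SAMPLE_FLOWS).items():
        print(client, "->", ", ".join(kinds))
```

A client that shows up only under `doh` or `dot` is resolving names on its own, so a leak test run from it reflects the browser's or device's resolver rather than the WAN DNS setting.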
 