
Help needed with DNS settings

calamity

New Around Here
I have the Asus XT8 router (with 1 mesh node), running Gnuton 388.8 FW. I tried to switch my DNS from Cloudflare to CleanBrowsing (security). I entered the IP addresses of the CleanBrowsing servers in the DNS Server field on the WAN tab. I also have DNS Director enabled on the LAN tab, and Global Redirection set to router. (Please see the screenshots that follow.) But when I tried to check that this was working on DNSLeakTest.org, the results do NOT show that CleanBrowsing is my current DNS server.

Do the LAN>DHCP settings also have an influence?

And I think the result might be influenced by DNS settings in my browser.

Using Brave, DDG, and Safari, I get essentially the same result - the IP address may vary, but the hostname, ISP, and location are the same - and NOT CleanBrowsing. (This is regardless of how I set the DNS setting in Brave - even if I explicitly set it to CleanBrowsing in the dropdown menu.)

Using Firefox and Mullvad, I have a more fundamental problem, usually getting the “Hmm… we are having trouble finding that website” message, even though I’ve tried various network settings.

Any suggestions as to how I can resolve this mess? Please remember I’m technologically impaired when replying! Thank you.

[Screenshot attachments: 1759297979764.png, 1759298008740.png, 1759298135494.png, 1759298170811.png]

Brave DNSLeakTest result (Brave DNS set to CleanBrowsing in drop-down menu):
[Screenshot attachment: 1759298252908.png]

Thank you!
 
If you are not using the DNS Director to point to other devices such as on-prem DNS servers or a combination of WAN DNS servers for different clients, then turn DNS Director off.

There are two places to set DNS: LAN & WAN. The first one is LAN. If you intend to use the router as the primary DNS internally, make sure that "Advertise Router's IP" is set to "Yes" and leave the DNS 1 & 2 boxes empty.

[Screenshot attachments: 1759318126699.png, 1759317220045.png]


The next area is the WAN area. This is where you set your upstream DNS server. This is the DNS server you want to use outside your network to find WAN sites and services. You will see a section for WAN DNS. Since I use an on-prem DNS filter / server of my own, my internal server is both the internal and external setting because I want ALL my traffic to go through my on-prem. In your case you would set this to the IP of the WAN DNS you want to use. Leaving it at the default, it will pull in your ISP's DNS servers.

Last bit of info here: more and more browsers are building in DNS directors, meaning the browser itself can override your router. That DNS over TLS setting, or even DoH specifically, will not be decrypted by your router, so if that's being used the router config has almost no bearing on the DNS to use. As you see, I have that off because I do not want my traffic going around my on-prem DNS server. My on-prem also blocks ALL other DNS IPs and FQDNs.

So as stated, turn off the DNS Director and use LAN/WAN settings for a simple setup like yours, and if the browser you are using is controlling DNS requests, then your router is doing very little here, and DNS Director is likely adding a bit of latency to the lookups. 10 ms maybe, not huge.

NOTE: If you do not block DNS IPs and FQDNs with a DNS filter, there are some devices and software that hardcode a specific DNS to use. There is not much you can do about that unless you set up your own DNS filter / server.

[Screenshot attachments: 1759318083630.png, 1759317542837.png, 1759317554735.png]


I don't use Brave browser, but I'm almost certain that your browser has controls for DNS choice. Which is why you set Google's IPs for DNS, but you show traffic going to CleanBrowsing, which is contradictory to your router settings, other than the DNS over TLS IP you have set. You have set Global DNS redirection to the router and put in Google's DNS server IP in the "User Defined". User defined in this case does nothing because you are not assigning any of your internal device IPs to use user defined. Again, another reason to just turn off DNS Director in this case. As stated, DNS over TLS will not allow the router to interfere in the DNS choice, but it also adds a small bit of latency to the lookups.
There are a few misunderstandings in your post about how the Asus DNS settings work.
 
> If you are not using the DNS Director to point to other devices such as on-prem DNS servers or a combination of WAN DNS servers for different clients, then turn DNS Director off.

DNS Director is mostly used to prevent clients from ignoring the DHCP-provided DNS servers or overriding them with hardcoded DNS servers. It will also block DoT from clients depending on the chosen blocking mode.

> If you intend to use the router as the primary DNS internally, make sure that "Advertise Router's IP" is set to "Yes" and leave the DNS 1 & 2 boxes empty.

The "Advertise Router's IP..." option is ignored if both DNS 1 & 2 boxes are empty. Note the "...in addition to user-specified DNS" in the option's text.

> NOTE: If you do not block DNS IPs and FQDNs with a DNS filter, there are some devices and software that hardcode a specific DNS to use. There is not much you can do about that unless you set up your own DNS filter / server.

This is exactly what DNS Director is for; in fact it used to be called "DNS Filter" a while back.

> Which is why you set Google's IPs for DNS, but you show traffic going to CleanBrowsing, which is contradictory to your router settings, other than the DNS over TLS IP you have set. You have set Global DNS redirection to the router and put in Google's DNS server IP in the "User Defined". User defined in this case does nothing because you are not assigning any of your internal device IPs to use user defined.

Google DNS is the default for those 3 User Defined fields, and was irrelevant to the discussion since they aren't being assigned anywhere (as you noted correctly).

> Again, another reason to just turn off DNS Director in this case.

If the OP wants all outgoing DNS traffic to be encrypted, setting up DoT on the router and setting DNS Director global mode to "Router" will accomplish that.

Apologies if this feels like an attack or takedown, but these misconceptions pop up frequently on the forums. Maybe AI has propagated them.
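The two replies above make the same practical point from different angles: plain port-53 queries from a client can be pulled back to the router (what DNS Director's "Router" mode does), while DoT on port 853 and DoH on 443 cannot be read or rewritten by the router at all, which is why the browser's own DNS setting decides what a leak test shows. The following script is an added illustration and is not code from the thread, from Asus, or from the Gnuton firmware. It parses a handful of constructed conntrack-style flow records (the client addresses, the router's assumed LAN address 192.168.50.1 and the resolver addresses are all made up for the example), labels each flow as going via the router, bypassing it with a hardcoded plain-DNS resolver, using DoT, or being ordinary HTTPS that could equally be DoH, and then models what "Global Redirection = Router" would do to each flow: port-53 traffic is rewritten to the router, encrypted traffic is left untouched. The flow format and the function names are assumptions of this example.

```python
"""Spot LAN clients whose DNS bypasses the router, and model DNS Director's
"Router" redirection.  Constructed example for the SNBForums thread above; it
is not Asus or Gnuton firmware code.  Assumptions: the router's LAN address is
192.168.50.1 and the flow lines below are made up in a conntrack-like format:
    <proto> src=<client ip> dst=<server ip> dport=<port>
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

ROUTER_LAN_IP = ipaddress.ip_address("192.168.50.1")  # assumed router LAN address

# Constructed sample flows, one per case discussed in the thread.
SAMPLE_FLOWS = """\
udp src=192.168.50.20 dst=192.168.50.1 dport=53
udp src=192.168.50.20 dst=9.9.9.9 dport=53
udp src=192.168.50.21 dst=8.8.8.8 dport=53
tcp src=192.168.50.22 dst=1.1.1.1 dport=853
tcp src=192.168.50.23 dst=203.0.113.10 dport=443
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flows(text):
    """Parse the constructed conntrack-like lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        flows.append(Flow(proto, ipaddress.ip_address(kv["src"]),
                          ipaddress.ip_address(kv["dst"]), int(kv["dport"])))
    return flows


def classify(flow):
    """Label a flow by how it relates to the router's DNS configuration."""
    if flow.dport == 53:
        if flow.dst == ROUTER_LAN_IP:
            return "plain_dns_via_router"       # what the LAN/WAN settings intend
        return "plain_dns_bypass"               # hardcoded resolver on the client
    if flow.dport == 853:
        return "dot_encrypted"                  # DoT: router cannot read or rewrite it
    return "not_dns_classifiable"               # DoH rides on 443 and looks like any HTTPS


def apply_dns_director_router_mode(flow):
    """Model 'Global Redirection = Router': plain port-53 queries are rewritten
    to the router; encrypted DNS (DoT/DoH) is left as-is because the router
    cannot decrypt it."""
    if flow.dport == 53 and flow.dst != ROUTER_LAN_IP:
        return Flow(flow.proto, flow.src, ROUTER_LAN_IP, 53)
    return flow


def summarize(text):
    """Return per-category counts and the clients using a hardcoded resolver."""
    flows = parse_flows(text)
    counts = Counter(classify(f) for f in flows)
    bypassing = sorted({str(f.src) for f in flows
                        if classify(f) == "plain_dns_bypass"})
    return counts, bypassing


if __name__ == "__main__":
    counts, bypassing = summarize(SAMPLE_FLOWS)
    for label, n in sorted(counts.items()):
        print(f"{label:24s} {n}")
    print("clients with hardcoded plain DNS:", ", ".join(bypassing))
    for f in parse_flows(SAMPLE_FLOWS):
        after = apply_dns_director_router_mode(f)
        print(f"{f.src} -> {f.dst}:{f.dport}  becomes  {after.dst}:{after.dport}")
```

Running it shows one flow already going to the router, two clients with hardcoded plain resolvers that "Router" mode would redirect, one DoT flow that the router can only allow or drop (per the blocking mode the reply mentions) but never redirect, and one port-443 flow that cannot be told apart from DoH by destination port alone. That last category is the reason a browser with its own secure-DNS setting still shows up as "not CleanBrowsing" on a leak test regardless of what the WAN DNS field says.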