
Help needed with DNS settings

calamity

New Around Here
I have the Asus XT8 router (with 1 mesh node), running Gnuton 388.8 FW. I tried to switch my DNS from Cloudflare to CleanBrowsing (security). I entered the IP addresses of the CleanBrowsing servers in the DNS Server field on the WAN tab. I also have DNS Director enabled on the LAN tab, and Global Redirection set to router. (Please see the screenshots that follow.) But when I tried to check that this was working on DNSLeakTest.org, the results do NOT show that CleanBrowsing is my current DNS server.

Do the LAN>DHCP settings also have an influence?

And I think the result might be influenced by DNS settings in my browser.

Using Brave, DDG, and Safari, I get essentially the same result - the IP address may vary, but the hostname, ISP, and location are the same - and NOT CleanBrowsing. (This is regardless of how I set the DNS setting in Brave - even if I explicitly set it to CleanBrowsing in the dropdown menu.)

Using Firefox and Mullvad, I have a more fundamental problem, usually getting the “Hmm… we are having trouble finding that website” message, even though I’ve tried various network settings.

Any suggestions as to how I can resolve this mess? Please remember I’m technologically impaired when replying! Thank you.

1759297979764.png

1759298008740.png


1759298135494.png


1759298170811.png



Brave DNSLeakTest result (Brave DNS set to CleanBrowsing in drop-down menu):
1759298252908.png

Thank you!
 
If you are not using the DNS director to point to other devices such as on prem DNS servers or a combination of WAN DNS servers for different clients, then turn DNS director off.

There are two places to set DNS. LAN & WAN. This first one is LAN. If you intend to use the router as the primary DNS internally make sure that the Advertise Router's IP is set to "Yes" and leave the DNS 1 & 2 boxes empty.

1759318126699.png

1759317220045.png


The next area is the WAN area. This is where you set your upstream DNS server. This is your DNS server you want to use outside your network to find WAN sites and services. You will see a section for WAN DNS. Since I use an on prem DNS filter / server of my own my internal server is both the internal and external setting because I want ALL my traffic to go through my on prem. In your case you would set this to the IP of the WAN DNS you want to use. Leaving default it will pull in your ISPs DNS servers.

Last bit of info here, more and more browsers are building in DNS directors, meaning the browser itself can override your router. That DNS over TLS setting, or even DoH, specifically, will not be decrypted by your router so if that's being used the router config has almost no bearing on the DNS to use. As you see I have that off because I do not want my traffic going around my on prem DNS server. My on prem also blocks ALL other DNS IPs and FQDNs.

So as stated, turn off the DNS director and use LAN/WAN settings for a simple setup like yours, and if the browser you are using is controlling DNS requests, then your router is doing very little here, and DNS director is likely adding a bit of latency to the lookups. 10 ms maybe, not huge.

NOTE: If you do not block DNS IPs and FQDNs with a DNS filter, there are some devices and software that hardcode a specific DNS to use. There is not much you can do about that unless you set up your own DNS filter / server.

1759318083630.png

1759317542837.png

1759317554735.png


I don't use Brave browser but I'm almost certain that your browser has controls for DNS choice. Which is why you set Google's IPs for DNS, but you show traffic going to the Clean Browsing, which is contradictory to your router settings, other than the DNS over TLS IP you have set. You have set Global DNS redirection to the router and put in Google's DNS server IP in the "User Defined". User defined in this case does nothing because you are not assigning any of your internal device IPs to use user defined. Again, another reason to just turn off DNS director in this case. As stated, DNS over TLS will not allow the router to interfere in the DNS choice but it also adds a small bit of latency to the lookups.
 
There are a few misunderstandings in your post about how the Asus DNS settings work.
 
If you are not using the DNS director to point to other devices such as on prem DNS servers or a combination of WAN DNS servers for different clients, then turn DNS director off.

DNS Director is mostly used to prevent clients from ignoring the DHCP-provided DNS servers or overriding them with hardcoded DNS servers. It will also block DoT from clients depending on the chosen blocking mode.

If you intend to use the router as the primary DNS internally make sure that the Advertise Router's IP is set to "Yes" and leave the DNS 1 & 2 boxes empty.

The "Advertise Router's IP..." option is ignored if both DNS 1 & 2 boxes are empty. Note the "...in addition to user-specified DNS" in the option's text.

NOTE: If you do not block DNS IPs and FQDNs with a DNS filter there are some devices and software that hardcode a specific DNS to use. There is not much you can do about that unless you setup your own DNS filter / server.

This is exactly what DNS Director is for, in fact it used to be called "DNS Filter" a while back.

Which is why you set Google's IPs for DNS, but you show traffic going to the Clean Browsing, which is contradictive to your router settings, other than the DNS over TLS IP you have set. You have set Global DNS redirection to the router and put in Google's DNS server IP in the "User Defined". User defined in this case does nothing because you are not assigning any of your internal device IPs to use user defined.

Google DNS is the default for those 3 User Defined fields, and was irrelevant to the discussion since they aren't being assigned anywhere (as you noted correctly).

Again, another reason to just turn off DNS director in this case.

If the OP wants all outgoing DNS traffic to be encrypted, setting up DoT on the router and setting DNS Director global mode to "Router" will accomplish that.

Apologies if this feels like an attack or takedown, but these misconceptions pop up frequently on the forums. Maybe AI has propagated them.
 
All good man! DNS director is not included with stock firmware so I just went through the information on Google and this forum. Seems there are some details I overlooked.

When you’re wrong, you learn how to become right. Thank you for correcting my misinformation.

At least for me the DNS director was not robust enough to keep devices with hard-coded DNS IPs from bypassing it. Either way I get better functionality out of my separated DNS on prem.

Doesn't DNS over TLS or DoH bypass all this anyways? It was my understanding that once the session is connected the router just routes packets and is unable to modify or redirect it. This is why I do not use those features yet. I need to be able to inspect traffic so that I keep my kids from bypassing my DNS filters and safe search enforcement. I will admit I lack complete knowledge on DNS TLS and DoH and how it interacts with the router.
 
@Rajjco - Thank you, your link helped me see that the DNS server IS successfully set to CleanBrowsing (I didn’t realize that VULTR was associated with CleanBrowsing, and hadn’t seen the fully expanded hostname).

But other than that, sorry, I’m still completely lost, as most of this discussion is completely over my head - although I thank everyone for trying to help me.

1. On the WAN Internet Connection tab - under WAN DNS Setting - DNS Server:

Isn’t this the place to fill in the CleanBrowsing DNS server IP addresses?

Or should these DNS fields be set to my router’s IP address, as @GWTechTalk seems to have done?

Also, my additional settings beneath that differ from theirs, namely for Validate unsigned DNSSEC replies, Prevent client auto DoH, and DNS Privacy Protocol.

(I believe someone on this forum once recommended using DNS-over-TLS to me.)

2) Should LAN DNS Director be on or off? I currently have it ON, and I have Global redirections set to router.

3) On the LAN - DHCP tab, under DNS and WINS Server Setting, should I have something in the DNS Server fields? And if yes, what? And if yes, should advertise router’s IP be yes or no?

4) Browser DNS settings - Should I, whenever possible, set browser DNS settings to OFF? Will this allow my router to control everything? If my browser’s DNS setting differs from the router’s, does the browser’s win out?

5) Any thoughts as to why, in Firefox and Mullvad, I’m getting the “we are having trouble finding that website” message?

6) I am also having a problem where the Zoom Workplace app cannot connect from my mac, yet it does connect from my ipad, used on the same network. (Before I updated my router FW and started messing with the DNS settings, I could connect from both.)

7) I hope I am correct that none of my DNS requests are going to Google’s DNS server.

I guess it might help if I say that my goals are to 1) keep malware away, 2) prevent ads and tracking as much as possible, and 3) keep my browsing private from my ISP (and anyone else who would seek to use it to further their own interests). And yes, I'd like to understand all this router stuff a bit better!

Thanks very much for the help!
 
as most of this discussion is completely over my head

Your settings were fine.

4) Browser DNS settings - Should I, whenever possible, set browser DNS settings to OFF? Will this allow my router to control everything? If my browser’s DNS setting differs from the router’s, does the browser’s win out?

Browser secure DNS should be disabled, at least when on your trusted home network.

5) Any thoughts as to why, in Firefox and Mullvad, I’m getting the “we are having trouble finding that website” message?

You might face problems using CleanBrowsing over DoT for a couple reasons:
1. You've only added one cleanbrowsing IP address to the DoT server list. Add .11 as a secondary.
2. Cleanbrowsing implements an unusually short 5-second idle timeout for TLS connections. Stubby's idle_timeout setting should be changed from 9000 ms to 5000 ms to avoid being unable to forward to the cleanbrowsing servers.

You can verify the timeout by logging into the router over SSH and running:
Code:
time openssl s_client -port 853 -connect 185.228.168.10
You'll see a lot of TLS negotiation stuff scroll by, then wait for the end when it finally closes the connection from the remote side and the time command will display the elapsed "real" time. In my tests it's been about 5 seconds.

You would need to set up a custom script to update Stubby since it's not configurable via the GUI. See this post for an example:
You would replace the 1500 in that example with 5000, or even 4500 if you still face problems with Cleanbrowsing.
See the wiki if you haven't used custom scripts before:
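The idle-timeout check above uses `time openssl s_client` and reads the elapsed time off a bare TLS handshake. The following script is an added example, not code from the thread or from the firmware: it performs the same measurement in Python but first sends one real DNS-over-TLS query (RFC 7858 framing, the 2-byte length prefix of RFC 1035 TCP transport), so the idle timer is observed on an established DoT session, and it then derives a Stubby `idle_timeout` value that stays safely under what the resolver enforces. The CleanBrowsing address 185.228.168.10 and the firmware's 9000 ms default come from the thread; the query name `example.com`, the 500 ms safety margin, the 30-second cap and the `tls_name` parameter are assumptions of this example.

```python
"""Measure how long a DoT resolver keeps an idle TLS session open,
then suggest a Stubby idle_timeout that expires before the server's.
Added example; assumptions are marked in comments."""
import socket
import ssl
import struct
import time
from typing import Optional

STUBBY_DEFAULT_IDLE_MS = 9000   # value the thread reports for the firmware's Stubby config


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS wire-format query: one question, type A, class IN, RD=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def frame_for_dot(message: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def read_dot_response(sock) -> bytes:
    """Read one length-prefixed DNS message from the TLS socket."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def recommend_stubby_idle_timeout_ms(observed_idle_s: float, margin_ms: int = 500) -> int:
    """Stubby must drop an idle upstream session before the resolver does,
    otherwise the next query is written into a half-closed connection and fails.
    Stay `margin_ms` (assumed) under the measured value, never above the default."""
    candidate = int(observed_idle_s * 1000) - margin_ms
    return max(1000, min(STUBBY_DEFAULT_IDLE_MS, candidate))


def measure_idle_timeout(host: str, port: int = 853, qname: str = "example.com",
                         tls_name: Optional[str] = None, cap: float = 30.0) -> float:
    """Connect over TLS, send one query, then block until the resolver closes the
    session. Returns idle seconds observed, or `cap` if the server kept it open."""
    if tls_name:
        ctx = ssl.create_default_context()          # verify against the resolver's TLS hostname
    else:
        # Timing probe only: mirror `openssl s_client`, which does not verify the peer.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=tls_name or host) as tls:
            tls.sendall(frame_for_dot(build_dns_query(qname)))
            read_dot_response(tls)                  # session is now established and used
            start = time.monotonic()
            tls.settimeout(cap)
            try:
                while tls.recv(4096):               # b"" means close_notify / FIN from server
                    pass
            except (socket.timeout, ssl.SSLError, ConnectionResetError):
                pass                                # timeout hit the cap, or an abrupt close
            return time.monotonic() - start


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "185.228.168.10"   # IP from the thread
    secs = measure_idle_timeout(target)
    print(f"{target}: session closed after {secs:.1f}s idle -> "
          f"stubby idle_timeout: {recommend_stubby_idle_timeout_ms(secs)} ms")
```

Run it from a machine that can reach port 853 (or from the router over SSH if Python is installed there); a result near 5 s reproduces the observation in the post and yields a 4500 ms suggestion, in line with the 4500 fallback mentioned above.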
 
