Intermittent DNS failures

sbsnb

Very Senior Member
I've been having trouble with intermittent DNS failures over the years, but I just chalked it up to issues with my dnscrypt-proxy setup. However, I've been running without it for the last few days and I am still experiencing the issue.

The symptoms are that occasionally a well-known domain will fail to resolve and I get the browser error message that the name couldn't be resolved. Pressing reload usually just gives the error again. Pressing reload 4 or 5 times gets the domain to load. When it's happening running nslookup from a client yields the same problem: instant error. The error is so fast that there's no way it's an actual failure because it's instantaneous. It's not a timeout.

I don't even know how to troubleshoot because it only lasts for about 10-15 seconds when it happens, which is about every day or two.
 

bbunge

Part of the Furniture
First upgrade to Merlin 386.5.

Second, dump DNSCrypt-Proxy and try DoT to a secure DNS upstream resolver such as Quad9. Start without DNSSEC enabled. When you have better DNS function enable DNSSEC. Also use DNS Filter.

It is possible that other addons are causing issues. You may want to factory reset and run 386.5 without addons for a bit.
 

sbsnb

Very Senior Member
First upgrade to Merlin 386.5.
Is Asus still nagging about not using HTTPS? I don't intend to use any firmware that's intentionally designed to annoy me into participating in their security theater.

Second, dump DNSCrypt-Proxy and try DoT to a secure DNS upstream resolver such as Quad9. Start without DNSSEC enabled. When you have better DNS function enable DNSSEC. Also use DNS Filter.
That's what I'm using now and still experience the issue.

It is possible that other addons are causing issues. You may want to factory reset and run 386.5 without addons for a bit.
It may come to that, although sometimes I can go a month or more without issue and then other times it's multiple times a day. I don't know how long I'd have to go without the error to conclusively call it fixed.
 

sbsnb

Very Senior Member
What error does nslookup give you, if not a timeout?
It will say:
Code:
Server:  RT-AX86U-AB41.router.lan
Address:  192.168.1.1

*** RT-AX86U-AB41.router.lan can't find google.com: Non-existent domain
It almost makes me think that sometimes a cache miss is interpreted as an NXDOMAIN.

EDIT - Since this was an issue in my RT-AC88U and my RT-AX86U, I don't think there's any hardware issue or anything in any model-specific code.
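A small probe, added here and not from any post in the thread, that polls a known-good name against the router every second and distinguishes an instant NXDOMAIN (which points at the local resolver or its cache) from a genuine timeout or a normal answer. The classifier is exercised against the nslookup transcript above; Windows-style nslookup output is assumed, and the resolver address and poll interval are placeholders.

```python
import re
import subprocess
import time

# "can't find google.com: Non-existent domain" is the line quoted in the post.
NXDOMAIN_RE = re.compile(r"can't find (?P<name>\S+): Non-existent domain")
TIMEOUT_RE = re.compile(r"timed out|no response from server", re.IGNORECASE)
# nslookup prints the resolver's own "Address:" first; a second one is an answer.
ADDRESS_RE = re.compile(r"^Address(?:es)?:\s*(?P<addr>\S+)", re.MULTILINE)


def classify_nslookup(output: str) -> str:
    """Return 'nxdomain', 'timeout', 'ok' or 'other' for one nslookup transcript."""
    if NXDOMAIN_RE.search(output):
        return "nxdomain"
    if TIMEOUT_RE.search(output):
        return "timeout"
    return "ok" if len(ADDRESS_RE.findall(output)) >= 2 else "other"


def is_suspicious(result: str, elapsed_s: float, threshold_s: float = 0.2) -> bool:
    """A negative answer for a name that always exists, returned almost instantly,
    cannot be an upstream failure; it came from the router's resolver or cache."""
    return result == "nxdomain" and elapsed_s < threshold_s


def probe(name: str, server: str, timeout_s: float = 5.0):
    """Run one nslookup and return (classification, seconds taken)."""
    t0 = time.monotonic()
    try:
        proc = subprocess.run(["nslookup", name, server],
                              capture_output=True, text=True, timeout=timeout_s)
        out = proc.stdout + proc.stderr
    except subprocess.TimeoutExpired:
        out = "timed out"
    return classify_nslookup(out), time.monotonic() - t0


if __name__ == "__main__":
    # Assumed values: router as resolver, a name that should never be NXDOMAIN.
    server, name = "192.168.1.1", "google.com"
    while True:  # the outage lasts 10-15 s, so a 1 s poll will catch it
        result, elapsed = probe(name, server)
        if is_suspicious(result, elapsed):
            print(f"{time.strftime('%H:%M:%S')} instant NXDOMAIN for {name} "
                  f"after {elapsed * 1000:.0f} ms (resolver {server})")
        elif result != "ok":
            print(f"{time.strftime('%H:%M:%S')} {result} for {name} after {elapsed:.2f} s")
        time.sleep(1)
```

Leave it running on a client over a day or two and the timestamps tell you how long each episode lasts and whether it coincides with anything in the router's syslog.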
 

bbunge

Part of the Furniture
Is Asus still nagging about not using HTTPS? I don't intend to use any firmware that's intentionally designed to annoy me into participating in their security theater.
Do not know what you are talking about. I have at times enabled http and https access but mostly use http. But I never enable WAN access like some do.
 

sbsnb

Very Senior Member
Do not know what you are talking about.
This:
 

OzarkEdge

Part of the Furniture
This:

Are you seeing this HTTPS 'nag' on your router?

OE
 

dave14305

Part of the Furniture

RMerlin

Asuswrt-Merlin dev
There’s some odd combination of nvram that results in the https messages:

I’ve never seen them either.
Short answer is: that feature is region-specific. Most likely certain countries have laws or regulations now requiring it.
 

heysoundude

Part of the Furniture
Is Asus still nagging about not using HTTPS? I don't intend to use any firmware that's intentionally designed to annoy me into participating in their security theater.


That's what I'm using now and still experience the issue.


It may come to that, although sometimes I can go a month or more without issue and then other times it's multiple times a day. I don't know how long I'd have to go without the error to conclusively call it fixed.
have you considered or tried using unbound?
If you're looking for security and privacy, I'm of a mind that it's a better way to go: You cache the addresses you visit most frequently locally (I do it on the entware USB drive I'm running diversion etc on), and when a query of the cache for an address isn't found, it goes straight to the authoritative servers that all the "big" well-known "fast" public DNS servers do, and you can even choose to use DoT/DoH to those, if they support it.
DNSCrypt-proxy may be a little more behind the curve compared to unbound (our version here is one behind the dev's current at the moment, but it's being worked on)
 

Tech9

Part of the Furniture
and when a query of the cache for an address isn't found, it goes straight to the authoritative servers that all the "big" well-known "fast" public DNS servers do

This is when big and fast public DNS servers beat you every single time with much bigger cache than yours.
 

heysoundude

Part of the Furniture
I don’t think that’s possible today. Root/TLD servers don’t support it, and I imagine most authoritative name servers don’t support it.

IIRC, the folks who built unbound have built in the functionality should the auth servers ever decide to go down the encryption path. But that would be indicative of greater concerns for the internet as a whole if there was demand for it.
This is when big and fast public DNS servers beat you every single time with much bigger cache than yours.
Again, this is what OP is looking for, and I am just making them aware of their options.
I'll take the hit on ping time to stay a bit more private in what I search for, thanks. Those 10ms are my chance to flip the googles of the world the bird.
 

Tech9

Part of the Furniture
I'll take the hit on ping time to stay a bit more private in what I search for, thanks.

Your ISP can re-create your browsing history with >90% accuracy and you may leak your real public IP address when using own resolver. Your beliefs lead to wrong conclusions, @heysoundude - Skynet, IPv6, Unbound. You're welcome. :)
 

sbsnb

Very Senior Member
Your ISP can re-create your browsing history with >90% accuracy and you may leak your real public IP address when using own resolver. Your beliefs lead to wrong conclusions, @heysoundude - Skynet, IPv6, Unbound. You're welcome. :)
Without access to my DNS queries they only know the IP I'm connecting to. For many sites that could mean any number of hundreds of domains hosted on the same server. Google doesn't know anything I query or connect to unless my ISP is selling them that information.

My personal reasons for using dnscrypt-proxy are to use servers that AREN'T run by the "big boys," to prevent them from building a record of my DNS queries, and to prevent my ISP or anyone else from intercepting my DNS queries similar to how DNS queries can be redirected on the router. Ever since the incident where the dude that runs Cloudflare reported that he woke up one morning and decided one of his customers shouldn't be on the Internet, flipped a switch, and made it so, I have steered clear of "the big boys" for DNS, for email, for web hosting, and even internet access in every way possible. It opened my eyes to how vulnerable I was to having my access to information controlled by some other person's opinions and whimsy. I currently use OpenNIC which seems more resilient against the personal whims of some megalomaniac or corporate behemoth with a political agenda.
 

heysoundude

Part of the Furniture
Your ISP can re-create your browsing history with >90% accuracy and you may leak your real public IP address when using own resolver. Your beliefs lead to wrong conclusions, @heysoundude - Skynet, IPv6, Unbound. You're welcome. :)
Our common ISP (iirc) has been pretty clear that they have better things to do, and would need legal compulsion to open their logs. I believe them, since they've taken a pretty adversarial stance with the big boys and the gov't agencies they're beholden to.
but granted, that is clearly not the case for everyone/everywhere
 

sbsnb

Very Senior Member
I started receiving interesting errors trying to visit some sites I have regularly visited for years. These errors coincide with experimenting with Cloudflare's DNS. Here's an example:

[Attached screenshot: 2022-03-11 11_56_11-archive.ph - Chromium.png]

Seems like something unrelated to Cloudflare, right? I dug a little deeper. Using Cloudflare's DNS servers the domain in question resolves to something in Cloudflare's IP space. When I use Quad9 the domain resolves to a network in the UK and works perfectly fine in the browser.

This makes me very suspicious of Cloudflare. It's the kind of shenanigans I am trying to avoid in the first place.
 
