Lost functionality 384.12

Thread starter: Deleted member 62525

Deleted member 62525 (Guest)
With the new release implementing DNS over TLS, how DNS works with the OpenVPN client has changed.

Using Stubby I was able to have the OpenVPN client and DoT working perfectly. With the OpenVPN client connected the router would use the VPN DNS, and if I got disconnected or the VPN connection dropped, DoT took over.

This config no longer works in the newest release, 384.12. If both VPN and DoT are configured, the VPN client uses the DoT DNS servers. I have the VPN client DNS set to Strict as before, using an RT-86U.

Any suggestions guys? I have tried many things and the only config that works for me is to disable DoT. Then the VPN client picks up the proper DNS.
 
The only DNS-related change made in 384.12 involves the DNS server used by the router itself. You can revert to the previous behaviour by changing it under Tools -> Other Settings.
 
The only DNS-related change made in 384.12 involves the DNS server used by the router itself. You can revert to the previous behaviour by changing it under Tools -> Other Settings.

What specific setting do you refer to? Also, I think that if OpenVPN is activated, shouldn't the VPN DNS be the first in the list of DNS servers? It seems that it's reversed. If I have DoT and the VPN client active and perform a DNS leak test, the DoT DNS servers show first, followed by the VPN DNS. I'm not sure if this is correct, but I would expect that it should be the other way around. The VPN client DNS, since it's active, should be the preferred DNS. Please correct me if I am wrong.
 
What specific setting do you refer to? Also, I think that if OpenVPN is activated, shouldn't the VPN DNS be the first in the list of DNS servers? It seems that it's reversed. If I have DoT and the VPN client active and perform a DNS leak test, the DoT DNS servers show first, followed by the VPN DNS. I'm not sure if this is correct, but I would expect that it should be the other way around. The VPN client DNS, since it's active, should be the preferred DNS. Please correct me if I am wrong.
I believe the setting Merlin refers to is: WAN: Use local caching DNS server as system resolver. Up until 384.12 the default was Yes. In 384.12 the default becomes No.
 

Attachment: F8F40FEC-54F5-48DB-BCB1-7E7A28173E4A.jpeg (6 KB)
BTW, reading the changelog is generally a good idea, especially while running beta releases. This change has been documented in the Changelog, in the official beta thread, and in the unofficial alpha build thread.

Code:
  - CHANGED: The router will now use ISP-provided resolvers
             instead of local dnsmasq when attempting to
             resolve addresses, for improved reliability.
             This reproduces how stock firmware behaves.
             This only affects name resolution done
             by the router itself, not by the LAN clients.
             The behaviour can still be changed on the
             Tools -> Other Settings page.
 
BTW, reading the changelog is generally a good idea, especially while running beta releases. This change has been documented in the Changelog, in the official beta thread, and in the unofficial alpha build thread.

Code:
  - CHANGED: The router will now use ISP-provided resolvers
             instead of local dnsmasq when attempting to
             resolve addresses, for improved reliability.
             This reproduces how stock firmware behaves.
             This only affects name resolution done
             by the router itself, not by the LAN clients.
             The behaviour can still be changed on the
             Tools -> Other Settings page.


Right. So as I understand it, if I set Tools -> Other Settings -> Use Local Cache to No, the router would query the DNS servers I entered in the WAN DNS section.

upload_2019-6-14_17-21-2.png

I have entered the NordVPN DNS servers in WAN DNS. I also have Quad9 as DoT set up as below.

upload_2019-6-14_17-23-10.png

When I start the OpenVPN client to a NordVPN server (Canada) and perform a DNS leak test, I expected to see only one DNS server (NordVPN's).
Instead, what I see is the Quad9 DNS servers.

upload_2019-6-14_17-25-18.png

Am I interpreting this correctly? My VPN Client DNS is set to Strict and Route All traffic to VPN.

The only way I can fix it is to disable DoT altogether.

cheers
 
Right. So as I understand it, if I set Tools -> Other Settings -> Use Local Cache to No, the router would query the DNS servers I entered in the WAN DNS section.

View attachment 18239 View attachment 18240

I have entered the NordVPN DNS servers in WAN DNS. I also have Quad9 as DoT set up as below.

View attachment 18241 View attachment 18242

When I start the OpenVPN client to a NordVPN server (Canada) and perform a DNS leak test, I expected to see only one DNS server (NordVPN's).
Instead, what I see is the Quad9 DNS servers.

View attachment 18243 View attachment 18244

Am I interpreting this correctly? My VPN Client DNS is set to Strict and Route All traffic to VPN.

The only way I can fix it is to disable DoT altogether.

cheers
Keep in mind that the DNS over TLS server settings take priority over the WAN DNS settings. For example, I have mine blank to not accept the ISP DNS server, but added Cloudflare under DNS over TLS.
 
Keep in mind that the DNS over TLS server settings take priority over the WAN DNS settings. For example, I have mine blank to not accept the ISP DNS server, but added Cloudflare under DNS over TLS.

That was my original point. With Stubby this worked, and since we implemented this functionality into the firmware the behaviour has changed. Nothing wrong with that solution, except that in this kind of situation a person needs to disable DoT. But doing this defeats the purpose of having DoT and using it as a backup for the VPN client.
 
Make sure you do set the VPN clients to Policy mode, and set DNS mode to Exclusive.
 
Keep in mind that the DNS over TLS server settings take priority over the WAN DNS settings. For example, I have mine blank to not accept the ISP DNS server, but added Cloudflare under DNS over TLS.
So you chose to select DNS manually, but didn't put anything in, and it behaves fine, I assume. How does that differ from me putting in Quad9 and then setting DNS filter to Router?
 
Make sure you do set the VPN clients to Policy mode, and set DNS mode to Exclusive.

Yes, that works, except the Exclusive DNS policy would bypass dnsmasq and Diversion would not work. Diversion and Skynet are very important to me. I tried all sorts of configuration scenarios, and the final setup I have is to leave DoT off. In my testing during all scenarios I am using/accessing Netflix.

In summary, with our current firmware DoT takes precedence over everything, and that includes OpenVPN DNS. In my reasoning that is not proper behaviour. Some may disagree. I'd like to keep Diversion and Skynet working regardless of whether I use VPN or not. For non-VPN use the firmware and DoT work like a charm. But for a VPN setup I would imagine that the VPN DNS (in DNS Strict) should be the first in the list of DNS servers. This is the behaviour I observed in the pre-DoT implementation, with Stubby. The nice thing was that if for whatever reason the VPN tunnel went down, Stubby would redirect all DNS queries to the DoT DNS. Nice and secure.

Also, as a side point, my observation: setting up the OpenVPN client, DoT, Diversion and VPN policy routing together is impossible to set up. Netflix, for example, would not work at all. It would be great to be able to get these services working together, but I have limited experience to give you more help. However, I can certainly do testing.
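The disagreement above about whether the VPN DNS or the DoT DNS is "first in the list" comes down to how dnsmasq chooses between its upstreams: file order only counts when `strict-order` is set, and with `all-servers` or the default behaviour the position in the list carries no precedence. The script below is an added example, not code from this thread, from Asuswrt-Merlin or from Stubby; it parses a dnsmasq configuration, reports the upstream order and the ordering policy, and checks whether a VPN resolver is actually preferred. It assumes, as the thread implies for Strict mode, that both the VPN-pushed resolvers and the DoT forwarder end up as plain `server=` lines for dnsmasq, that the DoT forwarder is reached at `127.0.1.1#53` (an assumption, not stated on the page), and the sample configurations are constructed with TEST-NET addresses rather than any provider's real resolvers.

```python
"""Report which upstream a dnsmasq instance will actually prefer.

Added example, not code from the thread, from Asuswrt-Merlin or from
Stubby.  Assumptions (not taken from the thread):
  * the DoT forwarder (Stubby) is reached by dnsmasq through a plain
    `server=127.0.1.1#53` line,
  * VPN-pushed and WAN resolvers appear as ordinary `server=` lines,
  * the sample configs below are constructed for illustration and use
    TEST-NET addresses (192.0.2.0/24), not any real provider's.
"""
import re
from dataclasses import dataclass

DOT_FORWARDER = "127.0.1.1"  # assumed Stubby listener used by dnsmasq

# Matches `server=ADDRESS` or `server=ADDRESS#PORT`; domain-scoped
# `server=/example/ADDRESS` lines are deliberately not matched.
SERVER_RE = re.compile(r"^server=([0-9A-Fa-f.:]+?)(?:#(\d+))?$")


@dataclass
class Upstream:
    address: str
    port: int
    kind: str  # "dot-forwarder" or "plain"


def parse_dnsmasq(text, dot_forwarder=DOT_FORWARDER):
    """Return the upstreams in file order plus the two ordering flags."""
    upstreams, strict, all_servers = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or full-line comment
            continue
        if line == "strict-order":
            strict = True
        elif line == "all-servers":
            all_servers = True
        else:
            m = SERVER_RE.match(line)
            if m:
                addr, port = m.group(1), int(m.group(2) or 53)
                kind = "dot-forwarder" if addr == dot_forwarder else "plain"
                upstreams.append(Upstream(addr, port, kind))
    return {"upstreams": upstreams, "strict_order": strict,
            "all_servers": all_servers}


def effective_policy(cfg):
    """Describe how dnsmasq chooses among the upstreams in `cfg`."""
    if cfg["all_servers"]:
        return "all-servers: every upstream is queried, first reply wins"
    if cfg["strict_order"]:
        return "strict-order: upstreams are tried in file order"
    return "default: dnsmasq picks any upstream it believes is up; file order is not precedence"


def vpn_dns_preferred(text, vpn_servers):
    """True only if file order is honoured AND a VPN resolver is first.

    A VPN resolver merely being present in the list is not enough, and
    without strict-order the list order carries no precedence at all.
    """
    cfg = parse_dnsmasq(text)
    if cfg["all_servers"] or not cfg["strict_order"] or not cfg["upstreams"]:
        return False
    return cfg["upstreams"][0].address in vpn_servers


# Constructed sample 1: DoT forwarder listed ahead of the VPN resolvers.
SAMPLE_DOT_FIRST = """\
no-resolv
server=127.0.1.1#53
server=192.0.2.10
server=192.0.2.11
strict-order
"""

# Constructed sample 2: VPN resolvers first, DoT forwarder as fallback.
SAMPLE_VPN_FIRST = """\
no-resolv
server=192.0.2.10
server=192.0.2.11
server=127.0.1.1#53
strict-order
"""

# Constructed sample 3: VPN resolver listed first but no ordering directive.
SAMPLE_NO_ORDER = """\
no-resolv
server=192.0.2.10
server=127.0.1.1#53
"""

if __name__ == "__main__":
    vpn = {"192.0.2.10", "192.0.2.11"}
    for name, text in [("dot-first", SAMPLE_DOT_FIRST),
                       ("vpn-first", SAMPLE_VPN_FIRST),
                       ("no-order", SAMPLE_NO_ORDER)]:
        cfg = parse_dnsmasq(text)
        order = " -> ".join(f"{u.address}:{u.port}({u.kind})" for u in cfg["upstreams"])
        print(f"{name}: {order}")
        print(f"   {effective_policy(cfg)}; VPN DNS preferred: {vpn_dns_preferred(text, vpn)}")
```

Running it on the three constructed configurations shows the distinction the thread keeps circling: only the second sample has the VPN resolver both first and under `strict-order`, so only there does "first in the list" actually mean "preferred"; the third sample lists the VPN resolver first yet gives no guarantee, which is the case a DNS leak test would expose.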
 
So you chose to select DNS manually, but didn't put anything in, and it behaves fine, I assume. How does that differ from me putting in Quad9 and then setting DNS filter to Router?
Works fine for me, as I want my DNS over TLS servers to be Quad9 and Cloudflare, not my ISP's. I also have DNS filter set to Router, so my Fire TVs point to Google DNS and my children's devices are forced to use the CleanBrowsing DNS servers.

Perhaps I am not understanding what you're trying to accomplish. Are you wanting to force all your clients to use NordVPN DNS as well as Quad9??
 
Yes, that works, except the Exclusive DNS policy would bypass dnsmasq and Diversion would not work. Diversion and Skynet are very important to me. I tried all sorts of configuration scenarios, and the final setup I have is to leave DoT off. In my testing during all scenarios I am using/accessing Netflix.

In summary, with our current firmware DoT takes precedence over everything, and that includes OpenVPN DNS. In my reasoning that is not proper behaviour. Some may disagree. I'd like to keep Diversion and Skynet working regardless of whether I use VPN or not. For non-VPN use the firmware and DoT work like a charm. But for a VPN setup I would imagine that the VPN DNS (in DNS Strict) should be the first in the list of DNS servers. This is the behaviour I observed in the pre-DoT implementation, with Stubby. The nice thing was that if for whatever reason the VPN tunnel went down, Stubby would redirect all DNS queries to the DoT DNS. Nice and secure.

Also, as a side point, my observation: setting up the OpenVPN client, DoT, Diversion and VPN policy routing together is impossible to set up. Netflix, for example, would not work at all. It would be great to be able to get these services working together, but I have limited experience to give you more help. However, I can certainly do testing.
Since your issue is with Diversion and Skynet not working, as @RMerlin suggests, you may need to post in those corresponding threads.
 
Works fine for me, as I want my DNS over TLS servers to be Quad9 and Cloudflare, not my ISP's. I also have DNS filter set to Router, so my Fire TVs point to Google DNS and my children's devices are forced to use the CleanBrowsing DNS servers.

Perhaps I am not understanding what you're trying to accomplish. Are you wanting to force all your clients to use NordVPN DNS as well as Quad9??

From your description you are not using the OpenVPN client. That config is just fine. My point is that if you start the VPN client, the VPN DNS should be your primary DNS and the DoT DNS becomes secondary. This is all. In the current firmware the DoT DNS is always primary no matter what, unless you configure the VPN DNS in Exclusive mode, which has the side effect of disabling Diversion since dnsmasq is bypassed.
 
From your description you are not using the OpenVPN client. That config is just fine. My point is that if you start the VPN client, the VPN DNS should be your primary DNS and the DoT DNS becomes secondary. This is all. In the current firmware the DoT DNS is always primary no matter what, unless you configure the VPN DNS in Exclusive mode, which has the side effect of disabling Diversion since dnsmasq is bypassed.
No, I don't use it the same way you are. I use NordVPN as well, but use the Windows client "on-demand" when I need to. I don't use it on the router (even though I have it set up to) as I don't need all my clients doing so.
 
No, I don't use it the same way you are. I use NordVPN as well, but use the Windows client "on-demand" when I need to. I don't use it on the router (even though I have it set up to) as I don't need all my clients doing so.

With further testing I have determined that if you leave the WAN settings like below and the VPN tunnel goes down, all clients will be disconnected from the internet. It behaves like a kill switch, since there is no DNS defined.

upload_2019-6-16_10-56-28.png
 

Attachment: upload_2019-6-16_10-56-28.png (78 KB)
With further testing I have determined that if you leave the WAN settings like below and the VPN tunnel goes down, all clients will be disconnected from the internet. It behaves like a kill switch, since there is no DNS defined.

View attachment 18264
That "kill switch" option is located under VPN Advanced settings.

upload_2019-6-16_15-39-38.png
 
That "kill switch" option is located under VPN Advanced settings.

View attachment 18270

Yes, if you have VPN Policy enabled. In my case I don't, and have it set up to All. I was simply saying that if your VPN policy is configured to "All", the setup I described also acts as a kill switch. Since WAN DNS is empty and I did not configure DoT, if the VPN tunnel goes down there is no DNS. It works, and this is a good thing. That is what I would expect.
 
