My DoT configuration (eventually) blocks sites again

One more service that fails.
https://play.google.com/store/apps/details?id=com.folksam.folksamapp (app or homepage does not matter)
Redirections that happen before the identification stage fail after a while with DoT turned on.
So I never get to the location where it can offer to open my BankID.
It's not a problem with BankID either, since several other services work just fine with it. It's a highly limited problem... But sadly on important parts.

If DoT as a whole would fail there must have been way more issues, right?
 
Is it the same without Skynet, Diversion (+UI), Scribe (+UI), ntp/spd/scMerlin, OpenVPN/Wireguard/Tailmon?

Random issues with Stubby were reported. I've seen some, but not this type of consistent resolution failure.
 
Well, I guess I can try.

But I guess I can also fire up my AX88U and do a simple setup only for this purpose. It did after all exist there too. On the exact same services if I recall it correctly. I don't know how often Stubby may update/change so maybe a relevant test.
 
Assuming nothing is affecting port 853 traffic on your new BE88U router - set the AX88U in double NAT, keep stock Asuswrt in basic configuration on it. When you hit a site with issues on BE88U check the same site through AX88U. Use the same DoT servers upstream, see what happens.
 
So far looking good. Will do a long term test and eventually add more and more on the router and see what it could be that starts the behavior.
For everyone that can try it, and use similar scripts, it's the "logga in" button on both www.swedbank.se and www.folksam.se that fails.
 
Tests done on BE88U.
Restart/disable Skynet and Diversion. No effect when the issue already exists.
Reboot of all Entware components. No effect.

Change DNS settings or Internet connection restart. Working.
 
I don't have an Asus router running at the moment. Can only test this for you, if it helps:

[Three screenshots attached]


The two websites above, Login button, Cloudflare with DoH*, Chrome with uBlock.

* - UniFi OS doesn't have DoT option, unfortunately.
 
From what I can tell, this seems highly limited to DoT. I'll try the setting that would allow DoH to run despite having DoT enabled in the router. Not what I want, but still an interesting test to see what happens.
Just tried the other router. Still works. Perhaps I can soon add some scripts, maybe move over my server to run on it for a while.
 
So the test router on stock firmware and DoT to Cloudflare opens all the pages properly and the Login buttons work as expected? If this is the case - must be something around your main router's configuration or firmware base. Step two is testing the main router on stock firmware under the same conditions.
 
But does stock have DoT?
Problem is that I have replicated the exact same scenario on the test router in the past when it was my main router. Again, as far as I can recall, only a problem when DoT was used.
Maybe a combination of DoT and scripts. Hopefully moving some workload into it and some scripts might help pinpoint the trigger.
 
> Problem is that I have replicated the exact same scenario on the test router in the past when it was my main router

Did it have the same Skynet, Diversion (+UI), Scribe (+UI), ntp/spd/scMerlin, OpenVPN/Wireguard/Tailmon on it?

> Maybe a combination of DoT and scripts.

This is what you are trying to find out. Back up your router, load stock firmware, reset it to defaults, test with DoT.
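
The comparison suggested in the thread (same name, same DoT upstream, two resolution paths) can be run from a LAN client at the moment a login button stops working. This is an added example, not code from any poster or from the firmware; it assumes the client's OS resolver points at the router, that the upstream is Cloudflare DoT at 1.1.1.1 with TLS name cloudflare-dns.com, and all function names are illustrative.

```python
import socket, ssl, struct

def build_query(name, qid=0x1234):  # DNS A-record query, recursion-desired bit set
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(msg, off):  # offset just past a name; a compression pointer ends it
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (rcode, [IPv4 addresses]) from a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                  # name + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:                  # A record
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen                              # CNAMEs etc. are skipped
    return flags & 0x000F, sorted(addrs)

def query_dot(name, server="1.1.1.1", tls_name="cloudflare-dns.com", timeout=5):
    """Ask the upstream directly over DNS-over-TLS (TCP 853), bypassing the router."""
    with socket.create_connection((server, 853), timeout=timeout) as raw, \
         ssl.create_default_context().wrap_socket(raw, server_hostname=tls_name) as tls:
        q = build_query(name)
        tls.sendall(struct.pack("!H", len(q)) + q)     # RFC 7858: 2-byte length prefix
        reader = tls.makefile("rb")
        (length,) = struct.unpack("!H", reader.read(2))
        return parse_response(reader.read(length))

def query_system(name):  # OS resolver, assumed to point at the router
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    for host in ("www.swedbank.se", "www.folksam.se"):   # sites named in the thread
        for label, fn in (("system resolver", query_system), ("direct DoT", query_dot)):
            try:
                print(host, label, fn(host))
            except (OSError, struct.error) as exc:       # timeout, TLS or resolver failure
                print(host, label, "FAILED:", repr(exc))
```

In the direct DoT result the first value is the DNS rcode (0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN). If the direct query answers while the system resolver fails, port 853 and the upstream are reachable and the fault is in the router's own resolver chain.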
 
