Priority for DoT Server List?


Matthew Patrick

Senior Member
Hey guys. So weeks ago I had a problem with my ISP's connection to Cloudflare which failed my DNS resolution. I wanted to prevent that in the future, but it doesn't seem that you can set the priority for DoT in the preset list... Is it possible to set a priority for each server? So say all of Cloudflare's DNS will be priority 1 and, say, Google's DNS will be priority 2 and be used if there are problems connecting with the first DoT server. (Say when the server is down, or their DNSSEC thing isn't working, since that had happened before with Cloudflare for me.)

Thank you
 

bbunge

Part of the Furniture
The DoT via Stubby the way Merlin has it configured will query each upstream resolver in turn. No need to set priority.
 

gattaca

Senior Member
^^^ Yes, having "priority groups or a preferred provider" would be a nice feature. If the primary and backups of a single preferred DNS service are down, dnsmasq and/or stubby could try the next priority group. The trick is when to fall back, for how long, and how to determine stability. I've thought about this with NextDNS because of the way it must be set up, and then using QUAD9 and Cloudflare as Group 2 and Group 3. It may be more programming gotchas and code complexity than either dnsmasq or stubby was designed to consider. Stay safe, stay alive! Peace.
 

EmeraldDeer

Very Senior Member
I am not arguing against the proposal.

But if your ISP cannot connect to Cloudflare, what are the odds that the rest of the Internet is OK? I am thinking close to zero.

And if the problem is just Cloudflare's DNS service, then choose another one, especially one that filters malware.
 

Matthew Patrick

Senior Member
It's not Cloudflare per se. It's just DNS in general. And my point still stands. There isn't any guarantee that a DNS server would stay up without problems 24/7. I've had some times when, say, Google services were down. Not even a ping to the DNS works. But the other works fine. So yeah, still having priorities and a DoT backup server seems nice.
 

underdose

Regular Contributor
  • Add your desired DoT servers, ordered by priority under WAN > DNS-over-TLS Server List
  • SSH into your router and edit /tmp/etc/stubby/stubby.yml line 9 to read "round_robin_upstreams: 0", OR comment out that line completely by inserting a "#" at the beginning of the line, so that Stubby checks that list in order instead of round-robin.
  • Restart Stubby (or router) to see if that works.

That's supposed to work, since:
round_robin_upstreams: Round robin queries across all the configured upstream servers. Without this option Stubby will use each upstream server sequentially until it becomes unavailable and then move on to use the next.
 

gattaca

Senior Member
TY and yes sir, that is a correct setting, "round_robin_upstreams: 0", as 0 is required per NextDNS.
I've had QUAD9 + Cloudflare in the manual setup listing too, with manual NextDNS listed first, in my attempts to debug some DNS failures and who's doing what, when. I have watched stubby descend through the listed providers when one just seems to "take a break and/or my ISP's network blips"... there's just no "preferred or fall-back" option. You can monitor what stubby is doing via "stubby -l".
 

Matthew Patrick

Senior Member
@gattaca @underdose Wow, yeah, it is working. Now my question is: this is supposed to survive reboots, right? And server changes from the WAN DoT list? And where is this file located when backed up?

My last question: does it roll down to other servers too if, say, their DNSSEC reply server is broken? Since I've had that with 1.1.1.1 before. Once. So basically I think they couldn't verify DNSSEC for every domain I tried to query, so I couldn't use the DNS at all. Does this mean if that happens it'll automatically drop down the list and try other servers? Thanks!
 

gattaca

Senior Member
^^ Good morning @Matthew Patrick. To the best of my limited knowledge:
a) No, "0" will be reset to "1" when the router is rebooted because 1 is the default behavior of our Merlin setups.
b) The server changes in the WAN DoT list are preserved in the order as listed - see item d) below.
c) IDK for sure on the last question. I think it will try any server in the listing in order, after the default timeouts expire for each entry in the same file. Depending on what you have in the other DNS entries will determine what the router searches for next.
d) The files/settings end up in '/etc/stubby/stubby.yml', which stubby runs from.
e) If you wanted to consistently change 1 to 0 you have to create '/jffs/scripts/stubby.postconf', make it executable and do something like this. Note: I copied this routine from other scripters who were tinkering with the NextDNS and other setups early on.

#!/bin/sh
#
# This info belongs in "/jffs/scripts/stubby.postconf"; it must be executable (chmod +x).
# Merlin runs it with the path of the freshly generated stubby.yml as $1, just before Stubby starts,
# so the change is re-applied on every reboot and every DoT list change.
#------------------------------------------------------------------------------------------------------------------------------------------------
# YYYYMMDD - Who Comment
#------------------------------------------------------------------------------------------------------------------------------------------------
#
CONFIG="$1"
# helper.sh provides pc_replace (plain-text replace in the config file handed to this hook)
. /usr/sbin/helper.sh
# Required for NextDNS setup - you cannot have round_robin_upstreams = 1 !
#
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" "$CONFIG"
#
# <EOF>
#

Stay safe, stay alive. Peace.

Modified on 06-Apr-2021 with commands which I've been using to debug my NextDNS issues as well as two useful setup pages:

Helpful ASUS Router Monitoring Windows (SSH)
a) tail -n25 -f /opt/var/log/dnsmasq.log
b) amtm > diversion follow dnsmasq logs, unfiltered, extra highlighting
c) amtm > diversion follow dnsmasq logs, show ONLY blocked
d) see what stubby is doing -> stubby -l
e) tcpdump -i $(nvram get wan0_ifname) -n port 53 (must have the tcpdump package installed - opkg install tcpdump) to see what's happening for unencrypted DNS on port 53 on the WAN port.
f) htop
g) ...

Helpful DNS info on Cloudflare and QUAD9
a) Well done router setup instructions -> https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/router
b) QUAD9 table of options, settings, what's what -> https://support.quad9.net/hc/en-us/articles/360041193212-Quad9-IPs-and-other-settings
 
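An added example, not from the thread and not Merlin's or Stubby's own code, putting underdose's three steps and gattaca's postconf routine together in one runnable script: it builds a constructed stubby.yml resembling what the WAN > DNS-over-TLS Server List generates (Cloudflare listed before Google, round_robin_upstreams: 1 as the firmware writes it; the listen address and upstream entries are assumed, not copied from a real router), then flips the key to 0 idempotently and verifies the result. The helper does not depend on /usr/sbin/helper.sh, so it also covers the case gattaca's pc_replace cannot: a file where the key is missing entirely. Function names are this example's own.

```shell
#!/bin/sh
# Added example: force Stubby to walk its DoT upstream list in order
# (round_robin_upstreams: 0) and verify the effective setting.

# Print the effective round_robin_upstreams value (empty if the key is absent).
get_round_robin() {
    # $1 = path to a stubby.yml
    sed -n 's/^[[:space:]]*round_robin_upstreams:[[:space:]]*\([01]\).*/\1/p' "$1" | head -n 1
}

# Set round_robin_upstreams: 0, rewriting the key if present and appending it
# if missing. Safe to run repeatedly (a stubby.postconf hook may run often).
set_sequential_upstreams() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    if grep -q '^[[:space:]]*round_robin_upstreams:' "$cfg"; then
        sed 's/^\([[:space:]]*round_robin_upstreams:\)[[:space:]]*[01].*/\1 0/' "$cfg" > "$tmp"
    else
        cat "$cfg" > "$tmp"
        printf 'round_robin_upstreams: 0\n' >> "$tmp"
    fi
    mv "$tmp" "$cfg"
    # Return non-zero if the rewrite did not take, so a caller can log it.
    [ "$(get_round_robin "$cfg")" = "0" ]
}

# Constructed sample config (assumed layout, not a real router's file):
# priority order is simply the order of upstream_recursive_servers.
write_sample_config() {
    cat > "$1" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 9000
listen_addresses:
  - 127.0.1.1@5453
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 8.8.8.8
    tls_auth_name: "dns.google"
  - address_data: 8.8.4.4
    tls_auth_name: "dns.google"
EOF
}

# Stand-alone demo against a temp file, never the live /etc/stubby/stubby.yml.
demo() {
    f="${TMPDIR:-/tmp}/stubby-demo.$$.yml"
    write_sample_config "$f"
    echo "before: round_robin_upstreams=$(get_round_robin "$f")"
    set_sequential_upstreams "$f" && echo "after:  round_robin_upstreams=$(get_round_robin "$f")"
    rm -f "$f"
}

demo
```

To use it on the router, drop set_sequential_upstreams into /jffs/scripts/stubby.postconf and call it with "$1" (the path Merlin passes in); with the key at 0, Stubby uses the first listed server until it stops answering and only then moves to the next, so the order in the WAN list becomes the priority. Confirm with "stubby -l" after a restart, and check with "tcpdump -i $(nvram get wan0_ifname) -n port 853" that queries are going to the expected first address.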

Matthew Patrick

Senior Member
Woah, thanks so much! Anyway, I've decided to just leave it in round-robin mode, since my list only contains Cloudflare's and Google's DNS servers. As far as I know they are both unfiltered and fast, so I guess I'm gonna let it be in round-robin mode. As long as I've got internet access if one of the DNS hosts is down or something. :D
 

bbunge

Part of the Furniture
For malware filtering on Cloudflare use 1.1.1.2 and 1.0.0.2. Change the default DoH Cloudflare resolver when you select it from the list.
To get round_robin_upstreams: 0 to stick on reboot, use a stubby.postconf file.
 
