Problems setting up DNS-over-TLS on RT-AX86U and ZenWiFi AX

RogerSC

Part of the Furniture
I'm having a problem setting up DNS-over-TLS (DoT) on both of my routers, a ZenWiFi AX mesh (Asus firmware version 46061) and RT-AX86U (46061 as well). When I select DoT on the WAN page, I don't get the "Preset servers" field popping up anymore, so I can't configure it. I've tried multiple browsers (Firefox, Chrome, Edge, and Safari), both macOS and Windows systems, flushing my browser caches, a "nuclear reset" on the RT-AX86U, everything that I can think of. I tried this on the RT-AX86U first, and finally gave up there after trying everything. So I figured that the AX86U was broken in some way, and set it aside. Then I flashed the new firmware on the ZenWiFi AX (46061) that also offers DoT followed by a full factory reset, and saw the same thing there. No "Preset servers" field was offered.

Not at all sure what's going on, feels like the Bermuda Triangle for DoT over here *smile*. I am using Firefox on the mac, but I even tried turning off the DoH proxy stuff on Firefox and rebooted the mac, no good. On Windows I'm just using Chrome, which I don't think fiddles with DNS, and same thing there...no "Preset servers" field pops up in the Chrome browser on Windows when I select DoT in the AX86U web admin GUI.

I'm really puzzled by this, the DoT thing was working on the AX86U both on 45934 and on RMerlin 386.4. I did try going back to 45934 on the RT-AX86U, and still got the same behavior...that's when I decided to try the nuclear option *smile*, which didn't help.

Any ideas what might be going on? This must be a simple thing, but I've got no idea what happened to my functional DoT. For the time being, when I'm using Firefox on the mac I at least have DoH using that...
 

OzarkEdge

Part of the Furniture
After a dirty upgrade here to AX86U 46061, I see (using MS Edge) no preset servers list and two previously configured servers for DoT:


OE
 

bbunge

Part of the Furniture
Same here! Bugger!
RogerSC. Do you have the blank boxes under the server list?

Edit: I was checking the WAN page on my tablet. On my PC with Firefox the Preset Servers List is present. Will try my Mac Mini next.

2nd Edit: Firefox 96.01 on OSX the preset servers list is not there. I remember reading about a bug in Mac version of Firefox with HTML3 that some web pages were not rendered properly. The fix was to disable HTML3 in about.config.

One more edit: Safari did not show the list. Also tried Chromium on a Pi that had never connected to the router- no preset server list.
 

RogerSC

Part of the Furniture
Yes, that's how the DoT DNS issue started for me. I upgraded the RT-AX86U from 45934 to 46061 without a reset to defaults. At that point, DoT seemed to be configured and working from the previous firmware version. But traffic statistics wasn't working right, so I did a factory default reset. Configuring after that, no "Preset servers" list. Also no drop-down on the DNS Server1 and DNS Server2 fields, just the browser list of past values. That last is also true on the ZenWiFi AX.

So things seem to have gone haywire in DNS land. I'm currently using the ZenWiFi AX with 46061, with no DoT, since no "Preset Servers" drop-down will appear when DoT is selected. As I said, I have flushed my browser caches and restarted the browsers, and done this on both the mac and Windows, so it seems to be independent of browser and OS.

And yes, when I select DoT the server list does appear with blank boxes, just no "Preset Servers" field above it. I tried putting 1.1.1.1 and 1.0.0.1 into the server list manually, but without the "Preset Servers" list...that didn't work for me.

Very mysterious. And frustrating....although a little less so since, as I said, I still have DoH DNS from using Firefox.

Update: Oh wait, I was able to enter the Cloudflare entries manually and get DoT going on the ZenWiFi AX...I was using a slightly wrong URL for Cloudflare. Once I corrected that, I can get this working without the "Preset Servers" list. The correct URL is cloudflare-dns.com, and that works. So the underlying software functionality is there, the GUI is just screwed up, apparently. Now the Cloudflare DNS test run on Firefox on my mac shows both DoH and DoT as working. Well, that's something, I guess *smile*.
 

bbunge

Part of the Furniture
Some time ago while testing Stubby I made a list of DoT Servers. I have since included the Cloudflare Security and Family servers.

With the preset servers not present in current Asus firmwares, I have tested that the entries can be made manually.

Code:
    upstream_recursive_servers:
    # IPv4 and IPV6 addresses
    # # Cloudflare servers
      - address_data: 1.1.1.1
        tls_auth_name: "cloudflare-dns.com"

      - address_data: 2606:4700:4700::1111
        tls_auth_name: "cloudflare-dns.com"
                  
    # # Cloudflare Alt servers
      - address_data: 1.0.0.1 
        tls_auth_name: "cloudflare-dns.com"

      - address_data: 2606:4700:4700::1001
        tls_auth_name: "cloudflare-dns.com"

    # # Cloudflare Security servers
      - address_data: 1.1.1.2
        tls_auth_name: "security.cloudflare-dns.com"

      - address_data: 2606:4700:4700::1112
        tls_auth_name: "security.cloudflare-dns.com"
                  
    # # Cloudflare Security Alt servers
      - address_data: 1.0.0.2 
        tls_auth_name: "security.cloudflare-dns.com"

      - address_data: 2606:4700:4700::1002
        tls_auth_name: "security.cloudflare-dns.com"

    # # Cloudflare Family servers
      - address_data: 1.1.1.3
        tls_auth_name: "family.cloudflare-dns.com"

      - address_data: 2606:4700:4700::1113
        tls_auth_name: "family.cloudflare-dns.com"
                  
    # # Cloudflare Family Alt servers
      - address_data: 1.0.0.3 
        tls_auth_name: "family.cloudflare-dns.com"

      - address_data: 2606:4700:4700::1003
        tls_auth_name: "family.cloudflare-dns.com"

    # # Quad9 Secure servers
      - address_data: 9.9.9.9
        tls_auth_name: "dns.quad9.net"

      - address_data: 2620:fe::fe
        tls_auth_name: "dns.quad9.net"

    # # Quad9 Secure Alt servers
      - address_data: 149.112.112.112
        tls_auth_name: "dns.quad9.net"

      - address_data: 2620:fe::9
        tls_auth_name: "dns.quad9.net"

    # # Cleanbrowsing-Security servers
      - address_data: 185.228.168.9
        tls_auth_name: "security-filter-dns.cleanbrowsing.org"

      - address_data: 2a0d:2a00:1::2
        tls_auth_name: "security-filter-dns.cleanbrowsing.org"

    # # Cleanbrowsing-Security Alt servers
      - address_data: 185.228.169.9
        tls_auth_name: "security-filter-dns.cleanbrowsing.org"

      - address_data: 2a0d:2a00:2::2
        tls_auth_name: "security-filter-dns.cleanbrowsing.org"

    # # Cleanbrowsing-Family servers
      - address_data: 185.228.168.168
        tls_auth_name: "family-filter-dns.cleanbrowsing.org"

      - address_data: 2a0d:2a00:1::
        tls_auth_name: "family-filter-dns.cleanbrowsing.org"
                  
    # # Cleanbrowsing-Family Alt servers
      - address_data: 185.228.168.169
        tls_auth_name: "family-filter-dns.cleanbrowsing.org"

      - address_data: 2a0d:2a00:2::
        tls_auth_name: "family-filter-dns.cleanbrowsing.org"

    # # Cleanbrowsing-Adult servers
      - address_data: 185.228.168.10
        tls_auth_name: "adult-filter-dns.cleanbrowsing.org"

      - address_data: 2a0d:2a00:1::1
        tls_auth_name: "adult-filter-dns.cleanbrowsing.org"
                  
    # # Cleanbrowsing-Adult Alt servers
      - address_data: 185.228.168.11
        tls_auth_name: "adult-filter-dns.cleanbrowsing.org"

      - address_data: 2a0d:2a00:2::1
        tls_auth_name: "adult-filter-dns.cleanbrowsing.org"
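
A pre-flight check for a hand-typed server list in the format above, as an added example that is not part of the original thread: it parses Stubby-style `address_data` / `tls_auth_name` pairs and flags entries whose address does not parse or whose authentication name is missing or not a hostname. The function names are illustrative, and every sample entry except the first is constructed.

```python
import ipaddress
import re

# Constructed sample in the Stubby list format. The first entry is from the
# post; the rest are deliberately broken (documentation addresses, made-up names).
SAMPLE = """
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2001:db8:2
    tls_auth_name: "dot.example.net"
  - address_data: 2001:db8::1::
    tls_auth_name: "dot.example.net"
  - address_data: 192.0.2.53
  - address_data: 192.0.2.54
    tls_auth_name: "1.1.1.1"
"""

HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_upstreams(text):
    """Collect address_data/tls_auth_name per entry; a leading '- ' starts an entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if line.startswith("- "):
            entries.append({})
            line = line[2:].strip()
        key, _, value = line.partition(":")   # split on the first colon only (IPv6-safe)
        if entries and key in ("address_data", "tls_auth_name"):
            entries[-1][key] = value.strip().strip('"')
    return entries

def check_upstreams(text):
    """Return (address, problem) pairs for entries that should not be deployed."""
    problems = []
    for e in parse_upstreams(text):
        addr, name = e.get("address_data", ""), e.get("tls_auth_name", "")
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append((addr, "bad address"))
        if not name:
            problems.append((addr, "missing tls_auth_name"))
        elif not HOSTNAME.match(name):
            problems.append((addr, "tls_auth_name is not a hostname"))
    return problems

if __name__ == "__main__":
    print(*check_upstreams(SAMPLE), sep="\n")
```

A well-formed but wrong name, the mistake described earlier in the thread, passes this check; it only shows up when DoT fails to come up against the server.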
 
