Problems setting up DNS-over-TLS on RT-AX86U and ZenWiFi AX

RogerSC

I'm having a problem setting up DNS-over-TLS (DoT) on both of my routers, a ZenWiFi AX mesh (Asus firmware version 46061) and RT-AX86U (46061 as well). When I select DoT on the WAN page, I don't get the "Preset servers" field popping up anymore, so I can't configure it. I've tried multiple browsers (Firefox, Chrome, Edge, and Safari), both macOS and Windows systems, flushing my browser caches, a "nuclear reset" on the RT-AX86U, everything that I can think of. I tried this on the RT-AX86U first, and finally gave up there after trying everything. So I figured that the AX86U was broken in some way, and set it aside. Then I flashed the new firmware on the ZenWiFi AX (46061) that also offers DoT followed by a full factory reset, and saw the same thing there. No "Preset servers" field was offered.

Not at all sure what's going on, feels like the Bermuda Triangle for DoT over here *smile*. I am using Firefox on the mac, but I even tried turning off the DoH proxy stuff on Firefox and rebooted the mac, no good. On Windows I'm just using Chrome, which I don't think fiddles with DNS, and same thing there...no "Preset servers" field pops up in the Chrome browser on Windows when I select DoT in the AX86U web admin GUI.

I'm really puzzled by this, the DoT thing was working on the AX86U both on 45934 and on RMerlin 386.4. I did try going back to 45934 on the RT-AX86U, and still got the same behavior...that's when I decided to try the nuclear option *smile*, which didn't help.

Any ideas what might be going on? This must be a simple thing, but I've got no idea what happened to my functional DoT. For the time being, when I'm using Firefox on the mac I at least have DoH using that...
 
On Firefox, hold the shift key then click refresh. Or clear the browser cache.
 
After a dirty upgrade here to AX86U 46061, I see (using MS Edge) no preset servers list and two previously configured servers for DoT:

[Screenshot: 1642251699292.png]


OE
 
Same here! Bugger!
RogerSC. Do you have the blank boxes under the server list?

Edit: I was checking the WAN page on my tablet. On my PC with Firefox the Preset Servers List is present. Will try my Mac Mini next.

2nd Edit: Firefox 96.01 on OSX the preset servers list is not there. I remember reading about a bug in Mac version of Firefox with HTML3 that some web pages were not rendered properly. The fix was to disable HTML3 in about.config.

One more edit: Safari did not show the list. Also tried Chromium on a Pi that had never connected to the router- no preset server list.
 
Yes, that's how the DoT DNS issue started for me. I upgraded the RT-AX86U from 45934 to 46061 without a reset to defaults. At that point, DoT seemed to be configured and working from the previous firmware version. But traffic statistics wasn't working right, so I did a factory default reset. Configuring after that, no "Preset servers" list. Also no drop-down on the DNS Server1 and DNS Server2 fields, just the browser list of past values. That last is also true on the ZenWiFi AX.

So things seem to have gone haywire in DNS land. I'm currently using the ZenWiFi AX with 46061, with no DoT, since no "Preset Servers" drop-down will appear when DoT is selected. As I said, I have flushed my browser caches and restarted the browsers, and done this on both the mac and Windows, so it seems to be independent of browser and OS.

And yes, when I select DoT the server list does appear with blank boxes, just no "Preset Servers" field above it. I tried putting 1.1.1.1 and 1.0.0.1 into the server list manually, but without the "Preset Servers" list...that didn't work for me.

Very mysterious. And frustrating....although a little less so since, as I said, still have DoH DNS from using Firefox.

Update: Oh wait, I was able to enter the Cloudflare entries manually and get DoT going on the ZenWiFi AX...I was using a slightly wrong URL for Cloudflare. Once I corrected that, I can get this working without the "Preset Servers" list. The correct URL is cloudflare-dns.com, and that works. So the underlying software functionality is there, the GUI is just screwed up, apparently. Now the Cloudflare DNS test run on Firefox on my mac shows both DoH and DoT as working. Well, that's something, I guess *smile*.
 
Some time ago while testing Stubby I made a list of DoT Servers. I have since included the Cloudflare Security and Family servers.

With the preset servers not present in current Asus firmwares, I have tested that the entries can be made manually.

Code:
    # Stubby upstream list: each entry pairs a resolver IP (address_data)
    # with the name its TLS certificate must match (tls_auth_name).
    upstream_recursive_servers:
    # IPv4 and IPv6 addresses
    # Cloudflare servers
      - address_data: 1.1.1.1
        tls_auth_name: "cloudflare-dns.com"

      - address_data: 2606:4700:4700::1111
        tls_auth_name: "cloudflare-dns.com"

    # Cloudflare Alt servers
      - address_data: 1.0.0.1
        tls_auth_name: "cloudflare-dns.com"

      - address_data: 2606:4700:4700::1001
        tls_auth_name: "cloudflare-dns.com"

    # Cloudflare Security servers
      - address_data: 1.1.1.2
        tls_auth_name: "security.cloudflare-dns.com"

      - address_data: 2606:4700:4700::1112
        tls_auth_name: "security.cloudflare-dns.com"

    # Cloudflare Security Alt servers
      - address_data: 1.0.0.2
        tls_auth_name: "security.cloudflare-dns.com"

      - address_data: 2606:4700:4700::1002
        tls_auth_name: "security.cloudflare-dns.com"

    # Cloudflare Family servers
      - address_data: 1.1.1.3
        tls_auth_name: "family.cloudflare-dns.com"

      - address_data: 2606:4700:4700::1113
        tls_auth_name: "family.cloudflare-dns.com"

    # Cloudflare Family Alt servers
      - address_data: 1.0.0.3
        tls_auth_name: "family.cloudflare-dns.com"

      - address_data: 2606:4700:4700::1003
        tls_auth_name: "family.cloudflare-dns.com"

    # Quad9 Secure servers
      - address_data: 9.9.9.9
        tls_auth_name: "dns.quad9.net"

      - address_data: 2620:fe::fe
        tls_auth_name: "dns.quad9.net"

    # Quad9 Secure Alt servers
      - address_data: 149.112.112.112
        tls_auth_name: "dns.quad9.net"

      - address_data: 2620:fe::9
        tls_auth_name: "dns.quad9.net"

    # Cleanbrowsing-Security servers
      - address_data: 185.228.168.9
        tls_auth_name: "security-filter-dns.cleanbrowsing.org"

      - address_data: 2a0d:2a00:1::2
        tls_auth_name: "security-filter-dns.cleanbrowsing.org"

    # Cleanbrowsing-Security Alt servers
      - address_data: 185.228.169.9
        tls_auth_name: "security-filter-dns.cleanbrowsing.org"

      - address_data: 2a0d:2a00:2::2
        tls_auth_name: "security-filter-dns.cleanbrowsing.org"

    # Cleanbrowsing-Family servers
      - address_data: 185.228.168.168
        tls_auth_name: "family-filter-dns.cleanbrowsing.org"

      - address_data: 2a0d:2a00:1::
        tls_auth_name: "family-filter-dns.cleanbrowsing.org"

    # Cleanbrowsing-Family Alt servers
      - address_data: 185.228.169.168
        tls_auth_name: "family-filter-dns.cleanbrowsing.org"

      - address_data: 2a0d:2a00:2::
        tls_auth_name: "family-filter-dns.cleanbrowsing.org"

    # Cleanbrowsing-Adult servers
      - address_data: 185.228.168.10
        tls_auth_name: "adult-filter-dns.cleanbrowsing.org"

      - address_data: 2a0d:2a00:1::1
        tls_auth_name: "adult-filter-dns.cleanbrowsing.org"

    # Cleanbrowsing-Adult Alt servers
      - address_data: 185.228.169.11
        tls_auth_name: "adult-filter-dns.cleanbrowsing.org"

      - address_data: 2a0d:2a00:2::1
        tls_auth_name: "adult-filter-dns.cleanbrowsing.org"
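
A quick lint for a hand-typed upstream list of this kind, as an added example that is not part of the original post: it checks that every `address_data` value parses as an IP address and that each entry carries a bare-hostname `tls_auth_name`, since a missing or malformed name means the resolver's certificate cannot be matched. The sample entries (documentation addresses), the line-based parser and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the Stubby upstream style (documentation addresses only).
SAMPLE = """\
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  # two '::' groups: not a valid IPv6 address
  - address_data: 2001:db8::1::
    tls_auth_name: "dns.example.net"
  # no tls_auth_name: the server certificate cannot be name-checked
  - address_data: 192.0.2.53
  # auth name typed as a URL instead of a hostname
  - address_data: 192.0.2.54
    tls_auth_name: "https://dns.example.net/"
"""

ENTRY = re.compile(r'^\s*-\s*address_data:\s*(\S+)\s*$')
AUTH = re.compile(r'^\s*tls_auth_name:\s*"?([^"\s]*)"?\s*$')
HOSTNAME = re.compile(
    r'^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$')

def parse_upstreams(text):
    """Collect address_data / tls_auth_name pairs, ignoring '#' comments."""
    entries = []
    for line in text.splitlines():
        code = line.split('#', 1)[0]
        m = ENTRY.match(code)
        if m:
            entries.append({"address": m.group(1), "auth_name": None})
            continue
        m = AUTH.match(code)
        if m and entries:
            entries[-1]["auth_name"] = m.group(1)
    return entries

def lint_upstreams(text):
    """Return (address, problem) tuples for entries that would not work as DoT upstreams."""
    problems = []
    for e in parse_upstreams(text):
        try:
            ipaddress.ip_address(e["address"])
        except ValueError:
            problems.append((e["address"], "address_data is not a valid IP address"))
        if not e["auth_name"]:
            problems.append((e["address"], "no tls_auth_name"))
        elif not HOSTNAME.match(e["auth_name"]):
            problems.append((e["address"], "tls_auth_name is not a bare hostname"))
    return problems
```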
 
Finally figured this one out...once I did a WPS button reset on both nodes, the "Preset servers" field came back on the ZenWiFi AX. Nice to see again, bit of a surprise, though *smile*. I suspect that would work for the RT-AX86U as well, though switching to the latest RMerlin firmware on that one did the job. So haven't actually tried a WPS reset on the AX86U.
 
Oh yes, one more thing. When I just reverted from 386.4 (RMerlin) to 45934 (Asus) firmware tonight on the RT-AX86U, where the "Preset servers" drop-down had not been there last time I tried going back to 45934, I did both a web admin interface reset to factory defaults, and a WPS factory default reset. That brought back all the drop-downs, as well as the "Preset servers" list. So it's pretty clear to me that these problems have been related to incomplete factory resets to defaults.

Just upgraded the AX86U to 46061, did the WPS and software factory default resets, and everything is now fixed relative to DoT and all. Good to know. Interesting about factory resets. It would be nice if the reset button did the right thing, it should.
 