RT-AX82U DNS OVER TLS

[tiomiguel]

Anybody know if this service works in RT-AX82U or similar routers. I have configured bur wireshark does no show TLS... but, is conveniente use thsi security layer or better use DNS plain. I use adguard family DNS long tiem ago...

 

[Analog-1]

Asus routers running stock firmware do not support DoT for their own DNS.

??

 

[bbunge]

Asus routers do not block outbound traffic. So your clients should be able to connect to public DoT servers on port 853 if they are configured to do so.

Public Resolvers :: dnsprivacy.org

dnsprivacy.org

Asus routers running stock firmware do not support DoT for their own DNS. Merlin/GNUton firmware does provide DoT support on the router.

Not true. Most Asus routers do support DoT.

 

[ColinTaylor]

??

Not true. Most Asus routers do support DoT.

Apologies. I stand corrected. I hadn't looked at that part of stock firmware for a very long time. In light of this I've deleted my original post as I misunderstood the question.

 

[tiomiguel]

DOT configured but it seems is not working

configured but not working

 

[ColinTaylor]

DOT configured but it seems is not working
View attachment 67587
configured but not working

View attachment 67588
View attachment 67589

You are querying the wrong DNS server. You should be using the router's server.

nslookup www.snbforums.com 192.168.1.1

 

[bbunge]

When using DoT disable DNSSEC You do not need both.

 

[vit5421]

Works great

 

[tiomiguel]

I have heard dns server has to be left empty for router go to DNS OVER TLS dns ies this true?

 

[ColinTaylor]

I have heard dns server has to be left empty for router go to DNS OVER TLS dns ies this true?

No.

 

[Ripshod]

I have heard dns server has to be left empty for router go to DNS OVER TLS dns ies this true?
View attachment 67601

Definitely not. DoT overrides that setting, you'll see it stated on the Network Map (Internet status)

 

[tiomiguel]

I left blank and works

 

[tiomiguel]

ASUS RT-AX82U – Secure DoT (DNS-over-TLS) Setup with AdGuard Family​

1. WAN DNS Settings​

• DNS Server → Leave blank
  (If you put IPs here, the router may bypass DoT and use plain DNS over UDP/53.)

GPT say this...

 

[ColinTaylor]

I left blank and works

Don't leave it blank. It is unnecessary and will cause problems for services running on the router.

 

[tiomiguel]

but all traffic will be DOT?????

 

[RMerlin]

DOT does not override regular DNS. If you manually query a standard public DNS server, then you will be doing just that. Only queries sent to the router (which should be the default DNS for your LAN clients) will use DOT when being sent upstream- and Wireshark would need to monitor the traffic between the router and the ISP, not between the clients and the router.

 

[jmpr]

I have heard dns server has to be left empty for router go to DNS OVER TLS dns ies this true?

Try this to check your dns:

dnscheck.tools - check your dns resolvers

A tool to test for DNS leaks, DNSSEC validation, and more

dnscheck.tools

And these are my settings with no problems at all:

And for ipv6:

 

[consorts]

since we're on the subject, let me (nyc) know if i did anything
wrong here or there is room for improvement.
according to various tsl test sites, tsl seems to be working fine.
i leave everything ipv6 = disabled and blank.

 

[dave14305]

if i did anything wrong here or there is room for improvement

If you trust Cloudflare and Quad9 to validate DNSSEC for you on their end, you can disable DNSSEC on the router.

You only get malware protection from Quad9 50% of the time since you alternate with an unfiltered Cloudflare service. Consider using 1.1.1.2 if you want malware protection all the time.

 

[bbunge]

since we're on the subject, let me (nyc) know if i did anything
wrong here or there is room for improvement.
according to various tsl test sites, tsl seems to be working fine.
i leave everything ipv6 = disabled and blank.

Use Quad9 or Cloudflare Security but not both at the same time.

Cloudflare Security is 1.1.1.2 and 1.0.0.2. TLS Hostname: security.cloudflare-dns.com. This is a manual input to the Asus DoT settings.

I find that Cloudflare Security is more reliable than Quad9 in my area when using DoT.