
Trying the new DoT feature


tarassippo

Regular Contributor
Today I decided to test the DoT feature on my RT-AC66U_B1 running Merlin v384.13 and it seems to be working fine. This is the configuration:
[attached screenshot: Capture.JPG]


but when I run the IPv6 test I get a lower score (without DoT it was 19/20).

Would someone please explain to me why the DNS6+IP4 and DNS6+IP6 tests are failing?
[attached screenshot: Capture2.JPG]


TIA.
 
I think you have to set 'Connect to DNS server automatically' to No. Otherwise your router will still get the DNS server from your ISP. Also in LAN set DNSFilter to ON and Global Filtering Mode to Router.
[attached screenshot: upload_2019-8-5_8-36-58.png]

[attached screenshot: upload_2019-8-5_8-37-42.png]
 
Let us know if the suggestion works. I have not done that test on an AC68U on dual stack. When I ran DoT on dual stack I alternated the ipv4 and ipv6 resolvers. It seemed to work ok even though the internal connection between dnsmasq and stubby uses just the ipv4 loopback. Also, some ipv4 resolvers will resolve ipv6 requests. Don't think Cleanbrowsing does.

Sent from my SM-T380 using Tapatalk
 
Also, some ipv4 resolvers will resolve ipv6 requests. Don't think Cleanbrowsing does.

Sent from my SM-T380 using Tapatalk
I believe this is the core of the issue. You are likely using different DNS servers when DoT is off which is why the test result is coming back differently.
 
Thanks all... I reckon the issue is with the CleanBrowsing servers... In the last couple of hours I've run the test several times trying different configurations with no luck, but if I change the DoT servers, i.e. Quad9 or Cloudflare (no matter whether 'Connect to DNS server automatically' is set to Yes or No) then I get 19/20...
 
And one more thing: using this link https://dnssec.vs.uni-due.de/ I can check whether the DNS server validates DNSSEC signatures, but how do I check whether TLS has been enabled on that DNS server?
Cloudflare does have a test page that validates DoT/DoH. DNSSEC has to be off. Other sites publish that they support DoT or not. The resolvers loaded with Merlin all support DoT.

Sent from my SM-T380 using Tapatalk
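The question above (how to verify that a resolver actually speaks DNS over TLS) can be answered without a web test page by doing what stubby does: open TLS to port 853, validate the certificate against the operator's published auth name, and send a DNS query inside the session. The script below is an added example written for this thread; it is not code from the thread, from stubby or from Asuswrt-Merlin. It sends an AAAA query, so it also exercises the earlier point that some IPv4-addressed resolvers will answer IPv6 record lookups, and it reports the AD flag, which is what the DNSSEC test site above is checking for. The resolver addresses and auth names (9.9.9.9 / dns.quad9.net, 1.1.1.1 / cloudflare-dns.com) are assumed from the operators' published documentation, not from the thread; example.com is just a query name.

```python
"""Check whether a resolver really speaks DNS over TLS (RFC 7858).

Added example; not code from the thread, from stubby or from Asuswrt-Merlin.
It opens TLS to port 853, validates the certificate chain and the operator's
published auth name, then sends one DNS query over the TLS session.
"""
import socket
import ssl
import struct

DOT_PORT = 853
QTYPE_A = 1
QTYPE_AAAA = 28
DEFAULT_TXID = 0x1234


def build_query(qname: str, qtype: int, txid: int = DEFAULT_TXID) -> bytes:
    """Encode a minimal DNS query (one question, RD bit set, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(msg: bytes, txid: int = DEFAULT_TXID) -> dict:
    """Decode the header: enough to tell a valid answer from an error."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not our answer")
    return {
        "is_response": bool(flags & 0x8000),   # QR bit
        "ad": bool(flags & 0x0020),            # AD: resolver validated DNSSEC
        "rcode": flags & 0x000F,               # 0 = NOERROR, 3 = NXDOMAIN
        "answers": an,
    }


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS session mid-message")
        buf += chunk
    return buf


def query_dot(resolver_ip: str, auth_name: str, qname: str,
              qtype: int = QTYPE_AAAA, timeout: float = 5.0) -> dict:
    """One query over DoT. Raises ssl.SSLError if the cert does not match auth_name."""
    ctx = ssl.create_default_context()          # system CA store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            q = build_query(qname, qtype)
            tls.sendall(struct.pack("!H", len(q)) + q)   # RFC 7858: 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            info = parse_response(_recv_exact(tls, length))
            info["tls_version"] = tls.version()
            return info


if __name__ == "__main__":
    # Addresses and DoT auth names as published by Quad9 and Cloudflare
    # (assumed here; the thread itself does not list them).
    for ip, name in (("9.9.9.9", "dns.quad9.net"), ("1.1.1.1", "cloudflare-dns.com")):
        try:
            print(ip, query_dot(ip, name, "example.com", QTYPE_AAAA))
        except (ssl.SSLError, OSError, ValueError) as exc:
            print(ip, "DoT check failed:", exc)
```

A resolver that does not offer DoT will refuse or time out on port 853; one whose certificate does not carry the auth name fails in the TLS handshake with an ssl.SSLError, which is the same failure stubby's GETDNS_AUTHENTICATION_REQUIRED setting would produce. A clean result with `answers >= 1` on an AAAA query from an IPv4 address shows that resolver returns IPv6 records over an IPv4 transport.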
 
Hi all... I would say I have the same verification issues as others with DoT, but I have the configuration set like others...

One question I have is regarding the preferred server list and the DNSServer1/2 fields... I have selected Cloudflare and put their DNS servers in the Server1/2 fields in WAN... and have added their servers in the preferred list... then Quad, then CF IPv6, then Quad IPv6... I understand (I believe) that the preferred listing is priority based so it will walk down the list... so in the case of my setup, CF IPv4 first, then failing that Quad IPv4...

Now my likely naïve question... if the failover to Quad occurs... how do the DNSServer1/2 inputs change or affect the failover to the next preferred server in the list?
 
I think you have to set 'Connect to DNS server automatically' to No. Otherwise your router will still get the DNS server from your ISP. Also in LAN set DNSFilter to ON and Global Filtering Mode to Router.

I have my setup as you do... and it works as expected (I believe), but the DoT wiki would seem to indicate that setting DNS from automatic isn't required... that's part of my confusion from my previous post...

https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy
 
I have my setup as you do... and it works as expected (I believe), but the DoT wiki would seem to indicate that setting DNS from automatic isn't required... that's part of my confusion from my previous post...

https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy
You can leave the DNS setting on automatic. If you leave it on automatic, your router will, during boot, set your ISP's DNS server and, once the DNS stack loads, change over to your specified DNS. That means your time sync and AI services would be going through your ISP's DNS at first. When it's entered manually, your router will boot up without getting your ISP's DNS first and use whatever DNS is defined.
 
One question I have is regarding the preferred server list and the DNSServer1/2 fields... I have selected Cloudflare and put their DNS servers in the Server1/2 fields in WAN... and have added their servers in the preferred list... then Quad, then CF IPv6, then Quad IPv6... I understand (I believe) that the preferred listing is priority based so it will walk down the list... so in the case of my setup, CF IPv4 first, then failing that Quad IPv4...
It uses all the servers in a round-robin manner by default. So you’ll never know if you’re getting Quad9 malware filtering or not.
Now my likely naïve question... if the failover to Quad occurs... how do the DNSServer1/2 inputs change or affect the failover to the next preferred server in the list?
WAN DNS 1 and 2 function independently from DoT. Only the router will use them for its own lookups. Clients will use dnsmasq and DoT.
 
I think you have to set 'Connect to DNS server automatically' to No. Otherwise your router will still get the DNS server from your ISP. Also in LAN set DNSFilter to ON and Global Filtering Mode to Router.
I tried to set up mine and I'm getting different behavior. I tried to configure DoT with Quad9, but some of my laptops on the LAN DNS-filter page have been defined with CleanBrowsing-Security or CleanBrowsing-Family. My laptop is not part of the list. If I set "Global Filter mode" to "Router", my laptop can't get anywhere. Where is my problem? What am I doing wrong? If I set it to "No filtering" then the leak test shows that my DNS is Quad9.
 