Unable to get DNS Director and DNS over TLS working together.

glenw

Occasional Visitor
Hi,
I have a new RTBE92U router but whenever I activate DNS Director DoT stops working. I have read many, many threads and believe all is setup OK. At least it is consistent, I suppose. I can see port 853 only when it's working and 53 when not with "netstat -an | grep :853" and "netstat -an | grep :53".

Can anyone who knows more than me provide some advice to resolve this?

Router: RTBE92U
Firmware: 3006.102.4
DoT to Cloudflare 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
LAN DHCP DNS Empty
DNS Director set to "Router"

Many thanks.
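As an added example (not from this thread or from the Asuswrt-Merlin project), here is a small POSIX sh helper that turns the `netstat -an | grep :853` / `grep :53` check above into a single verdict and also lists which upstream resolvers actually have a port 853 connection, which is useful when comparing IPv4 and IPv6 resolver entries. The netstat lines below are constructed samples in busybox `netstat -an` layout; on the router you would pipe the live output in instead.

```shell
#!/bin/sh
# Classify upstream DNS traffic from `netstat -an` output read on stdin.
# Column 5 is the foreign (remote) address, so listening sockets such as
# "0.0.0.0:*" and LAN clients querying the router's own :53 are not counted.
# Prints: dot   (a connection to a resolver on TCP 853 exists)
#         plain (only port 53 connections to a resolver exist)
#         none  (no upstream DNS connection visible at all)
dns_upstream_mode() {
    input=$(cat)
    dot=$(printf '%s\n' "$input"   | awk '$5 ~ /:853$/ { n++ } END { print n + 0 }')
    plain=$(printf '%s\n' "$input" | awk '$5 ~ /:53$/  { n++ } END { print n + 0 }')
    if [ "$dot" -gt 0 ]; then
        echo dot
    elif [ "$plain" -gt 0 ]; then
        echo plain
    else
        echo none
    fi
}

# List the distinct resolver addresses (IPv4 or IPv6) that have a :853 connection,
# one per line, sorted, so you can see which DoT entries actually connected.
dot_resolvers() {
    awk '$5 ~ /:853$/ { sub(/:853$/, "", $5); seen[$5]++ }
         END { for (a in seen) print a }' | LC_ALL=C sort
}

# Constructed samples (not captured from a real router).
SAMPLE_DOT='tcp        0      0 192.168.50.1:40212      1.1.1.1:853             ESTABLISHED
tcp        0      0 192.168.50.1:40218      1.1.1.1:853             TIME_WAIT
udp        0      0 0.0.0.0:53              0.0.0.0:*
tcp        0      0 2001:db8::1:40214       2606:4700:4700::1111:853 ESTABLISHED'

SAMPLE_PLAIN='udp        0      0 192.168.50.1:51234      1.1.1.1:53              ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*'

SAMPLE_IDLE='udp        0      0 0.0.0.0:53              0.0.0.0:*
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN'

# Demo on the samples; live use on the router is:  netstat -an | dns_upstream_mode
printf 'sample_dot:   %s\n' "$(printf '%s\n' "$SAMPLE_DOT"   | dns_upstream_mode)"
printf 'sample_plain: %s\n' "$(printf '%s\n' "$SAMPLE_PLAIN" | dns_upstream_mode)"
printf 'sample_idle:  %s\n' "$(printf '%s\n' "$SAMPLE_IDLE"  | dns_upstream_mode)"
printf 'resolvers on 853: %s\n' "$(printf '%s\n' "$SAMPLE_DOT" | dot_resolvers | tr '\n' ' ')"
```

Because "plain" is only reported when nothing is on 853, a router that has just switched from DoT to port 53 after enabling DNS Director shows up immediately, and the resolver list lets you check whether the IPv6 entries ever connect at all.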
 
Do you have DNS Director set to router?
 
Yes, thanks.
Then it should work. However, there is a bit of doubt in my mind that the implementation of Stubby (DoT) in this version of firmware is working. You can check Cloudflare Help (https://one.one.one.one/help/) to see if you are connected and if you are using DoT. I would also recommend alternating the IPV6 addresses with the IPV4 addresses in the DoT setup. Stubby alternates the resolvers in the order they are entered.
Cloudflare has a filtered DNS service at 1.1.1.2 and 1.0.0.2 with a TLS Hostname of security.cloudflare-dns.com This is a manual entry but works as well as the 1.1.1.1 and 1.0.0.1 resolvers.
 
Thanks bbunge,
I also have my doubts that Stubby is working 100% correctly in this version :)
I have used the 1.1.1.1/help page a lot in the last few days (along with the netstat grepping) - this reports DoT all good as long as DNS Director is switched off. As soon as DNS Director is enabled DoT fails. I also had the IPV6 Cloudflare DNS servers in various combinations with and without the IP4 ones. Currently they are 2 IP4 followed by two IPV6 - 4 in total.
I did also use the .2 variants and the DoT encryption with the name "security.cloudflare-dns.com" but have since gone back to the standard DNS servers, just to remove a potential issue (don't think that is the issue myself).

My conclusion after many iterations is that there is something not quite right with the two working together.
 
Maybe that is what caused me issues when I tested 3006.102.4.
Disable DoT and try DNS Director. It should work. You can always use DNSSEC. No encryption but DNS verification.
 
Cloudflare + DoT + DNS Director shows DoT working on the Cloudflare ‘help’ site for me.
IPv4 & IPv6 servers alternated here.

Enable DNSSEC turned off.
 
OK, In a command terminal connected to your router run: stubby -l
You should see the DoT connections to the upstream resolvers. I don't, thus I suspect something is wrong with both the Asus firmware and Merlin.
 
Works if DNS are IPV4 - Daemon never loads if IPV6, if mixed fails on IPV6 DNS servers. Stubby reports DNSSEC off even if set to on in GUI.

[05:27:26.950845] STUBBY: Read config from file /etc/stubby/stubby-0.yml
[05:27:26.951473] STUBBY: Stubby version: Stubby 0.4.2
[05:27:26.951584] STUBBY: DNSSEC Validation is OFF
[05:27:26.951609] STUBBY: Transport list is:
[05:27:26.951632] STUBBY: - TLS
[05:27:26.951659] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[05:27:26.951682] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[05:27:26.951705] STUBBY: Starting DAEMON....
[05:27:27.923749] STUBBY: --- SETUP(TLS): : Verify locations loaded
[05:27:27.924263] STUBBY: 1.0.0.2 : Conn opened: TLS - Strict Profile
[05:27:27.944451] STUBBY: 1.0.0.2 : Verify passed : TLS
[05:27:37.009037] STUBBY: 1.0.0.2 : Conn closed: TLS - Resps= 1, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 9000
[05:27:37.009095] STUBBY: 1.0.0.2 : Upstream : TLS - Resps= 1, Timeouts = 0, Best_auth =Success
[05:27:37.009125] STUBBY: 1.0.0.2 : Upstream : TLS - Conns= 1, Conn_fails= 0, Conn_shuts= 0, Backoffs = 0
 
Interesting…..
I get the following:

NB, I have DoT set to ‘strict’, go figure…

WARNING: No Stubby config file found... using minimal default config (Opportunistic Usage)
[06:42:11.285569] STUBBY: Stubby version: Stubby 0.4.2
[06:42:11.285697] STUBBY: DNSSEC Validation is OFF
[06:42:11.285737] STUBBY: Transport list is:
[06:42:11.285776] STUBBY: - TLS
[06:42:11.285813] STUBBY: - UDP
[06:42:11.285848] STUBBY: - TCP
[06:42:11.285896] STUBBY: Privacy Usage Profile is Opportunistic
[06:42:11.285934] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
[06:42:11.285973] STUBBY: Starting DAEMON....
 
I think you need to force stubby to read the config file:

stubby -l -C /etc/stubby/stubby-0.yml
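The two `stubby -l` captures in this thread differ in exactly the lines that matter: whether a config file was read, which transports are in the list, and whether the privacy profile is Strict or Opportunistic (the latter means the resolver's certificate is not required to validate and plaintext UDP/TCP fallback is allowed). As an added example, not code from the thread or from the Stubby or Asuswrt-Merlin projects, the following Python parser reads that log text and reports those settings plus per-upstream verification results, so the "no config file found" fallback is caught mechanically rather than by eye. The two sample logs are constructed after the lines quoted above; the address, file path and version strings are the ones shown in the thread, not values read from a live router.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the first `stubby -l` capture in this thread:
# config file read, TLS only, Strict profile, one upstream verified.
STRICT_LOG = """\
[05:27:26.950845] STUBBY: Read config from file /etc/stubby/stubby-0.yml
[05:27:26.951473] STUBBY: Stubby version: Stubby 0.4.2
[05:27:26.951584] STUBBY: DNSSEC Validation is OFF
[05:27:26.951609] STUBBY: Transport list is:
[05:27:26.951632] STUBBY: - TLS
[05:27:26.951659] STUBBY: Privacy Usage Profile is Strict (Authentication required)
[05:27:26.951705] STUBBY: Starting DAEMON....
[05:27:27.923749] STUBBY: --- SETUP(TLS): : Verify locations loaded
[05:27:27.924263] STUBBY: 1.0.0.2 : Conn opened: TLS - Strict Profile
[05:27:27.944451] STUBBY: 1.0.0.2 : Verify passed : TLS
[05:27:37.009037] STUBBY: 1.0.0.2 : Conn closed: TLS - Resps= 1, Timeouts = 0, Curr_auth =Success, Keepalive(ms)= 9000
"""

# Constructed sample, modelled on the second capture: no config file found,
# built-in defaults with UDP/TCP fallback and the Opportunistic profile.
OPPORTUNISTIC_LOG = """\
WARNING: No Stubby config file found... using minimal default config (Opportunistic Usage)
[06:42:11.285569] STUBBY: Stubby version: Stubby 0.4.2
[06:42:11.285697] STUBBY: DNSSEC Validation is OFF
[06:42:11.285737] STUBBY: Transport list is:
[06:42:11.285776] STUBBY: - TLS
[06:42:11.285813] STUBBY: - UDP
[06:42:11.285848] STUBBY: - TCP
[06:42:11.285896] STUBBY: Privacy Usage Profile is Opportunistic
[06:42:11.285973] STUBBY: Starting DAEMON....
"""

STUBBY_LINE = re.compile(r"^\[[0-9:.]+\] STUBBY: (?P<msg>.*)$")
# Per-upstream events: "<addr> : <event>: <detail>" (spacing around ':' varies)
UPSTREAM_LINE = re.compile(
    r"^(?P<addr>[0-9a-fA-F.:]+)\s+:\s+"
    r"(?P<event>Conn opened|Verify passed|Verify failed|Conn closed|Upstream)"
    r"\s*:\s*(?P<detail>.*)$"
)


@dataclass
class StubbyReport:
    config_file: Optional[str] = None
    version: Optional[str] = None
    dnssec_on: Optional[bool] = None
    transports: List[str] = field(default_factory=list)
    profile: Optional[str] = None          # "Strict" or "Opportunistic"
    upstreams: Dict[str, Dict[str, object]] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)


def parse_stubby_log(text: str) -> StubbyReport:
    """Extract the security-relevant settings from `stubby -l` output."""
    rep = StubbyReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("WARNING:"):
            rep.warnings.append(line)
            continue
        m = STUBBY_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Read config from file "):
            rep.config_file = msg[len("Read config from file "):]
        elif msg.startswith("Stubby version: "):
            rep.version = msg[len("Stubby version: "):]
        elif msg.startswith("DNSSEC Validation is "):
            rep.dnssec_on = msg.endswith("ON")
        elif msg.startswith("- "):                       # entries under "Transport list is:"
            rep.transports.append(msg[2:])
        elif msg.startswith("Privacy Usage Profile is "):
            rep.profile = msg[len("Privacy Usage Profile is "):].split()[0]
        else:
            u = UPSTREAM_LINE.match(msg)
            if u:
                entry = rep.upstreams.setdefault(
                    u.group("addr"), {"opened": 0, "verified": False, "responses": 0})
                ev = u.group("event")
                if ev == "Conn opened":
                    entry["opened"] += 1
                elif ev == "Verify passed":
                    entry["verified"] = True
                elif ev == "Conn closed":
                    r = re.search(r"Resps=\s*(\d+)", u.group("detail"))
                    if r:
                        entry["responses"] += int(r.group(1))
    return rep


def assess(rep: StubbyReport) -> List[str]:
    """Return the findings a defender cares about; an empty list is the ideal."""
    findings = []
    if rep.config_file is None:
        findings.append("config: no config file read, stubby is running on built-in defaults")
    if rep.profile != "Strict":
        findings.append(f"profile: {rep.profile}, upstream certificates are not required to validate")
    plain = [t for t in rep.transports if t != "TLS"]
    if plain:
        findings.append("transports: plaintext fallback enabled (" + ", ".join(plain) + ")")
    if rep.dnssec_on is False:
        findings.append("dnssec: validation is OFF")
    if not any(e["verified"] for e in rep.upstreams.values()):
        findings.append("upstreams: none passed TLS verification")
    return findings


def dot_is_healthy(text: str) -> bool:
    """True only when a config was read, TLS is the sole transport, the profile is
    Strict and at least one upstream passed certificate verification."""
    rep = parse_stubby_log(text)
    return (rep.config_file is not None and rep.profile == "Strict"
            and rep.transports == ["TLS"]
            and any(e["verified"] for e in rep.upstreams.values()))


if __name__ == "__main__":
    for name, log in (("strict", STRICT_LOG), ("opportunistic", OPPORTUNISTIC_LOG)):
        rep = parse_stubby_log(log)
        print(f"{name}: profile={rep.profile} transports={rep.transports} healthy={dot_is_healthy(log)}")
        for f in assess(rep):
            print("  -", f)
```

In practice you would feed it the real output (for example `stubby -l -C /etc/stubby/stubby-0.yml` run for a few seconds and saved to a file) and treat any finding other than the DNSSEC note as "DoT is not doing what the GUI says".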
 
I have been messing around with this (same router on latest Merlin).

It's easy to test (on Windows), simply run 'nslookup'! It will timeout.

I have found that the bug is related to IPv6!

The bug happens when all of these are true:

  1. DNS director is enabled
  2. DNS over TLS is enabled
  3. One of the servers in the DoT server list contains an IPv6 address!
If I recall correctly @merlin does not have ipv6. That could easily explain why this bug made it into the release.
 
No problem seen here. I’m using two (Cloudflare) IPv4 servers, + two IPv6 servers + dns director + DoT.
 
I think Poul Bak may be onto something.
I have found in my case having no IPV6 servers in the DoT server list works reliably for DoT.
BUT - consistently as soon as I enable DNS Director the DoT stops working.
 
DNS director enabled + DoT enabled + ONLY IPv6 servers enabled and everything here is working fine. Stubby reports all ok, only finds IPv6 servers as expected.
 
Perhaps this is specific to the RTBE92U and 3006.102.4 Merlin firmware? Is there anyone with this HW/FW combination having DNS Director, DoT, and IPV6 operating together correctly?
 
