WAN DNS - TLS or not?

Justinh

Regular Contributor
The ASUS firmware allows for a WAN "DNS Server" server and for a "DNS-over-TLS Server". If I populate both, which one is the router using for DNS queries? Is the non-DoT server just used as a failover in this case?
 

Tech9

Part of the Furniture
DoT set with Strict profile will override your WAN DNS servers. They will be used for the router's own queries and before Stubby starts.
 

rxe25

Occasional Visitor
Set the DNS server 1 to your router's IP (Possibly 192.168.50.1), then pick the DNS-over-TLS(DoT) servers you want either manually or from the ones included in firmware.

Your choice whether to use strict or opportunistic DoT after that.

Setting it up this way will route all DNS queries over TLS.

I've used Quad9 in strict mode without issues.

If you input a DNS, say Google 8.8.8.8, in WAN DNS you will likely not have DoT on all your network if that is what you wish for.
 

ColinTaylor

Part of the Furniture
Set the DNS server 1 to your router's IP (Possibly 192.168.50.1), then pick the DNS-over-TLS(DoT) servers you want either manually or from the ones included in firmware.

Your choice whether to use strict or opportunistic DoT after that.

Setting it up this way will route all DNS queries over TLS.

I've used Quad9 in strict mode without issues.

If you input a DNS, say Google 8.8.8.8, in WAN DNS you will likely not have DoT on all your network if that is what you wish for.
This is incorrect.
 

bbunge

Part of the Furniture
Well, what is correct-
On router boot the WAN DNS Server 1 or 2 will be active and used to set the router time. As the boot, or start up, progresses and DoT is enabled, the upstream resolvers, or DNS Servers, chosen in DNS-over-TLS Server List will become active.
If the router is set to be the clients DNS server, which it is by default, the client DNS queries will be collected by DNSMASQ then passed to Stubby/GetDNS to be encrypted and forwarded to the servers in the DNS-over-TLS Server List. Those servers are used in turn in a process called round robin. Replies use the reverse path to get to the client.
 
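The forwarding path described in the post above (client → dnsmasq → Stubby → DoT upstream) comes down to a plain DNS message wrapped in TCP framing inside a TLS session on port 853. The following is an added example, not code from this thread or from the Asus/Merlin firmware: a minimal DoT client in Python that does the same job Stubby does for dnsmasq, with a Strict/Opportunistic switch matching the two profiles offered in the GUI. The `9.9.9.9` / `dns.quad9.net` pair in the usage comment is the Quad9 service mentioned in the thread; `SAMPLE_RESPONSE` is a constructed reply used only to exercise the parser offline.

```python
"""Minimal DNS-over-TLS (RFC 7858) client in the role Stubby plays on the router.
Added example; not the firmware's own code.  Stdlib only.
"""
import socket
import ssl
import struct
from typing import List


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal recursive A query in DNS wire format (RFC 1035)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)          # QTYPE, QCLASS=IN


def frame_for_tcp(msg: bytes) -> bytes:
    """DoT (like DNS over TCP) prefixes every message with a 2-byte big-endian length."""
    return struct.pack(">H", len(msg)) + msg


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: always 2 bytes
            return off + 2
        off += 1 + ln


def parse_a_records(resp: bytes, expected_txid: int) -> List[str]:
    """Return the A-record addresses in a response; refuse mismatched IDs and error RCODEs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (possible injected or stale reply)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT server closed the connection early")
        buf += chunk
    return buf


def dot_query(name: str, server_ip: str, tls_hostname: str,
              strict: bool = True, timeout: float = 5.0) -> List[str]:
    """Resolve `name` over DoT (TCP/853).

    strict=True  -> Strict profile (RFC 8310): the certificate chain must validate
                    and match tls_hostname, otherwise the query fails closed.
    strict=False -> Opportunistic profile: TLS is still used, but an unverifiable
                    certificate is accepted rather than refused.
    Note: chain validation compares the certificate's validity period with the local
    clock, so a router whose clock is still at the firmware build date cannot complete
    a Strict handshake until NTP has set the time.
    """
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname = False         # must be disabled before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    txid = 0x4242
    query = build_query(name, txid=txid)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            tls.sendall(frame_for_tcp(query))
            (length,) = struct.unpack(">H", _recv_exact(tls, 2))
            resp = _recv_exact(tls, length)
    return parse_a_records(resp, txid)


# Constructed reply (not captured traffic): ID 0x4242, QR/RD/RA set, one question
# for example.com, one A record pointing at 93.184.216.34 with TTL 300.
SAMPLE_RESPONSE = (
    b"\x42\x42\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)


def demo_parse() -> List[str]:
    """Offline demonstration of the parser on the constructed reply."""
    return parse_a_records(SAMPLE_RESPONSE, 0x4242)


if __name__ == "__main__":
    print(demo_parse())
    # Live use (needs network and a correct clock for strict=True):
    # print(dot_query("example.com", "9.9.9.9", "dns.quad9.net", strict=True))
```

Running the live call with `strict=True` against a server whose certificate does not match the configured hostname raises `ssl.SSLCertVerificationError` instead of returning an answer; that fail-closed behaviour is exactly what the Strict profile buys you and what Opportunistic gives up. It is also why the resolver that bootstraps NTP and the DoT server's own hostname has to be reachable over plain DNS first.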

Tech9

Part of the Furniture
Not according to the GUI.

Correct settings with OpenDNS example:

[screenshot attached]
 

bbunge

Part of the Furniture
Not according to the GUI.
Don't know what you are putting in your pipe but it is very wrong to use the router LAN IP address in the WAN DNS Server 1 and 2. Some also put their Pi-Hole IP address there but that is wrong as well even though they get away with it sometimes. YOU NEED A VALID UPSTREAM RESOLVER ANYCAST ADDRESS IN WAN/DNS SERVER 1 AND 2!

See my prior comment above. One computer professional, a retired computer professional, me, and another very knowledgeable computer hobbyist really do know what is going on here. I was also involved in the initial DoT testing on Asus routers before Merlin then Asus added it to the firmware.
 

rxe25

Occasional Visitor
Well, what is correct-
On router boot the WAN DNS Server 1 or 2 will be active and used to set the router time. As the boot, or start up, progresses and DoT is enabled, the upstream resolvers, or DNS Servers, chosen in DNS-over-TLS Server List will become active.

By not having any DNS servers there (WAN 1 & 2), or pointing the router to itself, you avoid any DNS requests being sent out that are not DoT protected.

I've been unable to recreate the GUI advice from when I first setup DoT, but I have a clear recollection of being advised that having DNS in WAN 1and/or 2 would negate DoT settings further down.
If the router is set to be the clients DNS server, which it is by default, the client DNS queries will be collected by DNSMASQ then passed to Stubby/GetDNS to be encrypted and forwarded to the servers in the DNS-over-TLS Server List. Those servers are used in turn in a process called round robin. Replies use the reverse path to get to the client.
I don't doubt your experience, but I can prove my own point.

Having no DNS in the WAN while using DoT works just fine.

[screenshots attached: DoT2.png, DoT1.png]
 

det721

Part of the Furniture
By not having any DNS servers there (WAN 1 & 2), or pointing the router to itself, you avoid any DNS requests being sent out that are not DoT protected.

I've been unable to recreate the GUI advice from when I first setup DoT, but I have a clear recollection of being advised that having DNS in WAN 1and/or 2 would negate DoT settings further down.

I don't doubt your experience, but I can prove my own point.

Having no DNS in the WAN while using DoT works just fine.


Having no DNS server in WAN 1 and 2, the router will use your ISP DNS servers; you need some kind of non-TLS server for the time to set on the router at boot up.
 

bbunge

Part of the Furniture
By not having any DNS servers there (WAN 1 & 2), or pointing the router to itself, you avoid any DNS requests being sent out that are not DoT protected.

I've been unable to recreate the GUI advice from when I first setup DoT, but I have a clear recollection of being advised that having DNS in WAN 1and/or 2 would negate DoT settings further down.

I don't doubt your experience, but I can prove my own point.

Having no DNS in the WAN while using DoT works just fine.

Also kinda dumb to alternate a filtered DNS service with a non-filtered DNS service. You would be better off using 1.1.1.2 and 1.0.0.2 security.cloudflare-dns.com

And I bet the router does not have the right time.
 

Tech9

Part of the Furniture
By not having any DNS servers there (WAN 1 & 2), or pointing the router to itself, you avoid any DNS requests being sent out that are not DoT protected.

Your settings are wrong. What do you need to protect so much? The queries to pool.ntp.org or to dns.msftncsi.com?

DoT to Quad9 filtered and Cloudflare non-filtered doesn't make sense. And you better set Prevent Client Auto DoH to Yes.
 

Tech9

Part of the Furniture
One computer professional, a retired computer professional, me, and another very knowledgeable computer hobbyist

I'm sorry... who's the computer hobbyist? :D

Can you revive a board like this from no boot condition? Because I can and just did it.

[photo attached]
 

bbunge

Part of the Furniture
I'm sorry... who's the computer hobbyist? :D

Can you revive a board like this from no boot condition? Because I can and just did it.

Was not referring to you as a hobbyist. Guess I should not try to influence dummies who will not listen to reason and experience. I have enough stress in my life and need no more bloody spots on the head. Also need to leave the folks having issues with Merlin alone.
Have you tried the AX86U 388 Beta?
 

rxe25

Occasional Visitor
Your settings are wrong. What do you need to protect so much? The queries to pool.ntp.org or to dns.msftncsi.com?

DoT to Quad9 filtered and Cloudflare non-filtered doesn't make sense. And you better set Prevent Client Auto DoH to Yes.
The settings work just fine, so "wrong" is a point of view.

I don't filter my DNS so those addresses are exactly what I require.
 

rxe25

Occasional Visitor
Having no DNS server in WAN 1 and 2, the router will use your ISP DNS servers; you need some kind of non-TLS server for the time to set on the router at boot up.
That directly conflicts with what the GUI implies.

[screenshot attached: DoT3.png]


I will have a look at my logs next bootup to see what the behaviour is. I am aware that the time will be reset at bootup to a time around when the firmware was compiled, but my time has never been wrong once bootup completes, and I have to deal with silly DST where I am.
 

rxe25

Occasional Visitor
Also kinda dumb to alternate a filtered DNS service with a non-filtered DNS service. You would be better off using 1.1.1.2 and 1.0.0.2 security.cloudflare-dns.com

And I bet the router does not have the right time.
Router time is always correct, and I have set local NTP.org pool servers in the admin - system panel and also have the router intercept client NTP requests.
 

ColinTaylor

Part of the Furniture
The settings work just fine, so "wrong" is a point of view.
They are "wrong" in your original post, and your description of what is happening in it and your subsequent post is incorrect.

Your second set of settings "work" because you haven't put any custom DNS addresses in the fields like you're meant to. So rather than using encrypted DoT as you think it is, the router is falling back to normal DNS (just as if you had selected "auto"). Once it has acquired NTP and resolved the TLS hostname, only then can it start using DoT. So all you've done is misconfigure the WAN DNS and made the startup process obscure for no benefit.
 
