
WAN DNS - TLS or not?


They are "wrong" in your original post, and your description of what is happening in it and in your subsequent post is incorrect.

Your second set of settings "work" because you haven't put any custom DNS addresses in the fields like you're meant to. So rather than using encrypted DoT as you think it is, the router is falling back to normal DNS (just as if you had selected "auto"). Once it has acquired NTP and resolved the TLS hostname, only then can it start using DoT. So all you've done is misconfigure the WAN DNS and made the startup process obscure for no benefit.


Fair enough.

I should see my ISP's DNS in the startup log in this case? I will check for them when I reboot tomorrow.
 
@rxe25 To be clear on something: this thread is discussing stock Asus firmware, not Merlin's.

> I should see my ISP's DNS in the startup log in this case? I will check for them when I reboot tomorrow.

To clarify my previous post: if you're using Merlin's firmware, it is Stubby (DoT) that is falling back to unencrypted mode, not dnsmasq. As such you won't see any indication of this unless you enable debug mode for Stubby. For example,

Initial unencrypted startup:
Code:
May  5 06:05:22 stubby[2624]: Stubby version: Stubby 0.4.0
May  5 06:05:22 stubby[2624]: Read config from file /etc/stubby/stubby.yml
May  5 06:05:24 stubby[2625]: 45.90.28.0                               : Upstream   : UDP - Resps=     1, Timeouts  =     0 (logged every 100 responses)
May  5 06:05:24 stubby[2625]: 45.90.30.0                               : Upstream   : UDP - Resps=     1, Timeouts  =     0 (logged every 100 responses)

Stubby restarts after NTP has run successfully:
Code:
Aug 10 12:36:43 stubby[2787]: Stubby version: Stubby 0.4.0
Aug 10 12:36:43 stubby[2787]: Read config from file /etc/stubby/stubby.yml
Aug 10 12:36:44 stubby[2788]: 45.90.28.0                               : Upstream   : Could not setup TLS capable TFO connect
Aug 10 12:36:44 stubby[2788]: 45.90.28.0                               : Conn opened: TLS - Strict Profile
Aug 10 12:36:44 stubby[2788]: 45.90.28.0                               : Verify passed : TLS
Aug 10 12:36:44 stubby[2788]: 45.90.30.0                               : Conn opened: TLS - Strict Profile
Aug 10 12:36:44 stubby[2788]: 45.90.30.0                               : Verify passed : TLS

This is why I said you're just making the startup process more obscure for no real gain. IMHO it's better to put valid IP addresses in the WAN DNS fields (as RMerlin says); then you don't have to second-guess what failure activity is happening under the covers.
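As an added example (my own code, not from this thread or from the Stubby project), the check below parses Stubby debug lines in the layout quoted above, splits them into runs at each "Stubby version" line, and reports every run in which an upstream answered over plain UDP/TCP rather than a verified TLS session. It assumes Stubby debug logging is enabled and that the line layout matches the quoted output; the sample log lines are constructed from the ones shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the Stubby debug lines quoted above: a first run
# before NTP (plain UDP) and a restart after NTP (TLS strict, verified).
SAMPLE_LOG = """\
May  5 06:05:22 stubby[2624]: Stubby version: Stubby 0.4.0
May  5 06:05:24 stubby[2625]: 45.90.28.0                               : Upstream   : UDP - Resps=     1, Timeouts  =     0 (logged every 100 responses)
May  5 06:05:24 stubby[2625]: 45.90.30.0                               : Upstream   : UDP - Resps=     1, Timeouts  =     0 (logged every 100 responses)
Aug 10 12:36:43 stubby[2787]: Stubby version: Stubby 0.4.0
Aug 10 12:36:44 stubby[2788]: 45.90.28.0                               : Upstream   : Could not setup TLS capable TFO connect
Aug 10 12:36:44 stubby[2788]: 45.90.28.0                               : Verify passed : TLS
Aug 10 12:36:44 stubby[2788]: 45.90.30.0                               : Verify passed : TLS
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) stubby\[\d+\]: (?P<msg>.*)$")
# "<addr>   : <rest>"; \S+ also covers IPv6 upstreams, which contain colons themselves
UPSTREAM_RE = re.compile(r"^(?P<addr>\S+)\s*:\s+(?P<rest>.+)$")
TRANSPORT_RE = re.compile(r"^Upstream\s*:\s*(?P<transport>\w+)\b")

@dataclass
class StubbyRun:
    started: str                                    # timestamp of the "Stubby version" line
    plaintext: set = field(default_factory=set)     # upstreams answered over UDP/TCP
    tls_verified: set = field(default_factory=set)  # upstreams with a verified TLS session

def parse_stubby_log(text):
    """Split a syslog extract into Stubby runs and classify each upstream per run."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Stubby version:"):    # each (re)start opens a new run
            runs.append(StubbyRun(started=m.group("ts")))
            continue
        u = UPSTREAM_RE.match(msg)
        if not runs or not u:                    # config notices, or lines before any start
            continue
        addr, rest = u.group("addr"), u.group("rest")
        t = TRANSPORT_RE.match(rest)
        if t and t.group("transport") in ("UDP", "TCP"):
            runs[-1].plaintext.add(addr)         # the silent fallback described above
        elif rest.startswith("Verify passed") and rest.rstrip().endswith("TLS"):
            runs[-1].tls_verified.add(addr)
    return runs

def plaintext_fallbacks(text):
    """(start time, upstreams) for every run in which queries went out unencrypted."""
    return [(r.started, sorted(r.plaintext)) for r in parse_stubby_log(text) if r.plaintext]
```

Feeding it a syslog extract from a boot cycle makes the pre-NTP plaintext window visible without reading the raw lines by hand.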
 
I set it up as DNS over TLS with Google's IPv4 and IPv6, but it actually doesn't work and I still get peer reset errors for websites which my ISP has blocked by hijacking my DNS queries.
 
> and I still get peer reset errors for websites which my ISP has blocked by hijacking my DNS queries.
"Connection resets" is not related to DNS, it means your ISP is actively blocking access to these sites. If they were filtering at the DNS level, then the browser would return a "site not found / NXDOMAIN" type of error instead, or would redirect you to a different site.
 
> "Connection resets" is not related to DNS, it means your ISP is actively blocking access to these sites. If they were filtering at the DNS level, then the browser would return a "site not found / NXDOMAIN" type of error instead, or would redirect you to a different site.
Any solutions for this on router level? I hate to use third party apps like GoodbyeDPI or GreenTunnel for unblocking.
 
> Any solutions for this on router level? I hate to use third party apps like GoodbyeDPI or GreenTunnel for unblocking.
No, sorry. The only way would be to tunnel your traffic through a VPN, either to a commercial VPN provider, or to a VPS that you own.
 
> No, sorry. The only way would be to tunnel your traffic through a VPN, either to a commercial VPN provider, or to a VPS that you own.
Thanks, I prefer to not use VPN so I will stick to GoodbyeDPI and GreenTunnel for unblocking.
 
