> Set the DNS server 1 to your router's IP (possibly 192.168.50.1), then pick the DNS-over-TLS (DoT) servers you want, either manually or from the ones included in the firmware.
> Your choice whether to use strict or opportunistic DoT after that.
> Setting it up this way will route all DNS queries over TLS.
> I've used Quad9 in strict mode without issues.
> If you input a DNS, say Google 8.8.8.8, in WAN DNS you will likely not have DoT on all your network, if that is what you wish for.
This is incorrect.
> This is incorrect.
Not according to the GUI.
> Not according to the GUI.
Don't know what you are putting in your pipe, but it is very wrong to use the router LAN IP address in the WAN DNS Server 1 and 2. Some also put their Pi-hole IP address there, but that is wrong as well, even though they get away with it sometimes. YOU NEED A VALID UPSTREAM RESOLVER ANYCAST ADDRESS IN WAN/DNS SERVER 1 AND 2!
Well, what is correct?
On router boot the WAN DNS Server 1 or 2 will be active and used to set the router time. As the boot, or start up, progresses and DoT is enabled, the upstream resolvers, or DNS servers, chosen in the DNS-over-TLS Server List will become active.
If the router is set to be the clients' DNS server, which it is by default, the client DNS queries will be collected by dnsmasq, then passed to Stubby/GetDNS to be encrypted and forwarded to the servers in the DNS-over-TLS Server List. Those servers are used in turn in a process called round robin. Replies use the reverse path to get to the client.
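The query path the post describes (dnsmasq collects the client query, Stubby forwards it inside a TLS session to a listed DoT server on port 853) in a minimal Python form, added here as an illustration and not taken from the thread, the firmware or Stubby: it builds the DNS message, adds the length prefix DoT requires, and shows what strict versus opportunistic verification means for the TLS session. The Quad9 address 9.9.9.9 and name dns.quad9.net are assumed defaults, and the sample reply is constructed.

```python
import socket, ssl, struct

def build_query(name, qid=0x1234, qtype=1):
    """Standard recursive query for `name` (qtype 1 = A): header, qname labels, qtype, class IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question, no answers
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)
def frame(msg):  # DoT (RFC 7858) prefixes each DNS message with its 2-byte length, as DNS over TCP does
    return struct.pack(">H", len(msg)) + msg
def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset just past it in the stream)."""
    labels, end, jumped = [], off, False
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:  # compression pointer: follow it, remember where the stream resumes
            end = end if jumped else off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + n].decode())
        off += n
def parse_response(msg):
    """Return (rcode, [(name, rtype, ttl, rdata)]) from a DNS reply; A rdata is rendered as text."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd):  # skip the echoed question section (name + qtype + qclass)
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        answers.append((name, rtype, ttl, socket.inet_ntoa(rdata) if rtype == 1 else rdata))
    return flags & 0x000F, answers
def tls_context(strict=True):  # strict: verify chain and name; opportunistic: encrypt but do not authenticate
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return ctx
def resolve_dot(name, server_ip="9.9.9.9", auth_name="dns.quad9.net", strict=True):
    """One query to a DoT server on port 853 (needs network; defaults assume Quad9's endpoint)."""
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with tls_context(strict).wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack(">H", tls.recv(2))
            return parse_response(tls.recv(length))

# Constructed reply (not captured from any server): example.com A 192.0.2.1, TTL 3600, RCODE 0.
SAMPLE_RESPONSE = bytes.fromhex("123481800001000100000000") + build_query("example.com")[12:] + bytes.fromhex("c00c0001000100000e100004c0000201")
```

With strict mode a server presenting a certificate that does not match the authentication name fails the handshake, which is what makes the WAN DNS entries irrelevant once the DoT list is active; opportunistic mode accepts any certificate.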
By not having any DNS servers there (WAN 1 & 2), or pointing the router to itself, you avoid any DNS requests being sent out that are not DoT protected.
I've been unable to recreate the GUI advice from when I first set up DoT, but I have a clear recollection of being advised that having DNS in WAN 1 and/or 2 would negate the DoT settings further down.
I don't doubt your experience, but I can prove my own point.
Having no DNS in the WAN while using DoT works just fine.
(Attachments 43416 and 43415)
> By not having any DNS servers there (WAN 1 & 2), or pointing the router to itself, you avoid any DNS requests being sent out that are not DoT protected.
Also kinda dumb to alternate a filtered DNS service with a non-filtered DNS service. You would be better off using 1.1.1.2 and 1.0.0.2 (security.cloudflare-dns.com).
> One computer professional, a retired computer professional, me, and another very knowledgeable computer hobbyist
> I'm sorry... who's the computer hobbyist?
Was not referring to you as a hobbyist. Guess I should not try to influence dummies who will not listen to reason and experience. I have enough stress in my life and need no more bloody spots on the head. Also need to leave the folks having issues with Merlin alone.
Can you revive a board like this from no boot condition? Because I can and just did it.
(Attachment 43419)
Have you tried the AX86U 388 Beta?
> Your settings are wrong. What do you need to protect so much? The queries to pool.ntp.org or to dns.msftncsi.com?
The settings work just fine, so "wrong" is a point of view.
DoT to Quad9 filtered and Cloudflare non-filtered doesn't make sense. And you better set Prevent Client Auto DoH to Yes.
> Having no DNS server in WAN 1 and 2, the router will use your ISP DNS servers; you need some kind of non-TLS server for the time to set on the router at boot up.
That directly conflicts with what the GUI implies.
> Also kinda dumb to alternate a filtered DNS service with a non-filtered DNS service. You would be better off using 1.1.1.2 and 1.0.0.2 (security.cloudflare-dns.com).
Router time is always correct, and I have set local NTP.org pool servers in the Admin - System panel and also have the router intercept client NTP requests.
And I bet the router does not have the right time.
> The settings work just fine, so "wrong" is a point of view.
They are "wrong" in your original post, and your description of what is happening in it and in your subsequent post is incorrect.