After 384.9 update internet shows disconnected....

[gilstrac]

Well I think I've gotten to the bottom of my issue, and perhaps found a bug in the process.

TLDR: DNSSEC + Strict Order + Open VPN Client (with DNS Servers that don't support DNSSEC) = "Disconnected" message.

Explanation:

Normally, my DNS Servers are 1.0.0.1 and 1.1.1.1. I have DNSSEC set. The DNS Servers can be seen in /tmp/resolv.dnsmasq.

When I start the VPN, the VPN provider adds two DNS Servers. I use Surfshark, and now resolv.dnsmasq looks like:
server=1.0.0.1
server=1.1.1.1
server=162.252.172.57
server=149.154.159.92

What I've found is setting strict order against the VPN actually sets strict order against DNSMasq. This can be seen in /etc/dnsmasq.conf, where there is a new parameter "strict-order". So strict order is being set for the whole router, not just the VPN connection.

The two additional DNS servers (162.252.172.57 and 149.154.159.92) do not work from the router (in other words, the router cannot resolve hosts using these DNS servers). This is because I have DNSSEC enabled. However, these DNS servers don't support DNSSEC, so any DNSMasq lookup fails.

When I have strict order set for the VPN "Accept DNS Configuration", I cannot resolve any hostnames on the router (I tried pinging various hostnames after logging into the router using ssh - all failed). This is because they try to resolve against the VPN servers first, but fail.

Switching the VPN "Accept DNS Configuration" to relaxed (which also switches DNSMasq to relaxed) allows the router to resolve hostnames again. I guess it then uses CloudFlare to resolve.

Also turning off DNSSEC fixes the problem.

A side effect of all this is that "Disconnected" shows against the status, as the DNS resolving doesn't work (and switching it to "Ping" doesn't work either, even just pinging an IP address).

@RMerlin does this sound feasible?

well done

 

[tomox]

Had same problem with WAN showing disconnected, able to ping with IP but not name. Would happen randomly once a day, twice a day, every two days... Only remedy was router reboot. Some clients on my LAN were able to resolve no problem, some where showing no internet at all. Started happening after the 384.10 update on RT-ac88u. Have 2 VPN clients running on it connected to asus routers elsewhere (one is ac1750 and ac1900). Tried to donwgrade firmware back to 384.5 with factory reset didn't help. What did help, and it's been good past 4 days fingers crossed is disabling the "WAN redirect notice". As soon as I turned that off WAN showed connected almost immediately. No router reboot needed. Has been working fine since. Weird. I have another RT-ac88u running in different location currently on 384.5 and it's no problems there. No VPN clients running on that one though.

 

[bitmonster]

Any downsides to setting DNS config to relaxed? Same issue, would seem to correlate with using VPN.

I really would rather not disable DNSEC.

Sent from my SM-G977B using Tapatalk

 

[RMerlin]

Any downsides to setting DNS config to relaxed? Same issue, would seem to correlate with using VPN.

I really would rather not disable DNSEC.

Some VPN providers will block the use of different DNS, also some of them might be pushing their own servers that would not work outside of the tunnel. So, it depends on how your VPN providers implemented their DNS support.

 

[bitmonster]

Some VPN providers will block the use of different DNS, also some of them might be pushing their own servers that would not work outside of the tunnel. So, it depends on how your VPN providers implemented their DNS support.

Thanks, good to know if I use an external provider.

For now I am referring to the in-built VPN provider. I use the Diversion and Skynet scripts to provide protection on-the-go - i.e. my mobile devices. It has been a literal God-send. Seeing all those blocked ads on my mobile device. My limited attention-span thanks thee.