Asus XT8 DNS madness

[tournakos]

Hi all I have a (network of 3) Asus XT8 connected through the WAN port to my ISP's router that doesnt support bridge mode so apparently I am behind double NAT but that isnt an issue for me.
I was generally able to access asusrouter.com but recently I noticed that asusrouter.com is not resolvable and digging a bit more I realised that the asus router maybe does not resolve anything as a DNS server from any client:

C:\Users\tourn>nslookup google.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.50.1

Non-authoritative answer:
Name: google.com
Addresses: 2a00:1450:4017:805::200e
142.251.140.14

Any DNS settings on the router page do not take any effect at all, and when checking my DNS on websites online I do see my ISPs DNS as expected.

Any ideas as to how I can make the router work again as a DNS server and then also enforce DNS settings (ie the asus router to use 8.8.8.8 regardless of it getting an IP from my ISPs router which uses the ISP DNS.

Thank you

 

[tournakos]

The nslookup above is from my pc, nslookup from the network tools on the router page works fine as it uses my ISPs router dns

 

[ColinTaylor]

Post screenshots of your WAN - Internet Connection and LAN - DHCP Server pages.

 

[tournakos]

here

 

[Tech9]

ie the asus router to use 8.8.8.8 regardless of it getting an IP from my ISPs router which uses the ISP DNS

Enable DNS Privacy Protocol in WAN settings page, select Strict, select Google 8.8.8.8 and 8.8.4.4 servers from the drop down menu, don't forget Apply at the bottom of the page. There are other preset choices there for free public DNS services. Try again.

 

[tournakos]

Made no difference I am afraid. Do I need to reboot?

 

[Tech9]

Reboot - No.
What is this test showing for DNS servers?

DNS Leak Test

The DNS Leak Test is a tool used to determine which DNS servers your browser is using to resolve domain names. This test attempts to resolve 50 randomly generated domain names, of which 25 are IPv4-only and 25 are IPv6-only.

browserleaks.com

 

[tournakos]

The ISP ones as set in the isp router

 

[Tech9]

Did you click Apply at the bottom of the WAN settings page?
And this device is for sure connected to your Asus router and not the ISP provided gateway?

 

[tournakos]

And this device is for sure connected to your Asus router and not the ISP provided gateway?

Yes, the same happens on any device. Also asusrouter.com not resolvable from any device either.

 

[Tech9]

Okay, reboot the Asus router, double check WAN settings page, make sure the device you test with is on the Client List with 192.168.50.x IP address, try again.

 

[tournakos]

Still the same. Should I go for a reset?

 

[Tech9]

This is weird behavior because what you find not working is one of the basic functions. Before you do the reset make sure your Asus router is really connected to the ISP gateway with the WAN port. Sometimes simple mistakes are hard to spot.

 

[tournakos]

Well to be precise its connected on lan1 because wan is reserved for the ONT device

 

[Tech9]

ISP gateway LAN -> Asus Main router WAN

If your nodes are wired: Asus Main router LAN -> Nodes WAN

 

[tournakos]

Well nothing that a restore cant fix.. Assigning DNS in wan settings still doesnt work, but your DNS privacy setting suggestion did the trick. Can you explain why it only works this way in my case?

 

[Tech9]

Some ISPs have the practice to intercept and redirect DNS standard non-encrypted queries on port 53 to own DNS servers. Perhaps the case with yours. When you encrypt the queries and use different 853 port it goes through to the upstream public DNS servers you prefer. If the ISP wants to they can still prevent this from happening, at least for DoT.

 

[OzarkEdge]

If the ISP wants to they can still prevent this from happening, at least for DoT.

By prevent, do you mean the ISP can break the DNS query, but not redirect it?

OE

 

[Tech9]

They can simply block port 853 and DoT won’t work. DoH is Plan B in this case, but not an option in Asuswrt.

 

[OzarkEdge]

They can simply block port 853 and DoT won’t work. DoH is Plan B in this case, but not an option in Asuswrt.

Perhaps a use for a commercial VPN to get past a difficult ISP(?)... although I'm not likely to layer up for just that.

OE