Asus XT8 DNS madness

Well, nothing that a restore can't fix. Assigning DNS in WAN settings still doesn't work, but your DNS privacy setting suggestion did the trick. Can you explain why it only works this way in my case?
DoH from clients is rejected (or should be if auto) when DNSSEC is established.

I would set DoH reject from auto to yes, and enable DNSSEC when running your own DNS resolver (not forwarding) like what is configured in post #6.
 
Perhaps a use for a commercial VPN

This comes with different types of issues. And if the ISP wants to, they can prevent VPN use as well, including on port 443.
 
I'm using ChatGPT... 🤪
 
It's what the setting should be no matter who makes it.
Obviously you know nothing about routers.
At the moment the DNS server has changed and it is working as expected with the settings as shown (the issue was resolved after a hard reset). Why would it be more beneficial to switch “Prevent client auto DoH” and “Enable DNSSEC support” to Yes? And would that mean that then I could disable the DNS over TLS as it would honour the WAN DNS settings? Or I got that wrong??
 

Any DNS settings on the router page do not take any effect at all, and when checking my DNS on websites online I do see my ISP's DNS as expected.
To be clear, are you saying that if you go to the router's WAN DNS Setting and click on Assign... then select Google and click Save... when it returns to the WAN - Internet Connection page the WAN DNS Setting is still showing your ISP's DNS and not Google's?

Have you tried your nslookup on other PCs?
 
To be clear, are you saying that if you go to the router's WAN DNS Setting and click on Assign... then select Google and click Save... when it returns to the WAN - Internet Connection page the WAN DNS Setting is still showing your ISP's DNS and not Google's?

Have you tried your nslookup on other PCs?
The issue was resolved after a hard reset and following a suggestion about activating DNS over TLS as per my post above.
 
The issue was resolved after a hard reset and following a suggestion about activating DNS over TLS as per my post above.
Yes I read that you used DoT as a workaround, but my question still stands. Did/do you have a problem with the router not allowing you to change the WAN DNS settings?
 
Yes I read that you used DoT as a workaround, but my question still stands. Did/do you have a problem with the router not allowing you to change the WAN DNS settings?
If I change the DNS settings in WAN DNS to Google or something with DNS over TLS disabled, the selection seems active and OK in the GUI, but DNS leak tests etc. show that I am under my ISP's DNS instead. So it's not a matter of the router not allowing me to do so, it just has no effect.
 
If I change the DNS settings in WAN DNS to Google or something with DNS over TLS disabled, the selection seems active and OK in the GUI, but DNS leak tests etc. show that I am under my ISP's DNS instead. So it's not a matter of the router not allowing me to do so, it just has no effect.
Thanks for the clarification. Very strange. Sounds like a bug in the firmware to me. I've never seen any other Asus router behave like this.
 
Thanks for the clarification. Very strange. Sounds like a bug in the firmware to me. I've never seen any other Asus router behave like this.
Just tried it again. Picked Quad9 in WAN DNS Setting/DNS Server and disabled DoT but I got my ISP's DNS. I need the DoT option on for it to work. I haven't tried with the other settings like DoH.
 
Just tried it again. Picked Quad9 in WAN DNS Setting/DNS Server and disabled DoT but I got my ISP's DNS. I need the DoT option on for it to work.

Is this your ISP redirecting your Quad9 DNS query to its own DNS unless you hide it with DoT?

OE
 
Just tried it again. Picked Quad9 in WAN DNS Setting/DNS Server and disabled DoT but I got my ISP's DNS. I need the DoT option on for it to work. I haven't tried with the other settings like DoH.
The "tell" is that whenever the router is not using DoT your PC cannot resolve local host names (like asusrouter.com or its own name) even though the PC is using the router as its DNS server. That suggests that something on the router is bypassing the local resolver and forwarding DNS requests directly to the resolver on your ISP router (192.168.2.1).
 
Is this your ISP redirecting your Quad9 DNS query to its own DNS unless you hide it with DoT?

OE
That's what users above have suggested. No clue, and I don't expect the Vodafone guys on the phone to know the answer. I have the same setup (Asus XT8 behind ISP router) at my summer house with a different provider, generally a bit more high-tech (Cosmote). I'll perform the exact same steps and see how it behaves there.

To be frank, I could always change the DNS entries in my ISP router, it's allowed :P
 
The "tell" is that whenever the router is not using DoT your PC cannot resolve local host names (like asusrouter.com or its own name) even though the PC is using the router as its DNS server. That suggests that something on the router is bypassing the local resolver and forwarding DNS requests directly to the resolver on your ISP router (192.168.2.1).
No, asusrouter.com is resolving after the hard reset regardless of the DNS settings we are discussing.
 
No, asusrouter.com is resolving after the hard reset regardless of the DNS settings we are discussing.
Ah, OK. That's different than before then.

Then it's possible that your ISP (or ISP router) is hijacking plain DNS requests and redirecting to their own servers.
 
To be frank, I could always change the DNS entries in my ISP router, it's allowed :P

To be clear, I'm suggesting the ISP might be redirecting your unsecured DNS query after it leaves your location... beyond their router.

OE
 
Surprisingly, it works fine when changing the DNS entries of the provider's router. Just tried Cloudflare.

Maybe the ISP router default is to redirect until told not to(?) I'm just guessing! :)

OE
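
Added example, not part of any post in this thread: a way to check from a LAN client whether plain DNS sent to a chosen public resolver is really answered by it, which is the redirection suspected above. It assumes the TXT record for o-o.myaddr.l.google.com reports the address of the resolver that contacted Google's authoritative servers; the function names are made up for this example.

```python
import secrets, socket, struct

def build_query(name, qtype=16, txid=None):
    """Wire-format DNS query (RFC 1035): qtype 16 = TXT, class IN, RD flag set."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def parse_txt(msg, txid):
    """Return the TXT strings in the answer section; reject mismatched IDs."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # name + qtype + qclass
    out = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16:
            end, p = off + rdlen, off
            while p < end:                      # TXT rdata: length-prefixed strings
                out.append(msg[p + 1:p + 1 + msg[p]].decode("ascii", "replace"))
                p += 1 + msg[p]
        off += rdlen
    return out

def egress_seen_via(resolver_ip, timeout=3.0):
    """Plain UDP/53 query to resolver_ip; returns the resolver address Google saw (assumed record behaviour)."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query("o-o.myaddr.l.google.com", txid=txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt(data, txid)
```

With DoT off, call egress_seen_via("9.9.9.9") from a PC behind the XT8: if the address returned sits in the ISP's ranges rather than the public resolver's, something on the path is answering port 53 traffic in place of the server that was addressed.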
 