Configure Adguard TLS DNS with Asuswrt-Merlin

[breathless]

Sorry for the newb question... I searched first but couldn't find a definitive answer. Also tried following this guide, but can't complete it due to the following...

So I recently set up Adguard DNS, added the "plain DNS server addresses" (94.140.14.49 and 94.140.14.59) to my RT-AX88U with Merlin firmware as the DNS Server, and verified that it works by going here. "You are using your private Adguard DNS Server" is the message that page gives me. Those plain addresses are of course unencrypted however, and I noticed that there is an option for DNS over TLS under the DNS Privacy Protocol setting in the Merlin firmware.

However, in the DNS over TLS drop down, the Merlin firmware forces you to give an IP address instead of just the TLS Hostname that Adguard gives me. From what I've read elsewhere, DoT doesn't use IP's like that, it just uses hostnames.

Also, the drop downs for Adguard under "preset servers" give you non-encrypted adguard ip addresses, 94.140.14.14 and 94.140.15.15, which means that they are not encrypted TLS addresses, which to me is strange why they would choose those for a DoT option.

So.... is there a way to get Adguard TLS set up properly with the settings available without having to do more "invasive" things like installing Adguard via entware, etc? Perhaps I'll go that route at some point, but it seems a bit above my depth for the time being.

 

[bbunge]

Here are your settings:
DNS-over-TLS
Default server
AdGuard DNS will block ads and trackers.

IPv4:
94.140.14.14 dns.adguard-dns.com
94.140.15.15 dns.adguard-dns.com
IPv6:
2a10:50c0::ad1:ff dns.adguard-dns.com
2a10:50c0::ad2:ff dns.adguard-dns.com

Non-filtering server
AdGuard DNS will not block ads, trackers, or any other DNS requests.

IPv4:
94.140.14.140 unfiltered.adguard-dns.com
94.140.14.141 unfiltered.adguard-dns.com
IPv6:
2a10:50c0::1:ff unfiltered.adguard-dns.com
2a10:50c0::2:ff unfiltered.adguard-dns.com

Family protection server
AdGuard DNS will block ads, trackers, adult content, and enable Safe Search and Safe Mode, where possible.

IPv4:
94.140.14.15 family.adguard-dns.com
94.140.15.16 family.adguard-dns.com
IPv6:
2a10:50c0::bad1:ff family.adguard-dns.com
2a10:50c0::bad2:ff family.adguard-dns.com

 

[breathless]

Thank you for your reply. So I've done what you've suggested and here are the results.

Those default IP addresses (that you referenced above, and that I changed the router to reflect) do not appear to be encrypted. Clearly I have very limited networking knowledge, but when I run a trace route on either 94.140.14.14 or 94.140.15.15, neither are encrypted IP's. When I run a trace route on dns.adguard-dns.com, the result also does not appear to be encrypted. I say that for two reasons:

A) I can see the detailed ping results when running trace route. This does not occur when I trace route the specific TLS hostname that Adguard DNS gives me to put into my router via the "router setup" on their website. When I trace route that TLS hostname, I can see it running the test, but it gives no data back on the different locations it's pinging, which indicates to me that the connection is encrypted.

B) When I do the Adguard DNS test with the settings as shown in the pic above, it tells me that I'm using my "private Adguard DNS Server", but the protocol is indicating that it's using the standard unencrypted protocol.

If it were using the encrypted TLS protocol, I would see it there (I assume). I can test this by enabling the Adguard premium app on my desktop and re-running the Adguard DNS test page. The protocol changes / corresponds with what I select in the Adguard Premium app. So for instance, If I choose DNS over QUIC in the Adguard Premium App, here are the results I get:

Likewise, if I change the setting in the app to DNS over TLS, the change reflects in the DNS test:

So, does this not prove that the DNS IP's given by the TLS preset in the Merlin firmware are not TLS IP's? If not, how else can I test to ensure I'm using TLS without having to use an app? I've tried Cloudflare's browser checker tool and the results seem inconclusive. Here's what I get regardless whether I have my Adguard Premium app enabled or disabled:

Clearly it shows that I'm using TLS 1.3, but I don't know if this checker is just checking my browsers capabilities or testing whether my connection is actually encrypted. Wouldn't "Secure DNS" and "Secure SNI" show a checkmark?

Thanks

 

[Tech9]

Those default IP addresses (that you referenced above, and that I changed the router to reflect) do not appear to be encrypted.

Your router will use AdGuard DNS with DoT for all clients. Cloudflare utility works with Cloudflare servers only. You don't need IPv6 DNS servers if you don't have IPv6 enabled on the router. Don't enable IPv6 if you don't need it.

 

[Volt]

I also do not understand why most instructions that describe how to configure DoT do not mention IP addresses, but we still need to specify them on the router's WAN page.
For example, currently I have two DoT Cloudfare DNS servers specified (1.1.1.1 and 1.0.0.1), but the DNS leak test shows only one Cloudfare server, and its IP address is neither 1.1.1.1 nor 1.0.0.1. What's the point of having two DNS servers specified then? No idea, to be honest.

 

[bbunge]

I also do not understand why most instructions that describe how to configure DoT do not mention IP addresses, but we still need to specify them on the router's WAN page.
For example, currently I have two DoT Cloudfare DNS servers specified (1.1.1.1 and 1.0.0.1), but DNS leak test shows only one Cloudfare server, and it's IP address is neither 1.1.1.1 nor 1.0.0.1. What's the point of having two DNS servers specified then? No idea, to be honest.

The instructions for DoT on this forum for routers has always included the IP addresses and TLS Hostname. This is for routers! Not tablets or phones.
The results you get with a leak test are a result of the Anycast system.
If you want to see the router working the DoT, log into a SSH session and run stubby -l

 

[cptnoblivious]

Just to add to what bbunge said, to see if you're using DoT you can also just run this. Should work on more than just the router (and whether stubby is used or something else) :
netstat -an | grep 853

Sample output from my Pi running Adguard:
netstat -an | grep 853
tcp 25 0 192.168.50.129:44632 9.9.9.9:853 CLOSE_WAIT
tcp 25 0 192.168.50.129:35558 9.9.9.9:853 CLOSE_WAIT

And just to close this out, on Adguard the DoT config is in fact a single url with no IP
"tls://dns.quad9.net"

 

[bluzfanmr1]

As another addition, you can watch DoT working using tcpdump:

tcpdump -ni eth0 -p port 853

 

[bbunge]

Just to add to what bbunge said, to see if you're using DoT you can also just run this. Should work on more than just the router (and whether stubby is used or something else) :
netstat -an | grep 853

Sample output from my Pi running Adguard:
netstat -an | grep 853
tcp 25 0 192.168.50.129:44632 9.9.9.9:853 CLOSE_WAIT
tcp 25 0 192.168.50.129:35558 9.9.9.9:853 CLOSE_WAIT

And just to close this out, on Adguard the DoT config is in fact a single url with no IP
"tls://dns.quad9.net"

No, with Stubby/GetDNS you need both the IP address and TLS Hostname.

 

[breathless]

So I just went over to my Windows 11 PC (with adguard premium disabled) and ran the same tests on the Adguard DNS test, and it actually shows "DNS over TLS" as it should!

So there is something about running that test from my Mac Mini that does not translate properly. All of my original tests were run from the Mac Mini.... Either the Adguard test page is not able to properly determine its encryption status, or its just not working. But at least I know its working properly on my Windows machines.

I can't figure out how to run the other tests suggested, Stubby, TCPDump, etc.

I guess the only thing left for me to figure out is how to make Adguard DNS recognize the connection from my router so that all the stats sync properly with Adguard DNS and therefore I could do manual blocking, etc.

Right now, according to Adguard DNS I'm only using standard DNS protocols (even though I know that I'm technically using DNS over TLS) because the connection was set up via the "plain dns server addresses" initially.

There doesn't seem to be an easy way to manipulate the settings here to make Adguard DNS connect to my new TLS IP addresses, unless I'm missing something...

 

[bbunge]

So I just went over to my Windows 11 PC (with adguard premium disabled) and ran the same tests on the Adguard DNS test, and it actually shows "DNS over TLS" as it should!

View attachment 47244


So there is something about running that test from my Mac Mini that does not translate properly. All of my original tests were run from the Mac Mini.... Either the Adguard test page is not able to properly determine its encryption status, or its just not working. But at least I know its working properly on my Windows machines.

I can't figure out how to run the other tests suggested, Stubby, TCPDump, etc.

I guess the only thing left for me to figure out is how to make Adguard DNS recognize the connection from my router so that all the stats sync properly with Adguard DNS and therefore I could do manual blocking, etc.

Right now, according to Adguard DNS I'm only using standard DNS protocols (even though I know that I'm technically using DNS over TLS) because the connection was set up via the "plain dns server addresses" initially.

View attachment 47247


There doesn't seem to be an easy way to manipulate the settings here to make Adguard DNS connect to my new TLS IP addresses, unless I'm missing something...

Well, if you are using the AdGuard app on the router there are other setup consideration you need to follow. The settings I gave are for using DoT to AdGuard with just the router DoT setup.
You may be better off resetting the router to factory and starting over. If you have a paid subscription to AdGuard you can use the TLS Hostname prepended with your code for AdGuard. Much simpler that fooling with an unpredictable app....

 

[breathless]

Well, if you are using the AdGuard app on the router there are other setup consideration you need to follow. The settings I gave are for using DoT to AdGuard with just the router DoT setup.
You may be better off resetting the router to factory and starting over. If you have a paid subscription to AdGuard you can use the TLS Hostname prepended with your code for AdGuard. Much simpler that fooling with an unpredictable app....

My AdGuard app is just the regular Adguard Premium app for desktop usage (its not installed on the router). I got 10 lifetime licenses for Adguard premium for like $20 several years ago, so I installed them on all my machines.

My router configuration is very simple. I barely have changed anything over stock... just wifi security settings, port forwarding, and now the DNS stuff.

I figured it out btw... Thank you for the bit about prepending my device ID to the TLS hostname. That was the final piece of the puzzle, but I couldn't use the 94.140.14.14 or 94.140.15.15 IP's, I had to use the Adguard "plain dns server addresses" instead along with my device ID and Adguard TLS hostname, but without the tls:// in the beginning.

So, for anyone trying to do what I was trying to do with this Asus Router / Merlin firmware and get it to sync with your Adguard DNS setup on https://adguard-dns.io, here it is:

It won't link up (at least as far as I can tell) with adguard-dns.io unless you use the Plain DNS Server Addresses that it gives you, which are 94.140.14.49 and 94.140.14.59. Then you take your "device ID" and prepend that to .d.adguard-dns.com as the TLS Hostname. So the "TLS Hostname" will look like this: (your device id).d.adguard-dns.com. IT WON'T WORK if you use the suggested hostname from adguard-dns.io as they show, so you can't do: tls://(your device id).d.adguard-dns.com. You just have to drop the TLS://


I knew that this should work because when I did a hostname lookup for d.adguard-dns.com, it showed 94.140.14.49, so I knew it was getting where it needed to go. Now it properly shows "DNS over TLS"!

Thanks for your help!

 

[scottyja]

My AdGuard app is just the regular Adguard Premium app for desktop usage (its not installed on the router). I got 10 lifetime licenses for Adguard premium for like $20 several years ago, so I installed them on all my machines.

My router configuration is very simple. I barely have changed anything over stock... just wifi security settings, port forwarding, and now the DNS stuff.

I figured it out btw... Thank you for the bit about prepending my device ID to the TLS hostname. That was the final piece of the puzzle, but I couldn't use the 94.140.14.14 or 94.140.15.15 IP's, I had to use the Adguard "plain dns server addresses" instead along with my device ID and Adguard TLS hostname, but without the tls:// in the beginning.

So, for anyone trying to do what I was trying to do with this Asus Router / Merlin firmware and get it to sync with your Adguard DNS setup on https://adguard-dns.io, here it is:

View attachment 47256

View attachment 47257


It won't link up (at least as far as I can tell) with adguard-dns.io unless you use the Plain DNS Server Addresses that it gives you, which are 94.140.14.49 and 94.140.14.59. Then you take your "device ID" and prepend that to .d.adguard-dns.com as the TLS Hostname. So the "TLS Hostname" will look like this: (your device id).d.adguard-dns.com. IT WON'T WORK if you use the suggested hostname from adguard-dns.io as they show, so you can't do: tls://(your device id).d.adguard-dns.com. You just have to drop the TLS://


I knew that this should work because when I did a hostname lookup for d.adguard-dns.com, it showed 94.140.14.49, so I knew it was getting where it needed to go. Now it properly shows "DNS over TLS"!

Thanks for your help!

Just want to say thanks. I was having trouble getting this working, and dropping 'tls://' did the trick. Appreciate you following up!

 

[breathless]

Glad it helped you!

 

[PCAreAmazing88]

My AdGuard app is just the regular Adguard Premium app for desktop usage (its not installed on the router). I got 10 lifetime licenses for Adguard premium for like $20 several years ago, so I installed them on all my machines.

My router configuration is very simple. I barely have changed anything over stock... just wifi security settings, port forwarding, and now the DNS stuff.

I figured it out btw... Thank you for the bit about prepending my device ID to the TLS hostname. That was the final piece of the puzzle, but I couldn't use the 94.140.14.14 or 94.140.15.15 IP's, I had to use the Adguard "plain dns server addresses" instead along with my device ID and Adguard TLS hostname, but without the tls:// in the beginning.

So, for anyone trying to do what I was trying to do with this Asus Router / Merlin firmware and get it to sync with your Adguard DNS setup on https://adguard-dns.io, here it is:

View attachment 47256

View attachment 47257


It won't link up (at least as far as I can tell) with adguard-dns.io unless you use the Plain DNS Server Addresses that it gives you, which are 94.140.14.49 and 94.140.14.59. Then you take your "device ID" and prepend that to .d.adguard-dns.com as the TLS Hostname. So the "TLS Hostname" will look like this: (your device id).d.adguard-dns.com. IT WON'T WORK if you use the suggested hostname from adguard-dns.io as they show, so you can't do: tls://(your device id).d.adguard-dns.com. You just have to drop the TLS://


I knew that this should work because when I did a hostname lookup for d.adguard-dns.com, it showed 94.140.14.49, so I knew it was getting where it needed to go. Now it properly shows "DNS over TLS"!

Thanks for your help!

Thanks for sharing but as a novice person in this, how do I find device ID? I too want to configure my Router to use Adguards DNS over TLS so every client connected to my router is able to automatically use DNS over TLS as its been setup on Router.

 

[breathless]

Thanks for sharing but as a novice person in this, how do I find device ID? I too want to configure my Router to use Adguards DNS over TLS so every client connected to my router is able to automatically use DNS over TLS as its been setup on Router.

You'll want / need to set up DDNS first.

Then, sign up for Adguard DNS and go through the setup process. https://adguard-dns.io/en/welcome.html

After setting up, go into the settings page for your router (on Adguard.dns.io, not your local router setup page), and you'll see your device ID. I hid mine in the above images, but that's the page where you'll find yours.

 

[PCAreAmazing88]

You'll want / need to set up DDNS first.

Then, sign up for Adguard DNS and go through the setup process. https://adguard-dns.io/en/welcome.html

After setting up, go into the settings page for your router (on Adguard.dns.io, not your local router setup page), and you'll see your device ID. I hid mine in the above images, but that's the page where you'll find yours.

thanks for the quick reply. Apologies for the inconvience but how do I setup DDNS? i heard this phrase before but never learnt what it is. Also, regaridng the device ID, does that mean for all my household devices i have to get them to make a account on Adguard.dns.io?

 

[Ellenswamy]

My AdGuard app is just the regular Adguard Premium app for desktop usage (its not installed on the router). I got 10 lifetime licenses for Adguard premium for like $20 several years ago, so I installed them on all my machines.

My router configuration is very simple. I barely have changed anything over stock... just wifi security settings, port forwarding, and now the DNS stuff.

I figured it out btw... Thank you for the bit about prepending my device ID to the TLS hostname. That was the final piece of the puzzle, but I couldn't use the 94.140.14.14 or 94.140.15.15 IP's, I had to use the Adguard "plain dns server addresses" instead along with my device ID and Adguard TLS hostname, but without the tls:// in the beginning.

So, for anyone trying to do what I was trying to do with this Asus Router / Merlin firmware and get it to sync with your Adguard DNS setup on https://adguard-dns.io, here it is:

View attachment 47256

View attachment 47257


It won't link up (at least as far as I can tell) with adguard-dns.io unless you use the Plain DNS Server Addresses that it gives you, which are 94.140.14.49 and 94.140.14.59. Then you take your "device ID" and prepend that to .d.adguard-dns.com as the TLS Hostname. So the "TLS Hostname" will look like this: (your device id).d.adguard-dns.com. IT WON'T WORK if you use the suggested hostname from adguard-dns.io as they show, so you can't do: tls://(your device id).d.adguard-dns.com. You just have to drop the TLS://


I knew that this should work because when I did a hostname lookup for d.adguard-dns.com, it showed 94.140.14.49, so I knew it was getting where it needed to go. Now it properly shows "DNS over TLS"!

Thanks for your help!

thanks for this, I have unbound installed but wanted something like this setup as a backup incase unbound ever stopped. I couldn't get DOT to work and this got me going