ControlD with Merlin

tnpapa

Regular Contributor
I have been testing ControlD DNS with encryption. I have been entering the server settings directly into the Merlin interface for DOT. Results have been unstable. One of the developers at ControlD says I should use DOH by installing their daemon onto the router. Their reasoning for wanting me to use DOH is, and I quote:

"DOH is prone to fewer issues than DOT, and native DOT performance on Asus is pretty wonky to begin with"

Seems like a pretty bold and unqualified statement. I prefer DOT because I can see its presence and activity on my network.

So any validity to their statement?
 
Not to me. What are they smoking?
 
DoT is easy to identify and block by network operators due to its unique port 853/tcp. DoH blends in with other HTTPS traffic. However, I would not race to install a bloated app written in Go on an embedded device (e.g. NextDNS, AGH, ControlD).
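The visibility difference described in this reply is easy to see from the defender's side of the wire. The following is an added example, not code from any poster or from ControlD: it classifies a few constructed flow records (made up here, not taken from the thread) by destination port, tagging 853/tcp as DoT and treating 443/tcp as DoH only when the destination is one of the public resolver addresses named in the thread (1.1.1.1, 8.8.8.8) plus Quad9's well-known 9.9.9.9. The log line format and the resolver list are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample flow records (not from the thread): timestamp, src, dst, proto
SAMPLE_FLOWS = """\
2024-04-10T17:45:28 192.168.1.20:51234 -> 1.1.1.1:853 tcp
2024-04-10T17:45:29 192.168.1.20:51235 -> 1.1.1.1:443 tcp
2024-04-10T17:45:30 192.168.1.31:40112 -> 8.8.8.8:443 tcp
2024-04-10T17:45:31 192.168.1.31:40113 -> 203.0.113.10:443 tcp
2024-04-10T17:45:32 192.168.1.42:53022 -> 192.168.1.1:53 udp
2024-04-10T17:45:33 192.168.1.42:53023 -> 9.9.9.9:853 tcp
"""

# Assumed record layout: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (tcp|udp)$")

# Public resolver addresses: 1.1.1.1 and 8.8.8.8 are named in the thread,
# 9.9.9.9 is Quad9's well-known address. Anything else on 443 is just HTTPS.
KNOWN_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}


def classify_flow(line):
    """Return a dict describing one flow record, or None if the line does not parse."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    ts, src, _sport, dst, dport, proto = m.groups()
    dport = int(dport)
    if dport == 853 and proto == "tcp":
        label = "dot"          # dedicated port: visible to anyone watching the wire
    elif dport == 53:
        label = "plain-dns"    # classic unencrypted DNS
    elif dport == 443 and proto == "tcp" and dst in KNOWN_RESOLVERS:
        label = "doh-likely"   # only the destination address gives it away
    elif dport == 443 and proto == "tcp":
        label = "https"        # DoH to an unlisted resolver looks exactly like this
    else:
        label = "other"
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "label": label}


def summarize(log_text):
    """Count flows per label; the 'https' bucket may hide DoH we cannot tell apart."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = classify_flow(line)
        if rec:
            counts[rec["label"]] += 1
    return dict(counts)


def hosts_using_encrypted_dns(log_text):
    """Sorted list of internal hosts seen doing DoT or probable DoH."""
    hosts = set()
    for line in log_text.splitlines():
        rec = classify_flow(line)
        if rec and rec["label"] in ("dot", "doh-likely"):
            hosts.add(rec["src"])
    return sorted(hosts)


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print(hosts_using_encrypted_dns(SAMPLE_FLOWS))
```

The point the classifier makes is the one in the reply: DoT stands out by port alone, while DoH only becomes identifiable when the resolver's address is already known; the flow to 203.0.113.10:443 could be a web page or a DoH resolver and the log cannot say which.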
 
FWIW, both Controld & Quad9 are 1600+ km from me.

I’ve used Controld in both DoH + DoT modes, no difference here in apparent speed/stability. Quad9 ‘feels’ much quicker/snappier to me, works well.

I think your issue might be Controld, rather than the encryption used?
 
Same thing I noticed. Even though ControlD is only 25ms ping away, page loads seem slow and do stall sometimes. Cloudflare and OpenDNS are much much faster but they don't support ECS and my streaming apps and my Channels DVR system really work much better when routed to the proper CDN.
 
I have one AIO router in use and it's set to local ISP DNS. It's not only fast in latency, but also sends to the right places. Google and OpenDNS show the same latency, but page loading is noticeably slower. Exactly the same experience as @tnpapa above. If you trust your ISP - better use their DNS for best Internet experience.
 
ISP has two DNS servers, one is flaking out and only responds to about 30% of the pings sent to it. Neither supports ECS. Google DNS does support ECS and page loads are very fast. Only problem is, well it's Google. To some ECS might not matter, but I get most of my TV channels as TVE feeds on Channels DVR servers, and without ECS it takes forever for the various TVE feeds to authorize.
 
Try Cloudflare - they're pretty good... and they're not google...

They do both DoT and DoH, and support DNSSEC
 
nope not concerned. When security is needed I have a VPN.
 
I have one AIO router in use and it's set to local ISP DNS. It's not only fast in latency, but also sends to the right places. Google and OpenDNS show the same latency, but page loading is noticeably slower. Exactly the same experience as @tnpapa above. If you trust your ISP - better use their DNS for best Internet experience.

My ISP does not run their own DNS resolvers or email servers for that matter. The resolvers they assign are three times farther away than Cloudflare or Quad9 and have lousy latency. My neighbors with the same FIOS service plan complain about slow page loading. Could be their ISP provided router as well as the DHCP assigned DNS.
 
ECS can be problematic if one is concerned about privacy...
But lack of ECS can also be problematic to performance as you will end up using the wrong CDN POPs.

Typical ECS will be a /24, which will only point at the ISP, not at the end user.

Personally I prefer to have working ECS.
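The "/24 only points at the ISP" claim above is a property of how the EDNS Client Subnet option is encoded (RFC 7871): the resolver sends only as many address bytes as the source prefix length needs, with any bits past the prefix zeroed. The following is an added example, not code from any poster; it builds and parses the option's wire format for IPv4 and IPv6 with Python's standard library, and the client addresses used are constructed documentation values.

```python
import ipaddress
import struct

OPTION_CODE_ECS = 8   # EDNS0 option code for Client Subnet (RFC 7871)
FAMILY_IPV4 = 1       # address family values from the IANA registry
FAMILY_IPV6 = 2


def build_ecs_option(client_ip, source_prefix_len):
    """Encode an ECS option the way a resolver puts it in a query.

    Only ceil(prefix/8) address bytes are sent and bits past the prefix are
    zeroed, so a /24 carries the network the client sits in, not the host.
    """
    addr = ipaddress.ip_address(client_ip)
    family, max_bits = (FAMILY_IPV4, 32) if addr.version == 4 else (FAMILY_IPV6, 128)
    if not 0 <= source_prefix_len <= max_bits:
        raise ValueError("prefix length out of range for address family")
    # strict=False masks the host bits off for us
    network = ipaddress.ip_network(f"{addr}/{source_prefix_len}", strict=False)
    addr_bytes = network.network_address.packed[: (source_prefix_len + 7) // 8]
    scope_prefix_len = 0  # always 0 in a query; the authoritative fills it in replies
    body = struct.pack("!HBB", family, source_prefix_len, scope_prefix_len) + addr_bytes
    return struct.pack("!HH", OPTION_CODE_ECS, len(body)) + body


def parse_ecs_option(data):
    """Decode an ECS option and report the network it reveals."""
    code, length = struct.unpack("!HH", data[:4])
    if code != OPTION_CODE_ECS:
        raise ValueError("not an ECS option")
    body = data[4:4 + length]
    family, src_len, scope_len = struct.unpack("!HBB", body[:4])
    addr_bytes = body[4:]
    if len(addr_bytes) != (src_len + 7) // 8:
        raise ValueError("address length does not match prefix length")
    full_len = 4 if family == FAMILY_IPV4 else 16
    addr = ipaddress.ip_address(addr_bytes + b"\x00" * (full_len - len(addr_bytes)))
    return {
        "family": family,
        "source_prefix_len": src_len,
        "scope_prefix_len": scope_len,
        "network": str(ipaddress.ip_network(f"{addr}/{src_len}")),
    }


if __name__ == "__main__":
    # constructed client addresses from documentation ranges
    opt = build_ecs_option("203.0.113.77", 24)
    print(opt.hex(), parse_ecs_option(opt))
    opt6 = build_ecs_option("2001:db8::1", 56)
    print(opt6.hex(), parse_ecs_option(opt6))
```

Running it shows the option for 203.0.113.77 with a /24 source prefix contains the bytes `cb 00 71` and nothing for the last octet, so the authoritative server learns 203.0.113.0/24 and not which host asked; a resolver that sent a /32 would leak the full address, which is the privacy concern raised elsewhere in the thread.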
 
But lack of ECS can also be problematic to performance as you will end up using the wrong CDN POPs.

I agree that this could be a contentious topic - that being said, the major CDNs (Google, Amazon, Akamai, Cloudflare) typically have POPs inside the carrier network, so ECS and CDN POP selection may not be an issue.

A couple of the concerns raised about ECS, and Cloudflare's CEO specifically stated this, is that ECS can expose network topology that is behind the IPv4 NAT, and the risk of DNS cache poisoning by bad actors - that alone was enough to keep Cloudflare from implementing ECS on their platform.

Google, while supporting ECS, is pretty clear on the risks of a misconfigured resolver upstream that can cause issues...

ECS can be a boon for some - and a bane for others - one of the risks is potential VPN leakage for those that want privacy (either as a want or a need)...

pfSense handles this well, as they have a number of options within both DNSMASQ and unbound configurations that can enable/disable based on the admin's decision.

I'm with you - if ECS is desired and implemented correctly, it can help...
 
I do see an immediate performance improvement with streaming services (Netflix etc.) when ECS is on and using DNS servers not provided by my ISP. My ISP (ATT Fiber) has the fastest DNS servers (expected) but they are not the most stable. I am sure that ATT has many CDN providers' servers inside their network. So the quandary of sharing all my DNS records with ATT, or using encrypted DNS with ECS to off network servers.
 
So the quandary of sharing all my DNS records with ATT, or using encrypted DNS with ECS to off network servers.

ECS and EDNS have nothing to do with encryption...

Let's not go down the rat-hole of DNSCrypt, that discussion won't end well...
 
ECS and EDNS have nothing to do with encryption...

Let's not go down the rat-hole of DNSCrypt, that discussion won't end well...

I know but the only way I will connect to off network DNS servers is using DOT or DOH.
 
I know but the only way I will connect to off network DNS servers is using DOT or DOH.

DoT or DoH is fine - I know some have concerns with DoH due to malware concerns, but there's little one can do except whitelist known/good servers there.

Something to note - just because one sets the DNS to 8.8.8.8 (google) or 1.1.1.1 (cloudflare) - the DNS server that provides the response likely won't come from that server...

Fun/Informative Link...
 
I know but the only way I will connect to off network DNS servers is using DOT or DOH.

AT&T is redirecting port 53 to its own servers?
 