Menu
What's new
By:
Filters Better Search

Solved DNS-over-TLS and chroot (NextDNS DOT issue)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

P

papypaprika

Occasional Visitor
Hi Merlin community,

I'm a longtime user of Merlin, initially on RT-AC66u, and now RT-AX86u running Merlin 386.3_2.

I'm trying to improve security of my setup and I'm since recently using DNS over TLS. I've opted for NextDNS, though I'm not using their cli client, I prefer to use manually their DNS addresses tied to my fixed IP address.

I have been using a chrooted debian on my router (based on instruction from hqt.ro) without any issue in the past (before using DoT).

I have now an issue getting my chrooted debian accessing internet when using DNS over TLS. A simple apt update says:
Code: 
 "Err:1 http://deb.debian.org/debian stable InRelease. Temporary failure resolving 'deb.debian.org'"

I attach a screenshot of my Wan page setup, in case you see anything suspicious.

When not using DNS over TLS, I have no issue having my chrooted debian accessing internet.

Any ideas what could be the issue?

Note that:
LAN -> DNS servers are empty.
"Wan: Use local caching DNS server as system resolver (default: No)" on Tools -> Other settings is set to No.

Thank you for your help !!
 

Attachments

  • Screen Shot 2021-08-28 at 14.46.55.png
    Screen Shot 2021-08-28 at 14.46.55.png
    496.6 KB · Views: 296
Last edited:
Plenty of reading out on the web about issues with NextDNS and DoT. Especially if you do not do things their way and use their clients. You may do just as well using NextDNS with DNSSEC enabled. Or dumping NextDNS for Quad9 or Cloudflare Secure. I am currently running Quad9 with DNSSEC on my router and a Pi-Hole (running just malware blocking lists). I am getting a bit better performance this way resolving hosts than running DoT on the router.
If you are interested you can run DoT (Stubby) as a front end to Pi-Hole. You can also enable Stubby to do DNSSEC on the Pi or Merlin.
As a final shot - DNS filtering is not what it is cracked up to be and can never be as secure as other means. IP based filtering is much better but almost impossible to implement on consumer grade routers.
 
Thank you @bbunge.

Will try another DoT provider.

As a temporary solution for those interested, a not so elegant solution is to copy /etc/resolv.conf to /opt/debian/etc/resolv.conf
 
I can confirm that changing the DoT DNS provider (to Quad9 here rather than NextDNS) solves my connectivity issue.

I renamed the title of the post in case the NextDNS team keeps an eye on this forum.

Thank you very much @bbunge for taking the time to answer and propose a solution.
 
You must log in or register to reply here.

Similar threads

L
Suggestion: DNS Director, add optional compatibility with DOT
Replies
2
Views
327
Linuxer
L
Preskitt.man
DNS Issue?? AX5800 Pro Issue??
Replies
2
Views
276
bbunge
bbunge
B
IPv6 and NextDNS Configuration Assistance Request
Replies
19
Views
966
easyriider
easyriider
D
WAN DNS Setting: Using different DoT servers
Replies
19
Views
2K
drinkingbird
drinkingbird
B
Configure Adguard TLS DNS with Asuswrt-Merlin
Replies
17
Views
8K
Ellenswamy
E
Similar threads
Thread starter Title Forum Replies Date
C isp block dns over tls and poison any unencrypted dns resolution Asuswrt-Merlin 14
V Opera DNS-over tls Asuswrt-Merlin 0
V DNS server vs DNS-over TLS server list Asuswrt-Merlin 3
A DNS/TLS IPv6. Asuswrt-Merlin 18
D Openvpn client dns Asuswrt-Merlin 2
S Solved New ISP - WAN Setup - Will not work with custom WAN DNS - dnsmasq.conf Asuswrt-Merlin 1
T Wireguard Client VPN not using DNS Asuswrt-Merlin 14
Preskitt.man DNS Issue?? AX5800 Pro Issue?? Asuswrt-Merlin 2
H DNS-rebind attack detected: farm.plista.com. etc...?? Asuswrt-Merlin 3
plapic DNS Director Asuswrt-Merlin 7

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 891 (members: 23, guests: 868)
Top