Menu
What's new
By:
Filters Better Search

DNS-over-TLS causes 'Disconnected' on reboot

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

blitzkrieg

blitzkrieg

Occasional Visitor
Hi all.
As per title, i'm on AC86U and 384.11_2.
Internet is somehow 'Disconnected' upon reboot if DoT is applied, doesn't matter Strict or Opportunistic. If DoT is applied after reboot, DNS queries resolves normally.
Is there any 'special' settings I'm missing?:confused: DNSSEC support is disabled by the way.
 
Turn off Network Monitoring.

Sent from my SM-T380 using Tapatalk
 
bbunge said:
Turn off Network Monitoring.

Sent from my SM-T380 using Tapatalk
Click to expand...
Oh, it wasn't even checked to begin with. Or is there 'another' Net mon?
netmon.PNG
 
Anything change if on the WAN page you set to No, tge setting Connect to DNS Server automatically, and insert the same 2 DoT DNS server IP addresses into DNS Server 1 and Server 2?
 
Hi, this could be another instance of the 'No WAN' connected up on reboot that was caused by starting of services too early and before ntp synchronyzation. I say so because one of the possible reported bypasses was to make sure a 'fast enough' dns to be configured (probably related to faster achieved ntpd synchronization at boot), and I assume that using DoT somehow makes name resolution a bit more slow at boot. You can also check if openvpn is configured and try to reboot without it started. (may also fix the problem)... Optionally and to verify this is the problem you can wait around 20 minutes to see if WAN connection suddently gets established after boot.

If this is the case then know that MERLIN has coded a 'fix' (i.e delay at boot to let time for this synchronization) that I think is already implemented in 384.12 alpha 2, or if you do not want to run alpha code, then just apply some delay into the post_mount script before starting openvpn service.
 
blitzkrieg said:
Hi all.
As per title, i'm on AC86U and 384.11_2.
Internet is somehow 'Disconnected' upon reboot if DoT is applied, doesn't matter Strict or Opportunistic. If DoT is applied after reboot, DNS queries resolves normally.
Is there any 'special' settings I'm missing?:confused: DNSSEC support is disabled by the way.
Click to expand...
It may be that u have the WAN: Use local caching DNS server as system resolver default to 'No' option in Other Settings set to 'Yes'? Change it No and monitor.
 
martinr said:
Anything change if on the WAN page you set to No, tge setting Connect to DNS Server automatically, and insert the same 2 DoT DNS server IP addresses into DNS Server 1 and Server 2?
Click to expand...
umm, it works for non-port443 DNS addresses, but for port 443 DNS' it'll spit out the same 'Disconnected'.
umm Maybe port 443 DNS' at fault here?

Kingp1n said:
It may be that u have the WAN: Use local caching DNS server as system resolver default to 'No' option in Other Settings set to 'Yes'? Change it No and monitor.
Click to expand...
It was already defaulted to 'Yes'..
advTweaks.PNG


FTC said:
Hi, this could be another instance of the 'No WAN' connected up on reboot that was caused by starting of services too early and before ntp synchronyzation. I say so because one of the possible reported bypasses was to make sure a 'fast enough' dns to be configured (probably related to faster achieved ntpd synchronization at boot), and I assume that using DoT somehow makes name resolution a bit more slow at boot. You can also check if openvpn is configured and try to reboot without it started. (may also fix the problem)... Optionally and to verify this is the problem you can wait around 20 minutes to see if WAN connection suddently gets established after boot.

If this is the case then know that MERLIN has coded a 'fix' (i.e delay at boot to let time for this synchronization) that I think is already implemented in 384.12 alpha 2, or if you do not want to run alpha code, then just apply some delay into the post_mount script before starting openvpn service.
Click to expand...
Ahh ok this make sense. Guess i'll wait for the next 'fix' before enabling DoT then.
 
dave14305 said:
Change it to No. That is the new default in the next version anyway. It allows your router to boot and start services without relying on DoT.
Click to expand...
Tried, nah still 'Disconnected' after reboot. Just noticed this only happens for port 443 DNS addresses.. doesn't matter Yes or No for 'WAN: Use local caching'
 
blitzkrieg said:
Tried, nah still 'Disconnected' after reboot. Just noticed this only happens for port 443 DNS addresses.. doesn't matter Yes or No for 'WAN: Use local caching'
Click to expand...
Do you mean DNS lookups for HTTPS domains?
 
Last edited:
blitzkrieg said:
Tried, nah still 'Disconnected' after reboot. Just noticed this only happens for port 443 DNS addresses.. doesn't matter Yes or No for 'WAN: Use local caching'
Click to expand...
If you mean one of the few DoT resolvers using port 443, it shouldn't come into play if you've really set the "Wan: Use local caching" to No. Please post the content of your /etc/resolv.conf file from the router.
 
Maybe a fallback resolver could solve this problem? A resolver used only during the boot phase until the router manage to reach an NTP-server. Since cryptography (DoT) is dependent on accurate time and accurate time require a resolver. It sounds like a Catch 22.
 
martinr said:
Do you mean DNS lookups for HTTPS domains?
Click to expand...
I meant port 443 DNS addresses:
443DNS.PNG


dave14305 said:
If you mean one of the few DoT resolvers using port 443, it shouldn't come into play if you've really set the "Wan: Use local caching" to No. Please post the content of your /etc/resolv.conf file from the router.
Click to expand...
and yep double checked it to No:
wanlocalcache.PNG

Code: 
cat /etc/resolv.conf
nameserver 127.0.1.1
 
blitzkrieg said:
ahh. Now DoT works after reboot. So we do have to specify a 'regular' DNS under Wan DNS Settings.
Click to expand...
I expect in your case if you had no WAN DNS servers setup, DoT/Stubby could not resolve the tls names associated with your chosen DoT servers because it points to WAN DNS (/tmp/resolv.conf) at that point since DoT is still initializing.

The router still needs old DNS during boot, so it has to point somewhere, even the ISP DNS via DHCP.
 
You must log in or register to reply here.

Similar threads

R
Would any of this make my browsing more secure? (WAN DNS settings)
2
Replies
20
Views
3K
aru
aru
P
Solved Router DHCP and DNS not responding to changes
2
Replies
35
Views
3K
PTS
P
iJorgen
Anyone using DOH3 or DOQ for DNS-queries on ASUS Merlin?
Replies
19
Views
5K
iJorgen
iJorgen
iJorgen
Is there a way to set DNS-server priority in Dnsmasq when using DoT?!
Replies
16
Views
3K
iJorgen
iJorgen
wordlesswind
DNS over TLS & EDNS Client Subnet
Replies
6
Views
2K
wordlesswind
wordlesswind
Similar threads
Thread starter Title Forum Replies Date
C isp block dns over tls and poison any unencrypted dns resolution Asuswrt-Merlin 14
V Opera DNS-over tls Asuswrt-Merlin 0
V DNS server vs DNS-over TLS server list Asuswrt-Merlin 3
A DNS/TLS IPv6. Asuswrt-Merlin 18
W Solved [Disregard] DNS Director stopped working on 3004.388.8_4? Asuswrt-Merlin 2
D Solved Openvpn client dns Asuswrt-Merlin 2
S Solved New ISP - WAN Setup - Will not work with custom WAN DNS - dnsmasq.conf Asuswrt-Merlin 1
T Wireguard Client VPN not using DNS Asuswrt-Merlin 14
Preskitt.man DNS Issue?? AX5800 Pro Issue?? Asuswrt-Merlin 2
H DNS-rebind attack detected: farm.plista.com. etc...?? Asuswrt-Merlin 3

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 606 (members: 28, guests: 578)
Top