What's new

DNS-over-TLS (DoT) - How do I know it's working?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

rugglebear

Occasional Visitor
Hello,

I used to use Stubby which I installed via Entware, but I believe that is now depreciated.

I now utilize the setting in Merlin within WAN > Internet Connection > DNS Privacy Protocol, set to 'DNS-over-TLS' (settings attached in a screenshot).

However, when I visit https://1.1.1.1/help it does not show DNS-over-TLS as active, whereas it used to with Stubby.
I also checked this page, which shows DoT as 'false', https://tenta.com/test/

Any assistance is appreciated. Thank you!
 

Attachments

  • false.png
    false.png
    307.5 KB · Views: 2,306
  • dot.png
    dot.png
    275.2 KB · Views: 2,422
Try to disable DNSSec in gui and test again
The 1.1.1.1 test can not handle DNSSec
Some extra info: https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Privacy
Thanks, both!

If I were to disable DNSSec, would that leave me 'less secure' than having both DNSSec and DoT enabled?

I ran the test at the site listed, and got the 'thumbs up result'. Does this confirm DoT, or just DNSSec?
Additionally, when I tested sites labeled as "Sites With Bad DNSSEC Signatures", both sites failed to resolve. Is that the expected result?

Thanks again for the never-ending information.
 
Thanks, both!

If I were to disable DNSSec, would that leave me 'less secure' than having both DNSSec and DoT enabled?

I ran the test at the site listed, and got the 'thumbs up result'. Does this confirm DoT, or just DNSSec?
Additionally, when I tested sites labeled as "Sites With Bad DNSSEC Signatures", both sites failed to resolve. Is that the expected result?

Thanks again for the never-ending information.
From the wiki
NOTE: There is currently an issue with the popular DoT/DoH test site provided by Cloudflare where it will fail to use properly signed DNSSEC hostnames during the test, causing the test to fail to correctly detect that you are using DoT. This does not indicate that your setup doesn't work, and is something that will hopefully eventually be fixed by Cloudflare. You can avoid this by temporarily disabling validation of unsigned records, however it is recommended to re-enable that option afterward.
 
If you want to test it on your router you can watch what port your router connects through. A secure DoT connection should only use port 853. Type the following at your routers SSH console:
Code:
tcpdump -ni eth0 -p port 53 or port 853
 
From the wiki
Ahhh, that makes much more sense in the context of this conversation, now that I have a better understanding of the features I'm trying to test.
I had read the Wiki before, but the "temporarily disabling validation", in my mind, didn't equate to "disable DNSSec in gui", but now I understand what it's saying, thank you.

Ok, so here are my results:

DNSSec Disabled:
1.1.1.1/help says -
Connection to 1.1.1.1 - Yes
Using DNS over TLS (Dot) - Yes

DNSSec Enabled:
1.1.1.1/help says -
Connection to 1.1.1.1 - No
Using DNS over TLS (Dot) - No

So it seems like that Cloudflare site bug is the culprit.

If you want to test it on your router you can watch what port your router connects through. A secure DoT connection should only use port 853. Type the following at your routers SSH console:
Code:
tcpdump -ni eth0 -p port 53 or port 853
Thanks, I executed the command, but this is all I got back:

admin@RT-AC68U-0988:/tmp/home/root# tcpdump -ni eth0 -p port 53 or port 853
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
 
Thanks, I executed the command, but this is all I got back:

admin@RT-AC68U-0988:/tmp/home/root# tcpdump -ni eth0 -p port 53 or port 853
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
It's likely your WAN interface isn't eth0. Try using vlan2 or ppp0 instead.
 
Ahhh, that makes much more sense in the context of this conversation, now that I have a better understanding of the features I'm trying to test.
I had read the Wiki before, but the "temporarily disabling validation", in my mind, didn't equate to "disable DNSSec in gui", but now I understand what it's saying, thank you.

Ok, so here are my results:

DNSSec Disabled:
1.1.1.1/help says -
Connection to 1.1.1.1 - Yes
Using DNS over TLS (Dot) - Yes

DNSSec Enabled:
1.1.1.1/help says -
Connection to 1.1.1.1 - No
Using DNS over TLS (Dot) - No

So it seems like that Cloudflare site bug is the culprit.


Thanks, I executed the command, but this is all I got back:

admin@RT-AC68U-0988:/tmp/home/root# tcpdump -ni eth0 -p port 53 or port 853
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
You have to wait about 30sec for the output to start. It should look something like that:
Code:
Secure:
12:56:03.030994 IP 1.0.0.1.853 > Your.IP.Address.48008: Flags [.], ack 321, win 66, length 0
12:56:03.031895 IP 1.0.0.1.853 > Your.IP.Address.48008: Flags [.], seq 1:1461, ack 321, win 66, length 1460
12:56:03.031953 IP Your.IP.Address.48008 > 1.0.0.1.853: Flags [.], ack 1461, win 251, length 0
12:56:03.031971 IP 1.0.0.1.853 > IP Your.IP.Address.48008: Flags [P.], seq 1461:2725, ack 321, win 66, length 1264

Not Secure:
12:56:21.204150 Your.IP.Address.54571 > 1.1.1.1.53: 52137+ A? api.db-ip.com. (31)
12:56:21.204202 Your.IP.Address.54571 > 1.1.1.1.53: 54185+ AAAA? api.db-ip.com. (31)
12:56:21.214474 IP 1.1.1.1.53 > Your.IP.Address.54571: 52137 3/0/0 A 104.26.5.15, A 104.26.4.15, A 172.67.75.166 (92)
12:56:21.219212 IP 1.1.1.1.53 > Your.IP.Address.54571: 54185 0/1/0 (99)
 
It's likely your WAN interface isn't eth0. Try using vlan2 or ppp0 instead.
Use command ifconfig to show your WAN interface. inet addr: should show your WAN IP
 
It's likely your WAN interface isn't eth0. Try using vlan2 or ppp0 instead.
You have to wait about 30sec for the output to start. It should look something like that:
Code:
Secure:
12:56:03.030994 IP 1.0.0.1.853 > Your.IP.Address.48008: Flags [.], ack 321, win 66, length 0
12:56:03.031895 IP 1.0.0.1.853 > Your.IP.Address.48008: Flags [.], seq 1:1461, ack 321, win 66, length 1460
12:56:03.031953 IP Your.IP.Address.48008 > 1.0.0.1.853: Flags [.], ack 1461, win 251, length 0
12:56:03.031971 IP 1.0.0.1.853 > IP Your.IP.Address.48008: Flags [P.], seq 1461:2725, ack 321, win 66, length 1264

Not Secure:
12:56:21.204150 Your.IP.Address.54571 > 1.1.1.1.53: 52137+ A? api.db-ip.com. (31)
12:56:21.204202 Your.IP.Address.54571 > 1.1.1.1.53: 54185+ AAAA? api.db-ip.com. (31)
12:56:21.214474 IP 1.1.1.1.53 > Your.IP.Address.54571: 52137 3/0/0 A 104.26.5.15, A 104.26.4.15, A 172.67.75.166 (92)
12:56:21.219212 IP 1.1.1.1.53 > Your.IP.Address.54571: 54185 0/1/0 (99)

Thanks, looks like it was vlan2 for me.

So, the vast majority of the output is like .853

However, there are a few outliers, below.
Is this typical, or could there be a reason for it?

18.218.53: 8119+ [1au] A? dealer.spotify.com. (47)
18.218.53: 35017+ [1au] A? datarouter.ol.epicgames.com. (56)
18.218.53: 22695+ [1au] A? audio-fa.scdn.co. (45)
18.218.53: 63361+ [1au] A? www.amazon.com. (43)

Then others that go to livetile.microsoft, and other Microsoft ones.
 
Last edited:
Thanks, looks like it was vlan2 for me.

So, the vast majority of the output is like .853

However, there are a few outliers, below.
Is this typical, or could there be a reason for it?

18.218.53: 8119+ [1au] A? dealer.spotify.com. (47)
18.218.53: 35017+ [1au] A? datarouter.ol.epicgames.com. (56)
18.218.53: 22695+ [1au] A? audio-fa.scdn.co. (45)
18.218.53: 63361+ [1au] A? www.amazon.com. (43)

Then others that go to livetile.microsoft, and other Microsoft ones.
Do you still have the router configured to handle all DNS requests?
 
I believe so, I have DNS Filter 'ON' with Global Filter Mode = 'Router'

And I have my VPN Client "Accept DNS Configuration" set to 'Strict'
What is your local DNS server set to, should be No? Tools - Other Settings - Wan: Use local caching DNS server as system resolver (default: No) x No
 
clear the DNS Server1 and DNS Server2 fields, leave them blank
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top