Dnsleaktest puzzle

dave14305 · Feb 12, 2025

Zarrow said:
How's that looking?

The 3 MAINFH and MAINBH entries explain the 3 RETURN rules from the iptables command. @RMerlin made a fix last year to address the issue with the first DEFAULT entry in the list:

rc: skip default SDN when configuring dns_filter rules · RMerl/asuswrt-merlin.ng@f38a9a3

Otherwise, br0 (regular LAN) clients will all be set to Unfiltered, and the global rule will never be applied.

github.com

I don’t know if these other entries are supposed to be there if you’re not using AiMesh.

SkippyP · Feb 12, 2025

Looks like there might be a problem with DNS Director in Merlin’s latest 3.0.0.4.388 firmware.

I have Cloudflare DoT configured on my router in strict mode with DNS Director enabled and Global Redirection set to “Router”. User defined fields and client list are all empty. DNS Server fields under the LAN tab are also empty. Everything works fine…all DNS leak tests show Cloudflare and Cloudflare only.

Now, if I hard code 8.8.8.8 into my laptop and run another leak test, it shows Google. Director is NOT redirecting to the router.

dave14305 · Feb 12, 2025

SkippyP said:
Now, if I hard code 8.8.8.8 into my laptop and run another leak test, it shows Google. Director is NOT redirecting to the router.

Which browser? Chrome, for example, will see you using 8.8.8.8 at the OS level and auto-upgrade to DoH to 8.8.8.8. DNS Director doesn’t block DoH (port 443).

SkippyP · Feb 12, 2025

dave14305 said:
Which browser? Chrome, for example, will see you using 8.8.8.8 at the OS level and auto-upgrade to DoH to 8.8.8.8. DNS Director doesn’t block DoH (port 443).

Ah I didn’t know that. I tested with Edge, which I’m assuming is the same as Chrome…

Which browser do you suggest is best to test with?

EDIT: I just tested on my iPhone (manually entered 8.8.8.8) and ran leak test from Safari…returned all Cloudflare

So, looks like Director is working, and Edge (like Chrome) also auto updates to DoH.

Zarrow · Feb 12, 2025

dave14305 said:
The 3 MAINFH and MAINBH entries explain the 3 RETURN rules from the iptables command. @RMerlin made a fix last year to address the issue with the first DEFAULT entry in the list:

rc: skip default SDN when configuring dns_filter rules · RMerl/asuswrt-merlin.ng@f38a9a3

Otherwise, br0 (regular LAN) clients will all be set to Unfiltered, and the global rule will never be applied.

github.com

I don’t know if these other entries are supposed to be there if you’re not using AiMesh.

AiMesh is definitely not enabled.

You concluded in post #37 that DNS Director is not working on my RT-BE86U. Has what you wrote in the quoted post changed that conclusion? Any further tests needed?

If It's truly not working, should I post something in the appropriate FW release thread?

dave14305 · Feb 12, 2025

Zarrow said:
You concluded in post #37 that DNS Director is not working on my RT-BE86U. Has what you wrote in the quoted post changed that conclusion? Any further tests needed?

No, it’s broken due to those MAINBH and MAINFH network entries from get_mtlan confusing DNS Director. My recommendation would be to factory reset once, enable DNS Director, then run the iptables and get_mtlan commands again. If it looks the same, go ahead and report it in the release thread. You can take and restore a backup to get back to the current state after this test.

dave14305 · Feb 12, 2025

Zarrow said:
Any further tests needed?

Assuming it won’t get fixed for a while, you can create a /jffs/scripts/nat-start script to remove the unwanted rules.

Code:

#!/bin/sh

iptables -t nat -D DNSFILTER -i br0 -j RETURN
iptables -t nat -D DNSFILTER -i br0 -j RETURN
iptables -t nat -D DNSFILTER -i br0 -j RETURN

Zarrow · Feb 12, 2025

dave14305 said:
No, it’s broken due to those MAINBH and MAINFH network entries from get_mtlan confusing DNS Director. My recommendation would be to factory reset once, enable DNS Director, then run the iptables and get_mtlan commands again. If it looks the same, go ahead and report it in the release thread. You can take and restore a backup to get back to the current state after this test.

dave14305 · Feb 12, 2025

Zarrow said:
DNS Director still broken?

Yes. Create the script in my previous post then restart the firewall with service restart_firewall and test again.

Zarrow · Feb 12, 2025

dave14305 said:
Yes. Create the script in my previous post then restart the firewall with service restart_firewall and test again.

Search

Search

Dnsleaktest puzzle

dave14305

Part of the Furniture

rc: skip default SDN when configuring dns_filter rules · RMerl/asuswrt-merlin.ng@f38a9a3

SkippyP

Regular Contributor

dave14305

Part of the Furniture

SkippyP

Regular Contributor

Zarrow

Occasional Visitor

rc: skip default SDN when configuring dns_filter rules · RMerl/asuswrt-merlin.ng@f38a9a3

dave14305

Part of the Furniture

dave14305

Part of the Furniture

Zarrow

Occasional Visitor

dave14305

Part of the Furniture

Zarrow

Occasional Visitor

Similar threads

Latest threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest

Members online