Dnsleaktest puzzle

Zarrow

Occasional Visitor
I've been using Merlin builds for several years on my simple home network, with great satisfaction. Just got an RT-BE86U and I'm trying to stop my ISP being able to see my DNS queries. This is the first time that I've attempted to use DoH, so please bear with me if I've made some simple mistakes. Here are my WAN DNS settings (FW 3006.102.3):

DNS_settings.png


In addition, in the Privacy and Security settings of all my browsers (Chrome, Brave, Firefox) on Ubuntu 24.04.1 LTS and Android 14 I've set DoH to Quad9. When I test with https://on.quad9.net/ I get the response "Yes, you are using Quad9" in all cases. BUT when I do an extended test at dnsleaktest.com it always shows just a single server belonging to my ISP, which implies to me that my ISP can still inspect my DNS queries. (A little wrinkle is if I select Cloudflare in the DoH section of the browser settings, then the leaktest shows Cloudflare as the server.) I have a USB stick plugged into the router with Entware and Diversion plus swap file installed.

UPDATE: Previously DNS Director was off. Now I've set it to Global Redirection, Quad9, no exceptions, no user defined servers set on that page. Saved and rebooted. Flushed the Ubuntu DNS cache. Dnsleaktest still shows my ISP's server.

What am I doing wrong, or have I simply misunderstood the result of the leaktest?
 
Select strict instead of opportunistic (DNS-over-TLS Profile), and set global redirection to router instead of Quad9 (DNS Director).
I've taken those steps, but dnsleaktest still shows my ISP's server. I also set the DNS Server to "Default status : Get the DNS IP from your ISP automatically" in case that was compromising the DoH Strict setting below. And I set the DoH in the browsers to "off" so that they will use the router setting. Still getting "Yes you are using Quad9". Here are my latest settings:

DNS_settings2.png


DNS_Director.png
 
There must be no DNS defined in the DHCP Server settings. Note that in this scenario, the DNS-over-TLS addresses you have defined in the Private DNS on your Android devices will also be blocked.
 
Yes, under LAN > DHCP Server > DNS and WINS Server Setting all of the boxes are blank.
 
BUT when I do an extended test at dnsleaktest.com it always shows just a single server belonging to my ISP

Is this single server your own WAN IP? Do you have Unbound installed?

which implies to me that my ISP can still inspect my DNS queries

They can still recreate your browsing history quite accurately by IP addresses you connect to.
 
Try testing with other similar tools. https://mullvad.net/en/check https://browserleaks.com/dns

Also check your DNS queries using the method in this post. All clients on your network (except those set to use DNS-over-HTTPS) should be querying DNS against 9.9.9.9 / 149.112.112.112 (dns.quad9.net) on port 853, not port 53 (:domain).
Thanks for your patience. Mullvad shows my ISP server only. Browserleaks shows two servers, one belonging to my ISP and the other is WoodyNet, presumably Quad9.

I've never used Netstat-NAT before, but I had a go. Couldn't see any instances of :853 after browsing for a while. I set IP filter Source to this PC's local IP, Destination empty. Do I need to check any of the Options? And I assume you meant to change the DoH settings in the browser to something other than Quad9 (I chose Cloudflare)?
 
Is this single server your own WAN IP? Do you have Unbound installed?

They can still recreate your browsing history quite accurately by IP addresses you connect to.
No it's definitely a server belonging to my ISP. I won't post a screenshot because it would give away my location. I don't have Unbound installed.
 
Uh, no problem. If you want to monitor the activity of other clients connected to the same network, you don't need to define any private IP address. Other than that, you don't need to do anything else. Maybe if you check the “don't resolve names” option you will get output in a short time. If you temporarily disable the browser's secure DNS setting and run one of the tests, you will only see port 853. Or you should see the same if you run one of these two commands (nslookup snbforums.com, dig snbforums.com) via the Ubuntu terminal. This should be the case if Ubuntu does not have a DNS-over-HTTPS (maybe your ISP's DoH) address that you have defined through programs like dnscrypt-proxy to run system-wide. In fact, if I'm not mistaken, any DoH/DNSCrypt domain name you set on any client will need to be resolved via the Quad9 DNS-over-TLS on your router first. So in any case you should see port 853 there for a while.

To make sure that the DNS Director is doing its job, set, for example, the DNS address of Google in the Ubuntu NetworkManager GUI and repeat the domain name resolution process via the terminal. You should see the router redirecting those queries to the Quad9 DoT you defined in the WAN/DNS Privacy Protocol setting. If you set another DoT address in systemd-resolved, you will see that you cannot query any domain name because the DNS Director blocks different DoT addresses. Or, even easier, you can set a different private DNS address on your Android phone.
 
have a USB stick plugged into the router with Entware and Diversion plus swap file installed.
Install tcpdump from Entware and watch the DNS traffic on the WAN interface. Look for any plain port 53 DNS and then DoT over port 853 during your leak tests.
Code:
opkg update
opkg install tcpdump
# plaintext DNS leaving the WAN; should stay empty once DoT is working
tcpdump -i $(nvram get wan0_ifname) -pnv dst port 53
# DoT sessions to the upstream configured under DNS Privacy Protocol
tcpdump -i $(nvram get wan0_ifname) -pnv tcp and dst port 853
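Added example to go with the port-853 check, the DNS Director test and the tcpdump commands above; it is not code from the thread or from the firmware. It reads `tcpdump -n` output captured on the router's WAN interface (the commands posted above, with or without `-v`; IPv4 only) and sorts each flow into plaintext DNS on port 53 (what dnsleaktest would report as the ISP's server), DoT on 853 to the configured Quad9 upstreams, DoT to some other server, or tcp/443 to a well-known public resolver, which on the WAN side usually means a LAN client doing its own DoH around the router. The upstream list, the public-resolver list, the sample capture lines and the script name `dns_audit.py` are assumptions.

```python
"""Audit tcpdump text output from the router's WAN interface for DNS leaks.

Added example (not from the thread). Assumed, as in the thread: the router's
DoT upstream is Quad9, and tcpdump ran with -n on the WAN interface, so every
flow seen here is leaving the router towards the ISP. IPv4 only.
"""
import json
import re
import sys
from collections import Counter, defaultdict

# Assumed: the DoT servers configured under WAN > DNS Privacy Protocol (Quad9).
DOT_UPSTREAMS = {"9.9.9.9", "149.112.112.112"}

# Public resolvers that also serve DoH on tcp/443. A WAN flow to one of these on
# 443 is most likely a LAN client doing its own DoH and bypassing the router's DoT.
# Ordinary HTTPS to any other host on 443 is not DNS and is ignored.
PUBLIC_DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}

# "src.sport > dst.dport:" as printed by tcpdump -n for IPv4. With -v the flow
# sits on the indented second line of each packet; search() finds it either way.
FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)
# Query name in a decoded plaintext DNS line, e.g. "12345+ A? snbforums.com. (31)".
QNAME_RE = re.compile(r"\b(?:A|AAAA|HTTPS|PTR|TXT|MX|SRV)\? (?P<name>\S+)")


def classify_line(line):
    """Return (category, dst_ip, qname) for one tcpdump line, or None if it is not DNS-related."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    dst, dport = m.group("dst"), int(m.group("dport"))
    q = QNAME_RE.search(line)
    qname = q.group("name").rstrip(".") if q else None
    if dport == 53:
        # Plaintext DNS on the WAN: readable (and answerable) by the ISP.
        return ("plaintext_dns", dst, qname)
    if dport == 853:
        return ("dot_ok" if dst in DOT_UPSTREAMS else "dot_unexpected", dst, qname)
    if dport == 443 and dst in PUBLIC_DOH_IPS:
        return ("probable_client_doh", dst, qname)
    return None


def audit(text):
    """Summarise a capture: counts per category and the names that went out in plaintext."""
    counts = Counter()
    leaked = defaultdict(set)
    for line in text.splitlines():
        result = classify_line(line)
        if result is None:
            continue
        category, dst, qname = result
        counts[category] += 1
        if category == "plaintext_dns" and qname:
            leaked[dst].add(qname)
    return {
        "counts": dict(counts),
        "leaked_names": {dst: sorted(names) for dst, names in leaked.items()},
        # The thread's goal: nothing leaves the WAN on port 53.
        "isp_can_read_queries": counts["plaintext_dns"] > 0,
    }


# Constructed sample in tcpdump -n format (RFC 5737 addresses; 203.0.113.5 stands
# in for the router's WAN IP, 198.51.100.53 for the ISP's resolver).
SAMPLE = """\
12:00:00.000001 IP 203.0.113.5.40001 > 9.9.9.9.853: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 203.0.113.5.40002 > 198.51.100.53.53: 12345+ A? snbforums.com. (31)
12:00:00.000003 IP 203.0.113.5.40003 > 1.1.1.1.443: Flags [S], seq 2, win 64240, length 0
12:00:00.000004 IP 203.0.113.5.40004 > 198.51.100.80.443: Flags [S], seq 3, win 64240, length 0
12:00:00.000005 IP 203.0.113.5.40005 > 8.8.8.8.853: Flags [S], seq 4, win 64240, length 0
"""

if __name__ == "__main__":
    # Pipe live output in, e.g. on the router with Entware's python3:
    #   tcpdump -i $(nvram get wan0_ifname) -pnl 'port 53 or port 853 or port 443' | python3 dns_audit.py
    # With nothing on stdin the constructed sample is analysed instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(json.dumps(audit(data), indent=2))
```

Keep all three ports in the capture filter: a capture of port 53 alone cannot tell you whether DoT is actually being used, and the 443 bucket is only a hint, since the script cannot see inside TLS and only flags destinations that are known public resolvers.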
 
First, disable DoH on your clients' browsers and systems and make sure the clients' DNS only points to the router IP address (192.168.50.1 is the default). Some IoT clients may have hard-coded DNS servers, but the router's DNS Director should catch them.
I would suspect the DNS leak tests. I ran the Browserleaks.com DNS leak test and it correctly reported Cloudflare IPv4 DNS resolvers, but it also gave me IPv6 Cloudflare resolvers and I do not have IPv6 enabled.
Make sure the WAN DNS Setting/DNS Server are set to the same as your DoT servers. I use Cloudflare Security (1.1.1.2 and 1.0.0.2 security.cloudflare-dns.com).
Try https://dnsleaktest.com/ and see what that gives you.
 

When I run dnsleaktest in a browser with DoH off I get no 853's at all, but masses of 443's in Netstat. Same if I run nslookup or dig snbforums.com in Ubuntu terminal.

I ran dnsleaktest on my Android phone with dns.google as the private DNS and again, loads of 443's, no 853's at all. The leaktest result showed Google's DNS servers in that case.

From this I deduce that the problem lies in the router, not the clients. I think the best course of action is to do a full reset of the router and reconfigure everything from scratch, when I have time (after the weekend).

Thanks to all for your inputs.
 
I think a factory reset and reconfigure is the way to go. Here is my config with Cloudflare that works. I don't have DNS configured anywhere else currently.

I think something to try is to set Quad9 as both DNS Server and DoT. Then check the Log - Routing table to see if your ISP DNS is showing there.

Also, if you were meaning to use the ECS version of Quad9 like one of your pictures showed, you have to modify Stubby, as by default it has ECS disabled for DoT. There is a script here that you can search for. That's actually why I'm using Cloudflare, since it's local, because currently I'm on stock and can't use ECS with Quad9.
 

Attachment: Screenshot_20250208-200849.png
Thank you, I'll try that. However in your last paragraph, I don't see any toggle for ECS in the router GUI screenshots I posted and I don't remember (nor have any intention of) enabling it?
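Added example for the Stubby/ECS point raised above; it is not the firmware's generated file or the script the poster refers to. It shows the two getdns/stubby keys that matter here: `tls_authentication` (GETDNS_AUTHENTICATION_REQUIRED is what the GUI calls Strict, GETDNS_AUTHENTICATION_NONE is Opportunistic) and `edns_client_subnet_private`, which Stubby defaults to 1, meaning it sends an empty ECS option so the upstream does not apply ECS. Enabling ECS only makes sense against Quad9's ECS-enabled service, dns11.quad9.net (9.9.9.11 / 149.112.112.11); the plain 9.9.9.9 service ignores it. The two fragments are alternatives (pick one), and on Merlin the generated /etc/stubby/stubby.yml is rewritten by the firmware, so any change of this kind has to go through a custom config or postconf mechanism rather than by editing that file; the path is an assumption.

```yaml
# Added example, not the firmware's generated file. Only the keys relevant to
# strict DoT and ECS are shown; two alternative YAML documents follow.

# --- Strict DoT to Quad9 with ECS suppressed (Stubby's default behaviour) ---
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # "Strict": upstream cert must match tls_auth_name
edns_client_subnet_private: 1                        # send an empty ECS option; upstream must not apply ECS
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"
---
# --- Strict DoT with ECS allowed, against Quad9's ECS-enabled endpoints ---
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
edns_client_subnet_private: 0                        # let the resolver use (a prefix of) your WAN address
upstream_recursive_servers:
  - address_data: 9.9.9.11
    tls_auth_name: "dns11.quad9.net"
  - address_data: 149.112.112.11
    tls_auth_name: "dns11.quad9.net"
```

ECS trades a little privacy for better CDN steering: with it enabled, authoritative servers learn a prefix of your WAN address, which is exactly what the first fragment prevents. Leaving it at 1, as the firmware does, is the conservative choice unless geolocation of CDN answers is the goal.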
 
