Quote: Your router needs to talk to an NTP server to set its clock before encryption can be used. So, no DoT without a working regular DNS to set that clock first.
Oh, good to know.
Thanks!
With the above settings you'll have devices that will ignore the router's DNS settings, but you can force them to use the router's DNS.
Use these settings:
View attachment 30808
Next set your DNSFilter in the LAN settings to router:
View attachment 30809
Now all of your traffic should go through 1.0.0.2. You can check this by tracking the outgoing traffic. Connect to the router by SSH console and enter the following command:
Code:tcpdump -ni eth0 -p port 53 or port 853
When you follow the log, you'll see the DNS requests, which should all now go through 1.0.0.2 or 1.1.1.2. You can also track the connections to see if they are secure on port 853 or insecure on port 53.
My settings are exactly like yours.
However, when I check the traffic with
Code:tcpdump -i eth0 port 53
in order to test that all the traffic would go through port 853 instead of 53, for some reason several lines, mainly like this, start appearing:
Code:09:21:51.501330 IP 12-34-56-78.bb.myinternetserviceprovider.XY.35264 > 1.1.1.2.domain: 2+ AAAA? dns.msftncsi.com. (34)
where IP 12-34-56-78 would contain the exact digits of my current IP 12.34.56.78, and .XY is my two-letter internet country code.
Is there something wrong with my setup? dns.msftncsi.com?
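An added example (mine, not from anyone in this thread) that turns the tcpdump check above into a summary: it reads tcpdump output on stdin, counts plaintext port-53 queries and replies against port-853 DoT packets, and lists every name that still went out unencrypted, which is how a stray query like the dns.msftncsi.com one stands out. It assumes Entware tcpdump on the router and the `nvram get wan0_ifname` interface lookup used later in the thread; the sample capture is constructed, with the documentation address 192.0.2.10 standing in for the public IP.

```shell
# Summarise a tcpdump capture of DNS traffic: plaintext (port 53) vs DoT (port 853).
# Handles the hostname form ("1.1.1.2.domain"), the -n form ("1.1.1.2.53") and PPPoE-prefixed lines.
dns_summary() {
    awk '
        {
            # Find the "src > dst:" pair; the prefix may be "IP" or "PPPoE [ses ...] IP".
            gt = 0
            for (i = 2; i < NF; i++) if ($i == ">") { gt = i; break }
            if (!gt) next            # banner lines such as "listening on eth0" have no ">"
            src = $(gt - 1); dst = $(gt + 1); sub(/:$/, "", dst)
            n = split(src, a, "."); sport = a[n]
            n = split(dst, a, "."); dport = a[n]
            if (dport == "domain" || dport == "53") {
                plain++
                # The queried name follows the record-type token (A?, AAAA?, ...).
                for (i = gt + 2; i < NF; i++)
                    if ($i ~ /[?]$/) { nm = $(i + 1); sub(/\.$/, "", nm); names[nm]++; break }
            } else if (sport == "domain" || sport == "53") plain_reply++
            else if (dport == "853") dot_out++
            else if (sport == "853") dot_in++
        }
        END {
            printf "plaintext_queries=%d plaintext_replies=%d dot_out=%d dot_in=%d\n", plain, plain_reply, dot_out, dot_in
            for (nm in names) printf "cleartext_name %s %d\n", nm, names[nm]
        }'
}

# Live use on the router (Entware tcpdump): summarise the next N packets seen on the WAN interface.
live_summary() {
    tcpdump -ni "$(nvram get wan0_ifname)" -l -c "${1:-200}" "port 53 or port 853" 2>/dev/null | dns_summary
}

# Constructed sample capture in the shape of the lines posted in the thread (192.0.2.10 = public IP).
sample_capture() {
    cat <<'EOF'
09:21:51.501330 IP 192.0.2.10.35264 > 1.1.1.2.53: 2+ AAAA? dns.msftncsi.com. (34)
09:21:51.520113 IP 1.1.1.2.53 > 192.0.2.10.35264: 2 0/1/0 (91)
18:21:37.518927 PPPoE [ses 0x67d0] IP 192.0.2.10.54122 > 9.9.9.9.53: 10713+ [1au] A? snbforums.com. (54)
18:42:09.461916 IP 192.0.2.10.44598 > 1.1.1.1.853: Flags [.], ack 4262, win 636, length 0
18:42:09.471698 IP 9.9.9.9.853 > 192.0.2.10.40518: Flags [P.], seq 2884:3123, ack 350, win 118, length 239
18:42:18.491516 IP 192.0.2.10.44598 > 1.1.1.1.853: Flags [P.], seq 659:683, ack 4262, win 636, length 24
EOF
}

sample_capture | dns_summary
```

On the router, `live_summary 500` gives the same report for real traffic; any `cleartext_name` line after DoT is enabled points at a client or router feature that is bypassing it.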
Code:18:21:37.518927 PPPoE [ses 0x67d0] IP <my_public_ip>.54122 > dns9.quad9.net.domain: 10713+ [1au] A? snbforums.com. (54)
18:21:37.534732 PPPoE [ses 0x67d0] IP dns9.quad9.net.domain > <my_public_ip>.54122: 10713 3/0/1 A 104.26.9.66, A 172.67.69.81, A 104.26.8.66 (90)
Code:admin@RT-AC86U-DBA8:/tmp/mnt/amtm/tmp# dig snbforums.com
; <<>> DiG 9.16.8 <<>> snbforums.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10713
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;snbforums.com. IN A
;; ANSWER SECTION:
snbforums.com. 300 IN A 104.26.9.66
snbforums.com. 300 IN A 172.67.69.81
snbforums.com. 300 IN A 104.26.8.66
;; Query time: 19 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue Feb 16 18:21:37 MYT 2021
;; MSG SIZE rcvd: 90
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/tmp#
Code:18:42:09.461916 IP <my_public_ip>.44598 > one.one.one.one.853: Flags [.], ack 4262, win 636, length 0
18:42:09.471698 IP dns9.quad9.net.853 > <my_public_ip>.40518: Flags [P.], seq 2884:3123, ack 350, win 118, options [nop,nop,TS val 2463546271 ecr 7251271], length 239
18:42:09.471823 IP <my_public_ip>.40518 > dns9.quad9.net.853: Flags [P.], seq 350:502, ack 3123, win 589, options [nop,nop,TS val 7251273 ecr 2463546271], length 152
18:42:09.471712 IP dns9.quad9.net.853 > <my_public_ip>.40518: Flags [P.], seq 3123:3362, ack 350, win 118, options [nop,nop,TS val 2463546271 ecr 7251271], length 239
18:42:09.480189 IP dns9.quad9.net.853 > <my_public_ip>.40518: Flags [P.], seq 3362:3480, ack 502, win 122, options [nop,nop,TS val 2463546280 ecr 7251273], length 118
18:42:09.480400 IP <my_public_ip>.40518 > dns9.quad9.net.853: Flags [.], ack 3480, win 634, options [nop,nop,TS val 7251273 ecr 2463546271], length 0
18:42:18.491516 IP <my_public_ip>.44598 > one.one.one.one.853: Flags [P.], seq 659:683, ack 4262, win 636, length 24
18:42:18.491683 IP <my_public_ip>.44598 > one.one.one.one.853: Flags [F.], seq 683, ack 4262, win 636, length 0
Is Network Monitoring enabled on the Administration / System tab?
Network Monitoring: DNS Query checked, Ping not checked.
Quote: It appears some device in your network is asking your DNS 1.1.1.2 to resolve the IP address for dns.msftncsi.com.
Seems like the smoking gun was already found...
Quote: Thank you all for your input, I greatly appreciate it!!!
Also, should I turn on DNSSEC?
A good idea to do so.
Quote: I was under the knowledge that DNS Server 1 & 2 should be from a different company than the DNS-over-TLS Server List, since those are the fallback DNS if the DNS-over-TLS Server List servers are down, i.e. DNS-over-TLS Server List = Cloudflare, then DNS Server 1 & 2 = Quad9. If Cloudflare is down, then Quad9 would be used. In your case, if Cloudflare is down, you have no DNS..... Or am I wrong in my understanding of this?
I don't think there's any automatic fallback to plain DNS if DoT servers are unresponsive. You would need to manually disable DNS Privacy on the WAN page. I may be wrong, since it's been a while since I bothered with DoT, but there is no inherent failover mechanism. The router will restart stubby if it dies, but that's about it.
OK, I was not remembering correctly. According to this post, DNS Servers 1 & 2 are used at startup. Having all the same would be confusing if performing leak testing (if I understand that correctly).
Using multiple diverse services is a good practice for redundancy, but if you're using a service for filtering capability, you may not want to use Quad9 if your goal is to filter adult content with 1.1.1.3 for example.
Thanks again for all your help, I have learned a lot today. The only thing I have not been able to do is confirm it. If I SSH to the router via PuTTY and run tcpdump it says command not found. Not sure what I'm doing wrong :/
It comes from Entware. If you have Entware set up, you can install tcpdump:
Code:opkg update
opkg install tcpdump
tcpdump -i $(nvram get wan0_ifname) -n port 53
Ahhhh thank you. I will have to cross that bridge later this week!
You don't have Entware installed yet?
Funny you mention that. I have Diversion installed. I wonder why it didn't work out of the box? I'll keep digging!
No problem. You just need an empty USB stick (a few gigabytes in size may be enough, depends on your needs). Connect it to your router, run amtm and format your stick with Format disk in amtm (to ext something, just don't ask me which one is the best choice, ext2 or ext4 or whatever LUL) and create a swap file (2 gigabytes in size would be nice) with the amtm swap file management tool as well. Then install Diversion, because it will automagically install Entware for you and you just sit and relax.
And that's it, pretty much. I think.
What happens if you
Code:opkg install tcpdump
?
I will give this a try Thursday. Thanks!