What's new

Help configuring and testing DNS-over-TLS on 384.13

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

djphilosophy

Occasional Visitor
I'm trying to setup DNS over TLS on 384.13. Both the Cloudflare help page and the Tenta test page report that TLS over DNS is not enabled (DNSSEC currently disabled).

Is this a configuration problem? A shortcoming of the testing pages? Might I need to do a factory reset (didn't do one after recent upgrade to 384.13)?

Here are my current WAN DNS settings (DNSFilter is set to "Router"):

hcpEzdP.jpg


I've spent an hour doing searches for solutions, followed one thread here which got me to where I am (the settings above). Any help is much appreciated.
 
I'm trying to setup DNS over TLS on 384.13. Both the Cloudflare help page and the Tenta test page report that TLS over DNS is not enabled (DNSSEC currently disabled).

Is this a configuration problem? A shortcoming of the testing pages? Might I need to do a factory reset (didn't do one after recent upgrade to 384.13)?

Here are my current WAN DNS settings (DNSFilter is set to "Router"):

hcpEzdP.jpg


I've spent an hour doing searches for solutions, followed one thread here which got me to where I am (the settings above). Any help is much appreciated.
Have you tried this thread?
https://www.snbforums.com/threads/how-to-set-up-dns-over-tls-384-13.59461/
 
Cloudflare test doesn't work dnssec enabled. Their issue.

Tenta's test works only when using their public dns.

Your config is fine.
 
Your configuration looks good and it probably works, but the online tests are flawed. You can do a DNS over TLS check from your SSH console with the following command:
tcpdump -ni eth0 -p port 53 or port 853

Watch the traffic and you should see DNS requests being routed through port 853 to quad9 or cloudflare deepening on your configuration. It will look something like this:
15:59:18.936390 IP your.ip.address.43711 > 1.0.0.1.853: Flags [.], ack 1, win 229, length 0

If you see port 53 instead then you have it not working correctly.
 
Your configuration looks good and it probably works, but the online tests are flawed. You can do a DNS over TLS check from your SSH console with the following command:
tcpdump -ni eth0 -p port 53 or port 853

Watch the traffic and you should see DNS requests being routed through port 853 to quad9 or cloudflare deepening on your configuration. It will look something like this:
15:59:18.936390 IP your.ip.address.43711 > 1.0.0.1.853: Flags [.], ack 1, win 229, length 0

If you see port 53 instead then you have it not working correctly.

Connecting via SSH to the router I get "-sh: tcpdump: not found". I'm guessing I have to install it via package manager?
 
Connecting via SSH to the router I get "-sh: tcpdump: not found". I'm guessing I have to install it via package manager?
Yes, sorry forgot that little info.
Run: At a ssh prompt.

opkg update
opkg install tcpdump
 
Do you have any reason to think it's not working? It looks right as rain to me. If it were "broken" you would be having trouble getting to the Internet at all.

You can switch your DNS Privacy servers from Quad9 to Cloudflare and retest their 1.1.1.1/help site if it makes it any better. If it still comes back as WoodyNet it means it's using your WAN DNS servers, and DoT is not working.

Using tcpdump from Entware requires a USB drive attached to your router.
 
Do you have any reason to think it's not working? It looks right as rain to me. If it were "broken" you would be having trouble getting to the Internet at all.

You can switch your DNS Privacy servers from Quad9 to Cloudflare and retest their 1.1.1.1/help site if it makes it any better. If it still comes back as WoodyNet it means it's using your WAN DNS servers, and DoT is not working.

Using tcpdump from Entware requires a USB drive attached to your router.

I don't have any reason to think it's not working, I just figured that there was a way to reliably test that it is. If I switch the DNS servers in the DNS-over-TLS Server List to Cloudflare's, I do see Cloudflare instead of WoodyNet on Cloudflare's test site. I guess that means it's working?
 
If I switch the DNS servers in the DNS-over-TLS Server List to Cloudflare's, I do see Cloudflare instead of WoodyNet on Cloudflare's test site. I guess that means it's working?
Does it show connected with TLS in that help page? Or still No?
 
You can try going to the Network Tools menu -> Netstat Tab and click Diagnose. You should see under the Foreign Address something like
Code:
one.one.one.one:853
when using Cloudflare or perhaps
Code:
9.9.9.9:853
if using Quad9.
 
Set cloudflare as your dot dns

1.1.1.1/help will show DOT enabled when you turn off dnssec it will break this test. Well known issue at their end.

Already told you this on 3rd post.

Assuming you mean that DNSSEC should be disabled in the WAN DNS settings, as you can see from my screenshot in post #1, it already is disabled.
 
You can try going to the Network Tools menu -> Netstat Tab and click Diagnose. You should see under the Foreign Address something like
Code:
one.one.one.one:853
when using Cloudflare or perhaps
Code:
9.9.9.9:853
if using Quad9.

Doing this, I do see "one.one.one.one:853", preceded by and address connected to my local ISP. Changed it to Quad9 and I see "dns9.quad9.net:853". This confirms it's working?
 
Doing this, I do see "one.one.one.one:853", preceded by and address connected to my local ISP. Changed it to Quad9 and I see "dns9.quad9.net:853". This confirms it's working?

Yes. 853 is the port used by DNS over TLS.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top