That used to be the case but Asus made an upstream change which necessitated the new behaviour in 386.4.
This was EYE-OPENING, @eibgrad! Thank you so much for this script. This definitely helped me shore things up and tighten up my settings. Also, thanks for the hint on that "screen" function... I never even knew that was a possibility -- that right there is worth its weight in gold!
Apologies in advance for foolish questions, but this is currently way over my head. I am using unbound for DNS and also have IPv6 enabled, native with DHCP-PD.
I only use VPNs for a couple of connections and the VPN is set to exclusive, so I would expect to see a lot of red for the rest of the traffic; however, I see mostly green and all of it is IPv6 (and the devices using the VPN tunnel have IPv6 disabled). Looking at the IPv6 queries, they are mostly going to/from the WAN IPv6 address - also I do not see this address in the WAN/LAN IP/: header.
All the DNS queries I can see are over UDP; in your example you also have TCP - is this a result of using unbound?
Sometimes on a page refresh I can see a whole list of green IPv4 queries, some LAN clients to router and some LAN clients to VPN tunnel. I then see a whole batch of red WAN to external lookups - is there a way to know whether any of these relate to the VPN rather than the queries that should be going out via the WAN?
Thanks! Any changes to the install instructions?
When you download from Pastebin you get a file with a double .sh (merlin-dns-monitoring.sh.sh) from the download button.
Thank you for your script.
Ok thanks. PasteBin is barely adequate and not all that smart. I always name my scripts w/ the .sh extension on their system. And since it's identified to their system specifically as a Bash file (that's why it uses the proper color coding), it automatically adds .sh to the file as part of the download, *even* if the file name already ends in .sh! What can I say. It's dumb. Ever use its ZIP download feature? All the contained files have the '-' removed (presumably because they need it to separate the file name from their unique identifier), so if you had to use the ZIP file to reconstruct your files, you'd have to do so MANUALLY!
Honestly, how dumb is that.
udp src=<WAN-IP> dst=<WAN-DNSServer1-IP> dport=53 src=<WAN-DNSServer1-IP> dst=<WAN-IP>
The script disables the router dns lookup for wan connection tracking on startup, but the connection tracking keeps the connection for a couple of minutes. For me it takes 3-4 minutes for the red line to disappear. Have you tried to wait that long with the script running? It enables it again on exit, so you need to run it for some time.
+1 this is great, thank you!
For my setup, all lines are green or yellow (DNS over TLS to Cloudflare), except one red line that looks like this, and has several duplicates:
udp src=<WAN-IP> dst=<WAN-DNSServer1-IP> dport=53 src=<WAN-DNSServer1-IP> dst=<WAN-IP>
Reading this thread, I think this one red line is router traffic to the DNS server - perhaps keep-alive, or pinging. I did try routing all traffic to the <WAN-DNS1Server1-IP> through a VPN connection, but the red line continued to appear. I'm not so worried about this, as I think the LAN client DNS traffic is encrypted with DoT. Still a bit curious.
Thank you again!
The script disables the router dns lookup for wan connection tracking on startup ...
Really? When I run the script it started up with wan check disabled... funny...
It actually does NOT disable the dns lookup on startup. YOU have to use the [w] menu option to toggle the wan connectivity check between disable/enable.
I pressed w and waited, and the red line disappeared: all else are yellow and green. Nice.
In egrep 'dport=(53|853) ' /proc/net/nf_conntrack in the first post, the 5th column of the output is the "aging timer" of that tracked entry. This egrep 'dport=(53|853) ' /proc/net/nf_conntrack | grep $(nvram get wan_ipaddr) | awk '{print $5}' | sort -rn | head -1 will just show the WAN IP entry with the highest "aging timer". I use this to see how long to wait for the red line to disappear.
curl -kLs pastebin.com/raw/AGNF8cC8 | tr -d '\r' | sh
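The conntrack parsing the post above describes, written out as an added example (not eibgrad's script and not from the original thread): it walks /proc/net/nf_conntrack-format lines, keeps only DNS (dport 53/853) entries, reads the aging timer from the 5th column, and tags each entry in the spirit of the colours the thread discusses: a plain-DNS entry whose source is the WAN IP (the router's own lookup going out over the WAN) is flagged RED, a dport=853 DoT entry YELLOW, and a LAN client query GREEN. The sample conntrack lines and the WAN IP 203.0.113.5 are constructed for the demo.

```shell
#!/bin/sh
# Constructed sample of /proc/net/nf_conntrack output (not a real capture).
# Assumed topology: WAN IP 203.0.113.5, LAN 192.168.1.0/24, router LAN IP 192.168.1.1.
SAMPLE_CONNTRACK='ipv4     2 udp      17 28 src=192.168.1.10 dst=192.168.1.1 sport=40001 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=40001 mark=0 zone=0 use=2
ipv4     2 udp      17 172 src=203.0.113.5 dst=198.51.100.1 sport=40002 dport=53 src=198.51.100.1 dst=203.0.113.5 sport=53 dport=40002 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=1.1.1.1 sport=40003 dport=853 src=1.1.1.1 dst=203.0.113.5 sport=853 dport=40003 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 300 ESTABLISHED src=192.168.1.20 dst=192.168.1.30 sport=40004 dport=443 src=192.168.1.30 dst=192.168.1.20 sport=443 dport=40004 [ASSURED] mark=0 zone=0 use=2'

# classify_dns_conntrack WAN_IP  < conntrack-text
# Prints one line per DNS entry: TAG proto src-ip dport=N timer=SECONDS
# (the timer is column 5 of nf_conntrack, as the post explains).
classify_dns_conntrack() {
  awk -v wan="$1" '
    $0 ~ /dport=(53|853) / {
      timer = $5; src = ""; dport = ""
      # Walk the key=value fields; the first src= / dport= belong to the
      # original direction (the tcp lines carry a state word before them).
      for (i = 6; i <= NF; i++) {
        if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
        if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
      }
      if (dport == "853")  tag = "YELLOW"   # DNS over TLS
      else if (src == wan) tag = "RED"      # router plain-DNS lookup over WAN
      else                 tag = "GREEN"    # LAN client query
      printf "%s %s %s dport=%s timer=%s\n", tag, $3, src, dport, timer
    }'
}

# max_wan_dns_timer WAN_IP  < conntrack-text
# Highest aging timer among RED entries: how long until the last red line expires.
max_wan_dns_timer() {
  classify_dns_conntrack "$1" |
    awk '$1 == "RED" { sub(/^timer=/, "", $5); if ($5 + 0 > max) max = $5 + 0 } END { print max + 0 }'
}

# Demo on the constructed sample; on a router you would feed the live table instead:
#   classify_dns_conntrack "$(nvram get wan_ipaddr)" < /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | classify_dns_conntrack 203.0.113.5
printf '%s\n' "$SAMPLE_CONNTRACK" | max_wan_dns_timer 203.0.113.5
```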
Hi @eibgrad
May I know if the instructions in your 1st post can be used in a Stock Firmware environment, or if it only supports Merlin's Firmware.
Code:curl -kLs pastebin.com/raw/AGNF8cC8 | tr -d '\r' | sh
During your first release, the above worked in my Stock Firmware environment (RT_AX88U_3.0.0.4_386_46065). However, I get "No Data" after your latest update. Did I miss some steps?
Thanks. I look forward to using your handy work to track DNS leaks.