Diversion Odd DNS issues


colourofsound

Occasional Visitor
Hi All,

First time poster after buying an ASUS DSL-AX82U and installing Diversion. I was using a PiHole previously which so far I've found is easier to use but not necessarily more effective.

Anyway, I've come across behaviour that I can't seem to pin down to any one part of the router. When using the standard DNS that I've configured:
[screenshot: 1701871263575.png]

and with Diversion on, certain sites don't load. The best example is a comic on Penny-Arcade.com - the comics themselves are fed from assets.penny-arcade.com and won't load - the rest of the site does, however.

I've added both penny-arcade.com and assets.penny-arcade.com to the whitelist, but it hasn't made a difference.

I've disabled Diversion altogether; didn't make a difference.

I've also disabled DNS-over-TLS in case it was one of the HTTPS DNS servers; but even when WAN DNS is set to Cloudflare, devices still cannot resolve assets.penny-arcade.com. I've also done this in combination with disabling Diversion.

The only way I can get it to work is by bypassing DNS on the LAN side using the DNS Director, which also uses Cloudflare:
[screenshot: 1701871565850.png]


This is obviously puzzling, as I'd expect that turning off Diversion and disabling DNS-over-TLS on the WAN would have the same effect as using the user-defined DNS in the LAN DNS Director... but it doesn't.

Finally, I can't seem to obtain logs from the device. Logging is enabled, but when I try and grab logs from DNSMASQ it says logging is disabled.

What am I missing? I am a network/Azure engineer by trade and this is making me feel very dumb...

Thanks in advance!
 
And you don't have any DNS servers set in the Manually Assigned.. part at the bottom of that page?
 
Nope, any devices that I have assigned an IP to in Manually Assigned are using 'Default' for DNS. And, the affected devices haven't had an IP reserved in any case.

[screenshot: 1701872798802.png]
 
What firmware version are you running? Your WAN DNS page looks like an old version.

If you do an nslookup assets.penny-arcade.com from your PC's command line what do you get?

Are you using IPv6? Have you tried a different browser or PC?
 
Firmware: 388.2_2_0-gnuton1
Diversion 4.3.3 standard

nslookup can't resolve assets.penny-arcade.com at all.

IPv6 is disabled.

I have tried it on my iPhone and on my 2015 Macbook Pro; neither work unless I add them to User-Defined DNS in the Director. Tried both Firefox and Safari.

I have a work Windows 10 laptop which has a device-level always-on VPN, and assets.penny-arcade.com resolves via my work DNS server; implying it can't resolve locally. The VPN is split-tunnelled; internet traffic shouldn't go over it.
 
Here's from my Plex Server:

Code:
nslookup assets.penny-arcade.com
Server:  DSL-AX82U-4B38
Address:  192.168.0.1


Non-authoritative answer:
Name:    assets.penny-arcade.com
Addresses:  ::
          0.0.0.0

nslookup penny-arcade.com
Server:  DSL-AX82U-4B38
Address:  192.168.0.1

Non-authoritative answer:
Name:    penny-arcade.com
Address:  34.98.75.234
 
Thanks. Can you confirm that DoT was disabled when you did this test? I note that your first DoT server is blocking assets.penny-arcade.com.

Code:
C:\>nslookup assets.penny-arcade.com 76.76.2.2
Server:  p2.freedns.controld.com
Address:  76.76.2.2

Non-authoritative answer:
Name:    assets.penny-arcade.com
Addresses:  ::
          0.0.0.0

P.S. Your firmware is over a year out of date so it might be worth updating that to 388.4_0.
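The nslookup answers above carry the tell-tale sinkhole response (0.0.0.0 and ::) that a filtering resolver returns for a name it blocks, which is different from a name that does not exist (NXDOMAIN). The following Python script is an added example, not code from this thread, from Diversion or from Asuswrt-Merlin: it parses nslookup output from several resolvers and flags any resolver that sinkholes a name another resolver resolves normally. The sample outputs are transcribed from this thread; `nosuch.invalid` is a constructed name used only to show the NXDOMAIN case.

```python
"""Classify nslookup output to tell a filtering resolver from a real failure.

Added example, not code from the thread. A filtering resolver such as the
ControlD "freedns" endpoints in the original poster's DoT list answers a
blocked name with the sinkhole addresses 0.0.0.0 and ::; a name that simply
does not exist comes back as NXDOMAIN. Parsing the output from several
resolvers side by side shows which one is doing the blocking.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Addresses that DNS filters hand back instead of the real record.
SINKHOLE_ADDRS = {"0.0.0.0", "::"}


@dataclass
class LookupResult:
    server: str = ""            # resolver that answered (from the Server: line)
    name: str = ""              # queried name as echoed in the answer
    addresses: List[str] = field(default_factory=list)
    nxdomain: bool = False

    def verdict(self) -> str:
        """resolved / blocked / partially-blocked / nxdomain / no-answer."""
        if self.nxdomain:
            return "nxdomain"
        if not self.addresses:
            return "no-answer"
        if all(a in SINKHOLE_ADDRS for a in self.addresses):
            return "blocked"
        if any(a in SINKHOLE_ADDRS for a in self.addresses):
            return "partially-blocked"
        return "resolved"


def parse_nslookup(text: str) -> LookupResult:
    """Parse the text nslookup prints (Windows or macOS layout).

    The first Address: line belongs to the resolver; only lines after
    Name: are answer records, and indented bare lines continue a
    multi-address answer.
    """
    result = LookupResult()
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Server:"):
            result.server = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            result.name = line.split(":", 1)[1].strip()
            in_answer = True
        elif line.startswith(("Addresses:", "Address:")):
            value = line.split(":", 1)[1].strip()
            if in_answer:               # resolver's own Address: line is skipped
                result.addresses.append(value)
        elif line.startswith("Aliases:"):
            continue
        elif "can't find" in line and ("Non-existent domain" in line or "NXDOMAIN" in line):
            result.nxdomain = True
        elif in_answer and re.fullmatch(r"[0-9A-Fa-f:.]+", line):
            result.addresses.append(line)   # continuation of an Addresses: block
    return result


def find_filtering_resolvers(outputs: Dict[str, str]) -> List[str]:
    """Return resolvers that sinkhole a name at least one other resolver resolves."""
    verdicts = {label: parse_nslookup(out).verdict() for label, out in outputs.items()}
    if "resolved" not in verdicts.values():
        return []          # nobody resolves it: not a filtering problem
    return sorted(label for label, v in verdicts.items() if v == "blocked")


# Sample outputs transcribed from the thread (76.76.2.2 sinkholes the name,
# 76.76.2.1 resolves it); the NXDOMAIN sample is constructed.
BLOCKED = """\
Server:  p2.freedns.controld.com
Address:  76.76.2.2

Non-authoritative answer:
Name:    assets.penny-arcade.com
Addresses:  ::
          0.0.0.0
"""

RESOLVED = """\
Server:  p1.freedns.controld.com
Address:  76.76.2.1

Non-authoritative answer:
Name:    assets.penny-arcade.com
Addresses:  2606:4700:3030::6815:40df
          2606:4700:3036::ac43:9c27
          104.21.64.223
          172.67.156.39
"""

NXDOMAIN = """\
Server:  p1.freedns.controld.com
Address:  76.76.2.1

*** p1.freedns.controld.com can't find nosuch.invalid: Non-existent domain
"""

if __name__ == "__main__":
    samples = {"76.76.2.2": BLOCKED, "76.76.2.1": RESOLVED}
    for label, out in samples.items():
        r = parse_nslookup(out)
        print(f"{label:10} {r.verdict():18} {r.addresses}")
    print("filtering resolvers:", find_filtering_resolvers(samples))
```

In practice you would paste the output of `nslookup <name> <resolver>` for each server in the DoT list plus one unfiltered control into the dictionary; a "blocked" verdict next to a "resolved" one points at the resolver, while "nxdomain" everywhere means the name itself is the problem.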
 
That was with DoT enabled; I get the same result when it is disabled. I've flushed and re-registered DNS on the PC; but I'm wondering whether I need router reboots between these changes?

Regarding the firmware, I have the DSL version of the AX82U which needs a gnuton fork of the main firmware to work (from here: https://gnuton.github.io/asuswrt-merlin.ng/). I haven't been able to find anything newer. I'm in the UK and don't have FTTP; so I needed a DSL router (or have loads of boxes in the living room, which I didn't want!)
 
There might be something odd about gnuton's firmware that requires a reboot. I don't know as I don't use it. It might also be some sort of bug that's fixed in a later firmware. The latest version for the DSL-AX82U that I can see is here:

 
Weird; I've only had the router for 3 months so I don't understand how I've managed to put a year old firmware on it. I'll update it and report back. Thanks for all your help!
 
Interestingly I don't get that result on my work PC

Code:
nslookup assets.penny-arcade.com 76.76.2.1
Server:  p1.freedns.controld.com
Address:  76.76.2.1

Non-authoritative answer:
Name:    assets.penny-arcade.com
Addresses:  2606:4700:3030::6815:40df
          2606:4700:3036::ac43:9c27
          104.21.64.223
          172.67.156.39
 
You're using a different DNS server. Try 76.76.2.2
 
Code:
 nslookup assets.penny-arcade.com 76.76.2.2
Server:  p2.freedns.controld.com
Address:  76.76.2.2

Non-authoritative answer:
Name:    assets.penny-arcade.com
Addresses:  2606:4700:3030::6815:40df
          2606:4700:3036::ac43:9c27
          172.67.156.39
          104.21.64.223

nslookup assets.penny-arcade.com 76.76.2.1
Server:  p1.freedns.controld.com
Address:  76.76.2.1

Non-authoritative answer:
Name:    assets.penny-arcade.com
Addresses:  2606:4700:3030::6815:40df
          2606:4700:3036::ac43:9c27
          104.21.64.223
          172.67.156.39
 
That's strange. I'm still getting it blocked on 76.76.2.2. I even tried the same using my mobile phone over 5G to eliminate my home network and got the same result.

Maybe your work VPN connection is doing DNS hijacking similar to what DNS Director does.
 
Yeah quite possibly.

I've removed freedns from the DoT config and that *seems* to have fixed it. However that doesn't really explain why it wasn't working when DoT was disabled; I guess it's possible that DoT was never properly being disabled...

(Router upgrade and reboot made no difference)
 
Disabled DoT and rebooted the router; so it should be using Cloudflare now on the WAN DNS; but it's not working. Very weird.
 
