Menu
What's new
By:
Filters Better Search

Quad 9 WAN DNS Settings

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

G

GoldWing

Regular Contributor
Hello,

Shouldn't I be able to use Quad 9 on an Asus RT-AX86U Pro via the WAN DNS Settings?

I'm located in midwestern USA. I've used a Cloudflare with similar settings, and was experimenting with new WAN DNS settings with Quad 9. Win11Pro Internet settings show an Internet connection, but apparently my browser (i.e. Firefox) will not connect with Quad 9? Hence the question above.

See Quad 9's DNS settings per the URL of https://docs.quad9.net/services/ and the image attached.

Thanks!

GoldWing
 

Attachments

  • WAN_DNS_Settings_Quad9.jpeg
    WAN_DNS_Settings_Quad9.jpeg
    81.1 KB · Views: 300
Does Edge browser in your Windows 11 connect? Eliminate browser related issue first.

Is IPv6 enabled on your router? If not - IPv6 DNS servers in DoT are not needed, won't be used.

DNS Rebind Protection enabled may generate false Possible Rebind Attack messages in your System Log.
 
GoldWing said:
Shouldn't I be able to use Quad 9 on an Asus RT-AX86U Pro via the WAN DNS Settings?
Click to expand...

I'd say yes... I had it working with 9.9.9.9, 149.112.112.112, dns.quad9.net as you have it configured, but not since AX86U and with Edge on Win10.

OE
 
RT-AX88U running the exact same quad9 configuration and Firefox connects fine on win11. What are your DNS Director settings?
 

Attachments

  • Screenshot_2024-06-17-07-08-08-19_3aea4af51f236e4932235fdada7d1643.jpg
    Screenshot_2024-06-17-07-08-08-19_3aea4af51f236e4932235fdada7d1643.jpg
    78 KB · Views: 279
  • Screenshot_2024-06-17-07-08-41-09_3aea4af51f236e4932235fdada7d1643.jpg
    Screenshot_2024-06-17-07-08-41-09_3aea4af51f236e4932235fdada7d1643.jpg
    71.8 KB · Views: 238
OP, I had your exact setup (plus DNS Director’s Global Redirection set to “Router”) a few weeks ago and everything worked fine.
 
Last edited:
Tech9 said:
Does Edge browser in your Windows 11 connect? Eliminate browser related issue first.

Is IPv6 enabled on your router? If not - IPv6 DNS servers in DoT are not needed, won't be used.

DNS Rebind Protection enabled may generate false Possible Rebind Attack messages in your System Log.
Click to expand...


Hello,

I've found my ealier problem with Quad9 setup was how Firefox settings were. I've reset Firfox's settings with the signficant change being "General" > "Network Settings" > set to "Use system proxy settings". After the changes I was able to browse the Internet with Firefox.

I've shut off IPv6 on my router because I've found out the OpenVPN on my router is not IPv6 capable. So it makes no sense to try to use IPv6 at this time. I do like the fact that all devices connected to the router are protected from malware via the DoT settings.

OpenVPN Client Settings: The "Accept DNS Configuration" is set to "Disabled". "Redirect Internet traffic through tunnel" set to "Yes (all)". "Killswitch - Block routed clients if tunnel goes down" set to "Yes".

I have not changed DNS Rebind connection at this time because I do like the protection provided to the LAN. I'll have to check System Log at a later time.

I now have Quad9 as my DNS Server, and using them for DoT queries. The DNS Leak tests provided some puzzling results. However after investigating them I believe the results are consistent with using Quad9. Why?
First, I found this old SnB Forums thead at https://www.snbforums.com/threads/cloud9-dns.56918/ which discusses WoodyNet,

Second, on Quad9's URL of https://quad9.net/news/blog/quad9-and-your-data/ they state they use Packet Clearing House (PCH).

Third, although the DNSLeakTest.com results are not consistently labeled with VPNtesting.com the one IP address does cross reference.

Fourth, I did do a tcpdump to verify DNS queries were running through port 853 except for a few lines. See Exception Example below.

Obviously I've removed my IP address and replaced it with "RmMyIP" for obvious reasons.

Exception Example:

Line 386 & 387:
19:52:04.162130 IP RmMyIP.37077 > 9.9.9.9.53: 38871+ A? dns.msftncsi.com. (34)
19:52:04.185184 IP 9.9.9.9.53 > RmMyIP.37077: 38871 1/0/0 A 131.107.255.255 (50)

On the "dns.msftncsi.com" I did find this SnBForums thread at https://www.snbforums.com/threads/network-flooded-by-dns-msftncsi-com-requests.61155/. Unless I'm missing something seems to verify router is connected to the Internet.

Is the second line with Microsoft's IP address releated to the first line? It appears to be per the URL of https://www.lookip.net/ip/131.107.255.255 where the Hostname is dns.msftncsi.com.

If your interested I've posted the images of DNSLeakTest.com, VPNtesting.com, and the "WAN DNS Setting" including "DNS-over-TLS Server List" via the "DNSleaktest_ExtdResults_Q9.jpg", "VPNtesting_Com_Results_Q9.jpg", and "Quad9_WAN_DNS_Setting_n_DoT.jpg" attached files.

Thanks for your help!


GoldWing
 

Attachments

  • Quad9_WAN_DNS_Setting_n_DoT.jpg
    Quad9_WAN_DNS_Setting_n_DoT.jpg
    107.8 KB · Views: 143
  • VPNtesting_Com_Results_Q9.jpg
    VPNtesting_Com_Results_Q9.jpg
    66.5 KB · Views: 112
  • DNSleaktest_ExtdResults_Q9.jpg
    DNSleaktest_ExtdResults_Q9.jpg
    71.6 KB · Views: 169
GoldWing said:
Hello,

I've found my ealier problem with Quad9 setup was how Firefox settings were. I've reset Firfox's settings with the signficant change being "General" > "Network Settings" > set to "Use system proxy settings". After the changes I was able to browse the Internet with Firefox.

I've shut off IPv6 on my router because I've found out the OpenVPN on my router is not IPv6 capable. So it makes no sense to try to use IPv6 at this time. I do like the fact that all devices connected to the router are protected from malware via the DoT settings.

OpenVPN Client Settings: The "Accept DNS Configuration" is set to "Disabled". "Redirect Internet traffic through tunnel" set to "Yes (all)". "Killswitch - Block routed clients if tunnel goes down" set to "Yes".

I have not changed DNS Rebind connection at this time because I do like the protection provided to the LAN. I'll have to check System Log at a later time.

I now have Quad9 as my DNS Server, and using them for DoT queries. The DNS Leak tests provided some puzzling results. However after investigating them I believe the results are consistent with using Quad9. Why?
First, I found this old SnB Forums thead at https://www.snbforums.com/threads/cloud9-dns.56918/ which discusses WoodyNet,

Second, on Quad9's URL of https://quad9.net/news/blog/quad9-and-your-data/ they state they use Packet Clearing House (PCH).

Third, although the DNSLeakTest.com results are not consistently labeled with VPNtesting.com the one IP address does cross reference.

Fourth, I did do a tcpdump to verify DNS queries were running through port 853 except for a few lines. See Exception Example below.

Obviously I've removed my IP address and replaced it with "RmMyIP" for obvious reasons.

Exception Example:

Line 386 & 387:
19:52:04.162130 IP RmMyIP.37077 > 9.9.9.9.53: 38871+ A? dns.msftncsi.com. (34)
19:52:04.185184 IP 9.9.9.9.53 > RmMyIP.37077: 38871 1/0/0 A 131.107.255.255 (50)

On the "dns.msftncsi.com" I did find this SnBForums thread at https://www.snbforums.com/threads/network-flooded-by-dns-msftncsi-com-requests.61155/. Unless I'm missing something seems to verify router is connected to the Internet.

Is the second line with Microsoft's IP address releated to the first line? It appears to be per the URL of https://www.lookip.net/ip/131.107.255.255 where the Hostname is dns.msftncsi.com.

If your interested I've posted the images of DNSLeakTest.com, VPNtesting.com, and the "WAN DNS Setting" including "DNS-over-TLS Server List" via the "DNSleaktest_ExtdResults_Q9.jpg", "VPNtesting_Com_Results_Q9.jpg", and "Quad9_WAN_DNS_Setting_n_DoT.jpg" attached files.

Thanks for your help!


GoldWing
Click to expand...

Glad to hear you've sorted out your issue. Hopefully your experience with Quad9's performance is better than mine, and that your ISP is routing you to Quad9's closest resolver to you. I'm located in Toronto and while my ISP would route me to Quad9's Toronto POP most of the time, sometimes I would get bounced to New York and Virginia POPs. Similar problems with Cloudflare and Cleanbrowsing. One of the downsides to 3rd party resolvers using global AnyCast infrastructure. There was also the problem of Quad9 having a route leak in Asia last month, which caused me to get bounced to their resolver in Kyrgyzstan for a few days...that wreaked havoc on my latency. That last event led me to ditch 3rd party resolvers entirely and switch back to using my ISP's DNS. While I like the privacy of DoT, I prefer having the fastest performance with no chance of getting bounced to resolvers on the other side of the planet.
 
Last edited:
Ripshod said:
What are your DNS Director settings?
Click to expand...

I did further testing with DNS Director on with Global Direction set to Router. One test with LAN > DHCP Server > DNS and WINS Server > DNS Server 1 or DNS Server 2 filled out with in 9.9.9.9 or 149.112.112.112 which wiped out port 853 in the TCPDump results negating the DoT settings on the WAN page.

If I left LAN > DHCP Server > DNS and WINS Server > DNS Server 1 or DNS Server 2 undefined (i.e. blank), then port 853 was the prevalent TCPdump port with only a few port 53 which was previously mentioned verifying use of DoT defined on the WAN page. This may be the same as not using the DNS Director at all. Not sure, but the TCPdump results were essentially the same.

Regards,

GoldWing
 
You must log in or register to reply here.

Similar threads

G
DNS Hijack?
Replies
2
Views
827
GoldWing
G
S
Moving DHCP to Pi-Hole
Replies
2
Views
1K
Scott Kaforey
S
storkinsj
DNS and internet dropping
Replies
3
Views
637
storkinsj
storkinsj
S
Solved New ISP - WAN Setup - Will not work with custom WAN DNS - dnsmasq.conf
Replies
1
Views
261
stilltravelling
S
S
Solved DNS resolution works for devices, but not router itself?
Replies
10
Views
1K
spindrift
S
Similar threads
Thread starter Title Forum Replies Date
TexasDave WAN Setting - WAN Connection Type Asuswrt-Merlin 2
D Delay Wan connection at restart Asuswrt-Merlin 2
orudie VPN does not auto connect after primary WAN disconnects and Secondary WAN becomes active. When primary WAN reconnects again then VPN auto reconnects Asuswrt-Merlin 6
S Solved New ISP - WAN Setup - Will not work with custom WAN DNS - dnsmasq.conf Asuswrt-Merlin 1
Z Dual WAN + Dual Firewall Asuswrt-Merlin 11
M RT-AX86U Pro - Merlin: can't get p2p cameras available to wan. Asuswrt-Merlin 4
ollimoe RT-BE88U and Dynamic WAN Port MAC? Asuswrt-Merlin 0
M 802.1q VLAN tagging menu missing for WAN interface (Asus RT-AX86U Pro) Asuswrt-Merlin 4
U How to switch secondary WAN to Hot-Standby? Asuswrt-Merlin 2
zquestz Dual WAN IPv6 Asuswrt-Merlin 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 862 (members: 35, guests: 827)
Top