Quad 9 WAN DNS Settings

GoldWing

Regular Contributor
Hello,

Shouldn't I be able to use Quad 9 on an Asus RT-AX86U Pro via the WAN DNS Settings?

I'm located in the midwestern USA. I've used Cloudflare with similar settings, and was experimenting with new WAN DNS settings for Quad 9. Win11 Pro Internet settings show an Internet connection, but apparently my browser (i.e. Firefox) will not connect with Quad 9? Hence the question above.

See Quad 9's DNS settings per the URL of https://docs.quad9.net/services/ and the image attached.

Thanks!

GoldWing
 

Attachments

  • WAN_DNS_Settings_Quad9.jpeg
Does the Edge browser in your Windows 11 connect? Eliminate browser-related issues first.

Is IPv6 enabled on your router? If not, IPv6 DNS servers in DoT are not needed and won't be used.

DNS Rebind Protection enabled may generate false Possible Rebind Attack messages in your System Log.
 
Shouldn't I be able to use Quad 9 on an Asus RT-AX86U Pro via the WAN DNS Settings?

I'd say yes... I had it working with 9.9.9.9, 149.112.112.112, dns.quad9.net as you have it configured, but not since AX86U and with Edge on Win10.

OE
 
RT-AX88U running the exact same quad9 configuration and Firefox connects fine on win11. What are your DNS Director settings?
 

Attachments

  • Screenshot_2024-06-17-07-08-08-19_3aea4af51f236e4932235fdada7d1643.jpg
  • Screenshot_2024-06-17-07-08-41-09_3aea4af51f236e4932235fdada7d1643.jpg
OP, I had your exact setup (plus DNS Director’s Global Redirection set to “Router”) a few weeks ago and everything worked fine.
 

Hello,

I've found my earlier problem with the Quad9 setup was how Firefox's settings were. I've reset Firefox's settings, with the significant change being "General" > "Network Settings" > set to "Use system proxy settings". After the changes I was able to browse the Internet with Firefox.

I've shut off IPv6 on my router because I've found out the OpenVPN on my router is not IPv6 capable. So it makes no sense to try to use IPv6 at this time. I do like the fact that all devices connected to the router are protected from malware via the DoT settings.

OpenVPN Client Settings: The "Accept DNS Configuration" is set to "Disabled". "Redirect Internet traffic through tunnel" set to "Yes (all)". "Killswitch - Block routed clients if tunnel goes down" set to "Yes".

I have not changed DNS Rebind connection at this time because I do like the protection provided to the LAN. I'll have to check System Log at a later time.

I now have Quad9 as my DNS Server, and using them for DoT queries. The DNS Leak tests provided some puzzling results. However after investigating them I believe the results are consistent with using Quad9. Why?
First, I found this old SNBForums thread at https://www.snbforums.com/threads/cloud9-dns.56918/ which discusses WoodyNet.

Second, on Quad9's URL of https://quad9.net/news/blog/quad9-and-your-data/ they state they use Packet Clearing House (PCH).

Third, although the DNSLeakTest.com results are not consistently labeled with VPNtesting.com the one IP address does cross reference.

Fourth, I did do a tcpdump to verify DNS queries were running through port 853 except for a few lines. See Exception Example below.

Obviously I've removed my IP address and replaced it with "RmMyIP" for obvious reasons.

Exception Example:

Line 386 & 387:
19:52:04.162130 IP RmMyIP.37077 > 9.9.9.9.53: 38871+ A? dns.msftncsi.com. (34)
19:52:04.185184 IP 9.9.9.9.53 > RmMyIP.37077: 38871 1/0/0 A 131.107.255.255 (50)

On the "dns.msftncsi.com" I did find this SNBForums thread at https://www.snbforums.com/threads/network-flooded-by-dns-msftncsi-com-requests.61155/. Unless I'm missing something, this seems to verify the router is connected to the Internet.

Is the second line with Microsoft's IP address related to the first line? It appears to be, per the URL https://www.lookip.net/ip/131.107.255.255 where the Hostname is dns.msftncsi.com.

If you're interested, I've posted the images of DNSLeakTest.com, VPNtesting.com, and the "WAN DNS Setting" including "DNS-over-TLS Server List" via the "DNSleaktest_ExtdResults_Q9.jpg", "VPNtesting_Com_Results_Q9.jpg", and "Quad9_WAN_DNS_Setting_n_DoT.jpg" attached files.

Thanks for your help!


GoldWing
 

Attachments

  • Quad9_WAN_DNS_Setting_n_DoT.jpg
  • VPNtesting_Com_Results_Q9.jpg
  • DNSleaktest_ExtdResults_Q9.jpg

Glad to hear you've sorted out your issue. Hopefully your experience with Quad9's performance is better than mine, and that your ISP is routing you to Quad9's closest resolver to you. I'm located in Toronto and while my ISP would route me to Quad9's Toronto POP most of the time, sometimes I would get bounced to New York and Virginia POPs. Similar problems with Cloudflare and Cleanbrowsing. One of the downsides to 3rd party resolvers using global AnyCast infrastructure. There was also the problem of Quad9 having a route leak in Asia last month, which caused me to get bounced to their resolver in Kyrgyzstan for a few days...that wreaked havoc on my latency. That last event led me to ditch 3rd party resolvers entirely and switch back to using my ISP's DNS. While I like the privacy of DoT, I prefer having the fastest performance with no chance of getting bounced to resolvers on the other side of the planet.
 
What are your DNS Director settings?

I did further testing with DNS Director on and Global Redirection set to Router. In one test, with LAN > DHCP Server > DNS and WINS Server > DNS Server 1 or DNS Server 2 filled out with 9.9.9.9 or 149.112.112.112, port 853 disappeared from the tcpdump results, negating the DoT settings on the WAN page.

If I left LAN > DHCP Server > DNS and WINS Server > DNS Server 1 or DNS Server 2 undefined (i.e. blank), then port 853 was the prevalent port in tcpdump, with only a few port 53 lines as previously mentioned, verifying use of the DoT servers defined on the WAN page. This may be the same as not using DNS Director at all. Not sure, but the tcpdump results were essentially the same.

Regards,

GoldWing
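As an added example (not code from this thread, from Quad9 or from the router firmware), the script below automates the tcpdump check used in GoldWing's two posts above: it parses tcpdump text output, counts packets on port 853 (DoT) versus port 53 (plaintext DNS), and lists every name that went out in the clear so a leak like the dns.msftncsi.com lookup is flagged rather than eyeballed. The sample capture is constructed around the two lines quoted in the post; the port-853 lines are made up to stand in for DoT traffic, and "RmMyIP" is kept as the redacted LAN address.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` text output. Lines 3 and 4 are the two lines
# quoted in the post; the port-853 lines are made up to represent DoT traffic.
SAMPLE_TCPDUMP = """\
19:52:03.901221 IP RmMyIP.51412 > 9.9.9.9.853: Flags [P.], seq 1:200, ack 1, win 502, length 199
19:52:03.930117 IP 9.9.9.9.853 > RmMyIP.51412: Flags [P.], seq 1:320, ack 200, win 64240, length 319
19:52:04.162130 IP RmMyIP.37077 > 9.9.9.9.53: 38871+ A? dns.msftncsi.com. (34)
19:52:04.185184 IP 9.9.9.9.53 > RmMyIP.37077: 38871 1/0/0 A 131.107.255.255 (50)
19:52:05.004551 IP RmMyIP.51412 > 149.112.112.112.853: Flags [P.], seq 200:410, ack 320, win 502, length 210
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
QNAME_RE = re.compile(r"\? (\S+?)\.? \(")  # "A? dns.msftncsi.com. (34)" -> dns.msftncsi.com
DNS_PORTS = {53: "plain", 853: "dot"}       # 853 = DNS over TLS, 53 = cleartext DNS

def endpoint(s):
    """Split tcpdump's 'host.port' form; the host may itself contain dots (an IPv4 address)."""
    host, _, port = s.rpartition(".")
    return host, (int(port) if port.isdigit() else None)

def parse_line(line):
    """Return (ts, kind, resolver, qname) for a DNS-looking tcpdump line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = endpoint(m["src"])
    dst_host, dst_port = endpoint(m["dst"])
    # Outbound query: the resolver port is the destination; reply: it is the source.
    if dst_port in DNS_PORTS:
        kind, resolver = DNS_PORTS[dst_port], dst_host
    elif src_port in DNS_PORTS:
        kind, resolver = DNS_PORTS[src_port], src_host
    else:
        return None
    q = QNAME_RE.search(m["rest"])  # only cleartext queries expose the name
    return m["ts"], kind, resolver, (q.group(1) if q else None)

def audit(text):
    """Count DoT vs plaintext DNS packets and list each name queried in the clear."""
    counts, leaks = Counter(), []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, resolver, qname = parsed
        counts[kind] += 1
        if kind == "plain" and qname:
            leaks.append((ts, qname, resolver))
    return {"dot": counts["dot"], "plain": counts["plain"], "plaintext_queries": leaks}

if __name__ == "__main__":
    print(audit(SAMPLE_TCPDUMP))
```

Feed it a real capture with `tcpdump -n -i eth0 port 53 or port 853 > dns.txt` on the router and pass the file contents to `audit`; a non-empty `plaintext_queries` list is the DoT bypass you want to investigate.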
 
