[Release] Asuswrt-Merlin 384.11 is available

Is it this simple? I enabled DNSSEC support, changed protocol to TLS, added the preset and applied the changes.

Yep, although I had trouble with 9.9.9.9 failing to resolve pages about 1 in every 10-20. 1.1.1.1 has no problems, but no filtering.
 
I was looking to install dnscrypt or stubby, but does this version's new feature "DNS-over-TLS" do the same thing and eliminate the need to install those?
Yes, it runs stubby built into the firmware using the DNS PRIVACY option.
 
Is there any need for DNS Server 1 and 2? I just left them empty and it is working fine.
In LAN settings leave them blank. In WAN settings set them to whatever you want things (that start early in the boot-up process) to use for DNS. Enable DNSFilter and set it to Router if you don't want devices getting around your DoT.
 
In LAN settings leave them blank. In WAN settings set them to whatever you want things (that start early in the boot-up process) to use for DNS. Enable DNSFilter and set it to Router if you don't want devices getting around your DoT.

Thanks for the heads up! I have them empty at LAN and WAN as well. The rest is as stated. Just wondering why I need DNS Server 1 and 2 on the WAN side as DoT is set.
 
Thanks for the heads up! I have them empty at LAN and WAN as well. The rest is as stated. Just wondering why I need DNS Server 1 and 2 on the WAN side as DoT is set.
Just like asking Maps for directions. Can you say "Send me there" without stating where? :)
You need to give DoT where you want your TLS DNS domain queries to be processed.
 
Just like asking Maps for directions. Can you say "Send me there" without stating where? :)
You need to give DoT where you want your TLS DNS domain queries to be processed.

I get that, but the internet works without setting any DNS number in fields 1 and 2, as DoT is set to 1.1.1.1. Any cons? I have set Connect to DNS Server automatically to NO.
 
Thanks for the heads up! I have them empty at LAN and WAN as well. The rest is as stated. Just wondering why I need DNS Server 1 and 2 on the WAN side as DoT is set.
The WAN DNS Server entries can be set to auto (using your ISP DNS) or hard coded as anything you want. You configure this so that NTP update has some way to complete its task. NTP being time. In early boot processes.
 
I get that, but the internet works without setting any DNS number in fields 1 and 2, as DoT is set to 1.1.1.1. Any cons? I have set Connect to DNS Server automatically to NO.
If you enabled DoT after the router has already been up and running with regular DNS, you might not see the effects yet. If you reboot without any WAN DNS 1 or 2 servers populated, things might not work as well after the reboot. Better to have WAN DNS explicitly set to something so the router, NTP and DoT can bootstrap themselves before DoT (stubby) is started.
 
If you enabled DoT after the router has already been up and running with regular DNS, you might not see the effects yet. If you reboot without any WAN DNS 1 or 2 servers populated, things might not work as well after the reboot. Better to have WAN DNS explicitly set to something so the router, NTP and DoT can bootstrap themselves before DoT (stubby) is started.

Thanks, I will set them. :)
 
Just like asking Maps for directions. Can you say "Send me there" without stating where? :)
You need to give DoT where you want your TLS DNS domain queries to be processed.
Maybe the question is: if DoT is enabled and the DNS server is specified in the DNS-over-TLS Server List at the bottom of the page, does there really need to be an entry in the DNS Servers 1 and 2 slots further up the page or can they be left blank? The entry in DNS Server 1 will no doubt be identical to the DoT server selected from the list at the bottom. But suppose a different server were defined as DNS Server 1; would that perhaps act as a fallback server if DoT fell over?

Edit: Dave14305, above, has, as usual, answered the question thoroughly.
 
I edited my post to strike the word "explicitly." You can use automatic DNS servers from your ISP or your own preferred servers. Something is better than nothing.
Thanks again. I just asked because I couldn't find anything strange when I powered on after an upgrade, and later found out that I had forgotten to set these DNS numbers on the WAN side; all was working.
 
In LAN settings leave them blank. In WAN settings set them to whatever you want things (that start early in the boot-up process) to use for DNS. Enable DNSFilter and set it to Router if you don't want devices getting around your DoT.
Enabling DNSFilter and choosing "Router" bypasses DoT? I thought that forced everything, including hard coded devices, to use DoT. I may have misunderstood your post as I refer to choosing Router under the global menu.
 
I edited my post to strike the word "explicitly." You can use automatic DNS servers from your ISP or your own preferred servers. Something is better than nothing.
This all makes sense to me now, including why the option Connect to DNS Server automatically is still there and valid. Having said that, if Connect to DNS Server automatically is set to Yes, is there not a case for hiding from view the options for DNS Server 1 and 2? Or perhaps, similarly, specifying those 2 servers still allows DNS resolution if there’s a problem with the ISP’s DNS server?
 
This all makes sense to me now, including why the option Connect to DNS Server automatically is still there and valid. Having said that, if Connect to DNS Server automatically is set to Yes, is there not a case for hiding from view the options for DNS Server 1 and 2?
The fields do toggle on or off depending on the setting, at least on my router/browser. :)
Or perhaps, similarly, specifying those 2 servers still allows DNS resolution if there’s a problem with the ISP’s DNS server?
I started thinking about whether a failsafe is possible if Stubby fails to start for any reason, and if dnsmasq would continue to resolve using the WAN DNS servers (I don't believe it will). That's not the same as the question you pose above, but I think in general, the world already solved the redundancy of old-style DNS. Yet I still remember the day I vowed never to use Comcast's DNS servers after they had multiple outages several years ago. :mad:
 
Enabling DNSFilter and choosing "Router" bypasses DoT? I thought that forced everything, including hard coded devices, to use DoT. I may have misunderstood your post as I refer to choosing Router under the global menu.
I think you misunderstood what he said; he means the opposite of what you said.
 
