What's new
By:

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

RT-AC88U for secondary routing encountered DNS and VPN problems

M

mkjxrhfg

New Around Here
After activating the VPN activation for the secondary Routing, you can see in the primary Routing that the DNS for the secondary Routing is not tunneled through the VPN,I don't know how to fix it?
 

Attachments

  • Secondary Routing VPN Configuration.png
    Secondary Routing VPN Configuration.png
    34.8 KB · Views: 110
  • Secondary Routing WAN Configuration.png
    Secondary Routing WAN Configuration.png
    95.8 KB · Views: 112
  • As seen in the primary route (secondary route version 386.3.2).png
    As seen in the primary route (secondary route version 386.3.2).png
    31.2 KB · Views: 117
  • As seen in the primary route (secondary route version 386.4).png
    As seen in the primary route (secondary route version 386.4).png
    42.2 KB · Views: 109
You're probably right about 8.8.8.8 and 8.8.4.4 NOT being routed over the VPN, but you wouldn't know that from the netstat information. All it's showing is the destination IP and ports being used, but NOT which network interface is being used to route those DNS queries out to the internet. For that you'd need to use my DNS monitor utility.

www.snbforums.com

Tutorial - How to monitor DNS traffic in real-time

The following script allows for real-time monitoring of DNS on the router for the purposes of knowing what DNS servers are in use, and which network interfaces are being used. https://pastebin.com/AGNF8cC8 Overview One of the most difficult aspects of the router for users is managing DNS. DNS...
www.snbforums.com www.snbforums.com

What you're likely to find is that 8.8.8.8 and 8.8.4.4 are in fact being routed out the WAN/ISP. And that's because starting w/ 386.4, ASUS now statically binds the WAN's DNS server's to the WAN (!) (presumably to ensure the integrity of the periodic WAN check). But given you're using DoT (aka Stubby @ 127.0.1.1), those custom servers aren't even necessary. Had you left them blank, there'd be nothing for the router to bind to the WAN. All the router could do is use Stubby for name resolution, which is a local process. And Stubby itself is bound to the VPN because of having "Route Internet traffic through tunnel" set to Yes (all).

In fact, perhaps an even better solution is what I explain in the following link regarding binding the router itself to DNSMasq (an idea that originated from @SomeWhereOverTheRainBow).

www.snbforums.com

Tutorial - How to monitor DNS traffic in real-time

Been following this thread. I recall many questions about leaving DNS Server 1/DNS Server 2 blank was answered moons ago. @RMerlin 's guidance was: "do not leave'm blank or NTP and other time dependent services (VPNs, ...) cannot start properly." What did I miss? We are concerned that the...
www.snbforums.com www.snbforums.com

One other point. Whether DoT needs to be routed over the VPN is an arguable point. Once DNS is encrypted, it doesn't really matter all that much which network interface is used. The only real (and limited) benefit of routing DoT over the VPN is so the ISP doesn't even know you're using DoT, and which servers, and perhaps in some extreme case, having the ISP block port 853. But for the most part, it just isn't necessary. In in your case, it just comes as a side-effect of having all your traffic routed over the VPN.
 
eibgrad said:
You're probably right about 8.8.8.8 and 8.8.4.4 NOT being routed over the VPN, but you wouldn't know that from the netstat information. All it's showing is the destination IP and ports being used, but NOT which network interface is being used to route those DNS queries out to the internet. For that you'd need to use my DNS monitor utility.

www.snbforums.com

Tutorial - How to monitor DNS traffic in real-time

The following script allows for real-time monitoring of DNS on the router for the purposes of knowing what DNS servers are in use, and which network interfaces are being used. https://pastebin.com/AGNF8cC8 Overview One of the most difficult aspects of the router for users is managing DNS. DNS...
www.snbforums.com www.snbforums.com

What you're likely to find is that 8.8.8.8 and 8.8.4.4 are in fact being routed out the WAN/ISP. And that's because starting w/ 386.4, ASUS now statically binds the WAN's DNS server's to the WAN (!) (presumably to ensure the integrity of the periodic WAN check). But given you're using DoT (aka Stubby @ 127.0.1.1), those custom servers aren't even necessary. Had you left them blank, there'd be nothing for the router to bind to the WAN. All the router could do is use Stubby for name resolution, which is a local process. And Stubby itself is bound to the VPN because of having "Route Internet traffic through tunnel" set to Yes (all).

In fact, perhaps an even better solution is what I explain in the following link regarding binding the router itself to DNSMasq (an idea that originated from @SomeWhereOverTheRainBow).

www.snbforums.com

Tutorial - How to monitor DNS traffic in real-time

Been following this thread. I recall many questions about leaving DNS Server 1/DNS Server 2 blank was answered moons ago. @RMerlin 's guidance was: "do not leave'm blank or NTP and other time dependent services (VPNs, ...) cannot start properly." What did I miss? We are concerned that the...
www.snbforums.com www.snbforums.com

One other point. Whether DoT needs to be routed over the VPN is an arguable point. Once DNS is encrypted, it doesn't really matter all that much which network interface is used. The only real (and limited) benefit of routing DoT over the VPN is so the ISP doesn't even know you're using DoT, and which servers, and perhaps in some extreme case, having the ISP block port 853. But for the most part, it just isn't necessary. In in your case, it just comes as a side-effect of having all your traffic routed over the VPN.
Click to expand...
If the user performs a trace route to say for example

www.google.com, and has their dns solution going through the tunnel, it should show hops associated with whatever the vpn provider uses.

The opposite is true when dealing with dns pointed to WAN. You will see servers associated with ISP in the hops.
 
You must log in or register to reply here.

Similar threads

orudie
VPN does not auto connect after primary WAN disconnects and Secondary WAN becomes active. When primary WAN reconnects again then VPN auto reconnects
Replies
6
Views
402
ZebMcKayhan
Z
Z
Nord VPN and DNS Configuration options
Replies
2
Views
223
zillah
Z
storkinsj
DNS and internet dropping
Replies
3
Views
671
storkinsj
storkinsj
C
Weird client VPN problem that just started !
2 3
Replies
53
Views
2K
RMerlin
RMerlin
W
New Asus AXE-11000 VPN Director Problem
Replies
1
Views
243
lumia
L
Similar threads
Thread starter Title Forum Replies Date
J RT-AC88U drops the OpenVPN inbound ACCEPT iptables rule after a time Asuswrt-Merlin 14
dragon31337 Can't add AC88U as wired AI Mesh to AC5300 Asuswrt-Merlin 13
S [AC88U] How to connect 2 separated networks into 1 VLAN Asuswrt-Merlin 2
D RT-AC88U with firmware Merlin 386.12 reboots with most settings wiped Asuswrt-Merlin 13
Z RT-AC88U Link Aggregation Asuswrt-Merlin 0
StephanK RT-AC88U / Kill Switch Asuswrt-Merlin 18
W Latest firmware 388.7 for AX88U and AX11000 and 386.13 for AC88U Asuswrt-Merlin 3
orudie VPN does not auto connect after primary WAN disconnects and Secondary WAN becomes active. When primary WAN reconnects again then VPN auto reconnects Asuswrt-Merlin 6
U How to switch secondary WAN to Hot-Standby? Asuswrt-Merlin 9
SkierInAvon Very Strange WAN Login Entry…WAN Routing 192.168.1.20??? HUH? Asuswrt-Merlin 6

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 411 (members: 14, guests: 397)
Back
Top