Weird DNS(?) issues on 386_3_2

[HTBruceM]

There seems to be nothing quite like DNS issues... they're so random and transitory. I hate DNS issues.

• In the Aug/Sep timeframe I updated my pair of RT-AX86u AiMesh machines to 386_3_2 firmware (coming from 386_3). At that time I also enabled DNS Encryption in the router - using DNS-over-TLS via Cloudflare. It had seemed to be working just fine.
• I have (2) Win11 PCs, and one W10 PC. Numerous smart WiFi devices, Smart TV devices, and we "cut the cord" so all our TV viewing is via the internet (Netflix, YouTubeTV, etc..). Most of my testing was on a Win11 PC with Edge browser.
• After several weeks uptime, I started noticing that some websites just would not load in the browser. At random. Yet NO issues with the smart devices at all. Just websites on PC/Phone/tablet.
• Most websites would load fine, but I would run across certain sites that would not load; some might eventually load in "text" mode, without graphics after several minutes. The Edge browser would ususally indicate that it was waiting for the website to respond, and eventually I would get the error screen. Sometimes it would take MINUTES of waiting and the website MIGHT load. And if I waited hours or days later to try again, the "bad" website might load OK once again.
• BTW I could always successfully PING the "bad" website when it's page would not load.
• I tried flushing DNS cache on the PC, no change.
• At first I thought it was the uBlock Origin extension; so I disabled it, but that didn't change anything. I tried using a different browser (Chrome) but still had the same problem. I tried a Brave browser on the PC and it loaded immediately, although Brave was configured to use it's own DNS encryption via Cloudflare via DNS-over-HTTPS (DoH). Clue?
• I tried the "failed" website on my Android phone via WiFi and it would also hang; but turning off the phone's WiFi and using cellular internet the website would load correctly (and immediately).

So at this point I'm thinking the problem lies in the router, not my PCs.

• I tried rebooting the router and that would temporarily fix the "bad" website, but later a different website would start failing.
• I tried switching the router to use a different Secure DNS (Quad9) and that "seemed" to fix things, but it was only temporary. Eventually I ran into the same problems again.

Since the issue seemed to happen on different clients, but worked with Brave using DoH, and worked using cellular internet, I started to suspect something wrong with the Asus Router DNS Encryption DoT. So I disabled the encryption service in the router, but continued to use either Quad9 or Cloudflare as the DNS provider on the WAN side. I even tried having the router stop advertising itself as the DNS server, allowing my LAN clients to instead be configured with the DNS IPs I had configured in the WAN section. I also tried switching to my ISP's DNS servers.
Honestly I cannot recall how successful these attempts were, because I started to lose track of all my various debugging tracks.

In my latest debug attempt, I switched the Asus routers back to factory FW. Now I'm on the factory 3.0.0.4.386_45898-gfa90458 firmware, using the ISP's DNS servers, and allowing the router to advertise itself on my LAN as the DNS server (i.e. the default settings). So far everything seems to have resolved.

If anyone finds similar problems while using Secure DNS (DoT) configurations in the Asus router, please pipe up. I'd like to know if this is MY configuration problem vs. a leak or corruption in the router's DNS service.

BTW did I mention that I hate DNS issues.

 

[dave14305]

I haven't used DoT for a long time, but when I last tested it I would experience random lookup failures with Quad9, probably due to Stubby timeouts and round-robin behavior. Some people have good luck with Stubby, however.

There were some posts a while back about reducing stubby's idle_timeout depending on the behavior of the selected provider. Old post from 2019:

[Release] Asuswrt-Merlin 384.12 is now available

Indeed, the “noob blackbox” aproach isn’t helping anyone. It’s just a linuxpc, nothing magical about it. Just reset via the option in the backup/restore menu You”ll know your router is in virgin mode once you see the unprotected network and configuration assistant. Everything is back to default...

www.snbforums.com

 

[Wade Coxon]

There seems to be nothing quite like DNS issues... they're so random and transitory. I hate DNS issues.

If you can successfully ping the problematic websites, then it would suggest that the DNS lookups are working.

The problems you are seeing would be more symptomatic of a bad MTU value just based on similar issues I have had.

 

[Tomo]

I have also noticed a similar random problem in the last month. Dot enabled with cloudfire dns server, i have now switched to Quad9 for a week and it seems the problem has receded.

@dave14305 , if i may ask you, what system do you use to resolve dns?

 

[HTBruceM]

If you can successfully ping the problematic websites, then it would suggest that the DNS lookups are working.

The problems you are seeing would be more symptomatic of a bad MTU value just based on similar issues I have had.

Wade, can you please elaborate on your reasoning here? Seems to me that for a workload like website browsing, a non-optimized MTU value would have only a VERY minor performance impact. I cannot imagine how it would cause certain websites to either not load at all, or take MINUTES to load.

Not that it is relevant to my problem, but I have symetric gigabit fiber service.

 

[Wade Coxon]

Wade, can you please elaborate on your reasoning here? Seems to me that for a workload like website browsing, a non-optimized MTU value would have only a VERY minor performance impact. I cannot imagine how it would cause certain websites to either not load at all, or take MINUTES to load.

Not that it is relevant to my problem, but I have symetric gigabit fiber service.

Something along these lines

Path MTU Discovery (PMTUD) / Path MTU Black Holes - Fir3net

What is MTU ? When sending traffic across a network, computers use something called an MTU (Maximum Transmission Unit). This (network interface) setting

www.fir3net.com

Also worth considering ipv6 interactions too if you have that enabled.

 

[ColinTaylor]

Something along these lines

Path MTU Discovery (PMTUD) / Path MTU Black Holes - Fir3net

What is MTU ? When sending traffic across a network, computers use something called an MTU (Maximum Transmission Unit). This (network interface) setting

www.fir3net.com

That would seem to negate your theory of a bad MTU. In other words if he can successfully ping the site it's likely that PMTU would work. In which case MTU shouldn't be an issue.

My money would be on a non- or poorly- responding DoT server. But regarding testing that he said: "Honestly I cannot recall how successful these attempts were, because I started to lose track of all my various debugging tracks".

 

[lnViztor]

Good Morning in my ax88u i have same problems. I did numerous hard resets but sooner or later I lose the DNS again on the clients (pc, smartphones, tablets). I tried to ping domains and ip successfully from the router, but the clients did not resolve DNS.

The only way i found to fix it, is downgrade to 386.2_4. In this I get more stability with my build.

 

[Tomo]

.....The only way i found to fix it, is downgrade to 386.2_4. In this I get more stability with my build.

always with Dot enabled and Cloudfire ?

 

[Yo_2T]

Good Morning in my ax88u i have same problems. I did numerous hard resets but sooner or later I lose the DNS again on the clients (pc, smartphones, tablets). I tried to ping domains and ip successfully from the router, but the clients did not resolve DNS.

The only way i found to fix it, is downgrade to 386.2_4. In this I get more stability with my build.

Which DNS provider were you using?

FWIW, I've been using DoT with Google on 386.3_2 all this time and haven't had any issue whatsoever. CF and Quad9 have been unreliable for me in the past (even before 386.3) so I don't believe it's the code base.

 

[lnViztor]

always with Dot enabled and Cloudfire ?

Yes always Dot and Cloudflare

 

[donbru]

Same problem here. PC, iPad, and iPhone. Using DOT and Cloudflare. Going to try Quad9.

 

[Zoomingrocket]

Since you brought this up, I want to layout my problem, may be related, may be not

So i enabled DoT + DNSSEC last month with CloudFlare & Quad9 DNS entries with CloudFlare on top of the list and since then running into weird problems browsing different sites from Win10 Laptop:
Edge/Chrome Browser - Some links you click on a webpage will result into no action, just circling around, kind of loop but no page loads until it complains unresponsive tab

Firefox Browser- Same links on webpage if you click will result into Immediate Timeout Error page, Hitting Try Again once or twice will eventually load the page

So my current workaround is to use Firefox but never got to figure out root cause. No issues noticed on browsing via IPhone, Macbook or any smart TV streaming. No errors in router sys log when this happens.

I have verified by disabling entire DoT & DNSSEC setup and fall back to default WAN DNS served via CloudFlare and no issues, works smoothly but in interest of privacy i have switched DoT on again and living with Firefox workaround!

 

[HTBruceM]

Update:
I've been on the stock ASUS FW (3.0.0.4.386_45898-gfa90458) now for the past 4 days, using my ISP's DNS servers, DOT disabled, router acting as local LAN DNS server (no DNS servers specified in the LAN section). Everything working nicely.

I feel like the issue has something to do with DoT. Either in the router's DoT implementation, or the DNS provider themselves. Since I had issues with both CloudFlare and Quad9 DoT servers, it seems more likely that the problem lies with the DoT implementation in the router. It's just a hunch though, I have no other proof.

It's one of those issues that takes a while to manifest itself. I don't think it's a Merlin FW problem though. I'm pretty sure that if/when I go back to Merlin, I still won't have issues as long as I use the same non-secure DNS configuration that I'm using currently. Feels like something in the DoT support code, wherever that comes from.

I hate troubleshooting DNS issues. Did I say that already?

 

[HTBruceM]

Update:
I've been on the stock ASUS FW (3.0.0.4.386_45898-gfa90458) now for the past 4 days, using my ISP's DNS servers, DOT disabled, router acting as local LAN DNS server (no DNS servers specified in the LAN section). Everything working nicely.

I feel like the issue has something to do with DoT. Either in the router's DoT implementation, or the DNS provider themselves. Since I had issues with both CloudFlare and Quad9 DoT servers, it seems more likely that the problem lies with the DoT implementation in the router. It's just a hunch though, I have no other proof.

It's one of those issues that takes a while to manifest itself. I don't think it's a Merlin FW problem though. I'm pretty sure that if/when I go back to Merlin, I still won't have issues as long as I use the same non-secure DNS configuration that I'm using currently. Feels like something in the DoT support code, wherever that comes from.

I hate troubleshooting DNS issues. Did I say that already?

Still no issues after another week of usage.

 

[rexbinary]

Since you brought this up, I want to layout my problem, may be related, may be not

So i enabled DoT + DNSSEC last month with CloudFlare & Quad9 DNS entries with CloudFlare on top of the list and since then running into weird problems browsing different sites from Win10 Laptop:
Edge/Chrome Browser - Some links you click on a webpage will result into no action, just circling around, kind of loop but no page loads until it complains unresponsive tab

Firefox Browser- Same links on webpage if you click will result into Immediate Timeout Error page, Hitting Try Again once or twice will eventually load the page

So my current workaround is to use Firefox but never got to figure out root cause. No issues noticed on browsing via IPhone, Macbook or any smart TV streaming. No errors in router sys log when this happens.

I have verified by disabling entire DoT & DNSSEC setup and fall back to default WAN DNS served via CloudFlare and no issues, works smoothly but in interest of privacy i have switched DoT on again and living with Firefox workaround!

I'm having this same issue on my GT-AC2900 as well when using Quad9 DoT and DNSSEC. Merlin 386.3.2