DNS-over-TLS Asus Router Setup (Please Help)
I cannot get my head around the setup of dns-over-tls on my router AX56U and would just like some confirmation with the setup please. So when I navigate to the WAN section should I be selecting 'other' option and leaving DNS Server1 and DNS Server2 blank or should I be entering the assigned NextDNS IP addresses from my configuration page in those fields?
Lastly, when entering details in the DNS-over-TLS Server List, should I be using the NextDNS IP Addresses from the Linked IP section of my configuration page or from the pfSense section under router configuration? As both sets of IP addresses are different so not really sure which ones to use, does it matter?
Just to clarify I'm not using IPv4 with linked IP. But I'm currently using the Linked IP DNS server addresses in my router in both sections using DNS-over-TLS and I'm getting 100% Encrypted DNS traffic, just not sure of it's blocking everything from my configuration.
If someone could please clear this up I would greatly appreciate it. Thanks in advance..
36 replies
-
Logs are your friend
-
Honestly it is SOOOO much easier to just use the router CLI and not bother with any of those settings. As long as you are using the Asus-Merlin firmware on your router you can do this.
-
It would be helpful if the instructions were a little more clear for the newbie
-
If you can use IPv6 or DOT or DOH, you don't have to worry about linked IP. Linked IP is pretty much the last resort if none of the other methods are available. You should try to use any of the other methods shown on https://my.nextdns.io rather than Linked IP
I personally recommend installing a NextDNS client on your local device rather than router to get started. Once you have used it for awhile and get comfortable with how everything works, then consider using it on your router if you want to use NextDNS network wide. Installing it on your device has the additional advantage of being able to use the service when you're away from your home network (particularly with mobile devices and/or laptop computer). You can even install it for just a single browser such as Chrome or Firefox or any of their derivatives. Router configuration can get confusing, depending on the router. I'm not familiar with your particular model router. Installing on the OS or browser is much more straightforward.
Also, when it's on your local device you can more easily disable/enable blocking if you run into something that doesn't work right. It takes a bit of time to figure out what lists and options work for you and what things you might need to manually add to your allow list. A good starting point for configuring your lists and options is here: https://github.com/yokoffing/NextDNS-Config
If you happen to be using a Mac, disable iCloud private relay...it doesn't always play well with NextDNS.
-
thanks for the detailed information. I already have all the above setup correctly on my other devices, no problems there. This is my router configuration that I'm taking about. I don't use Linked IP in my router but instead setup DNS-overTLS. My only question is which IP addresses provided by NextDNS do I use in my router configuration. The ones allocated to me which are located next to the Linked IP section on my NextDNS configuration page or the ones listed for pfSense which are located under setup guide when you select router installation method. Both sets of IP addresses (DNS servers) are different. The hostname I have no problems with, I know what to use. If someone could just please clarify this for me I would really appreciate it. Also when assigning a DNS server on the router do you just leave DNS Server1 & DNS Server2 blank and then add the DNS server IP addresses under the DNS-overTLS Server list section or do you input the same in both sections? Please see attached screenshots..
Thanks again..
-
I’m not familiar with that router. However you don’t really need to configure it for NextDNS if your endpoints are already configured. They will use NextDNS directly.. Some people use the router instead of configuring the endpoints.
-
all good thanks mate, I understand your point but I'd also like to secure my router separately as i have other devices that don't use endpoints like our TV's and gaming consoles. Hopefully someone else can answer my question. Thanks anyway
-
-
You do not need to put anything in the DNS Server section at the top of the section. Those settings are just for the routers own communication and not for any of your devices. But if you want you can put your NextDNS server IP's there or any other DNS servers. In this example Quad9 is used.
Navigate down to DNS Privacy in that sectionDNS Privacy Protocol: DNS-over-TLS (DOT), Preset servers: (ignore, leave at "Please select")
DNS Server List: (leave the other columns blank)
IP AddressTLS Hostname
Your assigned NextDNS IP #1 here [Your NextDNS ID here].dns.nextdns.io Your assigned NextDNS IP #2 here [Your NextDNS ID here].dns.nextdns.io -
thank you, this is the answer I was looking for. If you don't mind can you please clarify the following.
[You do not need to put anything in the DNS Server section at the top of the section. Those settings are just for the routers own communication and not for any of your devices.] If I leave this section blank will it just fall back onto NextDNS Server List I assign below or will it default to my ISP's servers? Otherwise if I decide to put in say Cloudflare dns in the top section, will the below DNS Server1 & Server2 still pickup my NextDNS configuration to block trackers and Add etc on my TV's & consoles etc... So the top section is really like a fallback should NextDNS go down or encounter a problem??
Lastly so my assigned NextDNS IP addresses are the ones on the configuration page just below where is says Linked IP as seen in the screenshot below? Can you confirm please. Much appreciated
-
Once you enter the DoT servers the DNS servers that are at the very top of that section of the webpage are only for the routers use, they will have no effect what so ever on the DNS that your devices use. DoT overrides those settings, but the router itself will use them for its own internal needs.
Yes the two Ip addresses that start with 45.xx.xx.xx are the ones you will use when entering an IP in the DoT section.
Are you also running IPv6 on your system? If your ISP supports IPv6 and you want to use it then there are some other settings that you will need to enter. -
thanks, my router and ISP support IPv6 but why use DOT and IPv6 won't that be an overkill will it slow things down? The two IP addresses that start with 45.xx.xx.xx show up under two different sections on the NextDNS configuration page. There are x2 assigned DNS Servers at the top under Linked IP as I've shown in the above screenshot but if I select the drop down on the setup guide and select routers under pfSense configuration those IP Addresses are just the standard DNS Servers 45.90.30.0 and 45.28.90.0 so you are saying not to use the standard ones but to use the assigned ones instead??
And the ones you've entered at the top of the Router page WAN DNS Settings DNS Servers where you showed Quad9 as an example I can either also put my assigned NextDNS servers in there or I can just use something like Cloudflare, Quad9, Adguard etc.. and it won't affect my DOT servers below am I understanding you correctly? Sorry if I don't seen to be grasping this but I do want to make sure I've set up right and appreciate all your help.
Thanks again
-
Use the ones listed under linked IP. Don't confuse yourself with any of the other pages. Put those two 45.xx.x..xx servers in the DoT section.
As for the other DNS Servers above the Dot Section you can use anything or nothing at all. If you enter nothing then the router will use your ISP DNS servers. Again these have nothing to do with your computers, phones or any other devices once you enable DoT.
Yes if you have IPv6 enabled then you DO need to enter the NextDNS servers or your IPv6 look ups will go to your ISP servers. They work in tandem and most times IPv6 is faster than IPv4.In the IPv6 settings you have to go to where it says "Connect to DNS Server automatically" and set that to Disable, and then you enter both of the IPv6 servers that NextDNS gives you on the setup page.
-
awesome, really appreciate your detailed explanation and appreciate the effort you've give to explain things. Later today I'll make all the necessary changes if I run into any problems, would you mind if I contacted you again? Lastly, do you have any recommendations as to which servers to use above the DOT section on the router or should I just use either the standard nextdns servers or the assigned ones? Also something came to mind regarding the iPV6 configuration, when I enable IPV6 do I also put those addresses in the DOT server section where the other two NEXTDNS assigned ones are?
Cheers
-
The IPv6 addresses go on the IPv6 page, not on the WAN page.
You can put your 45.xx.xx.xx servers in the top section on the WAN page, or any other servers. I use 1.1.1.1 and 1.0.0.1 (Cloudflare servers) just to have something else there. The only thing using those servers is the router itself for its own lookups your devices will not use them unless you turn off DoT.
If you ever get around to it, change your router to use the Asus-Merlin operating system and then you can install the NextDNS CLI and it self configures everything and you don't do a thing.
https://www.snbforums.com/threads/about-asuswrt-merlin-custom-firmware-for-asus-routers.7846/
-
perfect! Thanks and regarding the Merlin software unfortunately my router is no longer supported :-( I have the Asus RT-AX56U
I'll consider Merlin with my next router upgrade :-)
Cheers buddy, you're a gentlemen and a scholar!
-
sorry regarding ipv6 do I enable router advertisement as suggested by the ISP?
-
-
great, thnx! This should be the last question, sorry.. I noticed I have the option to customise the IPv6 reverse DNS on my account with my ISP, is this something I should do, if so what should I put in that field?
-
I have never seen that option here in the US, but instinct tells me that you should just let your ISP handle that.
-
no problem and thanks again. Enjoy the rest of your night mate, appreciate all your help!
Cheers
-
Hi there, I have followed all your instructions above but have run into a problem since I've enabled IPv6 my NBN speed into the gateway has reduced by almost 50% not sure what the issue is. Any ideas as to what may be the problem? Cheers
-
-
Another words since I enabled IPv6 in my Asus router and setup as you instructed my internet download speed has slowed down by 50%
Content aside
-
1
Likes
- 11 hrs agoLast active
- 36Replies
- 173Views
-
2
Following