1

NextDNS issues with DoT on ASUS Merlin

Hello all,

Been having some issues for a while now when using the DoT functions natively supported in ASUS Merlin. Pages time out and often will sit with an "error not resolved" message for roughly 4-5 seconds before the page will refresh and load content.
(This happens with or without DNS Filter active; Model AX-88U)

I have done a complete reset of the router, and used the NextDNS CLI (which doesn't have errors, but resolves slower) but for whatever reason the NextDNS DoT implementation doesn't seem to like the ASUS Merlin firmware anymore, or there's a CDN issue with DoT for the Atlanta region.

I have since disabled any options within the Performance tab of the website, and still am having issues. To the point that many of the diagnostic services for NextDNS itself will not work or report well. Options on the router are minimal outside of factory defaults, with IPv6 and DoT setup being the only noteable changes.

My ISP is AT&T U-verse/Fiber.

I preferred the DoT implementation as hostnames from the CLI can flood the logs with various (blank) names, and the DoT doesn't have to be regularly updated.

57 replies

null
    • G_Mobley
    • 2 yrs ago
    • Reported - view

    Ditto. I cannot keep NextDNS engaged as the DNS DoT provider longer than about 12 hours since hitting Merlin 386.2 with a manual DoT setup.    I have been using "stubby -l" to watch it step down the listing from NextDNS to QUAD9 and Cloudflare in about a 12 hour window.  Sometime in there, DNSMASQ will "go bonkers" and I have to reboot the router usually to fully recover.  Sometimes just restarting DNSMASQ will recover but most times when I check the stubby window it's had some failures and is well  into using the other DNS providers.  

    I've been fighting with this for weeks now on a brand new AX86U, total greenfielded from ground up.   Please keep in touch.  Stay safe, stay alive.

    • orchid_spring
    • 2 yrs ago
    • Reported - view

    I feel like I'm chasing the same issue since updating to Merlin 386.2_0 and 386.2_2

    Any progress with this? I've disabled DoS under firewall at the moment and the issue hasn't returned, it's only been 17 hours since I disabled it though.

    • Qadhi
    • 2 yrs ago
    • Reported - view

    for asus-merlin its best to use the amtm utility and install dnscrpt and configure to use nextdns DoH

    works much better than the nextdns-cli and also supports asus dnsfilter which nextdns-cli does not.

      • olivier
      • 2 yrs ago
      • Reported - view

      Qadhi I would not advise running two dns filters concurrently. Using the CLI is the most recommended on Merlin with NextDNS.

      • Qadhi
      • 2 yrs ago
      • Reported - view

      Olivier Poitrey I can understand that DNSFilter is not supported by nextdns-cli and thats why I am not using it.

      Any other reason for not running DNSfilter?

      • olivier
      • 2 yrs ago
      • Reported - view

      Qadhi it makes things pretty hard to debug and fix when false positives happen and give you a fragmented picture of you DNS traffic.

      • Qadhi
      • 2 yrs ago
      • Reported - view

      Olivier Poitrey Agreed, it may happen with non-tech users and unmanaged networks.

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      Olivier Poitrey You should probably clarify this, as most are assuming they can use DNS Filter on ASUSMerlin to force devices to use NextDNS while also allowing other network devices to bypass the filtering... this is from the SNBForum which I know you're familiar with, but there are other sporadic reports of NextDNS DoT failing on ASUSMerlin there as well.

      http://www.snbforums.com/threads/asuswrt-merlin-386-2-is-now-available.71625/post-682974

      • orchid_spring
      • 2 yrs ago
      • Reported - view

      BS I have NextDNS setup as primary DNS, I do have DNSFilter setup to send Roku and a few other devices around NextDNS to other DNS like 8.8.8.8 or quad 9. I also have one VPN tunnel and route one pc over that tunnel that does not use NextDNS, the vpn tunnel goes down, that computer gets no internet.

      As for my Flooding issue, I was seeing 40k repeated request in about 3-4 hours time.. By the time I switch turned off DoS under Firewall in Merlin, I had wiped out 70-80k requests in less than 12 hours. 

      Since turning off DoS, I've been stable for 85 hours now, the longest since upgrading to firmware 386.2.2 on Merlin.. It seems the DoS service that prevents "denial-of-service" attacks is actually doing the thing it's supposed to prevent.

      As of now, I believe disabling DoS has solved my issue. will continue to monitor. I also don't have DNSSEC turned on. Only DoT DNS is on with my DNSFilters still setup.

      • orchid_spring
      • 2 yrs ago
      • Reported - view

      Olivier Poitrey  I'll look into the CLI/addon for Merlin later, as mentioned above, it's been rock solid for 85 hours now, still monitoring though.

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      JH I haven't enabled or used the DoS or DNSSEC services in ASUSMerlin before, but either there was a change or update to the NextDNS DoT or something adjusted in the resolution path, because now the issue seems to be gone, and my nearest server is Anycast and Ultralow at the same time, when previously it was Anycast only.

      I think there was an update to ASUSMerlin for some IPv6 related issues, which I did update to/for, but I was still originally having problems on IPv4 as well.

      Either way, it seems there was something adjusted on the backend that has solved most of my DoT issues, for now and I'm no longer using the CLI version of NextDNS on ASUSMerlin.  Cheers.

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      BS Disregard, DoT error has returned, going back to CLI for now.

      • orchid_spring
      • 2 yrs ago
      • Reported - view

      BS starting late Thursday night I started to see some DNS failures, this time it wasn't flooding like it had previously, this was some webpages on first load failing, a refresh it would load the page. Last night I restarted DNSMASQ and it didn't help. I added back that Adguard DNS to the DoT list and the issue went away. Seems this issue was on NextDNS side, but I'm not 100% sure. Maybe this is why they recommend the cli method on Merlin.

      • orchid_spring
      • 2 yrs ago
      • Reported - view

      Just clarifying, at this time I have both Adguard and NextDNS working as DoT together.

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      JH Likely a round-robin effect, as listing multiple DNS entries for ASUSMerlin DoT will cause it to cycle through them. I'm not sure if it's based on connectivity/failure, or TTL entries... probably why they're working together, whatever doesn't resolve on NextDNS is likely going through on Adguard.

      • orchid_spring
      • 2 yrs ago
      • Reported - view

      BS just wondering, when you said that you can't use DNS Filter with NextDNS, were you referring to the script version of NextDNS ? I'm thinking of trying it, but if I loose DNS Filter, then Hulu  won't work if it gets certain ads blocked.

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      JH Yes, this is my understanding from Olivier Poitrey mentioned elsewhere in the thread. Likely due to how the script/CLI version handles name resolution and caching. It should be safe to use DNS Filter for the DoT implementation of NextDNS, assuming you don't have the issues I've mentioned in the OP.

    • olivier
    • 2 yrs ago
    • Reported - view
    BS said:
    I preferred the DoT implementation as hostnames from the CLI can flood the logs with various (blank) names, and the DoT doesn't have to be regularly updated.

     Why don't use disable query-logs to avoid the flood? CLI is pretty stable, you don't need to update it.

    For your dot issue, please submit a https://nextdns.io/diag

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      Olivier Poitrey When I say "flood the logs" I mean the device & name options are not reliable after a period of time, and will often not report the correct name, OR will report the same device, but as different device types: ie reporting an iPhone as either the model "iPhone XR" or as "Apple, Inc."

      Please see the screenshot below... when on the Wi-Fi network with the CLI, it is reporting my cellphone as a "Apple, Inc." and when on cellular using the NextDNS app, it is reporting the correct device type/name. I have the NextDNS app set to ignore on my home Wi-Fi to prevent issues, as they're using the same DoH configuration. Also you can see * devices for those where the host name isn't being forwarded correctly, in this case Oculus VR devices.

      Otherwise, if disabling the name/devices on the CLI, everything shows up as "unknown device" in logs, which is jarring for the fact that I know where the queries are originating from, ie my ASUS router. I recently cleared the logs when doing an in-place update to the CLI, and already unknown devices are appearing, even though all host names should be discovered.

      I believe this is due to how device information is being reported on the official app, vs say DoH CLI... preferably, I'd rather just have the names of devices rather than just having the make/models attached, or at least an option to remove that.

      Either way, there's incidental issues with using DoT NextDNS, and the CLI name/reporting is more of a jumble of names/devices than the DoT implementation, where I can reliably determine inquiries coming from my named router without "unknown" devices.

    • maghuro
    • 2 yrs ago
    • Reported - view

    My problem with NEXTDNS CLI on Merlin is different.

    Everything starts ok, as the CLI retrieves the nearest (and with lowest ping) server.

    In fact, there are two servers here in Portugal which I have exactly the same ping on both, and it keeps switching from one to another. Nothing wrong.

    The problem is, after a couple of hours the CLI changes the server to anycast, which is getting me a server with the triple of the ping (on Spain), and it keeps there forever. In order to come back to the steering server, I have to manually restart nextdns CLI.

     

    Any thoughts?

    • teal_rabbit
    • 2 yrs ago
    • Reported - view

    Good morning/afternoon everyone.

    Sorry to bump this topic, but I think I may have figured out what's causing the issue (fingers crossed) regarding the ASUSMerlin DoT implementation, and NextDNS...

    I noticed after using the DoT method, that pages were failing to resolve with "ERR_NAME_NOT_RESOLVED" as the Chromium error message.

    What I've discovered (SO FAR) is there's an issue with handshake/authentication with NextDNS services for some reason when this option is set to STRICT. 

    I don't know if this is due to using a device name for the DoT resolution, "AX-88U-XXXXXX.dns.nextdns.io" or something else.

    I'm unsure if this is an authentication factor on NextDNS's behalf, or some handshake requirement of ASUSMerlin... but I can confirm (with optimistic hesitation) that setting to OPPORTUNISTIC has resolved my DoT issues so far.

    I will bump/update if the problem continues after this adjustment.

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      BS Hey NextDNS could you please take a moment to see why this Strict/Opportunistic setting is resolving DoT issues for NextDNS on ASUSMerlin?

      • NextDNs
      • 2 yrs ago
      • Reported - view

      BS this is possibly related to https://help.nextdns.io/t/x2hfcjj/next-dns-connectivity-issues.

      If you use dns2.nextdns.io only, does it work with strict mode?

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      NextDNS A quick update: So far it's working with dns2 and Strict setting.


      I should note that this is a bare-minimum setup for the router, no VPN or anything, just DoT NextDNS and using "DNSFilter" to force clients to resolve on the router DNS service, so no certificates are imported on the router.


      *IF* this does truly resolve the issue, what are the next steps?
      My understanding is that dns2 is a temporary workaround?

      Thank you for your help and suggestion(s)!

      • NextDNs
      • 2 yrs ago
      • Reported - view

      BS we will notify the maintainer of ASUS Merlin that the CA root store is outdated. I'm sure he will fix that in a future revision.

Content aside

  • Status Fixed
  • 1 Likes
  • 1 yr agoLast active
  • 57Replies
  • 2858Views
  • 11 Following