1

NextDNS issues with DoT on ASUS Merlin

Hello all,

Been having some issues for a while now when using the DoT functions natively supported in ASUS Merlin. Pages time out and often will sit with an "error not resolved" message for roughly 4-5 seconds before the page will refresh and load content.
(This happens with or without DNS Filter active; Model AX-88U)

I have done a complete reset of the router, and used the NextDNS CLI (which doesn't have errors, but resolves slower) but for whatever reason the NextDNS DoT implementation doesn't seem to like the ASUS Merlin firmware anymore, or there's a CDN issue with DoT for the Atlanta region.

I have since disabled any options within the Performance tab of the website, and still am having issues. To the point that many of the diagnostic services for NextDNS itself will not work or report well. Options on the router are minimal outside of factory defaults, with IPv6 and DoT setup being the only noteable changes.

My ISP is AT&T U-verse/Fiber.

I preferred the DoT implementation as hostnames from the CLI can flood the logs with various (blank) names, and the DoT doesn't have to be regularly updated.

57 replies

null
    • teal_rabbit
    • 2 yrs ago
    • Reported - view

    Good morning/afternoon everyone.

    Sorry to bump this topic, but I think I may have figured out what's causing the issue (fingers crossed) regarding the ASUSMerlin DoT implementation, and NextDNS...

    I noticed after using the DoT method, that pages were failing to resolve with "ERR_NAME_NOT_RESOLVED" as the Chromium error message.

    What I've discovered (SO FAR) is there's an issue with handshake/authentication with NextDNS services for some reason when this option is set to STRICT. 

    I don't know if this is due to using a device name for the DoT resolution, "AX-88U-XXXXXX.dns.nextdns.io" or something else.

    I'm unsure if this is an authentication factor on NextDNS's behalf, or some handshake requirement of ASUSMerlin... but I can confirm (with optimistic hesitation) that setting to OPPORTUNISTIC has resolved my DoT issues so far.

    I will bump/update if the problem continues after this adjustment.

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      NextDNS Thank you again so much for the help!
      I'll continue to keep an eye on it, and update if for some reason it starts to fail again... in the past the DoT would work fine until after some period (24-hrs) and then start misbehaving again.

      Also, would any of these options help at all?
      ASUSMerlin is currently in an Alpha state for a new build, so this may be a good chance for this to be updated/fixed. 🤞 

      • NextDNs
      • 2 yrs ago
      • Reported - view

      BS none of those options would help. The fix is to add ISRG Root X1 to the trust store (which has been the case for years in all other OS).

      • NextDNs
      • 2 yrs ago
      • Reported - view
      • NextDNs
      • 2 yrs ago
      • Reported - view

      BS another workaround will be to use our CLI. We will embed the ISRG Root X1 in the next rev to make sure we do not depend on system's.

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      NextDNS I have had moderate success with the CLI, but an important issue is I cannot exclude devices from using it.
      I have a WFH machine that doesn't like to resolve properly with NextDNS services, so having DoT is better because I can use DNSFilter for all devices, and exclude the WFH machine.

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      NextDNS Thank you for reaching out!

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      BS Providing an update for you NextDNS that my problems have resurfaced using the Strict option with dns2.

    • teal_rabbit
    • 2 yrs ago
    • Reported - view

    After some time of testing NextDNS I can confirm that Strict or Opportunistic, or dns1 vs dns2, the issues will still arise. It SEEMS to be related to something with IPV6, which had previously not given me any issues. I am on ATT U-verse which does support native IPV6 dual-stack, and from what I can tell, anytime I start having the issues with connectivity, then the NextDNS status page indicates that my network does not have IPV6 capability.

    It's possible this is ISP related, but that may be difficult to confirm... moving to another DNS resolver (Quad9/Cloudflare) works well, so I don't know if it's a service pipeline issue from ATT to NextDNS in Atlanta, or if there's something else going on with the IPV6 service for NextDNS in Atlanta.

    Thank you for all your time and help, for now, I have disabled IPV6 and will continue testing.

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      BS  I'm not sure what else I can do NextDNS as I've gone through lengths to fix this, even created a new configuration and deleted my old one to troubleshoot this. Something is VERY wrong with the DoT service for my area. Sites (even the NextDNS ping) were failing to load while running a Diag test which is posted here: NextDNS Network Diagnostic 

    • Austin_Clamon
    • 2 yrs ago
    • Reported - view

    Hate to bump an old thread but I am seeing this issue as well. Exact same behavior as @BS except I am using stock asus firmware which now supports DoT, and I am IPv4 only. I have used Cloudflare DoT successfully for a while. About 12 hours after setting up nextdns I am unable to resolve any domains on my network. @NextDNS Can you guys take another look into this please? @BS do you have any updates? Thanks in advance!

      • Austin_Clamon
      • 2 yrs ago
      • Reported - view

      Austin Clamon Update for anyone who looks: test.nextdns.io shows UDP as the protocol when things go sideways. Restarting the router or changing config fixes it for about 20 minutes.

      • Austin_Clamon
      • 2 yrs ago
      • Reported - view

      JCVR Any idea what the issue is? This seems to be an issue folks have been dealing with for a while.

      • NextDNs
      • 2 yrs ago
      • Reported - view

      We deployed some DoT changes trying to see if it addresses this issue 2 days ago (note that we can't reproduce, so it makes it hard to debug). Can you please confirm you are still experiencing this issue?

      • Austin_Clamon
      • 2 yrs ago
      • Reported - view

      NextDNS I was experiencing the issue less than 12 hours ago. I imagine it would be quite easy to reproduce. Just grab an ac-68u with stock firmware and set up DoT under WAN settings in the UI. Do you guys have something in mind that might be the issue?

      • Austin_Clamon
      • 2 yrs ago
      • Reported - view

      JCVR That is a fair point. I too hate having to work again as soon as I get home. Hopefully this gets resolved this time around.

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      NextDNS Here's a recent diag from me, the OP who STILL has this issue, as of today.
      https://nextdns.io/diag/85c4c3b0-7b14-11ec-b17f-f767c0dc044c

      I've basically given up on trying to get this fixed with anything I can do on my side, because there's nothing I can change/do to fix it.
       

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      Austin Clamon I replied a lil further down, makes me kinda sigh in frustration that folks are STILL having this issue, including myself. But no update to say that it's "fixed" permanently. There was a thread a while back here on NextDNS about there being some fixed that -did- work temporarily, and also a ticket opened up on the Stubby GitHub, which does the DoT for ASUS Merlin firmware... but I'm not sure what's used for 'stock' ASUS. 

      Here's some links if you wanna see the previous discussions around NextDNS and DoT on the forums here and Stubby GitHub here:
      TLS Connection Failures - Stubby - Bug Reports - NextDNS Help Center
      Short-term outages with DoT - Bug Reports - NextDNS Help Center
      https://github.com/getdnsapi/stubby/issues/297

      • Austin_Clamon
      • 2 yrs ago
      • Reported - view

       NextDNS do you have any update for us? Im sure many of us would be willing to test any changes.

    • G_Mobley
    • 2 yrs ago
    • Reported - view

    I finally had to revert to using non-NextDNS resolves about a week ago.  The family kept complaining about unresolved DNS issues on Merlin manual setup with DOT.  I've been doing this a while and had issues at first...but something's been escalating.  I was rebooting the router about every 48 hours just to keep the family happy  (DNS would just stop working)...    No, I do not use the "agent" and have been using manual setups for 2 years. 

      • Austin_Clamon
      • 2 yrs ago
      • Reported - view

      G Mobley Same story here. There is definitely some kind of configuration issue with @NextDNS DoT

    • Techno
    • 2 yrs ago
    • Reported - view

    I've given up using NextDNS  DoT with Merlin.  I'm using DoH  without issue.

      • teal_rabbit
      • 2 yrs ago
      • Reported - view

      Techno Did you use DOH via the NextDNS CLI, or just implement it via your browser?

      • Techno
      • 2 yrs ago
      • Reported - view

      BS Until these issues are resolved I'm using AdguardHome with nextdns DoH as my upstream server. I was also having problems with the cli on Merlin firmware.

    • G_Mobley
    • 2 yrs ago
    • Reported - view

    Just an update:   I've not had any complaints in the past week to the "home IT department" about DNS not working and sites not resolving since I removed the NextDNS configuration from my ASUS Merlin setup (386.3_2) - which I've been running for ~ 9+ months.  (I've not upgraded to  the latest 386.4 b/c of known issues...)   I've also not had to reboot the router to recover DNS stability not once after I reconfigured the main router to a DOT/Quad9 configuration.  That  delivered stability but sadly none of the NextDNS benefits.   I'm monitoring this thread and others for further progress by the NextDNS team on the issues being reported here.    Stay safe, stay warm.  Thanks!  Peace. 

    • Techno
    • 2 yrs ago
    • Reported - view

    Any updates to this issue yet @NextDNS

Content aside

  • Status Fixed
  • 1 Likes
  • 1 yr agoLast active
  • 57Replies
  • 2859Views
  • 11 Following