
NextDNS issues with DoT on ASUS Merlin

Hello all,

Been having some issues for a while now when using the DoT functions natively supported in ASUS Merlin. Pages time out and often will sit with an "error not resolved" message for roughly 4-5 seconds before the page will refresh and load content.
(This happens with or without DNS Filter active; Model AX-88U)

I have done a complete reset of the router, and used the NextDNS CLI (which doesn't have errors, but resolves slower) but for whatever reason the NextDNS DoT implementation doesn't seem to like the ASUS Merlin firmware anymore, or there's a CDN issue with DoT for the Atlanta region.

I have since disabled any options within the Performance tab of the website, and still am having issues. To the point that many of the diagnostic services for NextDNS itself will not work or report well. Options on the router are minimal outside of factory defaults, with IPv6 and DoT setup being the only notable changes.

My ISP is AT&T U-verse/Fiber.

I preferred the DoT implementation as hostnames from the CLI can flood the logs with various (blank) names, and the DoT doesn't have to be regularly updated.

58 replies (oldest first)
  • Ditto. I cannot keep NextDNS engaged as the DNS DoT provider longer than about 12 hours since hitting Merlin 386.2 with a manual DoT setup. I have been using "stubby -l" to watch it step down the listing from NextDNS to QUAD9 and Cloudflare in about a 12 hour window. Sometime in there, DNSMASQ will "go bonkers" and I have to reboot the router usually to fully recover. Sometimes just restarting DNSMASQ will recover but most times when I check the stubby window it's had some failures and is well into using the other DNS providers.

    I've been fighting with this for weeks now on a brand new AX86U, total greenfielded from ground up. Please keep in touch. Stay safe, stay alive.

  • I feel like I'm chasing the same issue since updating to Merlin 386.2_0 and 386.2_2

    Any progress with this? I've disabled DoS under firewall at the moment and the issue hasn't returned, it's only been 17 hours since I disabled it though.

  • For asus-merlin it's best to use the amtm utility and install dnscrypt and configure it to use NextDNS DoH.

    Works much better than the nextdns-cli and also supports ASUS DNSFilter, which nextdns-cli does not.

    • Qadhi I would not advise running two dns filters concurrently. Using the CLI is the most recommended on Merlin with NextDNS.

      Qadhi, 2 yrs ago:

      Olivier Poitrey I can understand that DNSFilter is not supported by nextdns-cli and that's why I am not using it.

      Any other reason for not running DNSfilter?

    • Qadhi it makes things pretty hard to debug and fix when false positives happen and gives you a fragmented picture of your DNS traffic.

      Qadhi, 2 yrs ago:

      Olivier Poitrey Agreed, it may happen with non-tech users and unmanaged networks.

      BS (teal_rabbit), 2 yrs ago:

      Olivier Poitrey You should probably clarify this, as most are assuming they can use DNS Filter on ASUSMerlin to force devices to use NextDNS while also allowing other network devices to bypass the filtering... this is from the SNBForum which I know you're familiar with, but there are other sporadic reports of NextDNS DoT failing on ASUSMerlin there as well.

      http://www.snbforums.com/threads/asuswrt-merlin-386-2-is-now-available.71625/post-682974

      JH (orchid_spring), 2 yrs ago:

      BS I have NextDNS set up as primary DNS; I do have DNSFilter set up to send Roku and a few other devices around NextDNS to other DNS like 8.8.8.8 or Quad9. I also have one VPN tunnel and route one PC over that tunnel that does not use NextDNS; if the VPN tunnel goes down, that computer gets no internet.

      As for my flooding issue, I was seeing 40k repeated requests in about 3-4 hours' time. By the time I turned off DoS under Firewall in Merlin, I had wiped out 70-80k requests in less than 12 hours.

      Since turning off DoS, I've been stable for 85 hours now, the longest since upgrading to firmware 386.2.2 on Merlin. It seems the DoS service that prevents "denial-of-service" attacks is actually doing the thing it's supposed to prevent.

      As of now, I believe disabling DoS has solved my issue. I will continue to monitor. I also don't have DNSSEC turned on. Only DoT DNS is on, with my DNSFilters still set up.

      JH (orchid_spring), 2 yrs ago:

      Olivier Poitrey  I'll look into the CLI/addon for Merlin later, as mentioned above, it's been rock solid for 85 hours now, still monitoring though.

      BS (teal_rabbit), 2 yrs ago:

      JH I haven't enabled or used the DoS or DNSSEC services in ASUSMerlin before, but either there was a change or update to the NextDNS DoT or something adjusted in the resolution path, because now the issue seems to be gone, and my nearest server is Anycast and Ultralow at the same time, when previously it was Anycast only.

      I think there was an update to ASUSMerlin for some IPv6 related issues, which I did update to/for, but I was still originally having problems on IPv4 as well.

      Either way, it seems there was something adjusted on the backend that has solved most of my DoT issues, for now and I'm no longer using the CLI version of NextDNS on ASUSMerlin.  Cheers.

      BS (teal_rabbit), 2 yrs ago:

      BS Disregard, DoT error has returned, going back to CLI for now.

      JH (orchid_spring), 2 yrs ago:

      BS Starting late Thursday night I started to see some DNS failures; this time it wasn't flooding like it had previously, this was some webpages failing on first load, and on a refresh the page would load. Last night I restarted DNSMASQ and it didn't help. I added back that Adguard DNS to the DoT list and the issue went away. Seems this issue was on NextDNS's side, but I'm not 100% sure. Maybe this is why they recommend the CLI method on Merlin.

      JH (orchid_spring), 2 yrs ago:

      Just clarifying, at this time I have both Adguard and NextDNS working as DoT together.

      BS (teal_rabbit), 2 yrs ago:

      JH Likely a round-robin effect, as listing multiple DNS entries for ASUSMerlin DoT will cause it to cycle through them. I'm not sure if it's based on connectivity/failure, or TTL entries... probably why they're working together, whatever doesn't resolve on NextDNS is likely going through on Adguard.

      JH (orchid_spring), 2 yrs ago:

      BS just wondering, when you said that you can't use DNS Filter with NextDNS, were you referring to the script version of NextDNS? I'm thinking of trying it, but if I lose DNS Filter, then Hulu won't work if it gets certain ads blocked.

      BS (teal_rabbit), 2 yrs ago:

      JH Yes, this is my understanding from what Olivier Poitrey mentioned elsewhere in the thread. Likely due to how the script/CLI version handles name resolution and caching. It should be safe to use DNS Filter for the DoT implementation of NextDNS, assuming you don't have the issues I've mentioned in the OP.

  • BS said:
    I preferred the DoT implementation as hostnames from the CLI can flood the logs with various (blank) names, and the DoT doesn't have to be regularly updated.

    Why don't you disable query-logs to avoid the flood? CLI is pretty stable, you don't need to update it.

    For your dot issue, please submit a https://nextdns.io/diag

      BS (teal_rabbit), 2 yrs ago:

      Olivier Poitrey When I say "flood the logs" I mean the device & name options are not reliable after a period of time, and will often not report the correct name, OR will report the same device, but as different device types: i.e. reporting an iPhone as either the model "iPhone XR" or as "Apple, Inc."

      Please see the screenshot below... when on the Wi-Fi network with the CLI, it is reporting my cellphone as a "Apple, Inc." and when on cellular using the NextDNS app, it is reporting the correct device type/name. I have the NextDNS app set to ignore on my home Wi-Fi to prevent issues, as they're using the same DoH configuration. Also you can see * devices for those where the host name isn't being forwarded correctly, in this case Oculus VR devices.

      Otherwise, if disabling the name/devices on the CLI, everything shows up as "unknown device" in logs, which is jarring for the fact that I know where the queries are originating from, ie my ASUS router. I recently cleared the logs when doing an in-place update to the CLI, and already unknown devices are appearing, even though all host names should be discovered.

      I believe this is due to how device information is being reported on the official app, vs say DoH CLI... preferably, I'd rather just have the names of devices rather than just having the make/models attached, or at least an option to remove that.

      Either way, there's incidental issues with using DoT NextDNS, and the CLI name/reporting is more of a jumble of names/devices than the DoT implementation, where I can reliably determine inquiries coming from my named router without "unknown" devices.

  • My problem with NextDNS CLI on Merlin is different.

    Everything starts OK, as the CLI retrieves the nearest (and lowest-ping) server.

    In fact, there are two servers here in Portugal on which I have exactly the same ping, and it keeps switching from one to another. Nothing wrong.

    The problem is, after a couple of hours the CLI changes the server to anycast, which is getting me a server with triple the ping (in Spain), and it stays there forever. In order to come back to the steering server, I have to manually restart the nextdns CLI.

    Any thoughts?

    • Maghuro Should the NextDNS client on Merlin be showing a router log entry every 1-2 minutes to say which DNS server it has connected to? It's not always the same one, it swaps around a bit. But every 1-2 minutes seems excessive.

  • Good morning/afternoon everyone.

    Sorry to bump this topic, but I think I may have figured out what's causing the issue (fingers crossed) regarding the ASUSMerlin DoT implementation, and NextDNS...

    I noticed after using the DoT method, that pages were failing to resolve with "ERR_NAME_NOT_RESOLVED" as the Chromium error message.

    What I've discovered (SO FAR) is there's an issue with handshake/authentication with NextDNS services for some reason when this option is set to STRICT. 

    I don't know if this is due to using a device name for the DoT resolution, "AX-88U-XXXXXX.dns.nextdns.io" or something else.

    I'm unsure if this is an authentication factor on NextDNS's behalf, or some handshake requirement of ASUSMerlin... but I can confirm (with optimistic hesitation) that setting to OPPORTUNISTIC has resolved my DoT issues so far.

    I will bump/update if the problem continues after this adjustment.

      BS (teal_rabbit), 2 yrs ago:

      BS Hey NextDNS could you please take a moment to see why this Strict/Opportunistic setting is resolving DoT issues for NextDNS on ASUSMerlin?

    • BS this is possibly related to https://help.nextdns.io/t/x2hfcjj/next-dns-connectivity-issues.

      If you use dns2.nextdns.io only, does it work with strict mode?

      BS (teal_rabbit), 2 yrs ago:

      NextDNS A quick update: So far it's working with dns2 and Strict setting.

      I should note that this is a bare-minimum setup for the router, no VPN or anything, just DoT NextDNS and using "DNSFilter" to force clients to resolve on the router DNS service, so no certificates are imported on the router.

      *IF* this does truly resolve the issue, what are the next steps?
      My understanding is that dns2 is a temporary workaround?

      Thank you for your help and suggestion(s)!

    • BS we will notify the maintainer of ASUS Merlin that the CA root store is outdated. I'm sure he will fix that in a future revision.

      BS (teal_rabbit), 2 yrs ago:

      NextDNS Thank you again so much for the help!
      I'll continue to keep an eye on it, and update if for some reason it starts to fail again... in the past the DoT would work fine until after some period (24-hrs) and then start misbehaving again.

      Also, would any of these options help at all?
      ASUSMerlin is currently in an Alpha state for a new build, so this may be a good chance for this to be updated/fixed. 🤞 

    • BS none of those options would help. The fix is to add ISRG Root X1 to the trust store (which has been the case for years in all other OSes).

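The trust-store point above is worth making concrete, because the two router settings discussed in this thread are not interchangeable: a strict DoT client refuses to use a server it cannot authenticate, while an opportunistic one keeps resolving without authentication, so switching to Opportunistic removes the check rather than satisfying it. The following Python script is an added example (not NextDNS's, Stubby's or the ASUSWRT-Merlin firmware's code) that performs one DNS-over-TLS query the way a strict client does and reports the certificate verification error when the CA bundle cannot validate the server. The query name and the `CA_BUNDLE` path are assumptions; `dns.nextdns.io` is the endpoint named in the thread and 853 is the standard DoT port.

```python
"""Probe a DNS-over-TLS endpoint the way a strict client does.

Added example; not NextDNS, Stubby or ASUSWRT-Merlin code. In strict mode
the server certificate must chain to a root in the local CA bundle and match
the configured auth name (RFC 7858 / RFC 8310). If the bundle lacks the
issuer's root, the handshake fails and every lookup fails with it, which is
what an outdated root store looks like from the client side. Opportunistic
mode keeps resolving without that authentication, so it masks the problem.
Assumptions: the query name, and CA_BUNDLE (point it at the router's bundle
to test what the router trusts).
"""
import socket
import ssl
import struct

DOT_PORT = 853        # DNS-over-TLS port (RFC 7858)
CA_BUNDLE = None      # assumption: None = Python's system trust store


def make_context(strict: bool, cafile=None) -> ssl.SSLContext:
    """Strict: verify chain and host name. Opportunistic: no verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not strict:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS wire-format query (RFC 1035): one question, RD set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # IN


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return txid, rcode and the IPv4 addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:            # A record
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0x0F, "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT connection closed mid-message")
        buf += chunk
    return buf


def dot_query(name, server, auth_name, strict=True, cafile=None, timeout=5.0):
    """Send one query over TLS; DoT frames each message with a 2-byte length."""
    query = build_query(name)
    ctx = make_context(strict, cafile)
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack(">H", len(query)) + query)
            (length,) = struct.unpack(">H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))


def check_strict_auth(server, auth_name, cafile=None) -> str:
    """Report whether a strict client could authenticate this endpoint."""
    try:
        r = dot_query("nextdns.io", server, auth_name, True, cafile)
        return "ok: rcode=%d answers=%s" % (r["rcode"], r["answers"])
    except ssl.SSLCertVerificationError as e:
        # e.g. "unable to get local issuer certificate" when the root is absent
        return "authentication failed: %s" % e.verify_message


if __name__ == "__main__":
    print(check_strict_auth("dns.nextdns.io", "dns.nextdns.io", CA_BUNDLE))
```

Run it with `CA_BUNDLE` pointing at a copy of the router firmware's CA bundle to see what the router's strict mode sees; an "authentication failed" result with a local-issuer message is the outdated-root symptom the NextDNS reply describes, and the right response is to update the bundle, not to drop to opportunistic mode.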
    • BS another workaround will be to use our CLI. We will embed the ISRG Root X1 in the next rev to make sure we do not depend on the system's.

      BS (teal_rabbit), 2 yrs ago:

      NextDNS I have had moderate success with the CLI, but an important issue is I cannot exclude devices from using it.
      I have a WFH machine that doesn't like to resolve properly with NextDNS services, so having DoT is better because I can use DNSFilter for all devices, and exclude the WFH machine.

      BS (teal_rabbit), 2 yrs ago:

      NextDNS Thank you for reaching out!

      BS (teal_rabbit), 2 yrs ago:

      BS Providing an update for you NextDNS that my problems have resurfaced using the Strict option with dns2.

  • After some time of testing NextDNS I can confirm that, whether Strict or Opportunistic, or dns1 vs dns2, the issues will still arise. It SEEMS to be related to something with IPv6, which had previously not given me any issues. I am on AT&T U-verse, which does support native IPv6 dual-stack, and from what I can tell, any time I start having the issues with connectivity, the NextDNS status page indicates that my network does not have IPv6 capability.

    It's possible this is ISP related, but that may be difficult to confirm... moving to another DNS resolver (Quad9/Cloudflare) works well, so I don't know if it's a service pipeline issue from ATT to NextDNS in Atlanta, or if there's something else going on with the IPV6 service for NextDNS in Atlanta.

    Thank you for all your time and help, for now, I have disabled IPV6 and will continue testing.

      BS (teal_rabbit), 1 yr ago:

      BS I'm not sure what else I can do NextDNS as I've gone through lengths to fix this, even created a new configuration and deleted my old one to troubleshoot this. Something is VERY wrong with the DoT service for my area. Sites (even the NextDNS ping) were failing to load while running a Diag test which is posted here: NextDNS Network Diagnostic

  • Hate to bump an old thread but I am seeing this issue as well. Exact same behavior as @BS except I am using stock asus firmware which now supports DoT, and I am IPv4 only. I have used Cloudflare DoT successfully for a while. About 12 hours after setting up nextdns I am unable to resolve any domains on my network. @NextDNS Can you guys take another look into this please? @BS do you have any updates? Thanks in advance!

    • Austin Clamon Update for anyone who looks: test.nextdns.io shows UDP as the protocol when things go sideways. Restarting the router or changing config fixes it for about 20 minutes.

    • JCVR Any idea what the issue is? This seems to be an issue folks have been dealing with for a while.

    • We deployed some DoT changes trying to see if it addresses this issue 2 days ago (note that we can't reproduce, so it makes it hard to debug). Can you please confirm you are still experiencing this issue?

    • NextDNS I was experiencing the issue less than 12 hours ago. I imagine it would be quite easy to reproduce. Just grab an ac-68u with stock firmware and set up DoT under WAN settings in the UI. Do you guys have something in mind that might be the issue?

    • JCVR That is a fair point. I too hate having to work again as soon as I get home. Hopefully this gets resolved this time around.

      BS (teal_rabbit), 1 yr ago:

      NextDNS Here's a recent diag from me, the OP who STILL has this issue, as of today.
      https://nextdns.io/diag/85c4c3b0-7b14-11ec-b17f-f767c0dc044c

      I've basically given up on trying to get this fixed with anything I can do on my side, because there's nothing I can change/do to fix it.
      BS (teal_rabbit), 1 yr ago:

      Austin Clamon I replied a little further down; it makes me kinda sigh in frustration that folks are STILL having this issue, including myself, but with no update to say that it's "fixed" permanently. There was a thread a while back here on NextDNS about there being some fixes that did work temporarily, and also a ticket opened up on the Stubby GitHub, which does the DoT for ASUS Merlin firmware... but I'm not sure what's used for 'stock' ASUS.

      Here's some links if you wanna see the previous discussions around NextDNS and DoT on the forums here and Stubby GitHub here:
      TLS Connection Failures - Stubby - Bug Reports - NextDNS Help Center
      Short-term outages with DoT - Bug Reports - NextDNS Help Center
      https://github.com/getdnsapi/stubby/issues/297

    • NextDNS do you have any update for us? I'm sure many of us would be willing to test any changes.

  • I finally had to revert to using non-NextDNS resolvers about a week ago. The family kept complaining about unresolved DNS issues on Merlin manual setup with DoT. I've been doing this a while and had issues at first... but something's been escalating. I was rebooting the router about every 48 hours just to keep the family happy (DNS would just stop working)... No, I do not use the "agent" and have been using manual setups for 2 years.

    • G Mobley Same story here. There is definitely some kind of configuration issue with @NextDNS DoT

  • I've given up using NextDNS DoT with Merlin. I'm using DoH without issue.

      BS (teal_rabbit), 1 yr ago:

      Techno Did you use DOH via the NextDNS CLI, or just implement it via your browser?

      Techno, 1 yr ago:

      BS Until these issues are resolved I'm using AdGuard Home with NextDNS DoH as my upstream server. I was also having problems with the CLI on Merlin firmware.

  • Just an update: I've not had any complaints in the past week to the "home IT department" about DNS not working and sites not resolving since I removed the NextDNS configuration from my ASUS Merlin setup (386.3_2) - which I've been running for ~ 9+ months. (I've not upgraded to the latest 386.4 b/c of known issues...) I've also not had to reboot the router to recover DNS stability, not once, after I reconfigured the main router to a DoT/Quad9 configuration. That delivered stability but sadly none of the NextDNS benefits. I'm monitoring this thread and others for further progress by the NextDNS team on the issues being reported here. Stay safe, stay warm. Thanks! Peace.

  • Any updates to this issue yet @NextDNS

  • @NextDNS can we please get an update? It's kind of hard to justify paying for a service that doesn't work properly on my devices.

  • The DoT issue has been fixed months ago. If you have an issue it is probably a different one. Do not hesitate to open a new discussion.

  • Actually, I disabled NextDNS on my ASUS RT-AX86 router ~ a month ago. The family was howling quite loudly about "things not resolving and timing out". I was seeing far too many timeouts myself - refreshing pages several times - not pretty. :(

    I also had to restart the router every ~ 7-10 days for stability. (No, it had not been upgraded in months and months.) Monitoring the transactions (stubby -l), I saw a lot of "Fails" in that workstream. My https://ping.nextdns.io showed ranges from 25-50+ ms with most times hovering > 30ms! Resolutions were getting painful and even the wife was complaining, and many know that saying.... ;)

    I've been using QUAD9 and/or Cloudflare since then as alternatives. Complaints stopped and I've not seen a single timeout myself. I was waiting to retry reconfiguring NextDNS again after I install the latest FW 386.5 beta, which I did last weekend. I want this change to settle a week or two "as-is" before I reconfigure the main router to use NextDNS - just to separate those changes/events clearly.

    I've always used a manual NextDNS integration and never the NextDNS agent.

    YMMV. Stay safe, stay alive. Peace. G. Mobley

  • Hello,

    I am not entirely sure if my current issue is the same as being reported here in this thread, but I am running AsusMerlin 386.5 on my Asus AC86U router with NextDNS configured through SSH as recommended in the NextDNS setup guide for that router model. I have noticed that after 12-18 hours I am losing web browsing functionality; it seems that external websites are not loading. I have included my router log file below, this is what was being captured just before the problem occurs.

    Once I perform a router restart, everything works fine again. What would be the current workaround to keep using NextDNS on the router without having to go through a restart?


    Apr 18 12:59:56 nextdns[6036]: Connected 116.204.183.61:443 (con=0ms tls=0ms, TCP, )
    Apr 18 13:00:37 nextdns[6036]: Connected 43.229.79.19:443 (con=6ms tls=9ms, TCP, TLS13)
    Apr 18 13:01:56 nextdns[6036]: Connected 43.229.79.19:443 (con=7ms tls=10ms, TCP, TLS13)
    Apr 18 13:02:36 nextdns[6036]: Connected 116.204.183.61:443 (con=4ms tls=0ms, TCP, )
    Apr 18 13:03:33 nextdns[6036]: Connected 43.229.79.19:443 (con=4ms tls=0ms, TCP, )
    Apr 18 13:04:43 nextdns[6036]: Connected 116.204.183.61:443 (con=4ms tls=12ms, TCP, TLS13)
    Apr 18 13:09:03 nextdns[6036]: Connected 43.229.79.19:443 (con=2ms tls=9ms, TCP, TLS13)
    Apr 18 13:13:29 nextdns[6036]: Connected 43.229.79.19:443 (con=5ms tls=11ms, TCP, TLS13)
    Apr 18 13:15:18 nextdns[6036]: Connected 43.229.79.19:443 (con=2ms tls=9ms, TCP, TLS13)
    Apr 18 13:17:53 nextdns[6036]: Connected 116.204.183.61:443 (con=19ms tls=14ms, TCP, TLS13)
    Apr 18 13:18:40 nextdns[6036]: Connected 43.229.79.19:443 (con=3ms tls=13ms, TCP, TLS13)
    Apr 18 13:20:56 nextdns[6036]: Connected 43.229.79.19:443 (con=2ms tls=394ms, TCP, TLS13)
    Apr 18 13:20:56 nextdns[6036]: Switching endpoint: https://dns.nextdns.io#116.204.183.61,43.229.79.19
    Apr 18 13:23:01 nextdns[6036]: Connected 43.229.79.19:443 (con=3ms tls=9ms, TCP, TLS13)
    Apr 18 13:23:51 nextdns[6036]: Connected 43.229.79.19:443 (con=3ms tls=9ms, TCP, TLS13)
    Apr 18 13:25:25 nextdns[6036]: Connected 43.229.79.19:443 (con=7ms tls=12ms, TCP, TLS13)
    Apr 18 13:32:54 wlceventd: wlceventd_proc_event(508): eth6: Disassoc 36:CD:DC:2B:52:B9, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
    Apr 18 13:32:55 wlceventd: wlceventd_proc_event(527): eth6: Auth 36:CD:DC:2B:52:B9, status: Successful (0), rssi:0
    Apr 18 13:32:55 wlceventd: wlceventd_proc_event(556): eth6: Assoc 36:CD:DC:2B:52:B9, status: Successful (0), rssi:0
    Apr 18 13:32:55 dnsmasq-dhcp[11800]: DHCPREQUEST(br0) 192.168.1.126 36:cd:dc:2b:52:b9 
    Apr 18 13:32:55 dnsmasq-dhcp[11800]: DHCPACK(br0) 192.168.1.126 36:cd:dc:2b:52:b9 
    Apr 18 13:35:26 kernel: httpd (1246): drop_caches: 1
    Apr 18 13:35:30 kernel: httpds (1245): drop_caches: 1

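A log excerpt like the one above is worth summarising before a restart wipes it. Below is an added Python example (not part of the post and not a NextDNS tool) that parses the CLI's `Connected` and `Switching endpoint` lines, tallies connections and worst-case TLS handshake time per endpoint IP, and flags lines with no TLS version recorded, slow handshakes and endpoint switches. The sample lines are copied from the post; the 200 ms slow-handshake threshold is an assumption, and what the `tls=0ms` lines without a TLS version mean is not established in the thread, so the script only reports them.

```python
"""Summarise NextDNS CLI connection log lines from a router syslog.

Added example, not NextDNS tooling. Parses the "Connected ..." and
"Switching endpoint ..." lines, tallies connections and worst TLS handshake
time per endpoint IP, and flags: lines with no TLS version recorded, slow
handshakes, and endpoint switches. The threshold is an assumption; the
sample lines are copied from the post above (two unrelated wlceventd and
dnsmasq-dhcp lines are included to show the parser ignores them).
"""
import re
from collections import defaultdict
from datetime import datetime

SLOW_TLS_MS = 200   # assumption: handshake time worth calling out

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
CONNECTED_RE = re.compile(
    TS + r" nextdns\[\d+\]: Connected (?P<ip>[\d.]+):(?P<port>\d+) "
    r"\(con=(?P<con>\d+)ms tls=(?P<tls>\d+)ms, (?P<transport>\w+), "
    r"(?P<ver>[^)]*)\)$")
SWITCH_RE = re.compile(
    TS + r" nextdns\[\d+\]: Switching endpoint: (?P<endpoint>\S+)$")

SAMPLE_LOG = """\
Apr 18 12:59:56 nextdns[6036]: Connected 116.204.183.61:443 (con=0ms tls=0ms, TCP, )
Apr 18 13:00:37 nextdns[6036]: Connected 43.229.79.19:443 (con=6ms tls=9ms, TCP, TLS13)
Apr 18 13:01:56 nextdns[6036]: Connected 43.229.79.19:443 (con=7ms tls=10ms, TCP, TLS13)
Apr 18 13:02:36 nextdns[6036]: Connected 116.204.183.61:443 (con=4ms tls=0ms, TCP, )
Apr 18 13:03:33 nextdns[6036]: Connected 43.229.79.19:443 (con=4ms tls=0ms, TCP, )
Apr 18 13:04:43 nextdns[6036]: Connected 116.204.183.61:443 (con=4ms tls=12ms, TCP, TLS13)
Apr 18 13:09:03 nextdns[6036]: Connected 43.229.79.19:443 (con=2ms tls=9ms, TCP, TLS13)
Apr 18 13:13:29 nextdns[6036]: Connected 43.229.79.19:443 (con=5ms tls=11ms, TCP, TLS13)
Apr 18 13:15:18 nextdns[6036]: Connected 43.229.79.19:443 (con=2ms tls=9ms, TCP, TLS13)
Apr 18 13:17:53 nextdns[6036]: Connected 116.204.183.61:443 (con=19ms tls=14ms, TCP, TLS13)
Apr 18 13:18:40 nextdns[6036]: Connected 43.229.79.19:443 (con=3ms tls=13ms, TCP, TLS13)
Apr 18 13:20:56 nextdns[6036]: Connected 43.229.79.19:443 (con=2ms tls=394ms, TCP, TLS13)
Apr 18 13:20:56 nextdns[6036]: Switching endpoint: https://dns.nextdns.io#116.204.183.61,43.229.79.19
Apr 18 13:23:01 nextdns[6036]: Connected 43.229.79.19:443 (con=3ms tls=9ms, TCP, TLS13)
Apr 18 13:23:51 nextdns[6036]: Connected 43.229.79.19:443 (con=3ms tls=9ms, TCP, TLS13)
Apr 18 13:25:25 nextdns[6036]: Connected 43.229.79.19:443 (con=7ms tls=12ms, TCP, TLS13)
Apr 18 13:32:54 wlceventd: wlceventd_proc_event(508): eth6: Disassoc 36:CD:DC:2B:52:B9, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
Apr 18 13:32:55 dnsmasq-dhcp[11800]: DHCPACK(br0) 192.168.1.126 36:cd:dc:2b:52:b9
"""


def parse_line(line: str):
    """Return a dict for nextdns Connected/Switching lines, else None."""
    line = line.strip()
    m = CONNECTED_RE.match(line)
    if m:
        return {"kind": "connected", "ts": m["ts"], "ip": m["ip"],
                "con_ms": int(m["con"]), "tls_ms": int(m["tls"]),
                "tls_version": m["ver"] or None}
    m = SWITCH_RE.match(line)
    if m:
        return {"kind": "switch", "ts": m["ts"], "endpoint": m["endpoint"]}
    return None


def analyse(lines, slow_tls_ms=SLOW_TLS_MS) -> dict:
    """Per-endpoint tallies plus a list of human-readable findings."""
    per_ip = defaultdict(lambda: {"connections": 0, "max_tls_ms": 0,
                                  "no_tls_version": 0})
    findings, stamps = [], []
    for ev in filter(None, map(parse_line, lines)):
        if ev["kind"] == "switch":
            findings.append(f"{ev['ts']}: switched endpoint to {ev['endpoint']}")
            continue
        stamps.append(datetime.strptime(ev["ts"], "%b %d %H:%M:%S"))
        s = per_ip[ev["ip"]]
        s["connections"] += 1
        s["max_tls_ms"] = max(s["max_tls_ms"], ev["tls_ms"])
        if ev["tls_version"] is None:
            s["no_tls_version"] += 1
            findings.append(f"{ev['ts']}: {ev['ip']} connected with no TLS "
                            f"version logged (tls={ev['tls_ms']}ms)")
        elif ev["tls_ms"] >= slow_tls_ms:
            findings.append(f"{ev['ts']}: slow TLS handshake to {ev['ip']} "
                            f"({ev['tls_ms']} ms)")
    span = int((max(stamps) - min(stamps)).total_seconds()) if stamps else 0
    return {"per_ip": dict(per_ip), "connections": len(stamps),
            "span_seconds": span, "findings": findings}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    print(f"{report['connections']} connections in {report['span_seconds']} s")
    for ip, s in report["per_ip"].items():
        print(f"  {ip}: {s}")
    for f in report["findings"]:
        print(f"  ! {f}")
```

Feed it the router's syslog (`analyse(open("/tmp/syslog.log").read().splitlines())`, path assumed) to see how often the CLI reconnects and which endpoint is slow before the outage; 15 reconnects in about 25 minutes, as in this excerpt, is the kind of churn worth including in a support report.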
  • Hi, the behavior you report is similar to my early 2022 experiences. I do not use the client but a manual NextDNS setup for ASUS/Merlin. My setup ran suitably for ~ 1-1.5 years as I was an early adopter. Sometime ~ Jan/Feb 2022, I finally had to revert my setup to Quad9/Cloudflare b/c of symptoms similar to what you describe. The router's DNS would behave for 1-3 days and then DNS resolution would start failing and keep failing, which set the family screaming as we WAH. This continued for a few weeks until I was forced to switch off NextDNS b/c of failing DNS. The only solution I found was to reboot the router every 1-2 days, which would fix it BUT that's not really a viable solution.

    I have not retried to reconfigure NextDNS since Feb 2022 b/c things have been working so well - no screaming, "The internet is broken again..." I continue monitoring this thread for answers.

    Thanks!

  • @NextDNS I will be testing this again tonight. Based on the info from other users it appears that this has not been fixed at all as stated on Feb 28th. What specifically has been done to correct the issues? I don't think anyone in this forum would mind reading a more technical overview of what has been tried.

    • Austin Clamon the bug in Feb was fixed and confirmed fixed. This is most likely a different issue, probably unrelated to DoT.

  • Status: Fixed
  • 58 replies
  • 2237 views
  • 12 following
  • Last active 1 yr ago