NextDNS issues with DoT on ASUS Merlin
Hello all,
Been having some issues for a while now when using the DoT functions natively supported in ASUS Merlin. Pages time out and often will sit with an "error not resolved" message for roughly 4-5 seconds before the page will refresh and load content.
(This happens with or without DNS Filter active; Model AX-88U)
I have done a complete reset of the router, and used the NextDNS CLI (which doesn't have errors, but resolves slower) but for whatever reason the NextDNS DoT implementation doesn't seem to like the ASUS Merlin firmware anymore, or there's a CDN issue with DoT for the Atlanta region.
I have since disabled any options within the Performance tab of the website, and still am having issues. To the point that many of the diagnostic services for NextDNS itself will not work or report well. Options on the router are minimal outside of factory defaults, with IPv6 and DoT setup being the only noteable changes.
My ISP is AT&T U-verse/Fiber.
I preferred the DoT implementation as hostnames from the CLI can flood the logs with various (blank) names, and the DoT doesn't have to be regularly updated.
57 replies
-
Good morning/afternoon everyone.
Sorry to bump this topic, but I think I may have figured out what's causing the issue (fingers crossed) regarding the ASUSMerlin DoT implementation, and NextDNS...
I noticed after using the DoT method, that pages were failing to resolve with "ERR_NAME_NOT_RESOLVED" as the Chromium error message.
What I've discovered (SO FAR) is there's an issue with handshake/authentication with NextDNS services for some reason when this option is set to STRICT.I don't know if this is due to using a device name for the DoT resolution, "AX-88U-XXXXXX.dns.nextdns.io" or something else.
I'm unsure if this is an authentication factor on NextDNS's behalf, or some handshake requirement of ASUSMerlin... but I can confirm (with optimistic hesitation) that setting to OPPORTUNISTIC has resolved my DoT issues so far.
I will bump/update if the problem continues after this adjustment.-
NextDNS Thank you again so much for the help!
I'll continue to keep an eye on it, and update if for some reason it starts to fail again... in the past the DoT would work fine until after some period (24-hrs) and then start misbehaving again.Also, would any of these options help at all?
ASUSMerlin is currently in an Alpha state for a new build, so this may be a good chance for this to be updated/fixed.
-
BS none of those options would help. The fix is to add ISRG Root X1 to the trust store (which has been the case for years in all other OS).
-
BS another workaround will be to use our CLI. We will embed the ISRG Root X1 in the next rev to make sure we do not depend on system's.
-
NextDNS I have had moderate success with the CLI, but an important issue is I cannot exclude devices from using it.
I have a WFH machine that doesn't like to resolve properly with NextDNS services, so having DoT is better because I can use DNSFilter for all devices, and exclude the WFH machine. -
NextDNS Thank you for reaching out!
-
BS Providing an update for you NextDNS that my problems have resurfaced using the Strict option with dns2.
-
-
After some time of testing NextDNS I can confirm that Strict or Opportunistic, or dns1 vs dns2, the issues will still arise. It SEEMS to be related to something with IPV6, which had previously not given me any issues. I am on ATT U-verse which does support native IPV6 dual-stack, and from what I can tell, anytime I start having the issues with connectivity, then the NextDNS status page indicates that my network does not have IPV6 capability.
It's possible this is ISP related, but that may be difficult to confirm... moving to another DNS resolver (Quad9/Cloudflare) works well, so I don't know if it's a service pipeline issue from ATT to NextDNS in Atlanta, or if there's something else going on with the IPV6 service for NextDNS in Atlanta.
Thank you for all your time and help, for now, I have disabled IPV6 and will continue testing.-
BS I'm not sure what else I can do NextDNS as I've gone through lengths to fix this, even created a new configuration and deleted my old one to troubleshoot this. Something is VERY wrong with the DoT service for my area. Sites (even the NextDNS ping) were failing to load while running a Diag test which is posted here: NextDNS Network Diagnostic
-
-
Hate to bump an old thread but I am seeing this issue as well. Exact same behavior as @BS except I am using stock asus firmware which now supports DoT, and I am IPv4 only. I have used Cloudflare DoT successfully for a while. About 12 hours after setting up nextdns I am unable to resolve any domains on my network. @NextDNS Can you guys take another look into this please? @BS do you have any updates? Thanks in advance!
-
Austin Clamon Update for anyone who looks: test.nextdns.io shows UDP as the protocol when things go sideways. Restarting the router or changing config fixes it for about 20 minutes.
-
JCVR Any idea what the issue is? This seems to be an issue folks have been dealing with for a while.
-
We deployed some DoT changes trying to see if it addresses this issue 2 days ago (note that we can't reproduce, so it makes it hard to debug). Can you please confirm you are still experiencing this issue?
-
NextDNS I was experiencing the issue less than 12 hours ago. I imagine it would be quite easy to reproduce. Just grab an ac-68u with stock firmware and set up DoT under WAN settings in the UI. Do you guys have something in mind that might be the issue?
-
JCVR That is a fair point. I too hate having to work again as soon as I get home. Hopefully this gets resolved this time around.
-
NextDNS Here's a recent diag from me, the OP who STILL has this issue, as of today.
https://nextdns.io/diag/85c4c3b0-7b14-11ec-b17f-f767c0dc044c
I've basically given up on trying to get this fixed with anything I can do on my side, because there's nothing I can change/do to fix it.
-
Austin Clamon I replied a lil further down, makes me kinda sigh in frustration that folks are STILL having this issue, including myself. But no update to say that it's "fixed" permanently. There was a thread a while back here on NextDNS about there being some fixed that -did- work temporarily, and also a ticket opened up on the Stubby GitHub, which does the DoT for ASUS Merlin firmware... but I'm not sure what's used for 'stock' ASUS.
Here's some links if you wanna see the previous discussions around NextDNS and DoT on the forums here and Stubby GitHub here:
TLS Connection Failures - Stubby - Bug Reports - NextDNS Help Center
Short-term outages with DoT - Bug Reports - NextDNS Help Center
https://github.com/getdnsapi/stubby/issues/297 -
NextDNS do you have any update for us? Im sure many of us would be willing to test any changes.
-
-
I finally had to revert to using non-NextDNS resolves about a week ago. The family kept complaining about unresolved DNS issues on Merlin manual setup with DOT. I've been doing this a while and had issues at first...but something's been escalating. I was rebooting the router about every 48 hours just to keep the family happy (DNS would just stop working)... No, I do not use the "agent" and have been using manual setups for 2 years.
-
I've given up using NextDNS DoT with Merlin. I'm using DoH without issue.
-
Just an update: I've not had any complaints in the past week to the "home IT department" about DNS not working and sites not resolving since I removed the NextDNS configuration from my ASUS Merlin setup (386.3_2) - which I've been running for ~ 9+ months. (I've not upgraded to the latest 386.4 b/c of known issues...) I've also not had to reboot the router to recover DNS stability not once after I reconfigured the main router to a DOT/Quad9 configuration. That delivered stability but sadly none of the NextDNS benefits. I'm monitoring this thread and others for further progress by the NextDNS team on the issues being reported here. Stay safe, stay warm. Thanks! Peace.
-
Any updates to this issue yet @NextDNS
Content aside
- Status Fixed
-
1
Likes
- 2 yrs agoLast active
- 57Replies
- 3345Views
-
11
Following