I'm using SmartDNS and have some issues with DNS resolution. In order to resolve this I now use only the DNS servers recommended by egc in his write-up.
I cannot resolve some addresses used by banks for secure login.
I also don't reach the site "sl.se", owned by the Stockholm commuting company, a major site in Sweden.
If I switch off WiFi on my iPhone I have no problem accessing them.
Not reaching sites is less likely due to problems with SmartDNS but rather ISP blocking, use of a VPN, or your DNS having a blocking list... in general SmartDNS on my R7000 works ok...
Try using TLS servers if the HTTPS servers give you errors...
Those are the exact servers I use, but without the "tls-host-verify ...".
Very annoying! In general everything works well.
_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
Joined: 08 May 2018 Posts: 14249 Location: Texas, USA
Posted: Tue Nov 14, 2023 12:49 Post subject:
I have (very) random resolution drop-outs, but it usually resolves itself on page refresh. It's either that, or Cloudflare asking me to verify that I'm human. BUT, I have *many* tls servers in my config.
I used to have a number of servers but cut down in order to see if that would help. It didn’t.
Tried to traceroute one of the unreachable sites and it stops halfway. Maybe the problem is one of my ISP's DNS servers?
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Tue Nov 14, 2023 17:34 Post subject:
kernel-panic69 wrote:
I have (very) random resolution drop-outs, but it usually resolves itself on page refresh. It's either that, or Cloudflare asking me to verify that I'm human. BUT, I have *many* tls servers in my config....
KP-69, my experience with lots of servers always yields those results... random drop-outs, refresh... I tend to believe it happens due to different servers with different filtering capabilities...
Also in the past Cloudflare required that you not mix their servers with others... same with NextDNS...
So, I either use NextDNS or Quad9, the same for all my configs... Stubby, DNSCrypt-proxy v2 or SmartDNS...
Never had any issues with Stubby, whereas SmartDNS and DNSCrypt-proxy v2 are very touchy...
For some personal reason I avoid 8.8.8.8 or 1.1.1.1 ... but that's just me...
For the record, a close friend used to work for Quad9.
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
There are only changes to DoT in the way it is now entered, as above.
Does DNS over HTTPS remain the same format: server-https https://1.1.1.1/dns-query ?
After a VERY long time of testing and checking documentation, I found the solution! THIS IS HOW YOU GET HTTPS TO WORK!
server-https is designed by SmartDNS to only use a domain URL, not an IP URL. So using "server-https https://0.0.0.0/dns-query" is NOT going to work. It has to be the actual hostname, like you'd enter it into a browser.
So then that leaves the obvious question: how do you resolve the domain URL? You can't have it find its own IP unless you have another DNS server set, such as server-tls.
If you want to only use HTTPS, or make it work properly in the first place, you need an additional command! Deep in the documentation, I found an unhighlighted line: -host-ip
Here is an example:
server-https https://example.com:443/dns-query -host-name example.com -tls-host-verify example.com -host-ip 0.0.0.0
After you apply this, REBOOT THE ROUTER! THAT IS VERY IMPORTANT! Then it starts working flawlessly! DO NOT ADD A : (colon) IN FRONT OF THE PARAMETERS! They do not need a colon! As well, the reason I have added :443 to the URL is because the default HTTPS port on SmartDNS is set to 853 (TLS's port). Why? Don't know! "tls-host-verify" is a parameter listed under server-https in the documentation, so it still counts for HTTPS even though the wording has TLS! I will compile my other findings into a single spot:
Setup > Basic Setup: Set "Local DNS" to whatever "Local IP Address" is set to. Uncheck "Use dnsmasq for DNS".
Setup > Basic Setup: Your NTP server must be in IP address form. If DNS doesn't have the proper time and thus won't connect because of that, how is the NTP hostname going to be resolved? Point concluded. This can cause a whole lot of other issues in your setup if not remedied!
I hope this helps you guys! That was an AWFUL headache to get something so simple to work properly! If you want more info, you can find it here (as well as why DoH could be preferred over DoT, even though DoH is a layer higher in the OSI model, in the second link):
https://pymumu.github.io/smartdns/en/configuration/
https://dnscrypt.info/faq/
Last edited by RedSoviet on Wed Jan 10, 2024 11:24; edited 1 time in total
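As an added example (not SmartDNS code and not from any post in this thread): a small Python linter that checks a server-https line against the pitfalls described in the post above, namely a hostname URL rather than an IP literal, an explicit port, either -host-ip or a separately configured plain-DNS bootstrap server so the resolver can find its own upstream, a -tls-host-verify value that matches the URL host, and no leading colon on options. The option table KNOWN_OPTIONS is my reading of the SmartDNS docs linked above and is an assumption; dns.example and 192.0.2.53 are placeholders; has_bootstrap stands in for a bootstrap server configured elsewhere, which the thread mentions but does not show.

```python
"""Lint a SmartDNS server-https line for the pitfalls discussed in this thread.

Added example, not SmartDNS code. Check anything it flags against the SmartDNS
docs: https://pymumu.github.io/smartdns/en/configuration/
"""
from __future__ import annotations

import ipaddress
import shlex
from urllib.parse import urlparse

# Server options this linter understands. Assumption: taken from the SmartDNS
# docs as I read them; the real set may differ by release. True = takes a value.
KNOWN_OPTIONS = {
    "-host-name": True,
    "-host-ip": True,
    "-tls-host-verify": True,
    "-http-host": True,
    "-group": True,
    "-exclude-default-group": False,
    "-no-check-certificate": False,
}


def is_ip_literal(text: str) -> bool:
    """True for IPv4/IPv6 literals (brackets tolerated), False for names."""
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def parse_server_https(line: str) -> tuple[str, dict[str, str | None], list[str]]:
    """Split 'server-https URL [opts]' into (url, options, problems)."""
    problems: list[str] = []
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "server-https":
        return "", {}, ["line must start with 'server-https <url>'"]
    url, opts = tokens[1], {}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(":"):  # the post above: options take no leading colon
            problems.append(f"option {tok!r} has a leading colon; write {tok.lstrip(':')!r}")
            tok = tok.lstrip(":")
        if tok not in KNOWN_OPTIONS:
            problems.append(f"unknown option {tok!r}")
            i += 1
            continue
        if KNOWN_OPTIONS[tok]:
            if i + 1 >= len(tokens):
                problems.append(f"option {tok!r} needs a value")
                break
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = None
            i += 1
    return url, opts, problems


def lint_server_https(line: str, has_bootstrap: bool = False) -> list[str]:
    """Return the list of problems found; an empty list means the line looks sound."""
    url, opts, problems = parse_server_https(line)
    if not url:
        return problems
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        problems.append("URL scheme must be https")
    if not host:
        problems.append("URL has no host")
    elif is_ip_literal(host):
        problems.append("URL host is an IP literal; the thread reports server-https needs a hostname")
    else:
        # A hostname upstream must be resolved by something other than itself.
        if "-host-ip" not in opts and not has_bootstrap:
            problems.append("hostname URL with no -host-ip and no bootstrap resolver (chicken-and-egg)")
        verify = opts.get("-tls-host-verify")
        if verify and verify != host:
            problems.append(f"-tls-host-verify {verify!r} does not match URL host {host!r}")
    try:
        port = parsed.port
    except ValueError:
        port = None
        problems.append("port in URL is not numeric")
    if port is None:
        problems.append("no explicit port; add :443 so the port does not depend on a default")
    if not parsed.path:
        problems.append("URL has no path (usually /dns-query)")
    host_ip = opts.get("-host-ip")
    if host_ip is not None and not is_ip_literal(host_ip):
        problems.append(f"-host-ip {host_ip!r} is not an IP address")
    return problems


def build_server_https(host: str, ip: str, port: int = 443, path: str = "/dns-query") -> str:
    """Emit a line in the shape the post above settled on."""
    if is_ip_literal(host):
        raise ValueError("host must be a DNS name, not an IP literal")
    ipaddress.ip_address(ip)  # raises ValueError on a bad address
    return (f"server-https https://{host}:{port}{path} "
            f"-host-name {host} -tls-host-verify {host} -host-ip {ip}")


if __name__ == "__main__":
    # Constructed sample lines; dns.example and 192.0.2.53 are placeholders.
    samples = [
        "server-https https://1.1.1.1/dns-query",
        "server-https https://dns.example/dns-query :-tls-host-verify dns.example",
        build_server_https("dns.example", "192.0.2.53"),
    ]
    for sample in samples:
        print(sample)
        for problem in lint_server_https(sample) or ["ok"]:
            print("   ", problem)
```

Run it as a script to see the three constructed lines checked; pass has_bootstrap=True when a plain-DNS bootstrap server is configured elsewhere so a hostname URL without -host-ip is accepted.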
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Wed Jan 10, 2024 8:32 Post subject:
RedSoviet wrote:
server-https https://example.com:443/dns-query -host-name example.com -tls-host-verify example.com -host-ip 0.0.0.0
I never tried this format, but tried with https and -tls-host-verify, and it seems it only verifies the TLS connections...
As far as the SmartDNS default port... never heard of an 853 default port... it usually uses 6053 as default on the local side (on the loopback interface)... but 853 or 443 are for resolving...
IP works better than resolving a name... as egc said, you need bootstrap DNS to avoid the chicken and egg problem... if resolving by name... as NTP time also starts late you get those certificate errors from the SmartDNS side... but those are normal...
Anyway I'll try whatever you offered as an https verify option...
Have you tested it with dig, to find out what it is actually doing?
I usually only use IP for SmartDNS... and prefer tls instead of https... but have them both indeed.
It works, but I haven't dug into it yet... just quickly tested it... as this router is busy atm... and I don't have Entware to install kdig for further tests...
Last edited by Alozaros on Wed Jan 10, 2024 11:43; edited 2 times in total
Alozaros wrote:
RedSoviet wrote: server-https https://example.com:443/dns-query -host-name example.com -tls-host-verify example.com -host-ip 0.0.0.0
I never tried this format but tried with -tls-host-verify and it seems it only verifies the TLS connections... as far as the SmartDNS default port... never heard of a default port... it usually uses 6053 as default on the local side... but 853 or 443 are for resolving...
IP works better than resolving a name; as egc said, you need bootstrap DNS to avoid the chicken and egg problem....
Anyway I'll try whatever you offered as an https verify option... did you test it with dig?
To find out what it is actually doing?
I've not tested it with dig. But for me, the bootstrapping does not seem to work with some providers. I find it a bit pointless, since -host-ip is for initiating the connection first and tells SmartDNS what to contact. Bootstrapping doesn't seem so secure to me, unless it literally does the exact same thing.
As for why the documentation is so scuffed: the creator of SmartDNS speaks Mandarin primarily. There is a barrier in this regard.
Services > Services: Set Maximum Cached Entries to 0. You want SmartDNS to be the only service caching. Unless the "cache-size" parameter is set, SmartDNS will automatically adjust the size based upon your memory size.
Joined: 29 Sep 2020 Posts: 260 Location: United States
Posted: Sat Feb 24, 2024 16:17 Post subject:
Thanks for the response.
Yeah, I don't have IPv6 enabled. The rest looks like it normally does.
The router does give out fe80 addresses. Is that normal with IPv6 not enabled?
On my Android, in the About phone settings, IP address shows a fe80 address above the router-given IP address. This is the way it behaved with unbound as well. Just wanted to make sure it was normal.
Last edited by itwontbewe on Sat Feb 24, 2024 16:33; edited 1 time in total