Difference between "Override DNS Settings for All Clients" and Custom DNS Server

Hi community!

Does anyone know the difference between “Override DNS Settings for All Clients” and “DNS over TLS (Cloudflare or NextDNS)”?

When I only select “DNS over TLS (Cloudflare or NextDNS)”, perform a dnsleaktest, and connect with my phone, I find that my GL.iNet Shadow correctly uses the Cloudflare servers for DNS lookups. If I turn it off, the Google servers programmed into my phone are used instead. This is all as expected.

So, what is the purpose of “Override DNS Settings for All Clients,” and how does that feature work exactly? Clearly, without the “Override DNS Settings for All Clients” option checked, the DNS selected on my phone is being overridden.

The reason I’m asking is because when I have the “Override DNS Settings for All Clients” option checked, there are no problems with my phones, computers, etc… but it seems like my IoT stuff stops working over time. In particular, I’m having trouble with a B-hive sprinkler controller, a Govee Smart Home connector, and an Emporia energy monitor. It seems as if having the “Override DNS Settings for All Clients” option checked is interfering with the ability of these devices to connect to the internet… but not always.

Does anyone have any feedback as to why this might be happening, how these two features work, etc? I couldn’t find this info online or in any manual.

Thanks!


‘Override DNS Settings for All Clients’ will intercept any DNS requests downstream, originating from LAN client devices, on port 53 (traditional, insecure/unencrypted DNS) & route them through DOT/DOH/DNSCrypt-Proxy, accordingly.

IDK what’s happening to your IoT gear. Unless you can gain SSH/command prompt to ping/traceroute/nslookup I couldn’t begin to guess.

How much free flash space do you have on your Shadow? Can you get tcpdump installed (opkg update && opkg install tcpdump)?


Thanks for the tcpdump information. That is helpful! I think that there is more than one problem I’m having with this router!

For the Orbitz B-Hive, it seems that I can easily connect it to my guest network (regardless of DNS override settings). But it refuses to connect to the main network. When I listen on tcpdump, it is silent on the main network (even when trying to establish a wifi connection). Meanwhile, on the guest network, everything looks fine.

For the Govee device, there is definitely an issue related to the Custom DNS server option. I began a tcpdump, and let the Govee try to connect for a while. It couldn’t connect with “Custom DNS server” set (as Cloudflare). But as soon as I toggled off the Custom DNS server, Govee made the connection. Here is the tcpdump (somewhat trimmed for easy reading):

With DNS Override on:

10:30:00.514752 IP 192.168.8.101.31780 > 192.168.8.1.53: 2343+ A? aqm3wd1qlc3dy-ats.iot.us-east-1.amazonaws.com. (63)
10:30:00.514793 IP 192.168.8.101.31780 > 192.168.8.1.53: 2343+ A? aqm3wd1qlc3dy-ats.iot.us-east-1.amazonaws.com. (63)
10:30:05.703559 ARP, Reply 192.168.8.101 is-at d4:ad:fc:92:0b:72, length 28
10:30:05.703591 ARP, Reply 192.168.8.101 is-at d4:ad:fc:92:0b:72, length 28

Turn off DNS override:

10:31:04.885147 IP 192.168.8.101.15686 > 192.168.8.1.53: 53339+ A? aqm3wd1qlc3dy-ats.iot.us-east-1.amazonaws.com. (63)
10:31:04.885183 IP 192.168.8.101.15686 > 192.168.8.1.53: 53339+ A? aqm3wd1qlc3dy-ats.iot.us-east-1.amazonaws.com. (63)
10:31:04.906692 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [S], seq 6509, win 2920, options [mss 1460], length 0
10:31:04.906724 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [S], seq 6509, win 2920, options [mss 1460], length 0
10:31:05.094933 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [.], ack 4185278866, win 2920, length 0
10:31:05.094963 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [.], ack 1, win 2920, length 0
10:31:05.102672 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [P.], seq 0:142, ack 1, win 2920, length 142
10:31:05.102700 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [P.], seq 0:142, ack 1, win 2920, length 142
10:31:05.301253 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [.], ack 1555, win 1366, length 0
10:31:05.301285 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [.], ack 1555, win 1366, length 0
10:31:05.302765 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [.], ack 1555, win 2920, length 0
10:31:05.302794 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [.], ack 1555, win 2920, length 0
10:31:05.505684 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [.], ack 4475, win 0, length 0
10:31:05.505714 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [.], ack 4475, win 0, length 0
10:31:05.507167 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [.], ack 4475, win 1460, length 0

So, I have a solution for both (connect B-hive to Guest and disable custom DNS server for the Govee)… but as a learning tool, I’d still like to understand WHY this is happening. I’m guessing with the Govee, it has to do with the port (8883?)… Not sure what is going on with the B-hive only working on the guest network. Thanks again for your help.
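The posted capture only shows packets leaving the client (no replies from 192.168.8.1:53 appear, and every packet is listed twice), so by itself it cannot say whether the router answered the lookup or the Govee simply never got a usable address. The analyzer below is an added example, not code from the thread or from GL.iNet: it pairs each DNS query with its reply by client port and transaction ID, collapses the duplicated lines, reports lookups that never got an answer, and checks whether a later TCP SYN went to an address that some answer actually returned. The second sample capture is constructed for this example by adding the reply line the post trimmed out; the interface name br-lan in the tcpdump hint is an assumption about the router's LAN bridge.

```python
"""Added example (not from the original post): pair DNS queries with replies
in a tcpdump text capture and relate them to the TCP connections that follow.
Suggested capture:  tcpdump -i br-lan -n -l 'port 53 or port 8883'"""
import re

PKT = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                 r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
# query:  "2343+ A? host.example. (63)"   ('+' = recursion desired; EDNS adds "[1au]")
QUERY = re.compile(r"^(?P<id>\d+)[+%$]* (?:\[[^\]]*\] )?(?P<qtype>[A-Z]+)\? (?P<name>\S+) \(\d+\)$")
# reply:  "2343 1/0/0 A 35.170.194.244 (79)"  or  "2343 NXDomain 0/1/0 (120)"
REPLY = re.compile(r"^(?P<id>\d+)[*$|-]* (?:(?P<rcode>NXDomain|ServFail|Refused|FormErr|NotImp) )?"
                   r"(?P<an>\d+)/\d+/\d+(?P<rrs>.*?) \(\d+\)$")
A_RR = re.compile(r"\bA (\d+\.\d+\.\d+\.\d+)")


def analyze(lines):
    """Return unanswered lookups, answered lookups, and whether each TCP SYN
    targeted an address that a DNS answer in the same capture returned."""
    queries = {}   # (client ip, client port, txid) -> record
    syns = []      # (client ip, dst ip, dst port)
    for line in lines:
        m = PKT.match(line.strip())
        if not m:
            continue               # ARP and other non-IP lines are ignored
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        rest = m["rest"]
        if dport == 53 and (q := QUERY.match(rest)):
            key = (src, sport, int(q["id"]))
            rec = queries.setdefault(key, {"client": src, "name": q["name"], "qtype": q["qtype"],
                                           "first_seen": m["ts"], "sent": 0, "reply": None})
            rec["sent"] += 1       # duplicated or retried packets collapse onto one record
        elif sport == 53 and (r := REPLY.match(rest)):
            key = (dst, dport, int(r["id"]))
            if key in queries:     # only replies that match a seen query count
                queries[key]["reply"] = {"rcode": r["rcode"] or "NoError",
                                         "addrs": A_RR.findall(r["rrs"])}
        elif rest.startswith("Flags [S]"):
            syns.append((src, dst, dport))
    resolved = {a for rec in queries.values() if rec["reply"] for a in rec["reply"]["addrs"]}
    return {
        "unanswered": [(rec["client"], rec["name"]) for rec in queries.values() if rec["reply"] is None],
        "answered": [(rec["name"], rec["reply"]["rcode"], rec["reply"]["addrs"])
                     for rec in queries.values() if rec["reply"]],
        "connections": [(c, d, p, d in resolved) for c, d, p in syns],
    }


# Sample 1: the "override on" lines as posted (query seen twice, no reply, ARP noise).
CAPTURE_OVERRIDE_ON = """
10:30:00.514752 IP 192.168.8.101.31780 > 192.168.8.1.53: 2343+ A? aqm3wd1qlc3dy-ats.iot.us-east-1.amazonaws.com. (63)
10:30:00.514793 IP 192.168.8.101.31780 > 192.168.8.1.53: 2343+ A? aqm3wd1qlc3dy-ats.iot.us-east-1.amazonaws.com. (63)
10:30:05.703559 ARP, Reply 192.168.8.101 is-at d4:ad:fc:92:0b:72, length 28
""".strip().splitlines()

# Sample 2: constructed; the reply line is added, the rest mirrors the "override off" post.
CAPTURE_OVERRIDE_OFF = """
10:31:04.885147 IP 192.168.8.101.15686 > 192.168.8.1.53: 53339+ A? aqm3wd1qlc3dy-ats.iot.us-east-1.amazonaws.com. (63)
10:31:04.885183 IP 192.168.8.101.15686 > 192.168.8.1.53: 53339+ A? aqm3wd1qlc3dy-ats.iot.us-east-1.amazonaws.com. (63)
10:31:04.900110 IP 192.168.8.1.53 > 192.168.8.101.15686: 53339 1/0/0 A 35.170.194.244 (79)
10:31:04.906692 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [S], seq 6509, win 2920, options [mss 1460], length 0
10:31:05.094933 IP 192.168.8.101.59726 > 35.170.194.244.8883: Flags [.], ack 4185278866, win 2920, length 0
""".strip().splitlines()

if __name__ == "__main__":
    for label, cap in (("override on", CAPTURE_OVERRIDE_ON), ("override off", CAPTURE_OVERRIDE_OFF)):
        print(label, analyze(cap))
```

Reading the result: an entry in `unanswered` with `sent` greater than one in the underlying record means the device retried and the resolver (here the router, since the override redirected the query there) never replied; a SYN flagged `False` in `connections` means the device connected to an address it did not learn from DNS in that capture, which usually points at a cached or hard-coded endpoint rather than a DNS problem.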

Wow. There’s a lot going on with those devices & ports. netstat -natp &/or -natpu might be helpful.

  • I’d certainly try scanning those devices & see if there’s any open ports that might give a clue. nmap would be the tool there. HOW-TOs are easily found.
  • logread on the Shadow could turn up something

Govee

It really should be transparent to that, regardless of the DNS method used: :53, DOT or DOH. I’d also try DOT/DOH again & see if you get a result from drill +short amazonaws.com (opkg install drill)

IDK; it all could be some bug in the firewall or dnsmasq (the DNS/DHCP handler for OpenWrt). What’s your Shadow’s firmware version? It might be important to the devs if it is a bug.

This Shadow router is making me pull out my hair! As previously mentioned, I had trouble with an Emporia Energy Device, Orbitz B-Hive, and Govee. With the Govee, it seems that the issue is related to the Cloudflare DNS: as soon as I toggle off the DNS stuff, Govee works. When I toggle the Cloudflare back on, Govee continues to work for a while until it stops again - sometimes working as long as 24 hours. (I assume if it needs to reconnect to some server on 8883 and the custom DNS blocks 8883?). I think I understand that. But now, I’m having trouble with a Raspberry Pi too! Works fine when connected via rj45… but on wifi, my router log displays the following:

Thu Jul  6 09:22:12 2023 daemon.info hostapd: wlan0: STA e4:5f:01:03:bd:f3 IEEE 802.11: associated (aid 1)
Thu Jul  6 09:22:12 2023 daemon.notice hostapd: wlan0: AP-STA-POSSIBLE-PSK-MISMATCH e4:5f:01:03:bd:f3
Thu Jul  6 09:22:13 2023 daemon.notice hostapd: wlan0: AP-STA-POSSIBLE-PSK-MISMATCH e4:5f:01:03:bd:f3
Thu Jul  6 09:22:14 2023 daemon.notice hostapd: wlan0: AP-STA-POSSIBLE-PSK-MISMATCH e4:5f:01:03:bd:f3
Thu Jul  6 09:22:15 2023 daemon.notice hostapd: wlan0: AP-STA-POSSIBLE-PSK-MISMATCH e4:5f:01:03:bd:f3
Thu Jul  6 09:22:21 2023 daemon.info hostapd: wlan0: STA e4:5f:01:03:bd:f3 IEEE 802.11: deauthenticated due to local deauth request

And yes, I have checked the password 100 times, meaning I’ve identified at least 3 different types of connection problems with the Shadow; only one of which (the Govee) can be explained! The odd thing with the Pi is that SOMETIMES it will suddenly connect (without me changing the router settings)… With 4 devices having intermittent and varied problems with this router, I’m starting to wonder if I have a hardware issue. I just bought a Beryl AX router to test to see if these inexplicable issues will go away. Thanks again for your help, bring.fringe. If I happen to discover anything that will help others in the future, I’ll post back.


OK, got a new router (the Beryl AX). Plugged it in, replicated the settings I had on the Shadow… and BOOM: everything worked first try. Some other problems that I didn’t mention in this post went away too. I’m guessing I had defective hardware on the Shadow. I have spent a year struggling with so many unrelated and intermittent problems on this device: doing resets, tweaking settings, resetting and resetting… and actually quite frustrated that it took me this long to see that the problem was the device, not me. Thanks again for your help.


Hello fulmar2, hope you are well. It seems that you have put forward a ticket to us, while the email address you provided is inaccessible. We cannot get in touch with you via that email address.

Anyway could you please kindly give it a try with this beta firmware?
https://dl.gl-inet.com/?model=ar300m16&type=beta
Noted that you shall not keep settings, or just perform a factory reset after you have upgraded it.

Thank you so much, and have a nice day.

rain, thank you for this information. To my surprise, that beta software update fixed 3 of the problems I was having - including the one that prompted this topic about the DNS settings! The 4th problem turned out to be with the Raspberry Pi itself (solution to the Raspberry Pi problem can be found here). The new software seems better overall, thanks. One feature that seems to be missing is that I cannot see how to add the “file share” plugin. If you could help with that, I am optimistic that some of these problems will go away. Thanks.

Looks like the beta is good… BUT, you lose the ability to use the USB attached storage. I spent a lot of time working on this just now, and it appears that the cause is because there is not any space left after updating to the Beta 4 software. I looked at the log for the old software, and it seems like it installed “gl-files-browser” and “samba36-server”… I did find “samba4-server” in the repository, but no way to find “gl-files-browser”. I am fond of the Beta4 software and hope you can make it work so that the attached storage can work as well.

This is slightly off-topic but I wouldn’t lose much sleep over the lack of SMB on the Shadow. Your Beryl AX stomps all over its performance for that function:

After the official release, these packages will be published to the repository. However, users need to expand the storage space by themselves to install them.
For AR300M, it has a poor CPU performance, so it may not work fine even if it is installed.