Encrypted traffic on port 53

Router: AX-1800 Flint

  • Version: 4.5.0
  • Firmware Type: release8

I have implemented DNS over TLS, and upon conducting a tcpdump on port 53 of eth0, I observe traffic activity. Could you kindly provide guidance on determining if a DNS leak is transpiring and suggest measures to mitigate it?

How did you test it? Were you using a client machine connected to the modem, or the modem itself (from an SSH session) to resolve the domains?

Why are you capturing traffic on eth0?

On connected clients, please use this website: https://www.dnsleaktest.com

And post the output of:
# netstat -tuplna

1 Like

For DoT the default port is often not 53 but 853, or theoretically whatever has been specified in stubby.

Now in the default configuration on GL.iNet the local DNS is just a forwarder to stubby, so port 53 → 853.

So the reason you see 53 going out of the WAN is because you just have pesky devices with hardcoded DNS :grin:.

Chrome browsers, for example, all use their own DNS resolver and often ignore the user settings; Android phones make it even more obvious.

The only solution is hijacking port 53 :slight_smile:

So if you do a tcpdump on 853 you will also see the encrypted traffic, but yeah, it's still a leak and only hijacking DNS can solve this. Once these devices adopt hardcoded DoH there's no way to hijack it, so until now I hope that doesn't happen :yum:

1 Like
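As an added example (not code from the thread or from GL.iNet), here is a small script that turns the advice above into a check: it parses tcpdump-style lines and separates queries that go to the router's own forwarder (and so reach stubby on 853) from plaintext port-53 queries that a client sends straight to a hardcoded outside resolver, and from client-side DoT on 853 that the router cannot see into. The capture lines, the 192.168.8.0/24 LAN, the router address and the interface name are constructed assumptions; the capture is taken on the LAN bridge rather than the WAN because after NAT every packet on the WAN carries the router's own source address and the leaking client can no longer be identified. The `hijack_rules` helper emits the iptables DNAT lines for the port-53 hijack the reply recommends; it assumes an iptables-based firewall.

```python
"""Find hardcoded-DNS clients from a tcpdump text capture and emit hijack rules.

Added example, not part of the original thread. Each client -> server DNS
packet is classified as:
  "local" : to the router's own port 53 (forwarded to stubby, then DoT on 853)
  "leak"  : plaintext port 53 straight to an outside resolver (hardcoded DNS)
  "dot"   : port 853 from a client (e.g. Android private DNS); encrypted, so it
            bypasses the router's resolver and cannot be hijacked on port 53
Replies and non-DNS lines are ignored.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed topology (hypothetical; adjust to your network).
LAN_NET = ip_network("192.168.8.0/24")
ROUTER_IP = ip_address("192.168.8.1")

# Constructed sample in the shape of `tcpdump -n -i br-lan 'port 53 or port 853'`.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 192.168.8.77.43111 > 1.1.1.1.853: Flags [P.], seq 1:301, ack 1, win 501, length 300
10:01:03.000003 IP 192.168.8.23.5353 > 8.8.8.8.53: 4711+ A? example.com. (29)
10:01:03.000004 IP 8.8.8.8.53 > 192.168.8.23.5353: 4711 1/0/0 A 93.184.216.34 (45)
10:01:04.000005 IP 192.168.8.45.60001 > 8.8.4.4.53: 9+ AAAA? chat.example.net. (34)
10:01:05.000006 IP 192.168.8.23.5354 > 192.168.8.1.53: 4712+ A? intranet.lan. (30)
10:01:06.000007 IP 192.168.8.23.5355 > 8.8.8.8.53: 4713+ A? telemetry.example.org. (37)
"""

# tcpdump prints "src.sport > dst.dport: rest"; the timestamp is the first token.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Query name as tcpdump shows it for plaintext DNS, e.g. "A? example.com."
QNAME_RE = re.compile(r"\b(?:A|AAAA|PTR|TXT|HTTPS|SRV|MX|CNAME)\? (?P<qname>\S+)")


@dataclass
class DnsEvent:
    src: str
    dst: str
    dport: int
    kind: str   # "local", "leak" or "dot"
    qname: str  # empty when not visible (encrypted, or not a query line)


def classify(line: str) -> Optional[DnsEvent]:
    """Classify one capture line; None for replies, the router's own traffic and noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst = ip_address(m["src"]), ip_address(m["dst"])
    dport = int(m["dport"])
    if src not in LAN_NET or src == ROUTER_IP:
        return None  # reply from outside, or the router's own forwarder traffic
    if dport == 853:
        kind = "dot"
    elif dport == 53:
        kind = "local" if dst == ROUTER_IP else "leak"
    else:
        return None
    q = QNAME_RE.search(m["rest"])
    return DnsEvent(str(src), str(dst), dport, kind, q["qname"] if q else "")


def analyze(capture: str) -> List[DnsEvent]:
    return [e for e in (classify(l) for l in capture.splitlines()) if e]


def leak_report(events: List[DnsEvent]) -> Dict[str, List[str]]:
    """Group plaintext leaks by client so the hardcoded-DNS devices stand out."""
    report: Dict[str, List[str]] = {}
    for e in events:
        if e.kind == "leak":
            report.setdefault(e.src, []).append(f"{e.qname} -> {e.dst}")
    return report


def hijack_rules(lan_if: str = "br-lan", router_ip: str = str(ROUTER_IP)) -> List[str]:
    """iptables DNAT rules redirecting every LAN port-53 query to the router's
    forwarder (assumed iptables firewall). Port 853/443 traffic is left alone."""
    return [
        f"iptables -t nat -A PREROUTING -i {lan_if} -p {proto} --dport 53 "
        f"-j DNAT --to-destination {router_ip}:53"
        for proto in ("udp", "tcp")
    ]


if __name__ == "__main__":
    evs = analyze(SAMPLE_CAPTURE)
    for client, queries in leak_report(evs).items():
        print(f"plaintext leak from {client}: {queries}")
    for e in evs:
        if e.kind == "dot":
            print(f"client-side DoT from {e.src} to {e.dst}: cannot be hijacked on 53")
    print("\n".join(hijack_rules()))
```

Run it against a real capture with `tcpdump -n -i br-lan 'port 53 or port 853'` piped into `SAMPLE_CAPTURE`'s place; a client that keeps showing up under "leak" is one of the hardcoded-DNS devices, and a client under "dot" has its own encrypted resolver configured, which the port-53 hijack will not catch.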