Quad9 TLS Support

It would be super nice to have an option to set up Quad9 TLS as the DNS provider, as their servers are quite often much "closer" to the user; this matters especially for travel routers.

Example:

❯ ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9): 56 data bytes
64 bytes from 9.9.9.9: icmp_seq=0 ttl=58 time=6.909 ms
64 bytes from 9.9.9.9: icmp_seq=1 ttl=58 time=7.038 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=58 time=6.933 ms
64 bytes from 9.9.9.9: icmp_seq=3 ttl=58 time=7.894 ms
^C
--- 9.9.9.9 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.909/7.194/7.894/0.407 ms
❯ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=57 time=28.076 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=27.463 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=57 time=27.283 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=57 time=29.169 ms
^C
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 27.283/27.998/29.169/0.737 ms
❯ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=104 time=99.528 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=104 time=99.566 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=104 time=99.071 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=104 time=100.154 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 99.071/99.580/100.154/0.385 ms

Currently, I'm using CloudFlare as it gives the best results, but 7 ms vs. 27 ms for DNS lookups makes a really noticeable boost in UX.

GL firmware supports the Quad9 DNS server; you can select manual DNS and choose it in GL GUI > Network > DNS > DNS Server 1 > open the list > Quad9 Security:


Thanks for the reply, but the topic is regarding DoT, DNS Over TLS.

P.S. Some ISPs, like Telkomsel in Bali (and most likely the rest of Indonesia), force you to use their DNS servers by DNS hijacking and from time to time respond with their own server IP for some domains, where they show advertisements — sick! and very annoying. They also seem to block DoH (at least it didn't work for me), but DoT works pretty well.

1 Like

Hello,

OK, I see.

  1. Select any DoT server in GL GUI > Network > DNS, and apply, for example:

  2. Edit the file "/etc/config/stubby":
    Run vi /etc/config/stubby to open it, and press the keyboard key "i" to edit.

Remove the Cloudflare part and add the following:

config resolver
        option address '9.9.9.9'
        option tls_auth_name 'dns.quad9.net'

like this:

Press keyboard key "Esc", then type ':wq' to save the configuration and exit.

  3. Restart the services to make the configuration take effect:
/etc/init.d/stubby restart
/etc/init.d/dnsmasq restart

Restarting the device will not lose the configuration.
Upgrading the firmware may lose the configuration and require manual reconfiguration.

In addition, the requirements for Quad9 TLS have been submitted to PM for evaluation.

3 Likes

@bruce and @Stan I think there is an easier way. Using an SSH session, you can add resolvers using UCI commands rather than editing the stubby config file. For Quad 9:

uci add stubby resolver
uci set stubby.@resolver[-1].address="2620:fe::9"
uci set stubby.@resolver[-1].tls_auth_name="dns.quad9.net"
uci add stubby resolver
uci set stubby.@resolver[-1].address="2620:fe::fe"
uci set stubby.@resolver[-1].tls_auth_name="dns.quad9.net"
uci add stubby resolver
uci set stubby.@resolver[-1].address="9.9.9.9"
uci set stubby.@resolver[-1].tls_auth_name="dns.quad9.net"
uci add stubby resolver
uci set stubby.@resolver[-1].address="149.112.112.112"
uci set stubby.@resolver[-1].tls_auth_name="dns.quad9.net"
uci commit stubby
service stubby restart

3 Likes

@bruce thanks! Worked like a charm! However, it would be very convenient to have Quad9 TLS support in the UI so it would be quicker to jump between Quad9 and Cloudflare instead of using ssh+vi each time I need to change from Cloudflare to Quad9.

@Dondi yep, these commands also work, but before adding new resolvers, the previous ones should be deleted.

2 Likes

I would like to take this moment to thank the entire GL.iNet team for the awesome travel routers and great support!

2 Likes

I also would like to ask for an out-of-the-box solution. Thank you.

1 Like

Hello @bruce,

I don't know if it was already discussed, but will you officially add support for DNS.SB to the DNS-over-TLS (DoT) encrypted recursive DNS drop-down list as well?

DNS.SB is a free public DNS recursive resolver created by the German IT company xTom.

Thank you to all the GL.iNet team for your hard work to make wonderful home and travel routers such as the Flint 3 and Slate 7.

1 Like

I use a symlink to switch between my custom confs for those providers, followed by /etc/init.d/dnscrypt-proxy restart.

FYI: v4.8.0-beta9 on the Slate AX has these DoH providers listed. No doubt it will be a standard feature.

2 Likes

  1. In GL GUI > Network > DNS:
Mode: Encrypted DNS 
Encryption Type: DNS over TLS
DNS Provider: Cloudflare

-> Apply

  2. SSH to the router, and execute these:
uci del stubby.@resolver[0]
uci del stubby.@resolver[0]
uci del stubby.@resolver[0]
uci del stubby.@resolver[0]

uci add stubby resolver
uci set stubby.@resolver[-1].address="185.222.222.222"
uci set stubby.@resolver[-1].tls_port="853"
uci set stubby.@resolver[-1].tls_auth_name="dot.sb"
uci add stubby resolver
uci set stubby.@resolver[-1].address="45.11.45.11"
uci set stubby.@resolver[-1].tls_port="853"
uci set stubby.@resolver[-1].tls_auth_name="dot.sb"
uci add stubby resolver
uci set stubby.@resolver[-1].address="2a09::"
uci set stubby.@resolver[-1].tls_port="853"
uci set stubby.@resolver[-1].tls_auth_name="dot.sb"
uci add stubby resolver
uci set stubby.@resolver[-1].address="2a11::"
uci set stubby.@resolver[-1].tls_port="853"
uci set stubby.@resolver[-1].tls_auth_name="dot.sb"
uci commit stubby
/etc/init.d/stubby restart
/etc/init.d/dnsmasq restart

Probably no plan to add dns.sb as a DoT provider for the time being; as 9b9e... mentioned, it is supported in the DoH list.

2 Likes
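The two UCI procedures above (the Quad9 resolver set, and the dns.sb one that first deletes the existing resolver sections) follow the same pattern: drop every current `resolver` section, add the new provider's set, commit and restart. The script below is an added example, not GL.iNet's own tooling, that generates those steps as a `uci batch` script for a chosen provider, so switching between providers is a single command instead of ssh+vi; the Quad9 and dns.sb addresses and auth names are the ones posted in this thread, while the Cloudflare addresses (1.1.1.1, 1.0.0.1) and auth name (cloudflare-dns.com) are assumed from Cloudflare's published DoT service.

```shell
#!/bin/sh
# dot-switch.sh: replace all stubby DoT resolvers with one provider's set.
# Example script for GL.iNet/OpenWrt routers; not part of GL.iNet firmware.
# Cloudflare values are assumed (not from the thread), others are as posted.

# Print "address auth_name" pairs for a provider; return 1 if unknown.
resolvers_for() {
    case "$1" in
        quad9)      printf '%s dns.quad9.net\n' 9.9.9.9 149.112.112.112 2620:fe::9 2620:fe::fe ;;
        dnssb)      printf '%s dot.sb\n' 185.222.222.222 45.11.45.11 2a09:: 2a11:: ;;
        cloudflare) printf '%s cloudflare-dns.com\n' 1.1.1.1 1.0.0.1 ;;
        *)          return 1 ;;
    esac
}

# Emit a 'uci batch' script. $1 = provider, $2 = number of resolver
# sections currently present (they must be removed before adding new ones).
stubby_batch() {
    provider=$1; existing=${2:-0}
    resolvers_for "$provider" >/dev/null || return 1
    i=0
    while [ "$i" -lt "$existing" ]; do
        # Indices shift down after each delete, so always remove index 0.
        echo 'delete stubby.@resolver[0]'
        i=$((i + 1))
    done
    resolvers_for "$provider" | while read -r addr auth; do
        echo 'add stubby resolver'
        echo "set stubby.@resolver[-1].address=$addr"
        echo "set stubby.@resolver[-1].tls_port=853"
        echo "set stubby.@resolver[-1].tls_auth_name=$auth"
    done
    echo 'commit stubby'
}

# Count existing resolver sections; only meaningful on the router itself.
count_resolvers() {
    uci show stubby 2>/dev/null | grep -c '^stubby\.@resolver\[[0-9]*\]=resolver$'
}

# On the router: ./dot-switch.sh quad9   (or dnssb / cloudflare)
if [ -n "$1" ] && command -v uci >/dev/null 2>&1; then
    stubby_batch "$1" "$(count_resolvers)" | uci batch
    /etc/init.d/stubby restart
    /etc/init.d/dnsmasq restart
fi
```

Run `stubby_batch quad9 4` without `uci batch` to review the generated commands before applying them.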

I've recently upgraded my Beryl AX to 4.8.0 stable and there is no Quad9 in the list (however, the upgrade didn't reset my custom manual settings).

Ahh... the joys of GL.iNet firmware not being in version sync across devices. I won't miss it if it were to ever leave.

It's probably for the best that your conf wasn't. The GL.iNet stock conf leaves a bit to be desired when it comes to properly tightening up security and privacy:

cat <<- '__EOF' >> /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
	# edit your existing `.toml` to properly enable these security settings
	# in their respective sections or dnscrypt-proxy won't start
	user_name = 'nobody'
	dnscrypt_servers = false
	odoh_servers = true
	require_dnssec = true
	require_nolog = true
	require_nofilter = false
	disabled_server_names = [ 'quad9-doh-ip4-port443-nofilter-pri', 'quad9-doh-ip4-port443-nofilter-alt', 'quad9-doh-ip4-port443-nofilter-ecs-pri', 'quad9-doh-ip4-port443-nofilter-ecs-alt', 'quad9-doh-ip4-port443-filter-ecs-pri', 'quad9-doh-ip4-port443-filter-ecs-alt' ]
	dnscrypt_ephemeral_keys = true
	tls_disable_session_tickets = true
	bootstrap_resolvers = ['1.1.1.1:53', '1.0.0.1:53']

__EOF

Then

chown -R nobody:nogroup /etc/dnscrypt-proxy2/
/etc/init.d/dnscrypt-proxy restart

As all things in life, YMMV.

2 Likes

Thanks, this worked for me as well.

I have tried this exact process but cannot get Quad9 to work. Cloudflare works fine; however, my network access hub, which translates the fibre connection to Ethernet for my router, hijacks unencrypted DNS requests over port 53 and redirects them to the ISP DNS. There is no way to disable this other than using encrypted DoT.

Cloudflare works perfectly, but when I arrange my /etc/config/stubby file with the Quad9 config as shown above, the DNS servers are back to my ISP. This is very frustrating. Can you help me diagnose the issue?

There might be an error somewhere in the stubby configuration causing DNS to fall back to dnsmasq.

Please refer to this thread: How to Manually Add DoT or DoH Servers on GL.iNet Routers