Using Cloudflare DNS with FreshTomato Router

Hello, I recently flashed my router Asus RT-AC68U with FreshTomato Firmware AIO 2020.5, I inserted Manual Dns1: 1.1.1.1 and Dns2: 1.0.0.1. also checked DNSSEC, and Stubby DoT as well.

Internet is working fine but when i do a DNS leak test on web sites such as https://www.dnsleaktest.com i see up to 8 servers that should not be there. why do I have this leak? is there anything i can do to avoid it? The only way i can get a total secured dns communication is either using Firefox browser on my iMac activating DoH + SNI and getting all 4 greens tests at https://www.cloudflare.com/ssl/encrypted-sni or otherwise installing the Cloudflare app on my iPhone and iPad, with this two methods i don’t have any dns leak as only cloudflare dns shows on dnsleaktest.
But, my goal here is to don’t have DNS leaks from the router itself without using these other methods mentioned above. Also because i’d like a private connection for other devices such as smart TVs that rely only on the router.
Any Help on this? Am i missing something?

Also is there a way to set up a cloudflare Dnscrypt-proxy in FreshTomato firmware? if yes, can someone please explain how to do so?

Thank you very much
Fabio

Hi Fabio,
I’m not familiar with FreshTomato but I think that what you could be seeing is the outgoing IPs of our resolvers but I’m not sure as it depends on what dnsleaktest is actually checking.
You can check who own’s the network of an IP using whois:

whois 1.1.1.1

2 Likes

Thanks for your quick reply C_Elmerot.

I tried whois with the server IPs i get on the leaktest and they belong to Google, SurfNet etc… as you can see on this screenshot using safari:


If i do the test with a more secure browser like firefox i get instead only one server (Clouflare DXB) as it should be.

So what i don’t understand is why if i manually set DNS 1.1.1.1 on the router settings there are servers like google and surfnet intercepting the comunication… as per my understanding this is a leak of dns.

Anyway maybe the problem is at a router level, i’ll try to reach out to FreshTomato developers too and see if i can fix it.

Thanks

Hi Fabio,
yes this looks like something in the router firmware which would be the cause as with Firefox it uses it’s own internal DNS setting and if you enable DoH it bypasses whatever the router announces to your device.

1 Like

Hi Fabio,

Tomato routers are usually used to establish vpn connections so all your home traffic is encrypted, are you using a VPN? When you configure 1.1.1.1 and test for dns leaks is the vpn connected ? If so I would repeat the test disconnecting the vpn because the vpn inserts its own dns servers.

Thanks

Hi nkonda,

Thanks for your reply.

I resolved the problem! now i have no leak. it was an issue with the router configuration, i forced the router to connect to cloudflare servers via Stubby dmasq, doing so now i have no leak at all, only cloudflare server shows up in the leak test. :slightly_smiling_face:

However when checking on 1.1.1.1/help page DoT comes as a NO while it should be YES as stubby is configured to use DoT.

need to figure this out now. Possible that the 1.1.1.1/help page shows an incorrect result?

thanks