DNS over TLS appears to stop working once DNSSEC is enabled

Good morning,

I'm trying to understand the precedence of the various DNS options available in the context of my current set-up, as I'm seeing some unexpected results.

I currently have two firewall zones: lan and guest. Traffic from my lan zone is configured to be routed over a Wireguard interface, whereas traffic from guest goes over the WAN.

Under Network > Interfaces > LAN > DHCP Server > Advanced Settings > DHCP-options and Network I've set 6,10.64.0.1 to use my VPN provider's resolver.

Under Network > Interfaces > WAN > Common Configuration > Advanced Settings > Use custom DNS servers I've set 127.0.0.1 (and 0::1 under the WAN6 interface).

Under Network > DHCP and DNS > Server Settings > DNS forwardings I've set 127.0.0.1#5453 in order to use DNS over TLS via Stubby.

This seems to work well: clients on my LAN are using my VPN provider's resolver (i.e. no DNS leaks) whereas guest clients are using Cloudflare's resolvers and https://1.1.1.1/help shows that they're using DoT.

Following the Stubby readme, I proceeded to enable DNSSEC using:

uci set dhcp.@dnsmasq[-1].dnssec=1
uci set dhcp.@dnsmasq[-1].dnsseccheckunsigned=1
uci commit && reload_config

As soon as I do this, https://1.1.1.1/help shows that I'm no longer using DoT. However, it does appear that DNSSEC is working (I see the ad flag).

Can anybody educate me here? Why, as soon as I enable DNSSEC, does DoT stop working? Happy to post configs here if it would help to understand why I'm seeing this behaviour.

EDIT: I'm also running adblock on the router, if that has any bearing on things.

Ah; likely a false report (false negative?) from https://1.1.1.1/help. The same behaviour has been noted here.
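Rather than relying on https://1.1.1.1/help, the state of both features can be checked on the router itself. The script below is an added example, not part of the original thread; it assumes the set-up described above (dnsmasq on 127.0.0.1 forwarding to Stubby on 127.0.0.1#5453), that the bind-dig and iproute2 (ss) packages are installed, that cloudflare.com is DNSSEC-signed and that dnssec-failed.org still publishes a deliberately broken signature.

```shell
#!/bin/sh
# Added example (not from the original post): verify DNSSEC validation and
# DoT forwarding on an OpenWrt router running dnsmasq -> Stubby, instead of
# trusting https://1.1.1.1/help.
# Assumptions: dnsmasq answers on 127.0.0.1:53 and forwards to Stubby on
# 127.0.0.1#5453; `dig` (bind-dig) and `ss` (iproute2) are installed;
# cloudflare.com is signed; dnssec-failed.org carries a bogus signature.

# Read dig output on stdin; succeed if the header carries the AD flag,
# i.e. the resolver that answered validated the response.
dig_has_ad() {
    grep -Eq '^;; flags:.* ad[ ;]'
}

# Read dig output on stdin; succeed if the status is SERVFAIL, which is
# what a validating resolver must return for a bogus signature.
dig_is_servfail() {
    grep -q 'status: SERVFAIL'
}

# Read `ss -tn` output on stdin; print the number of established TCP
# sessions to port 853 (Stubby's DoT connections to its upstreams).
dot_session_count() {
    awk '$1 == "ESTAB" && $5 ~ /:853$/ { n++ } END { print n + 0 }'
}

# Live checks against the router; run with: sh dns_check.sh --live
live_check() {
    if dig @127.0.0.1 +dnssec cloudflare.com A | dig_has_ad; then
        echo "ok: validated answer (AD flag) for cloudflare.com"
    else
        echo "FAIL: no AD flag; dnsmasq is not validating"
    fi
    if dig @127.0.0.1 +dnssec dnssec-failed.org A | dig_is_servfail; then
        echo "ok: bogus signature rejected (SERVFAIL)"
    else
        echo "FAIL: bogus domain resolved; validation is not enforced"
    fi
    echo "DoT sessions to port 853: $(ss -tn | dot_session_count)"
    # To confirm nothing bypasses DoT, also watch the WAN for plaintext DNS
    # while a client resolves names:  tcpdump -ni <wan-iface> 'port 53'
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Zero DoT sessions together with a validated (AD) answer means dnsmasq is validating but the forwarding path to Stubby is not in use, so check the DNS forwardings entry before anything else.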
