DNS over TLS support

My Wyze doorbell camera will not connect to the internet if my router is set up to use DNS over TLS (DoT).

Please add support to the Wyze doorbell camera for DoT

Or, you know, leave your Wyze and other devices alone and let your router be responsible for converting queries to DNS over TLS. I don’t see much reason to change the cameras?

One example:

I basically followed that article. My router is running OpenWRT and I set it up to send all DNS queries over TLS to Cloudflare’s server.

Every single device on my network (and I have dozens of devices) worked fine, except my Wyze doorbell camera.

I had the same problem using the Asus XT8 Mesh Router’s built-in DoT implementation. As soon as I disabled DoT my Wyze Doorbell started showing online and the Wyze plug completed its setup.

1 Like

Yes, please fix this issue.

More and more routers like Asus are rolling out DNS over TLS (DoT). Fixing this issue would most likely reduce the amount of returns of the doorbell as support isn’t catching the problem.

I spent some quality time trying to figure out the issue and ended up turning off DoT, which I would like to flip on at some point soon.

I don’t think that Wyze really pays attention to complaints. Calling support is like talking to a brick wall where they run the same script over and over again.

I agree DNS over TLS causes Wyze cams to drop ‘offline’ from the perspective of the app: the thumbnails say offline, but when you click on them you can view the camera; recording also breaks. After doing extensive testing I found the following:

For me, this only breaks if:

  • the record is not cached (they have a really low TTL)
  • you have blocked devices from getting to 8.8.8.8 to bypass your cache/filtering/privacy settings.

Here’s a cached packet which the cam can process, although the TTL is less than 1 minute so the cache will never be there when the camera needs it:

; <<>> DiG 9.16.1-Ubuntu <<>> api.wyzecam.com @192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25936
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;api.wyzecam.com.		IN	A

;; ANSWER SECTION:
api.wyzecam.com.	19	IN	CNAME	core-prod-cloud-gateway-1340290424.us-west-2.elb.amazonaws.com.
core-prod-cloud-gateway-1340290424.us-west-2.elb.amazonaws.com.	19 IN A	44.228.53.38
core-prod-cloud-gateway-1340290424.us-west-2.elb.amazonaws.com.	19 IN A	52.26.7.89
core-prod-cloud-gateway-1340290424.us-west-2.elb.amazonaws.com.	19 IN A	54.189.218.68
core-prod-cloud-gateway-1340290424.us-west-2.elb.amazonaws.com.	19 IN A	54.189.12.237

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Mar 10 20:43:10 UTC 2022
;; MSG SIZE  rcvd: 184

25936+ [1au] A? api.wyzecam.com. (56)
	0x0000:  4500 0054 761b 0000 4011 8089 c0a8 01a3  E..Tv...@.......
	0x0010:  c0a8 0101 cb0e 0035 0040 8446 6550 0120  .......5.@.FeP..
	0x0020:  0001 0000 0000 0001 0361 7069 0777 797a  .........api.wyz
	0x0030:  6563 616d 0363 6f6d 0000 0100 0100 0029  ecam.com.......)
	0x0040:  1000 0000 0000 000c 000a 0008 6638 a02e  ............f8..
	0x0050:  a824 d89d                                .$..
25936 5/0/1 CNAME core-prod-cloud-gateway-1340290424.us-west-2.elb.amazonaws.com., A 44.228.53.38, A 52.26.7.89, A 54.189.218.68, A 54.189.12.237 (184)
	0x0000:  4500 00d4 1bbd 0000 4011 da67 c0a8 0101  E.......@..g....
	0x0010:  c0a8 01a3 0035 cb0e 00c0 c268 6550 8180  .....5.....heP..
	0x0020:  0001 0005 0000 0001 0361 7069 0777 797a  .........api.wyz
	0x0030:  6563 616d 0363 6f6d 0000 0100 01c0 0c00  ecam.com........
	0x0040:  0500 0100 0000 1300 4022 636f 7265 2d70  ........@"core-p
	0x0050:  726f 642d 636c 6f75 642d 6761 7465 7761  rod-cloud-gatewa
	0x0060:  792d 3133 3430 3239 3034 3234 0975 732d  y-1340290424.us-
	0x0070:  7765 7374 2d32 0365 6c62 0961 6d61 7a6f  west-2.elb.amazo
	0x0080:  6e61 7773 0363 6f6d 00c0 2d00 0100 0100  naws.com..-.....
	0x0090:  0000 1300 042c e435 26c0 2d00 0100 0100  .....,.5&.-.....
	0x00a0:  0000 1300 0434 1a07 59c0 2d00 0100 0100  .....4..Y.-.....
	0x00b0:  0000 1300 0436 bdda 44c0 2d00 0100 0100  .....6..D.-.....
	0x00c0:  0000 1300 0436 bd0c ed00 0029 0500 0000  .....6.....)....
	0x00d0:  0000 0000                                ....

And here’s a packet that is not cached, that is, a new response via DNS over TLS from 1.1.1.1. You can see the packet is much bigger (447 vs 184) because, instead of summarizing all 4 IPs for the discovered CNAME record, it lists the CNAME 4 times with the IP after each occurrence. The camera doesn’t process this properly even though it is a proper DNS response that is processed just fine by other devices.

; <<>> DiG 9.16.1-Ubuntu <<>> api.wyzecam.com @192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28450
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;api.wyzecam.com.		IN	A

;; ANSWER SECTION:
api.wyzecam.com.	30	IN	CNAME	core-prod-cloud-gateway-1340290424.us-west-2.elb.amazonaws.com.
core-prod-cloud-gateway-1340290424.us-west-2.elb.amazonaws.com.	30 IN A	54.189.12.237
core-prod-cloud-gateway-1340290424.us-west-2.elb.amazonaws.com.	30 IN A	54.189.218.68
core-prod-cloud-gateway-1340290424.us-west-2.elb.amazonaws.com.	30 IN A	52.26.7.89
core-prod-cloud-gateway-1340290424.us-west-2.elb.amazonaws.com.	30 IN A	44.228.53.38

;; Query time: 28 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Mar 10 20:42:58 UTC 2022
;; MSG SIZE  rcvd: 447

28450+ [1au] A? api.wyzecam.com. (56)
	0x0000:  4500 0054 7421 0000 4011 8283 c0a8 01a3  E..Tt!..@.......
	0x0010:  c0a8 0101 dfe1 0035 0040 8446 6f22 0120  .......5.@.Fo"..
	0x0020:  0001 0000 0000 0001 0361 7069 0777 797a  .........api.wyz
	0x0030:  6563 616d 0363 6f6d 0000 0100 0100 0029  ecam.com.......)
	0x0040:  1000 0000 0000 000c 000a 0008 4f01 8e77  ............O..w
	0x0050:  9708 c16d                                ...m
28450 5/0/1 CNAME core-prod-cloud-gateway-1340290424.us-west-2.elb.amazonaws.com., A 54.189.12.237, A 54.189.218.68, A 52.26.7.89, A 44.228.53.38 (447)
	0x0000:  4500 01db 099e 0000 4011 eb7f c0a8 0101  E.......@.......
	0x0010:  c0a8 01a3 0035 dfe1 01c7 863f 6f22 8180  .....5.....?o"..
	0x0020:  0001 0005 0000 0001 0361 7069 0777 797a  .........api.wyz
	0x0030:  6563 616d 0363 6f6d 0000 0100 0103 6170  ecam.com......ap
	0x0040:  6907 7779 7a65 6361 6d03 636f 6d00 0005  i.wyzecam.com...
	0x0050:  0001 0000 001e 0040 2263 6f72 652d 7072  .......@"core-pr
	0x0060:  6f64 2d63 6c6f 7564 2d67 6174 6577 6179  od-cloud-gateway
	0x0070:  2d31 3334 3032 3930 3432 3409 7573 2d77  -1340290424.us-w
	0x0080:  6573 742d 3203 656c 6209 616d 617a 6f6e  est-2.elb.amazon
	0x0090:  6177 7303 636f 6d00 2263 6f72 652d 7072  aws.com."core-pr
	0x00a0:  6f64 2d63 6c6f 7564 2d67 6174 6577 6179  od-cloud-gateway
	0x00b0:  2d31 3334 3032 3930 3432 3409 7573 2d77  -1340290424.us-w
	0x00c0:  6573 742d 3203 656c 6209 616d 617a 6f6e  est-2.elb.amazon
	0x00d0:  6177 7303 636f 6d00 0001 0001 0000 001e  aws.com.........
	0x00e0:  0004 36bd 0ced 2263 6f72 652d 7072 6f64  ..6..."core-prod
	0x00f0:  2d63 6c6f 7564 2d67 6174 6577 6179 2d31  -cloud-gateway-1
	0x0100:  3334 3032 3930 3432 3409 7573 2d77 6573  340290424.us-wes
	0x0110:  742d 3203 656c 6209 616d 617a 6f6e 6177  t-2.elb.amazonaw
	0x0120:  7303 636f 6d00 0001 0001 0000 001e 0004  s.com...........
	0x0130:  36bd da44 2263 6f72 652d 7072 6f64 2d63  6..D"core-prod-c
	0x0140:  6c6f 7564 2d67 6174 6577 6179 2d31 3334  loud-gateway-134
	0x0150:  3032 3930 3432 3409 7573 2d77 6573 742d  0290424.us-west-
	0x0160:  3203 656c 6209 616d 617a 6f6e 6177 7303  2.elb.amazonaws.
	0x0170:  636f 6d00 0001 0001 0000 001e 0004 341a  com...........4.
	0x0180:  0759 2263 6f72 652d 7072 6f64 2d63 6c6f  .Y"core-prod-clo
	0x0190:  7564 2d67 6174 6577 6179 2d31 3334 3032  ud-gateway-13402
	0x01a0:  3930 3432 3409 7573 2d77 6573 742d 3203  90424.us-west-2.
	0x01b0:  656c 6209 616d 617a 6f6e 6177 7303 636f  elb.amazonaws.co
	0x01c0:  6d00 0001 0001 0000 001e 0004 2ce4 3526  m...........,.5&
	0x01d0:  0000 2904 d000 0000 0000 00              ..)........

Seriously Wyze, I appreciate your products are cheap, but at least make them follow standards! Fix your DNS library so that these larger responses work and don’t take your devices offline! A lot of people are moving to DoT and also blocking generic public resolvers.

3 Likes
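The two captures in the post above differ only in wire encoding, not in content: the router-cached reply writes the owner name of every record as an RFC 1035 compression pointer (`c0 0c` to the question name, `c0 2d` to the CNAME target), while the reply forwarded over DoT spells each owner name out in full. Both carry the same CNAME, the same four A records and one OPT record, and 447 bytes is still under the 512-byte UDP limit every classic DNS client must accept. The parser below is an added example written for this page, not Wyze firmware or anything from the post; it embeds the DNS payloads of the two hex dumps above (IP and UDP headers stripped), decodes both forms, follows the CNAME chain to the A records, and rejects the one pointer shape that a naive decoder gets wrong (a pointer that does not point strictly backwards).

```python
import struct
from ipaddress import IPv4Address

TYPE_A, TYPE_CNAME, TYPE_OPT = 1, 5, 41

# DNS payloads taken from the two tcpdump hex dumps in the post above (bytes
# from packet offset 0x1c on, i.e. with the IP and UDP headers stripped).
# Router-cached reply: owner names are compression pointers (c0 0c -> the
# question name at offset 12, c0 2d -> the CNAME target at offset 45).
CACHED_184 = bytes.fromhex(
    "65508180"
    "0001000500000001036170690777797a6563616d03636f6d0000010001c00c00"
    "05000100000013004022636f72652d70726f642d636c6f75642d676174657761"
    "792d313334303239303432340975732d776573742d3203656c6209616d617a6f"
    "6e61777303636f6d00c02d000100010000001300042ce43526c02d0001000100"
    "0000130004341a0759c02d0001000100000013000436bdda44c02d0001000100"
    "000013000436bd0ced0000290500000000000000"
)
# Same answer forwarded over DoT from 1.1.1.1: every owner name is written
# out in full, so the message is 447 bytes instead of 184.
DOT_447 = bytes.fromhex(
    "6f228180"
    "0001000500000001036170690777797a6563616d03636f6d0000010001036170"
    "690777797a6563616d03636f6d00000500010000001e004022636f72652d7072"
    "6f642d636c6f75642d676174657761792d313334303239303432340975732d77"
    "6573742d3203656c6209616d617a6f6e61777303636f6d0022636f72652d7072"
    "6f642d636c6f75642d676174657761792d313334303239303432340975732d77"
    "6573742d3203656c6209616d617a6f6e61777303636f6d00000100010000001e"
    "000436bd0ced22636f72652d70726f642d636c6f75642d676174657761792d31"
    "3334303239303432340975732d776573742d3203656c6209616d617a6f6e6177"
    "7303636f6d00000100010000001e000436bdda4422636f72652d70726f642d63"
    "6c6f75642d676174657761792d313334303239303432340975732d776573742d"
    "3203656c6209616d617a6f6e61777303636f6d00000100010000001e0004341a"
    "075922636f72652d70726f642d636c6f75642d676174657761792d3133343032"
    "39303432340975732d776573742d3203656c6209616d617a6f6e61777303636f"
    "6d00000100010000001e00042ce4352600002904d0000000000000"
)


def read_name(msg, off):
    """Decode one domain name at msg[off]: plain labels or RFC 1035 4.1.4 pointers.

    Returns (dotted name, offset just past the name as it sits in the stream;
    a pointer consumes 2 bytes no matter how long its target is). A pointer
    must point strictly backwards, which excludes self/forward references and
    therefore guarantees the loop terminates.
    """
    labels, end = [], None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:
                raise ValueError(f"bad compression pointer {ptr} at offset {off}")
            if end is None:
                end = off + 2
            off = ptr
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1
        if length == 0:
            break
        if off + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return (txid, [(qname, qtype)], [(owner, rtype, ttl, rdata)]) for a response."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, questions, records = 12, [], []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((qname, qtype))
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        start, off = off, off + rdlen
        if off > len(msg):
            raise ValueError("RDATA runs past end of message")
        if rtype == TYPE_A and rdlen == 4:
            rdata = str(IPv4Address(msg[start:off]))
        elif rtype == TYPE_CNAME:
            rdata, _ = read_name(msg, start)   # RDATA may itself be compressed
        elif rtype == TYPE_OPT:
            rdata = f"OPT udp={rclass}"          # for OPT the CLASS field is the UDP size
        else:
            rdata = msg[start:off].hex()
        records.append((owner, rtype, ttl, rdata))
    if off != len(msg):
        raise ValueError("trailing bytes after last record")
    return txid, questions, records


def a_records_for(msg, qname):
    """Follow CNAME chains from qname and return the set of A addresses answered."""
    _, _, records = parse_response(msg)
    names = {qname}
    for _ in range(16):                          # bound the chain length
        added = {rd for own, rt, _, rd in records if rt == TYPE_CNAME and own in names} - names
        if not added:
            break
        names |= added
    return {rd for own, rt, _, rd in records if rt == TYPE_A and own in names}


if __name__ == "__main__":
    for label, msg in (("cached, compressed", CACHED_184), ("via DoT, uncompressed", DOT_447)):
        txid, _, records = parse_response(msg)
        print(f"{label}: {len(msg)} bytes, id {txid:#06x}, {len(records)} records")
        for rec in records:
            print("   ", rec)
        print("    A set:", sorted(a_records_for(msg, "api.wyzecam.com.")))
```

Running it prints the same CNAME, the same four addresses and an OPT record for both messages; only the TTL (19 vs 30, the cache had aged the record) and the advertised EDNS buffer size (1280 vs 1232) differ. A client that works on the first message but not the second is keying on the encoding rather than the records, which is the failure mode the post is describing.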

The OP says they are using their router… Wyze has a serious bug in reading responses from such routers as they tend to contain some extra data, which is still within the DNS RFC and valid. With many devices on my network, Wyze is the only device that has a problem with it. I’ve added details for Wyze to review (not that they will) below.

After having issues with my cams and bulbs, I’ve come across this thread and was able to resolve my issue.

Turning off DNS-over-TLS fixed all my devices, I’d also like to use DNS-over-TLS as extra network security.

Please allow us to use DNS-over-TLS Wyze, thank you.

1 Like

I have the same issue with DNS over TLS on my ASUS router. Out of 28 devices Wyze cameras are the only ones that fail. When I turn off DoT they work properly. Please fix this so your customers can be more secure on the internet. Is there some information that you are secretly collecting that DoT blocks/breaks?

1 Like

Same here using an Asus RT-AX86U and Cam v2s with DoT enabled; recording to cloud seems to be a problem with the router’s DoT enabled, and I have to disable DoT to even add a Cam v2.

Cam v3’s work as expected with DoT enabled in the Router.

Wyze Wired Doorbell, Wyze Cam Outdoor and the bulbs are a no go with DoT enabled in the router.

Disabling DoT and all is good.

Would like to have DoT enabled in the Router.

Thank You

To those of you using ASUS routers, in LAN settings you can add a DHCP reservation for your camera and include a specific DNS IP for the specific device.

I was able to enable DoT on the router for everything being forwarded through the router, and have just the camera bypass the router and DoT.

Not the best case scenario, but far from the worst.

Also discovered the Hue HDMI Sync box also has this same issue, though the Hue bridge does not.

2 Likes
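The per-device bypass described in this post, expressed as a dnsmasq configuration. This is an added example, not the post’s own settings or anything from ASUS; it assumes the router’s DHCP server is dnsmasq (which Asuswrt and OpenWrt both use), and the MAC address 00:11:22:33:44:55, the lease 192.168.1.50 and the upstream 8.8.8.8 are placeholders to replace with your own values.

```conf
# Pin the camera to a fixed lease and attach the tag "wyze" to it
# (placeholder MAC address, address and hostname).
dhcp-host=00:11:22:33:44:55,set:wyze,192.168.1.50,wyze-doorbell

# Only clients carrying that tag are handed a plain-DNS resolver in DHCP
# option 6. Every other client keeps the router itself as resolver and so
# still goes through its DoT forwarder.
dhcp-option=tag:wyze,option:dns-server,8.8.8.8
```

Two checks before relying on this: if the router also blocks outbound port 53 to public resolvers (as one poster above does to keep clients from bypassing the cache), the firewall rule needs an exception for 192.168.1.50, and that one device’s lookups now leave the network unencrypted, which is exactly the trade the workaround makes.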

Here is where this originated

I will be testing this soon

1 Like

I’ve had mine setup this way for months. It’s not a new feature on the ASUS router. Just happened to see this thread and thought I’d offer the suggestion.

1 Like

For several Asus routers, there are three workaround options. I am using Option #2 from the thread below, which is a different workaround from the one above: it allows you to keep the devices on Guest Network 1. It just requires using the Asus Router app.

Wyze should fix the issue in the device though!

2 Likes

I’m also successfully using option 2.

2 Likes