What's new

384.11 Secure DNS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Preskitt.man

Senior Member
I installed 384.11-2. I then went to the WAN DNS page to implement DNSSEC. There was this message underneath the select box for DNS Privacy Protocol:
Your router's DHCP server is configured to provide a DNS server that's different from your router's IP address. This will prevent clients from using the DNS Privacy servers."
The WAN page currently point DNS1/2 to 1.1.1.1 and 1.0.0.1
I went over to the DHCP page, and DNS Server1/2 also pointed 1.1.1.1 and 1.0.0.1.
What am I missing?
 
Clients will be told to use 1.1.1.1 directly instead of using the router and DoT (DNS Privacyj. Clear the DHCP DNS entries and advertise the router as the DNS server for clients.
 
Thanks!

Cleared the DNS entries on the DHCP page and clicked Yes on Advertise the Routers IP. Applied these settings, and the warning message went away. On the DNS page, I configured as follows:
DNS Server 1/2 : 1.1.1.1 1.0.0.1
Forward Local Domain Queries to Upstream DNS: No
Enable DNS Rebind Protection: No
Enable DNSSEC: Yes
Validate Unsigned DNSSEC replies: Yes
DNS Privacy Protocol : DoT
DNS over TLS Profile : Strict
Preset Servers: Selected Cloudfare 1.1.1.1 and 1.0.0.1

Obviously a bunch of new settings here - Not sure if all are selected for best use. Help file on this would sure be nice. Good news is, at a minimum, DNS is working on my networks. :)
 
... and advertise the router as the DNS server for clients.
I know I've laboured this point before :rolleyes: but I'm really uncomfortable when people recommend setting this value to "Yes". Two reasons:

1. The setting isn't "Advertise the router as the DNS". The actual setting is "Advertise router's IP in addition to user-specified DNS". So the setting is not applicable when there are no user-specified DNSs. (Therefore telling people to change it is misleading)

2. When people do want to set user-specified DNS(s) they could easily miss changing this back to "No". In such a situation the clients would also be using the router's DNS which is probably not what they intended.
 
Last edited:
Thanks!

Cleared the DNS entries on the DHCP page and clicked Yes on Advertise the Routers IP. Applied these settings, and the warning message went away. On the DNS page, I configured as follows:
DNS Server 1/2 : 1.1.1.1 1.0.0.1
Forward Local Domain Queries to Upstream DNS: No
Enable DNS Rebind Protection: No
Enable DNSSEC: Yes
Validate Unsigned DNSSEC replies: Yes
DNS Privacy Protocol : DoT
DNS over TLS Profile : Strict
Preset Servers: Selected Cloudfare 1.1.1.1 and 1.0.0.1

Obviously a bunch of new settings here - Not sure if all are selected for best use. Help file on this would sure be nice. Good news is, at a minimum, DNS is working on my networks. :)

Looks like you’re on the right track now.

This may help?..........
https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy
 
Thanks all - the Wiki link helps out a lot. Looks like the only things I needed to change was the Enable DNS rebind protection to Yes, and advertise the router as the DNS server for clients to No.
 
Just one other question - I did go to the Cloudfare Browsing experience security check site. As the Wiki suggested, the Secure DNS site had a Red X, while DNSSEC and TLS 1.3 were both Green. The Encrypted SNI also had the Red X. Is this an unimplemented feature in 384.11-2, an implementation error on my part, or suspected bug in the Cloudfare site.
 
There are only a few browsers that support encrypted sni it is still something new to the home user
 
interestingly, Android 9.0 has DoT built in as an option, and when I tested with it at the Cloudfare site, had Green check marks across the board, including encrypted SNI. In any case, not so paranoid that I think this really matters. If I were living in China, might feel differently.
 
interestingly, Android 9.0 has DoT built in as an option, and when I tested with it at the Cloudfare site, had Green check marks across the board, including encrypted SNI. In any case, not so paranoid that I think this really matters. If I were living in China, might feel differently.
I suspect encrypted sni will be pretty standard at some point as more browsers come around to supporting it.
 
Hope someone can help me. :confused:
Getting frustrated with trying to get DoT set up.
When I make the necessary changes my router shows Internet Status: Disconnected

I have even got to the point of resetting my router and starting from scratch.
OpenVPN Server turned on and setup. AMTM, Diversion and Skynet are the only extras installed.

I have followed the settings here and on github and I'm at a loss.
Also followed suggestions HERE
tcpdump -ni eth0 -p port 53 or port 853 Obviously all requests are using 53

After every change, I have to revert back to turning DoT off to get my internet connection back. :(
Maybe someone can post up screens of your working settings?

ASUS Wireless Router RT-AC66U_B1 - DHCP Server.png ASUS Wireless Router RT-AC66U_B1 - DNS-based Filtering.png ASUS Wireless Router RT-AC66U_B1 - Internet Connection (1).png
 
What do you have "Wan: Use local caching DNS server as system resolver (default: No)" set to in the "Tools > Other Settings" page. If it's set to Yes, try changing it to No. It could be stopping your router from getting the time, which is needed for most certificate stuff.
 
Hope someone can help me. :confused:
Getting frustrated with trying to get DoT set up.
When I make the necessary changes my router shows Internet Status: Disconnected

I have even got to the point of resetting my router and starting from scratch.
OpenVPN Server turned on and setup. AMTM, Diversion and Skynet are the only extras installed.

I have followed the settings here and on github and I'm at a loss.
Also followed suggestions HERE
tcpdump -ni eth0 -p port 53 or port 853 Obviously all requests are using 53

After every change, I have to revert back to turning DoT off to get my internet connection back. :(
Maybe someone can post up screens of your working settings?

View attachment 17828 View attachment 17829 View attachment 17830

I would test entering the CloudFlare servers in Connect to DNS Servers Automatically (set it to 'No' to enter the servers you want).
 
Set "Wan: Use local caching DNS server as system resolver " to No on the Tools -> Other Settings page.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top