
[AC87U] DNS issues post 384.7 upgrade


BSOD2600

Regular Contributor
Any known issues with the dns server with the latest 384.7 code?

Was previously only 384.5 and no problems.
The router itself cannot resolve DNS (using OpenDNS... the classic config without DNSFilter, but with their service's DNS IPs hard-coded), yet it has network connectivity. Network clients are configured to use the router as DNS... so they too obviously are not working right now (unless I manually change their DNS config). Also have AB-Solution installed... which I notice has been renamed to Diversion -- possibly related?
 
DNSSEC has been enabled for many builds with OpenDNS. This was the first time it caused a problem.
 
OpenDNS does not support DNSSEC and it most likely will never do so. See https://support.opendns.com/hc/en-us/community/posts/220028387-OpenDNS-and-DNSSEC

I think the change you've noticed is related to the recently added option: DNSSEC strict unsigned validation.



If you continue to use OpenDNS, you need to disable DNSSEC Support. You can try whether it works when you only disable DNSSEC strict unsigned validation, but it has no added value to leave DNSSEC Support enabled, as your upstream DNS server does not support it.
 
DNSSEC has been enabled for many builds with OpenDNS. This was the first time it caused a problem.

It was enabled, but it never worked because dnsmasq simply ignored unsigned replies. This was a serious security issue that pretty much made DNSSEC useless, so the dnsmasq author changed it so it will now properly reject unsigned replies if you enable dnssec and a queried zone is signed.

This was documented in the changelog BTW:

Code:
  - CHANGED: Since dnsmasq 2.80, dnsmasq now ensures that unsigned
              DNS replies received with DNSSEC enabled are legitimate.
              If your upstream DNS doesn't support DNSSEC, this means
              all replies from signed zones will be considered
              invalid.  Make sure you only enable DNSSEC if your
              upstream DNS servers do support it.  This behaviour is
              a bit slower, but far more secure than the old default.
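The changelog entry above boils down to one check a user should make before enabling DNSSEC on the router: does the upstream resolver actually validate and return DNSSEC data? Here is an added example (not from the thread or from the firmware) that decides that from the output of `dig +dnssec`. A validating upstream sets the "ad" flag in the response header and returns RRSIG records alongside the answer; an upstream that does not support DNSSEC (OpenDNS, per this thread) returns neither. The function names and the two sample dig outputs are constructed for this example; only the resolver address you pass on the command line is real.

```shell
#!/bin/sh
# Added example: decide from `dig +dnssec` output whether an upstream resolver
# validates DNSSEC. Not part of the original thread; function names and the
# sample outputs below are constructed.

# upstream_supports_dnssec: reads dig output on stdin, prints "yes" or "no",
# returns 0 for yes and 1 for no. Requires BOTH the "ad" (authenticated data)
# flag in the header comment and at least one RRSIG record in the answer.
upstream_supports_dnssec() {
    out=$(cat)
    # header comment looks like: ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ...
    if printf '%s\n' "$out" | grep -q '^;; flags:.* ad[ ;]' &&
       printf '%s\n' "$out" | grep -q 'IN[[:space:]]*RRSIG'; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# check_resolver RESOLVER_IP NAME: runs the live query against a resolver.
# Only enable DNSSEC on the router if this prints "yes" for a signed zone.
check_resolver() {
    dig @"$1" +dnssec +noall +comments +answer "$2" | upstream_supports_dnssec
}

# Constructed sample: what a validating resolver returns for a signed zone
# (192.0.2.1 is a documentation address; the RRSIG payload is made up).
VALIDATING_SAMPLE=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.com.		3600	IN	A	192.0.2.1
example.com.		3600	IN	RRSIG	A 13 2 3600 20240101000000 20231201000000 12345 example.com. AbCdEf=='

# Constructed sample: what a non-validating resolver returns for the same name:
# no "ad" flag, no RRSIG, just the bare answer.
NONVALIDATING_SAMPLE=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
example.com.		3600	IN	A	192.0.2.1'

# Usage: sh check_dnssec.sh <resolver-ip> [name]   (e.g. the OpenDNS address
# configured on the router, and any domain you know is DNSSEC-signed)
if [ $# -ge 1 ]; then
    check_resolver "$1" "${2:-example.com}"
fi
```

Run it against each upstream address configured on the router; "no" means dnsmasq 2.80 with DNSSEC enabled will reject every reply from a signed zone, which is exactly the symptom in the first post. The router option "DNSSEC strict unsigned validation" corresponds to dnsmasq's `dnssec-check-unsigned` directive, which is on by default since 2.80 and can be reverted with `dnssec-check-unsigned=no`, but as the reply above says, the sound fix is to leave DNSSEC off entirely when the upstream does not support it.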
 
Thanks all for the pointers, for something overlooked in the changelog.

Also eventually got AB upgraded to Diversion too. First attempt, it was partially migrated and then something killed the router (both cores at 100% CPU for hours; a second SSH session was not responsive enough to investigate or kill it; eventually had to pull the USB drive and restart to fix it). Second attempt was successful; using Lite mode for now.
 
