ASUSWRT-Merlin and NextDNS issue

[XIII]

Due to dnsmasq failing all the time I wiped my flash drive and re-installed amtm, Diversion, Entware and SkyNet.

Now I again have "This device is using NextDNS with another configuration." and my selected filters are not active.

Configuration still looks good:

round_robin_upstreams: 0
upstream_recursive_servers:
  - address_data: 45.90.28.0
    tls_auth_name: "<ID>.dns1.nextdns.io"
  - address_data: 45.90.30.0
    tls_auth_name: "<ID>.dns2.nextdns.io"

What could be wrong?

 

[dave14305]

how well did this test work for you?

So so. Had different dnsmasq configs for DoT vs regular dnsmasq. Always felt something wasn’t the same. Tried the new Nextdns CLI last night. Not quite intuitive how to setup, but it was literally pushed to GitHub last night as a beta.

I always fall back to running Unbound with Diversion to keep a happy home.

Generally, I get uneasy disabling DNSSEC locally.

if [ "$(nvram get dnspriv_enable)" = "1" ] && [ -n "$(nvram get dnspriv_rulelist | grep nextdns)" ]; then
        pc_append "alias=0.0.0.0,192.168.1.2" "$CONFIG"
        pc_delete "stop-dns-rebind" "$CONFIG"
        pc_delete "addn-hosts=/opt/share/diversion/list/" "$CONFIG"
        pc_delete "dnssec" "$CONFIG"
elif [ "$(nvram get dnspriv_enable)" = "0" ] && [ "$(nvram get wan_dnsenable_x)" = "0" ]; then
        if [ -n "$(nvram get wan0_dns | grep -E "45\.90\.[23][80]\.170")" ]; then
                pc_append "strict-order" "$CONFIG"
                pc_append "add-cpe-id=Nextdnscfgid" "$CONFIG"
                pc_append "add-mac" "$CONFIG"
                pc_append "add-subnet=32,128" "$CONFIG"
                pc_delete "addn-hosts=/opt/share/diversion/list/" "$CONFIG"
                pc_delete "dnssec" "$CONFIG"
        fi
fi

EDIT: typo in code

 

[SomeWhereOverTheRainBow]

So so. Had different dnsmasq configs for DoT vs regular dnsmasq. Always felt something wasn’t the same. Tried the new Nextdns CLI last night. Not quite intuitive how to setup, but it was literally pushed to GitHub last night as a beta.

I always fall back to running Unbound with Diversion to keep a happy home.

Generally, I get uneasy disabling DNSSEC locally.

if [ "$(nvram get dnspriv_enable)" = "1" ] && [ -n "$(nvram get dnspriv_rulelist | grep nextdns)" ]; then
        pc_append "alias=0.0.0.0,192.168.1.2" "$CONFIG"
        pc_delete "stop-dns-rebind" "$CONFIG"
        pc_delete "addn-hosts=/opt/share/diversion/list/" "$CONFIG"
        pc_delete "dnssec" "$CONFIG"
elif [ "$(nvram get dnspriv_enable)" = "0" ] && [ "$(nvram get wan_dnsenable_x)" = "0" ]; then
        if [ -n "$(nvram get wan0_dns | grep -E "45\.90\.[23][80]\.170")" ]; then
                pc_append "strict-order" "$CONFIG"
                pc_append "add-cpe-id=Nextdnscfgid" "$CONFIG"
                pc_append "add-mac" "$CONFIG"
                pc_append "add-subnet=32,128" "$CONFIG"
                pc_delete "addn-hosts=/opt/share/diversion/list/" "$CONFIG"
                pc_delete "dnssec" "$CONFIG"
        fi
fi

EDIT: typo in code

You shouldnt have to disable local dnssec to use them but I imagine it is more for accurate statistics logging on their end.
What made you go with
nvram get wan0_dns vs
nvram get wan_dns

 

[dave14305]

You shouldnt have to disable local dnssec to use them but I imagine it is more for accurate statistics logging on their end.
What made you go with
nvram get wan0_dns vs
nvram get wan_dns

Their own DoH daemon for Merlin compatibility disables these things.
https://github.com/nextdns/nextdns/blob/master/router/merlin/setup.go#L47

I went with wan0 because I felt more certain about it. Probably doesn't matter.

 

[SomeWhereOverTheRainBow]

Their own DoH daemon for Merlin compatibility disables these things.
https://github.com/nextdns/nextdns/blob/master/router/merlin/setup.go#L47

I went with wan0 because I felt more certain about it. Probably doesn't matter.

i think wan0 is probably more quickly available as well, i have noticed issues with regular wan in past (values not populating and what not).

I still feel like it is better to control all this stuff locally v.s forwarding it all to an upstream service and requesting them handle it.

 

[SomeWhereOverTheRainBow]

@Olivier Poitrey you should start a thread specifically for beta support as some people will come to these threads seeking Rmerlinian advice while the setup issues would most likely pertain to your script.

 

[Olivier Poitrey]

Done: https://www.snbforums.com/threads/nextdns-installer.61002/

 

[Smokey613]

[

I still feel like it is better to control all this stuff locally v.s forwarding it all to an upstream service and requesting them handle it.

I agree but, if your router has limited resources then offloading this processing would be beneficial. When I tried Diversion on my 68U it functioned properly but over time it would start consuming a lot of cpu processing, hence my reason to give NextDNS a try. I have a brand new RT-AC86U arriving tomorrow and I plan to do a Merlin install, then Skynet, diversion and all my other scripts to see how well it handles it all.

 

[SomeWhereOverTheRainBow]

[


I agree but, if your router has limited resources then offloading this processing would be beneficial. When I tried Diversion on my 68U it functioned properly but over time it would start consuming a lot of cpu processing, hence my reason to give NextDNS a try. I have a brand new RT-AC86U arriving tomorrow and I plan to do a Merlin install, then Skynet, diversion and all my other scripts to see how well it handles it all.

i suppose if you are trying to block more than diversion (or routers DNSMASQ) can handle, then this is an accurate statement. For 1.99 a month, I don't think you could go wrong. I will stick with diversion for now as i don't feel i need to block that much.

 

[gattaca]

--- I have a brand new RT-AC86U arriving tomorrow and I plan to do a Merlin install, then Skynet, diversion and all my other scripts to see how well it handles it all.

Keep us posted.

 

[gattaca]

Here is my recommendation for dnsmasq options
dnsmasq.conf.add (with gui dnssec turned on for additional validation)

strict-order

OK trying this now that I upgraded to latest FW.. .

 

[gattaca]

So I'm experimenting with NextDNS and the large dbl.oisd.nl list (known as the Large list in Diversion). NextDNS is configured to return UNSPECIFIED ADDRESS (i.e. 0.0.0.0) for blocked domains. This prevents my continued use of Pixelserv-tls locally with 192.168.1.2 as my blocking IP. Not awful, but can I have the best of both worlds?

I'm experimenting with adding this line to dnsmasq.conf to map upstream responses of 0.0.0.0 to 192.168.1.2:

alias=0.0.0.0,192.168.1.2

Added via dnsmasq.postconf:

#!/bin/sh
CONFIG="$1"
. /usr/sbin/helper.sh

if [ "$(nvram get dnspriv_enable)" = "1" ] && [ -n "$(nvram get dnspriv_rulelist | grep nextdns)" ]; then
        pc_append "alias=0.0.0.0,192.168.1.2" "$CONFIG"
        pc_delete "stop-dns-rebind" "$CONFIG"
fi

Of course, I need to disable DNS Rebind protection, but this is just an experiment to benefit from the dbl.oisd.nl list without the high memory usage on my AC68U.

So you are trying this prior to your new router and will (maybe) undo this once your AC86U proves out? It seems like those of use using Diversion/Pixelserv-tls would want to keep this active? I cut it into my setup b/c it sort of makes sense...

 

[Smokey613]

i suppose if you are trying to block more than diversion (or routers DNSMASQ) can handle, then this is an accurate statement. For 1.99 a month, I don't think you could go wrong. I will stick with diversion for now as i don't feel i need to block that much.

That was my thoughts as well, hence my finally purchasing the 86U. I too would rather handle it all “in house” if possible. On that thought, which DNS servers would you use? My ISP recently switched over to pointing everyone to Google servers on their setup. I would rather not do that. I have had great service from NextDNS so far.

 

[gattaca]

I've used cloudflare and quad9 + amtm + diversion + skynet + other for more than a year without any issues. I'm only playing around with NextDNS. I may go back to these. I'm not a fan of giving ABC/Google anything. YMMV.

 

[SomeWhereOverTheRainBow]

That was my thoughts as well, hence my finally purchasing the 86U. I too would rather handle it all “in house” if possible. On that thought, which DNS servers would you use? My ISP recently switched over to pointing everyone to Google servers on their setup. I would rather not do that. I have had great service from NextDNS so far.

for the most part, I use cloudflare (don't have any issues that some users report in their areas). my second choice would be quad9. (alternative clean browsing but they are hit or miss in my area). if i had to i would use google or my isp as last option, my isp is now playing around with DoT and DoH support, their DNSSEC capabilities are phenomenal, but they are horrible as far as privacy is concerned.

 

[XIII]

@Olivier Poitrey Can you please have a look at my logs in #152 in the 384.15 alpha tread?

Do they make any sense to you?

(Maybe I should try your DoH solution, but I'd rather use the firmware built-in DoT)

 

[Olivier Poitrey]

@Olivier Poitrey Can you please have a look at my logs in #152 in the 384.15 alpha tread?

Do they make any sense to you?

(Maybe I should try your DoH solution, but I'd rather use the firmware built-in DoT)

If you don't disable DNSSEC validation in dnsmasq, any blocked queries on domains supporting DNSSEC will fail the validation. It will still kind of block them but pollute your logs and may slow down the blocking as most stub will retry on SERVFAIL instead of just giving up.

We do DNSSEC validation at NextDNS level. It is advised not to enable it as client level with us.

 

[XIII]

If you don't disable DNSSEC validation in dnsmasq, any blocked queries on domains supporting DNSSEC will fail the validation. It will still kind of block them but pollute your logs and may slow down the blocking as most stub will retry on SERVFAIL instead of just giving up.

We do DNSSEC validation at NextDNS level. It is advised not to enable it as client level with us.

That's what I thought after reading the comment from your source code that I posted there.

Any idea why dnsmasq stops functioning after some time when I use NextDNS with DNS over TLS?

 

[Olivier Poitrey]

That's what I thought after reading the comment from your source code that I posted there.

Any idea why dnsmasq stops functioning after some time when I use NextDNS with DNS over TLS?

I think it’s stubby that fails. We got several reports of instability of stubby with our service. We still need to figure out why.

 

[XIII]

I think it’s stubby that fails. We got several reports of instability of stubby with our service. We still need to figure out why.

Ah, I wonder whether I also had stubby failures with Cloudflare and Quad9 earlier this year.

Don't understand yet why it worked fine with those in 2019, but stopped in 2020 (or maybe on the last day of 2019).