ASUSWRT-Merlin and NextDNS issue

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

^^^^ Actually, helpful - makes perfect sense.

BUT .. I think you posted that you prefer to keep DNSSEC on locally, and you made a few posts earlier to the configs to allow Diversion + Pixelserv to act as a 2nd layer to NextDNS as long as we set NextDNS to use 0.0.0.0 returns.. or am I mis-remembering? For me, I like layers for this stuff... so if something sneaks past the front line, there's a fallback waiting to stop it.
I’m all over the place when it comes to DNS solutions. I dynamically remove DNSSEC and Rebind on the router if my DNS config involves NextDNS. And map the 0.0.0.0 to my Pixelserv IP. That’s a lot of hacks just to see if something will work like Diversion Standard.
Layers are good except when modifying cryptographically signed data. Hence I’m taking a break from fancy DNS now that kids are going back to school and I have to go back to work tomorrow. :(

I’m now just using ISP DNS with DNSSEC and Diversion. Plus SkyNet.
 
Guys, I still don't understand this conversation - sorry. Can someone explain, in layman's terms, why we do or do not want DNSSEC checked in the WAN GUI when using NextDNS? I've seen too many conflicting reports now to know which one to believe, ON or OFF, and why. And BTW, I'm using DNS-over-TLS.
This is not the same as GUI DNSSEC. This is taking proxy-dnssec and placing it in dnsmasq.conf.add; this ensures clients properly receive, and dnsmasq properly caches, upstream DNSSEC responses from NextDNS. NextDNS is still the one supplying validation.

Do not use gui dnssec option as it will interfere with responses from nextdns and flag them as bogus.

My suggestion above should help encourage acceptance of responses and caching.
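As an added example (not code posted in this thread or shipped by Asuswrt-Merlin), this small POSIX shell helper puts the proxy-dnssec directive described above into a dnsmasq drop-in file idempotently, and checks a dig response header for the AD flag that proxy-dnssec copies through from the upstream resolver. The file path is passed in as an argument (on Merlin the drop-in is /jffs/configs/dnsmasq.conf.add); the dig header line used below is a constructed sample, not captured output.

```shell
#!/bin/sh
# Added example, not from the thread: manage the proxy-dnssec drop-in and
# check whether a client actually sees the AD (Authenticated Data) flag.
# Assumptions: the drop-in path is given as $1; dig output is a constructed sample.

# Append "proxy-dnssec" to the given dnsmasq drop-in unless it is already there.
# Idempotent: running it twice never duplicates the line. Commented-out variants
# (e.g. "#proxy-dnssec") do not count because of the exact-line match (-x).
ensure_proxy_dnssec() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    # proxy-dnssec only copies the upstream AD bit to clients; dnsmasq itself
    # validates nothing, so the trust rests on the DoT path to the upstream
    # (NextDNS here) and on that upstream doing the validation.
    if ! grep -qx 'proxy-dnssec' "$conf"; then
        printf '%s\n' 'proxy-dnssec' >> "$conf"
    fi
}

# Number of proxy-dnssec lines in the file (used to confirm idempotence).
count_proxy_dnssec() {
    grep -cx 'proxy-dnssec' "$1"
}

# Return 0 if a dig header line carries the AD flag, i.e. the answer was
# validated upstream and the bit reached the client through dnsmasq.
# Example header line: ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, ..."
has_ad_flag() {
    printf '%s\n' "$1" | grep -qE ';; flags:( [a-z]+)* ad( [a-z]+)*;'
}

# Usage on the router (not run here):
#   ensure_proxy_dnssec /jffs/configs/dnsmasq.conf.add && service restart_dnsmasq
# Then from a LAN client run "dig +dnssec example.com @<router-ip>" and pass
# the ";; flags:" line to has_ad_flag. Without the GUI DNSSEC option enabled,
# dnsmasq will not mark NextDNS answers bogus, and cached answers should
# still carry the AD flag on repeat queries.
```

If a second query for the same name comes back with "ad" and a lower TTL than the first, dnsmasq is both forwarding the flag and serving from cache, which is the behaviour the post above is trying to achieve.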
 
Interesting reading about possibly deprecating proxy-dnssec in the future.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q4/013645.html
 
This is an interesting read; it implies proxy-dnssec isn't caching this person's responses, but I suppose you would have to test this, as I have not noticed any responses going uncached.

With that being said, if you really wanted, you could turn on DNSSEC but leave "verify unsigned replies" unchecked.
This does the same thing, but in a different way: each time, dnsmasq will check the DNSSEC bit instead of relying on the cached response, but it will not try to validate.

[attached screenshot: upload_2020-1-5_14-12-33.png]


*Edit*
I stand corrected on the caching part. It will cache responses this way too. Tested it by timing responses. It is much faster than proxy-dnssec when pulling cached responses.
*Edit*
 
Yeap, I waterfalled my older 68U/1900u units into WAPs at opposite ends of the house... more than one target to hit, and I used different names so the family knows which WAP is which. YMMV :)

I moved everything to the 86U this morning. Everything seems to be zipping along. My only issue is my 2nd Gen Echo Plus and Echo Sub seem to have issues with the 5G wireless. They work great on the 2.4 though. All my other Echo devices work fine on the 5G. I am sure it's a setting on the 5G I have incorrect, but you would think my other 2 Echos would be affected also, but they are working fine on the 5G.
 