ASUSWRT-Merlin and NextDNS issue

[dave14305]

^^^^ Actually, helpful - makes perfect sense.

BUT .. I think you posted that you prefer to keep DNSSEC on locally and you made a few posts earlier to the configs to to allow diversion + Pixelserv to act as a 2nd layer to NextDNS as long as we set NextDNS to use 0.0.0.0 returns.. or am I mis-remembering? For me, I like layers for this stuff... so if something sneaks past the front link, there's a fallback waiting to stop it.

I’m all over the place when it comes to DNS solutions. I dynamically remove DNSSEC and Rebind on the router if my DNS config involves NextDNS. And map the 0.0.0.0 to my Pixelserv IP. That’s a lot of hacks just to see if something will work like Diversion Standard.
ASUSWRT-Merlin and NextDNS issue

Layers are good except when modifying cryptographically signed data. Hence I’m taking a break from fancy DNS now that kids are going back to school and I have to go back to work tomorrow.

I’m now just using ISP DNS with DNSSEC and Diversion. Plus SkyNet.

 

[SomeWhereOverTheRainBow]

Guys, I still don't understand this conversation - sorry. Can someone explain, in laymen's terms, why we do or do not want DNSSEC checked in the WAN GUI when using NextDNS. I've seen too many conflicting reports now to know which one to believe ON or OFF and why? And BTW, I'm using DNS-over-TLS

This is not the same as gui dnssec. This is taking proxy-dnssec and placing it in the dnsmasq.conf.add this ensures clients properly recieve and dnsmasq properly cache up steam dnssec responses from nextdns nextdns is still the one supplying validations.

Do not use gui dnssec option as it will interfere with responses from nextdns and flag them as bogus.

My suggestion above should help encourage acceptance of responses and caching.

 

[dave14305]

This is not the same as gui dnssec. This is taking proxy-dnssec and placing it in the dnsmasq.conf.add this ensures clients properly recieve and dnsmasq properly cache up steam dnssec responses from nextdns nextdns is still the one supplying validations.

Do not use gui dnssec option as it will interfere with responses from nextdns and flag them as bogus.

My suggestion above should help encourage acceptance of responses and caching.

Interesting reading about possibly deprecating proxy-dnssec in the future.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q4/013645.html

 

[SomeWhereOverTheRainBow]

Interesting reading about possibly deprecating proxy-dnssec in the future.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q4/013645.html

this is interesting read, it implies proxy-dnssec isn't caching this persons responses, but i suppose you would have to test this as I have not noticed any responses going uncached properly.

with that being said, if you really wanted
you could turn on DNSSEC but leave unchecked verify unsigned replies,
this does the same thing, but in a different way. Instead, each time dnsmasq will check the dnssec bit, instead of relying on cached response, but it will not try to validate.

*Edit*
I stand corrected on the caching part, It will cache responses this way too. Tested it by timing responses. It is much faster than proxy-dnssec when pulling cached responses.
*Edit*

 

[Smokey613]

Yeap, I waterfalled my older 68U/1900u units into WAPs at opposite ends of the house.. more than one target to hit and I used different names so the family knows which WAP is which.. . YMMV

I moved everything to the 86U this morning. Everything seems to be zipping along. My only issue is my 2nd Gen Echo Plus and Echo Sub seems to have issues with the 5G wireless. Works great on the 2.4 though. All my other Echo devices work fine on the 5G. I am sure it’s a setting on the 5G I have incorrect, but you would think my other 2 Echos would be affected also but they are working fine on the 5G.