[Beta] Asuswrt-Merlin 384.11 Beta is now available

[rromeroa]

Can you confirm udpxy works properly once started manually?

udpxy works fine when starts manually. Movistar iptv profile is new in AC86U, recently added in the 384_45713... I think they have simply forgotten. Thanks

 

[octopus]

Just loaded new beta2 and working fine............
Uptime 0 days 0 hours 56 minute(s) 18 seconds

Thank you RM

 

[grifo]

The redirection is done at the firewall level, so there's a good chance your application does not properly detect this. Only way to be sure is to test using tcpdump on the router - the only outbound 123 traffic should be coming from the router itself, to the servers configured on the System page.

Thanks for the reply RMerlin. The thing is it does it also with the redirection turned off and the app set to use the router as the NTP server.

 

[Jake]

Asuswrt-Merlin 384.11 Beta is now available for all supported models. This release features a number of significant changes.

RMerlin, thank you for the excellent work. The Beta 2 is working fine on my RT-AC68U C1 so far and I will continue testing. Having the DNS-over-TLS natively rather than having to install a DNSCrypt script in JFFS is awesome! Would it possible to have an option to force LAN client DNS queries over DNS-over-TLS? I realize this is basically a port 53 firewall rule, but a GUI option would be great.

With DDNS over TLS added recently as well, I am super happy. I am hoping NTP-over-TLS, which I believe would be the last significant unencrypted router service, will be an option to implement in the future.

https://tools.ietf.org/id/draft-ietf-ntp-using-nts-for-ntp-10.html

Regards, Jake

 

[skeal]

Would it possible to have an option to force LAN client DNS queries over DNS-over-TLS? I realize this is basically a port 53 firewall rule, but a GUI option would be great.

Check out DNSFilter page.

 

[maxbraketorque]

Check out DNSFilter page.

@Jake, to be more specific, enable DNSFilter and set the Global option to Router. This is mentioned in the first post of this thread.

 

[Jake]

@Jake, to be more specific, enable DNSFilter and set the Global option to Router. This is mentioned in the first post of this thread.

That works, thanks! I was not aware that option in the UI. Would you agree the DNSFilter page could be eliminated on this release, as it could be incorporated into WAN>Internet Connection page with a "Force DNS Queries over DNS-over-TLS" option?

Edit: That would loose the option to configure specific clients for DNS redirection, however. It also seems the the first 3 or 4 options under WAN>Internet Connection>WAN DNS Setting should be disabled if one is using the DNS-over-TLS option (less confusing)?

 

[Swistheater]

That works, thanks! I was not aware that option in the UI. Would you agree the DNSFilter page could be eliminated on this release, as it could be incorporated into WAN>Internet Connection page with a "Force DNS Queries over DNS-over-TLS" option?

Edit: That would loose the option to configure specific clients for DNS redirection, however. It also seems the the first 3 or 4 options under WAN>Internet Connection>WAN DNS Setting should be disabled if one is using the DNS-over-TLS option (less confusing)?

Dns over tls was placed on firmware for privacy options not to supplant or replace existing features.

 

[rgnldo]

@RMerlin @themiron the 384.11_Beta2 build is perfect. The local NTP solution is VERY GOOD. Congratulations on the excellent work. Anyway, we will have a great leap in development at FW Asus Merlin

 

[PoloNes]

@RMerlin


Thank you very much for the firmware and DOT.

CleanBrowsing DNS is incorrect in two options.

CleanBrowsing Family 2 and CleanBrowsing Adult 2.

https://cleanbrowsing.org/guides/dnsovertls

Thanks.

 

[RMerlin]

@RMerlin


Thank you very much for the firmware and DOT.

CleanBrowsing DNS is incorrect in two options.

CleanBrowsing Family 2 and CleanBrowsing Adult 2.

https://cleanbrowsing.org/guides/dnsovertls

Thanks.

Copy/paste error most likely, thanks. Fixed.

 

[Evictoria]

Just to say thank you for 384.11b2 installed and running fine on AX & AC88U and along with various scripts as per my signature.

Running flawlessly with both VPN server & clients.

Kept JackYaz ntpd to impose the ntpsync on all clients.

Great firmware that gives a great use and learn experience of these routers.

 

[L&LD]

Just to say thank you for 384.11b2 installed and running fine on AX & AC88U and along with various scripts as per my signature.

Running flawlessly with both VPN server & clients.

Kept JackYaz ntpd to impose the ntpsync on all clients.

Great firmware that gives a great use and learn experience of these routers.

While I too prefer Jack Yaz's ntpMerlin script, note that the RMerlin 384.11 Beta 2 also (optionally) redirects clients to use its built-in NTP implementation too.

 

[Evictoria]

While I too prefer Jack Yaz's ntpMerlin script, note that the RMerlin 384.11 Beta 2 also (optionally) redirects clients to use its built-in NTP implementation too.

Thanks !

Must have overlooked it. I'll give it a try.

But I love the graphs too

 

[maxbraketorque]

...

With DDNS over TLS added recently as well, I am super happy. I am hoping NTP-over-TLS, which I believe would be the last significant unencrypted router service, will be an option to implement in the future.

...

Regards, Jake

What value would this provide? Is there really information about a device or user that can be gained from an NTP query?

That works, thanks! I was not aware that option in the UI. Would you agree the DNSFilter page could be eliminated on this release, as it could be incorporated into WAN>Internet Connection page with a "Force DNS Queries over DNS-over-TLS" option?

Edit: That would loose the option to configure specific clients for DNS redirection, however. It also seems the the first 3 or 4 options under WAN>Internet Connection>WAN DNS Setting should be disabled if one is using the DNS-over-TLS option (less confusing)?

I agree that its no longer intuitive for the DNSFilter tab to be located in the LAN section. Since all the other DNS stuff is now in WAN section, perhaps with its own tab there?

The first DNS entries (DNS Server1, DNS Server2) in the WAN DNS section have a different purpose than the DNS-over-TLS stuff. This is also discussed somewhere in this thread.

 

[RamGuy]

Is there a easy way to test and verify whether DNS over TLS is working?

I'm using a local Windows Server 2019 as local DNS server as this lets me do manual DNS entries for IPv4 and IPv6 for multiple domains easy in order to get all my local FQDN to resolve correctly locally and over IP-sec VPN where I also use this same server for DNS resolving.

But I want to utilise DNS over TLS for upstream DNS resolution that is not getting resolved on my Windows Server. Currently I have entered 1.0.0.1 and 1.1.1.1 as WAN DNS servers for IPv4, and for IPv6 I have entered the static global IPv6 address of my Windows Server.

Then I enabled DNS over TLS and configured CloudFlare using both IPv4 and IPv6.

Instead of using CloudFlare as upstream DNS on the Windows Server I have instead used the Asus RT-AX88U's local IPv4 address and link-local IPv6 address and DNS resolving is working as intended I would just like to verify that it's actually using DNS over TLS.

I do get some of these in the system logs;


May 3 18:34:38 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 3 18:51:45 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 3 19:51:45 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 3 20:51:45 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 3 21:51:46 dnsmasq[1090]: Insecure DS reply received for 30.172.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers

I don't have the "Validate unsigned DNSSEC replies" enabled.


The Windows Server is also taking care of DHCPv4 and it's only broadcasting itself as DNS server.

 

[Sonyrolfy]

Hi,

I have installed 384.11_beta2 on my RT-AX88U

I also use ProtonVPN. The server I use I can watch US Netflix from Australia.

I have also enabled DoT

On ipleak.net there shows 2 DNS addresses (1 is ProtonVPN and the other the DoT from the router's selection) and I can watch US Netflix on my Apple TV 4K from Australia perfectly ok.

https://i.imgur.com/NNhjw50.png

However, for the DoT I've selected "CleanBrowsing (1) Security" and since I have 2 DNS addresses will the security feature of the DoT server I've selected work, or are the DNS quires past through the VPN's DNS?

I hope that makes sense.

Not hijacking your Q, but kind of similar Question. The scenario you are mentioning isn’t clear for me either, in case of Clearbrowsing, which DNS comes/serves first and will clearbrowsing work, (besides the leaking) when VPN DNS is set to Relaxed with policy 192.168.1.0/24?

DoT with clearbrowsing / Diversion / Skynet and maybe AIprotect and Adblockers in browsers is a bit much. But then again, it is possible, so why not…Sjeez

 

[RMerlin]

Is there a easy way to test and verify whether DNS over TLS is working?

tcpdump -ni eth0 -p port 53 or port 853

Connections to port 853 = DoT. Connections to port 53 = not DoT.

when VPN DNS is set to Relaxed

Relaxed mode means there is no guarantee as to which server is used by dnsmasq, it could be any of them.

 

[Sonyrolfy]

Maybe a stop button on the continues ping on Network Tools? Or just go to the next TAB? But then you lose the overview of the Analysis. no biggie.

 

[Jake]

What value would this provide? Is there really information about a device or user that can be gained from an NTP query?

NTP Man-in-the-middle attacks are possible, and can affect other time-sensitive security-related functions. The TLS benefit is security, not privacy. Here's one article:

https://threatpost.com/novel-ntp-attacks-roll-back-time/115138/